National Vulnerability Database

Search Results

There are 124,593 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2019-11253

Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility.

Published: October 17, 2019; 12:15:10 PM -04:00
(not available)
CVE-2019-15850

eQ-3 HomeMatic CCU3 firmware version 3.41.11 allows Remote Code Execution in the ReGa.runScript method. An authenticated attacker can easily execute code and compromise the system.

Published: October 17, 2019; 10:15:10 AM -04:00
(not available)
CVE-2019-15849

eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system.

Published: October 17, 2019; 10:15:10 AM -04:00
(not available)
CVE-2019-14424

A Local File Inclusion (LFI) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to read sensitive files via a simple HTTP Request.

Published: October 17, 2019; 10:15:10 AM -04:00
(not available)
CVE-2019-14423

A Remote Code Execution (RCE) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to execute system commands as root remotely via a simple HTTP request.

Published: October 17, 2019; 10:15:10 AM -04:00
(not available)
CVE-2019-17676

app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a CSRF attack to add a user account via a doSaveSetup action to admin/index.php, as demonstrated by an admin/?n=admin&c=index&a=doSaveSetup URI.

Published: October 17, 2019; 09:15:11 AM -04:00
(not available)
CVE-2019-17675

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

Published: October 17, 2019; 09:15:11 AM -04:00
(not available)
CVE-2019-17674

WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.

Published: October 17, 2019; 09:15:11 AM -04:00
(not available)
CVE-2019-17673

WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.

Published: October 17, 2019; 09:15:11 AM -04:00
(not available)
CVE-2019-17672

WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.

Published: October 17, 2019; 09:15:11 AM -04:00
(not available)
CVE-2019-17671

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

Published: October 17, 2019; 09:15:10 AM -04:00
(not available)
CVE-2019-17670

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

Published: October 17, 2019; 09:15:10 AM -04:00
(not available)
CVE-2019-17669

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

Published: October 17, 2019; 09:15:10 AM -04:00
(not available)
CVE-2019-17668

Samsung Galaxy S10 and Note10 devices allow unlock operations via unregistered fingerprints in certain situations involving a third-party screen protector.

Published: October 17, 2019; 08:15:12 AM -04:00
(not available)
CVE-2019-17667

Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML injection via the Site Name (aka SiteName) field.

Published: October 17, 2019; 07:15:11 AM -04:00
(not available)
CVE-2019-17666

rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.

Published: October 16, 2019; 10:15:13 PM -04:00
(not available)
CVE-2019-17611

HongCMS 3.0.0 has XSS via the install/index.php tableprefix parameter.

Published: October 16, 2019; 06:15:10 PM -04:00
(not available)
CVE-2019-17610

HongCMS 3.0.0 has XSS via the install/index.php dbpassword parameter.

Published: October 16, 2019; 06:15:10 PM -04:00
(not available)
CVE-2019-17609

HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter.

Published: October 16, 2019; 06:15:10 PM -04:00
(not available)
CVE-2019-17608

HongCMS 3.0.0 has XSS via the install/index.php dbname parameter.

Published: October 16, 2019; 06:15:10 PM -04:00
(not available)