National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

There are 122,894 matching records.
Displaying matches 221 through 240.
Vuln ID Summary CVSS Severity
CVE-2019-16309

FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.

Published: September 14, 2019; 12:15:10 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-16294

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

Published: September 14, 2019; 12:15:10 PM -04:00
V3.1: 7.8 HIGH
    V2: 6.8 MEDIUM
CVE-2019-16305

In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to command injection. A crafted link can trigger a popup asking whether the user wants to run MobaXterm to handle the link. If accepted, another popup appears asking for further confirmation. If this is also accepted, command execution is achieved, as demonstrated by the MobaXterm://`calc` URI.

Published: September 14, 2019; 11:15:10 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2019-16303

A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

Published: September 13, 2019; 08:15:10 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-5485

NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name.

Published: September 13, 2019; 02:15:11 PM -04:00
V3.1: 10.0 CRITICAL
    V2: 10.0 HIGH
CVE-2019-5484

Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted.

Published: September 13, 2019; 02:15:11 PM -04:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-11660

Privileges manipulation in Micro Focus Data Protector, versions 10.00, 10.01, 10.02, 10.03, 10.04, 10.10, 10.20, 10.30, 10.40. This vulnerability could be exploited by a low-privileged user to execute a custom binary with higher privileges.

Published: September 13, 2019; 02:15:10 PM -04:00
V3.1: 7.8 HIGH
    V2: 7.2 HIGH
CVE-2019-5315

A command injection vulnerability is present in the web management interface of ArubaOS that permits an authenticated user to execute arbitrary commands on the underlying operating system. A malicious administrator could use this ability to install backdoors or change system configuration in a way that would not be logged. This vulnerability only affects ArubaOS 8.x.

Published: September 13, 2019; 01:15:12 PM -04:00
V3.1: 7.2 HIGH
    V2: 9.0 HIGH
CVE-2019-5314

Some web components in the ArubaOS software are vulnerable to HTTP Response splitting (CRLF injection) and Reflected XSS. An attacker would be able to accomplish this by sending certain URL parameters that would trigger this vulnerability.

Published: September 13, 2019; 01:15:12 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-16293

The Create Discoveries feature of Open-AudIT before 3.2.0 allows an authenticated attacker to execute arbitrary OS commands via a crafted value for a URL field.

Published: September 13, 2019; 01:15:12 PM -04:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2019-13923

A vulnerability has been identified in IE/WSN-PA Link WirelessHART Gateway (All versions). The integrated configuration web server of the affected device could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known.

Published: September 13, 2019; 01:15:11 PM -04:00
V3.1: 9.6 CRITICAL
    V2: 4.3 MEDIUM
CVE-2019-13922

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). An attacker with administrative privileges can obtain the hash of a connected device's password. The security vulnerability could be exploited by an attacker with network access to the SINEMA Remote Connect Server and administrative privileges. At the time of advisory publication no public exploitation of this security vulnerability was known.

Published: September 13, 2019; 01:15:11 PM -04:00
V3.1: 2.7 LOW
    V2: 4.0 MEDIUM
CVE-2019-13920

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some parts of the web application are not protected against Cross Site Request Forgery (CSRF) attacks. The security vulnerability could be exploited by an attacker that is able to trigger requests of a logged-in user to the application. The vulnerability could allow switching the connectivity state of a user or a device. At the time of advisory publication no public exploitation of this security vulnerability was known.

Published: September 13, 2019; 01:15:11 PM -04:00
V3.1: 4.3 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-13919

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some pages that should only be accessible by a privileged user can also be accessed by a non-privileged user. The security vulnerability could be exploited by an attacker with network access and valid credentials for the web interface. No user interaction is required. The vulnerability could allow an attacker to access information that he should not be able to read. The affected information does not include passwords. At the time of advisory publication no public exploitation of this security vulnerability was known.

Published: September 13, 2019; 01:15:11 PM -04:00
V3.1: 4.3 MEDIUM
    V2: 4.0 MEDIUM
CVE-2019-13918

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). The web interface has no means to prevent password guessing attacks. The vulnerability could be exploited by an attacker with network access to the vulnerable software, requiring no privileges and no user interaction. The vulnerability could allow full access to the web interface. At the time of advisory publication no public exploitation of this security vulnerability was known.

Published: September 13, 2019; 01:15:11 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-13548

CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which could cause a stack overflow and create a denial-of-service condition or allow remote code execution.

Published: September 13, 2019; 01:15:11 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-13532

CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which may allow access to files outside the restricted working directory of the controller.

Published: September 13, 2019; 01:15:11 PM -04:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-10937

A vulnerability has been identified in SIMATIC TDC CP51M1 (All versions < V1.1.7). An attacker with network access to the device could cause a Denial-of-Service condition by sending a specially crafted UDP packet. The vulnerability affects the UDP communication of the device. The security vulnerability could be exploited without authentication. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.

Published: September 13, 2019; 01:15:11 PM -04:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2018-7081

A remote code execution vulnerability is present in network-listening components in some versions of ArubaOS. An attacker with the ability to transmit specially-crafted IP traffic to a mobility controller could exploit this vulnerability and cause a process crash or to execute arbitrary code within the underlying operating system with full system privileges. Such an attack could lead to complete system compromise. The ability to transmit traffic to an IP interface on the mobility controller is required to carry out an attack. The attack leverages the PAPI protocol (UDP port 8211). If the mobility controller is only bridging L2 traffic to an uplink and does not have an IP address that is accessible to the attacker, it cannot be attacked.

Published: September 13, 2019; 01:15:10 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 9.3 HIGH
CVE-2010-5333

The web server in Integard Pro and Home before 2.0.0.9037 and 2.2.x before 2.2.0.9037 has a buffer overflow via a long password in an administration login POST request, leading to arbitrary code execution.

Published: September 13, 2019; 12:15:12 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH