National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

There are 123,027 matching records.
Displaying matches 41 through 60.
Vuln ID Summary CVSS Severity
CVE-2018-21018

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.

Published: September 22, 2019; 11:15:13 AM -04:00
(not available)
CVE-2019-16681

** DISPUTED ** The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to the opening of arbitrary URLs, which can inject deceptive content into the UI. (When in physical possession of the device, opening local files is also possible.) NOTE: as of 2019-09-23. the vendor has not agreed that this should be considered a vulnerability.

Published: September 21, 2019; 05:15:10 PM -04:00
(not available)
CVE-2019-16680

An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.

Published: September 21, 2019; 05:15:10 PM -04:00
V3.1: 5.3 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-16679

Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.

Published: September 21, 2019; 04:15:10 PM -04:00
V3.1: 4.9 MEDIUM
    V2: 4.0 MEDIUM
CVE-2019-16678

admin/urlrule/add.html in YzmCMS 5.3 allows CSRF with a resultant denial of service by adding a superseding route.

Published: September 21, 2019; 04:15:10 PM -04:00
V3.1: 6.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-16677

An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&do=del allows CSRF.

Published: September 21, 2019; 04:15:10 PM -04:00
(not available)
CVE-2019-16669

The Reset Password feature in Pagekit 1.0.17 gives a different response depending on whether the e-mail address of a valid user account is entered, which might make it easier for attackers to enumerate accounts.

Published: September 21, 2019; 03:15:10 PM -04:00
(not available)
CVE-2019-16665

An issue was discovered in ThinkSAAS 2.91. There is XSS via the content to the index.php?app=group&ac=comment&ts=do&js=1 URI, as demonstrated by a crafted SVG document in the SRC attribute of an EMBED element.

Published: September 21, 2019; 02:15:11 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-16664

An issue was discovered in ThinkSAAS 2.91. There is XSS via the index.php?app=group&ac=create&ts=do groupname parameter.

Published: September 21, 2019; 02:15:11 PM -04:00
V3.1: 4.8 MEDIUM
    V2: 3.5 LOW
CVE-2019-16661

Ogma CMS 0.5 has XSS via creation of a new blog.

Published: September 21, 2019; 02:15:11 PM -04:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2019-16660

joyplus-cms 1.6.0 has admin_ajax.php?action=savexml&tab=vodplay CSRF.

Published: September 21, 2019; 02:15:11 PM -04:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2019-16659

TuziCMS 2.0.6 has index.php/manage/link/do_add CSRF.

Published: September 21, 2019; 02:15:11 PM -04:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2019-16658

TuziCMS 2.0.6 has index.php/manage/notice/do_add CSRF.

Published: September 21, 2019; 02:15:11 PM -04:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2019-16657

TuziCMS 2.0.6 has XSS via the PATH_INFO to a group URI, as demonstrated by index.php/article/group/id/2/.

Published: September 21, 2019; 02:15:11 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-16656

joyplus-cms 1.6.0 allows remote attackers to execute arbitrary PHP code via /install by placing the code in the name of an object in the database.

Published: September 21, 2019; 02:15:11 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-16655

joyplus-cms 1.6.0 allows reinstallation if the install/ URI remains available.

Published: September 21, 2019; 02:15:10 PM -04:00
V3.1: 7.5 HIGH
    V2: 6.4 MEDIUM
CVE-2019-16650

On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the server managed by the BMC.

Published: September 20, 2019; 10:15:11 PM -04:00
(not available)
CVE-2019-16649

On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.

Published: September 20, 2019; 10:15:11 PM -04:00
(not available)
CVE-2019-6650

F5 BIG-IP ASM 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 may expose sensitive information and allow the system configuration to be modified when using non-default settings.

Published: September 20, 2019; 04:15:11 PM -04:00
V3.1: 9.1 CRITICAL
    V2: 5.8 MEDIUM
CVE-2019-6649

F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.

Published: September 20, 2019; 04:15:11 PM -04:00
(not available)