National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

There are 122,723 matching records.
Displaying matches 41 through 60.
Vuln ID Summary CVSS Severity
CVE-2019-16318

In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.

Published: September 14, 2019; 02:15:11 PM -04:00
(not available)
CVE-2019-16317

In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318.

Published: September 14, 2019; 02:15:11 PM -04:00
(not available)
CVE-2019-16307

A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKey parameter (deleteWebExMeetingCheck.jsp).

Published: September 14, 2019; 01:15:10 PM -04:00
(not available)
CVE-2019-16314

Indexhibit 2.1.5 allows a product reinstallation, with resultant remote code execution, via /ndxzstudio/install.php?p=2.

Published: September 14, 2019; 12:15:10 PM -04:00
(not available)
CVE-2019-16313

ifw8 Router ROM v4.31 allows credential disclosure by reading the action/usermanager.htm HTML source code.

Published: September 14, 2019; 12:15:10 PM -04:00
(not available)
CVE-2019-16312

s-cms V3.0 has XSS in index.php?type=text via the S_id parameter.

Published: September 14, 2019; 12:15:10 PM -04:00
(not available)
CVE-2019-16311

NIUSHOP V1.11 has CSRF via search_info to index.php.

Published: September 14, 2019; 12:15:10 PM -04:00
(not available)
CVE-2019-16310

NIUSHOP V1.11 has XSS via the index.php?s=/admin URI.

Published: September 14, 2019; 12:15:10 PM -04:00
(not available)
CVE-2019-16309

FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.

Published: September 14, 2019; 12:15:10 PM -04:00
(not available)
CVE-2019-16294

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

Published: September 14, 2019; 12:15:10 PM -04:00
(not available)
CVE-2019-16305

In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to command injection. A crafted link can trigger a popup asking whether the user wants to run MobaXterm to handle the link. If accepted, another popup appears asking for further confirmation. If this is also accepted, command execution is achieved, as demonstrated by the MobaXterm://`calc` URI.

Published: September 14, 2019; 11:15:10 AM -04:00
(not available)
CVE-2019-16303

A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

Published: September 13, 2019; 08:15:10 PM -04:00
(not available)
CVE-2019-5485

NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name.

Published: September 13, 2019; 02:15:11 PM -04:00
(not available)
CVE-2019-5484

Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted.

Published: September 13, 2019; 02:15:11 PM -04:00
(not available)
CVE-2019-11660

Privileges manipulation in Micro Focus Data Protector, versions 10.00, 10.01, 10.02, 10.03, 10.04, 10.10, 10.20, 10.30, 10.40. This vulnerability could be exploited by a low-privileged user to execute a custom binary with higher privileges.

Published: September 13, 2019; 02:15:10 PM -04:00
(not available)
CVE-2019-5315

A command injection vulnerability is present in the web management interface of ArubaOS that permits an authenticated user to execute arbitrary commands on the underlying operating system. A malicious administrator could use this ability to install backdoors or change system configuration in a way that would not be logged. This vulnerability only affects ArubaOS 8.x.

Published: September 13, 2019; 01:15:12 PM -04:00
(not available)
CVE-2019-5314

Some web components in the ArubaOS software are vulnerable to HTTP Response splitting (CRLF injection) and Reflected XSS. An attacker would be able to accomplish this by sending certain URL parameters that would trigger this vulnerability.

Published: September 13, 2019; 01:15:12 PM -04:00
(not available)
CVE-2019-16293

The Create Discoveries feature of Open-AudIT before 3.2.0 allows an authenticated attacker to execute arbitrary OS commands via a crafted value for a URL field.

Published: September 13, 2019; 01:15:12 PM -04:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2019-13923

A vulnerability has been identified in IE/WSN-PA Link WirelessHART Gateway (All versions). The integrated configuration web server of the affected device could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known.

Published: September 13, 2019; 01:15:11 PM -04:00
(not available)
CVE-2019-13922

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). An attacker with administrative privileges can obtain the hash of a connected device's password. The security vulnerability could be exploited by an attacker with network access to the SINEMA Remote Connect Server and administrative privileges. At the time of advisory publication no public exploitation of this security vulnerability was known.

Published: September 13, 2019; 01:15:11 PM -04:00
(not available)