Search Results (Refine Search)
- Results Type: Overview
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2015-9450 |
The plugmatter-optin-feature-box-lite plugin before 2.0.14 for WordPress has SQL injection via the wp-admin/admin-ajax.php?action=pmfb_cc pmfb_tid parameter. Published: October 07, 2019; 11:15:10 AM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2019-3688 |
The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterprise Server 15 before and including version 4.8-5.8.1 and in SUSE Linux Enterprise Server 12 before and including 3.5.21-26.17.1 had squid:root, 0750 permissions. This allowed an attacker that compromissed the squid user to gain persistence by changing the binary Published: October 07, 2019; 10:15:11 AM -0400 |
V4.0:(not available) V3.1: 7.1 HIGH V2.0: 6.6 MEDIUM |
CVE-2019-16263 |
The Twitter Kit framework through 3.4.2 for iOS does not properly validate the api.twitter.com SSL certificate. Although the certificate chain must contain one of a set of pinned certificates, there are certain implementation errors such as a lack of hostname verification. NOTE: this is an end-of-life product. Published: October 07, 2019; 8:15:11 AM -0400 |
V4.0:(not available) V3.1: 7.4 HIGH V2.0: 5.8 MEDIUM |
CVE-2019-15751 |
An unrestricted file upload vulnerability in SITOS six Build v6.2.1 allows remote attackers to execute arbitrary code by uploading a SCORM file with an executable extension. This allows an unauthenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to the web root of the application. Published: October 07, 2019; 8:15:11 AM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 10.0 HIGH |
CVE-2019-15750 |
A Cross-Site Scripting (XSS) vulnerability in the blog function in SITOS six Build v6.2.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. Published: October 07, 2019; 8:15:11 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2019-15749 |
SITOS six Build v6.2.1 allows a user to change their password and recovery email address without requiring them to confirm the change with their old password. This would allow an attacker with access to the victim's account (e.g., via XSS or an unattended workstation) to change that password and address. Published: October 07, 2019; 8:15:11 AM -0400 |
V4.0:(not available) V3.1: 6.5 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2019-15748 |
SITOS six Build v6.2.1 permits unauthorised users to upload and import a SCORM 2004 package by browsing directly to affected pages. An unauthenticated attacker could use the upload and import functionality to import a malicious SCORM package that includes a PHP file, which could execute arbitrary PHP code. Published: October 07, 2019; 8:15:11 AM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2019-15747 |
SITOS six Build v6.2.1 allows a user with the user role of Seminar Coordinator to escalate their permission to the Systemadministrator role due to insufficient checks on the server side. Published: October 07, 2019; 8:15:11 AM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2019-15746 |
SITOS six Build v6.2.1 allows an attacker to inject arbitrary PHP commands. As a result, an attacker can compromise the running server and execute system commands in the context of the web user. Published: October 07, 2019; 8:15:11 AM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 10.0 HIGH |
CVE-2018-18379 |
The elementor-edit-template class in wp-admin/customize.php in the Elementor Pro plugin before 2.0.10 for WordPress has XSS. Published: October 07, 2019; 8:15:10 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2019-17269 |
Intellian Remote Access 3.18 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the Ping Test field. Published: October 06, 2019; 8:15:10 PM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 10.0 HIGH |
CVE-2019-17267 |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. Published: October 06, 2019; 8:15:10 PM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2019-17266 |
libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer over-read because soup_ntlm_parse_challenge() in soup-auth-ntlm.c does not properly check an NTLM message's length before proceeding with a memcpy. Published: October 06, 2019; 6:15:10 PM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2019-17264 |
In libyal liblnk before 20191006, liblnk_location_information_read_data in liblnk_location_information.c has a heap-based buffer over-read because an incorrect variable name is used for a certain offset. NOTE: the vendor has disputed this as described in the GitHub issue Published: October 06, 2019; 6:15:10 PM -0400 |
V4.0:(not available) V3.1: 3.3 LOW V2.0: 2.1 LOW |
CVE-2019-17263 |
In libyal libfwsi before 20191006, libfwsi_extension_block_copy_from_byte_stream in libfwsi_extension_block.c has a heap-based buffer over-read because rejection of an unsupported size only considers values less than 6, even though values of 6 and 7 are also unsupported. NOTE: the vendor has disputed this as described in the GitHub issue Published: October 06, 2019; 6:15:10 PM -0400 |
V4.0:(not available) V3.1: 3.3 LOW V2.0: 2.1 LOW |
CVE-2019-17240 |
bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers. Published: October 06, 2019; 3:15:09 PM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 4.3 MEDIUM |
CVE-2019-17226 |
CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field. Published: October 06, 2019; 2:15:10 PM -0400 |
V4.0:(not available) V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2019-17225 |
Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue. Published: October 06, 2019; 1:15:11 PM -0400 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2019-17219 |
An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. By default, the device does not enforce any authentication. An adjacent attacker is able to use the network interface without proper access control. Published: October 06, 2019; 12:15:10 PM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 5.8 MEDIUM |
CVE-2019-17218 |
An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. By default, the communication to the web service is unencrypted via http. An attacker is able to intercept and sniff communication to the web service. Published: October 06, 2019; 12:15:10 PM -0400 |
V4.0:(not available) V3.1: 9.1 CRITICAL V2.0: 5.0 MEDIUM |