Search Results (Refine Search)
- Results Type: Overview
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2018-13288 |
Information exposure vulnerability in SYNO.FolderSharing.List in Synology File Station before 1.2.3-0252 and before 1.1.5-0125 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter. Published: April 01, 2019; 11:29:00 AM -0400 |
V4.0:(not available) V3.0: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
CVE-2018-13287 |
Incorrect default permissions vulnerability in synouser.conf in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to obtain sensitive information via the world readable configuration. Published: April 01, 2019; 11:29:00 AM -0400 |
V4.0:(not available) V3.0: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-13286 |
Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration. Published: April 01, 2019; 11:29:00 AM -0400 |
V4.0:(not available) V3.0: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-13285 |
Command injection vulnerability in ftpd in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. Published: April 01, 2019; 11:29:00 AM -0400 |
V4.0:(not available) V3.0: 8.8 HIGH V2.0: 9.0 HIGH |
CVE-2018-13284 |
Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. Published: April 01, 2019; 11:29:00 AM -0400 |
V4.0:(not available) V3.0: 8.8 HIGH V2.0: 9.0 HIGH |
CVE-2018-13283 |
Lack of administrator control over security vulnerability in client.cgi in Synology SSL VPN Client before 1.2.5-0226 allows remote attackers to conduct man-in-the-middle attacks via the (1) command, (2) hostname, or (3) port parameter. Published: April 01, 2019; 11:29:00 AM -0400 |
V4.0:(not available) V3.0: 7.4 HIGH V2.0: 5.8 MEDIUM |
CVE-2017-16775 |
Improper restriction of rendered UI layers or frames vulnerability in SSOOauth.cgi in Synology SSO Server before 2.1.3-0129 allows remote attackers to conduct clickjacking attacks via unspecified vectors. Published: April 01, 2019; 11:29:00 AM -0400 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 5.8 MEDIUM |
CVE-2017-16774 |
Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter. Published: April 01, 2019; 11:29:00 AM -0400 |
V4.0:(not available) V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2019-1002101 |
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0. Published: April 01, 2019; 10:29:00 AM -0400 |
V4.0:(not available) V3.0: 5.5 MEDIUM V2.0: 5.8 MEDIUM |
CVE-2019-1002100 |
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server. Published: April 01, 2019; 10:29:00 AM -0400 |
V4.0:(not available) V3.1: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2014-7198 |
OMERO before 5.0.6 has multiple CSRF vulnerabilities because the framework for OMERO's web interface lacks CSRF protection. Published: March 31, 2019; 8:29:00 PM -0400 |
V4.0:(not available) V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2019-10678 |
Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options. Published: March 31, 2019; 5:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2019-10672 |
treeRead in hdf/btree.c in libmysofa before 0.7 does not properly validate multiplications and additions. Published: March 31, 2019; 1:29:00 PM -0400 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2019-10664 |
Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp. Published: March 31, 2019; 10:29:00 AM -0400 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2019-10663 |
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI. Published: March 30, 2019; 1:29:00 PM -0400 |
V4.0:(not available) V3.0: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2019-10662 |
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI. Published: March 30, 2019; 1:29:00 PM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 9.0 HIGH |
CVE-2019-10661 |
On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password. Published: March 30, 2019; 1:29:00 PM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 10.0 HIGH |
CVE-2019-10660 |
Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field. Published: March 30, 2019; 1:29:00 PM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2019-10659 |
Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field. Published: March 30, 2019; 1:29:00 PM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2019-10658 |
Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call. Published: March 30, 2019; 1:29:00 PM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |