National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

There are 129,662 matching records.
Displaying matches 1361 through 1380.
Vuln ID Summary CVSS Severity
CVE-2019-20071

On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete all logs.

Published: December 29, 2019; 07:15:11 PM -05:00
V3.1: 6.5 MEDIUM
    V2: 5.8 MEDIUM
CVE-2019-20070

On Netis DL4323 devices, XSS exists via the urlFQDN parameter to form2url.cgi (aka the Keyword field of the URL Blocking Configuration).

Published: December 29, 2019; 07:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20063

hdf/dataobject.c in libmysofa before 0.8 has an uninitialized use of memory, as demonstrated by mysofa2json.

Published: December 29, 2019; 03:15:28 PM -05:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2019-20058

** DISPUTED ** Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS because unsanitized search?search= input is shown on the _profiler page. NOTE: this is disputed because profiling was never intended for use in production. This is related to CVE-2018-12040.

Published: December 29, 2019; 02:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20057

com.proxyman.NSProxy.HelperTool in Privileged Helper Tool in Proxyman for macOS 1.11.0 and earlier allows an attacker to change the System Proxy and redirect all traffic to an attacker-controlled computer, enabling MITM attacks.

Published: December 29, 2019; 02:15:11 PM -05:00
V3.1: 3.7 LOW
    V2: 4.3 MEDIUM
CVE-2019-20056

stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has an assertion failure in stbi__shiftsigned.

Published: December 29, 2019; 02:15:11 PM -05:00
V3.1: 6.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20055

LuquidPixels LiquiFire OS 4.8.0 allows SSRF via the call%3Durl substring followed by a URL in square brackets.

Published: December 29, 2019; 12:15:11 AM -05:00
V3.1: 6.5 MEDIUM
    V2: 6.4 MEDIUM
CVE-2019-20054

In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e.

Published: December 28, 2019; 12:15:11 AM -05:00
V3.1: 5.5 MEDIUM
    V2: 4.9 MEDIUM
CVE-2019-20053

An invalid memory address dereference was discovered in the canUnpack function in p_mach.cpp in UPX 3.95 via a crafted Mach-O file.

Published: December 27, 2019; 05:15:11 PM -05:00
V3.1: 5.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20052

A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 because SafeMulDims does not consider the rank==0 case.

Published: December 27, 2019; 05:15:11 PM -05:00
V3.1: 6.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20051

A floating-point exception was discovered in PackLinuxElf::elf_hash in p_lx_elf.cpp in UPX 3.95. The vulnerability causes an application crash, which leads to denial of service.

Published: December 27, 2019; 05:15:11 PM -05:00
V3.1: 5.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2014-6420

Cross-site scripting (XSS) vulnerability in Livefyre LiveComments 3.0 allows remote attackers to inject arbitrary web script or HTML via the name of an uploaded picture.

Published: December 27, 2019; 04:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2014-5289

Buffer overflow in Senkas Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a POST request.

Published: December 27, 2019; 04:15:11 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2014-3136

Cross-site request forgery (CSRF) vulnerability in D-Link DWR-113 (Rev. Ax) with firmware before 2.03b02 allows remote attackers to hijack the authentication of administrators for requests that change the admin password via unspecified vectors.

Published: December 27, 2019; 04:15:10 PM -05:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2012-4980

Multiple stack-based buffer overflows in CFProfile.exe in Toshiba ConfigFree Utility 8.0.38 allow user-assisted attackers to execute arbitrary code.

Published: December 27, 2019; 04:15:10 PM -05:00
V3.1: 7.8 HIGH
    V2: 6.8 MEDIUM
CVE-2014-4550

Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter.

Published: December 27, 2019; 03:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2014-4536

Multiple cross-site scripting (XSS) vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter.

Published: December 27, 2019; 03:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2014-4535

Cross-site scripting (XSS) vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php.

Published: December 27, 2019; 03:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20049

An issue was discovered on Alcatel-Lucent OmniVista 4760 devices. A remote unauthenticated attacker can chain a directory traversal (which helps to bypass authentication) with an insecure file upload to achieve Remote Code Execution as SYSTEM. The directory traversal is in the __construct() whereas the insecure file upload is in SetSkinImages().

Published: December 27, 2019; 02:15:12 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 10.0 HIGH
CVE-2019-20048

An issue was discovered on Alcatel-Lucent OmniVista 8770 devices before 4.1.2. An authenticated remote attacker, with elevated privileges in the Web Directory component on port 389, may upload a PHP file to achieve Remote Code Execution as SYSTEM.

Published: December 27, 2019; 02:15:12 PM -05:00
V3.1: 7.2 HIGH
    V2: 9.0 HIGH