Total
1756 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12425 | 1 Apache | 1 Ofbiz | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host | |||||
| CVE-2019-12416 | 1 Apache | 1 Deltaspike | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| we got reports for 2 injection attacks against the DeltaSpike windowhandler.js. This is only active if a developer selected the ClientSideWindowStrategy which is not the default. | |||||
| CVE-2019-12303 | 1 Suse | 1 Rancher | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In Rancher 2 through 2.2.3, Project owners can inject additional fluentd configuration to read files or execute arbitrary commands inside the fluentd container. | |||||
| CVE-2019-11718 | 2 Mozilla, Opensuse | 2 Firefox, Leap | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snipper Service were compromised. This vulnerability affects Firefox < 68. | |||||
| CVE-2019-11354 | 1 Ea | 1 Origin | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices communication. | |||||
| CVE-2019-11282 | 2 Cloudfoundry, Pivotal Software | 2 Cf-deployment, Cloud Foundry Uaa | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA. | |||||
| CVE-2019-11277 | 1 Cloudfoundry | 2 Cf-deployment, Nfs Volume Release | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation, facilitating the malicious space developer to deny service or perform a dictionary attack. | |||||
| CVE-2019-11275 | 2 Pivotal, Pivotal Software | 2 Apps Manager, Pivotal Application Service | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege. | |||||
| CVE-2019-11073 | 1 Paessler | 1 Prtg Network Monitor | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A Remote Code Execution vulnerability exists in PRTG Network Monitor before 19.4.54.1506 that allows attackers to execute code due to insufficient sanitization when passing arguments to the HttpTransactionSensor.exe binary. In order to exploit the vulnerability, remote authenticated administrators need to create a new HTTP Transaction Sensor and set specific settings when the sensor is executed. | |||||
| CVE-2019-11045 | 6 Canonical, Debian, Fedoraproject and 3 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. | |||||
| CVE-2019-10795 | 1 Undefsafe Project | 1 Undefsafe | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | |||||
| CVE-2019-10794 | 1 Component-flatten Project | 1 Component-flatten | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | |||||
| CVE-2019-10793 | 1 Dot-object Project | 1 Dot-object | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | |||||
| CVE-2019-10792 | 1 Bodymen Project | 1 Bodymen | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | |||||
| CVE-2019-10665 | 1 Librenms | 1 Librenms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in LibreNMS through 1.47. The scripts that handle the graphing options (html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php script. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, file content, denial of service, or writing arbitrary files. | |||||
| CVE-2019-10074 | 1 Apache | 1 Ofbiz | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533 | |||||
| CVE-2019-1020006 | 1 Inveniosoftware | 1 Invenio-app | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| invenio-app before 1.1.1 allows host header injection. | |||||
| CVE-2019-1010310 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 3.5 LOW | 3.5 LOW |
| GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description .. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1. | |||||
| CVE-2019-0319 | 1 Sap | 2 Gateway, Ui5 | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. An attacker could thus mislead a user to believe this information is from the legitimate service when it's not. | |||||
| CVE-2019-0304 | 1 Sap | 5 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl32nuc, Advanced Business Application Programming Platform Krnl32uc and 2 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| FTP Function of SAP NetWeaver AS ABAP Platform, versions- KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.45, 7.49, 7.53, 7.73, allows an attacker to inject code or specifically manipulated command that can be executed by the application. An attacker could thereby control the behaviour of the application. | |||||