CVE List - 2019 / March
Showing 601 - 700 of 1194 CVEs for March 2019 (Page 7 of 12)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-7222 | 2019-03-17 | The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. |
| CVE-2018-13103 | 2019-03-17 | OX App Suite 7.8.4 and earlier allows SSRF. |
| CVE-2018-17996 | 2019-03-17 | LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/. |
| CVE-2018-19694 | 2019-03-17 | HMS Industrial Networks Netbiter WS100 3.30.5 devices and previous have reflected XSS in the login form. |
| CVE-2018-13104 | 2019-03-17 | OX App Suite 7.8.4 and earlier allows XSS. Internal reference: 58742 (Bug ID) |
| CVE-2018-17997 | 2019-03-17 | LayerBB 1.1.1 allows XSS via the titles of conversations (PMs). |
| CVE-2019-7383 | 2019-03-17 | An issue was discovered on Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W devices with firmware V1.1-R2.1_TRUNK-20181105.bin. A shell command injection occurs by editing the description of an ISP file. The file... |
| CVE-2019-7384 | 2019-03-17 | An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below. The value of the... |
| CVE-2018-19783 | 2019-03-17 | Kentix MultiSensor-LAN 5.63.00 devices and previous allow Authentication Bypass via an Alternate Path or Channel. |
| CVE-2018-18435 | 2019-03-17 | KioWare Server version 4.9.6 and older installs by default to "C:\kioware_com" with weak folder permissions granting any user full permission "Everyone: (F)" to the contents of the directory and its... |
| CVE-2019-8934 | 2019-03-17 | hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest. |
| CVE-2019-7385 | 2019-03-17 | An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below. The values of the... |
| CVE-2018-6517 | 2019-03-17 | Prior to version 0.3.0, chloride's use of net-ssh resulted in host fingerprints for previously unknown hosts getting added to the user's known_hosts file without confirmation. In version 0.3.0 this is... |
| CVE-2018-11747 | 2019-03-17 | Previously, Puppet Discovery was shipped with a default generated TLS certificate in the nginx container. In version 1.4.0, a unique certificate will be generated on installation or the user will... |
| CVE-2018-18762 | 2019-03-17 | SaltOS 3.1 r8126 contains a database download vulnerability. |
| CVE-2018-19917 | 2019-03-17 | Microweber 1.0.8 has reflected cross-site scripting (XSS) vulnerabilities. |
| CVE-2019-7386 | 2019-03-17 | A Denial of Service issue has been discovered in the Gecko component of KaiOS 2.5 10.05 (platform 48.0.a2) on Nokia 8810 4G devices. When a crafted web page is visited... |
| CVE-2019-5417 | 2019-03-17 | A path traversal vulnerability in serve npm package version 7.0.1 allows the attackers to read content of arbitrary files on the remote server. |
| CVE-2019-5415 | 2019-03-17 | A bug in handling the ignore files and directories feature in serve 6.5.3 allows an attacker to read a file or list the directory that the victim has not allowed... |
| CVE-2019-7391 | 2019-03-17 | ZyXEL VMG3312-B10B DSL-491HNU-B1B v2 devices allow login/login-page.cgi CSRF. |
| CVE-2018-18798 | 2019-03-17 | Attendance Monitoring System 1.0 has SQL Injection via the 'id' parameter to student/index.php?view=view, event/index.php?view=view, and user/index.php?view=view. |
| CVE-2019-5416 | 2019-03-17 | A path traversal vulnerability in localhost-now npm package version 1.0.2 allows the attackers to read content of arbitrary files on the remote server. |
| CVE-2018-19934 | 2019-03-17 | SolarWinds Serv-U FTP Server 15.1.6.25 has reflected cross-site scripting (XSS) in the Web management interface via URL path and HTTP POST parameter. |
| CVE-2019-5413 | 2019-03-17 | An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1. |
| CVE-2019-7416 | 2019-03-17 | XSS and/or a Client Side URL Redirect exists in OpenText Documentum Webtop 5.3 SP2. The parameter startat in "/webtop/help/en/default.htm" is vulnerable. |
| CVE-2019-7417 | 2019-03-17 | XSS exists in Ericsson Active Library Explorer (ALEX) 14.3 in multiple parameters in the "/cgi-bin/alexserv" servlet, as demonstrated by the DB, FN, fn, or id parameter. |
| CVE-2019-5414 | 2019-03-17 | If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in... |
| CVE-2019-7418 | 2019-03-17 | XSS exists in SAMSUNG X7400GX SyncThru Web Service V6.A6.25 V11.01.05.25_08-21-2015 in "/sws/swsAlert.sws" in multiple parameters: flag, frame, func, and Nfunc. |
| CVE-2018-18845 | 2019-03-17 | internal/advanced_comment_system/index.php and internal/advanced_comment_system/admin.php in Advanced Comment System, version 1.0, contain a reflected cross-site scripting vulnerability via ACS_path. A remote unauthenticated attacker could potentially exploit this vulnerability to supply malicious HTML... |
| CVE-2018-19985 | 2019-03-17 | The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in... |
| CVE-2019-7419 | 2019-03-17 | XSS exists in SAMSUNG X7400GX SyncThru Web Service V6.A6.25 V11.01.05.25_08-21-2015 in "/sws/leftmenu.sws" in multiple parameters: ruiFw_id, ruiFw_pid, ruiFw_title. |
| CVE-2018-20121 | 2019-03-17 | Podcast Generator 2.7 has stored cross-site scripting (XSS) via the URL addcategory parameter. |
| CVE-2018-18849 | 2019-03-17 | In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. |
| CVE-2019-7420 | 2019-03-17 | XSS exists in SAMSUNG X7400GX SyncThru Web Service V6.A6.25 V11.01.05.25_08-21-2015 in "/sws.application/information/networkinformationView.sws" in the tabName parameter. |
| CVE-2019-7421 | 2019-03-17 | XSS exists in SAMSUNG X7400GX SyncThru Web Service V6.A6.25 V11.01.05.25_08-21-2015 in "/sws.login/gnb/loginView.sws" in multiple parameters: contextpath and basedURL. |
| CVE-2018-20140 | 2019-03-17 | Zenphoto 1.4.14 has multiple cross-site scripting (XSS) vulnerabilities via different URL parameters. |
| CVE-2019-7422 | 2019-03-17 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/addMailSettings.jsp" file in the gF parameter. |
| CVE-2019-7423 | 2019-03-17 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/editProfile.jsp" file in the userName parameter. |
| CVE-2018-20141 | 2019-03-17 | AbanteCart 1.2.12 has reflected cross-site scripting (XSS) via the sort parameter, as demonstrated by a /apparel--accessories?sort= substring. |
| CVE-2019-7424 | 2019-03-17 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/index.jsp" file in the view GET parameter or any of these POST parameters: autorefTime, section, snapshot, viewOpt,... |
| CVE-2018-20340 | 2019-03-17 | Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which could enable a malicious token to exploit a buffer overflow. An attacker could use this to attempt to execute malicious code... |
| CVE-2019-7425 | 2019-03-17 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the task parameter. |
| CVE-2018-20162 | 2019-03-17 | Digi TransPort LR54 4.4.0.26 and possible earlier devices have Improper Input Validation that allows users with 'super' CLI access privileges to bypass a restricted shell and execute arbitrary commands as... |
| CVE-2018-18862 | 2019-03-17 | BMC Remedy Mid-Tier 7.1.00 and 9.1.02.003 for BMC Remedy AR System has Incorrect Access Control in ITAM forms, as demonstrated by TLS%3APLR-Configuration+Details/Default+Admin+View/, AST%3AARServerConnection/Default+Admin+View/, and AR+System+Administration%3A+Server+Information/Default+Admin+View/. |
| CVE-2018-20212 | 2019-03-17 | bin/statistics in TWiki 6.0.2 allows cross-site scripting (XSS) via the webs parameter. |
| CVE-2018-20218 | 2019-03-17 | An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. The login form passes user input directly to a shell command without any kind of escaping or... |
| CVE-2018-20219 | 2019-03-17 | An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. After successful authentication, the device sends an authentication cookie to the end user such that they can... |
| CVE-2018-20220 | 2019-03-17 | An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. While the web interface requires authentication before it can be interacted with, a large portion of the... |
| CVE-2018-20221 | 2019-03-17 | Secure/SAService.rem in Deltek Ajera Timesheets 9.10.16 and prior are vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code will run as... |
| CVE-2018-18881 | 2019-03-17 | A Denial of Service (DOS) issue was discovered in ControlByWeb X-320M-I Web-Enabled Instrumentation-Grade Data Acquisition module 1.05 with firmware revision v1.05. An authenticated user can configure invalid network settings, stopping... |
| CVE-2018-18882 | 2019-03-17 | A stored cross-site scripting (XSS) issue was discovered in ControlByWeb X-320M-I Web-Enabled Instrumentation-Grade Data Acquisition module 1.05 with firmware revision v1.05. An authenticated user can inject arbitrary script via setup.html... |
| CVE-2018-14486 | 2019-03-17 | DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via XML. |
| CVE-2018-18898 | 2019-03-17 | The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing. |
| CVE-2018-14575 | 2019-03-17 | Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject. |
| CVE-2018-19158 | 2019-03-17 | ColossusCoinXT through 1.0.5 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker... |
| CVE-2018-15532 | 2019-03-17 | SynTP.sys in Synaptics Touchpad drivers before 2018-06-06 allows local users to obtain sensitive information about freed kernel addresses. |
| CVE-2018-19191 | 2019-03-17 | Webmin 1.890 has XSS via /config.cgi?webmin, the /shell/index.cgi history parameter, /shell/index.cgi?stripped=1, or the /webminlog/search.cgi uall or mall parameter. |
| CVE-2018-19276 | 2019-03-17 | OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a... |
| CVE-2018-15818 | 2019-03-17 | An issue was discovered in Repute ARForms 3.5.1 and prior. An attacker is able to delete any file on the server with web server privileges by sending a malicious request... |
| CVE-2018-15906 | 2019-03-17 | SolarWinds Serv-U FTP Server 15.1.6 allows remote authenticated users to execute arbitrary code by leveraging the Import feature and modifying a CSV file. |
| CVE-2018-19487 | 2019-03-17 | The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_employer_ajax_profile() function through the admin-ajax.php file, which allows remote unauthenticated attackers to enumerate information... |
| CVE-2018-19488 | 2019-03-17 | The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_reset_pass() function through the admin-ajax.php file, which allows remote unauthenticated attackers to reset the... |
| CVE-2018-20323 | 2019-03-17 | www/soap/application/MCSoap/Logs.php in MailCleaner Community Edition 2018.08 allows remote attackers to execute arbitrary OS commands. |
| CVE-2018-16519 | 2019-03-17 | COYO 9.0.8, 10.0.11 and 12.0.4 has cross-site scripting (XSS) via URLs used by "iFrame" widgets. |
| CVE-2018-19498 | 2019-03-17 | The Simplenia Pages plugin 2.6.0 for Atlassian Bitbucket Server has XSS. |
| CVE-2018-19509 | 2019-03-17 | wg7.php in Webgalamb 7.0 makes opportunistic calls to htmlspecialchars() instead of using a templating engine with proper contextual encoding. Because it is possible to insert arbitrary strings into the database,... |
| CVE-2018-19510 | 2019-03-17 | subscriber.php in Webgalamb through 7.0 is vulnerable to SQL injection via the Client-IP HTTP request header. |
| CVE-2018-19511 | 2019-03-17 | wg7.php in Webgalamb 7.0 lacks security measures to prevent CSRF attacks, as demonstrated by wg7.php?options=1 to change the administrator password. |
| CVE-2018-19512 | 2019-03-17 | In Webgalamb through 7.0, a system/ajax.php "wgmfile restore" directory traversal vulnerability could lead to arbitrary code execution by authenticated administrator users, because PHP files are restored under the document root... |
| CVE-2018-19513 | 2019-03-17 | In Webgalamb through 7.0, log files are exposed to the internet with predictable files/logs/sql_error_log/YYYY-MM-DD-sql_error_log.log filenames. The log file could contain sensitive client data (email addresses) and also facilitates exploitation of... |
| CVE-2018-19514 | 2019-03-17 | In Webgalamb through 7.0, an arbitrary code execution vulnerability could be exploited remotely without authentication. Exploitation requires authentication bypass to access administrative functions of the site to upload a crafted... |
| CVE-2018-11767 | 2019-03-18 | In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms. |
| CVE-2018-11789 | 2019-03-18 | When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host. An example would be modifying the parameter path=... |
| CVE-2016-9166 | 2019-03-18 | NetIQ eDirectory versions prior to 9.0.2, under some circumstances, could be susceptible to downgrade of communication security. |
| CVE-2019-9857 | 2019-03-18 | In the Linux kernel through 5.0.2, the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark(), which will cause a memory leak (aka refcount leak). Finally, this... |
| CVE-2018-20525 | 2019-03-18 | Roxy Fileman 1.4.5 allows Directory Traversal in copydir.php, copyfile.php, and fileslist.php. |
| CVE-2018-20526 | 2019-03-18 | Roxy Fileman 1.4.5 allows unrestricted file upload in upload.php. |
| CVE-2018-20555 | 2019-03-18 | The Design Chemical Social Network Tabs plugin 1.7.1 for WordPress allows remote attackers to discover Twitter access_token, access_token_secret, consumer_key, and consumer_secret values by reading the dcwp_twitter.php source code. This leads... |
| CVE-2018-20556 | 2019-03-18 | SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter. |
| CVE-2018-20615 | 2019-03-18 | An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x through 1.9.0 which can result in a crash. The processing of the PRIORITY flag... |
| CVE-2018-20669 | 2019-03-18 | An issue where a provided address with access_ok() is not checked was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through 4.19.13. A local attacker can craft a malicious... |
| CVE-2019-3495 | 2019-03-18 | An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. network/mesh/edit-nds.php is vulnerable to arbitrary file upload, allowing an attacker to upload .php files and execute code on... |
| CVE-2019-3496 | 2019-03-18 | An issue was discovered on Wifi-soft UniBox controller 3.x devices. The tools/controller/diagnostic_tools_controller Diagnostic Tools Controller is vulnerable to Remote Command Execution, allowing an attacker to execute arbitrary system commands on... |
| CVE-2019-3497 | 2019-03-18 | An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. The tools/ping Ping feature of the Diagnostic Tools component is vulnerable to Remote Command Execution, allowing an attacker... |
| CVE-2019-6724 | 2019-03-18 | The barracudavpn component of the Barracuda VPN Client prior to version 5.0.2.7 for Linux, macOS, and OpenBSD runs as a privileged process and can allow an unprivileged local attacker to... |
| CVE-2018-14724 | 2019-03-18 | In the Ban List plugin 1.0 for MyBB, any forum user with mod privileges can ban users and input an XSS payload into the ban reason, which is executed on... |
| CVE-2019-7299 | 2019-03-18 | A stored cross-site scripting (XSS) vulnerability in the submit_ticket.php module in the WP Support Plus Responsive Ticket System plugin 9.1.1 for WordPress allows remote attackers to inject arbitrary web script... |
| CVE-2018-19365 | 2019-03-18 | The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request. |
| CVE-2018-18466 | 2019-03-18 | An issue was discovered in SecurEnvoy SecurAccess 9.3.502. When put in Debug mode and used for RDP connections, the application stores the emergency credentials in cleartext in the logs (present... |
| CVE-2018-20737 | 2019-03-18 | An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product. |
| CVE-2018-20736 | 2019-03-18 | An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. A DOM-based XSS exists in the store part of the product. |
| CVE-2019-6970 | 2019-03-18 | Moodle 3.5.x before 3.5.4 allows SSRF. |
| CVE-2019-7161 | 2019-03-18 | An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any... |
| CVE-2019-6492 | 2019-03-18 | SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC4 is called. This kernel pointer... |
| CVE-2019-9093 | 2019-03-18 | A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in file/file/upload in Humhub 1.3.10 Community Edition. The user-supplied input containing a JavaScript payload in the filename parameter is echoed back,... |
| CVE-2019-9094 | 2019-03-18 | A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in /s/adada/cfiles/upload in Humhub 1.3.10 Community Edition. The user-supplied input containing JavaScript in the filename is echoed back in JavaScript code,... |
| CVE-2018-1836 | 2019-03-19 | IBM WebSphere MQ 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.1.0.0, and 9.1.0.1 console is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus... |
| CVE-2019-4094 | 2019-03-19 | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 binaries load shared libraries from an untrusted path potentially giving low privilege user full... |
| CVE-2019-9867 | 2019-03-19 | An issue was discovered in the Web Console in Veritas NetBackup Appliance through 3.1.2. The proxy server password is displayed to an administrator. |
| CVE-2019-9868 | 2019-03-19 | An issue was discovered in the Web Console in Veritas NetBackup Appliance through 3.1.2. The SMTP password is displayed to an administrator. |