All CVEs — 2019 (Page 2/123)

Browse all CVEs by publication year. Use filters to refine.

CVSS ≥ 0.0

2019-12-30

High

CVE-2019-20074

On Netis DL4323 devices, any user role can view sensitive information, such as a user password or the FTP password, via the form2saveConf.cgi page.

CVSS: 8.8 CWE: CWE-269

Medium

CVE-2019-20073

On Netis DL4323 devices, XSS exists via the form2userconfig.cgi username parameter (User Account Configuration).

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2019-20072

On Netis DL4323 devices, XSS exists via the form2Ddns.cgi hostname parameter (Dynamic DNS Configuration).

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2019-20071

On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete all logs.

CVSS: 6.5 CWE: CWE-352

Medium

CVE-2019-20070

On Netis DL4323 devices, XSS exists via the urlFQDN parameter to form2url.cgi (aka the Keyword field of the URL Blocking Configuration).

CVSS: 6.1 CWE: CWE-79

2019-12-29

High

CVE-2019-20063

hdf/dataobject.c in libmysofa before 0.8 has an uninitialized use of memory, as demonstrated by mysofa2json.

CVSS: 8.8 CWE: CWE-665

Medium

CVE-2019-20058

Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS because unsanitized search?search= input is shown on the _profiler page. NOTE: this is disputed because profiling was never intended for use in…

CVSS: 6.1 CWE: CWE-79

Low

CVE-2019-20057

com.proxyman.NSProxy.HelperTool in Privileged Helper Tool in Proxyman for macOS 1.11.0 and earlier allows an attacker to change the System Proxy and redirect all traffic to an attacker-controlled com…

CVSS: 3.7 CWE: CWE-345

Medium

CVE-2019-20056

stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has an assertion failure in stbi__shiftsigned.

CVSS: 6.5 CWE: CWE-617

Medium

CVE-2019-20055

LuquidPixels LiquiFire OS 4.8.0 allows SSRF via the call%3Durl substring followed by a URL in square brackets.

CVSS: 6.5 CWE: CWE-918

2019-12-28

Medium

CVE-2019-20054

In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e.

CVSS: 5.5 CWE: CWE-476

2019-12-27

Medium

CVE-2019-20053

An invalid memory address dereference was discovered in the canUnpack function in p_mach.cpp in UPX 3.95 via a crafted Mach-O file.

CVSS: 5.5 CWE: CWE-119

Medium

CVE-2019-20052

A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 because SafeMulDims does not consider the rank==0 case.

CVSS: 6.5 CWE: CWE-401

Medium

CVE-2019-20051

A floating-point exception was discovered in PackLinuxElf::elf_hash in p_lx_elf.cpp in UPX 3.95. The vulnerability causes an application crash, which leads to denial of service.

CVSS: 5.5 CWE: CWE-682

Medium

CVE-2014-6420

Cross-site scripting (XSS) vulnerability in Livefyre LiveComments 3.0 allows remote attackers to inject arbitrary web script or HTML via the name of an uploaded picture.

CVSS: 6.1 CWE: CWE-79

Critical

CVE-2014-5289

Buffer overflow in Senkas Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a POST request.

CVSS: 9.8 CWE: CWE-20

High

CVE-2014-3136

Cross-site request forgery (CSRF) vulnerability in D-Link DWR-113 (Rev. Ax) with firmware before 2.03b02 allows remote attackers to hijack the authentication of administrators for requests that chang…

CVSS: 8.8 CWE: CWE-352

High

CVE-2012-4980

Multiple stack-based buffer overflows in CFProfile.exe in Toshiba ConfigFree Utility 8.0.38 allow user-assisted attackers to execute arbitrary code.

CVSS: 7.8 CWE: CWE-787

Medium

CVE-2014-4550

Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML v…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2014-4536

Multiple cross-site scripting (XSS) vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers t…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2014-4535

Cross-site scripting (XSS) vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to g…

CVSS: 6.1 CWE: CWE-79

High

CVE-2019-20048

An issue was discovered on Alcatel-Lucent OmniVista 8770 devices before 4.1.2. An authenticated remote attacker, with elevated privileges in the Web Directory component on port 389, may upload a PHP…

CVSS: 7.2 CWE: CWE-434

High

CVE-2019-20047

An issue was discovered on Alcatel-Lucent OmniVista 4760 devices, and 8770 devices before 4.1.2. An incorrect web server configuration allows a remote unauthenticated attacker to retrieve the content…

CVSS: 7.5 CWE: CWE-522

Medium

CVE-2014-4567

Cross-site scripting (XSS) vulnerability in comments/videowhisper2/r_logout.php in the Video Comments Webcam Recorder plugin 1.55, as downloaded before 20140116 for WordPress allows remote attackers…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2014-4558

Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2014-4548

Cross-site scripting (XSS) vulnerability in tinymce/popup.php in the Ruven Toolkit plugin 1.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the popup pa…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2014-4544

Cross-site scripting (XSS) vulnerability in the Podcast Channels plugin 0.20 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the Filename parameter to get…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2014-4539

Cross-site scripting (XSS) vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/d…

CVSS: 6.1 CWE: CWE-79

Critical

CVE-2013-5027

Collabtive 1.0 has incorrect access control

CVSS: 9.8 CWE: CWE-269

Critical

CVE-2007-0158

thttpd 2007 has buffer underflow.

CVSS: 9.8 CWE: CWE-787

Medium

CVE-2014-4592

Cross-site scripting (XSS) vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2014-4519

Cross-site scripting (XSS) vulnerability in the Conversador plugin 2.61 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the 'page' parameter.

CVSS: 6.1 CWE: CWE-79

High

CVE-2013-4985

Multiple Vivotek IP Cameras remote authentication bypass that could allow access to the video stream

CVSS: 7.5 CWE: CWE-863

Critical

CVE-2013-4982

AVTECH AVN801 DVR has a security bypass via the administration login captcha

CVSS: 9.8 CWE: CWE-287

Critical

CVE-2013-4976

Hikvision DS-2CD7153-E IP Camera has security bypass via hardcoded credentials

CVSS: 9.8 CWE: CWE-287

High

CVE-2013-4975

Hikvision DS-2CD7153-E IP Camera has Privilege Escalation

CVSS: 8.8 CWE: CWE-269

Medium

CVE-2013-4868

Karotz API 12.07.19.00: Session Token Information Disclosure

CVSS: 5.3 CWE: CWE-200

Medium

CVE-2013-4867

Electronic Arts Karotz Smart Rabbit 12.07.19.00 allows Python module hijacking

CVSS: 6.3 CWE: CWE-269

High

CVE-2013-4859

INSTEON Hub 2242-222 lacks Web and API authentication

CVSS: 8.1 CWE: CWE-276

High

CVE-2013-4796

ReviewBoard 1.6.17 allows code execution by attaching PHP scripts to review request

CVSS: 8.8 CWE: CWE-434

Medium

CVE-2013-4764

Samsung Galaxy S3/S4 exposes an unprotected component allowing an unprivileged app to send arbitrary SMS texts to arbitrary destinations without permission.

CVSS: 4.3 CWE: CWE-276

Medium

CVE-2013-4763

Samsung Galaxy S3/S4 exposes an unprotected component allowing arbitrary SMS text messages without requesting permission.

CVSS: 4.6 CWE: CWE-276

Critical

CVE-2013-4743

Static HTTP Server 1.0 has a Local Overflow

CVSS: 9.8 CWE: CWE-120

Medium

CVE-2013-4692

Xorbin Analog Flash Clock 1.0 extension for Joomia has XSS

CVSS: 6.1 CWE: CWE-79

Critical

CVE-2013-4621

Magnolia CMS before 4.5.9 has multiple access bypass vulnerabilities

CVSS: 9.8 CWE: CWE-287

High

CVE-2019-16896

In K7 Ultimate Security 16.0.0117, the module K7BKCExt.dll (aka the backup module) improperly validates the administrative privileges of the user, allowing an arbitrary file write via a symbolic link…

CVSS: 7.8 CWE: CWE-59

High

CVE-2013-4695

Winamp 5.63: Invalid Pointer Dereference leading to Arbitrary Code Execution

CVSS: 7.8 CWE: CWE-763

Medium

CVE-2013-4693

WordPress Xorbin Digital Flash Clock 1.0 has XSS

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2013-4691

Sencha Labs Connect has XSS with connect.methodOverride()

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2013-4665

SPBAS Business Automation Software 2012 has CSRF.

CVSS: 6.5 CWE: CWE-352

Medium

CVE-2013-4664

SPBAS Business Automation Software 2012 has XSS.

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-1000029

Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would potentially impact other admins (Tenable IDs 5218 and 5269).

CVSS: 4.8 CWE: CWE-79

Medium

CVE-2016-1000028

Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would only potentially impact other admins. (Tenable ID 5198).

CVSS: 4.8 CWE: CWE-79

Critical

CVE-2019-19781

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

CVSS: 9.8 CWE: CWE-22

Medium

CVE-2014-4559

Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web sc…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2014-4525

Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slashbox.php in the Ebay Feeds for WordPress plugin 1.1 and earlier for WordPress allows remote attackers to inject arbitrary web scr…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2014-4523

Cross-site scripting (XSS) vulnerability in the Easy Career Openings plugin 0.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2019-20043

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or…

CVSS: 4.3 CWE: CWE-269

Medium

CVE-2019-20042

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has b…

CVSS: 6.1 CWE: CWE-79

Critical

CVE-2019-20041

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colo…

CVSS: 9.8 CWE: CWE-20

Medium

CVE-2019-20024

A heap-based buffer overflow was discovered in image_buffer_resize in fromsixel.c in libsixel before 1.8.4.

CVSS: 6.5 CWE: CWE-787

Medium

CVE-2019-20023

A memory leak was discovered in image_buffer_resize in fromsixel.c in libsixel 1.8.4.

CVSS: 6.5 CWE: CWE-401

Medium

CVE-2019-20022

An invalid memory address dereference was discovered in load_pnm in frompnm.c in libsixel before 1.8.3.

CVSS: 6.5 CWE: CWE-672

Medium

CVE-2019-20021

A heap-based buffer over-read was discovered in canUnpack in p_mach.cpp in UPX 3.95 via a crafted Mach-O file.

CVSS: 5.5 CWE: CWE-125

Medium

CVE-2019-20020

A stack-based buffer over-read was discovered in ReadNextStructField in mat5.c in matio 1.5.17.

CVSS: 6.5 CWE: CWE-125

Medium

CVE-2019-20019

An attempted excessive memory allocation was discovered in Mat_VarRead5 in mat5.c in matio 1.5.17.

CVSS: 6.5 CWE: CWE-770

Medium

CVE-2019-20018

A stack-based buffer over-read was discovered in ReadNextCell in mat5.c in matio 1.5.17.

CVSS: 6.5 CWE: CWE-125

Medium

CVE-2019-20017

A stack-based buffer over-read was discovered in Mat_VarReadNextInfo5 in mat5.c in matio 1.5.17.

CVSS: 6.5 CWE: CWE-125

Medium

CVE-2019-20016

libmysofa before 2019-11-24 does not properly restrict recursive function calls, as demonstrated by reports of stack consumption in readOHDRHeaderMessageDatatype in dataobject.c and directblockRead i…

CVSS: 6.5 CWE: CWE-787

Medium

CVE-2019-20015

An issue was discovered in GNU LibreDWG 0.92. Crafted input will lead to an attempted excessive memory allocation in dwg_decode_LWPOLYLINE_private in dwg.spec.

CVSS: 6.5 CWE: CWE-770

High

CVE-2019-20014

An issue was discovered in GNU LibreDWG before 0.93. There is a double-free in dwg_free in free.c.

CVSS: 8.8 CWE: CWE-415

Medium

CVE-2019-20013

An issue was discovered in GNU LibreDWG before 0.93. Crafted input will lead to an attempted excessive memory allocation in decode_3dsolid in dwg.spec.

CVSS: 6.5 CWE: CWE-770

Medium

CVE-2019-20012

An issue was discovered in GNU LibreDWG 0.92. Crafted input will lead to an attempted excessive memory allocation in dwg_decode_HATCH_private in dwg.spec.

CVSS: 6.5 CWE: CWE-770

High

CVE-2019-20011

An issue was discovered in GNU LibreDWG 0.92. There is a heap-based buffer over-read in decode_R13_R2000 in decode.c.

CVSS: 8.8 CWE: CWE-125

High

CVE-2019-20010

An issue was discovered in GNU LibreDWG 0.92. There is a use-after-free in resolve_objectref_vector in decode.c.

CVSS: 8.8 CWE: CWE-416

Medium

CVE-2019-20009

An issue was discovered in GNU LibreDWG before 0.93. Crafted input will lead to an attempted excessive memory allocation in dwg_decode_SPLINE_private in dwg.spec.

CVSS: 6.5 CWE: CWE-770

2019-12-26

Medium

CVE-2019-20008

In Archery before 1.3, inserting an XSS payload into a project name (either by creating a new project or editing an existing one) will result in stored XSS on the vulnerability-scan scheduling page.

CVSS: 5.4 CWE: CWE-79

Critical

CVE-2013-3088

Belkin N900 router (F9K1104v1) contains an Authentication Bypass using "Javascript debugging".

CVSS: 9.8 CWE: CWE-287

Critical

CVE-2013-3085

An authentication bypass exists in the web management interface in Belkin F5D8236-4 v2.

CVSS: 9.8 CWE: CWE-287

Medium

CVE-2019-20007

An issue was discovered in ezXML 0.8.2 through 0.8.6. The function ezxml_str2utf8, while parsing a crafted XML file, performs zero-length reallocation in ezxml.c, leading to returning a NULL pointer…

CVSS: 6.5 CWE: CWE-476

High

CVE-2019-20006

An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_char_content puts a pointer to the internal address of a larger block as xml->txt. This is later deallocated (using free), lea…

CVSS: 7.5 CWE: CWE-416

Medium

CVE-2019-20005

An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_decode, while parsing a crafted XML file, performs incorrect memory handling, leading to a heap-based buffer over-read while r…

CVSS: 6.5 CWE: CWE-125

Medium

CVE-2019-19389

JetBrains Ktor framework before version 1.2.6 was vulnerable to HTTP Response Splitting.

CVSS: 5.4 CWE: CWE-74

High

CVE-2015-5290

A Denial of Service vulnerability exists in ircd-ratbox 3.0.9 in the MONITOR Command Handler.

CVSS: 7.5 CWE: CWE-119

Medium

CVE-2013-4318

File injection vulnerability in Ruby gem Features 0.3.0 allows remote attackers to inject malicious html in the /tmp directory.

CVSS: 5.4 CWE: CWE-74

High

CVE-2013-2011

WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execution vulnerability which could allow remote attackers to inject arbitrary code. This issue exists because of an incomplete fix fo…

CVSS: 8.8 CWE: CWE-116

High

CVE-2012-4420

An information disclosure flaw was found in the way the Java Virtual Machine (JVM) implementation of Java SE 7 as provided by OpenJDK 7 incorrectly initialized integer arrays after memory allocation…

CVSS: 7.5 CWE: CWE-200

High

CVE-2012-3462

A flaw was found in SSSD version 1.9.0. The SSSD's access-provider logic causes the result of the HBAC rule processing to be ignored in the event that the access-provider is also handling the setup o…

CVSS: 8.8 CWE: CWE-287

Medium

CVE-2012-2736

In NetworkManager 0.9.2.0, when a new wireless network was created with WPA/WPA2 security in AdHoc mode, it created an open/insecure network.

CVSS: 4.4 CWE: CWE-306

High

CVE-2019-5275

USG9500 with versions of V500R001C30;V500R001C60 have a denial of service vulnerability. Due to a flaw in the X.509 implementation in the affected products which can result in a heap buffer overflow…

CVSS: 7.5 CWE: CWE-787

High

CVE-2019-5274

CVSS: 7.5 CWE: CWE-835

High

CVE-2019-5273

CVSS: 7.5 CWE: CWE-120

Medium

CVE-2019-5272

USG9500 with versions of V500R001C30;V500R001C60 have a missing integrity checking vulnerability. The software of the affected products does not check the integrity which may allow an attacker with h…

CVSS: 4.9 CWE: CWE-354

Critical

CVE-2019-19398

M5 lite 10 with versions of 8.0.0.182(C00) have an insufficient input validation vulnerability. Due to the input validation logic is incorrect, an attacker can exploit this vulnerability to modify th…

CVSS: 9.8 CWE: CWE-20

Medium

CVE-2011-1474

A locally locally exploitable DOS vulnerability was found in pax-linux versions 2.6.32.33-test79.patch, 2.6.38-test3.patch, and 2.6.37.4-test14.patch. A bad bounds check in arch_get_unmapped_area_top…

CVSS: 5.5 CWE: CWE-400

High

CVE-2019-19995

A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, leading to complete control of the router, as demonstrated by v1/system/user.

CVSS: 8.8 CWE: CWE-352

Critical

CVE-2019-16327

D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypass. They do not check for authentication at the server side and rely on client-side validation, which is bypassable. NOTE: this i…

CVSS: 9.8 CWE: CWE-287

High

CVE-2019-16326

D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token is implemented. A remote attacker could exploit this in conjunction with CVE-2019-16327 to enable remote router management and de…

CVSS: 8.8 CWE: CWE-352

High

CVE-2019-16789

In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress lead…

CVSS: 7.1 CWE: CWE-444

Medium

CVE-2019-16781

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admi…

CVSS: 5.8 CWE: CWE-79

Medium

CVE-2019-16780

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an a…

CVSS: 5.8 CWE: CWE-79

Medium

CVE-2018-20492

An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control (issue 2 of 6).

CVSS: 5.3 CWE: CWE-863

Medium

CVE-2019-6035

Open redirect vulnerability in Athenz v1.8.24 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted page.

CVSS: 6.1 CWE: CWE-601

Medium

CVE-2019-6034

a-blog cms versions prior to Ver.2.10.23 (Ver.2.10.x), Ver.2.9.26 (Ver.2.9.x), and Ver.2.8.64 (Ver.2.8.x) allows arbitrary scripts to be executed in the context of the application due to unspecified…

CVSS: 6.1 CWE: CWE-74

Medium

CVE-2019-6033

Cross-site scripting vulnerability in a-blog cms versions prior to Ver.2.10.23 (Ver.2.10.x), Ver.2.9.26 (Ver.2.9.x), and Ver.2.8.64 (Ver.2.8.x) allows remote attackers to inject arbitrary web script…

CVSS: 6.1 CWE: CWE-79

High

CVE-2019-6032

The NTV News24 prior to Ver.3.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certifi…

CVSS: 7.4 CWE: CWE-295

Medium

CVE-2019-6031

Cross-site scripting vulnerability in KINZA for Windows version 5.9.2 and earlier and for Mac version 5.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via RSS reader.

CVSS: 6.1 CWE: CWE-79

High

CVE-2019-6030

Cross-site request forgery (CSRF) vulnerability in Custom Body Class 0.6.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

CVSS: 8.8 CWE: CWE-352

Medium

CVE-2019-6029

Cross-site scripting vulnerability in Custom Body Class 0.6.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 6.1 CWE: CWE-79

High

CVE-2019-6027

Cross-site request forgery (CSRF) vulnerability in WP Spell Check 7.1.9 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

CVSS: 8.8 CWE: CWE-352

Medium

CVE-2019-6025

Open redirect vulnerability in Movable Type series Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable…

CVSS: 6.1 CWE: CWE-601

Medium

CVE-2019-6024

Rakuma App for Android version 7.15.0 and earlier, and for iOS version 7.16.4 and earlier allows an attacker to bypass authentication and obtain the user's authentication information via a malicious…

CVSS: 6.5 CWE: CWE-522

Medium

CVE-2019-6022

Directory traversal vulnerability in Cybozu Office 10.0.0 to 10.8.3 allows remote authenticated attackers to alter arbitrary files via the 'Customapp' function.

CVSS: 6.5 CWE: CWE-22

Medium

CVE-2019-6021

Open redirect vulnerability in Library Information Management System LIMEDIO all versions allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially…

CVSS: 6.1 CWE: CWE-601

Medium

CVE-2019-6020

Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary w…

CVSS: 6.1 CWE: CWE-601

High

CVE-2019-6019

Untrusted search path vulnerability in STAMP Workbench installer all versions allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

CVSS: 7.8 CWE: CWE-426

Medium

CVE-2019-6018

Cross-site scripting vulnerability in NetCommons 3.2.2 and earlier (NetCommons3.x) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2019-6016

Cross-site scripting vulnerability in REMISE Payment Module (2.11, 2.12 and 2.13) version 3.0.12 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 6.1 CWE: CWE-79

High

CVE-2019-6014

DBA-1510P firmware 1.70b009 and earlier allows an attacker to execute arbitrary OS commands via Web User Interface.

CVSS: 8.8 CWE: CWE-78

Medium

CVE-2019-6013

DBA-1510P firmware 1.70b009 and earlier allows authenticated attackers to execute arbitrary OS commands via Command Line Interface (CLI).

CVSS: 6.6 CWE: CWE-78