Total
1885 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-11282 | 2 Cloudfoundry, Pivotal Software | 2 Cf-deployment, Cloud Foundry Uaa | 2024-11-21 | 4.3 Medium |
| Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA. | ||||
| CVE-2019-11277 | 1 Cloudfoundry | 2 Cf-deployment, Nfs Volume Release | 2024-11-21 | 8.1 High |
| Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation, facilitating the malicious space developer to deny service or perform a dictionary attack. | ||||
| CVE-2019-11275 | 2 Pivotal, Pivotal Software | 2 Apps Manager, Pivotal Application Service | 2024-11-21 | 4.3 Medium |
| Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege. | ||||
| CVE-2019-11073 | 1 Paessler | 1 Prtg Network Monitor | 2024-11-21 | 7.2 High |
| A Remote Code Execution vulnerability exists in PRTG Network Monitor before 19.4.54.1506 that allows attackers to execute code due to insufficient sanitization when passing arguments to the HttpTransactionSensor.exe binary. In order to exploit the vulnerability, remote authenticated administrators need to create a new HTTP Transaction Sensor and set specific settings when the sensor is executed. | ||||
| CVE-2019-11045 | 7 Canonical, Debian, Fedoraproject and 4 more | 8 Ubuntu Linux, Debian Linux, Fedora and 5 more | 2024-11-21 | 3.7 Low |
| In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. | ||||
| CVE-2019-10795 | 1 Undefsafe Project | 1 Undefsafe | 2024-11-21 | 6.3 Medium |
| undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | ||||
| CVE-2019-10794 | 1 Component-flatten Project | 1 Component-flatten | 2024-11-21 | 6.3 Medium |
| All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | ||||
| CVE-2019-10793 | 1 Dot-object Project | 1 Dot-object | 2024-11-21 | 6.3 Medium |
| dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | ||||
| CVE-2019-10792 | 1 Bodymen Project | 1 Bodymen | 2024-11-21 | 6.3 Medium |
| bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | ||||
| CVE-2019-10665 | 1 Librenms | 1 Librenms | 2024-11-21 | 9.8 Critical |
| An issue was discovered in LibreNMS through 1.47. The scripts that handle the graphing options (html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php script. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, file content, denial of service, or writing arbitrary files. | ||||
| CVE-2019-10074 | 1 Apache | 1 Ofbiz | 2024-11-21 | 9.8 Critical |
| An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533 | ||||
| CVE-2019-1020006 | 1 Inveniosoftware | 1 Invenio-app | 2024-11-21 | N/A |
| invenio-app before 1.1.1 allows host header injection. | ||||
| CVE-2019-1010310 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description .. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1. | ||||
| CVE-2019-0319 | 1 Sap | 2 Gateway, Ui5 | 2024-11-21 | N/A |
| The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. An attacker could thus mislead a user to believe this information is from the legitimate service when it's not. | ||||
| CVE-2019-0304 | 1 Sap | 5 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl32nuc, Advanced Business Application Programming Platform Krnl32uc and 2 more | 2024-11-21 | N/A |
| FTP Function of SAP NetWeaver AS ABAP Platform, versions- KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.45, 7.49, 7.53, 7.73, allows an attacker to inject code or specifically manipulated command that can be executed by the application. An attacker could thereby control the behaviour of the application. | ||||
| CVE-2018-9062 | 1 Lenovo | 97 20hm, 20hn, 20hq and 94 more | 2024-11-21 | 6.8 Medium |
| In some Lenovo ThinkPad products, one BIOS region is not properly included in the checks, allowing injection of arbitrary code. | ||||
| CVE-2018-7032 | 1 Myrepos Project | 1 Myrepos | 2024-11-21 | N/A |
| webcheckout in myrepos through 1.20171231 does not sanitize URLs that are passed to git clone, allowing a malicious website operator or a MitM attacker to take advantage of it for arbitrary code execution, as demonstrated by an "ext::sh -c" attack or an option injection attack. | ||||
| CVE-2018-6603 | 1 Promise | 1 Webpam Proe | 2024-11-21 | N/A |
| Promise Technology WebPam Pro-E devices allow remote attackers to conduct XSS, HTTP Response Splitting, and CRLF Injection attacks via JavaScript code in a PHPSESSID cookie. | ||||
| CVE-2018-6519 | 2 Debian, Simplesamlphp | 2 Debian Linux, Saml2 | 2024-11-21 | N/A |
| The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1.1 in SimpleSAMLphp has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp. | ||||
| CVE-2018-6289 | 1 Kaspersky | 1 Secure Mail Gateway | 2024-11-21 | N/A |
| Configuration file injection leading to Code Execution as Root in Kaspersky Secure Mail Gateway version 1.1. | ||||