CVE List - 2019 / March
Showing 901 - 1000 of 1194 CVEs for March 2019 (Page 10 of 12)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-3480 | 2019-03-25 | Mitigates a stored/reflected XSS issue in ArcSight Logger versions prior to 6.7. |
| CVE-2019-3481 | 2019-03-25 | Mitigates an XML External Entity Parsing issue in ArcSight Logger versions prior to 6.7. |
| CVE-2019-3482 | 2019-03-25 | Mitigates a directory traversal issue in ArcSight Logger versions prior to 6.7. |
| CVE-2019-3483 | 2019-03-25 | Mitigates a potential information leakage issue in ArcSight Logger versions prior to 6.7. |
| CVE-2019-3484 | 2019-03-25 | Mitigates a remote code execution issue in ArcSight Logger versions prior to 6.7. |
| CVE-2019-3476 | 2019-03-25 | Remote arbitrary code execution in Micro Focus Data Protector, version 10.03; this vulnerability could allow remote arbitrary code execution. |
| CVE-2015-3954 | 2019-03-25 | Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior give unauthenticated users root privileges... |
| CVE-2019-6240 | 2019-03-25 | An issue was discovered in GitLab Community and Enterprise Edition before 11.4. It allows Directory Traversal. |
| CVE-2019-3841 | 2019-03-25 | Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, were reported to disable TLS certificate validation when importing data into PVCs from container registries. This could enable man-in-the-middle attacks between a container registry... |
| CVE-2019-3831 | 2019-03-25 | A vulnerability was discovered in vdsm, version 4.19 through 4.30.3 and 4.30.5 through 4.30.8. The systemd_run function exposed to the vdsm system user could be abused to execute arbitrary commands... |
| CVE-2019-3808 | 2019-03-25 | A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have... |
| CVE-2019-3809 | 2019-03-25 | A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the... |
| CVE-2018-16838 | 2019-03-25 | A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD... |
| CVE-2018-16858 | 2019-03-25 | It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An... |
| CVE-2015-3956 | 2019-03-25 | Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior accept drug libraries, firmware updates,... |
| CVE-2019-3827 | 2019-03-25 | An incorrect permission check in the admin backend in gvfs before version 1.39.4 was found that allows reading and modifying arbitrary files by privileged users without asking for a password when... |
| CVE-2017-7510 | 2019-03-25 | In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface. |
| CVE-2019-3863 | 2019-03-25 | A flaw was found in libssh2 before 1.8.1. A server could send multiple keyboard interactive response messages whose total length is greater than unsigned char max characters. This value... |
| CVE-2019-10039 | 2019-03-25 | The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dir_login.asp and use an API URL /goform/setSysAdm... |
| CVE-2019-10040 | 2019-03-25 | The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dir_login.asp and use a hidden API URL... |
| CVE-2019-10041 | 2019-03-25 | The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dir_login.asp and use an API URL /goform/form2userconfig.cgi... |
| CVE-2019-10042 | 2019-03-25 | The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dir_login.asp and use an API URL /goform/LoadDefaultSettings... |
| CVE-2019-10011 | 2019-03-25 | ICS/StaticPages/AddTestUsers.aspx in Jenzabar JICS (aka Internet Campus Solution) before 2019-02-06 allows remote attackers to create an arbitrary number of accounts with a password of 1234. |
| CVE-2019-10012 | 2019-03-25 | Jenzabar JICS (aka Internet Campus Solution) before 9 allows remote attackers to upload and execute arbitrary .aspx code by placing it in a ZIP archive and using the MoxieManager (for... |
| CVE-2015-1014 | 2019-03-25 | A successful exploit of these vulnerabilities requires the local user to load a crafted DLL file in the system directory on servers running Schneider Electric OFS v3.5 with version v7.40... |
| CVE-2019-4046 | 2019-03-25 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers. A remote attacker could exploit this vulnerability... |
| CVE-2015-1012 | 2019-03-25 | Wireless keys are stored in plain text on version 5 of the Hospira LifeCare PCA Infusion System. According to Hospira, version 3 of the LifeCare PCA Infusion System is not... |
| CVE-2018-12652 | 2019-03-25 | A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin 5.4 HRMS Software. The user supplied input containing JavaScript is echoed back in JavaScript code in an HTML response... |
| CVE-2018-12653 | 2019-03-25 | A Reflected Cross Site Scripting (XSS) vulnerability exists in Adrenalin HRMS 5.4.0. An attacker can input malicious JavaScript code in /RPT/SSRSDynamicEditReports.aspx via 'ReportId' parameter. |
| CVE-2019-3879 | 2019-03-25 | It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling... |
| CVE-2019-3838 | 2019-03-25 | It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to,... |
| CVE-2019-3835 | 2019-03-25 | It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for... |
| CVE-2019-3874 | 2019-03-25 | The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel... |
| CVE-2019-3861 | 2019-03-25 | An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A... |
| CVE-2019-3860 | 2019-03-25 | An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises an SSH server... |
| CVE-2019-3857 | 2019-03-25 | An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed.... |
| CVE-2019-3856 | 2019-03-25 | An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker... |
| CVE-2019-7608 | 2019-03-25 | Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other... |
| CVE-2019-7610 | 2019-03-25 | Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send... |
| CVE-2019-7611 | 2019-03-25 | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are... |
| CVE-2019-7612 | 2019-03-25 | A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash... |
| CVE-2019-7613 | 2019-03-25 | Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event. |
| CVE-2019-3395 | 2019-03-25 | The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from... |
| CVE-2019-3396 | 2019-03-25 | The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before... |
| CVE-2015-1007 | 2019-03-25 | A specially crafted configuration file could be used to cause a stack-based buffer overflow condition in the OPCTest.exe, which may allow remote code execution on Opto 22 PAC Project Professional... |
| CVE-2014-9189 | 2019-03-25 | Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could... |
| CVE-2014-9187 | 2019-03-25 | Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead... |
| CVE-2019-10044 | 2019-03-25 | Telegram Desktop before 1.5.12 on Windows, and the Telegram applications for Android, iOS, and Linux, is vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because... |
| CVE-2018-15583 | 2019-03-25 | Cross-Site Scripting (XSS) vulnerability in point_list.php in GNUBOARD5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML via the popup title parameter. |
| CVE-2017-7340 | 2019-03-25 | A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via the applicationSearch parameter in the FortiView functionality. |
| CVE-2017-7342 | 2019-03-25 | A weak password recovery process vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via a hidden Close button |
| CVE-2019-6538 | 2019-03-25 | Medtronic Conexus Radio Frequency Telemetry Protocol Improper Access Control |
| CVE-2019-7642 | 2019-03-25 | D-Link routers with the mydlink feature have some web interfaces without authentication requirements. An attacker can remotely obtain users' DNS query logs and login logs. Vulnerable targets include but are... |
| CVE-2019-0204 | 2019-03-25 | A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0... |
| CVE-2019-10060 | 2019-03-25 | The Verix Multi-app Conductor application 2.7 for Verifone Verix suffers from a buffer overflow vulnerability that allows attackers to execute arbitrary code via a long configuration key value. An attacker... |
| CVE-2019-3804 | 2019-03-26 | It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request... |
| CVE-2019-3848 | 2019-03-26 | A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged... |
| CVE-2019-10061 | 2019-03-26 | utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) prior to 6.1.0 is vulnerable to Command Injection. It does not validate user input allowing attackers to execute arbitrary commands. |
| CVE-2019-7711 | 2019-03-26 | An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. The undocumented shell command "prompt" sets the (user controlled) shell's prompt value, which is... |
| CVE-2019-7712 | 2019-03-26 | An issue was discovered in handler_ipcom_shell_pwd in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. When using the pwd command, the current working directory path is used... |
| CVE-2019-7713 | 2019-03-26 | An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. There is a heap-based buffer overflow in the function responsible for printing the shell... |
| CVE-2019-7714 | 2019-03-26 | An issue was discovered in Interpeak IPWEBS on Green Hills INTEGRITY RTOS 5.0.4. It allocates 60 bytes for the HTTP Authentication header. However, when copying this header to parse, it... |
| CVE-2019-7715 | 2019-03-26 | An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. The main shell handler function uses the value of the environment variable ipcom.shell.greeting as... |
| CVE-2019-8981 | 2019-03-26 | tls1.c in Cameron Hamilton-Rich axTLS before 2.1.5 has a Buffer Overflow via a crafted sequence of TLS packets because the need_bytes value is mismanaged. |
| CVE-2019-9764 | 2019-03-26 | HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set... |
| CVE-2019-10063 | 2019-03-26 | Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed... |
| CVE-2014-5434 | 2019-03-26 | Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 has a default account with hard-coded credentials used with the FTP protocol. Baxter asserts... |
| CVE-2019-7646 | 2019-03-26 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.763 is vulnerable to Stored/Persistent XSS for the "Package Name" field via the add_package module parameter. |
| CVE-2014-5433 | 2019-03-26 | An unauthenticated remote attacker may be able to execute commands to view wireless account credentials that are stored in cleartext on Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX)... |
| CVE-2014-5432 | 2019-03-26 | Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 is remotely accessible via Port 22/SSH without authentication. A remote attacker may be able... |
| CVE-2014-5431 | 2019-03-26 | Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 contains a hard-coded password, which provides access to basic biomedical information, limited device settings,... |
| CVE-2018-19856 | 2019-03-26 | GitLab CE/EE before 11.3.12, 11.4.x before 11.4.10, and 11.5.x before 11.5.3 allows Directory Traversal in Templates API. |
| CVE-2019-9053 | 2019-03-26 | An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist... |
| CVE-2014-5401 | 2019-03-26 | Hospira MedNet Code Injection |
| CVE-2019-9055 | 2019-03-26 | An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible reach... |
| CVE-2019-9057 | 2019-03-26 | An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection. |
| CVE-2013-2807 | 2019-03-26 | Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it calculates an... |
| CVE-2019-9058 | 2019-03-26 | An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated... |
| CVE-2019-9059 | 2019-03-26 | An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail... |
| CVE-2013-2806 | 2019-03-26 | Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it calculates an... |
| CVE-2019-9061 | 2019-03-26 | An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve... |
| CVE-2013-2805 | 2019-03-26 | Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it receives a... |
| CVE-2019-3597 | 2019-03-26 | Authentication bypass in McAfee Network Security Manager 9.x |
| CVE-2019-3606 | 2019-03-26 | Data leakage when in an MDR pair by McAfee Network Security Manager 9.x |
| CVE-2010-5305 | 2019-03-26 | Rockwell PLC5/SLC5/0x/RSLogix Credentials management |
| CVE-2019-10068 | 2019-03-26 | An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for... |
| CVE-2019-3878 | 2019-03-26 | A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user... |
| CVE-2018-16856 | 2019-03-26 | In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private... |
| CVE-2019-3849 | 2019-03-26 | A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request... |
| CVE-2019-3850 | 2019-03-26 | A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Links within assignment submission comments would open directly (in the same window). Although links themselves may be... |
| CVE-2019-3851 | 2019-03-26 | A vulnerability was found in moodle before versions 3.6.3 and 3.5.5. There was a link to site home within the Boost theme's secure layout, meaning students could navigate out... |
| CVE-2019-3852 | 2019-03-26 | A vulnerability was found in moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities |
| CVE-2019-6540 | 2019-03-26 | Medtronic Conexus Radio Frequency Telemetry Protocol Cleartext Transmission of Sensitive Information |
| CVE-2019-3826 | 2019-03-26 | A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL... |
| CVE-2019-8987 | 2019-03-26 | TIBCO Spotfire Data Science Vulnerable to Persistent Cross-Site Scripting |
| CVE-2019-8988 | 2019-03-26 | TIBCO Spotfire Data Science Privilege Escalation Vulnerability |
| CVE-2019-8989 | 2019-03-26 | TIBCO Spotfire Data Science Spoofing Vulnerability |
| CVE-2019-3830 | 2019-03-26 | A vulnerability was found in ceilometer before version 12.0.0.0rc1. An Information Exposure in ceilometer-agent prints sensitive configuration data to log files without DEBUG logging being activated. |
| CVE-2019-6341 | 2019-03-26 | Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004 |
| CVE-2019-9961 | 2019-03-26 | A cross-site scripting (XSS) vulnerability in resource view in core/modules/resource/RESOURCEVIEW.php in Wikindx prior to version 5.7.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. |