CVE List - 2019 / May
Showing 301 - 400 of 1316 CVEs for May 2019 (Page 4 of 14)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2018-20838 | 2019-05-13 | ampforwp_save_steps_data in the AMP for WP plugin before 0.9.97.21 for WordPress allows stored XSS. |
| CVE-2019-11888 | 2019-05-13 | Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. |
| CVE-2019-12041 | 2019-05-13 | lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section. |
| CVE-2018-19037 | 2019-05-13 | On Virgin Media wireless router 3.0 hub devices, the web interface is vulnerable to denial of service. When POST requests are sent and keep the connection open, the router lags... |
| CVE-2018-14710 | 2019-05-13 | Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter. |
| CVE-2018-14711 | 2019-05-13 | Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs. |
| CVE-2018-14712 | 2019-05-13 | Buffer overflow in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to inject system commands via the "hook" URL parameter. |
| CVE-2018-14713 | 2019-05-13 | Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter. |
| CVE-2018-14714 | 2019-05-13 | System command injection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute system commands via the "load_script" URL parameter. |
| CVE-2018-12295 | 2019-05-13 | SQL injection in folderViewSpecific.psp in Seagate NAS OS version 4.3.15.1 allows attackers to execute arbitrary SQL commands via the dirId URL parameter. |
| CVE-2018-12296 | 2019-05-13 | Insufficient access control in /api/external/7.0/system.System.get_infos in Seagate NAS OS version 4.3.15.1 allows attackers to obtain information about the NAS without authentication via empty POST requests. |
| CVE-2018-12297 | 2019-05-13 | Cross-site scripting in API error pages in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via URL path names. |
| CVE-2018-12298 | 2019-05-13 | Directory Traversal in filebrowser in Seagate NAS OS 4.3.15.1 allows attackers to read files within the application's container via a URL path. |
| CVE-2018-12299 | 2019-05-13 | Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via uploaded file names. |
| CVE-2018-12300 | 2019-05-13 | Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter. |
| CVE-2018-12301 | 2019-05-13 | Unvalidated URL in Download Manager in Seagate NAS OS version 4.3.15.1 allows attackers to access the loopback interface via a Download URL of 127.0.0.1 or localhost. |
| CVE-2018-12302 | 2019-05-13 | Missing HTTPOnly flag on session cookies in the Seagate NAS OS version 4.3.15.1 web application allows attackers to steal session tokens via cross-site scripting. |
| CVE-2018-12303 | 2019-05-13 | Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via directory names. |
| CVE-2018-12304 | 2019-05-13 | Cross-site scripting in Application Manager in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via multiple application metadata fields: Short Description, Publisher Name, Publisher Contact, or Website URL. |
| CVE-2018-15530 | 2019-05-13 | Cross-site scripting (XSS) in the web interface of the Xerox ColorQube 8580 allows remote persistent injection of custom HTML / JavaScript code. |
| CVE-2018-18558 | 2019-05-13 | An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate... |
| CVE-2018-16639 | 2019-05-13 | Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation. |
| CVE-2018-16626 | 2019-05-13 | index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name. |
| CVE-2018-16625 | 2019-05-13 | index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. |
| CVE-2018-16624 | 2019-05-13 | panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page. |
| CVE-2018-16623 | 2019-05-13 | Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown. |
| CVE-2018-18524 | 2019-05-13 | Evernote 6.15 on Windows has an incorrectly repaired stored XSS vulnerability. An attacker can use this XSS issue to inject Node.js code under Present mode. After a victim opens an... |
| CVE-2018-18872 | 2019-05-13 | The Kieran O'Shea Calendar plugin before 1.3.11 for WordPress has Stored XSS via the event_title parameter in a wp-admin/admin.php?page=calendar add action, or the category name during category creation at the... |
| CVE-2019-12043 | 2019-05-13 | In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL. |
| CVE-2018-19048 | 2019-05-13 | Simditor through 2.3.21 allows DOM XSS via an onload attribute within a malformed SVG element. |
| CVE-2018-15128 | 2019-05-13 | An issue was discovered in Polycom Group Series 6.1.6.1 and earlier, HDX 3.1.12 and earlier, and Pano 1.1.1 and earlier. A remote code execution vulnerability exists in the content sharing... |
| CVE-2018-19986 | 2019-05-13 | In the /HNAP1/SetRouterSettings message, the RemotePort parameter is vulnerable, and the vulnerability affects D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices. In the SetRouterSettings.php source code, the RemotePort parameter... |
| CVE-2018-19987 | 2019-05-13 | D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code,... |
| CVE-2018-19988 | 2019-05-13 | In the /HNAP1/SetClientInfoDemo message, the AudioMute and AudioEnable parameters are vulnerable, and the vulnerabilities affect D-Link DIR-868L Rev.B 2.05B02 devices. In the SetClientInfoDemo.php source code, the AudioMute and AudioEnble parameters... |
| CVE-2018-19989 | 2019-05-13 | In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerable, and the vulnerability affects D-Link DIR-822 Rev.B 202KRb06 and DIR-822 Rev.C 3.10B06 devices. In the SetQoSSettings.php source code, the uplink parameter... |
| CVE-2018-19990 | 2019-05-13 | In the /HNAP1/SetWiFiVerifyAlpha message, the WPSPIN parameter is vulnerable, and the vulnerability affects D-Link DIR-822 B1 202KRb06 devices. In the SetWiFiVerifyAlpha.php source code, the WPSPIN parameter is saved in the... |
| CVE-2012-6652 | 2019-05-13 | Directory traversal vulnerability in pageflipbook.php script from index.php in Page Flip Book plugin for WordPress (wppageflip) allows remote attackers to include and execute arbitrary local files via a .. (dot... |
| CVE-2019-8350 | 2019-05-13 | The Simple - Better Banking application 2.45.0 through 2.45.3 (fixed in 2.46.0) for Android was affected by an information disclosure vulnerability that leaked the user's password to the keyboard autocomplete... |
| CVE-2019-7404 | 2019-05-13 | An issue was discovered on LG GAMP-7100, GAPM-7200, and GAPM-8000 routers. An unauthenticated user can read a log file via an HTTP request containing its full pathname, such as http://192.168.0.1/var/gapm7100_${today's_date}.log... |
| CVE-2019-7411 | 2019-05-13 | Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title,... |
| CVE-2019-7409 | 2019-05-13 | Multiple cross-site scripting (XSS) vulnerabilities in ProfileDesign CMS v6.0.2.5 allows remote attackers to inject arbitrary web script or HTML via the (1) page, (2) gbs, (3) side, (4) id, (5)... |
| CVE-2019-3684 | 2019-05-13 | susemanager installer creates world-readable swap files |
| CVE-2019-12047 | 2019-05-13 | Gridea v0.8.0 has an XSS vulnerability through which the Nodejs module can be called to achieve arbitrary code execution, as demonstrated by child_process.exec and the "<img src=# onerror='eval(new Buffer(" substring. |
| CVE-2019-11429 | 2019-05-13 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions > "Add... |
| CVE-2018-4014 | 2019-05-13 | An exploitable code execution vulnerability exists in Wi-Fi Command 9999 of the Roav A1 Dashcam running version RoavA1SWV1.9. A specially crafted packet can cause a stack-based buffer overflow, resulting in... |
| CVE-2018-4016 | 2019-05-13 | An exploitable code execution vulnerability exists in the URL-parsing functionality of the Roav A1 Dashcam running version RoavA1SWV1.9. A specially crafted packet can cause a stack-based buffer overflow, resulting in... |
| CVE-2018-4017 | 2019-05-13 | An exploitable vulnerability exists in the Wi-Fi Access Point feature of the Roav A1 Dashcam running version RoavA1SWV1.9. A set of default credentials can potentially be used to connect to... |
| CVE-2018-4023 | 2019-05-13 | An exploitable code execution vulnerability exists in the XML_UploadFile Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted packet can... |
| CVE-2018-4026 | 2019-05-13 | An exploitable denial-of-service vulnerability exists in the XML_GetScreen Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted set of packets... |
| CVE-2018-4025 | 2019-05-13 | An exploitable denial-of-service vulnerability exists in the XML_GetRawEncJpg Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted packet can cause... |
| CVE-2018-4018 | 2019-05-13 | An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware, running on Anker Roav A1 Dashcam version RoavA1SWV1.9. The HTTP server allows for arbitrary firmware binaries to be uploaded... |
| CVE-2018-4028 | 2019-05-13 | An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. The HTTP server could allow an attacker to overwrite the... |
| CVE-2018-4027 | 2019-05-13 | An exploitable denial-of-service vulnerability exists in the XML_UploadFile Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted packet can cause... |
| CVE-2018-4024 | 2019-05-13 | An exploitable denial-of-service vulnerability exists in the thumbnail display functionality of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted packet can cause... |
| CVE-2018-4029 | 2019-05-13 | An exploitable code execution vulnerability exists in the HTTP request-parsing function of the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted packet can... |
| CVE-2015-9287 | 2019-05-13 | Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field ("kid") of the IdP's HTTP response message ("WLS-Response") can be manipulated by an attacker. The... |
| CVE-2019-4259 | 2019-05-13 | A security vulnerability has been identified in IBM Spectrum Scale 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, and 5.0.0 with CES stack enabled that could allow sensitive data to be included with... |
| CVE-2019-7690 | 2019-05-13 | In MobaTek MobaXterm Personal Edition v11.1 Build 3860, the SSH private key and its password can be retrieved from process memory for the lifetime of the process, even after the... |
| CVE-2019-8342 | 2019-05-13 | A Local Privilege Escalation in libqcocoa.dylib in Foxit Reader 3.1.0.0111 on macOS has been discovered due to an incorrect permission set. |
| CVE-2019-10050 | 2019-05-13 | A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination... |
| CVE-2019-9726 | 2019-05-13 | Directory Traversal / Arbitrary File Read in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to read arbitrary files of the device's filesystem. This vulnerability can be exploited... |
| CVE-2019-9727 | 2019-05-13 | Unauthenticated password hash disclosure in the User.getUserPWD method in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to retrieve the GUI password hashes of GUI users. This vulnerability... |
| CVE-2019-3702 | 2019-05-13 | A Remote Code Execution issue in the DNS Query Web UI in Lifesize Icon LS_RM3_3.7.0 (2421) allows remote authenticated attackers to execute arbitrary commands via a crafted DNS Query address... |
| CVE-2019-11680 | 2019-05-13 | KonaKart 8.9.0.0 is vulnerable to Remote Code Execution by uploading a web shell as a product category image. |
| CVE-2019-7217 | 2019-05-13 | Citrix ShareFile before 19.12 allows User Enumeration. It is possible to enumerate application username based on different server responses using the request to check the otp code. No authentication is... |
| CVE-2019-7218 | 2019-05-13 | Citrix ShareFile before 19.23 allows a downgrade from two-factor authentication to one-factor authentication. An attacker with access to the offline victim's otp physical token or virtual app (like google authenticator)... |
| CVE-2018-18912 | 2019-05-13 | An issue was discovered in Easy File Sharing (EFS) Web Server 7.2. A stack-based buffer overflow vulnerability occurs when a malicious POST request has been made to forum.ghp upon creating... |
| CVE-2019-12083 | 2019-05-13 | The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, can violate Rust's safety guarantees and cause memory unsafety. If the `Error::type_id` method is... |
| CVE-2019-1649 | 2019-05-13 | Cisco Secure Boot Hardware Tampering Vulnerability |
| CVE-2019-1862 | 2019-05-13 | Cisco IOS XE Software Web UI Command Injection Vulnerability |
| CVE-2018-16139 | 2019-05-13 | Cross-site scripting (XSS) vulnerability in BIBLIOsoft BIBLIOpac 2008 allows remote attackers to inject arbitrary web script or HTML via the db or action parameter to to bin/wxis.exe/bibliopac/. |
| CVE-2019-11600 | 2019-05-13 | A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed... |
| CVE-2019-10053 | 2019-05-13 | An issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the function SSHParseBanner is composed only of a \n character, then the program runs into a heap-based... |
| CVE-2018-16136 | 2019-05-13 | An issue was discovered in the administrator interface in IPBRICK OS 6.3. The application doesn't check for Anti-CSRF tokens, allowing the submission of multiple forms unwillingly by a victim. |
| CVE-2018-16137 | 2019-05-13 | An issue was discovered in the Web Management Console in IPBRICK OS 6.3. There are multiple SQL injections. |
| CVE-2018-16138 | 2019-05-13 | An issue was discovered in the administration page in IPBRICK OS 6.3. There are multiple XSS vulnerabilities. |
| CVE-2019-8951 | 2019-05-13 | An Open Redirect vulnerability located in the webserver affects several Bosch hardware and software products. The vulnerability potentially allows a remote attacker to redirect users to an arbitrary URL. Affected... |
| CVE-2019-8952 | 2019-05-13 | A Path Traversal vulnerability located in the webserver affects several Bosch hardware and software products. The vulnerability potentially allows a remote authorized user to access arbitrary files on the system... |
| CVE-2019-9618 | 2019-05-13 | The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter. |
| CVE-2019-12087 | 2019-05-14 | Samsung S9+, S10, and XCover 4 P(9.0) devices can become temporarily inoperable because of an unprotected intent in the ContainerAgent application. For example, the victim becomes stuck in a launcher... |
| CVE-2019-11336 | 2019-05-14 | Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus... |
| CVE-2018-18800 | 2019-05-14 | The Tubigan "Welcome to our Resort" 1.0 software allows SQL Injection via index.php?p=accomodation&q=[SQL], index.php?p=rooms&q=[SQL], or admin/login.php. |
| CVE-2019-6512 | 2019-05-14 | An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation (SSRF port-scanning), other adjacent workstations (SSRF network... |
| CVE-2019-6514 | 2019-05-14 | An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to inject a JavaScript payload that will be stored in the database and then displayed and executed on... |
| CVE-2019-6515 | 2019-05-14 | An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated user. |
| CVE-2019-6516 | 2019-05-14 | An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to force the application to perform requests to the internal workstation (port-scanning) and to perform requests to adjacent... |
| CVE-2019-8390 | 2019-05-14 | qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. |
| CVE-2019-8391 | 2019-05-14 | qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter. |
| CVE-2018-11691 | 2019-05-14 | Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches’ management password upon commissioning. Emerson released patches for DeltaV... |
| CVE-2019-8404 | 2019-05-14 | An issue was discovered in Webiness Inventory 2.3. The ProductModel component allows Arbitrary File Upload via a crafted product image during the creation of a new product. Consequently, an attacker... |
| CVE-2019-8923 | 2019-05-14 | XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discontinued. |
| CVE-2019-9861 | 2019-05-14 | Due to the use of an insecure RFID technology (MIFARE Classic), ABUS proximity chip keys (RFID tokens) of the ABUS Secvest FUAA50000 wireless alarm system can easily be cloned and... |
| CVE-2019-11846 | 2019-05-14 | /servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XSS and HTML Injection. |
| CVE-2019-11845 | 2019-05-14 | An HTML Injection vulnerability has been discovered on the RICOH SP 4510DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter. |
| CVE-2019-11844 | 2019-05-14 | An HTML Injection vulnerability has been discovered on the RICOH SP 4520DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn or entryDisplayNameIn parameter. |
| CVE-2019-11419 | 2019-05-14 | vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application through 7.0.3 for Android allows attackers to cause a denial of service (application crash) by replacing an emoji file (under the /sdcard/tencent/MicroMsg directory)... |
| CVE-2018-8940 | 2019-05-14 | ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it... |
| CVE-2018-6885 | 2019-05-14 | An issue was discovered in MicroStrategy Web Services (the Microsoft Office plugin) before 10.4 Hotfix 7, and before 10.11. The vulnerability is unauthenticated and leads to access to the asset... |
| CVE-2019-8978 | 2019-05-14 | An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2,... |
| CVE-2019-3568 | 2019-05-14 | A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for... |