VYPR

CVEs

101,963 total · page 1600 of 2,040

  • CVE-2015-9338HigAug 22, 2019
    risk 0.49cvss 7.5epss 0.01

    The wp-file-upload plugin before 2.5.0 for WordPress has insufficient restrictions on upload of .php files.

  • CVE-2019-15330HigAug 22, 2019
    risk 0.49cvss 7.5epss 0.02

    The webp-express plugin before 0.14.11 for WordPress has insufficient protection against arbitrary file reading.

  • CVE-2019-15060HigAug 22, 2019
    risk 0.58cvss 8.8epss 0.04

    The traceroute function on the TP-Link TL-WR840N v4 router with firmware through 0.9.1 3.16 is vulnerable to remote code execution via a crafted payload in an IP address input field.

  • CVE-2019-12385HigAug 22, 2019
    risk 0.57cvss 8.8epss 0.02

    An issue was discovered in Ampache through 3.9.1. The search engine is affected by a SQL Injection, so any user able to perform lib/class/search.class.php searches (even guest users) can dump any data contained in the database (sessions, hashed passwords, etc.). This may lead to…

  • CVE-2018-20988HigAug 22, 2019
    risk 0.49cvss 7.5epss 0.01

    The wpgform plugin before 0.94 for WordPress has eval injection in the CAPTCHA calculation.

  • CVE-2015-9341HigAug 22, 2019
    risk 0.49cvss 7.5epss 0.01

    The wp-file-upload plugin before 3.4.1 for WordPress has insufficient restrictions on upload of .php.js files.

  • CVE-2019-7617HigAug 22, 2019
    risk 0.40cvss 7.2epss 0.02

    When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.

  • CVE-2019-9154HigAug 22, 2019
    risk 0.00cvss 7.5epss 0.02

    Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to pass off unsigned data as signed.

  • CVE-2019-9153HigAug 22, 2019
    risk 0.00cvss 7.5epss 0.02

    Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature.

  • CVE-2019-14751HigAug 22, 2019
    risk 0.42cvss 7.5epss 0.06

    NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.

  • CVE-2019-11029HigAug 22, 2019
    risk 0.49cvss 7.5epss 0.02

    Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Download() method of AutoUpdateService in SMServer.exe, leading to Directory Traversal. An attacker could use ..\ with this method to iterate over lists of interesting system files and download them without previous…

  • CVE-2018-18573HigAug 22, 2019
    risk 0.47cvss 7.2epss 0.03

    osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a…

  • CVE-2018-18572HigAug 22, 2019
    risk 0.47cvss 7.2epss 0.03

    osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didn't execute in the application. But this filter didn't prevent the '.pht'…

  • CVE-2019-5635HigAug 22, 2019
    risk 0.49cvss 7.5epss 0.00

    A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption.…

  • CVE-2019-15324HigAug 22, 2019
    risk 0.57cvss 8.8epss 0.04

    The ad-inserter plugin before 2.4.22 for WordPress has remote code execution.

  • CVE-2019-15323HigAug 22, 2019
    risk 0.49cvss 7.5epss 0.02

    The ad-inserter plugin before 2.4.20 for WordPress has path traversal.

  • CVE-2017-18584HigAug 22, 2019
    risk 0.49cvss 7.5epss 0.01

    The post-pay-counter plugin before 2.731 for WordPress has no permissions check for an update-settinga action.

  • CVE-2016-10924HigAug 22, 2019
    risk 0.50cvss 7.5epss 0.12

    The ebook-download plugin before 1.2 for WordPress has directory traversal.

  • CVE-2015-9337HigAug 22, 2019
    risk 0.49cvss 7.5epss 0.01

    The profile-builder plugin before 2.1.4 for WordPress has no access control for activating or deactivating addons via AJAX.

  • CVE-2019-14511HigAug 22, 2019
    risk 0.49cvss 7.5epss 0.02

    Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1 only).

  • CVE-2018-20980HigAug 22, 2019
    risk 0.49cvss 7.5epss 0.01

    The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering.

  • CVE-2016-10918HigAug 22, 2019
    risk 0.57cvss 8.8epss 0.01

    The gallery-by-supsystic plugin before 1.8.6 for WordPress has CSRF.

  • CVE-2019-5638HigAug 21, 2019
    risk 0.57cvss 8.7epss 0.01

    Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential…

  • CVE-2019-15316HigAug 21, 2019
    risk 0.46cvss 7.0epss 0.00

    Valve Steam Client for Windows through 2019-08-20 has weak folder permissions, leading to privilege escalation (to NT AUTHORITY\SYSTEM) via crafted use of CreateMountPoint.exe and SetOpLock.exe to leverage a TOCTOU race condition.

  • CVE-2019-15315HigAug 21, 2019
    risk 0.51cvss 7.8epss 0.00

    Valve Steam Client for Windows through 2019-08-16 allows privilege escalation (to NT AUTHORITY\SYSTEM) because local users can replace the current versions of SteamService.exe and SteamService.dll with older versions that lack the CVE-2019-14743 patch.

  • CVE-2019-14686HigAug 21, 2019
    risk 0.51cvss 7.8epss 0.01

    A DLL hijacking vulnerability exists in the Trend Micro Security's 2019 consumer family of products (v15) Folder Shield component and the standalone Trend Micro Ransom Buster (1.0) tool in which, if exploited, would allow an attacker to load a malicious DLL, leading to elevated…

  • CVE-2019-14685HigAug 21, 2019
    risk 0.51cvss 7.8epss 0.01

    A local privilege escalation vulnerability exists in Trend Micro Security 2019 (v15.0) in which, if exploited, would allow an attacker to manipulate a specific product feature to load a malicious service.

  • CVE-2019-11603HigAug 21, 2019
    risk 0.49cvss 7.5epss 0.02

    A HTTP Traversal Attack in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.0.2 allows remote attackers to read files outside the http root.

  • CVE-2019-11601HigAug 21, 2019
    risk 0.49cvss 7.5epss 0.03

    A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.

  • CVE-2018-17791HigAug 21, 2019
    risk 0.49cvss 7.5epss 0.02

    Newgen OmniFlow Intelligent Business Process Suite (iBPS) 7.0 has an "improper server side validation" vulnerability where client-side validations are tampered, and inappropriate information is stored on the server side and fetched from the server every time the user visits the…

  • CVE-2019-1936HigAug 21, 2019
    risk 0.53cvss 7.2epss 0.39

    A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an authenticated, remote attacker to execute arbitrary commands on the underlying Linux…

  • CVE-2019-1908HigAug 21, 2019
    risk 0.49cvss 7.5epss 0.02

    A vulnerability in the Intelligent Platform Management Interface (IPMI) implementation of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to view sensitive system information. The vulnerability is due to insufficient security…

  • CVE-2019-1907HigAug 21, 2019
    risk 0.57cvss 8.8epss 0.01

    A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to set sensitive configuration values and gain elevated privileges. The vulnerability is due to improper handling of substring comparison operations…

  • CVE-2019-1900HigAug 21, 2019
    risk 0.49cvss 7.5epss 0.02

    A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to cause the web server process to crash, causing a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient…

  • CVE-2019-1896HigAug 21, 2019
    risk 0.47cvss 7.2epss 0.02

    A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject arbitrary commands and obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input…

  • CVE-2019-1885HigAug 21, 2019
    risk 0.47cvss 7.2epss 0.04

    A vulnerability in the Redfish protocol of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to insufficient validation of…

  • CVE-2019-1883HigAug 21, 2019
    risk 0.51cvss 7.8epss 0.00

    A vulnerability in the command-line interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands that could allow them to obtain root privileges. The vulnerability is due to…

  • CVE-2019-1871HigAug 21, 2019
    risk 0.47cvss 7.2epss 0.03

    A vulnerability in the Import Cisco IMC configuration utility of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition and implement arbitrary commands with root privileges on an affected device.…

  • CVE-2019-1865HigAug 21, 2019
    risk 0.57cvss 8.8epss 0.04

    A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges on an affected device. The vulnerability is due to…

  • CVE-2019-1864HigAug 21, 2019
    risk 0.57cvss 8.8epss 0.03

    A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges on an affected device. The vulnerability is due to…

  • CVE-2019-1863HigAug 21, 2019
    risk 0.53cvss 8.1epss 0.02

    A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to make unauthorized changes to the system configuration. The vulnerability is due to insufficient authorization…

  • CVE-2019-1850HigAug 21, 2019
    risk 0.47cvss 7.2epss 0.04

    A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges on an affected device. An attacker would need to have…

  • CVE-2019-1634HigAug 21, 2019
    risk 0.47cvss 7.2epss 0.03

    A vulnerability in the Intelligent Platform Management Interface (IPMI) of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges on the underlying operating system (OS). The…

  • CVE-2019-14258HigAug 21, 2019
    risk 0.49cvss 7.5epss 0.02

    The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988.

  • CVE-2019-14257HigAug 21, 2019
    risk 0.51cvss 7.8epss 0.01

    pyraw in Zenoss 2.5.3 allows local privilege escalation by modifying environment variables to redirect execution before privileges are dropped, aka ZEN-31765.

  • CVE-2019-13477HigAug 21, 2019
    risk 0.57cvss 8.8epss 0.01

    In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.

  • CVE-2019-12634HigAug 21, 2019
    risk 0.49cvss 7.5epss 0.02

    A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The…

  • CVE-2019-12627HigAug 21, 2019
    risk 0.49cvss 7.5epss 0.01

    A vulnerability in the application policy configuration of the Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data. The vulnerability is due to insufficient application identification.…

  • CVE-2019-12624HigAug 21, 2019
    risk 0.62cvss 8.8epss 0.19

    A vulnerability in the web-based management interface of Cisco IOS XE New Generation Wireless Controller (NGWC) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The…

  • CVE-2017-18521HigAug 21, 2019
    risk 0.57cvss 8.8epss 0.01

    The democracy-poll plugin before 5.4 for WordPress has CSRF via wp-admin/options-general.php?page=democracy-poll&subpage=l10n.