VYPR

CVEs

100,082 total · page 1622 of 2,002

  • CVE-2018-1936HigApr 3, 2019
    risk 0.55cvss 8.4epss 0.01

    IBM DB2 9.7, 10.1, 10.5, and 11.1 libdb2e.so.1 is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code. IBM X-Force ID: 153316.

  • CVE-2019-10673HigApr 3, 2019
    risk 0.57cvss 8.8epss 0.02

    A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the…

  • CVE-2019-6531HigApr 2, 2019
    risk 0.53cvss 8.1epss 0.01

    An attacker could retrieve passwords from a HTTP GET request from the Kunbus PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) if the attacker is in an MITM position.

  • CVE-2018-12680HigApr 2, 2019
    risk 0.49cvss 7.5epss 0.01

    The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and…

  • CVE-2017-6049HigApr 2, 2019
    risk 0.49cvss 7.5epss 0.01

    Detcon Sitewatch Gateway, all versions without cellular, an attacker can edit settings on the device using a specially crafted URL.

  • CVE-2018-12679HigApr 2, 2019
    risk 0.49cvss 7.5epss 0.01

    The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, example collect CoAP server and client) when they receive crafted CoAP…

  • CVE-2019-9946HigApr 2, 2019
    risk 0.00cvss 7.5epss 0.03

    Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take…

  • CVE-2019-7477HigApr 2, 2019
    risk 0.49cvss 7.5epss 0.01

    A vulnerability in SonicWall SonicOS and SonicOSv TLS CBC Cipher allow remote attackers to obtain sensitive plaintext data when CBC cipher suites are enabled. This vulnerability affected SonicOS Gen 5 version 5.9.1.10 and earlier, Gen 6 version 6.2.7.3, 6.5.1.3, 6.5.2.2,…

  • CVE-2018-4049HigApr 2, 2019
    risk 0.51cvss 7.8epss 0.00

    An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy's “Games” directory, version 1.2.48.36 (Windows 64-bit Installer). An attacker can overwrite executables of installed games to exploit this vulnerability and execute…

  • CVE-2018-3974HigApr 2, 2019
    risk 0.51cvss 7.8epss 0.01

    An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy's install directory. An attacker can overwrite an executable that is launched as a system service on boot by default to exploit this vulnerability and execute arbitrary…

  • CVE-2019-5524HigApr 2, 2019
    risk 0.58cvss 8.8epss 0.04

    VMware Workstation (14.x before 14.1.6) and Fusion (10.x before 10.1.6) contain an out-of-bounds write vulnerability in the e1000 virtual network adapter. This issue may allow a guest to execute code on the host.

  • CVE-2019-5515HigApr 2, 2019
    risk 0.58cvss 8.8epss 0.04

    VMware Workstation (15.x before 15.0.3, 14.x before 14.1.6) and Fusion (11.x before 11.0.3, 10.x before 10.1.6) updates address an out-of-bounds write vulnerability in the e1000 and e1000e virtual network adapters. Exploitation of this issue may lead to code execution on the…

  • CVE-2019-1010260HigApr 2, 2019
    risk 0.00cvss 8.1epss 0.01

    Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been…

  • CVE-2019-4043HigApr 2, 2019
    risk 0.46cvss 7.1epss 0.02

    IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID:…

  • CVE-2018-1640HigApr 2, 2019
    risk 0.57cvss 8.8epss 0.04

    IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the…

  • CVE-2018-1618HigApr 2, 2019
    risk 0.50cvss 7.7epss 0.03

    IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force…

  • CVE-2019-9193HigApr 1, 2019
    risk 0.57cvss 7.2epss 0.92

    In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused…

  • CVE-2019-5514HigApr 1, 2019
    risk 0.57cvss 8.8epss 0.03

    VMware VMware Fusion (11.x before 11.0.3) contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket. An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest…

  • CVE-2018-19113HigApr 1, 2019
    risk 0.51cvss 7.3epss 0.01

    The Pronestor PNHM (aka Health Monitoring or HealthMonitor) add-in before 8.1.13.0 for Outlook has "BUILTIN\Users:(I)(F)" permissions for the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, which allows local users to gain privileges…

  • CVE-2018-17990HigApr 1, 2019
    risk 0.58cvss 8.8epss 0.04

    An issue was discovered on D-Link DSL-3782 devices with firmware 1.01. An OS command injection vulnerability in Acl.asp allows a remote authenticated attacker to execute arbitrary OS commands via the ScrIPaddrEndTXT parameter.

  • CVE-2019-6715HigApr 1, 2019
    risk 0.50cvss 7.5epss 0.19

    pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data.

  • CVE-2019-3489HigApr 1, 2019
    risk 0.49cvss 7.5epss 0.02

    An unauthenticated file upload vulnerability has been identified in the Web Client component of Micro Focus Content Manager 9.1, 9.2, and 9.3 when configured to use the ADFS authentication method. The vulnerability could be exploited by an unauthenticated remote attacker to…

  • CVE-2019-8956HigApr 1, 2019
    risk 0.00cvss 7.8epss 0.01

    In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the "sctp_sendmsg()" function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory.

  • CVE-2018-4050HigApr 1, 2019
    risk 0.51cvss 7.8epss 0.00

    An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy's Games, version 1.2.47 for macOS. An attacker can globally adjust folder permissions leading to execution of arbitrary code with elevated privileges.

  • CVE-2019-9132HigApr 1, 2019
    risk 0.57cvss 8.8epss 0.02

    Remote code execution vulnerability exists in KaKaoTalk PC messenger when user clicks specially crafted link in the message window. This affects KaKaoTalk windows version 2.7.5.2024 or lower.

  • CVE-2018-5757HigApr 1, 2019
    risk 0.58cvss 8.8epss 0.08

    An issue was discovered on AudioCodes 450HD IP Phone devices with firmware 3.0.0.535.106. The traceroute and ping functionality, which uses a parameter in a request to command.cgi from the Monitoring page in the web UI, unsafely puts user-alterable data directly into an OS…

  • CVE-2019-5890HigApr 1, 2019
    risk 0.57cvss 8.8epss 0.02

    An issue was discovered in OverIT Geocall 6.3 before build 2:346977. Weak authentication and session management allows an authenticated user to obtain access to the Administrative control panel and execute administrative functions.

  • CVE-2019-5889HigApr 1, 2019
    risk 0.49cvss 7.5epss 0.02

    An log-management directory traversal issue was discovered in OverIT Geocall 6.3 before build 2:346977.

  • CVE-2018-8913HigApr 1, 2019
    risk 0.46cvss 7.1epss 0.01

    Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL.

  • CVE-2018-13296HigApr 1, 2019
    risk 0.49cvss 7.5epss 0.02

    Uncontrolled resource consumption vulnerability in TLS configuration in Synology MailPlus Server before 2.0.5-0606 allows remote attackers to conduct denial-of-service attacks via client-initiated renegotiation.

  • CVE-2018-13285HigApr 1, 2019
    risk 0.49cvss 7.5epss 0.02

    Command injection vulnerability in ftpd in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.

  • CVE-2018-13284HigApr 1, 2019
    risk 0.49cvss 7.5epss 0.02

    Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.

  • CVE-2018-13283HigApr 1, 2019
    risk 0.57cvss 8.8epss 0.01

    Lack of administrator control over security vulnerability in client.cgi in Synology SSL VPN Client before 1.2.5-0226 allows remote attackers to conduct man-in-the-middle attacks via the (1) command, (2) hostname, or (3) port parameter.

  • CVE-2017-16775HigApr 1, 2019
    risk 0.46cvss 7.1epss 0.01

    Improper restriction of rendered UI layers or frames vulnerability in SSOOauth.cgi in Synology SSO Server before 2.1.3-0129 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

  • CVE-2014-7198HigApr 1, 2019
    risk 0.57cvss 8.8epss 0.01

    OMERO before 5.0.6 has multiple CSRF vulnerabilities because the framework for OMERO's web interface lacks CSRF protection.

  • CVE-2019-10678HigMar 31, 2019
    risk 0.04cvss 7.5epss 0.17

    Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.

  • CVE-2019-10663HigMar 30, 2019
    risk 0.59cvss 8.8epss 0.28

    Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI.

  • CVE-2019-10662HigMar 30, 2019
    risk 0.61cvss 8.8epss 0.44

    Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.

  • CVE-2019-10660HigMar 30, 2019
    risk 0.57cvss 8.8epss 0.03

    Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field.

  • CVE-2019-10659HigMar 30, 2019
    risk 0.57cvss 8.8epss 0.03

    Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field.

  • CVE-2019-10658HigMar 30, 2019
    risk 0.57cvss 8.8epss 0.03

    Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.

  • CVE-2019-10656HigMar 30, 2019
    risk 0.58cvss 8.8epss 0.04

    Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call.

  • CVE-2019-10652HigMar 30, 2019
    risk 0.50cvss 7.2epss 0.07

    An issue was discovered in flatCore 1.4.7. acp/acp.php allows remote authenticated administrators to upload arbitrary .php files, related to the addons feature.

  • CVE-2019-10650HigMar 30, 2019
    risk 0.53cvss 8.1epss 0.04

    In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.

  • CVE-2019-10644HigMar 30, 2019
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in HYBBS 2.2. /?admin/user.html has a CSRF vulnerability that can add an administrator account.

  • CVE-2018-15840HigMar 29, 2019
    risk 0.49cvss 7.5epss 0.02

    TP-Link TL-WR840N devices allow remote attackers to cause a denial of service (networking outage) via fragmented packets, as demonstrated by an "nmap -f" command.

  • CVE-2019-9922HigMar 29, 2019
    risk 0.50cvss 7.5epss 0.11

    An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. Directory Traversal allows read access to arbitrary files.

  • CVE-2019-9920HigMar 29, 2019
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. It is possible to perform an action within the context of the account of another user.

  • CVE-2018-20378HigMar 29, 2019
    risk 0.49cvss 7.5epss 0.02

    The L2CAP signaling channel implementation and SDP server implementation in OpenSynergy Blue SDK 3.2 through 6.0 allow remote, unauthenticated attackers to execute arbitrary code or cause a denial of service via malicious L2CAP configuration requests, in conjunction with crafted…

  • CVE-2019-9604HigMar 29, 2019
    risk 0.57cvss 8.8epss 0.01

    PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Cross-Site Request Forgery (CSRF) for Edit Profile actions.