Search Results (363054 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2019-16929 | Auth0 | Auth0.net | 2024-11-21 | 7.5 High | Auth0 auth0.net before 6.5.4 has Incorrect Access Control because IdentityTokenValidator can be accidentally used to validate untrusted ID tokens. |
| CVE-2019-16927 | Glyphandcog | Xpdf | 2024-11-21 | 5.5 Medium | Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the TextPage::findGaps function in TextOutputDev.cc, a different vulnerability than CVE-2019-9877. |
| CVE-2019-16926 | Flower Project | Flower | 2024-11-21 | 6.1 Medium | Flower 0.9.3 has XSS via a crafted worker name. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren't user-facing configuration options. They are internal backend config options, and a person having rights to change them already has full access. |
| CVE-2019-16925 | Flower Project | Flower | 2024-11-21 | 6.1 Medium | Flower 0.9.3 has XSS via the name parameter in an @app.task call. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren't user-facing configuration options. They are internal backend config options, and a person having rights to change them already has full access. |
| CVE-2019-16924 | Nuvending | Nulock | 2024-11-21 | 8.8 High | The Nulock application 1.5.0 for mobile devices sends a cleartext password over Bluetooth, which allows remote attackers (after sniffing the network) to take control of the lock. |
| CVE-2019-16923 | Kkcms Project | Kkcms | 2024-11-21 | 6.1 Medium | kkcms 1.3 has jx.php?url= XSS. |
| CVE-2019-16922 | Salesagility | Suitecrm | 2024-11-21 | 5.3 Medium | SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files. |
| CVE-2019-16921 | Linux | Linux Kernel | 2024-11-21 | 7.5 High | In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e40425813. |
| CVE-2019-16919 | Linuxfoundation, Vmware | Harbor, Cloud Foundation, Harbor Container Registry | 2024-11-21 | 7.5 High | Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access to or control over. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account. |
| CVE-2019-16917 | Wikidsystems | Two Factor Authentication Enterprise Server | 2024-11-21 | 8.8 High | WiKID Enterprise 2FA (two-factor authentication) Enterprise Server through 4.2.0-b2047 is vulnerable to SQL injection through the searchDevices.jsp endpoint. The uid and domain parameters are used, unsanitized, in a SQL query constructed in the buildSearchWhereClause function. |
| CVE-2019-16915 | Netgate | Pfsense | 2024-11-21 | 9.8 Critical | An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) as a pathname for file_get_contents or file_put_contents. |
| CVE-2019-16914 | Netgate | Pfsense | 2024-11-21 | 6.1 Medium | An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization. |
| CVE-2019-16913 | Pcprotect | Antivirus | 2024-11-21 | 7.8 High | PC Protect Antivirus v4.14.31 installs by default to %PROGRAMFILES(X86)%\PCProtect with very weak folder permissions, granting any user full permission "Everyone: (F)" to the contents of the directory and its subfolders. In addition, the program installs a service called SecurityService that runs as LocalSystem. This allows any user to escalate privileges to "NT AUTHORITY\SYSTEM" by substituting the service's binary with a Trojan horse. |
| CVE-2019-16909 | Infosysta | In-app & Desktop Notifications | 2024-11-21 | 4.3 Medium | An issue was discovered in the Infosysta "In-App & Desktop Notifications" app before 1.6.14_J8 for Jira. It is possible to obtain a list of all Jira projects (with authentication as a Jira user, but without authorization for specific projects) via the plugins/servlet/nfj/NotificationSettings URI. |
| CVE-2019-16908 | Infosysta | In-app & Desktop Notifications | 2024-11-21 | 5.3 Medium | An issue was discovered in the Infosysta "In-App & Desktop Notifications" app before 1.6.14_J8 for Jira. It is possible to obtain a list of all Jira projects without authentication/authorization via the plugins/servlet/nfj/ProjectFilter?searchQuery= URI. |
| CVE-2019-16907 | Infosysta | In-app & Desktop Notifications | 2024-11-21 | 5.3 Medium | An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. It is possible to obtain a list of all valid Jira usernames without authentication/authorization via the plugins/servlet/nfj/UserFilter?searchQuery=@ URI. |
| CVE-2019-16906 | Infosysta | In-app & Desktop Notifications | 2024-11-21 | 7.5 High | An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. By using plugins/servlet/nfj/PushNotification?username= with a modified username, a different user's notifications can be read without authentication/authorization. These notifications are then no longer displayed to the normal user. |
| CVE-2019-16904 | Teampass | Teampass | 2024-11-21 | 5.4 Medium | TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a commonly available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.) |
| CVE-2019-16903 | Plutinosoft | Platinum | 2024-11-21 | 5.3 Medium | Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServer.cpp because it checks for /.. where it should be checking for ../ instead. |
| CVE-2019-16902 | Reputeinfosystems | Arforms | 2024-11-21 | 7.5 High | In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname. |