Total
4412 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-15642 | 1 Webmin | 1 Webmin | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users." | |||||
| CVE-2019-15599 | 1 Tree-kill Project | 1 Tree-kill | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command. | |||||
| CVE-2019-15597 | 1 Node-df Project | 1 Node-df | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input. | |||||
| CVE-2019-15388 | 1 Coolpad | 2 Mega 5, Mega 5 Firmware | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app. Executing commands as the system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user's text messages, and more. | |||||
| CVE-2019-15318 | 1 Yikesinc | 1 Easy Forms For Mailchimp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPress has code injection via the admin input field. | |||||
| CVE-2019-15224 | 1 Rest-client Project | 1 Rest-client | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The rest-client gem 1.6.10 through 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions <=1.6.9 and >=1.6.14 are unaffected. | |||||
| CVE-2019-15087 | 1 Prise | 1 Adas | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in PRiSE adAS 1.7.0. An authenticated user can change the function used to hash passwords to any function, leading to remote code execution. | |||||
| CVE-2019-15001 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request. | |||||
| CVE-2019-14965 | 1 Frappe | 1 Frappe | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists. | |||||
| CVE-2019-14867 | 2 Fedoraproject, Freeipa | 2 Fedora, Freeipa | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server. | |||||
| CVE-2019-14827 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions. | |||||
| CVE-2019-14746 | 1 Kuaifan | 1 Kuaifancms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A issue was discovered in KuaiFanCMS 5.0. It allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request. | |||||
| CVE-2019-14282 | 1 Simple Captcha2 Project | 1 Simple Captcha2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The simple_captcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. | |||||
| CVE-2019-14281 | 1 Datagrid Project | 1 Datagrid | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. | |||||
| CVE-2019-13956 | 1 Codersclub | 1 Discuz\!ml | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Discuz!ML 3.2 through 3.4 allows remote attackers to execute arbitrary PHP code via a modified language cookie, as demonstrated by changing 4gH4_0df5_language=en to 4gH4_0df5_language=en'.phpinfo().'; (if the random prefix 4gH4_0df5_ were used). | |||||
| CVE-2019-13714 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL. | |||||
| CVE-2019-13558 | 1 Advantech | 1 Webaccess | 2024-11-21 | 9.0 HIGH | 9.8 CRITICAL |
| In WebAccess versions 8.4.1 and prior, an exploit executed over the network may cause improper control of generation of code, which may allow remote code execution, data exfiltration, or cause a system crash. | |||||
| CVE-2019-13372 | 1 Dlink | 1 Central Wifimanager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication. | |||||
| CVE-2019-13354 | 1 Strong Password Project | 1 Strong Password | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6. | |||||
| CVE-2019-12844 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.3. | |||||