Search Results (75900 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-19731 | 1 Roxyfileman | 1 Roxy Fileman | 2024-11-21 | 7.5 High |
| Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal. A remote attacker can write uploaded files to arbitrary locations via the RENAMEFILE action. This can be leveraged for code execution by uploading a specially crafted Windows shortcut file and writing the file to the Startup folder (because an incomplete blacklist of file extensions allows Windows shortcut files to be uploaded). | ||||
| CVE-2019-19729 | 1 Bson-objectid Project | 1 Bson-objectid | 2024-11-21 | 7.5 High |
| An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-input object. As a result, objects in arbitrary forms can bypass formatting if they have a valid bsontype. | ||||
| CVE-2019-19728 | 3 Debian, Opensuse, Schedmd | 3 Debian Linux, Leap, Slurm | 2024-11-21 | 7.5 High |
| SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 executes srun --uid with incorrect privileges. | ||||
| CVE-2019-19726 | 1 Openbsd | 1 Openbsd | 2024-11-21 | 7.8 High |
| OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root. | ||||
| CVE-2019-19724 | 1 Sylabs | 1 Singularity | 2024-11-21 | 7.5 High |
| Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services. | ||||
| CVE-2019-19721 | 1 Videolan | 1 Vlc Media Player | 2024-11-21 | 7.8 High |
| An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a denial of service (memory corruption) via a crafted image file. NOTE: this may be related to the SDL_Image product. | ||||
| CVE-2019-19720 | 1 Yabasic | 1 Yabasic | 2024-11-21 | 8.8 High |
| Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file. | ||||
| CVE-2019-19707 | 1 Moxa | 6 Eds-g508e, Eds-g508e Firmware, Eds-g512e and 3 more | 2024-11-21 | 7.5 High |
| On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware through 6.0), denial of service can occur via PROFINET DCE-RPC endpoint discovery packets. | ||||
| CVE-2019-19704 | 1 Jetbrains | 1 Upsource | 2024-11-21 | 7.5 High |
| In JetBrains Upsource before 2020.1, information disclosure is possible because of an incorrect user matching algorithm. | ||||
| CVE-2019-19702 | 1 Modoboa | 1 Modoboa-dmarc | 2024-11-21 | 7.5 High |
| The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain. | ||||
| CVE-2019-19699 | 1 Centreon | 1 Centreon | 2024-11-21 | 7.2 High |
| There is authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration. This allows the apache user to modify an executable file executed by root at 22:30 every day. To exploit the vulnerability, someone must have Admin access to the Centreon Web Interface and create a custom main.php?p=60803&type=3 command. The user must then set the Pollers Post-Restart Command to this previously created command via the main.php?p=60901&o=c&server_id=1 URI. This is triggered via an export of the Poller Configuration. | ||||
| CVE-2019-19695 | 1 Trendmicro | 1 Antivirus | 2024-11-21 | 7.5 High |
| A privilege escalation vulnerability in Trend Micro Antivirus for Mac 2019 (v9.0.1379 and below) could potentially allow an attacker to create a symbolic link to a target file and modify it. | ||||
| CVE-2019-19693 | 2 Microsoft, Trendmicro | 5 Windows, Antivirus+ Security 2020, Internet Security 2020 and 2 more | 2024-11-21 | 7.1 High |
| The Trend Micro Security 2020 consumer family of products contains a vulnerability that could allow a local attacker to disclose sensitive information or to create a denial-of-service condition on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | ||||
| CVE-2019-19689 | 2 Microsoft, Trendmicro | 2 Windows, Housecall For Home Networks | 2024-11-21 | 7.8 High |
| Trend Micro HouseCall for Home Networks (versions below 5.3.0.1063) could be exploited via a DLL Hijack related to a vulnerability on the packer that the program uses. | ||||
| CVE-2019-19688 | 1 Trendmicro | 1 Housecall For Home Networks | 2024-11-21 | 7.8 High |
| A privilege escalation vulnerability in Trend Micro HouseCall for Home Networks (versions below 5.3.0.1063) could be exploited allowing an attacker to place a malicious DLL file into the application directory and elevate privileges. | ||||
| CVE-2019-19687 | 2 Openstack, Redhat | 2 Keystone, Openstack | 2024-11-21 | 8.8 High |
| OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.) | ||||
| CVE-2019-19685 | 1 Nopcommerce | 1 Nopcommerce | 2024-11-21 | 8.8 High |
| RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions. | ||||
| CVE-2019-19684 | 1 Nopcommerce | 1 Nopcommerce | 2024-11-21 | 8.8 High |
| nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin. | ||||
| CVE-2019-19681 | 1 Artica | 1 Pandora Fms | 2024-11-21 | 8.8 High |
| Pandora FMS 7.x suffers from a remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert commands, you need to have admin rights. They also state that the extended ACL system can disable access to specific sections of the configuration, such as defining new alert commands. | ||||
| CVE-2019-19680 | 1 Proofpoint | 1 Enterprise Protection | 2024-11-21 | 8.8 High |
| A file-extension filtering vulnerability in Proofpoint Enterprise Protection (PPS / PoD), in the unpatched versions of PPS through 8.9.22 and 8.14.2 respectively, allows attackers to bypass protection mechanisms (related to extensions, MIME types, virus detection, and journal entries for transmitted files) by sending malformed (not RFC compliant) multipart email. | ||||