Search Results (9745 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-19031 | 1 Edit-xml | 1 Easy Xml Editor | 2024-11-21 | 8.1 High |
| Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload. | ||||
| CVE-2019-19015 | 1 Titanhq | 1 Webtitan | 2024-11-21 | 9.8 Critical |
| An issue was discovered in TitanHQ WebTitan before 5.18. The proxy service (which is typically exposed to all users) allows connections to the internal PostgreSQL database of the appliance. By connecting to the database through the proxy (without password authentication), an attacker is able to fully control the appliance database. Through this, several different paths exist to gain further access, or execute code. | ||||
| CVE-2019-18998 | 1 Hitachienergy | 1 Asset Suite | 2024-11-21 | 7.1 High |
| Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource's URL can access the resource directly. | ||||
| CVE-2019-18954 | 1 Netease | 1 Pomelo | 2024-11-21 | 5.3 Medium |
| Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious attacker can manipulate internal attributes by adding additional attributes to user input. | ||||
| CVE-2019-18943 | 1 Microfocus | 1 Solutions Business Manager | 2024-11-21 | 6.1 Medium |
| Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations. | ||||
| CVE-2019-18936 | 1 Bloq | 1 Univalue | 2024-11-21 | 7.5 High |
| UniValue::read() in UniValue before 1.0.5 allows attackers to cause a denial of service (the class internal data reaches an inconsistent state) via input data that triggers an error. | ||||
| CVE-2019-18854 | 1 10up | 1 Safe Svg | 2024-11-21 | 7.5 High |
| A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring. | ||||
| CVE-2019-18853 | 1 Imagemagick | 1 Imagemagick | 2024-11-21 | 6.5 Medium |
| ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2. | ||||
| CVE-2019-18844 | 1 Linux | 1 Acrn | 2024-11-21 | 7.5 High |
| The Device Model in ACRN before 2019w25.5-140000p relies on assert calls in devicemodel/hw/pci/core.c and devicemodel/include/pci_core.h (instead of other mechanisms for propagating error information or diagnostic information), which might allow attackers to cause a denial of service (assertion failure) within pci core. This is fixed in 1.2. 6199e653418e is a mitigation for pre-1.1 versions, whereas 2b3dedfb9ba1 is a mitigation for 1.1. | ||||
| CVE-2019-18818 | 1 Strapi | 1 Strapi | 2024-11-21 | 9.8 Critical |
| strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js. | ||||
| CVE-2019-18815 | 1 Popojicms | 1 Popojicms | 2024-11-21 | 6.1 Medium |
| PopojiCMS 2.0.1 allows refer= Open Redirection. | ||||
| CVE-2019-18797 | 1 Sass-lang | 1 Libsass | 2024-11-21 | 6.5 Medium |
| LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp. | ||||
| CVE-2019-18781 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 6.1 Medium |
| An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site. | ||||
| CVE-2019-18626 | 1 Harriscomputer | 1 Ormed Mis | 2024-11-21 | 4.3 Medium |
| Harris Ormed Self Service before 2019.1.4 allows an authenticated user to view W-2 forms belonging to other users via an arbitrary empNo value to the ORMEDMIS/Data/PY/T4W2Service.svc/RetrieveW2EntriesForEmployee URI, thus exposing sensitive information including employee tax information, social security numbers, home addresses, and more. | ||||
| CVE-2019-18568 | 2 Avira, Microsoft | 2 Free Antivirus, Windows | 2024-11-21 | 8.8 High |
| Avira Free Antivirus 15.0.1907.1514 is prone to a local privilege escalation through the execution of kernel code from a restricted user. | ||||
| CVE-2019-18451 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.1 Medium |
| An issue was discovered in GitLab Community and Enterprise Edition 10.7.4 through 12.4 in the InternalRedirect filtering feature. It has an Open Redirect. | ||||
| CVE-2019-18412 | 1 Jetbrains | 1 Idetalk | 2024-11-21 | 7.5 High |
| JetBrains IDETalk plugin before version 193.4099.10 allows XXE. | ||||
| CVE-2019-18227 | 1 Advantech | 1 Wise-paas/rmm | 2024-11-21 | 7.5 High |
| Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data. | ||||
| CVE-2019-18213 | 3 Eclipse, Theia Xml Extension Project, Xml Language Server Project | 3 Wild Web Developer, Theia Xml Extension, Xml Server Project | 2024-11-21 | 8.8 High |
| XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response capture for password cracking). This occurs in extensions/contentmodel/participants/diagnostics/LSPXMLParserConfiguration.java. | ||||
| CVE-2019-17638 | 2 Eclipse, Redhat | 3 Jetty, Jboss Fuse, Openshift | 2024-11-21 | 9.4 Critical |
| In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool, and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. This results in client1, which issued request1, seeing data from another request or response, which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). If the Jetty version cannot be upgraded, the vulnerability can be significantly reduced by configuring a responseHeaderSize significantly larger than the requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize). | ||||