Total: 23890 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2018-18251 | 1 Deltek | 1 Vision | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Deltek Vision 7.x before 7.6 permits the execution of any attacker-supplied SQL statement through a custom RPC-over-HTTP protocol. The Vision system relies on the client binary to enforce security rules and the integrity of SQL statements and other content sent to the server. Client HTTP calls can be manipulated by one of several means to execute arbitrary SQL statements (similar to SQLi) or possibly have unspecified other impact via this custom protocol. To perform these attacks an authenticated session is first required. In some cases client calls are obfuscated by encryption, which can be bypassed due to hard-coded keys and an insecure key rotation protocol. Impacts may include remote code execution in some deployments; however, the vendor states that this cannot occur when the installation documentation is heeded. |
CVE-2019-15494 | 1 It-novum | 1 Openitcockpit | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. |
CVE-2019-9874 | 1 Sitecore | 2 Cms, Experience Platform | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN. |
CVE-2016-10904 | 1 Olimometer Project | 1 Olimometer | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | The olimometer plugin before 2.57 for WordPress has SQL injection. |
CVE-2019-7103 | 2 Adobe, Microsoft | 2 Shockwave Player, Windows | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution. |
CVE-2019-14348 | 1 Beardev | 1 Joomsport | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter. |
CVE-2019-3707 | 1 Dell | 1 Idrac9 Firmware | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Dell EMC iDRAC9 versions prior to 3.30.30.30 contain an authentication bypass vulnerability. A remote attacker may potentially exploit this vulnerability to bypass authentication and gain access to the system by sending specially crafted input data to the WS-MAN interface. |
CVE-2019-7104 | 1 Adobe | 1 Shockwave Player | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution. |
CVE-2019-7781 | 3 Adobe, Apple, Microsoft | 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010.20099 and earlier, 2017.011.30140 and earlier, 2017.011.30138 and earlier, 2015.006.30495 and earlier, and 2015.006.30493 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution. |
CVE-2019-11768 | 1 Phpmyadmin | 1 Phpmyadmin | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature. |
CVE-2018-11691 | 1 Emerson | 2 Ve6046, Ve6046 Firmware | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | The Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches' management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson's Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change the password using the tool. |
CVE-2019-8003 | 3 Adobe, Apple, Microsoft | 4 Acrobat Dc, Acrobat Reader Dc, Macos and 1 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution. |
CVE-2019-15846 | 2 Debian, Exim | 2 Debian Linux, Exim | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash. |
CVE-2019-8271 | 2 Siemens, Uvnc | 4 Sinumerik Access Mymachine/p2p, Sinumerik Pcu Base Win10 Software/ipc, Sinumerik Pcu Base Win7 Software/ipc and 1 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | UltraVNC revision 1211 has a heap buffer overflow vulnerability in the VNC server code inside the file transfer handler, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. This vulnerability has been fixed in revision 1212. |
CVE-2019-13400 | 1 Fortinet | 2 Fcm-mb40, Fcm-mb40 Firmware | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | Dynacolor FCM-MB40 v1.2.0.0 uses /etc/appWeb/appweb.pass to store administrative web-interface credentials in cleartext. These credentials can be retrieved via cgi-bin/getuserinfo.cgi?mode=info. |
CVE-2019-15224 | 1 Rest-client Project | 1 Rest-client | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | The rest-client gem 1.6.10 through 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions <=1.6.9 and >=1.6.14 are unaffected. |
CVE-2019-1619 | 1 Cisco | 1 Data Center Network Manager | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device. |
CVE-2018-10171 | 1 Kromtech | 1 Mackeeper | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Kromtech MacKeeper 3.20.4 suffers from a root privilege escalation vulnerability through its `com.mackeeper.AdwareAnalyzer.AdwareAnalyzerPrivilegedHelper` component. The AdwareAnalyzerPrivilegedHelper tool implements an XPC service that allows an unprivileged application to connect and execute shell scripts as the root user. |
CVE-2019-16314 | 1 Indexhibit | 1 Indexhibit | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Indexhibit 2.1.5 allows a product reinstallation, with resultant remote code execution, via /ndxzstudio/install.php?p=2. |
CVE-2019-7096 | 5 Adobe, Apple, Google and 2 more | 8 Flash Player, Flash Player Desktop Runtime, Mac Os X and 5 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Adobe Flash Player versions 32.0.0.156 and earlier, 32.0.0.156 and earlier, and 32.0.0.156 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution. |