Total: 23728 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-5490 | 1 Netapp | 2 Clustered Data Ontap, Service Processor | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Certain versions between 2.x and 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the advisory Impact section may be affected and should be upgraded to a fixed version of Service Processor firmware IMMEDIATELY.
CVE-2019-7261 | 1 Nortekcontrol | 4 Linear Emerge Elite, Linear Emerge Elite Firmware, Linear Emerge Essential and 1 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Linear eMerge E3-Series devices have hard-coded credentials.
CVE-2019-13027 | 1 Realization | 1 Concerto Critical Chain Planner | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has SQL injection in at least the taskupdt/taskdetails.aspx webpage via the projectname parameter.
CVE-2019-9039 | 1 Couchbase | 1 Sync Gateway | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | In Couchbase Sync Gateway 2.1.2, an attacker with access to the Sync Gateway's public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters "startkey" and "endkey" on the "_all_docs" endpoint. By issuing nested queries with CPU-intensive operations they may have been able to cause increased resource usage and denial of service conditions. The _all_docs endpoint is not required for Couchbase Mobile replication, and external access to this REST endpoint has been blocked to mitigate this issue. This issue has been fixed in versions 2.5.0 and 2.1.3.
CVE-2019-15872 | 1 Wpbrigade | 1 Loginpress | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | The LoginPress plugin before 1.1.4 for WordPress has SQL injection via an import of settings.
CVE-2019-1938 | 1 Cisco | 2 Ucs Director, Ucs Director Express For Big Data | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | A vulnerability in the web-based management interface of Cisco UCS Director and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on an affected system. The vulnerability is due to improper authentication request handling. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an unprivileged attacker to access and execute arbitrary actions through certain APIs.
CVE-2017-18634 | 1 Tagdiv | 1 Newspaper | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | The Newspaper theme before 6.7.2 for WordPress has script injection via td_ads[header] to admin-ajax.php.
CVE-2019-7964 | 1 Adobe | 1 Experience Manager | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Adobe Experience Manager versions 6.5 and 6.4 have an authentication bypass vulnerability. Successful exploitation could lead to remote code execution.
CVE-2019-11362 | 1 Rocboss | 1 Rocboss | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | app/controllers/frontend/PostController.php in ROCBOSS V2.2.1 has SQL injection via the Post:doReward score parameter, as demonstrated by the /do/reward/3 URI.
CVE-2019-13548 | 1 Codesys | 13 Control For Beaglebone, Control For Empc-a\/imx6, Control For Iot2000 and 10 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted HTTP or HTTPS requests which could cause a stack overflow and create a denial-of-service condition or allow remote code execution.
CVE-2019-12300 | 1 Buildbot | 1 Buildbot | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can log in as the victim.
CVE-2012-6719 | 1 Sharebar Project | 1 Sharebar | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | The Sharebar plugin before 1.2.2 for WordPress has SQL injection.
CVE-2019-12776 | 1 Enttec | 8 Datagate Mk2, Datagate Mk2 Firmware, E-streamer Mk2 and 5 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They include a hard-coded SSH backdoor for remote SSH and SCP access as the root user. A command in the relocate and relocate_revB scripts copies the hard-coded key to the root user's authorized_keys file, enabling anyone with the associated private key to gain remote root access to all affected products.
CVE-2018-17988 | 1 Layerbb | 1 Layerbb | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | LayerBB 1.1.1 and 1.1.3 have SQL injection via the search.php search_query parameter.
CVE-2019-3918 | 1 Nokia | 2 I-240w-q Gpon Ont, I-240w-q Gpon Ont Firmware | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 contains multiple hard-coded credentials for the Telnet and SSH interfaces.
CVE-2014-5432 | 1 Baxter | 3 Sigma Spectrum Infusion System, Sigma Spectrum Infusion System Firmware, Wireless Battery Module | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 is remotely accessible via port 22/SSH without authentication. A remote attacker may be able to make unauthorized configuration changes to the WBM, as well as issue commands to access account credentials and shared keys. Baxter asserts that this vulnerability only allows access to features and functionality on the WBM and that the SIGMA Spectrum infusion pump cannot be controlled from the WBM. Baxter has released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes.
CVE-2019-13656 | 1 Broadcom | 2 Ca Client Automation, Ca Workload Automation Ae | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | An access vulnerability in CA Common Services DIA of CA Technologies Client Automation 14 and Workload Automation AE 11.3.5 and 11.3.6 allows a remote attacker to execute arbitrary code.
CVE-2019-7772 | 3 Adobe, Apple, Microsoft | 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010.20099 and earlier, 2017.011.30140 and earlier, 2017.011.30138 and earlier, 2015.006.30495 and earlier, and 2015.006.30493 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-7551 | 1 Cantemo | 1 Portal | 2023-12-10 | 6.0 MEDIUM | 9.0 CRITICAL | Cantemo Portal before 3.2.13, 3.3.x before 3.3.8, and 3.4.x before 3.4.9 has XSS. Leveraging this vulnerability would enable performing actions as users, including administrative users. This could enable account creation and deletion as well as deletion of information contained within the app.
CVE-2019-14231 | 1 Onionbuzz | 1 Onionbuzz | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.2 for WordPress. One could exploit the points parameter in the ob_get_results ajax nopriv handler due to there being no sanitization prior to use in a SQL query in getResultByPointsTrivia. This allows an unauthenticated/unprivileged user to perform a SQL injection attack capable of remote code execution and information disclosure.