| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In JetBrains TeamCity before 2019.1.4, reverse tabnabbing was possible on several pages. |
| In JetBrains TeamCity before 2019.1.4, insecure Java Deserialization could potentially allow remote code execution. |
| In JetBrains TeamCity before 2019.1.2, access could be gained to the history of builds of a deleted build configuration under some circumstances. |
| JetBrains MPS before 2019.2.2 exposed listening ports to the network. |
| JetBrains IntelliJ IDEA before 2019.2 allows local user privilege escalation, potentially leading to arbitrary code execution. |
| In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery. |
| A buffer over-read was discovered in ReadMP3APETag in apetag.c in MP3Gain 1.6.2. The vulnerability causes an application crash, which leads to remote denial of service. |
| An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 2 of 2). |
| An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 1 of 2). |
| An SSRF issue was discovered in the legacy Web launcher in Thycotic Secret Server before 10.7. |
| Improper access control exists on PHOENIX CONTACT FL NAT 2208 devices before V2.90 and FL NAT 2304-2GC-2SFP devices before V2.90 when using MAC-based port security. |
| In Ant Design Pro 4.0.0, reflected XSS in the user/login redirect GET parameter affects the authorization component, leading to execution of JavaScript code in the login after-action script. |
| HotkeyP through 4.9 r96 allows privilege escalation in the privilege function in Commands.cpp. |
| An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1. |
| A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email. |
| A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user. |
| A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application. |
| Sourcecodester Online Grading System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the student, instructor, department, room, class, or user page (id or classid parameter). |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The SFTP service (default port 22/tcp) of the Control Center Server
(CCS) does not properly limit its capabilities to the specified purpose.
In conjunction with CVE-2019-18341, an unauthenticated remote attacker with
network access to the CCS server could exploit this vulnerability
to read or delete arbitrary files, or access other resources on the same
server. |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The SFTP service (default port 22/tcp) of the Control Center Server
(CCS) contains an authentication bypass vulnerability.
A remote attacker with network access to the CCS server could
exploit this vulnerability to read data from the EDIR directory
(for example, the list of all configured stations). |
