| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Raml-Module-Builder 26.4.0 allows SQL Injection in PostgresClient.update. |
| XENFCoreSharp before 2019-07-16 allows SQL injection in web/verify.php. |
| CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBruteForce.mjs. |
| GNU Libextractor through 1.9 has a heap-based buffer over-read in the function EXTRACTOR_dvi_extract_method in plugins/dvi_extractor.c. |
| An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the LoginPassword field to Login. |
| An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Username field to Login. |
| An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Interface field to SetStaticRouteSettings. |
| An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the MaxIdTime field to SetWanSettings. |
| An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Type field to SetWanSettings, a related issue to CVE-2019-13482. |
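The five DIR-823G entries above share one pattern: a field of an authenticated HNAP1 request (Username, LoginPassword, Interface, MaxIdTime, Type) is spliced into a shell command, so `;`, `|`, backticks and friends start a second command. The following is an added example, not D-Link firmware code: it models that pattern and the two defences that close it. The field names follow the advisories; the program names, the allow-list rules and the request values are constructed for illustration.

```python
"""Shell-metacharacter command injection in request fields, and two defences.

Added example, not D-Link firmware: it models the pattern the DIR-823G HNAP1
advisories describe (an authenticated request field spliced into a shell
command). Field names follow the advisories; the commands, allow-list rules
and request values are assumptions for illustration.
"""
import re
import shlex
from typing import Dict, List, Optional

# Constructed request fields: one benign set, one carrying shell metacharacters.
BENIGN = {"Username": "admin", "Interface": "eth1", "MaxIdTime": "300"}
HOSTILE = {"Username": "admin;reboot",
           "Interface": "eth1|telnetd -l/bin/sh",
           "MaxIdTime": "300`id`"}

# Characters that change the meaning of a command line for /bin/sh.
SHELL_META = set(";|&`$()<>\n\r\t \"'\\")

# Assumed per-field allow-lists. Each pattern admits only what the field means,
# which rejects every metacharacter without maintaining a deny-list. A password
# field (LoginPassword) legitimately contains such characters, so no regex can
# fix it: it must never reach a shell string at all (see build_argv below).
FIELD_RULES = {
    "Username": re.compile(r"^[A-Za-z0-9_.-]{1,32}$"),
    "Interface": re.compile(r"^[a-z]{1,8}[0-9]{0,3}$"),
    "MaxIdTime": re.compile(r"^[0-9]{1,5}$"),
}


def build_shell_command(template: str, value: str) -> str:
    """Vulnerable pattern: the field is formatted into a string that would be
    handed to system()/popen(). Returned, not executed, so the shell's view of
    the input can be inspected."""
    return template % value


def injected_metachars(value: str) -> str:
    """Sorted shell metacharacters present in a field (useful when triaging
    request logs for attempts against such handlers)."""
    return "".join(sorted(set(value) & SHELL_META))


def field_is_valid(name: str, value: str) -> bool:
    """Defence 1: allow-list each field by its meaning; unknown fields are rejected."""
    rule = FIELD_RULES.get(name)
    if rule is None or rule.fullmatch(value) is None:
        return False
    if name == "MaxIdTime":
        return 0 < int(value) <= 86400
    return True


def build_argv(program: str, *args: str) -> List[str]:
    """Defence 2: an argv list for execv()/subprocess with no shell in between.
    Metacharacters stay literal bytes inside one argument and cannot start a
    second command, whatever the field contains."""
    return [program, *args]


def set_wan_settings(fields: Dict[str, str]) -> Optional[List[str]]:
    """Modelled SetWanSettings handler: validate, then build argv.
    Returns None when a field fails validation. /sbin/wan_setup is an assumed program."""
    for name in ("Interface", "MaxIdTime"):
        if not field_is_valid(name, fields.get(name, "")):
            return None
    return build_argv("/sbin/wan_setup", "--if", fields["Interface"],
                      "--idle", fields["MaxIdTime"])


if __name__ == "__main__":
    print("shell sees :", build_shell_command("ifconfig %s up", HOSTILE["Interface"]))
    print("metachars  :", repr(injected_metachars(HOSTILE["Interface"])))
    print("argv quoted:", shlex.join(build_argv("ifconfig", HOSTILE["Interface"], "up")))
    print("benign     :", set_wan_settings(BENIGN))
    print("hostile    :", set_wan_settings(HOSTILE))
```

`shlex.join` is used only to show how the argv form would have to be quoted to be equivalent on a shell; the hardened path never builds a shell string. Validation alone is not enough for free-form fields such as a password, which is why the argv form is the defence that applies to every field named in the advisories.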
| There is Missing SSL Certificate Validation in the pw3270 terminal emulator before version 5.1. |
| CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in the File Management Module, which leads to remote code execution by visiting a photo/upload/2019/ URI. |
| An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API. |
| An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_session in daemon.c neglects to force a failure of a hello command when the configuration requires use of SSL. |
| Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object. |
| comelz Quark before 2019-03-26 allows directory traversal to locations outside of the project directory. |
| Power-Response before 2019-02-02 allows directory traversal (up to the application's main directory) via a plugin. |
| Swoole before 4.2.13 allows directory traversal in swPort_http_static_handler. |
| jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal. |
| Cuberite before 2019-06-11 allows webadmin directory traversal via ....// because the protection mechanism simply removes one ../ substring. |
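The Nginx Proxy Manager and Cuberite entries above show the two classic ways a traversal filter fails: checking the raw string before percent-decoding it (`%2e%2e%2f` is not `../` until it is decoded), and deleting `../` in a single pass (`....//` becomes `../` after the deletion). The following is an added example, not code from either project or from Swoole: it reproduces both broken filters on constructed inputs and sets a sound resolver beside them. The web root path is an assumption.

```python
"""Directory-traversal filters: two broken checks and a sound resolver.

Added example; not code from Cuberite, Nginx Proxy Manager or Swoole. The
inputs are constructed to match the bypasses the advisories describe, and
the web root is an assumption.
"""
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

WEBROOT = PurePosixPath("/srv/webadmin")  # assumed document root


def filter_strip_dotdot(path: str) -> str:
    """Broken filter: one non-recursive pass deleting '../'.
    Deleting the middle '../' of '....//' leaves '../' behind."""
    return path.replace("../", "")


def filter_check_before_decode(path: str) -> Optional[str]:
    """Broken filter: rejects a literal '..' and only then percent-decodes,
    so '%2e%2e%2f' passes the check and becomes '../' afterwards."""
    if ".." in path:
        return None
    return unquote(path)


def safe_resolve(root: PurePosixPath, path: str) -> Optional[PurePosixPath]:
    """Sound order of operations: decode until stable, normalise segment by
    segment, and reject any path that climbs above the root.
    Returns the confined absolute path, or None if the request is rejected."""
    if "\x00" in path:
        return None
    decoded = path
    for _ in range(3):                      # tolerate double encoding, bound the work
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None                         # still changing after 3 rounds: reject
    if "\x00" in decoded or "\\" in decoded:
        return None
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None                 # would escape the root
            parts.pop()
        else:
            parts.append(seg)               # '....' is just an odd file name here
    return root.joinpath(*parts)


if __name__ == "__main__":
    for probe in ("....//etc/passwd", "%2e%2e%2f%2e%2e%2fetc/passwd",
                  "%252e%252e%252fetc/passwd", "css/../index.html"):
        print(f"{probe!r}")
        print("  strip once         ->", repr(filter_strip_dotdot(probe)))
        print("  check then decode  ->", repr(filter_check_before_decode(probe)))
        print("  decode, normalise  ->", safe_resolve(WEBROOT, probe))
```

The resolver never tries to repair a hostile path; it either lands inside the root or is rejected. Normalising against the decoded string, not the raw one, is what defeats `%2e%2e%2f`, and processing whole segments rather than deleting substrings is what defeats `....//`. On a real server the same confinement check should also be applied after symlink resolution (for example with `os.path.realpath`), which this pure-string example does not do.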
| Discourse 2.3.2 sends the CSRF token in the query string. |