| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Xpdf 2.00 allows a SIGSEGV in XRef::constructXRef in XRef.cc. NOTE: 2.00 is a version from November 2002. |
| Password disclosure in the web interface on socomec DIRIS A-40 devices before 48250501 allows a remote attacker to get full access to a device via the /password.jsn URI. |
| admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution. |
| An issue was discovered in Maarch RM before 2.5. A path traversal vulnerability allows an unauthenticated remote attacker to overwrite any files with a crafted POST request if the default installation procedure was followed. This results in a permanent Denial of Service. |
| An issue was discovered in Maarch RM before 2.5. A privilege escalation vulnerability allows an authenticated user with lowest privileges to give herself highest administration privileges via a crafted PUT request to an unauthorized resource. |
| eQ-3 HomeMatic CCU3 firmware version 3.41.11 allows Remote Code Execution in the ReGa.runScript method. An authenticated attacker can easily execute code and compromise the system. |
| eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system. |
| JetBrains TeamCity 2019.1 and 2019.1.1 allows cross-site scripting (XSS), potentially making it possible to send an arbitrary HTTP request to a TeamCity server under the name of the currently logged-in user. |
| The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same. |
| Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash. |
| Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions. |
| A malicious file upload vulnerability was discovered in Xiaomi Millet mobile phones 1-6.3.9.3. A particular condition involving a man-in-the-middle attack may lead to partial data leakage or malicious file writing. |
| The easy-pdf-restaurant-menu-upload plugin before 1.1.2 for WordPress has XSS. |
| The facebook-for-woocommerce plugin before 1.9.15 for WordPress has CSRF via ajax_woo_infobanner_post_click, ajax_woo_infobanner_post_xout, or ajax_fb_toggle_visibility. |
| The facebook-for-woocommerce plugin before 1.9.14 for WordPress has CSRF. |
| The custom-404-pro plugin before 3.2.8 for WordPress has reflected XSS, a different vulnerability than CVE-2019-14789. |
| The webp-express plugin before 0.14.8 for WordPress has stored XSS. |
| The wp-ultimate-recipe plugin before 3.12.7 for WordPress has stored XSS. |
| The wp-better-permalinks plugin before 3.0.5 for WordPress has CSRF. |
| The webp-converter-for-media plugin before 1.0.3 for WordPress has CSRF. |
