Search Results (323265 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-15128 1 If.svnadmin Project 1 If.svnadmin 2024-11-21 N/A
iF.SVNAdmin through 1.6.2 allows svnadmin/usercreate.php CSRF to create a user.
CVE-2019-15127 1 Vanderbilt 1 Redcap 2024-11-21 N/A
REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
CVE-2019-15126 2 Apple, Broadcom 15 Ipados, Iphone Os, Mac Os X and 12 more 2024-11-21 3.1 Low
An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.
CVE-2019-15124 1 Mediawiki 1 Mobilefrontend 2024-11-21 6.1 Medium
In the MobileFrontend extension for MediaWiki, XSS exists within the edit summary field of the watchlist feed. This affects REL1_31, REL1_32, and REL1_33.
CVE-2019-15123 1 Vikisolutions 1 Vera 2024-11-21 7.2 High
The Branding Module in Viki Vera 4.9.1.26180 allows an authenticated user to change the logo on the website. An attacker could use this to upload a malicious .aspx file and gain Remote Code Execution on the site.
CVE-2019-15120 1 Kunena 1 Kunena 2024-11-21 5.4 Medium
The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode.
CVE-2019-15118 5 Canonical, Debian, Linux and 2 more 12 Ubuntu Linux, Debian Linux, Linux Kernel and 9 more 2024-11-21 5.5 Medium
check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.
CVE-2019-15117 1 Linux 1 Linux Kernel 2024-11-21 7.8 High
parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access.
CVE-2019-15115 1 Profilepress 1 Loginwp 2024-11-21 N/A
The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF.
CVE-2019-15114 1 Ncrafts 1 Formcraft 2024-11-21 N/A
The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.
CVE-2019-15113 1 Codeermeneer 1 Companion Sitemap Generator 2024-11-21 N/A
The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF.
CVE-2019-15112 1 Wp-slimstat 1 Slimstat Analytics 2024-11-21 6.1 Medium
The wp-slimstat plugin before 4.8.1 for WordPress has XSS.
CVE-2019-15111 1 Wp Front End Profile Project 1 Wp Front End Profile 2024-11-21 N/A
The wp-front-end-profile plugin before 0.2.2 for WordPress has a privilege escalation issue.
CVE-2019-15110 1 Wp Front End Profile Project 1 Wp Front End Profile 2024-11-21 N/A
The wp-front-end-profile plugin before 0.2.2 for WordPress has XSS.
CVE-2019-15109 1 Stellarwp 1 The Events Calendar 2024-11-21 N/A
The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter.
CVE-2019-15108 1 Wso2 1 Api Manager 2024-11-21 4.8 Medium
An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component.
CVE-2019-15106 1 Zohocorp 1 Manageengine Opmanager 2024-11-21 N/A
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm'" string is used for the password. For example, if the username is admin, the password is admin@opm.
CVE-2019-15105 1 Zohocorp 1 Manageengine Applications Manager 2024-11-21 N/A
An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.
CVE-2019-15104 1 Zohocorp 1 Manageengine Applications Manager 2024-11-21 N/A
An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.
CVE-2019-15102 1 Sahipro 1 Sahi Pro 2024-11-21 N/A
An issue was discovered in Tyto Sahi Pro 6.x through 8.0.0. TestRunner_Non_distributed (and distributed end points) does not have any authentication mechanism. This allows an attacker to execute an arbitrary script on the remote Sahi Pro server. There is also a password-protected web interface intended for remote access to scripts. This web interface lacks server-side validation, which allows an attacker to create/modify/delete a script remotely without any password. Chaining both of these issues results in remote code execution on the Sahi Pro server.