| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Prospecta Master Data Online (MDO) allows CSRF. |
| On D-Link DIR-823G devices, the GoAhead configuration allows /HNAP1 Command Injection via shell metacharacters in the POST data, because this data is sent directly to the "system" library function. |
| On D-Link DIR-823G devices, ExportSettings.sh, upload_settings.cgi, GetDownLoadSyslog.sh, and upload_firmware.cgi do not require authentication, which allows remote attackers to execute arbitrary code. |
| In blynk-server in Blynk before 0.39.7, Directory Traversal exists via a ../ in a URI that has /static or /static/js at the beginning, as demonstrated by reading the /etc/passwd file. |
| Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. |
| A cross-site scripting (XSS) vulnerability in the Edit Filter page (manage_filter_edit page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name. |
| A cross-site scripting (XSS) vulnerability in the Manage Filters page (manage_filter_page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name. |
| Foxit PhantomPDF and Reader before 9.3 allow remote attackers to trigger Uninitialized Object Information Disclosure because creation of ArrayBuffer and DataView objects is mishandled. |
| Telegram Desktop (aka tdesktop) 1.3.14, and Telegram 3.3.0.0 WP8.1 on Windows, leaks end-user public and private IP addresses during a call because of an unsafe default behavior in which P2P connections are accepted from clients outside of the My Contacts list. |
| An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have access to the router control panel with administrator privileges. |
| PCProtect Anti-Virus v4.8.35 has "Everyone: (F)" permission for %PROGRAMFILES(X86)%\PCProtect, which allows local users to gain privileges by replacing an executable file with a Trojan horse. |
| Seqrite End Point Security v7.4 has "Everyone: (F)" permission for %PROGRAMFILES%\Seqrite\Seqrite, which allows local users to gain privileges by replacing an executable file with a Trojan horse. |
| Ingenico Telium 2 POS terminals have an insecure NTPT3 protocol. This is fixed in Telium 2 SDK v9.32.03 patch N. |
| Ingenico Telium 2 POS terminals have a buffer overflow via SOCKET_TASK in the NTPT3 protocol. This is fixed in Telium 2 SDK v9.32.03 patch N. |
| Ingenico Telium 2 POS terminals allow arbitrary code execution via the TRACE protocol. This is fixed in Telium 2 SDK v9.32.03 patch N. |
| Ingenico Telium 2 POS terminals have hardcoded FTP credentials. This is fixed in Telium 2 SDK v9.32.03 patch N. |
| Ingenico Telium 2 POS terminals have a buffer overflow via the RemotePutFile command of the NTPT3 protocol. This is fixed in Telium 2 SDK v9.32.03 patch N. |
| Ingenico Telium 2 POS terminals have a buffer overflow via the 0x26 command of the NTPT3 protocol. This is fixed in Telium 2 SDK v9.32.03 patch N. |
| Ingenico Telium 2 POS terminals have an insecure TRACE protocol. This is fixed in Telium 2 SDK v9.32.03 patch N. |
| Ingenico Telium 2 POS terminals have hardcoded PPP credentials. This is fixed in Telium 2 SDK v9.32.03 patch N. |
