Search Results (83361 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-5524 1 Vmware 2 Fusion, Workstation 2024-11-21 N/A
VMware Workstation (14.x before 14.1.6) and Fusion (10.x before 10.1.6) contain an out-of-bounds write vulnerability in the e1000 virtual network adapter. This issue may allow a guest to execute code on the host.
CVE-2019-5518 1 Vmware 3 Esxi, Fusion, Workstation 2024-11-21 N/A
VMware ESXi (6.7 before ESXi670-201903001, 6.5 before ESXi650-201903001, 6.0 before ESXi600-201903001), Workstation (15.x before 15.0.4, 14.x before 14.1.7), Fusion (11.x before 11.0.3, 10.x before 10.1.6) contain an out-of-bounds read/write vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface). Exploitation of this issue requires an attacker to have access to a virtual machine with a virtual USB controller present. This issue may allow a guest to execute code on the host.
CVE-2019-5515 1 Vmware 2 Fusion, Workstation 2024-11-21 N/A
VMware Workstation (15.x before 15.0.3, 14.x before 14.1.6) and Fusion (11.x before 11.0.3, 10.x before 10.1.6) updates address an out-of-bounds write vulnerability in the e1000 and e1000e virtual network adapters. Exploitation of this issue may lead to code execution on the host from the guest but it is more likely to result in a denial of service of the guest.
CVE-2019-5485 1 Gitlabhook Project 1 Gitlabhook 2024-11-21 10.0 Critical
NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name.
CVE-2019-5477 3 Canonical, Debian, Nokogiri 3 Ubuntu Linux, Debian Linux, Nokogiri 2024-11-21 9.8 Critical
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
CVE-2019-5475 1 Sonatype 1 Nexus Repository Manager 2024-11-21 N/A
The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Execution when instances using CommandLineExecutor.java are supplied vulnerable data, such as the Yum Configuration Capability.
CVE-2019-5471 1 Gitlab 1 Gitlab 2024-11-21 5.4 Medium
An input validation and output encoding issue was discovered in the GitLab email notification feature which could result in a persistent XSS. This was addressed in GitLab 12.1.2, 12.0.4, and 11.11.6.
CVE-2019-5467 1 Gitlab 1 Gitlab 2024-11-21 5.4 Medium
An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.
CVE-2019-5458 1 Http-file-server Project 1 Http-file-server 2024-11-21 5.4 Medium
Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.
CVE-2019-5457 1 Min-http-server Project 1 Min-http-server 2024-11-21 5.4 Medium
Cross-site scripting (XSS) vulnerability in min-http-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.
CVE-2019-5450 1 Nextcloud 1 Nextcloud 2024-11-21 6.8 Medium
Improper sanitization of HTML in directory names in the Nextcloud Android app prior to version 3.7.0 allowed to style the directory name in the header bar when using basic HTML.
CVE-2019-5446 1 Ui 12 Edgeswitch Firmware, Ep-s16., Es-12f and 9 more 2024-11-21 7.2 High
Command Injection in EdgeMAX EdgeSwitch prior to 1.8.2 allow an Admin user to execute commands as root.
CVE-2019-5442 1 Pippo 1 Pippo 2024-11-21 7.5 High
XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service.Entities are created recursively and large amounts of heap memory is taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will continue to be exhausted and will affect other processes on the system.
CVE-2019-5425 1 Ui 1 Edgeswitch X 2024-11-21 N/A
In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an authenticated user can execute arbitrary shell commands over the SSH interface bypassing the CLI interface, which allow them to escalate privileges to root.
CVE-2019-5424 1 Ui 1 Edgeswitch X 2024-11-21 8.8 High
In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, a privileged user can execute arbitrary shell commands over the SSH CLI interface. This allows to execute shell commands under the root user.
CVE-2019-5422 1 Buttle Project 1 Buttle 2024-11-21 N/A
XSS in buttle npm package version 0.2.0 causes execution of attacker-provided code in the victim's browser when an attacker creates an arbitrary file on the server.
CVE-2019-5420 3 Debian, Fedoraproject, Rubyonrails 3 Debian Linux, Fedora, Rails 2024-11-21 9.8 Critical
A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.
CVE-2019-5419 5 Debian, Fedoraproject, Opensuse and 2 more 8 Debian Linux, Fedora, Leap and 5 more 2024-11-21 7.5 High
There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.
CVE-2019-5414 1 Kill-port Project 1 Kill-port 2024-11-21 N/A
If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module kill-port < 1.3.2.
CVE-2019-5413 1 Morgan Project 1 Morgan 2024-11-21 N/A
An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.