Search Results (83246 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-18856 1 Drupal 1 Svg Sanitizer 2024-11-21 7.5 High
A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.
CVE-2019-18842 1 Usriot 8 Usr-wifi232-g2, Usr-wifi232-g2 Firmware, Usr-wifi232-h and 5 more 2024-11-21 6.1 Medium
A cross-site scripting (XSS) vulnerability in the configuration web interface of the Jinan USR IOT USR-WIFI232-S/T/G2/H Low Power WiFi Module with web version 1.2.2 allows attackers to leak credentials of the Wi-Fi access point the module is logged into, and the web interface login credentials, by opening a Wi-Fi access point nearby with a malicious SSID.
CVE-2019-18840 1 Wolfssl 1 Wolfssl 2024-11-21 7.5 High
In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer overflow inside the DecodedCert structure in GetName in wolfcrypt/src/asn.c because the domain name location index is mishandled. Because a pointer is overwritten, there is an invalid free.
CVE-2019-18839 1 Fudforum 1 Fudforum 2024-11-21 9.0 Critical
FUDForum 3.0.9 is vulnerable to Stored XSS via the nlogin parameter. This may result in remote code execution. An attacker can use a user account to fully compromise the system using a POST request. When the admin visits the user information, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.
CVE-2019-18834 1 Woocommerce 1 Subscriptions 2024-11-21 6.1 Medium
Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php.
CVE-2019-18831 1 Barco 8 Clickshare Cs-100, Clickshare Cs-100 Firmware, Clickshare Cse-200 and 5 more 2024-11-21 5.3 Medium
Barco ClickShare Button R9861500D01 devices before 1.9.0 allow Information Exposure. The encrypted ClickShare Button firmware contains the private key of a test device-certificate.
CVE-2019-18830 1 Barco 8 Clickshare Cs-100, Clickshare Cs-100 Firmware, Clickshare Cse-200 and 5 more 2024-11-21 9.8 Critical
Barco ClickShare Button R9861500D01 devices before 1.9.0 allow OS Command Injection. The embedded 'dongle_bridge' program used to expose the functionalities of the ClickShare Button to a USB host, is vulnerable to OS command injection vulnerabilities. These vulnerabilities could lead to code execution on the ClickShare Button with the privileges of the user 'nobody'.
CVE-2019-18821 1 Eximioussoft 1 Logo Designer 2024-11-21 5.5 Medium
Eximious Logo Designer 3.82 has a User Mode Write AV starting at ExiCustomPathLib!ExiCustomPathLib::CGradientColorsProfile::BuildGradientColorsTable+0x0000000000000053.
CVE-2019-18820 1 Eximioussoft 1 Logo Designer 2024-11-21 5.5 Medium
Eximious Logo Designer 3.82 has Heap Corruption starting at ntdll!RtlpNtMakeTemporaryKey+0x0000000000001a78.
CVE-2019-18819 1 Eximioussoft 1 Logo Designer 2024-11-21 5.5 Medium
Eximious Logo Designer 3.82 has a User Mode Write AV starting at ExiVectorRender!StrokeText_Blend+0x00000000000003a7.
CVE-2019-18816 1 Popojicms 1 Popojicms 2024-11-21 6.1 Medium
po-admin/route.php?mod=post&act=edit in PopojiCMS 2.0.1 allows post[1][content]= stored XSS.
CVE-2019-18801 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-11-21 9.8 Critical
An issue was discovered in Envoy 1.12.0. An untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1. This may be used to corrupt nearby heap contents (leading to a query-of-death scenario) or may be used to bypass Envoy's access control mechanisms such as path based routing. An attacker can also modify requests from other users that happen to be proximal temporally and spatially.
CVE-2019-18793 1 Parallels 1 Parallels Plesk Panel 2024-11-21 6.1 Medium
Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter.
CVE-2019-18791 1 Lexmark 160 6500e, 6500e Firmware, C734 and 157 more 2024-11-21 5.4 Medium
Lexmark printer MS812 and multiple older generation Lexmark devices have a stored XSS vulnerability in the embedded web server. The vulnerability can be exploited to expose session credentials and other information via the users web browser.
CVE-2019-18780 3 Linux, Microsoft, Veritas 8 Linux Kernel, Windows, Access and 5 more 2024-11-21 9.8 Critical
An arbitrary command injection vulnerability in the Cluster Server component of Veritas InfoScale allows an unauthenticated remote attacker to execute arbitrary commands as root or administrator. These Veritas products are affected: Access 7.4.2 and earlier, Access Appliance 7.4.2 and earlier, Flex Appliance 1.2 and earlier, InfoScale 7.3.1 and earlier, InfoScale between 7.4.0 and 7.4.1, Veritas Cluster Server (VCS) 6.2.1 and earlier on Linux/UNIX, Veritas Cluster Server (VCS) 6.1 and earlier on Windows, Storage Foundation HA (SFHA) 6.2.1 and earlier on Linux/UNIX, and Storage Foundation HA (SFHA) 6.1 and earlier on Windows.
CVE-2019-18677 4 Canonical, Fedoraproject, Redhat and 1 more 4 Ubuntu Linux, Fedora, Enterprise Linux and 1 more 2024-11-21 6.1 Medium
An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.
CVE-2019-18676 5 Canonical, Debian, Fedoraproject and 2 more 5 Ubuntu Linux, Debian Linux, Fedora and 2 more 2024-11-21 7.5 High
An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme.
CVE-2019-18671 1 Keepkey 2 Keepkey, Keepkey Firmware 2024-11-21 9.8 Critical
Insufficient checks in the USB packet handling of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow out-of-bounds writes in the .bss segment via crafted messages. The vulnerability could allow code execution or other forms of impact. It can be triggered by unauthenticated attackers and the interface is reachable via WebUSB.
CVE-2019-18668 1 Wpwham 1 Currency Switcher For Woocommerce 2024-11-21 6.5 Medium
An issue was discovered in the Currency Switcher addon before 2.11.2 for WooCommerce if a user provides a currency that was not added by the administrator. In this case, even though the currency does not exist, it will be selected, but a price amount will fall back to the default currency. This means that if an attacker provides a currency that does not exist and is worth less than this default, the attacker can eventually purchase an item for a significantly cheaper price.
CVE-2019-18667 1 Pfsense 1 Pfsense-pkg-freeradius3 2024-11-21 6.1 Medium
/usr/local/www/freeradius_view_config.php in the freeradius3 package before 0.15.7_3 for pfSense on FreeBSD allows a user with an XSS payload as password or username to execute arbitrary javascript code on a victim browser.