Search Results (83245 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-18459 1 Gitlab 1 Gitlab 2024-11-21 5.3 Medium
An issue was discovered in GitLab Community and Enterprise Edition 11.3 to 12.3 in the protected environments feature. It has Insecure Permissions (issue 3 of 4).
CVE-2019-18456 1 Gitlab 1 Gitlab 2024-11-21 5.3 Medium
An issue was discovered in GitLab Community and Enterprise Edition 8.17 through 12.4 in the Search feature provided by Elasticsearch integration.. It has Insecure Permissions (issue 1 of 4).
CVE-2019-18454 1 Gitlab 1 Gitlab 2024-11-21 6.1 Medium
An issue was discovered in GitLab Community and Enterprise Edition 10.5 through 12.4 in link validation for RDoc wiki pages feature. It has XSS.
CVE-2019-18453 1 Gitlab 1 Gitlab 2024-11-21 4.3 Medium
An issue was discovered in GitLab Community and Enterprise Edition 11.6 through 12.4 in the add comments via email feature. It has Insecure Permissions.
CVE-2019-18452 1 Gitlab 1 Gitlab 2024-11-21 5.3 Medium
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4 when moving an issue to a public project from a private one. It has Insecure Permissions.
CVE-2019-18450 1 Gitlab 1 Gitlab 2024-11-21 4.3 Medium
An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the Project labels feature. It has Insecure Permissions.
CVE-2019-18449 1 Gitlab 1 Gitlab 2024-11-21 4.3 Medium
An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the autocomplete feature. It has Insecure Permissions (issue 2 of 2).
CVE-2019-18447 1 Gitlab 1 Gitlab 2024-11-21 4.3 Medium
An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Insecure Permissions.
CVE-2019-18446 1 Gitlab 1 Gitlab 2024-11-21 4.3 Medium
An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4. It has Insecure Permissions (issue 1 of 2).
CVE-2019-18424 4 Debian, Fedoraproject, Opensuse and 1 more 4 Debian Linux, Fedora, Leap and 1 more 2024-11-21 6.8 Medium
An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device. This occurs because passed through PCI devices may corrupt host memory after deassignment. When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the guest. However, when the guest domain is torn down, or the device is deassigned, the device is assigned back to dom0, thus allowing any in-flight DMA to potentially target critical host data. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.
CVE-2019-18422 3 Debian, Fedoraproject, Xen 3 Debian Linux, Fedora, Xen 2024-11-21 8.8 High
An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. Interrupts are unconditionally unmasked in exception handlers. When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. A malicious guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. This could lead to data corruption, denial of service, or possibly even privilege escalation. However a precise attack technique has not been identified.
CVE-2019-18419 1 Clonos 1 Clonos 2024-11-21 6.1 Medium
A cross-site scripting (XSS) vulnerability in index.php in ClonOS WEB control panel 19.09 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
CVE-2019-18416 1 Restaurant Management System Project 1 Restaurant Management System 2024-11-21 6.1 Medium
Sourcecodester Restaurant Management System 1.0 allows XSS via the Last Name field of a member.
CVE-2019-18415 1 Restaurant Management System Project 1 Restaurant Management System 2024-11-21 6.1 Medium
Sourcecodester Restaurant Management System 1.0 allows XSS via the "send a message" screen.
CVE-2019-18413 1 Typestack Class-validator Project 1 Typestack Class-validator 2024-11-21 3.7 Low
In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.
CVE-2019-18409 1 Zenspider 1 Ruby Parser-legacy 2024-11-21 7.8 High
The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local privilege escalation because of world-writable files. For example, if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used, a local user can insert malicious code into the ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file.
CVE-2019-18396 1 Technicolor 2 Td5130v2, Td5130v2 Firmware 2024-11-21 7.2 High
An issue was discovered in certain Oi third-party firmware that may be installed on Technicolor TD5130v2 devices. A Command Injection in the Ping module in the Web Interface in OI_Fw_V20 allows remote attackers to execute arbitrary OS commands in the pingAddr parameter to mnt_ping.cgi. NOTE: This may overlap CVE-2017–14127.
CVE-2019-18391 4 Debian, Opensuse, Redhat and 1 more 4 Debian Linux, Leap, Enterprise Linux and 1 more 2024-11-21 5.5 Medium
A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.
CVE-2019-18389 4 Debian, Opensuse, Redhat and 1 more 4 Debian Linux, Leap, Enterprise Linux and 1 more 2024-11-21 7.8 High
A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service, or QEMU guest-to-host escape and code execution, via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.
CVE-2019-18378 1 Symantec 1 Messaging Gateway 2024-11-21 4.8 Medium
Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy.