Search Results (83231 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-17121 1 Vanderbilt 1 Redcap 2024-11-21 5.4 Medium
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.
CVE-2019-17120 1 Wikidsystems 1 2fa Enterprise Server 2024-11-21 6.1 Medium
A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/adm_usrs.jsp. The usr parameter is vulnerable: the reflected cross-site scripting occurs immediately after the user is created. The malicious script is stored and will be executed whenever /WiKIDAdmin/adm_usrs.jsp is visited.
CVE-2019-17116 1 Wikidsystems 1 Two Factor Authentication Enterprise Server 2024-11-21 6.1 Medium
A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/groups.jsp. The groupName parameter is vulnerable: the reflected cross-site scripting occurs immediately after the group is created. The malicious script is stored and will be executed again whenever /WiKIDAdmin/groups.jsp is visited.
CVE-2019-17115 1 Wikidsystems 1 Two Factor Authentication Enterprise Server 2024-11-21 6.1 Medium
Multiple cross-site scripting (XSS) vulnerabilities in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML that is triggered when Logs.jsp is visited. The rendered_message column is retrieved and displayed, unsanitized, on Logs.jsp. A remote attack can populate the rendered_message column with malicious values via: (1) H parameter to /wikid/servlet/com.wikidsystems.server.GetDomainHash (2) S parameter to: - /wikid/DomainData - /wikid/PreRegisterLookup - /wikid/PreRegister - /wikid/InitDevice - /wikid/servlet/InitDevice2S - /wikid/servlet/InitDevice3S - /servlet/com.wikidsystems.server.InitDevice2S - /servlet/com.wikidsystems.server.InitDevice3S - /servlet/com.wikidsystems.server.InitDevice4S - /wikid/servlet/com.wikidsystems.server.InitDevice4AES - /wikid/servlet/com.wikidsystems.server.InitDevice5AES (3) a parameter to: - /wikid/PreRegisterLookup - /wikid/InitDevice - /wikid/servlet/InitDevice2S - /wikid/servlet/InitDevice3S - /servlet/com.wikidsystems.server.InitDevice2S - /servlet/com.wikidsystems.server.InitDevice3S - /servlet/com.wikidsystems.server.InitDevice4S - /wikid/servlet/com.wikidsystems.server.InitDevice4AES - /wikid/servlet/com.wikidsystems.server.InitDevice5AES.
CVE-2019-17114 1 Wikidsystems 1 Two Factor Authentication Enterprise Server 2024-11-21 6.1 Medium
A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allows remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/userPreregistration.jsp. The preRegistrationData parameter is vulnerable: a reflected cross-site scripting occurs immediately after a .csv file is uploaded. The malicious script is stored and can be executed again when the List Pre-Registration functionality is used.
CVE-2019-17108 1 Centreon 1 Centreon Web 2024-11-21 6.1 Medium
Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user.
CVE-2019-17107 1 Centreon 1 Centreon Web 2024-11-21 8.8 High
minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect.
CVE-2019-17101 1 Netatmo 2 Smart Indoor Camera, Smart Indoor Camera Firmware 2024-11-21 5.7 Medium
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in firmware versions prior to x.xx of Netatmo Smart Indoor Camera allows an attacker to execute commands on the device. This issue affects: Netatmo Smart Indoor Camera version and prior versions.
CVE-2019-17098 1 August 3 August Home, Connect Wi-fi Bridge, Connect Wi-fi Bridge Firmware 2024-11-21 3.5 Low
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior versions on Android. August Connect Firmware version 2.2.12 and prior versions.
CVE-2019-17096 1 Bitdefender 3 Box 2, Box 2 Firmware, Central 2024-11-21 9 Critical
A OS Command Injection vulnerability in the bootstrap stage of Bitdefender BOX 2 allows the manipulation of the `get_image_url()` function in special circumstances to inject a system command.
CVE-2019-17095 1 Bitdefender 2 Box 2, Box 2 Firmware 2024-11-21 8.1 High
A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability.
CVE-2019-17094 1 Belkin 2 Wemo Insight Switch, Wemo Insight Switch Firmware 2024-11-21 8.3 High
A Stack-based Buffer Overflow vulnerability in libbelkin_api.so component of Belkin WeMo Insight Switch firmware allows a local attacker to obtain code execution on the device. This issue affects: Belkin WeMo Insight Switch firmware version 2.00.11396 and prior versions.
CVE-2019-17092 1 Openproject 1 Openproject 2024-11-21 6.1 Medium
An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.
CVE-2019-17091 2 Eclipse, Oracle 23 Mojarra, Application Testing Suite, Banking Enterprise Product Manufacturing and 20 more 2024-11-21 6.1 Medium
faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.
CVE-2019-17074 1 Xunruicms 1 Xunruicms 2024-11-21 5.4 Medium
An issue was discovered in XunRuiCMS 4.3.1. There is a stored XSS in the module_category area.
CVE-2019-17071 1 Realbigplugins 1 Client Dash 2024-11-21 6.1 Medium
The client-dash (aka Client Dash) plugin 2.1.4 for WordPress allows XSS.
CVE-2019-17070 2 Lqd, Microsoft 2 Liquid Speech Balloon, Internet Explorer 2024-11-21 6.1 Medium
The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin before 1.0.7 for WordPress allows XSS with Internet Explorer.
CVE-2019-17068 2 Opensuse, Putty 2 Leap, Putty 2024-11-21 7.5 High
PuTTY before 0.73 mishandles the "bracketed paste mode" protection mechanism, which may allow a session to be affected by malicious clipboard content.
CVE-2019-17067 2 Microsoft, Putty 2 Windows, Putty 2024-11-21 9.8 Critical
PuTTY before 0.73 on Windows improperly opens port-forwarding listening sockets, which allows attackers to listen on the same port to steal an incoming connection.
CVE-2019-17059 1 Sophos 2 Cyberoam, Cyberoamos 2024-11-21 9.8 Critical
A shell injection vulnerability on the Sophos Cyberoam firewall appliance with CyberoamOS before 10.6.6 MR-6 allows remote attackers to execute arbitrary commands via the Web Admin and SSL VPN consoles.