Search Results (83152 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-12807 2 Estsoft, Microsoft 2 Alzip, Windows 2024-11-21 7.8 High
Alzip 10.83 and earlier version contains a stack-based buffer overflow vulnerability, caused by improper bounds checking during the parsing of crafted ISO archive file format. By persuading a victim to open a specially-crafted ISO archive file, an attacker could execution arbitrary code.
CVE-2019-12806 2 Crosscert, Microsoft 2 Unisign, Windows 2024-11-21 8.8 High
UniSign 2.0.4.0 and earlier version contains a stack-based buffer overflow vulnerability which can overwrite the stack with arbitrary data, due to a buffer overflow in a library. That leads remote attacker to execute arbitrary code via crafted https packets.
CVE-2019-12805 1 Ncsoft 1 Nc Launcher2 2024-11-21 8.8 High
NCSOFT Game Launcher, NC Launcher2 2.4.1.691 and earlier versions have a vulnerability in the custom protocol handler that could allow remote attacker to execute arbitrary command. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page. This can be leveraged for code execution in the context of the current user.
CVE-2019-12801 1 Seeddms 1 Seeddms 2024-11-21 N/A
out/out.GroupMgr.php in SeedDMS 5.1.11 has Stored XSS by making a new group with a JavaScript payload as the "GROUP" Name.
CVE-2019-12797 1 Elmelectronics 2 Elm27, Elm27 Firmware 2024-11-21 9.8 Critical
A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle.
CVE-2019-12792 1 Vestacp 1 Control Panel 2024-11-21 N/A
A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root.
CVE-2019-12788 1 Photodex 1 Proshow Producer 2024-11-21 7.8 High
An issue was discovered in Photodex ProShow Producer v9.0.3797 (an application that runs with Administrator privileges). It is possible to perform a buffer overflow via a crafted file.
CVE-2019-12787 1 Dlink 2 Dir-818lw, Dir-818lw Firmware 2024-11-21 8.8 High
An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the Gateway key.
CVE-2019-12786 1 Dlink 2 Dir-818lw, Dir-818lw Firmware 2024-11-21 8.8 High
An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the IPAddress key.
CVE-2019-12780 1 Belkin 2 Crock-pot Smart Slow Cooker With Wemo, Crock-pot Smart Slow Cooker With Wemo Firmware 2024-11-21 N/A
The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. A simple POST request to /upnp/control/basicevent1 can allow an attacker to execute commands without authentication.
CVE-2019-12777 1 Enttec 8 Datagate Mk2, Datagate Mk2 Firmware, E-streamer Mk2 and 5 more 2024-11-21 N/A
An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They replace secure and protected directory permissions (set as default by the underlying operating system) with highly insecure read, write, and execute directory permissions for all users. By default, /usr/local and all of its subdirectories should have permissions set to only allow non-privileged users to read and execute from the tree structure, and to deny users from creating or editing files in this location. The ENTTEC firmware startup script permits all users to read, write, and execute (rwxrwxrwx) from the /usr, /usr/local, /usr/local/dmxis, and /usr/local/bin/ directories.
CVE-2019-12776 1 Enttec 8 Datagate Mk2, Datagate Mk2 Firmware, E-streamer Mk2 and 5 more 2024-11-21 N/A
An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They include a hard-coded SSH backdoor for remote SSH and SCP access as the root user. A command in the relocate and relocate_revB scripts copies the hardcoded key to the root user's authorized_keys file, enabling anyone with the associated private key to gain remote root access to all affected products.
CVE-2019-12774 1 Enttec 8 Datagate Mk2, Datagate Mk2 Firmware, E-streamer Mk2 and 5 more 2024-11-21 N/A
A number of stored XSS vulnerabilities have been identified in the web configuration feature in ENTTEC Datagate Mk2 70044_update_05032019-482 that could allow an unauthenticated threat actor to inject malicious code directly into the application. This affects, for example, the Profile Description field in JSON data to the Profile Editor.
CVE-2019-12773 1 Verint 1 Impact 360 2024-11-21 6.1 Medium
An issue was discovered in Verint Impact 360 15.1. At wfo/help/help_popup.jsp, the helpURL parameter can be changed to embed arbitrary content inside of an iFrame. Attackers may use this in conjunction with social engineering to embed malicious scripts or phishing pages on a site where this product is installed, given the attacker can convince a victim to visit a crafted link.
CVE-2019-12771 1 Thinstation Project 1 Thinstation 2024-11-21 N/A
Command injection is possible in ThinStation through 6.1.1 via shell metacharacters after the cgi-bin/CdControl.cgi action= substring, or after the cgi-bin/VolControl.cgi OK= substring.
CVE-2019-12767 1 Dlink 2 Dap-1650, Dap-1650 Firmware 2024-11-21 9.8 Critical
An issue was discovered on D-Link DAP-1650 devices before 1.04B02_J65H Hot Fix. Attackers can execute arbitrary commands.
CVE-2019-12766 1 Joomla 1 Joomla\! 2024-11-21 6.1 Medium
An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors.
CVE-2019-12754 1 Symantec 1 Vip 2024-11-21 N/A
Symantec My VIP portal, previous version which has already been auto updated, was susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users or potentially bypass access controls such as the same-origin policy.
CVE-2019-12748 1 Typo3 1 Typo3 2024-11-21 6.1 Medium
TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.
CVE-2019-12745 1 Seeddms 1 Seeddms 2024-11-21 N/A
out/out.UsrMgr.php in SeedDMS before 5.1.11 allows Stored Cross-Site Scripting (XSS) via the name field.