Search Results (83149 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-12427 1 Zimbra 1 Collaboration Server 2024-11-21 4.8 Medium
Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a non-persistent XSS via the Admin Console.
CVE-2019-12425 1 Apache 1 Ofbiz 2024-11-21 7.5 High
Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host
CVE-2019-12417 1 Apache 1 Airflow 2024-11-21 4.8 Medium
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.
CVE-2019-12416 1 Apache 1 Deltaspike 2024-11-21 6.1 Medium
we got reports for 2 injection attacks against the DeltaSpike windowhandler.js. This is only active if a developer selected the ClientSideWindowStrategy which is not the default.
CVE-2019-12407 1 Apache 1 Jspwiki 2024-11-21 6.1 Medium
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
CVE-2019-12406 3 Apache, Oracle, Redhat 8 Cxf, Commerce Guided Search, Flexcube Private Banking and 5 more 2024-11-21 6.5 Medium
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
CVE-2019-12404 1 Apache 1 Jspwiki 2024-11-21 6.1 Medium
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
CVE-2019-12401 1 Apache 1 Solr 2024-11-21 7.5 High
Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
CVE-2019-12398 1 Apache 1 Airflow 2024-11-21 4.8 Medium
In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected.
CVE-2019-12397 1 Apache 1 Ranger 2024-11-21 N/A
Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.
CVE-2019-12386 1 Ampache 1 Ampache 2024-11-21 N/A
An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.
CVE-2019-12376 1 Ivanti 1 Landesk Management Suite 2024-11-21 N/A
Use of a hard-coded encryption key in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 may lead to full managed endpoint compromise by an authenticated user with read privileges.
CVE-2019-12373 1 Ivanti 1 Landesk Management Suite 2024-11-21 N/A
Improper access control and open directories in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 may lead to remote disclosure of administrator passwords.
CVE-2019-12370 1 Readdle 1 Spark 2024-11-21 6.1 Medium
The Spark application through 2.0.2 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVE-2019-12369 1 Typeapp 1 Typeapp 2024-11-21 6.1 Medium
The TypeApp application through 1.9.5.35 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVE-2019-12368 1 Edison 1 Edison Mail 2024-11-21 6.1 Medium
The Edison Mail application through 1.7.1 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVE-2019-12367 1 Blixhq 1 Bluemail 2024-11-21 6.1 Medium
The BlueMail application through 1.9.5.36 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVE-2019-12366 1 9folders 1 Nine 2024-11-21 6.1 Medium
The Nine application through 4.5.3a for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVE-2019-12365 1 Cloudmagic 1 Newton 2024-11-21 6.1 Medium
The Newton application through 10.0.23 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVE-2019-12362 1 Phome 1 Empirecms 2024-11-21 N/A
EmpireCMS 7.5.0 has XSS via the HTTP Referer header to e/member/doaction.php.