Search Results (83115 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-10799 1 Compile-sass Project 1 Compile-sass 2024-11-21 8.2 High
compile-sass prior to 1.0.5 allows execution of arbritary commands. The function "setupCleanupOnExit(cssPath)" within "dist/index.js" is executed as part of the "rm" command without any sanitization.
CVE-2019-10796 1 Rpi Project 1 Rpi 2024-11-21 9.8 Critical
rpi through 0.0.3 allows execution of arbritary commands. The variable pinNumbver in function GPIO within src/lib/gpio.js is used as part of the arguement of exec function without any sanitization.
CVE-2019-10795 1 Undefsafe Project 1 Undefsafe 2024-11-21 6.3 Medium
undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
CVE-2019-10794 1 Component-flatten Project 1 Component-flatten 2024-11-21 6.3 Medium
All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
CVE-2019-10793 1 Dot-object Project 1 Dot-object 2024-11-21 6.3 Medium
dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
CVE-2019-10792 1 Bodymen Project 1 Bodymen 2024-11-21 6.3 Medium
bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
CVE-2019-10791 1 Promise-probe Project 1 Promise-probe 2024-11-21 9.8 Critical
promise-probe before 0.10.0 allows remote attackers to perform a command injection attack. The file, outputFile and options functions can be controlled by users without any sanitization.
CVE-2019-10789 1 Curling Project 1 Curling 2024-11-21 9.8 Critical
All versions of curling.js are vulnerable to Command Injection via the run function. The command argument can be controlled by users without any sanitization.
CVE-2019-10788 1 Dnt 1 Im-metadata 2024-11-21 9.8 Critical
im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the "exec" function.
CVE-2019-10787 1 Dnt 1 Im-resize 2024-11-21 9.8 Critical
im-resize through 2.3.2 allows remote attackers to execute arbitrary commands via the "exec" argument. The cmd argument used within index.js, can be controlled by user without any sanitization.
CVE-2019-10786 1 Network-manager Project 1 Network-manager 2024-11-21 9.8 Critical
network-manager through 1.0.2 allows remote attackers to execute arbitrary commands via the "execSync()" argument.
CVE-2019-10785 2 Debian, Linuxfoundation 2 Debian Linux, Dojox 2024-11-21 6.1 Medium
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
CVE-2019-10783 1 Isof Project 1 Isof 2024-11-21 9.8 Critical
All versions including 0.0.4 of lsof npm module are vulnerable to Command Injection. Every exported method used by the package uses the exec function to parse user input.
CVE-2019-10780 1 Bibtex-ruby Project 1 Bibtex-ruby 2024-11-21 9.8 Critical
BibTeX-ruby before 5.1.0 allows shell command injection due to unsanitized user input being passed directly to the built-in Ruby Kernel.open method through BibTeX.open.
CVE-2019-10779 1 Gchq 1 Stroom 2024-11-21 6.1 Medium
All versions of stroom:stroom-app before 5.5.12 and all versions of the 6.0.0 branch before 6.0.25 are affected by Cross-site Scripting. An attacker website is able to load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue commands to the Stroom UI via an XSS vulnerability to take full control of the Stroom UI on behalf of the logged-in user.
CVE-2019-10778 1 Devcert-sanscache Project 1 Devcert-sanscache 2024-11-21 9.8 Critical
devcert-sanscache before 0.4.7 allows remote attackers to execute arbitrary code or cause a Command Injection via the exec function. The variable `commonName` controlled by user input is used as part of the `exec` function without any sanitization.
CVE-2019-10777 1 Amazon 1 Aws Lambda 2024-11-21 9.8 Critical
In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName".
CVE-2019-10776 1 Git-diff-apply Project 1 Git-diff-apply 2024-11-21 9.8 Critical
In "index.js" file line 240, the run command executes the git command with a user controlled variable called remoteUrl. This affects git-diff-apply all versions prior to 0.22.2.
CVE-2019-10774 1 Php-shellcommand Project 1 Php-shellcommand 2024-11-21 9.8 Critical
php-shellcommand versions before 1.6.1 have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-10772 1 Svg-sanitizer Project 1 Svg-sanitizer 2024-11-21 6.1 Medium
It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer.