Search Results (83115 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-10771 1 Iobroker 1 Iobroker.web 2024-11-21 6.1 Medium
Characters in the GET url path are not properly escaped and can be reflected in the server response.
CVE-2019-10770 1 Ratpack 1 Ratpack 2024-11-21 6.1 Medium
All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode.
CVE-2019-10756 1 Nodered 1 Node-red-dashboard 2024-11-21 5.4 Medium
It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default.
CVE-2019-10742 1 Axios 1 Axios 2024-11-21 N/A
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.
CVE-2019-10723 1 Podofo Project 1 Podofo 2024-11-21 N/A
An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache class in doc/PdfPagesTreeCache.cpp has an attempted excessive memory allocation because nInitialSize is not validated.
CVE-2019-10715 1 Verodin 1 Director 2024-11-21 5.4 Medium
There is Stored XSS in Verodin Director 3.5.3.0 and earlier via input fields of certain tooltips, and on the Tags, Sequences, and Actors pages.
CVE-2019-10712 1 Wago 32 750-330, 750-330 Firmware, 750-352 and 29 more 2024-11-21 N/A
The Web-GUI on WAGO Series 750-88x (750-330, 750-352, 750-829, 750-831, 750-852, 750-880, 750-881, 750-882, 750-884, 750-885, 750-889) and Series 750-87x (750-830, 750-849, 750-871, 750-872, 750-873) devices has undocumented service access.
CVE-2019-10710 1 Hisilicon 2 Hi3510, Hi3510 Firmware 2024-11-21 N/A
Insecure permissions in the Web management portal on all IP cameras based on Hisilicon Hi3510 firmware allow authenticated attackers to receive a network's cleartext WiFi credentials via a specific HTTP request. This affects certain devices labeled as HI3510, HI3518, LOOSAFE, LEVCOECAM, Sywstoda, BESDER, WUSONGLUSAN, GADINAN, Unitoptek, ESCAM, etc.
CVE-2019-10694 1 Puppet 1 Puppet Enterprise 2024-11-21 9.8 Critical
The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.
CVE-2019-10688 1 Polycom 2 Better Together Over Ethernet Connector, Unified Communications Software 2024-11-21 N/A
VVX products with software versions including and prior to, UCS 5.9.2 with Better Together over Ethernet Connector (BToE) application 3.9.1, use hard-coded credentials to establish connections between the host application and the device.
CVE-2019-10685 1 Heidelberg 1 Prinect Archiver 2024-11-21 N/A
A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Heidelberg Prinect Archiver v2013 release 1.0.
CVE-2019-10677 1 Dasanzhone 2 Znid Gpon 2426a Eu, Znid Gpon 2426a Eu Firmware 2024-11-21 N/A
Multiple Cross-Site Scripting (XSS) issues in the web interface on DASAN Zhone ZNID GPON 2426A EU version S3.1.285 devices allow a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameter: /zhndnsdisplay.cmd (name), /wlsecrefresh.wl (wlWscCfgMethod, wl_wsc_reg).
CVE-2019-10670 1 Librenms 1 Librenms 2024-11-21 6.1 Medium
An issue was discovered in LibreNMS through 1.47. Many of the scripts rely on the function mysqli_escape_real_string for filtering data. However, this is particularly ineffective when returning user supplied input in an HTML or a JavaScript context, resulting in unsafe data being injected into these contexts, leading to attacker controlled JavaScript executing in the browser. One example of this is the string parameter in html/pages/inventory.inc.php.
CVE-2019-10669 1 Librenms 1 Librenms 2024-11-21 7.2 High
An issue was discovered in LibreNMS through 1.47. There is a command injection vulnerability in html/includes/graphs/device/collectd.inc.php where user supplied parameters are filtered with the mysqli_escape_real_string function. This function is not the appropriate function to sanitize command arguments as it does not escape a number of command line syntax characters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which gets executed via passthru().
CVE-2019-10665 1 Librenms 1 Librenms 2024-11-21 9.8 Critical
An issue was discovered in LibreNMS through 1.47. The scripts that handle the graphing options (html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php script. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, file content, denial of service, or writing arbitrary files.
CVE-2019-10662 1 Grandstream 2 Ucm6204, Ucm6204 Firmware 2024-11-21 8.8 High
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.
CVE-2019-10660 1 Grandstream 2 Gxv3611ir Hd, Gxv3611ir Hd Firmware 2024-11-21 8.8 High
Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field.
CVE-2019-10659 1 Grandstream 4 Gxv3370, Gxv3370 Firmware, Wp820 and 1 more 2024-11-21 8.8 High
Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field.
CVE-2019-10658 1 Grandstream 2 Gwn7610, Gwn7610 Firmware 2024-11-21 8.8 High
Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.
CVE-2019-10657 1 Grandstream 4 Gwn7000, Gwn7000 Firmware, Gwn7610 and 1 more 2024-11-21 6.5 Medium
Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request.