Total
258 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-20586 | 1 Bitcoin | 1 Bitcoin Core | 2024-08-05 | 5.3 Medium |
| bitcoind and Bitcoin-Qt prior to 0.17.1 allow injection of arbitrary data into the debug log via an RPC call. | ||||
| CVE-2018-18838 | 1 My-netdata | 1 Netdata | 2024-08-05 | N/A |
| An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry. | ||||
| CVE-2018-16386 | 1 Swift | 1 Alliance Web Platform | 2024-08-05 | N/A |
| An issue was discovered in SWIFT Alliance Web Platform 7.1.23. A log injection (and an arbitrary log filename) can be achieved via the PATH_INFO to swp/login/EJBRemoteService/, related to com.swift.ejbgwt.j2ee.client.EjBlnvocationException error log information containing null@java:comp/env/ error messages. | ||||
| CVE-2018-15494 | 2 Debian, Dojotoolkit | 2 Debian Linux, Dojo | 2024-08-05 | N/A |
| In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid. | ||||
| CVE-2018-9246 | 2 Ledgersmb, Pgobject-util-dbadmin Project | 2 Ledgersmb, Pgobject-util-dbadmin | 2024-08-05 | N/A |
| The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function. The vulnerability allows unauthorized users to execute code with the same privileges as the running application. | ||||
| CVE-2018-8609 | 1 Microsoft | 1 Dynamics 365 | 2024-08-05 | N/A |
| A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to properly sanitize web requests to an affected Dynamics server, aka "Microsoft Dynamics 365 (on-premises) version 8 Remote Code Execution Vulnerability." This affects Microsoft Dynamics 365. | ||||
| CVE-2018-2389 | 1 Sap | 1 Internet Graphics Server | 2024-08-05 | N/A |
| Under certain conditions a malicious user can inject log files of SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, hiding important information in the log file. | ||||
| CVE-2018-1048 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2024-08-05 | 7.5 High |
| It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files. | ||||
| CVE-2019-19714 | 1 Contao | 1 Contao | 2024-08-05 | 5.3 Medium |
| Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered. | ||||
| CVE-2019-15944 | 1 Valvesoftware | 1 Counter-strike\ | 2024-08-05 | 5.3 Medium |
| In Counter-Strike: Global Offensive before 8/29/2019, community game servers can display unsafe HTML in a disconnection message. | ||||
| CVE-2019-12463 | 1 Librenms | 1 Librenms | 2024-08-04 | 8.8 High |
| An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php and html/graph-realtime.php scripts. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, disclosing file content, denial of service, or writing arbitrary files. NOTE: relative to CVE-2019-10665, this requires authentication and the pathnames differ. | ||||
| CVE-2019-11717 | 5 Debian, Mozilla, Novell and 2 more | 7 Debian Linux, Firefox, Firefox Esr and 4 more | 2024-08-04 | 5.3 Medium |
| A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | ||||
| CVE-2019-11547 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 6.1 Medium |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has Improper Encoding or Escaping of Output. The branch name on new merge request notification emails isn't escaped, which could potentially lead to XSS issues. | ||||
| CVE-2019-11325 | 1 Sensiolabs | 1 Symfony | 2024-08-04 | 9.8 Critical |
| An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter. | ||||
| CVE-2019-10362 | 1 Jenkins | 1 Configuration As Code | 2024-08-04 | 5.4 Medium |
| Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables. | ||||
| CVE-2019-10249 | 1 Eclipse | 2 Xtend, Xtext | 2024-08-04 | 8.1 High |
| All Xtext & Xtend versions prior to 2.18.0 were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised. | ||||
| CVE-2019-10074 | 1 Apache | 1 Ofbiz | 2024-08-04 | 9.8 Critical |
| An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533 | ||||
| CVE-2019-6109 | 9 Canonical, Debian, Fedoraproject and 6 more | 28 Ubuntu Linux, Debian Linux, Fedora and 25 more | 2024-08-04 | 6.8 Medium |
| An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. | ||||
| CVE-2019-4326 | 1 Hcltech | 1 Appscan | 2024-08-04 | 7.5 High |
| "HCL AppScan Enterprise security rules update administration section of the web application console is missing HTTP Strict-Transport-Security Header." | ||||
| CVE-2019-3571 | 1 Whatsapp | 1 Whatsapp | 2024-08-04 | N/A |
| An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension. | ||||