Total
288 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-19714 | 1 Contao | 1 Contao | 2024-11-21 | 5.3 Medium |
| Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered. | ||||
| CVE-2019-15944 | 1 Valvesoftware | 1 Counter-strike\ | 2024-11-21 | 5.3 Medium |
| In Counter-Strike: Global Offensive before 8/29/2019, community game servers can display unsafe HTML in a disconnection message. | ||||
| CVE-2019-12675 | 1 Cisco | 17 Firepower 4110, Firepower 4110 Firmware, Firepower 4115 and 14 more | 2024-11-21 | 8.8 High |
| Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. These vulnerabilities are due to insufficient protections on the underlying filesystem. An attacker could exploit these vulnerabilities by modifying critical files on the underlying filesystem. A successful exploit could allow the attacker to execute commands with root privileges within the host namespace. This could allow the attacker to impact other running FTD instances. | ||||
| CVE-2019-12674 | 1 Cisco | 17 Firepower 4110, Firepower 4110 Firmware, Firepower 4115 and 14 more | 2024-11-21 | 8.2 High |
| Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. These vulnerabilities are due to insufficient protections on the underlying filesystem. An attacker could exploit these vulnerabilities by modifying critical files on the underlying filesystem. A successful exploit could allow the attacker to execute commands with root privileges within the host namespace. This could allow the attacker to impact other running FTD instances. | ||||
| CVE-2019-12463 | 1 Librenms | 1 Librenms | 2024-11-21 | 8.8 High |
| An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php and html/graph-realtime.php scripts. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, disclosing file content, denial of service, or writing arbitrary files. NOTE: relative to CVE-2019-10665, this requires authentication and the pathnames differ. | ||||
| CVE-2019-11717 | 5 Debian, Mozilla, Novell and 2 more | 7 Debian Linux, Firefox, Firefox Esr and 4 more | 2024-11-21 | 5.3 Medium |
| A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | ||||
| CVE-2019-11547 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.1 Medium |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has Improper Encoding or Escaping of Output. The branch name on new merge request notification emails isn't escaped, which could potentially lead to XSS issues. | ||||
| CVE-2019-11325 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter. | ||||
| CVE-2019-11268 | 1 Pivotal Software | 1 Cloud Foundry Uaa-release | 2024-11-21 | 4.3 Medium |
| Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones. | ||||
| CVE-2019-10362 | 1 Jenkins | 1 Configuration As Code | 2024-11-21 | 5.4 Medium |
| Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables. | ||||
| CVE-2019-10249 | 1 Eclipse | 2 Xtend, Xtext | 2024-11-21 | 8.1 High |
| All Xtext & Xtend versions prior to 2.18.0 were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised. | ||||
| CVE-2019-10074 | 1 Apache | 1 Ofbiz | 2024-11-21 | 9.8 Critical |
| An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533 | ||||
| CVE-2019-0971 | 1 Microsoft | 2 Azure Devops Server, Team Foundation Server | 2024-11-21 | N/A |
| An information disclosure vulnerability exists when Azure DevOps Server and Microsoft Team Foundation Server do not properly sanitize a specially crafted authentication request to an affected server, aka 'Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability'. | ||||
| CVE-2019-0956 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Foundation | 2024-11-21 | N/A |
| An information disclosure vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Server Information Disclosure Vulnerability'. | ||||
| CVE-2019-0857 | 1 Microsoft | 1 Azure Devops Server | 2024-11-21 | N/A |
| A spoofing vulnerability that could allow a security feature bypass exists in when Azure DevOps Server does not properly sanitize user provided input, aka 'Azure DevOps Server Spoofing Vulnerability'. | ||||
| CVE-2018-9246 | 2 Ledgersmb, Pgobject-util-dbadmin Project | 2 Ledgersmb, Pgobject-util-dbadmin | 2024-11-21 | N/A |
| The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function. The vulnerability allows unauthorized users to execute code with the same privileges as the running application. | ||||
| CVE-2018-8609 | 1 Microsoft | 1 Dynamics 365 | 2024-11-21 | N/A |
| A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to properly sanitize web requests to an affected Dynamics server, aka "Microsoft Dynamics 365 (on-premises) version 8 Remote Code Execution Vulnerability." This affects Microsoft Dynamics 365. | ||||
| CVE-2018-2389 | 1 Sap | 1 Internet Graphics Server | 2024-11-21 | N/A |
| Under certain conditions a malicious user can inject log files of SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, hiding important information in the log file. | ||||
| CVE-2018-20586 | 1 Bitcoin | 1 Bitcoin Core | 2024-11-21 | 5.3 Medium |
| bitcoind and Bitcoin-Qt prior to 0.17.1 allow injection of arbitrary data into the debug log via an RPC call. | ||||
| CVE-2018-1048 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2024-11-21 | 7.5 High |
| It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files. | ||||