RSS National Vulnerability Database
  • CVE-2019-17512 October 16, 2019
    There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can clear the router's log file via act=clear&logtype=sysact to log_clear.php, which could be used to erase attack traces.
  • CVE-2019-17436 October 16, 2019
    A Local Privilege Escalation vulnerability exists in GlobalProtect Agent for Linux and Mac OS X version 5.0.4 and earlier and version 4.1.12 and earlier, that can allow non-root users to overwrite root files on the file system.
  • CVE-2019-17435 October 16, 2019
    A Local Privilege Escalation vulnerability exists in the GlobalProtect Agent for Windows 5.0.3 and earlier, and GlobalProtect Agent for Windows 4.1.12 and earlier, in which the auto-update feature can allow for modification of a GlobalProtect Agent MSI installer package on disk before installation.
  • CVE-2019-16682 October 16, 2019
    The url_redirect (aka URL redirect) extension through 1.2.1 for TYPO3 fails to properly sanitize user input and is susceptible to SQL Injection.
  • CVE-2019-16698 October 16, 2019
    The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user (with restricted permissions to the fe_users table) to view and export data of frontend users who are subscribed to a newsletter.
  • CVE-2019-15962 October 16, 2019
    A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to write files to the /root directory of an affected device. The vulnerability is due to improper permission assignment. An attacker could exploit this vulnerability by logging in as the remotesupport user and writing files to the […]
  • CVE-2019-15281 October 16, 2019
    A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The attacker must have valid administrator credentials. The vulnerability is due to insufficient validation of […]
  • CVE-2019-16699 October 16, 2019
    The sr_freecap (aka freeCap CAPTCHA) extension 2.4.5 and below and 2.5.2 and below for TYPO3 fails to sanitize user input, which allows execution of arbitrary Extbase actions, resulting in Remote Code Execution.
  • CVE-2019-16700 October 16, 2019
    The slub_events (aka SLUB: Event Registration) extension through 3.0.2 for TYPO3 allows uploading of arbitrary files to the webserver. For versions 1.2.2 and below, this results in Remote Code Execution. In versions later than 1.2.2, this can result in Denial of Service, since the web space can be filled up with arbitrary files.
  • CVE-2019-15277 October 16, 2019
    A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to execute code with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating as the remote support user and sending malicious traffic to a listener who is internal […]
  • CVE-2019-15280 October 16, 2019
    A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit […]
  • CVE-2019-15282 October 16, 2019
    A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an unauthenticated, remote attacker to read tcpdump files generated on an affected device. The vulnerability is due to an issue in the authentication logic of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to […]
  • CVE-2019-15274 October 16, 2019
    A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to perform command injections. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating as an administrative level user within the restricted shell and submitting malicious input to a specific command. […]
  • CVE-2019-15275 October 16, 2019
    A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to execute arbitrary commands with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating as the remote support user and submitting malicious input to a specific command. A […]
  • CVE-2019-15266 October 16, 2019
    A vulnerability in the CLI of Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, local attacker to view system files that should be restricted. This vulnerability is due to improper sanitization of user-supplied input in command-line parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit […]
RSS National Vulnerability Database
  • CVE-2019-17629 (cms_made_simple) October 16, 2019
    CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen.
  • CVE-2019-17630 (cms_made_simple) October 16, 2019
    CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen.
  • CVE-2019-17397 (doordash) October 15, 2019
    In the DoorDash application through 11.5.2 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
  • CVE-2019-10759 (safer-eval) October 15, 2019
    safer-eval before 1.3.4 is vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
  • CVE-2019-10760 (safer-eval) October 15, 2019
    safer-eval before 1.3.2 is vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
  • CVE-2019-17195 (nimbus_jose+jwt) October 15, 2019
    Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.
  • CVE-2019-17600 (iwr_1000n_firmware) October 15, 2019
    Intelbras IWR 1000N 1.6.4 devices allow disclosure of the administrator login name and password because v1/system/user is mishandled.
  • CVE-2019-12944 (glue_smart_lock_firmware) October 15, 2019
    Glue Smart Lock 2.7.8 devices do not properly block guest access in certain situations where the network connection is unavailable.
  • CVE-2019-17223 (dolibarr) October 15, 2019
    There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php.
  • CVE-2019-17593 (jizhicms) October 14, 2019
    JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
  • CVE-2019-16279 (nostromo_nhttpd) October 14, 2019
    Directory Traversal in the function SSL_accept in nostromo nhttpd through 1.9.6 allows an attacker to trigger a denial of service via a crafted HTTP request.
  • CVE-2019-14227 (open-xchange_appsuite) October 14, 2019
    OX App Suite 7.10.1 and 7.10.2 allows XSS.
  • CVE-2019-14225 (open-xchange_appsuite) October 14, 2019
    OX App Suite 7.10.1 and 7.10.2 allows SSRF.
  • CVE-2019-16278 (nostromo_nhttpd) October 14, 2019
    Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.
  • CVE-2019-17580 (dormsystem) October 14, 2019
    tonyy dormsystem through 1.3 allows SQL Injection in admin.php.