News aggregator

CVE-2019-13578

National Vulnerability Database - Thu, 08/15/2019 - 12:15
A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/payments/class-payments-query.php.
Categories: Security News

CVE-2019-3417

National Vulnerability Database - Thu, 08/15/2019 - 11:15
All versions up to V1.1.10P3T18 of the ZTE ZXHN F670 product are impacted by a command injection vulnerability. Due to insufficient parameter validation, an authorized user can exploit this vulnerability to take control of the user router system.
Categories: Security News

CVE-2019-3418

National Vulnerability Database - Thu, 08/15/2019 - 11:15
All versions up to V1.1.10P3T18 of the ZTE ZXHN F670 product are impacted by a cross-site scripting (XSS) vulnerability. Due to incomplete input validation, an authorized user can exploit this vulnerability to execute malicious scripts.
Categories: Security News

CVE-2019-14800

National Vulnerability Database - Thu, 08/15/2019 - 11:15
The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplayer&fv-email-export=1 URI.
Categories: Security News

CVE-2019-15081

National Vulnerability Database - Thu, 08/15/2019 - 11:15
OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.
Categories: Security News

CVE-2019-14755

National Vulnerability Database - Thu, 08/15/2019 - 11:15
The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type.
Categories: Security News

CVE-2019-14790

National Vulnerability Database - Thu, 08/15/2019 - 11:15
The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS via the wp-admin/admin-ajax.php?action=grsGalleryAjax&grsAction=shortcode task parameter.
Categories: Security News

CVE-2019-14795

National Vulnerability Database - Thu, 08/15/2019 - 11:15
The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress has XSS via the wp-admin/admin-ajax.php?action=update_title_options isAutoSaveValveChecked or isDisableAllPagesValveChecked parameter.
Categories: Security News

CVE-2019-15062

National Vulnerability Database - Wed, 08/14/2019 - 19:15
An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)
Categories: Security News

CVE-2019-14427

National Vulnerability Database - Wed, 08/14/2019 - 18:15
XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code.
Categories: Security News

CVE-2019-1228

National Vulnerability Database - Wed, 08/14/2019 - 17:15
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1227.
Categories: Security News

CVE-2019-1229

National Vulnerability Database - Wed, 08/14/2019 - 17:15
An elevation of privilege vulnerability exists in Dynamics On-Premise v9, aka 'Dynamics On-Premise Elevation of Privilege Vulnerability'.
Categories: Security News

CVE-2019-1258

National Vulnerability Database - Wed, 08/14/2019 - 17:15
An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens, aka 'Azure Active Directory Authentication Library Elevation of Privilege Vulnerability'.
Categories: Security News

CVE-2019-9584

National Vulnerability Database - Wed, 08/14/2019 - 17:15
eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shut down the VPN service, and delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages.
Categories: Security News

CVE-2019-9585

National Vulnerability Database - Wed, 08/14/2019 - 17:15
eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON API has Improper Access Control for Interface.***Metadata related operations, resulting in the ability to read, set and delete Metadata.
Categories: Security News

CVE-2019-1202

National Vulnerability Database - Wed, 08/14/2019 - 17:15
An information disclosure vulnerability exists in the way Microsoft SharePoint handles session objects, aka 'Microsoft SharePoint Information Disclosure Vulnerability'.
Categories: Security News

CVE-2019-1203

National Vulnerability Database - Wed, 08/14/2019 - 17:15
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'.
Categories: Security News

CVE-2019-1204

National Vulnerability Database - Wed, 08/14/2019 - 17:15
An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages, aka 'Microsoft Outlook Elevation of Privilege Vulnerability'.
Categories: Security News

CVE-2019-1205

National Vulnerability Database - Wed, 08/14/2019 - 17:15
A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka 'Microsoft Word Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1201.
Categories: Security News

CVE-2019-1206

National Vulnerability Database - Wed, 08/14/2019 - 17:15
A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server, aka 'Windows DHCP Server Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-1212.
Categories: Security News
