New vulnerabilities from the NVD (via National Vulnerability Database)

CVE-2016-10937

CVE-2019-10666 (published September 09, 2019 at 04:15PM): An issue was discovered in LibreNMS through 1.47. Several of the scripts perform dynamic script inclusion via the include() function on user supplied input without sanitizing the values by calling basename() or a similar function. An attacker can leverage this to execute PHP code from the included file. Exploitation of these scripts is made difficult by additional text being appended (typically .inc.php), which means an attacker would need to be able to control both a filename and its content on the server. However, exploitation can be achieved as demonstrated by the csv.php?report=../ substring.

CVE-2019-10665 (published September 09, 2019 at 04:15PM): An issue was discovered in LibreNMS through 1.47. The scripts that handle the graphing options (html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php script. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, file content, denial of service, or writing arbitrary files.

CVE-2018-21014

CVE-2018-21013 (published September 09, 2019 at 04:15PM): The Swape theme before 1.2.1 for WordPress has incorrect access control, as demonstrated by allowing new administrator accounts via vectors involving xmlPath to wp-admin/admin-ajax.php.

CVE-2018-21012

CVE-2018-21011 (published September 09, 2019 at 04:15PM): The charitable plugin before 1.5.14 for WordPress has unauthorized access to user and donation details.

CVE-2019-10253 (published September 10, 2019 at 12:15AM): A Cross-Site Request Forgery (CSRF) vulnerability exists in TeamMate+ 21.0.0.0 that allows a remote attacker to modify application data (upload malicious/forged files on a TeamMate server, or replace existing uploaded files with malicious/forged files). The specific flaw exists within the handling of Upload/DomainObjectDocumentUpload.ashx requests because of failure to validate a CSRF token before handling a POST request.

CVE-2017-18599

CVE-2017-18598 (published September 10, 2019 at 02:15PM): The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php.

CVE-2017-18597 (published September 10, 2019 at 02:15PM): The jtrt-responsive-tables plugin before 4.1.2 for WordPress has SQL Injection via the admin/class-jtrt-responsive-tables-admin.php tableId parameter.

CVE-2017-18596 (published September 10, 2019 at 02:15PM): The elementor plugin before 1.8.0 for WordPress has incorrect access control for internal functions.

CVE-2017-18611 (published September 10, 2019 at 03:15PM): The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-field-css parameter.

CVE-2017-18610 (published September 10, 2019 at 03:15PM): The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-group-id parameter.

CVE-2017-18609 (published September 10, 2019 at 03:15PM): The magic-fields plugin before 1.7.2 for WordPress has XSS via the custom-write-panel-id parameter.

CVE-2017-18608

CVE-2017-18607

CVE-2017-18606

CVE-2017-18605

CVE-2017-18604 (published September 10, 2019 at 03:15PM): The sitebuilder-dynamic-components plugin through 1.0 for WordPress has PHP object injection via an AJAX request.

CVE-2017-18603 (published September 10, 2019 at 03:15PM): The postman-smtp plugin through 2017-10-04 for WordPress has XSS via the wp-admin/tools.php?page=postman_email_log page parameter.

CVE-2017-18602 (published September 10, 2019 at 03:15PM): The examapp plugin 1.0 for WordPress has SQL injection via the wp-admin/admin.php?page=examapp_UserResult id parameter.

CVE-2017-18601

CVE-2017-18600 (published September 10, 2019 at 03:15PM): The formcraft3 plugin before 3.4 for WordPress has stored XSS via the "New Form > Heading > Heading Text" field.

CVE-2019-0189 (published September 12, 2019 at 12:15AM): The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload". Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16.

CVE-2018-17200 (published September 12, 2019 at 12:15AM): The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is slightly guarded by disabling the creation of `ProcessBuilder`. However, this can be easily bypassed (and in multiple ways). Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16: r1850017+1850019.

CVE-2016-10955 (published September 13, 2019 at 04:15PM): The cysteme-finder plugin before 1.4 for WordPress has unrestricted file upload because of incorrect session tracking.

CVE-2016-10954

CVE-2016-10953

CVE-2016-10952 (published September 13, 2019 at 04:15PM): The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter.

CVE-2016-10951

CVE-2016-10950

CVE-2016-10949 (published September 13, 2019 at 04:15PM): The Relevanssi Premium plugin before 1.14.6.1 for WordPress has SQL injection with resultant unsafe unserialization.

CVE-2016-10948 (published September 13, 2019 at 04:15PM): The Post Indexer plugin before 3.0.6.2 for WordPress has incorrect handling of data passed to the unserialize function.

CVE-2016-10947 (published September 13, 2019 at 04:15PM): The Post Indexer plugin before 3.0.6.2 for WordPress has SQL injection via the period parameter by a super admin.

CVE-2016-10946

CVE-2016-10945

CVE-2016-10944 (published September 13, 2019 at 03:15PM): The multisite-post-duplicator plugin before 1.1.3 for WordPress has wp-admin/tools.php?page=mpd CSRF.

CVE-2016-10943

CVE-2016-10942 (published September 13, 2019 at 03:15PM): The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has SQL injection via the insert_id parameter exploitable via CSRF.

CVE-2016-10941 (published September 13, 2019 at 03:15PM): The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF.

CVE-2016-10940

CVE-2016-10939

CVE-2016-10938 (published September 13, 2019 at 03:15PM): The copy-me plugin 1.0.0 for WordPress has CSRF for copying non-public posts to a public location.

CVE-2010-5333 (published September 13, 2019 at 07:15PM): The web server in Integard Pro and Home before 2.0.0.9037 and 2.2.x before 2.2.0.9037 has a buffer overflow via a long password in an administration login POST request, leading to arbitrary code execution.