Total
5442 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-0288 | 1 Dokuwiki | 1 Dokuwiki | 2019-09-23 | 7.5 HIGH | N/A |
| A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010. | |||||
| CVE-2019-11245 | 1 Kubernetes | 1 Kubernetes | 2019-09-19 | 4.6 MEDIUM | 7.8 HIGH |
| In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0. | |||||
| CVE-2019-2102 | 1 Google | 1 Android | 2019-09-12 | 8.3 HIGH | 8.8 HIGH |
| In the Bluetooth Low Energy (BLE) specification, there is a provided example Long Term Key (LTK). If a BLE device were to use this as a hardcoded LTK, it is theoretically possible for a proximate attacker to remotely inject keystrokes on a paired Android host due to improperly used crypto. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-128843052. | |||||
| CVE-2019-10709 | 1 Asus | 1 Precision Touchpad | 2019-09-05 | 7.5 HIGH | 9.8 CRITICAL |
| AsusPTPFilter.sys on Asus Precision TouchPad 11.0.0.25 hardware has a Pool Overflow associated with the \\.\AsusTP device, leading to a DoS or potentially privilege escalation via a crafted DeviceIoControl call. | |||||
| CVE-2019-14257 | 1 Zenoss | 1 Zenoss | 2019-08-27 | 7.2 HIGH | 7.8 HIGH |
| pyraw in Zenoss 2.5.3 allows local privilege escalation by modifying environment variables to redirect execution before privileges are dropped, aka ZEN-31765. | |||||
| CVE-2016-10922 | 1 Visser | 1 Store Toolkit For Woocommerce | 2019-08-26 | 7.5 HIGH | 9.8 CRITICAL |
| The woocommerce-store-toolkit plugin before 1.5.7 for WordPress has privilege escalation. | |||||
| CVE-2017-18584 | 1 Post Pay Counter Project | 1 Post Pay Counter | 2019-08-26 | 5.0 MEDIUM | 7.5 HIGH |
| The post-pay-counter plugin before 2.731 for WordPress has no permissions check for an update-settinga action. | |||||
| CVE-2016-10923 | 1 Visser | 1 Store Toolkit For Woocommerce | 2019-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| The woocommerce-store-toolkit plugin before 1.5.8 for WordPress has privilege escalation. | |||||
| CVE-2016-10929 | 1 Advanced Ajax Page Loader Project | 1 Advanced Ajax Page Loader | 2019-08-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| The advanced-ajax-page-loader plugin before 2.7.7 for WordPress has no protection against the reading of uploaded files when not logged in. | |||||
| CVE-2019-2122 | 1 Google | 1 Android | 2019-08-22 | 6.9 MEDIUM | 7.3 HIGH |
| In LockTaskController.lockKeyguardIfNeeded of the LockTaskController.java, there was a difference in the handling of the default case between the WindowManager and the Settings. This could lead to a local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-127605586. | |||||
| CVE-2017-18399 | 1 Cpanel | 1 Cpanel | 2019-08-13 | 4.3 MEDIUM | 3.7 LOW |
| cPanel before 68.0.15 allows attackers to read root's crontab file during a short time interval upon enabling or disabling sqloptimizer (SEC-332). | |||||
| CVE-2014-0116 | 1 Apache | 1 Struts | 2019-08-12 | 5.8 MEDIUM | N/A |
| CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. | |||||
| CVE-2014-0113 | 1 Apache | 1 Struts | 2019-08-12 | 7.5 HIGH | N/A |
| CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. | |||||
| CVE-2014-0112 | 1 Apache | 1 Struts | 2019-08-12 | 7.5 HIGH | N/A |
| ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. | |||||
| CVE-2011-5057 | 1 Apache | 1 Struts | 2019-08-12 | 5.0 MEDIUM | N/A |
| Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor." | |||||
| CVE-2017-18413 | 1 Cpanel | 1 Cpanel | 2019-08-12 | 4.6 MEDIUM | 7.8 HIGH |
| In cPanel before 67.9999.103, the backup system overwrites root's home directory when a mount disappears (SEC-299). | |||||
| CVE-2014-3514 | 1 Rubyonrails | 1 Rails | 2019-08-08 | 7.5 HIGH | N/A |
| activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls. | |||||
| CVE-2013-0155 | 2 Debian, Rubyonrails | 3 Debian Linux, Rails, Ruby On Rails | 2019-08-08 | 6.4 MEDIUM | N/A |
| Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694. | |||||
| CVE-2012-2660 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2019-08-08 | 6.4 MEDIUM | N/A |
| actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694. | |||||
| CVE-2012-2694 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2019-08-08 | 4.3 MEDIUM | N/A |
| actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660. | |||||