CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2017-13717 Starry Station (aka Starry Router) sets the Access-Control-Allow-Origin header to "*". This allows any hosted file on any domain to make calls to the device's webserver and brute force the credentials... | N/A | NONE | β | 0 |
| CVE-2017-13718 The HTTP API supported by Starry Station (aka Starry Router) allows brute forcing the PIN setup by the user on the device, and this allows an attacker to change the Wi-Fi settings and PIN, as well as ... | N/A | NONE | β | 0 |
| CVE-2019-10226 HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report becau... | N/A | NONE | β | 0 |
| CVE-2019-10331 A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-s... | N/A | NONE | β | 0 |
| CVE-2019-10332 A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attac... | 4.3 | MEDIUM | β | 0 |
| CVE-2019-10333 Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin ... | 4.3 | MEDIUM | β | 0 |
| CVE-2019-10334 Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files. | N/A | NONE | β | 0 |
| CVE-2019-13256 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000032e849. | N/A | NONE | β | 0 |
| CVE-2019-10335 A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject... | N/A | NONE | β | 0 |
| CVE-2019-10336 A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaSc... | N/A | NONE | β | 0 |
| CVE-2019-10337 An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control the content of the input file for the "XML" macro to have Jenkins resolve... | N/A | NONE | β | 0 |
| CVE-2019-10338 A cross-site request forgery vulnerability in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed attackers to have Jenkins connect to an attacker-spec... | N/A | NONE | β | 0 |
| CVE-2019-10339 A missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed users with Overall/Read access to have Jenkins connect to an attacker... | 8.8 | HIGH | β | 0 |
| CVE-2019-13257 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x00000000003273aa. | N/A | NONE | β | 0 |
| CVE-2018-11800 SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on the GroupSummaryCounts related table. | N/A | NONE | β | 0 |
| CVE-2018-11801 SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on a m_center data related table. | N/A | NONE | β | 0 |
| CVE-2019-12794 An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's u... | N/A | NONE | β | 0 |
| CVE-2019-11334 An authentication bypass in website post requests in the Tzumi Electronics Klic Lock application 1.0.9 for mobile devices allows attackers to access resources (that are not otherwise accessible withou... | 3.7 | LOW | β | 0 |
| CVE-2019-12764 An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users. | 6.5 | MEDIUM | β | 0 |
| CVE-2019-12765 An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection. | 9.8 | CRITICAL | β | 0 |
| CVE-2019-3410 All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE product are impacted by Cross-Site Request Forgery vulnerability, which stems from the fact that WEB applications do not adequately... | N/A | NONE | β | 0 |
| CVE-2019-3411 All versions up to BD_R218V2.4 of ZTE MF920 product are impacted by information leak vulnerability. Because some interfaces can obtain the WebUI login password without login, an attacker can exploit th... | 7.5 | HIGH | β | 0 |
| CVE-2019-3412 All versions up to BD_R218V2.4 of ZTE MF920 product are impacted by command execution vulnerability. Because some interfaces do not adequately verify parameters, an attacker can execute arbitrary comma... | N/A | NONE | β | 0 |
| CVE-2019-3413 All versions up to V20.18.40.R7.B1 of ZTE NetNumen DAP product have an XSS vulnerability. Due to the lack of correct validation of client data in WEB applications, which results in users being hijacked... | N/A | NONE | β | 0 |
| CVE-2009-5156 An issue was discovered on ASMAX AR-804gu 66.34.1 devices. There is Command Injection via the cgi-bin/script query string. | N/A | NONE | β | 0 |
| CVE-2009-5157 On Linksys WAG54G2 1.00.10 devices, there is authenticated command injection via shell metacharacters in the setup.cgi c4_ping_ipaddr variable. | N/A | NONE | β | 0 |
| CVE-2019-0220 A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule ... | N/A | NONE | β | 0 |
| CVE-2013-7471 An issue was discovered in soap.cgi?service=WANIPConn1 on D-Link DIR-845 before v1.02b03, DIR-600 before v2.17b01, DIR-645 before v1.04b11, DIR-300 rev. B, and DIR-865 devices. There is Command Inject... | 9.8 | CRITICAL | β | 0 |
| CVE-2016-10760 On Seowon Intech routers, there is a Command Injection vulnerability in diagnostic.cgi via shell metacharacters in the ping_ipaddr parameter. | N/A | NONE | β | 0 |
| CVE-2017-18377 An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras. There is Command Injection in the set_ftp.cgi script via shell metacharacters in the pwd variable, as demonstrated by a set_ftp.cgi... | 9.8 | CRITICAL | β | 0 |
| CVE-2017-18378 In NETGEAR ReadyNAS Surveillance before 1.4.3-17 x86 and before 1.1.4-7 ARM, $_GET['uploaddir'] is not escaped and is passed to system() through $tmp_upload_dir, leading to upgrade_handle.php?cmd=writ... | N/A | NONE | β | 0 |
| CVE-2018-20841 HooToo TripMate Titan HT-TM05 and HT-05 routers with firmware 2.000.022 and 2.000.082 allow remote command execution via shell metacharacters in the mac parameter of a protocol.csp?function=set&fname=... | N/A | NONE | β | 0 |
| CVE-2019-12153 Lack of validation in the HTML parser in RealObjects PDFreactor before 10.1.10722 leads to SSRF, allowing attackers to access network or file resources on behalf of the server by supplying malicious H... | N/A | NONE | β | 0 |
| CVE-2019-12154 XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file conte... | N/A | NONE | β | 0 |
| CVE-2019-0196 A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the... | N/A | NONE | β | 0 |
| CVE-2019-0197 A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for an http: host or H2Upgrade was enabled for h2 on an https: host, an Upgrade request from http/1.1 to http/2 ... | 4.2 | MEDIUM | β | 0 |
| CVE-2019-12149 SQL injection vulnerability in silverstripe/restfulserver module 1.0.x before 1.0.9, 2.0.x before 2.0.4, and 2.1.x before 2.1.2 and silverstripe/registry module 2.1.x before 2.1.1 and 2.2.x before 2.2... | N/A | NONE | β | 0 |
| CVE-2019-3946 Fuji Electric V-Server before 6.0.33.0 is vulnerable to denial of service via a crafted UDP message sent to port 8005. An unauthenticated, remote attacker can crash vserver.exe due to an integer overf... | N/A | NONE | β | 0 |
| CVE-2019-12795 daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attac... | N/A | NONE | β | 0 |
| CVE-2017-15123 A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, where the RSS feed URLs are not properly restricted to authenticated users only. An attacker could use this flaw to view potentia... | N/A | NONE | β | 0 |
| CVE-2019-10150 It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 do not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect ... | N/A | NONE | β | 0 |
| CVE-2019-10155 The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integr... | 3.1 | LOW | β | 0 |
| CVE-2019-10157 It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use thi... | N/A | NONE | β | 0 |
| CVE-2025-26996 Improper Control of Generation of Code ('Code Injection') vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Code Injection. This issue affects Sign-up Sheets: from n/a through <= 2.3.... | N/A | NONE | β | 0 |
| CVE-2019-10925 A vulnerability has been identified in SIMATIC MV400 family (All Versions < V7.0.6). An authenticated attacker could escalate privileges by sending specially crafted requests to the integrated webserv... | 7.1 | HIGH | β | 0 |
| CVE-2019-10926 A vulnerability has been identified in SIMATIC MV400 family (All Versions < V7.0.6). Communication with the device is not encrypted. Data transmitted between the device and the user can be obtained by... | N/A | NONE | β | 0 |
| CVE-2019-3872 It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious scri... | N/A | NONE | β | 0 |
| CVE-2019-3873 It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve ... | N/A | NONE | β | 0 |
| CVE-2019-3947 Fuji Electric V-Server before 6.0.33.0 stores database credentials in project files as plaintext. An attacker that can gain access to the project file can recover the database credentials and gain acc... | N/A | NONE | β | 0 |
| CVE-2019-3875 A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided i... | N/A | NONE | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.