Total
3608 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-10753 | 5 Canonical, Fedoraproject, Linuxfoundation and 2 more | 6 Ubuntu Linux, Fedora, Ceph and 3 more | 2024-11-21 | 5.4 Medium |
| A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue. | ||||
| CVE-2020-10208 | 1 Amino | 12 Ak45x, Ak45x Firmware, Ak5xx and 9 more | 2024-11-21 | 9.9 Critical |
| Command Injection in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows authenticated remote attackers to execute arbitrary commands with root user privileges. | ||||
| CVE-2019-9900 | 2 Envoyproxy, Redhat | 3 Envoy, Openshift Service Mesh, Service Mesh | 2024-11-21 | 8.3 High |
| When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources. | ||||
| CVE-2019-9811 | 5 Debian, Mozilla, Novell and 2 more | 7 Debian Linux, Firefox, Firefox Esr and 4 more | 2024-11-21 | 8.3 High |
| As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | ||||
| CVE-2019-9614 | 1 Ofcms Project | 1 Ofcms | 2024-11-21 | N/A |
| An issue was discovered in OFCMS before 1.1.3. A command execution vulnerability exists via a template file with '<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("' followed by the command. | ||||
| CVE-2019-9535 | 1 Iterm2 | 1 Iterm2 | 2024-11-21 | 9.8 Critical |
| A vulnerability exists in the way that iTerm2 integrates with tmux's control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5. This vulnerability may allow an attacker to execute arbitrary commands on their victim's computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content. | ||||
| CVE-2019-8948 | 1 Papercut | 2 Papercut Mf, Papercut Ng | 2024-11-21 | N/A |
| PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163. | ||||
| CVE-2019-8792 | 2 Apple, Google | 3 Iphone Os, Shazam, Android | 2024-11-21 | 8.8 High |
| An injection issue was addressed with improved validation. This issue is fixed in Shazam Android App Version 9.25.0, Shazam iOS App Version 12.11.0. Processing a maliciously crafted URL may lead to arbitrary javascript code execution. | ||||
| CVE-2019-8325 | 4 Debian, Opensuse, Redhat and 1 more | 9 Debian Linux, Leap, Cloudforms Managementengine and 6 more | 2024-11-21 | 7.5 High |
| An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.) | ||||
| CVE-2019-8323 | 4 Debian, Opensuse, Redhat and 1 more | 9 Debian Linux, Leap, Cloudforms Managementengine and 6 more | 2024-11-21 | 7.5 High |
| An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur. | ||||
| CVE-2019-8322 | 4 Debian, Opensuse, Redhat and 1 more | 9 Debian Linux, Leap, Cloudforms Managementengine and 6 more | 2024-11-21 | 7.5 High |
| An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. | ||||
| CVE-2019-8135 | 1 Magento | 1 Magento | 2024-11-21 | 9.8 Critical |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through Symphony framework allows service identifiers to be derived from user controlled data, which can lead to remote code execution. | ||||
| CVE-2019-7889 | 1 Magento | 1 Magento | 2024-11-21 | N/A |
| An injection vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model followed by corresponding database modifications. | ||||
| CVE-2019-7351 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | N/A |
| Log Injection exists in ZoneMinder through 1.32.3, as an attacker can entice the victim to visit a specially crafted link, which in turn will inject a custom Log message provided by the attacker in the 'log' view page, as demonstrated by the message=User%20'admin'%20Logged%20in value. | ||||
| CVE-2019-6802 | 1 Python | 1 Pypiserver | 2024-11-21 | N/A |
| CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI. | ||||
| CVE-2019-6800 | 1 Titanhq | 1 Spamtitan | 2024-11-21 | N/A |
| In TitanHQ SpamTitan through 7.03, a vulnerability exists in the spam rule update function. Updates are downloaded over HTTP, including scripts which are subsequently executed with root permissions. An attacker with a privileged network position is trivially able to inject arbitrary commands. | ||||
| CVE-2019-6034 | 1 Appleple | 1 A-blog Cms | 2024-11-21 | 6.1 Medium |
| a-blog cms versions prior to Ver.2.10.23 (Ver.2.10.x), Ver.2.9.26 (Ver.2.9.x), and Ver.2.8.64 (Ver.2.8.x) allows arbitrary scripts to be executed in the context of the application due to unspecified vectors. | ||||
| CVE-2019-5977 | 1 Cybozu | 1 Garoon | 2024-11-21 | 4.3 Medium |
| Mail header injection vulnerability in Cybozu Garoon 4.0.0 to 4.10.2 may allow a remote authenticated attackers to alter mail header via the application 'E-Mail'. | ||||
| CVE-2019-5404 | 1 Hp | 1 3par Storeserv Management Console | 2024-11-21 | N/A |
| A remote script injection vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1. | ||||
| CVE-2019-5314 | 1 Arubanetworks | 1 Arubaos | 2024-11-21 | 6.1 Medium |
| Some web components in the ArubaOS software are vulnerable to HTTP Response splitting (CRLF injection) and Reflected XSS. An attacker would be able to accomplish this by sending certain URL parameters that would trigger this vulnerability. | ||||