| ID | CVSS | Severity | Attack vector | Vendor | Product | Description | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|
| 212321 | 8.8 | HIGH | Network | indexhibit | indexhibit | In Indexhibit 2.1.5, remote attackers can execute arbitrary code via the v parameter (in conjunction with the id parameter) in a upd_jxcode=true action to the ndxzstudio/?a=system URI. | CWE-20 Improper Input Validation | CVE-2019-8954 | 2024-11-21 13:50 | 2019-02-21 |
| 212322 | 6.1 | MEDIUM | Network | netgate | haproxy | The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php. | CWE-79 Cross-site Scripting | CVE-2019-8953 | 2024-11-21 13:50 | 2019-02-21 |
| 212323 | 9.8 | CRITICAL | Network | dasannetworks | h665_firmware | The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET. | CWE-798 Use of Hard-coded Credentials | CVE-2019-8950 | 2024-11-21 13:50 | 2019-02-20 |
| 212324 | 9.8 | CRITICAL | Network | papercut | papercut_mf, papercut_ng | PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163. | CWE-74 Injection | CVE-2019-8948 | 2024-11-21 13:50 | 2019-02-20 |
| 212325 | 6.5 | MEDIUM | Network | octopus | octopus_deploy, octopus_server | An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variab… | CWE-532 Inclusion of Sensitive Information in Log Files | CVE-2019-8944 | 2024-11-21 13:50 | 2019-02-20 |
| 212326 | 6.5 | MEDIUM | Network | wordpress | wordpress | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two … | CWE-22 Path Traversal | CVE-2019-8943 | 2024-11-21 13:50 | 2019-02-20 |
| 212327 | 8.8 | HIGH | Network | wordpress, debian | wordpress, debian_linux | WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php su… | CWE-434 Unrestricted Upload of File with Dangerous Type | CVE-2019-8942 | 2024-11-21 13:50 | 2019-02-20 |
| 212328 | 6.1 | MEDIUM | Network | tautulli | tautulli | data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page. | CWE-79 Cross-site Scripting | CVE-2019-8939 | 2024-11-21 13:50 | 2019-02-20 |
| 212329 | 5.4 | MEDIUM | Network | o-dyn | collabtive | Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter. | CWE-79 Cross-site Scripting | CVE-2019-8935 | 2024-11-21 13:50 | 2019-02-20 |
| 212330 | 8.8 | HIGH | Network | dedecms | dedecms | In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting… | CWE-434 Unrestricted Upload of File with Dangerous Type | CVE-2019-8933 | 2024-11-21 13:50 | 2019-02-19 |