| ID | CVSS | Severity | Attack vector | Vendor | Product | Description | Weakness | CVE | Last updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|
| 224671 | 6.5 | MEDIUM | Network | scytl | secure_vote | An issue was discovered in Scytl sVote 2.1. Because the IP address from an X-Forwarded-For header (which can be manipulated client-side) is used for the internal application logs, an attacker can inj… | CWE-290 Authentication Bypass by Spoofing | CVE-2019-25023 | 2024-11-21 13:39 | 2021-02-27 |
| 224672 | 9.8 | CRITICAL | Network | scytl | secure_vote | An issue was discovered in Scytl sVote 2.1. An attacker can inject code that gets executed by creating an election-event and injecting a payload over an event alias, because the application calls Run… | CWE-78 OS Command | CVE-2019-25022 | 2024-11-21 13:39 | 2021-02-27 |
| 224673 | 7.5 | HIGH | Network | scytl | secure_vote | An issue was discovered in Scytl sVote 2.1. Due to the implementation of the database manager, an attacker can access the OrientDB by providing admin as the admin password. A different password canno… | CWE-798 Use of Hard-coded Credentials | CVE-2019-25021 | 2024-11-21 13:39 | 2021-02-27 |
| 224674 | 7.5 | HIGH | Network | scytl | secure_vote | An issue was discovered in Scytl sVote 2.1. Because the sdm-ws-rest API does not require authentication, an attacker can retrieve the administrative configuration by sending a POST request to the /sd… | CWE-306 Missing Authentication for Critical Function | CVE-2019-25020 | 2024-11-21 13:39 | 2021-02-27 |
| 224675 | 9.8 | CRITICAL | Network | alleghenycreative | openrepeater | OpenRepeater (ORP) before 2.2 allows unauthenticated command injection via shell metacharacters in the functions/ajax_system.php post_service parameter. | CWE-78 OS Command | CVE-2019-25024 | 2024-11-21 13:39 | 2021-02-19 |
| 224676 | 9.8 | CRITICAL | Network | limesurvey | limesurvey | LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model. | CWE-89 SQL Injection | CVE-2019-25019 | 2024-11-21 13:39 | 2021-02-14 |
| 224677 | 7.5 | HIGH | Network | mit | krb5-appl | In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. … | NVD-CWE-noinfo | CVE-2019-25018 | 2024-11-21 13:39 | 2021-02-03 |
| 224678 | 5.9 | MEDIUM | Network | mit | krb5-appl | An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, t… | CWE-863 Incorrect Authorization | CVE-2019-25017 | 2024-11-21 13:39 | 2021-02-03 |
| 224679 | 6.5 | MEDIUM | Network | istio; redhat | istio; openshift_service_mesh | A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is p… | CWE-476 NULL Pointer Dereference | CVE-2019-25014 | 2024-11-21 13:39 | 2021-01-29 |
| 224680 | 8.8 | HIGH | Network | opendoas_project | opendoas | In OpenDoas from 6.6 to 6.8 the users PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed t… | CWE-459 Incomplete Cleanup; CWE-909 Missing Initialization of Resource | CVE-2019-25016 | 2024-11-21 13:39 | 2021-01-29 |