| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2015-9550 |
668 |
|
|
2020-11-24 |
2020-12-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. By sending a specific hel,xasf packet to the WAN interface, it is possible to open the web management interface on the WAN interface. |
|
2 |
CVE-2015-9551 |
|
|
Exec Code |
2020-11-24 |
2020-12-04 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. There is Remote Code Execution in the management interface via the formSysCmd sysCmd parameter. |
|
3 |
CVE-2017-15680 |
862 |
|
|
2020-11-27 |
2020-11-28 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data. |
|
4 |
CVE-2017-15681 |
22 |
|
Dir. Trav. |
2020-11-27 |
2020-11-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE. |
|
5 |
CVE-2017-15682 |
79 |
|
XSS |
2020-11-27 |
2020-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel. |
|
6 |
CVE-2017-15683 |
91 |
|
|
2020-11-27 |
2020-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. |
|
7 |
CVE-2017-15684 |
22 |
|
Dir. Trav. |
2020-11-27 |
2020-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system. |
|
8 |
CVE-2017-15685 |
91 |
|
|
2020-11-27 |
2020-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. |
|
9 |
CVE-2017-15686 |
79 |
|
XSS |
2020-11-27 |
2020-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies. |
|
10 |
CVE-2017-18926 |
787 |
|
Overflow |
2020-11-06 |
2020-11-19 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the XML writer, leading to heap-based buffer overflows (sometimes seen in raptor_qname_format_as_xml). |
|
11 |
CVE-2018-1725 |
|
|
|
2020-11-05 |
2020-11-12 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM QRadar SIEM 7.3 and 7.4 n a multi tenant configuration could be vulnerable to information disclosure. IBM X-Force ID: 147440. |
|
12 |
CVE-2018-16719 |
20 |
|
DoS |
2020-11-23 |
2020-11-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Jingyun Antivirus v2.4.2.39, the driver file (hookbody.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00221482. |
|
13 |
CVE-2018-16720 |
20 |
|
DoS |
2020-11-23 |
2020-11-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x1236001c, a related issue to CVE-2018-16304. |
|
14 |
CVE-2018-16721 |
20 |
|
DoS |
2020-11-23 |
2020-11-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360090, a related issue to CVE-2018-16306. |
|
15 |
CVE-2018-16722 |
20 |
|
DoS |
2020-11-23 |
2020-11-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360094, a related issue to CVE-2018-16305. |
|
16 |
CVE-2018-16723 |
20 |
|
DoS |
2020-11-23 |
2020-11-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12364020. |
|
17 |
CVE-2018-17932 |
294 |
|
|
2020-11-02 |
2020-11-12 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
JUUKO K-800 (Firmware versions prior to numbers ending ...9A, ...9B, ...9C, etc.) is vulnerable to a replay attack and command forgery, which could allow attackers to replay commands, control the device, view commands, or cause the device to stop running. |
|
18 |
CVE-2018-19025 |
294 |
|
Exec Code |
2020-11-02 |
2020-11-12 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
In JUUKO K-808, an attacker could specially craft a packet that encodes an arbitrary command, which could be executed on the K-808 (Firmware versions prior to numbers ending ...9A, ...9B, ...9C, etc.). |
|
19 |
CVE-2018-19950 |
78 |
|
Exec Code |
2020-11-02 |
2020-11-02 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
If exploited, this command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11. |
|
20 |
CVE-2018-19951 |
79 |
|
XSS |
2020-11-02 |
2020-11-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11. |
|
21 |
CVE-2018-19952 |
89 |
|
Sql +Info |
2020-11-02 |
2020-11-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
If exploited, this SQL injection vulnerability could allow remote attackers to obtain application information. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11. |
|
22 |
CVE-2018-19954 |
79 |
|
XSS |
2020-11-02 |
2020-11-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10. |
|
23 |
CVE-2018-19955 |
79 |
|
XSS |
2020-11-02 |
2020-11-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10. |
|
24 |
CVE-2018-19956 |
79 |
|
XSS |
2020-11-02 |
2020-11-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10. |
|
25 |
CVE-2018-20802 |
|
|
DoS |
2020-11-23 |
2020-11-29 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3. |
|
26 |
CVE-2018-20803 |
835 |
|
DoS |
2020-11-23 |
2020-12-02 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4 versions prior to 3.4.19. |
|
27 |
CVE-2018-20804 |
20 |
|
DoS |
2020-11-23 |
2020-11-29 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.10; v3.6 versions prior to 3.6.13. |
|
28 |
CVE-2018-20805 |
834 |
|
DoS |
2020-11-23 |
2020-11-29 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10. This issue affects: MongoDB Inc. MongoDB Server 3.6 versions prior to 3.6.10; 4.0 versions prior to 4.0.5. |
|
29 |
CVE-2019-2392 |
190 |
|
DoS Overflow |
2020-11-23 |
2020-11-29 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20. |
|
30 |
CVE-2019-2393 |
416 |
|
DoS |
2020-11-23 |
2020-11-29 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15. |
|
31 |
CVE-2019-4349 |
200 |
|
+Info |
2020-11-03 |
2020-11-10 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 applications can be installed on a deprecated operating system version that could compromised the confidentiality and integrity of the service. IBM X-Force ID: 161486 |
|
32 |
CVE-2019-7356 |
79 |
|
XSS |
2020-11-04 |
2020-11-10 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter. |
|
33 |
CVE-2019-7357 |
352 |
|
CSRF |
2020-11-10 |
2020-11-25 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins. |
|
34 |
CVE-2019-11121 |
732 |
|
|
2020-11-12 |
2020-11-19 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Improper file permissions in the installer for the Intel(R) Media SDK for Windows before version 2019 R1 may allow an authenticated user to potentially enable escalation of privilege via local access. |
|
35 |
CVE-2019-12412 |
476 |
|
DoS |
2020-11-19 |
2020-11-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A flaw in the libapreq2 v2.07 to v2.13 multipart parser can deference a null pointer leading to a process crash. A remote attacker could send a request causing a process crash which could lead to a denial of service attack. |
|
36 |
CVE-2019-14553 |
287 |
|
|
2020-11-23 |
2020-11-25 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access. |
|
37 |
CVE-2019-14559 |
401 |
|
DoS |
2020-11-23 |
2022-01-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Uncontrolled resource consumption in EDK II may allow an unauthenticated user to potentially enable denial of service via network access. |
|
38 |
CVE-2019-14562 |
190 |
|
DoS Overflow |
2020-11-23 |
2022-01-01 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Integer overflow in DxeImageVerificationHandler() EDK II may allow an authenticated user to potentially enable denial of service via local access. |
|
39 |
CVE-2019-14563 |
787 |
|
|
2020-11-23 |
2022-01-01 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Integer truncation in EDK II may allow an authenticated user to potentially enable escalation of privilege via local access. |
|
40 |
CVE-2019-14575 |
|
|
|
2020-11-23 |
2022-01-01 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Logic issue in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable escalation of privilege via local access. |
|
41 |
CVE-2019-14586 |
416 |
|
DoS |
2020-11-23 |
2022-01-01 |
5.2 |
None |
Local Network |
Low |
??? |
Partial |
Partial |
Partial |
|
Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access. |
|
42 |
CVE-2019-14587 |
|
|
DoS |
2020-11-23 |
2022-01-01 |
3.3 |
None |
Local Network |
Low |
Not required |
None |
None |
Partial |
|
Logic issue EDK II may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
|
43 |
CVE-2019-17566 |
918 |
|
|
2020-11-12 |
2022-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. |
|
44 |
CVE-2019-19556 |
287 |
|
Bypass +Info |
2020-11-16 |
2021-07-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An authentication bypass in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with physical access to device hardware to obtain system information. |
|
45 |
CVE-2019-19557 |
922 |
|
+Info |
2020-11-16 |
2020-11-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with direct physical access to device hardware to obtain cellular modem information. |
|
46 |
CVE-2019-19560 |
922 |
|
Bypass +Info |
2020-11-16 |
2021-07-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An authentication bypass in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with physical access to device hardware to obtain system information. |
|
47 |
CVE-2019-19561 |
922 |
|
+Info |
2020-11-16 |
2020-11-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information. |
|
48 |
CVE-2019-19562 |
922 |
|
Bypass +Info |
2020-11-16 |
2021-07-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information. |
|
49 |
CVE-2019-19563 |
|
|
+Info |
2020-11-16 |
2020-11-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
A misconfiguration in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with direct physical access to device hardware to obtain cellular modem information. |
|
50 |
CVE-2019-19869 |
|
|
|
2020-11-27 |
2020-12-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. PVs could be changed (unencrypted) by using the IosHttp service and the JSON interface. |
