| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An issue was discovered in OpenCV before 4.1.1. There is a NULL pointer dereference in the function cv::XMLParser::parse at modules/core/src/persistence.cpp. |
| An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read/write in the function HaarEvaluator::OptFeature::calc in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service. |
| AdRem NetCrunch 10.6.0.4587 allows Credentials Disclosure. Every user can read the BSD, Linux, MacOS and Solaris private keys, private keys' passwords, and root passwords stored in the credential manager. Every administrator can read the ESX and Windows passwords stored in the credential manager. |
| AdRem NetCrunch 10.6.0.4587 allows Remote Code Execution. In the NetCrunch web client, a read-only administrator can execute arbitrary code on the server running the NetCrunch server software. |
| The Social Photo Gallery plugin 1.0 for WordPress allows Remote Code Execution by creating an album and attaching a malicious PHP file in the cover photo album, because the file extension is not checked. |
| fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a heap-based buffer overflow. |
| nfdump 1.6.17 and earlier is affected by an integer overflow in the function Process_ipfix_template_withdraw in ipfix.c that can be abused in order to crash the process remotely (denial of service). |
| VIVOTEK IP Camera devices with firmware before 0x20x allow a denial of service via a crafted HTTP header. |
| An issue was discovered in Comelit "App lejos de casa (web)" 2.8.0. It allows privilege escalation via modified domus and logged fields, related to js/bridge.min.js and login.json. For example, an attacker can achieve high privileges (installer or administrator) for the graphical interface via a 1C000000000S value for domus, in conjunction with a zero value for logged. |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. |
| A Remote Code Execution (RCE) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to execute system commands as root remotely via a simple HTTP request. |
| An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. When uploading an application bundle, a directory traversal vulnerability allows a VRP user with sufficient privileges to overwrite any file in the VRP virtual machine. A malicious VRP user could use this to replace existing files to take control of the VRP virtual machine. |
| An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. An arbitrary command execution vulnerability allows a malicious VRP user to execute commands with root privilege within the VRP virtual machine, related to resiliency plans and custom script functionality. |
| Slack-Chat through 1.5.5 leaks a Slack Access Token in source code. An attacker can obtain a lot of information about the victim's Slack (channels, members, etc.). |
| WP SlackSync plugin through 1.8.5 for WordPress leaks a Slack Access Token in source code. An attacker can obtain a lot of information about the victim's Slack (channels, members, etc.). |
| The Intercom plugin through 1.2.1 for WordPress leaks a Slack Access Token in source code. An attacker can obtain a lot of information about the victim's Slack (channels, members, etc.). |
| Internal/Views/addUsers.php in Schben Adive 2.0.7 allows remote unprivileged users (editor or developer) to create an administrator account via admin/user/add, as demonstrated by a Python PoC script. |
| An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is use of weak ciphers for SSH such as diffie-hellman-group1-sha1. |
| An issue was discovered in AndyOS Andy versions up to 46.11.113. By default, it starts telnet and ssh (ports 22 and 23) with root privileges in the emulated Android system. This can be exploited by remote attackers to gain full access to the device, or by malicious apps installed inside the emulator to perform privilege escalation from a normal user to root (unlike with standard methods of getting root privileges on Android - e.g., the SuperSu program - the user is not asked for consent). There is no authentication performed - access to a root shell is given upon a successful connection. NOTE: although this was originally published with a slightly different CVE ID number, the correct ID for this Andy vulnerability has always been CVE-2019-14326. |
| SSDP Responder 1.x through 1.5 mishandles incoming network messages, leading to a stack-based buffer overflow by 1 byte. This results in a crash of the server, but only when strict stack checking is enabled. This is caused by an off-by-one error in ssdp_recv in ssdpd.c. |
