Export limit exceeded: 346636 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 79002 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (79002 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-12408 | 1 Apache | 1 Arrow | 2024-11-21 | 7.5 High |
| It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats. | ||||
| CVE-2019-12402 | 4 Apache, Fedoraproject, Oracle and 1 more | 20 Commons Compress, Fedora, Banking Payments and 17 more | 2024-11-21 | 7.5 High |
| The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. | ||||
| CVE-2019-12401 | 1 Apache | 1 Solr | 2024-11-21 | 7.5 High |
| Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs. | ||||
| CVE-2019-12399 | 3 Apache, Oracle, Redhat | 14 Kafka, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 11 more | 2024-11-21 | 7.5 High |
| When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables. | ||||
| CVE-2019-12393 | 1 Anviz | 1 Management System | 2024-11-21 | 7.5 High |
| Anviz access control devices are vulnerable to replay attacks which could allow attackers to intercept and replay open door requests. | ||||
| CVE-2019-12391 | 1 Anviz | 1 Management System | 2024-11-21 | 7.5 High |
| The Anviz Management System for access control has insufficient logging for device events such as door open requests. | ||||
| CVE-2019-12389 | 1 Anviz | 1 Anviz Firmware | 2024-11-21 | 7.5 High |
| Anviz access control devices expose credentials (names and passwords) by allowing remote attackers to query this information without credentials via port tcp/5010. | ||||
| CVE-2019-12388 | 1 Anviz | 1 Anviz Firmware | 2024-11-21 | 7.5 High |
| Anviz access control devices perform cleartext transmission of sensitive information (passwords/pins and names) when replying to query on port tcp/5010. | ||||
| CVE-2019-12360 | 1 Glyphandcog | 1 Xpdfreader | 2024-11-21 | 7.1 High |
| A stack-based buffer over-read exists in FoFiTrueType::dumpString in fofi/FoFiTrueType.cc in Xpdf 4.01.01. It can, for example, be triggered by sending crafted TrueType data in a PDF document to the pdftops tool. It might allow an attacker to cause Denial of Service or leak memory data into dump content. | ||||
| CVE-2019-12359 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 7.2 High |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/ztliuyan_sendmail.php (when the attacker has admin authority) via the id parameter. | ||||
| CVE-2019-12358 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 8.8 High |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendsms.php (when the attacker has dls_print authority) via a dlid cookie. | ||||
| CVE-2019-12357 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 7.2 High |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/deluser.php (when the attacker has admin authority) via the id parameter. | ||||
| CVE-2019-12356 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 8.8 High |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dls_download.php (when the attacker has dls_download authority) via the id parameter. | ||||
| CVE-2019-12355 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 8.8 High |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dls_print.php (when the attacker has dls_print authority) via the id parameter. | ||||
| CVE-2019-12354 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 7.2 High |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/showbad.php (when the attacker has admin authority) via the id parameter. | ||||
| CVE-2019-12353 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 7.2 High |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/dl_sendmail.php (when the attacker has admin authority) via the id parameter. | ||||
| CVE-2019-12352 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 8.8 High |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendmail.php (when the attacker has dls_print authority) via a dlid cookie. | ||||
| CVE-2019-12331 | 1 Phpoffice | 1 Phpspreadsheet | 2024-11-21 | 8.8 High |
| PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ‚<!ENTITY‘ and thus allowing for an xml external entity processing (XXE) attack. | ||||
| CVE-2019-12325 | 1 Htek | 2 Uc902, Uc902 Firmware | 2024-11-21 | 8.8 High |
| The Htek UC902 VoIP phone web management interface contains several buffer overflow vulnerabilities in the firmware version 2.0.4.4.46, which allow an attacker to crash the device (DoS) without authentication or execute code (authenticated as a user) to spawn a remote shell as a root user. | ||||
| CVE-2019-12295 | 4 Canonical, Debian, F5 and 1 more | 16 Ubuntu Linux, Debian Linux, Big-ip Access Policy Manager and 13 more | 2024-11-21 | 7.5 High |
| In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion. | ||||