Friday, August 23, 2019

NIST NVD - Latest Threats

  • CVE-2019-15518
    Swoole before 4.2.13 allows directory traversal in swPort_http_static_handler.

  • CVE-2019-15516
    Cuberite before 2019-06-11 allows webadmin directory traversal via ....// because the protection mechanism simply removes one ../ substring.

  • CVE-2019-15517
    jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal.

  • CVE-2019-15519
    Power-Response before 2019-02-02 allows directory traversal (up to the application's main directory) via a plugin.

  • CVE-2019-15520
    comelz Quark before 2019-03-26 allows directory traversal to locations outside of the project directory.

  • CVE-2019-13423
    Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 had an issue that an authenticated Kibana user could impersonate as kibanaserver user when providing wrong credentials when all of the following conditions a-c are true: a) Kibana is configured to use Single-Sign-On as authentication method, one of Kerberos, JWT, Proxy, Client certificate. b) The kibanaserver user is configured to use HTTP Basic as the authentication method. c) Search Guard is configured to use an SSO authentication domain and HTTP Basic at the same time.

  • CVE-2019-8444
    The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification.

  • CVE-2019-11589
    The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via an open redirect vulnerability.

  • CVE-2019-13421
    Search Guard versions before 23.1 had an issue that an administrative user is able to retrieve bcrypt password hashes of other users configured in the internal user database.

  • CVE-2019-8447
    The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2019-13422
    Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 had an issue that an attacker can redirect the user to a potentially malicious site upon Kibana login.

  • CVE-2019-11588
    The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2019-11587
    Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF).

  • CVE-2019-14999
    The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on an authenticated administrator.

  • CVE-2019-8445
    Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check.

  • CVE-2019-8446
    The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check.

  • CVE-2019-11584
    The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority.

  • CVE-2019-11585
    The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.

  • CVE-2019-11586
    The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2019-15491
    openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21.

  • CVE-2019-15490
    openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21.

  • CVE-2019-15486
    django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline.

  • CVE-2019-15485
    Bolt before 3.6.10 has XSS via createFolder or createFile in Controller/Async/FilesystemManager.php.

  • CVE-2019-15514
    The Privacy > Phone Number feature in the Telegram app 5.10 for Android and iOS provides an incorrect indication that the access level is Nobody, because attackers can find these numbers via the Group Info feature, e.g., by adding a significant fraction of a region's assigned phone numbers.

  • CVE-2019-15487
    DfE School Experience before v16333-GA has XSS via a teacher training URL.

  • CVE-2019-15493
    openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21.

  • CVE-2019-15482
    selectize-plugin-a11y before 1.1.0 has XSS via the msg field.

  • CVE-2019-15488
    Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test.

  • CVE-2019-15494
    openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21.

  • CVE-2019-15483
    Bolt before 3.6.10 has XSS via a title that is mishandled in the system log.