Unknown · CVSS Not scored
An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R410.2; SymmetrE R310, R410.1, and R410.2; ComfortPoint Open Manager (aka CPO-M) Station R100; and HMIWeb Browser client packages allows remote attackers to execute arbitrary code via a crafted HTML document.
Published Feb 24, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The search function in Cisco Webex Social (formerly Cisco Quad) allows remote authenticated users to read files via unspecified parameters, aka Bug ID CSCud40235.
Published Feb 6, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cisco Small Business Wireless Access Points WAP200, WAP2000, WAP200E, and WET200 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted SSID that is not properly handled during a site survey, aka Bug IDs CSCua86182, CSCua91196, CSCud36155, and CSCua86190.
Published Feb 13, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The HTTP server in Cisco IOS on Catalyst switches does not properly handle TCP socket events, which allows remote attackers to cause a denial of service (device crash) via crafted packets on TCP port (1) 80 or (2) 443, aka Bug ID CSCuc53853.
Published Feb 13, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The Cisco ATA 187 Analog Telephone Adaptor with firmware 9.2.1.0 and 9.2.3.1 before ES build 4 does not properly implement access control, which allows remote attackers to execute operating-system commands via vectors involving a session on TCP port 7870, aka Bug ID CSCtz67038.
Published Feb 13, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
NEC Universal RAID Utility 1.40 Rev 680 and earlier, 2.31 Rev 1492 and earlier, and 2.5 Rev 2244 and earlier does not provide access control, which allows remote attackers to perform arbitrary RAID disk operations via unspecified vectors.
Published Feb 22, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple cross-site request forgery (CSRF) vulnerabilities in the server in Cisco Unified MeetingPlace before 7.1(2.2000) allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCuc64903. NOTE: some of these details are obtained from third party information.
Published Feb 15, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Integer overflow in the gdk_cairo_set_source_pixbuf function in gdk/gdkcairo.c in GTK+ before 3.9.8, as used in eom, gnome-photos, eog, gambas3, thunar, pinpoint, and possibly other applications, allows remote attackers to cause a denial of service (crash) via a large image file, which triggers a large memory allocation.
Published Feb 17, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
A flaw was found in StarWind iSCSI target. StarWind service does not limit client connections and allocates memory on each connection attempt. An attacker could create a denial of service state by trying to connect a non-existent target multiple times. This affects iSCSI SAN (Windows Native) Version 6.0, build 2013-01-16.
Published Feb 6, 2022 · Updated Aug 6, 2024
Medium · CVSS 5.5
A vulnerability was found in fanzila WebFinance 0.5 and classified as critical. This issue affects some unknown processing of the file htdocs/admin/save_taxes.php. The manipulation of the argument id leads to sql injection. The patch is named 306f170ca2a8203ae3d8f51fb219ba9e05b945e1. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-220055.
Published Feb 3, 2023 · Updated Aug 6, 2024
Medium · CVSS 5.5
A vulnerability has been found in fanzila WebFinance 0.5 and classified as critical. This vulnerability affects unknown code of the file htdocs/admin/save_Contract_Signer_Role.php. The manipulation of the argument n/v leads to sql injection. The patch is identified as abad81af614a9ceef3f29ab22ca6bae517619e06. It is recommended to apply a patch to fix this issue. VDB-220054 is the identifier assigned to this vulnerability.
Published Feb 3, 2023 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.
Published Feb 24, 2015 · Updated Aug 6, 2024
Medium · CVSS 5.5
A vulnerability was found in fanzila WebFinance 0.5. It has been classified as critical. Affected is an unknown function of the file htdocs/admin/save_roles.php. The manipulation of the argument id leads to sql injection. The name of the patch is 6cfeb2f6b35c1b3a7320add07cd0493e4f752af3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-220056.
Published Feb 3, 2023 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.
Published Feb 15, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
Published Feb 21, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in wiki.c in didiwiki allows remote attackers to read arbitrary files via the page parameter to api/page/get.
Published Feb 23, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtain sensitive settings history information by leveraging lack of user permission for retrieval in fm_IDL.xml.
Published Feb 1, 2018 · Updated Aug 6, 2024
Unknown · CVSS Not scored
libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify.
Published Feb 12, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
scripts/email.coffee in the Hubot Scripts module before 2.4.4 for Node.js allows remote attackers to execute arbitrary commands.
Published Feb 12, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
MobileIron VSP < 5.9.1 and Sentry < 5.0 has a weak password obfuscation algorithm
Published Feb 12, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in D-Link DAP-2253 Access Point (Rev. A1) with firmware before 1.30 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Feb 6, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Absolute path traversal vulnerability in cantata before 1.2.2 allows local users to read arbitrary files via a full pathname in a request to the internal httpd server. NOTE: this vulnerability can be leveraged by remote attackers using CVE-2013-7301.
Published Feb 2, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php.
Published Feb 14, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return value, a different vulnerability than CVE-2013-7226.
Published Feb 18, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in D-Link DAP-2253 Access Point (Rev. A1) with firmware before 1.30 allows remote attackers to hijack the authentication of administrators for requests that modify configuration settings via unspecified vectors.
Published Feb 6, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Webkit-GTK 2.x (any version with HTML5 audio/video support based on GStreamer) allows remote attackers to trigger unexpectedly high sound volume via malicious javascript. NOTE: this WebKit-GTK behavior complies with existing W3C standards and existing practices for GNOME desktop integration.
Published Feb 17, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
MobileIron VSP < 5.9.1 and Sentry < 5.0 has an insecure encryption scheme.
Published Feb 13, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field.
Published Feb 6, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cantata before 1.2.2 does not restrict access to files in the play queue, which allows remote attackers to obtain sensitive information by reading the songs in the queue.
Published Feb 2, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple integer signedness errors in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allow remote attackers to cause a denial of service (application crash) or obtain sensitive information via an imagecrop function call with a negative value for the (1) x or (2) y dimension, a different vulnerability than CVE-2013-7226.
Published Feb 18, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
config/filter.d/postfix.conf in the postfix filter in Fail2ban before 0.8.11 allows remote attackers to trigger the blocking of an arbitrary IP address via a crafted e-mail address that matches an improperly designed regular expression.
Published Feb 1, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
cgi-bin/reboot.cgi on Seowon Intech SWC-9100 routers allows remote attackers to (1) cause a denial of service (reboot) via a default_reboot action or (2) reset all configuration values via a factory_default action.
Published Feb 4, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Integer overflow in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an imagecrop function call with a large x dimension value, leading to a heap-based buffer overflow.
Published Feb 18, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Belkin n750 routers have a buffer overflow.
Published Feb 13, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in user/ldap_user/add in Fortinet FortiOS 5.0.3 allows remote attackers to inject arbitrary web script or HTML via the filter parameter.
Published Feb 4, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
config/filter.d/cyrus-imap.conf in the cyrus-imap filter in Fail2ban before 0.8.11 allows remote attackers to trigger the blocking of an arbitrary IP address via a crafted e-mail address that matches an improperly designed regular expression.
Published Feb 1, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in firewall/schedule/recurrdlg in Fortinet FortiOS 5.0.5 allows remote attackers to inject arbitrary web script or HTML via the mkey parameter.
Published Feb 4, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The ping functionality in cgi-bin/diagnostic.cgi on Seowon Intech SWC-9100 routers allows remote attackers to execute arbitrary commands via shell metacharacters in the ping_ipaddr parameter.
Published Feb 4, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users via ephemeral storage.
Published Feb 6, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters
Published Feb 4, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script
Published Feb 4, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in the web based operator client in LiveZilla before 5.1.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name of an uploaded file or (2) customer name in a resource created from an uploaded file, a different vulnerability than CVE-2013-7003.
Published Feb 14, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
OpenConnect VPN client with GnuTLS before 5.02 contains a heap overflow if MTU is increased on reconnection.
Published Feb 13, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
D-Link DIR-100 4.03B07: cli.cgi CSRF
Published Feb 4, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
D-Link DIR-100 4.03B07 has PPTP and poe information disclosure
Published Feb 4, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
D-Link DIR-100 4.03B07: cli.cgi XSS
Published Feb 4, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Belkin WeMo Home Automation firmware before 3949 has a hardcoded GPG key, which makes it easier for remote attackers to spoof firmware updates and execute arbitrary code via crafted signed data.
Published Feb 22, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Belkin WeMo Home Automation firmware before 3949 does not use SSL for the distribution feed, which allows man-in-the-middle attackers to install arbitrary firmware by spoofing a distribution server.
Published Feb 22, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The peerAddresses API in the Belkin WeMo Home Automation firmware before 3949 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Published Feb 22, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Belkin WeMo Home Automation firmware before 3949 does not properly use the STUN and TURN protocols, which allows remote attackers to hijack connections and possibly have unspecified other impact by leveraging access to a single WeMo device.
Published Feb 22, 2014 · Updated Aug 6, 2024