CVE-2018-12556
The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.
Source: CVE-2018-12556
CVE-2019-10112
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The construction of the HMAC key was insecurely derived.
Source: CVE-2019-10112
CVE-2019-12139
An XSS issue was discovered in the Admin UI in eZ Platform 2.x. This affects ezplatform-admin-ui 1.3.x before 1.3.5 and 1.4.x before 1.4.4, and ezplatform-page-builder 1.1.x before 1.1.5 and 1.2.x before 1.2.4.
Source: CVE-2019-12139
CVE-2019-11033
Applaud HCM 4.0.42+ uses HTML tag fields for HTML inputs in a form. This leads to an XSS vulnerability with a payload starting with the <iframe./> substring.
Source: CVE-2019-11033
CVE-2019-10116
An Insecure Permissions issue (issue 3 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Guests of a project were allowed to see Related Branches created for an issue.
Source: CVE-2019-10116
CVE-2019-10117
An Open Redirect issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. A redirect is triggered after successful authentication within the Oauth/:GeoAuthController for the secondary Geo node.
Source: CVE-2019-10117
CVE-2019-10115
An Insecure Permissions issue (issue 2 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The GitLab Releases feature could allow guest users access to private information like release details and code information.
Source: CVE-2019-10115
CVE-2019-10113
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Making concurrent GET /api/v4/projects/<id>/languages requests may allow Uncontrolled Resource Consumption.
Source: CVE-2019-10113
CVE-2018-17048
admin/Lib/Action/FpluginAction.class.php in FDCMS (aka Fangfa Content Manage System) 4.2 allows SQL Injection.
Source: CVE-2018-17048
CVE-2018-1975
IBM Rational DOORS Web Access 9.5.1 through 9.5.2.9, and 9.6 through 9.6.1.9 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 153916.
Source: CVE-2018-1975