CVE-2019-15230
LibreNMS v1.54 has XSS in the Create User, Inventory, Add Device, Notifications, Alert Rule, Create Maintenance, and Alert Template sections of the admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account.
Source: CVE-2019-15230
CVE-2019-15496
MyT Project Management 1.5.1 lacks CSRF protection and, for example, allows a user/create CSRF attack. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.
Source: CVE-2019-15496
CVE-2019-9935
Various Lexmark products have Incorrect Access Control (issue 2 of 2).
Source: CVE-2019-9935
CVE-2019-13348
In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases.
Source: CVE-2019-13348
CVE-2019-13189
In Knowage through 6.1.1, there is XSS via the start_url or user_id field to the ChangePwdServlet page.
Source: CVE-2019-13189
CVE-2019-10391
Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.
Source: CVE-2019-10391
CVE-2019-10390
A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earlier allowed attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
Source: CVE-2019-10390
CVE-2019-9934
Various Lexmark products have Incorrect Access Control (issue 1 of 2).
Source: CVE-2019-9934
CVE-2019-10384
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
Source: CVE-2019-10384
CVE-2019-10383
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
Source: CVE-2019-10383