CVE-2019-15526

An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Type field to SetWanSettings, a related issue to CVE-2019-13482.

Source: CVE-2019-15526

CVE-2019-10746

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Source: CVE-2019-10746

CVE-2019-10747

set-value is vulnerable to Prototype Pollution in versions before 2.0.1 and version 3.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads.

Source: CVE-2019-10747

CVE-2019-10750

deeply is vulnerable to Prototype Pollution in versions before 3.1.0. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using using a _proto_ payload.

Source: CVE-2019-10750

CVE-2019-15525

There is Missing SSL Certificate Validation in the pw3270 terminal emulator before version 5.1.

Source: CVE-2019-15525

CVE-2019-15516

Cuberite before 2019-06-11 allows webadmin directory traversal via ….// because the protection mechanism simply removes one ../ substring.

Source: CVE-2019-15516

CVE-2019-15520

comelz Quark before 2019-03-26 allows directory traversal to locations outside of the project directory.

Source: CVE-2019-15520

CVE-2019-15518

Swoole before 4.2.13 allows directory traversal in swPort_http_static_handler.

Source: CVE-2019-15518

CVE-2019-15517

jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal.

Source: CVE-2019-15517

CVE-2019-15519

Power-Response before 2019-02-02 allows directory traversal (up to the application’s main directory) via a plugin.

Source: CVE-2019-15519