CVE-2019-16743
eBrigade before 5.0 has evenement_ical.php evenement SQL Injection.
Source: CVE-2019-16743
CVE-2019-16745
eBrigade before 5.0 has evenement_choice.php chxCal SQL Injection.
Source: CVE-2019-16745
CVE-2017-18636
CDG through 2017-01-01 allows downloadDocument.jsp?command=download&pathAndName= directory traversal.
Source: CVE-2017-18636
CVE-2019-16676
Plataformatec Simple Form has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call.
Source: CVE-2019-16676
CVE-2019-16993
In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them.
Source: CVE-2019-16993
CVE-2019-16992
The Keybase app 2.13.2 for iOS provides potentially insufficient notice that it is employing a user’s private key to sign a certain cryptocurrency attestation (that an address at keybase.io can be used for Stellar payments to the user), which might be incompatible with a user’s personal position on the semantics of an attestation.
Source: CVE-2019-16992
CVE-2019-16930
Zcashd in Zcash before 2.0.7-3 allows discovery of the IP address of a full node that owns a shielded address, related to mishandling of exceptions during deserialization of note plaintexts. This affects anyone who has disclosed their zaddr to a third party.
Source: CVE-2019-16930
CVE-2019-16941
NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).
Source: CVE-2019-16941
CVE-2019-16935
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
Source: CVE-2019-16935
CVE-2019-16925
Flower 1.0.0 has XSS via the name parameter in an @app.task call.
Source: CVE-2019-16925