Archive for March, 2019

CVE-2019-10678

Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.
Source: NIST

CVE-2019-10675

** DISPUTED ** WordPress 5.1.1 allows remote authenticated authors to obtain sensitive information via a modified PNG file to the wp-admin/media-new.php?browser-uploader Media Uploader feature, which reveals the full path in a wp-includes/functions.php exif_imagetype() error message, even when the “display_errors = Off” setting is used and wp_config.php has debugging disabled. NOTE: the vendor cannot reproduce this.
Source: NIST

CVE-2019-10672

treeRead in hdf/btree.c in libmysofa before 0.7 does not properly validate multiplications and additions.
Source: NIST

CVE-2019-10664

Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.
Source: NIST

CVE-2019-10657

Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request.
Source: NIST

CVE-2019-10663

Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI.
Source: NIST

CVE-2019-10662

Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.
Source: NIST

CVE-2019-10661

On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password.
Source: NIST

CVE-2019-10659

Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field.
Source: NIST

CVE-2019-10658

Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.
Source: NIST