Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.
Source: NIST
CVE-2019-10678
March 2019
CVE-2019-10675
** DISPUTED ** WordPress 5.1.1 allows remote authenticated authors to obtain sensitive information via a modified PNG file to the wp-admin/media-new.php?browser-uploader Media Uploader feature, which reveals the full path in a wp-includes/functions.php exif_imagetype() error message, even when the “display_errors = Off” setting is used and wp_config.php has debugging disabled. NOTE: the vendor cannot reproduce this.
Source: NIST
CVE-2019-10675
CVE-2019-10672
treeRead in hdf/btree.c in libmysofa before 0.7 does not properly validate multiplications and additions.
Source: NIST
CVE-2019-10672
CVE-2019-10664
Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.
Source: NIST
CVE-2019-10664
CVE-2019-10657
Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request.
Source: NIST
CVE-2019-10657
CVE-2019-10663
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI.
Source: NIST
CVE-2019-10663
CVE-2019-10662
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.
Source: NIST
CVE-2019-10662
CVE-2019-10661
On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password.
Source: NIST
CVE-2019-10661
CVE-2019-10659
Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field.
Source: NIST
CVE-2019-10659
CVE-2019-10658
Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.
Source: NIST
CVE-2019-10658