The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2008-7320 | ** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision. | LOW | Dec 17, 2018 | n/a |
| CVE-2010-4001 | ** DISPUTED ** GMXRC.bash in Gromacs 4.5.1 and earlier places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. NOTE: CVE disputes this issue because the GMXLDLIB value is always added to the beginning of LD_LIBRARY_PATH at a later point in the script. | Medium | Nov 8, 2010 | n/a |
| CVE-2012-0039 | ** DISPUTED ** GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application. | Medium | Jan 16, 2012 | n/a |
| CVE-2018-10220 | ** DISPUTED ** Glastopf 3.1.3-dev has SSRF, as demonstrated by the abc.php a parameter. NOTE: the vendor indicates that this is intentional behavior because the product is a web application honeypot, and modules/handlers/emulators/rfi.py supports Remote File Inclusion emulation. | MEDIUM | May 24, 2018 | n/a |
| CVE-2008-4950 | ** DISPUTED ** gccross in dpkg-cross 2.3.0 allows local users to overwrite arbitrary files via a symlink attack on the tmp/gccross2.log temporary file. NOTE: the vendor disputes this vulnerability, stating that There is no sense in this bug - the script ... is called under specific cross-building environments within a chroot. | Medium | Nov 6, 2008 | n/a |
| CVE-2018-6393 | ** DISPUTED ** FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE: the vendor disputes this issue because it is intentional that a user can directly modify SQL tables ... [or] run shell scripts ... once ... logged in to the administration interface; there is no need to try to find input validation errors. | MEDIUM | Jan 29, 2018 | n/a |
| CVE-2017-11191 | ** DISPUTED ** FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had been created for an earlier session. NOTE: Vendor states that issue does not exist in product and does not recognize this report as a valid security concern. | MEDIUM | Oct 11, 2017 | n/a |
| CVE-2017-8769 | ** DISPUTED ** Facebook WhatsApp Messenger before 2.16.323 for Android uses the SD card for cleartext storage of files (Audio, Documents, Images, Video, and Voice Notes) associated with a chat, even after that chat is deleted. There may be users who expect file deletion to occur upon chat deletion, or who expect encryption (consistent with the application\'s use of an encrypted database to store chat text). NOTE: the vendor reportedly indicates that they do not consider these to be security issues because a user may legitimately want to preserve any file for use in other apps like the Google Photos gallery regardless of whether its associated chat is deleted. | LOW | Oct 4, 2019 | n/a |
| CVE-2017-17515 | ** DISPUTED ** etc/ObjectList in Metview 4.7.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has indicated that the code to access this environment variable is not enabled in the shipped product. | MEDIUM | Jan 3, 2018 | n/a |
| CVE-2015-5377 | ** DISPUTED ** Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability. | HIGH | Mar 29, 2018 | n/a |
| CVE-2018-10021 | ** DISPUTED ** drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables. | MEDIUM | Apr 11, 2018 | 10.17.41.8 (Wind River Linux LTS 17) |
| CVE-2010-4931 | ** DISPUTED ** Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder_level parameter. NOTE: this issue has been disputed by a reliable third party. | High | Oct 10, 2011 | n/a |
| CVE-2008-6878 | ** DISPUTED ** Directory traversal vulnerability in admin/includes/languages/english.php in Zen Cart 1.3.8a, 1.3.8, and earlier, when .htaccess is not supported, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the _SESSION[language] parameter. NOTE: the vendor disputes this issue, stating at worst, the use of this vulnerability will reveal some local file paths. | Medium | Jul 28, 2009 | n/a |
| CVE-2017-17527 | ** DISPUTED ** delphi_gui/WWWBrowserRunnerDM.pas in PasDoc 0.14 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer has indicated that the code referencing the BROWSER environment variable is never used. | MEDIUM | Jan 3, 2018 | n/a |
| CVE-2017-17533 | ** DISPUTED ** default.tcl in Tkabber 1.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has indicated that the attack cannot occur because of the argument-parsing behavior of the Tcl exec function. | MEDIUM | Jan 3, 2018 | n/a |
| CVE-2018-11682 | ** DISPUTED ** Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine. | HIGH | Jun 8, 2018 | n/a |
| CVE-2018-11681 | ** DISPUTED ** Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine. | HIGH | Jun 8, 2018 | n/a |
| CVE-2018-11629 | ** DISPUTED ** Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine. | HIGH | Jun 8, 2018 | n/a |
| CVE-2018-15474 | ** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated this is not a security problem in DokuWiki. | MEDIUM | Oct 31, 2018 | n/a |
| CVE-2018-12433 | ** DISPUTED ** cryptlib through 3.4.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. NOTE: the vendor does not include side-channel attacks within its threat model. | LOW | Aug 9, 2018 | n/a |
| CVE-2014-6392 | ** DISPUTED ** Cross-site scripting (XSS) vulnerability in the Facebook app 14.0 and the Facebook Messenger app 10.0 for iOS allows remote attackers to inject arbitrary web script or HTML via a crafted filename extension that is improperly handled during MIME sniffing of chat traffic. NOTE: the vendor disputes the significance of this report, because the user must accept an interstitial warning before the HTML file content is rendered, and because the HTML content's origin is a sandbox domain. | Medium | Sep 23, 2014 | n/a |
| CVE-2014-1607 | ** DISPUTED ** Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future. | Medium | Jan 31, 2014 | n/a |
| CVE-2013-6357 | ** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator. | Medium | Nov 14, 2013 | n/a |
| CVE-2018-8811 | ** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. Note: It is argued that OpenCMS allows only registered users to upload different kind of content artifacts (SVG, .doc, .docx). The uploaded content is stored in the CMS content repository as is. In case of scripts inside an SVG, this may or may not be malicious, there is no way of knowing if the uploaded SVG contains the script for a reason. To exploit the issue, a user must have an account in the CMS as a content manager. | MEDIUM | Mar 20, 2018 | n/a |
| CVE-2007-6752 | ** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the security benefit against platform complexity and performance impact and concluding that a change to the logout behavior is not planned because for most sites it is not worth the trade-off. | Medium | Mar 28, 2012 | n/a |
| CVE-2014-2941 | ** DISPUTED ** Cobham Sailor 6000 satellite terminals have hardcoded Tbus 2 credentials, which allows remote attackers to obtain access via a TBUS2 command. NOTE: the vendor reportedly states there is no possibility to exploit another user's credentials.<a href=http://cwe.mitre.org/data/definitions/798.html>CWE-798: Use of Hard-coded Credentials</a> | High | Aug 15, 2014 | n/a |
| CVE-2017-8912 | ** DISPUTED ** CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor reportedly has stated this is a feature, not a bug. | MEDIUM | Aug 16, 2017 | n/a |
| CVE-2018-18586 | ** DISPUTED ** chmextract.c in the chmextract sample program, as distributed with libmspack before 0.8alpha, does not protect against absolute/relative pathnames in CHM files, leading to Directory Traversal. NOTE: the vendor disputes that this is a libmspack vulnerability, because chmextract.c was only intended as a source-code example, not a supported application. | MEDIUM | Apr 3, 2019 | n/a |
| CVE-2007-5690 | ** DISPUTED ** Buffer overflow in sethdlc.c in the Asterisk Zaptel 1.4.5.1 might allow local users to gain privileges via a long device name (interface name) in the ifr_name field. NOTE: the vendor disputes this issue, stating that the application requires root access, so privilege boundaries are not crossed. | Medium | Oct 31, 2007 | n/a |
| CVE-2017-8459 | ** DISPUTED ** Brave 0.12.4 has a Status Bar Obfuscation issue in which a redirection target is shown in a possibly unexpected way. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) the display of web-search results. | MEDIUM | Oct 3, 2019 | n/a |
| CVE-2017-17514 | ** DISPUTED ** boxes.c in nip2 8.4.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that this product does not use the BROWSER environment variable. | MEDIUM | Jan 2, 2018 | n/a |
| CVE-2017-9442 | ** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. This issue exists in core\\admin\\modules\\developer\\extensions\\install\\unpack.php and core\\admin\\modules\\developer\\packages\\install\\unpack.php. NOTE: the vendor states You must implicitly trust any package or extension you install as they all have the ability to write PHP files. | MEDIUM | Jun 9, 2017 | n/a |
| CVE-2017-9443 | ** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\\admin\\modules\\developer\\extensions\\install\\process.php and core\\admin\\modules\\developer\\packages\\install\\process.php. NOTE: the vendor states You must implicitly trust any package or extension you install as they all have the ability to write PHP files. | MEDIUM | Jun 9, 2017 | n/a |
| CVE-2018-20405 | ** DISPUTED ** BigTree 4.3 allows full path disclosure via authenticated admin/news/ input that triggers a syntax error. NOTE: This has been disputed with the following reasoning: The issue reported requires full developer level access to the content management system where cross site scripting is not an issue -- you already have full control of the CMS including running arbitrary PHP. | MEDIUM | Dec 23, 2018 | n/a |
| CVE-2017-7397 | ** DISPUTED ** BackBox Linux 4.6 allows remote attackers to cause a denial of service (ksoftirqd CPU consumption) via a flood of packets with Martian source IP addresses (as defined in RFC 1812 section 5.3.7). This product enables net.ipv4.conf.all.log_martians by default. NOTE: the vendor reports It has been proved that this vulnerability has no foundation and it is totally fake and based on false assumptions. | MEDIUM | Oct 3, 2019 | n/a |
| CVE-2018-17538 | ** DISPUTED ** Axon (formerly TASER International) Evidence Sync 3.15.89 is vulnerable to process injection. NOTE: the vendor\'s position is that this CVE is not associated with information that supports any finding of any type of vulnerability. | HIGH | Dec 20, 2018 | n/a |
| CVE-2013-3926 | ** DISPUTED ** Atlassian Crowd 2.6.3 allows remote attackers to execute arbitrary commands via unspecified vectors related to a symmetric backdoor. NOTE: as of 20130704, the vendor could not reproduce the issue, stating We\'ve been unable to substantiate the existence of [CVE-2013-3926]. The author of the article has not contacted Atlassian and has provided no detail, making it difficult to validate the claim... If we can confirm that there is a vulnerability, a patch will be issued.Per: http://cwe.mitre.org/data/definitions/77.html \'CWE-77: Improper Neutralization of Special Elements used in a Command (\'Command Injection\')\' | High | Jul 8, 2013 | n/a |
| CVE-2018-7046 | ** DISPUTED ** Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a Pages -> Edit -> Template -> Edit template properties -> Layout box. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout. | HIGH | Feb 28, 2019 | n/a |
| CVE-2013-0346 | ** DISPUTED ** Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor has stated The tomcat log directory does not contain any sensitive information. | Low | Feb 18, 2014 | n/a |
| CVE-2018-11692 | ** DISPUTED ** An issue was discovered on Canon LBP6650, LBP3370, LBP3460, and LBP7750C devices. It is possible to bypass the Administrator Mode authentication for /tlogin.cgi via vectors involving frame.cgi?page=DevStatus. NOTE: the vendor reportedly responded that this issue occurs when a customer keeps the default settings without using the countermeasures and best practices shown in the documentation. | HIGH | Jun 8, 2018 | n/a |
| CVE-2018-9156 | ** DISPUTED ** An issue was discovered on AXIS P1354 (IP camera) Firmware version 5.90.1.1 devices. The upload web page doesn\'t verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with <!--#exec cmd= support. The file needs to include a specific string to meet the internal system architecture. After the webshell upload, an attacker can use the webshell to perform remote code execution such as running a system command (ls, ping, cat /etc/passwd, etc.). NOTE: the vendor reportedly indicates that this is an intended feature or functionality. | HIGH | May 15, 2018 | n/a |
| CVE-2018-9157 | ** DISPUTED ** An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. The upload web page doesn\'t verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with <!--#exec cmd= support. The file needs to include a specific string to meet the internal system architecture. After the webshell upload, an attacker can use the webshell to perform remote code execution such as running a system command (ls, ping, cat /etc/passwd, etc.). NOTE: the vendor reportedly indicates that this is an intended feature or functionality. | HIGH | May 15, 2018 | n/a |
| CVE-2018-11209 | ** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. zb_system/cmd.php?act=verify relies on MD5 for the password parameter, which might make it easier for attackers to bypass intended access restrictions via a dictionary or rainbow-table attack. NOTE: the vendor declined to accept this as a valid issue. | MEDIUM | Oct 3, 2019 | n/a |
| CVE-2018-11208 | ** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. There is a persistent XSS that allows remote attackers to inject arbitrary web script or HTML into background web site settings via the copyright information office field. NOTE: the vendor indicates that the product was not intended to block this type of XSS by a user with the admin privilege. | LOW | Apr 16, 2019 | n/a |
| CVE-2018-10682 | ** DISPUTED ** An issue was discovered in WildFly 10.1.2.Final. It is possible for an attacker to access the administration panel on TCP port 9990 without any authentication using anonymous access that is automatically created. Once logged in, a misconfiguration present by default (auto-deployment) permits an anonymous user to deploy a malicious .war file, leading to remote code execution. NOTE: the vendor indicates that anonymous access is not available in the default installation; however, it remains optional because there are several use cases for it, including development environments and network architectures that have a proxy server for access control to the WildFly server. | HIGH | May 9, 2018 | n/a |
| CVE-2018-15542 | ** DISPUTED ** An issue was discovered in the org.telegram.messenger application 4.8.11 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method\'s return value to true. In other words, an attacker could authenticate with an arbitrary passcode. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-15543 | ** DISPUTED ** An issue was discovered in the org.telegram.messenger application 4.8.11 for Android. The FingerprintManager class for Biometric validation allows authentication bypass through the callback method from onAuthenticationFailed to onAuthenticationSucceeded with null, because the fingerprint API in conjunction with the Android keyGenerator class is not implemented. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred. | MEDIUM | Nov 24, 2018 | n/a |
| CVE-2018-15660 | ** DISPUTED ** An issue was discovered in the Ola Money (aka com.olacabs.olamoney) application 1.9.0 for Android. If an attacker controls an application with accessibility permissions, then the attacker can read certain Ola Money data such as a credit card number, expiration date, bank account number, and transaction history. NOTE: the vendor does not agree that this is a security issue requiring a fix. | MEDIUM | Oct 3, 2019 | n/a |
| CVE-2018-15661 | ** DISPUTED ** An issue was discovered in the Ola Money (aka com.olacabs.olamoney) application 1.9.0 for Android. If an attacker controls an application with accessibility permissions and the ability to read SMS messages, then the Forgot Password screen can be used to bypass authentication. NOTE: the vendor does not agree that this is a security issue requiring a fix. | LOW | Aug 19, 2019 | n/a |
| CVE-2018-18320 | ** DISPUTED ** An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because exec.php has a popen call. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution. | HIGH | Jan 9, 2019 | n/a |
