Vulnerabilities - Yack CVE

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-8335 1Schoolcms 1Schoolcms Jun 17, 2026 Feb 13, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in SchoolCMS 2.3.1. There is an XSS vulnerability via index.php?a=Index&c=Channel&m=Home&id=[XSS].
CVE-2019-8334 1Schoolcms 1Schoolcms Jun 17, 2026 Feb 13, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in SchoolCMS 2.3.1. There is an XSS vulnerability via index.php?a=Index&c=Channel&m=Home&viewid=[XSS].
CVE-2019-8331 4F5 GetbootstrapRedhat+1 more 16Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Analytics+13 more Jun 17, 2026 Feb 20, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
CVE-2019-8325 3Debian OpensuseRubygems 3Debian Linux LeapRubygems Jun 17, 2026 Jun 17, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
CVE-2019-8324 4Debian OpensuseRedhat+1 more 4Debian Linux Enterprise LinuxLeap+1 more Jun 17, 2026 Jun 17, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eva...Show more An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.Show less
CVE-2019-8323 3Debian OpensuseRubygems 3Debian Linux LeapRubygems Jun 17, 2026 Jun 17, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence inj...Show more An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.Show less
CVE-2019-8322 3Debian OpensuseRubygems 3Debian Linux LeapRubygems Jun 17, 2026 Jun 17, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occ...Show more An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.Show less
CVE-2019-8321 3Debian OpensuseRubygems 3Debian Linux LeapRubygems Jun 17, 2026 Jun 17, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.
CVE-2019-8320 1Rubygems 1Rubygems Jun 17, 2026 Jun 6, 2019 N/A· v4 7.4 HIGH· v3 8.8 HIGH· v2 A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destin...Show more A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.Show less
CVE-2019-8319 1Dlink 1Dir 878 Firmware Jun 17, 2026 Feb 13, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allo...Show more An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetStaticRouteIPv4Settings API function, as demonstrated by shell metacharacters in the Gateway field.Show less
CVE-2019-8318 1Dlink 1Dir 878 Firmware Jun 17, 2026 Feb 13, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allo...Show more An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetSysEmailSettings API function, as demonstrated by shell metacharacters in the SMTPServerPort field.Show less
CVE-2019-8317 1Dlink 1Dir 878 Firmware Jun 17, 2026 Feb 13, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allo...Show more An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetStaticRouteIPv6Settings API function, as demonstrated by shell metacharacters in the DestNetwork field.Show less
CVE-2019-8316 1Dlink 1Dir 878 Firmware Jun 17, 2026 Feb 13, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allo...Show more An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetWebFilterSettings API function, as demonstrated by shell metacharacters in the WebFilterURLs field.Show less
CVE-2019-8315 1Dlink 1Dir 878 Firmware Jun 17, 2026 Feb 13, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allo...Show more An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetIPv4FirewallSettings API function, as demonstrated by shell metacharacters in the SrcIPv4AddressRangeStart field.Show less
CVE-2019-8314 1Dlink 1Dir 878 Firmware Jun 17, 2026 Feb 13, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allo...Show more An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetQoSSettings API function, as demonstrated by shell metacharacters in the IPAddress field.Show less
CVE-2019-8313 1Dlink 1Dir 878 Firmware Jun 17, 2026 Feb 13, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allo...Show more An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetIPv6FirewallSettings API function, as demonstrated by shell metacharacters in the SrcIPv6AddressRangeStart field.Show less
CVE-2019-8312 1Dlink 1Dir 878 Firmware Jun 17, 2026 Feb 13, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allo...Show more An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetSysLogSettings API function, as demonstrated by shell metacharacters in the IPAddress field.Show less
CVE-2019-8308 3Debian FlatpakRedhat 8Debian Linux Enterprise Linux DesktopEnterprise Linux Server+5 more Jun 17, 2026 Feb 12, 2019 N/A· v4 8.2 HIGH· v3 4.4 MEDIUM· v2 Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.
CVE-2019-8293 1Abcprintf 1Upload Image With Ajax Jun 17, 2026 Dec 23, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Due to a logic error in the code, upload-image-with-ajax v1.0 allows arbitrary files to be uploaded to the web root allowing code execution.
CVE-2019-8292 1Online Store System Project 1Online Store System Jun 17, 2026 Oct 1, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Online Store System v1.0 delete_product.php doesn't check to see if a user authtenticated or has administrative rights allowing arbitrary product deletion.
CVE-2019-8291 1Online Store System Project 1Online Store System Jun 17, 2026 Oct 1, 2019 N/A· v4 7.5 HIGH· v3 6.4 MEDIUM· v2 Online Store System v1.0 delete_file.php doesn't check to see if a user has administrative rights nor does it check for path traversal.
CVE-2019-8290 1Online Store System Project 1Online Store System Jun 17, 2026 Oct 1, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Vulnerability in Online Store v1.0, The registration form requirements for the member email format can be bypassed by posting directly to sent_register.php allowing special characters to be included and an XSS payload to...Show more Vulnerability in Online Store v1.0, The registration form requirements for the member email format can be bypassed by posting directly to sent_register.php allowing special characters to be included and an XSS payload to be injected.Show less
CVE-2019-8289 1Online Store System Project 1Online Store System Jun 17, 2026 Oct 1, 2019 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Vulnerability in Online Store v1.0, stored XSS in admin/user_view.php adidas_member_email variable
CVE-2019-8288 1Online Store System Project 1Online Store System Jun 17, 2026 Oct 1, 2019 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Vulnerability in Online Store v1.0, Stored XSS in user_view.php where adidas_member_user variable is not sanitized.
CVE-2019-8287 1Tightvnc 1Tightvnc Jun 17, 2026 Oct 29, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.

Previous 1...828384...14337 Next

Vulnerabilities (CVE)