2021

2020

CVE-2020-13756 (v3: 9.8) 3 Jun 2020

Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

CVE-2020-10389 (v3: 7.2) 12 Mar 2020

admin/save-settings.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve Code Execution by injecting PHP code into any POST parameter when saving global settings.

CVE-2020-10386 (v3: 7.2) 12 Mar 2020

admin/imagepaster/image-upload.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve Code Execution by uploading a .php file in the admin/js/ directory.

2019

CVE-2019-18915 (v3: 7.8) 13 Feb 2020

A potential security vulnerability has been identified with certain versions of HP System Event Utility prior to version 1.4.33. This vulnerability may allow a local attacker to execute arbitrary code via an HP System Event Utility system service.

CVE-2019-11045 (v3: 5.9) 23 Dec 2019

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

CVE-2019-18909 (v3: 8) 22 Nov 2019

The VPN software within HP ThinPro does not safely handle user supplied input, which may be leveraged by an attacker to inject commands that will execute with root privileges.

CVE-2019-18910 (v3: 6.8) 22 Nov 2019

The Citrix Receiver wrapper function does not safely handle user supplied input, which may be leveraged by an attacker to inject commands that will execute with local user privileges.

CVE-2019-17408 (v3: 9.8) 14 Oct 2019

parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows remote attackers to execute arbitrary code because the danger_key function can be bypassed via manipulations such as strtr.

CVE-2019-6333 (v3: 6.7) 11 Oct 2019

A potential security vulnerability has been identified with certain versions of HP Touchpoint Analytics prior to version 4.1.4.2827. This vulnerability may allow a local attacker with administrative privileges to execute arbitrary code via an HP Touchpoint Analytics system service.

CVE-2019-16722 (v3: 9.8) 23 Sep 2019

ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses an str_ireplace operation.

CVE-2019-11038 (v3: 5.3) 19 Jun 2019

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.

CVE-2019-11958 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11960 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11967 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11968 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11980 (v3: 8.8) 5 Jun 2019

A remote code exection vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11942 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11943 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11944 (v3: 9.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11945 (v3: 9.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11948 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5338 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5339 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5340 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5341 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5344 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5347 (v3: 9.8) 5 Jun 2019

A remote authentication bypass vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5348 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5349 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5355 (v3: 7.5) 5 Jun 2019

A remote denial of service vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5362 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5363 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5364 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5365 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5366 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5368 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5369 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-5376 (v3: 8.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11458 (v3: 7.5) 8 May 2019

An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction.

CVE-2019-9826 (v3: 7.5) 2 May 2019

The fulltext search component in phpBB before 3.2.6 allows Denial of Service.

CVE-2019-3479 (v3: 9.8) 25 Mar 2019

Mitigates a potential remote code execution issue in ArcSight Logger versions prior to 6.7.

CVE-2019-3484 (v3: 7.8) 25 Mar 2019

Mitigates a remote code execution issue in ArcSight Logger versions prior to 6.7.

CVE-2019-9082 (v3: 9.8) 24 Feb 2019

ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

CVE-2019-7412 (v3: 9.8) 5 Feb 2019

The PS PHPCaptcha WP plugin before v1.2.0 for WordPress mishandles sanitization of input values.

2018

CVE-2018-7124 (v3: 9.8) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2018-7125 (v3: 6.3) 5 Jun 2019

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2018-20127 (v3: 7.5) 13 Dec 2018

An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but path=F:/1.phP. succeeds.

CVE-2018-7116 (v3: 7.5) 3 Dec 2018

HPE Intelligent Management Center (IMC) prior to IMC PLAT 7.3 (E0605P06) is vulnerable to a remote denial of service via dbman Opcode 10003 'Filename'. This problem is resolved in IMC PLAT 7.3 (E0605P06) or subsequent versions.

CVE-2018-19556 (v3: 4.3) 26 Nov 2018

** DISPUTED ** zb_system/admin/index.php?act=UploadMng in Z-BlogPHP 1.5 mishandles file preview, leading to content spoofing. NOTE: the software maintainer disputes that this is a vulnerability.

CVE-2018-18626 (v3: 7.5) 23 Oct 2018

An issue was discovered in PHPYun V4.6. There is a vulnerability that can delete any file or directory via the "admin/index.php?m=database&c=del" sql parameter because del_action() in admin/model/database.class.php mishandles this parameter.

CVE-2018-17836 (v3: 8.8) 1 Oct 2018

An issue was discovered in JTBC(PHP) 3.0.1.6. It allows remote attackers to execute arbitrary PHP code by using a /console/file/manage.php?type=action&action=addfile&path=..%2F substring to upload, in conjunction with a multipart/form-data PHP payload.

CVE-2018-17837 (v3: 7.5) 1 Oct 2018

An issue was discovered in JTBC(PHP) 3.0.1.6. Arbitrary file deletion is possible via a /console/file/manage.php?type=action&action=delete&path=c%3A%2F substring.

CVE-2018-7103 (v3: 9.8) 27 Sep 2018

A Remote Code Execution vulnerability was identified in HPE Intelligent Management Center (iMC) Wireless Services Manager Software earlier than version IMC WSM 7.3 E0506P02.

CVE-2018-7104 (v3: 9.8) 27 Sep 2018

A Remote Code Execution vulnerability was identified in HPE Intelligent Management Center (iMC) Wireless Services Manager Software earlier than version IMC WSM 7.3 E0506P02.

CVE-2018-7109 (v3: 6.5) 27 Sep 2018

HPE has addressed a remote arbitrary file modification vulnerability in HPE enhanced Internet Usage Manager (eIUM) v9.0FP1 with the cumulative patch for v9.0FP1 - eIUM90FP01XXX.YYYYMMDD-HHMM.

CVE-2018-7059 (v3: 8.8) 6 Aug 2018

Aruba ClearPass prior to 6.6.9 has a vulnerability in the API that helps to coordinate cluster actions. An authenticated user with the "mon" permission could use this vulnerability to obtain cluster credentials which could allow privilege escalation. This vulnerability is only present when authenticated as a user with "mon" permission.

CVE-2018-12492 (v3: 7.5) 15 Jun 2018

PHPOK 4.9.032 has an arbitrary file deletion vulnerability in the delfile_f function in framework/admin/tpl_control.php.

CVE-2018-6490 (v3: 7.5) 2 Mar 2018

Denial of Service vulnerability in Micro Focus Operations Orchestration Software, version 10.x. This vulnerability could be remotely exploited to allow Denial of Service.

2017

CVE-2017-7189 (v3: 7.5) 10 Jul 2019

main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.

CVE-2017-5805 (v3: 9.8) 15 Feb 2018

A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.2 was found.

CVE-2017-5806 (v3: 9.8) 15 Feb 2018

A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.2 was found.

CVE-2017-5808 (v3: 7.5) 15 Feb 2018

A Remote Arbitrary Code Execution vulnerability in HPE Data Protector version prior to 8.17 and 9.09 was found.

CVE-2017-5815 (v3: 9.8) 15 Feb 2018

A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found.

CVE-2017-5816 (v3: 9.8) 15 Feb 2018

A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found.

CVE-2017-5817 (v3: 9.8) 15 Feb 2018

A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found.

CVE-2017-5818 (v3: 7.5) 15 Feb 2018

A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found.

CVE-2017-5819 (v3: 9.8) 15 Feb 2018

A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found.

CVE-2017-12487 (v3: 8.8) 15 Feb 2018

A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version PLAT 7.3 (E0504) was found. The problem was resolved in HPE Intelligent Management Center PLAT v7.3 (E0506) or any subsequent version.

CVE-2017-12488 (v3: 8.8) 15 Feb 2018

CVE-2017-12489 (v3: 8.8) 15 Feb 2018

CVE-2017-12490 (v3: 8.8) 15 Feb 2018

CVE-2017-12491 (v3: 8.8) 15 Feb 2018

CVE-2017-12492 (v3: 8.8) 15 Feb 2018

CVE-2017-12493 (v3: 8.8) 15 Feb 2018

CVE-2017-12494 (v3: 8.8) 15 Feb 2018

CVE-2017-12495 (v3: 8.8) 15 Feb 2018

CVE-2017-12496 (v3: 8.8) 15 Feb 2018

CVE-2017-12497 (v3: 8.8) 15 Feb 2018

CVE-2017-12498 (v3: 8.8) 15 Feb 2018

CVE-2017-12499 (v3: 8.8) 15 Feb 2018

CVE-2017-12500 (v3: 8.8) 15 Feb 2018

CVE-2017-12501 (v3: 8.8) 15 Feb 2018

CVE-2017-12502 (v3: 8.8) 15 Feb 2018

CVE-2017-12503 (v3: 8.8) 15 Feb 2018

CVE-2017-12504 (v3: 8.8) 15 Feb 2018

CVE-2017-12505 (v3: 8.8) 15 Feb 2018

CVE-2017-12506 (v3: 8.8) 15 Feb 2018

CVE-2017-12507 (v3: 8.8) 15 Feb 2018

CVE-2017-12508 (v3: 8.8) 15 Feb 2018

CVE-2017-12509 (v3: 8.8) 15 Feb 2018

CVE-2017-12510 (v3: 8.8) 15 Feb 2018

CVE-2017-12511 (v3: 8.8) 15 Feb 2018

CVE-2017-12512 (v3: 8.8) 15 Feb 2018

CVE-2017-12513 (v3: 8.8) 15 Feb 2018

CVE-2017-12514 (v3: 8.8) 15 Feb 2018

CVE-2017-12515 (v3: 8.8) 15 Feb 2018

CVE-2017-12516 (v3: 8.8) 15 Feb 2018

CVE-2017-12517 (v3: 8.8) 15 Feb 2018

CVE-2017-12518 (v3: 8.8) 15 Feb 2018

CVE-2017-12519 (v3: 8.8) 15 Feb 2018

CVE-2017-12520 (v3: 8.8) 15 Feb 2018

CVE-2017-12521 (v3: 8.8) 15 Feb 2018

CVE-2017-12522 (v3: 8.8) 15 Feb 2018

CVE-2017-12523 (v3: 8.8) 15 Feb 2018

CVE-2017-12524 (v3: 8.8) 15 Feb 2018

CVE-2017-12525 (v3: 8.8) 15 Feb 2018

CVE-2017-12526 (v3: 8.8) 15 Feb 2018

CVE-2017-12527 (v3: 8.8) 15 Feb 2018

2016

CVE-2016-8521 (v3: 6.5) 15 Feb 2018

A Remote click jacking vulnerability in HPE Diagnostics version 9.24 IP1, 9.26 , 9.26IP1 was found.

CVE-2016-8530 (v3: 7.5) 15 Feb 2018

A remote denial of service vulnerability in HPE iMC PLAT version v7.2 E0403P06 and earlier was found. The problem was resolved in iMC PLAT 7.3 E0504 or subsequent version.

CVE-2016-8535 (v3: 3.5) 15 Feb 2018

A remote HTTP parameter Pollution vulnerability in HPE Matrix Operating Environment version 7.6 was found.

CVE-2016-10712 (v3: 7.5) 9 Feb 2018

In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a "$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker.

CVE-2016-10397 (v3: 7.5) 10 Jul 2017

In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).

CVE-2016-9955 (v3: 6.3) 17 Feb 2017

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.

CVE-2016-4793 (v3: 7.5) 23 Jan 2017

The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header.

CVE-2016-9860 (v3: 5.9) 11 Dec 2016

An issue was discovered in phpMyAdmin. An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

CVE-2016-9863 (v3: 7.5) 11 Dec 2016

An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions (prior to 4.6.5) are affected.

CVE-2016-6623 (v3: 6.5) 11 Dec 2016

An issue was discovered in phpMyAdmin. An authorized user can cause a denial-of-service (DoS) attack on a server by passing large values to a loop. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

CVE-2016-6630 (v3: 6.5) 11 Dec 2016

An issue was discovered in phpMyAdmin. An authenticated user can trigger a denial-of-service (DoS) attack by entering a very long password at the change password dialog. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

CVE-2016-9858 (v3: 5.3) 11 Dec 2016

An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

CVE-2016-9859 (v3: 5.3) 11 Dec 2016

An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in import feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

CVE-2016-6372 (v3: 7.5) 28 Oct 2016

A vulnerability in the email message and content filtering for malformed Multipurpose Internet Mail Extensions (MIME) headers of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA) could allow an unauthenticated, remote attacker to bypass the filtering functionality of the targeted device. Emails that should have been quarantined could instead be processed. Affected Products: This vulnerability affects all releases prior to the first fixed release of Cisco AsyncOS Software for Cisco ESA and Cisco WSA on both virtual and hardware appliances that are configured with message or content filters to scan incoming email attachments. More Information: CSCuy54740, CSCuy75174. Known Affected Releases: 9.7.1-066 9.5.0-575 WSA10.0.0-000. Known Fixed Releases: 10.0.0-125 9.1.1-038 9.7.2-047.

CVE-2016-4809 (v3: 7.5) 21 Sep 2016

The archive_read_format_cpio_read_header function in archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a CPIO archive with a large symlink.

CVE-2016-7417 (v3: 9.8) 17 Sep 2016

ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.

CVE-2016-7129 (v3: 9.8) 12 Sep 2016

The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a dateTime element in a wddxPacket XML document.

CVE-2016-2775 (v3: 5.9) 19 Jul 2016

ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.

CVE-2016-4372 (v3: 9.8) 15 Jul 2016

HPE iMC PLAT before 7.2 E0403P04, iMC EAD before 7.2 E0405P05, iMC APM before 7.2 E0401P04, iMC NTA before 7.2 E0401P01, iMC BIMS before 7.2 E0402P02, and iMC UAM_TAM before 7.2 E0405P05 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

CVE-2016-3092 (v3: 7.5) 4 Jul 2016

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

CVE-2016-4368 (v3: 9.8) 8 Jun 2016

HPE Universal CMDB 10.0 through 10.21, Universal CMDB Configuration Manager 10.0 through 10.21, and Universal Discovery 10.0 through 10.21 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

CVE-2016-0363 (v3: 8.1) 3 Jun 2016

The com.ibm.CORBA.iiop.ClientDelegate class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) uses the invoke method of the java.lang.reflect.Method class in an AccessController doPrivileged block, which allows remote attackers to call setSecurityManager and bypass a sandbox protection mechanism via vectors related to a Proxy object instance implementing the java.lang.reflect.InvocationHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-3009.

CVE-2016-4537 (v3: 9.8) 22 May 2016

The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.

CVE-2016-4538 (v3: 9.8) 22 May 2016

The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.

CVE-2016-4071 (v3: 9.8) 20 May 2016

Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call.

CVE-2016-4072 (v3: 9.8) 20 May 2016

The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

CVE-2016-3185 (v3: 7.1) 16 May 2016

The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c.

CVE-2016-1997 (v3: 9.8) 22 Mar 2016

HPE Operations Orchestration 10.x before 10.51 and Operations Orchestration content before 1.7.0 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

CVE-2016-1998 (v3: 9.8) 22 Mar 2016

HPE Service Manager (SM) 9.3x before 9.35 P4 and 9.4x before 9.41.P2 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

CVE-2016-2562 (v3: 6.8) 1 Mar 2016

The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate.

CVE-2016-1987 (v3: 5.9) 18 Feb 2016

HPE IPFilter A.11.31.18.21 on HP-UX, when a certain keep-state configuration is enabled, allows remote attackers to cause a denial of service via unspecified UDP packets.

2015

CVE-2015-8980 (v3: 9.8) 4 Nov 2019

The plural form formula in ngettext family of calls in php-gettext before 1.0.12 allows remote attackers to execute arbitrary code.

CVE-2015-3639 (v3: 8.8) 21 Jul 2017

phpMyBackupPro 2.5 and earlier does not properly sanitize input strings, which allows remote authenticated users to execute arbitrary PHP code by storing a crafted string in a user configuration file.

CVE-2015-8879 (v3: 7.5) 22 May 2016

The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.

CVE-2015-8873 (v3: 7.5) 16 May 2016

Stack consumption vulnerability in Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to cause a denial of service (segmentation fault) via recursive method calls.

CVE-2015-4598 (v3: 6.5) 16 May 2016

PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files.

CVE-2015-4604 (v3: 7.5) 16 May 2016

The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer relationship, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string that is mishandled by a "Python script text executable" rule.

CVE-2015-5589 (v3: 9.8) 16 May 2016

The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close operation, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted TAR archive that is mishandled in a Phar::convertToData call.

CVE-2015-4605 (v3: 7.5) 16 May 2016

The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string that is mishandled by a "Python script text executable" rule.

CVE-2015-6863 (v3: 7.3) 16 Jan 2016

HPE ArcSight Logger before 6.1P1 allows remote attackers to execute arbitrary code via unspecified input to the (1) Intellicus or (2) client-certificate upload component.

CVE-2015-6864 (v3: 6.3) 16 Jan 2016

HPE ArcSight Logger before 6.1P1 allows remote authenticated users to execute arbitrary code via unspecified input to the (1) Intellicus or (2) client-certificate upload component.

CVE-2015-5255 (v2: 4.3) 18 Nov 2015

Adobe BlazeDS, as used in ColdFusion 10 before Update 18 and 11 before Update 7 and LiveCycle Data Services 3.0.x before 3.0.0.354175, 3.1.x before 3.1.0.354180, 4.5.x before 4.5.1.354177, 4.6.2.x before 4.6.2.354178, and 4.7.x before 4.7.0.354178, allows remote attackers to send HTTP traffic to intranet servers via a crafted XML document, related to a Server-Side Request Forgery (SSRF) issue.

CVE-2015-5234 (v2: 6.8) 9 Oct 2015

IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

CVE-2015-2974 (v2: 5) 29 Jul 2015

LEMON-S PHP Gazou BBS plus before 2.36 allows remote attackers to upload arbitrary HTML documents via vectors involving a crafted image file.

2014

CVE-2014-7840 (v2: 7.5) 12 Dec 2014

The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.

CVE-2014-3710 (v2: 5) 5 Nov 2014

The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.

CVE-2014-2645 (v2: 4.3) 5 Oct 2014

HP Systems Insight Manager (SIM) before 7.4 allows remote attackers to conduct clickjacking attacks via unknown vectors.

CVE-2014-2642 (v2: 4.3) 2 Oct 2014

HP System Management Homepage (SMH) before 7.4 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-5120 (v2: 6.4) 23 Aug 2014

gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.

CVE-2014-3480 (v2: 4.3) 9 Jul 2014

The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.

CVE-2014-3487 (v2: 4.3) 9 Jul 2014

The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.

CVE-2014-0255 (v2: 5) 14 May 2014

Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold and R2 allow remote attackers to cause a denial of service (iSCSI service outage) by sending many crafted packets, aka "iSCSI Target Remote Denial of Service Vulnerability."

CVE-2014-0256 (v2: 5) 14 May 2014

Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold allow remote attackers to cause a denial of service (iSCSI service outage) by sending many crafted packets, aka "iSCSI Target Remote Denial of Service Vulnerability."

2013

CVE-2013-6815 (v2: 5) 20 Nov 2013

The SHSTI_UPLOAD_XML function in the Application Server for ABAP (AS ABAP) in SAP NetWeaver 7.31 and earlier allows remote attackers to cause a denial of service via unspecified vectors, related to an XML External Entity (XXE) issue.

CVE-2013-4811 (v2: 10) 16 Sep 2013

UpdateDomainControllerServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 does not properly validate the adCert argument, which allows remote attackers to upload .jsp files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-1743.

CVE-2013-4812 (v2: 10) 16 Sep 2013

UpdateCertificatesServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 does not properly validate the fileName argument, which allows remote attackers to upload .jsp files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-1743.

CVE-2013-4636 (v2: 4.3) 21 Jun 2013

The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via an MP3 file that triggers incorrect MIME type detection during access to an finfo object.

CVE-2013-3573 (v2: 10) 14 Jun 2013

HP Insight Diagnostics 9.4.0.4710 allows remote attackers to conduct unspecified injection attacks via unknown vectors.

CVE-2013-3574 (v2: 7.8) 14 Jun 2013

Absolute path traversal vulnerability in hpdiags/frontend2/commands/saveCompareConfig.php in HP Insight Diagnostics 9.4.0.4710 allows remote attackers to write data to arbitrary files via a full pathname in the argument to the devicePath (aka mount) parameter.

CVE-2013-3575 (v2: 5) 14 Jun 2013

hpdiags/frontend2/help/pageview.php in HP Insight Diagnostics 9.4.0.4710 does not properly restrict PHP include or require statements, which allows remote attackers to include arbitrary hpdiags/frontend2/help/ .html files via the path parameter.

CVE-2013-3735 (v2: 5) 31 May 2013

** DISPUTED ** The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted function definition, as demonstrated by an attack within a shared web-hosting environment. NOTE: the vendor's http://php.net/security-note.php page says "for critical security situations you should be using OS-level security by running multiple web servers each as their own user id."

2012

CVE-2012-6501 (v2: 4.3) 12 Jan 2013

The KillProcess method in the HP PKI ActiveX control (HPPKI.ocx) before 1.2.0.1 allows remote attackers to cause a denial of service (kill process) via the partial or full name of a process.

CVE-2012-4388 (v2: 4.3) 7 Sep 2012

The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1398.

CVE-2012-1172 (v2: 5.8) 24 May 2012

The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions.

CVE-2012-2611 (v2: 9.3) 15 May 2012

The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2, when a certain Developer Trace configuration is enabled, allows remote attackers to execute arbitrary code via a crafted SAP Diag packet.

CVE-2012-1823 (v2: 7.5) 11 May 2012

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

CVE-2012-2336 (v2: 5) 11 May 2012

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

CVE-2012-2002 (v2: 8.3) 2 May 2012

Open redirect vulnerability in HP SNMP Agents for Linux before 9.0.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2012-0128 (v2: 5.8) 5 Apr 2012

HP Onboard Administrator (OA) before 3.50 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2012-0788 (v2: 5) 14 Feb 2012

The PDORow implementation in PHP before 5.3.9 does not properly interact with the session feature, which allows remote attackers to cause a denial of service (application crash) via a crafted application that uses a PDO driver for a fetch and then calls the session_start function, as demonstrated by a crash of the Apache HTTP Server.

CVE-2012-0831 (v2: 6.8) 10 Feb 2012

PHP before 5.3.10 does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.

Key Capabilities

Automated survey templates

PIA/DPIA & TIA assessment

Data mapping

Automated risk assessment

Vendor risk management

Consent management

Privacy-by-design

Predefined document templates

Breach notification

Automated control selection

Continuous control testing

Security training

Cookie scanning

Multilingual

Key Capabilities

AI data discovery

Data Analysis

Data Visualisation

Data Linking

Key Capabilities

Automated pre-filled surveys

PIA/DPIA/TIA assessment

Automated vendor risk assessment

Automatic Schrems II contracts

Predefined document templates

Data mapping

Contract management

Legal basis for sharing data

Key Capabilities

Privacy regulation research

Regulation comparison tool

Latest privacy news tracking

Latest Threat Intelligence

Breach modelling and ROI calculator

Key Capabilities

Off the shelf web interface

Supports any privacy legislation

Pre-defined GDPR & CCPA templates

DSAR workflow management

Consumer messaging interface

Automated consumer data collection

Key Capabilities

Automatic control selection

Encode your legal position

Key Capabilities

Test each and every control

Key Capabilities

Cookie scanning

Website consent

Privacy notices

Key Capabilities

Simple GDPR surveys

Off the shelf web interface

Pre-defined GDPR templates

DSAR workflow management

Data subject messaging interface

Automated data subject info retrieval

Key Capabilities

Simple CCPA surveys

Off the shelf web interface

Pre-defined CCPA templates

Consumer request workflow management

Consumer messaging interface

Automated consumer data retrieval

Key Capabilities

Automatic Schrems II contracts

Key Capabilities

Privacy regulation research

Regulation comparison tool

Latest privacy news tracking

Latest Threat Intelligence

Breach modelling and ROI calculator

Key Capabilities

Defusing the GDPR time bomb

GDPR - And they’re off...

Proteus-Cyber Ltd- Threat Intelligence Tools for Data Privacy Protection

Proteus-Cyber Ltd- Privacy Impact Assessment GDPR

Proteus-Cyber Ltd- Threat Intelligence Tools - Update

Canada’s Proposed New Consumer Privacy Protection Act: The Good, the Bad, the Missed Opportunities

Proposition 24 – November 3rd, 2020 1879. (19-0021A1) AMENDS CONSUMER PRIVACY LAWS. INITIATIVE STATUTE.