An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files. Date published :...
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and...
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker...
data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page. Date published : 2019-02-19 http://www.securityfocus.com/bid/107171 https://github.com/Tautulli/Tautulli-Issues/issues/161
Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter. Date published : 2019-02-19 https://www.netsparker.com/web-applications-advisories/ns-18-052-reflected-cross-site-scripting-in-collabtive/
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. Date published : 2019-02-19 https://github.com/sqlalchemy/sqlalchemy/issues/4481 https://www.oracle.com/security-alerts/cpujan2021.html
Missing URI encoding of untrusted input in DevTools in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform a Dangling Markup Injection attack via a crafted HTML page. Date published : 2019-02-19...
Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Date published : 2019-02-19 http://www.securityfocus.com/bid/106767 https://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html
Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. Date published...
Insufficient restrictions on what can be done with Apple Events in Google Chrome on macOS prior to 72.0.3626.81 allowed a local attacker to execute JavaScript via Apple Events. Date published : 2019-02-19 http://www.securityfocus.com/bid/106767 https://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html
Insufficient policy validation in ServiceWorker in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Date published : 2019-02-19 http://www.securityfocus.com/bid/106767 https://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html
A missing case for handling special schemes in permission request checks in Extensions in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious extension to bypass extension...
Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. Date published...
Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. Date published...