List of latest published vulnerabilities.

Exploit-DB

• [local] Ross Video DashBoard 8.5.1 - Insecure Permissions April 23, 2019
  Ross Video DashBoard 8.5.1 - Insecure Permissions
• [dos] systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit April 23, 2019
  systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit
• [dos] Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition April 23, 2019
  Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition
• [dos] Linux - 'page->_refcount' Overflow via FUSE April 23, 2019
  Linux - 'page->_refcount' Overflow via FUSE
• [webapps] WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion April 22, 2019
  WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion
• [shellcode] Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes) April 22, 2019
  Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes)
• [dos] Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC) April 22, 2019
  Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC)
• [local] LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret) April 22, 2019
  LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)
• [webapps] 74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User) April 22, 2019
  74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)
• [webapps] Msvod 10 - Cross-Site Request Forgery (Change User Information) April 22, 2019
  Msvod 10 - Cross-Site Request Forgery (Change User Information)

National Vulnerability Database

• CVE-2019-9734 April 24, 2019
  aquaverde Aquarius CMS through 4.3.5 writes POST and GET parameters (including passwords) to a log file because of incorrect if/else usage in the Log-File writer component.
• CVE-2019-7213 April 24, 2019
  SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. An authenticated user could delete arbitrary files or could create files in new folders in arbitrary locations on the mail server. This could lead to command execution on the server for instance by putting files inside the web directories.
• CVE-2019-9928 April 24, 2019
  GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.
• CVE-2019-7214 April 24, 2019
  SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch.
• CVE-2019-7211 April 24, 2019
  SmarterTools SmarterMail 16.x before build 6995 has stored XSS. JavaScript code could be executed on the application by opening a malicious email or when viewing a malicious file attachment.
• CVE-2019-7212 April 24, 2019
  SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access other users? emails and file attachments. It was also possible to interact with mailing lists.
• CVE-2019-11081 April 24, 2019
  A default username and password in Dentsply Sirona Sidexis 4.2 and possibly others allows an attacker to gain administrative access to the application server.
• CVE-2019-11032 April 24, 2019
  In EasyToRecruit (E2R) before 2.11, the upload feature and the Candidate Profile Management feature are prone to Cross Site Scripting (XSS) injection in multiple locations.
• CVE-2019-10239 April 24, 2019
  Robotronic RunAsSpc 3.7.0.0 protects stored credentials insufficiently, which allows locally authenticated attackers (under the same user context) to obtain cleartext credentials of the stored account.
• CVE-2018-13443 April 24, 2019
  EOS.IO jit-wasm 4.1 has a heap-based buffer overflow via a crafted wast file.