CVSS: 6.1EPSS: 0%CPEs: 56EXPL: 3CVE-2019-8331 – bootstrap: XSS in the tooltip or popover data-template attribute
https://notcve.org/view.php?id=CVE-2019-8331
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. En Bootstrap, en versiones anteriores a la 3.4.1 y versiones 4.3.x anteriores a la 4.3.1, es posible Cross-Site Scripting (XSS) en los atributos de data-template tooltip o popover. A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired. • https://github.com/Thampakon/CVE-2019-8331 https://github.com/ossf-cve-benchmark/CVE-2019-8331 https://github.com/Snorlyd/https-nj.gov---CVE-2019-8331 http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html http://seclists.org/fulldisclosure/2019/May/10 http://seclists.org/fulldisclosure/2019/May/11 http://seclists.org/fulldisclosure/2019/May/13 http://www.securityfocus.com/bid/107375 https://access.redhat.com/errata/RHSA-2019:1456 https://access.re • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 4%CPEs: 60EXPL: 3CVE-2019-6974 – Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference
https://notcve.org/view.php?id=CVE-2019-6974
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free. En el kernel de Linux en versiones anteriores a la 4.20.8, kvm_ioctl_create_device en virt/kvm/kvm_main.c gestiona de manera incorrecta el conteo de referencias debido a una condición de carrera, lo que conduce a un uso de memoria previamente liberada. A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object, later this reference is transferred to the caller's file descriptor table. If such file descriptor was to be closed, reference count to the VM object could become zero, potentially leading to a use-after-free issue. • https://www.exploit-db.com/exploits/46388 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cfa39381173d5f969daf43582c95ad679189cbc9 http://www.securityfocus.com/bid/107127 https://access.redhat.com/errata/RHBA-2019:0959 https://access.redhat.com/errata/RHSA-2019:0818 https://access.redhat.com/errata/RHSA-2019:0833 https://access.redhat.com/errata/RHSA-2019:2809 https://access.redhat.com/errata/RHSA-2019:3967 https://access.redhat.com/errata/RHSA-2020:0103&# • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVSS: 6.1EPSS: 0%CPEs: 52EXPL: 0CVE-2019-6589
https://notcve.org/view.php?id=CVE-2019-6589
On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, and 11.6.0-11.6.3.2, a reflected Cross Site Scripting (XSS) vulnerability is present in an undisclosed page of the BIG-IP TMUI (Traffic Management User Interface) also known as the BIG-IP configuration utility. En BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7 y 11.6.0-11.6.3.2, hay una vulnerabilidad Cross-Site Scripting (XSS) reflejado en una página sin revelar de BIG-IP TMUI (Traffic Management User Interface), también conocido como la utilidad de configuración de BIG-IP. • https://support.f5.com/csp/article/K23566124 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 52EXPL: 0CVE-2018-15333
https://notcve.org/view.php?id=CVE-2018-15333
On versions 11.2.1. and greater, unrestricted Snapshot File Access allows BIG-IP system's user with any role, including Guest Role, to have access and download previously generated and available snapshot files on the BIG-IP configuration utility such as QKView and TCPDumps. En versiones 11.2.1. y posteriores, el acceso a los archivos de instantánea sin restricciones permite que un usuario del sistema BIG-IP con cualquier rol, incluyendo Guest, tenga acceso y descargue archivos de captura previamente generados y disponibles en la utilidad de configuración de BIG-IP, como QKView y TCPDumps. • http://www.securityfocus.com/bid/106380 https://support.f5.com/csp/article/K53620021 https://support.f5.com/csp/article/K53620021?utm_source=f5support&%3Butm_medium=RSS • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 0%CPEs: 40EXPL: 0CVE-2018-15329
https://notcve.org/view.php?id=CVE-2018-15329
On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. En BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, o 12.1.0-12.1.3.7; o Enterprise Manager 3.1.1, cuando los usuarios administrativos autenticados ejecutan comandos en el TMUI (Traffic Management User Interface), también llamado utilidad BIG-IP Configuration, podrían no aplicarse las restricciones sobre los comandos permitidos. • https://support.f5.com/csp/article/K61620494 • CWE-862: Missing Authorization •