Services Security Vulnerabilities


CVE-2020-2677

Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Login). Supported versions that are affected are 5.5 and 5.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA...

CVSS: 5.7, AI Score: 6.4, EPSS: 0.001

2020-01-15 05:15 PM

CVE-2020-2730

Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: File Upload). Supported versions that are affected are 2.7.0.0, 2.7.0.1 and 2.8.0.0. Easily exploitable vulnerability allows low privileged attacker with...

CVSS: 5.4, AI Score: 5.9, EPSS: 0.001

2020-01-15 05:15 PM

CVE-2020-2688

Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Object Migration). Supported versions that are affected are 8.0.4-8.0.8. Easily exploitable vulnerability allows low privileged attacker with network.....

CVSS: 7.1, AI Score: 7, EPSS: 0.001

2020-01-15 05:15 PM

CVE-2020-2676

Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Printing). The supported version that is affected is 5.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5....

CVSS: 6.1, AI Score: 6.4, EPSS: 0.001

2020-01-15 05:15 PM

CVE-2020-2675

Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Login). The supported version that is affected is 5.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5....

CVSS: 7.1, AI Score: 7.1, EPSS: 0.001

2020-01-15 05:15 PM

CVE-2019-1332

A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka 'Microsoft SQL Server Reporting Services XSS...

CVSS: 6.1, AI Score: 6.4, EPSS: 0.002

2019-12-10 10:15 PM

CVE-2016-5285

A Null pointer dereference vulnerability exists in Mozilla Network Security Services due to a missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime, which could let a remote malicious user cause a Denial of...

CVSS: 7.5, AI Score: 7.6, EPSS: 0.025

2019-11-15 04:15 PM

CVE-2019-1446

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka 'Microsoft Excel Information Disclosure...

CVSS: 5.5, AI Score: 5, EPSS: 0.003

2019-11-12 07:15 PM

CVE-2019-15282

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an unauthenticated, remote attacker to read tcpdump files generated on an affected device. The vulnerability is due to an issue in the authentication logic of the web-based management...

CVSS: 5.3, AI Score: 6.9, EPSS: 0.001

2019-10-16 07:15 PM

CVE-2019-12638

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web-based management interface. The vulnerability is due to insufficient validation of...

CVSS: 5.4, AI Score: 6, EPSS: 0.001

2019-10-16 07:15 PM

CVE-2019-12637

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web-based management interface. The vulnerabilities are due to insufficient...

CVSS: 5.4, AI Score: 6, EPSS: 0.001

2019-10-16 07:15 PM

CVE-2019-15281

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The attacker must...

CVSS: 4.8, AI Score: 5.8, EPSS: 0.001

2019-10-16 07:15 PM

CVE-2019-2907

Vulnerability in the Oracle Web Services product of Oracle Fusion Middleware (component: SOAP with Attachments API for Java). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web....

CVSS: 7.2, AI Score: 6.9, EPSS: 0.001

2019-10-16 06:15 PM

CVE-2019-1331

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from...

CVSS: 8.8, AI Score: 8.8, EPSS: 0.047

2019-10-10 02:15 PM

CVE-2019-12631

A vulnerability in the web-based guest portal of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of...

CVSS: 6.1, AI Score: 6, EPSS: 0.002

2019-10-02 07:15 PM

CVE-2019-0364

Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to enumerate open...

CVSS: 4.3, AI Score: 7, EPSS: 0.001

2019-09-10 05:15 PM

CVE-2019-0363

Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model), before version 1.0.118, to overload the server or retrieve information about internal network...

CVSS: 7.1, AI Score: 6.8, EPSS: 0.001

2019-09-10 05:15 PM

CVE-2019-12644

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists....

CVSS: 6.1, AI Score: 6, EPSS: 0.002

2019-09-05 02:15 AM

CVE-2019-0351

A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. Because of this, an attacker can exploit Services Registry potentially enabling them to take complete control of the product, including viewing, changing,....

CVSS: 8.8, AI Score: 8, EPSS: 0.009

2019-08-14 02:15 PM

CVE-2019-2823

Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure component of Oracle Financial Services Applications (subcomponent: Infrastructure). Supported versions that are affected are 8.0.5-8.0.8. Easily exploitable vulnerability allows low privileged attacker with...

CVSS: 5.4, AI Score: 5.7, EPSS: 0.001

2019-07-23 11:15 PM

CVE-2019-1942

A vulnerability in the sponsor portal web interface for Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input....

CVSS: 6.5, AI Score: 7.5, EPSS: 0.001

2019-07-17 09:15 PM

CVE-2019-1941

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because.....

CVSS: 6.1, AI Score: 6.1, EPSS: 0.002

2019-07-17 09:15 PM

CVE-2019-1876

A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could...

CVSS: 5.3, AI Score: 7, EPSS: 0.001

2019-06-20 03:15 AM

CVE-2019-0306

SAP HANA Extended Application Services (advanced model), version 1, allows authenticated low privileged XS Advanced Platform users such as SpaceAuditors to execute requests to obtain a complete list of SAP HANA user IDs and...

CVSS: 4.3, AI Score: 7, EPSS: 0.001

2019-06-12 03:29 PM

CVE-2019-1851

A vulnerability in the External RESTful Services (ERS) API of the Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to generate arbitrary certificates signed by the Internal Certificate Authority (CA) Services on ISE. This vulnerability is due to an incorrect...

CVSS: 6.8, AI Score: 6.9, EPSS: 0.001

2019-05-16 02:29 AM

CVE-2019-0280

SAP Treasury and Risk Management (EA-FINSERV 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18 and 8.0; S4CORE 1.01, 1.02 and 1.03), does not perform necessary authorization checks for authorization objects T_DEAL_DP and T_DEAL_PD , resulting in escalation of...

CVSS: 8.8, AI Score: 7.5, EPSS: 0.001

2019-05-14 09:29 PM

CVE-2019-11204

The web interface component of TIBCO Software Inc.'s TIBCO Spotfire Statistics Services contains a vulnerability that might theoretically allow an authenticated user to access sensitive information needed by the Spotfire Statistics Services server. The sensitive information that might be affected.....

CVSS: 8.8, AI Score: 6.9, EPSS: 0.002

2019-05-14 08:29 PM

CVE-2019-1867

A vulnerability in the REST API of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to bypass authentication on the REST API. The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted...

CVSS: 10, AI Score: 9.7, EPSS: 0.021

2019-05-10 12:29 PM

CVE-2018-12404

A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS...

CVSS: 5.9, AI Score: 5.8, EPSS: 0.102

2019-05-02 05:29 PM

CVE-2018-12384

When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS...

CVSS: 5.9, AI Score: 5.8, EPSS: 0.043

2019-04-29 03:29 PM

CVE-2019-1719

A vulnerability in the web-based guest portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of...

CVSS: 5.4, AI Score: 5.8, EPSS: 0.001

2019-04-18 01:29 AM

CVE-2019-1718

A vulnerability in the web interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to trigger high CPU usage, resulting in a denial of service (DoS) condition. The vulnerability is due to improper handling of Secure Sockets Layer (SSL) renegotiation...

CVSS: 7.5, AI Score: 7, EPSS: 0.002

2019-04-17 10:29 PM

CVE-2019-1003073

Jenkins VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file...

CVSS: 8.8, AI Score: 8.6, EPSS: 0.003

2019-04-04 04:29 PM

CVE-2018-12199

Buffer overflow in an OS component in Intel CSME before versions 11.8.60, 11.11.60, 11.22.60 or 12.0.20 and Intel TXE version before 3.1.60 or 4.0.10 may allow a privileged user to potentially execute arbitrary code via physical...

CVSS: 6.2, AI Score: 7.5, EPSS: 0.0004

2019-03-14 08:29 PM

CVE-2018-12190

Insufficient input validation in Intel(r) CSME subsystem before versions 11.8.60, 11.11.60, 11.22.60 or 12.0.20 or Intel(r) TXE before 3.1.60 or 4.0.10 may allow a privileged user to potentially enable an escalation of privilege via local...

CVSS: 6.7, AI Score: 7.4, EPSS: 0.0004

2019-03-14 08:29 PM

CVE-2018-12192

Logic bug in Kernel subsystem in Intel CSME before version 11.8.60, 11.11.60, 11.22.60 or 12.0.20, or Intel(R) Server Platform Services before version SPS_E5_04.00.04.393.0 may allow an unauthenticated user to potentially bypass MEBx authentication via physical...

CVSS: 6.8, AI Score: 7.3, EPSS: 0.001

2019-03-14 08:29 PM

CVE-2018-12188

Insufficient input validation in Intel CSME before versions 11.8.60, 11.11.60, 11.22.60 or 12.0.20 or Intel TXE before version 3.1.60 or 4.0.10 may allow an unauthenticated user to potentially modify data via physical...

CVSS: 4.6, AI Score: 7.2, EPSS: 0.001

2019-03-14 08:29 PM

CVE-2018-12196

Insufficient input validation in Intel(R) AMT in Intel(R) CSME before version 11.8.60, 11.11.60, 11.22.60 or 12.0.20 may allow a privileged user to potentially execute arbitrary code via local...

CVSS: 6.7, AI Score: 7.4, EPSS: 0.0004

2019-03-14 08:29 PM

CVE-2018-12198

Insufficient input validation in Intel(R) Server Platform Services HECI subsystem before version SPS_E5_04.00.04.393.0 may allow privileged user to potentially cause a denial of service via local...

CVSS: 6, AI Score: 6.9, EPSS: 0.001

2019-03-14 08:29 PM

CVE-2018-12191

Bounds check in Kernel subsystem in Intel CSME before version 11.8.60, 11.11.60, 11.22.60 or 12.0.20, or Intel(R) Server Platform Services before versions 4.00.04.383 or SPS 4.01.02.174, or Intel(R) TXE before versions 3.1.60 or 4.0.10 may allow an unauthenticated user to potentially execute...

CVSS: 7.6, AI Score: 7.5, EPSS: 0.004

2019-03-14 08:29 PM

CVE-2018-12185

Insufficient input validation in Intel(R) AMT in Intel(R) CSME before version 11.8.60, 11.11.60, 11.22.60 or 12.0.20 may allow an unauthenticated user to potentially execute arbitrary code via physical...

CVSS: 6.8, AI Score: 7.5, EPSS: 0.001

2019-03-14 08:29 PM

CVE-2018-12187

Insufficient input validation in Intel(R) Active Management Technology (Intel(R) AMT) before version 11.8.60, 11.11.60, 11.22.60 or 12.0.20 may allow an unauthenticated user to potentially cause a denial of service via network...

CVSS: 7.5, AI Score: 7.2, EPSS: 0.001

2019-03-14 08:29 PM

CVE-2018-12189

Unhandled exception in Content Protection subsystem in Intel CSME before versions 11.8.60, 11.11.60, 11.22.60 or 12.0.20 or Intel TXE before 3.1.60 or 4.0.10 may allow privileged user to potentially modify data via local...

CVSS: 4.4, AI Score: 7.1, EPSS: 0.0004

2019-03-14 08:29 PM

CVE-2018-12200

Insufficient access control in Intel(R) Capability Licensing Service before version 1.50.638.1 may allow an unprivileged user to potentially escalate privileges via local...

CVSS: 6.7, AI Score: 7.3, EPSS: 0.0004

2019-03-14 08:29 PM

CVE-2018-12208

Buffer overflow in HECI subsystem in Intel(R) CSME before versions 11.8.60, 11.11.60, 11.22.60 or 12.0.20 and Intel(R) TXE version before 3.1.60 or 4.0.10, or Intel(R) Server Platform Services before version 5.00.04.012 may allow an unauthenticated user to potentially execute arbitrary code via...

CVSS: 7.6, AI Score: 7.7, EPSS: 0.004

2019-03-14 08:29 PM

CVE-2019-1723

A vulnerability in the Cisco Common Services Platform Collector (CSPC) could allow an unauthenticated, remote attacker to access an affected device by using an account that has a default, static password. This account does not have administrator privileges. The vulnerability exists because the...

CVSS: 9.8, AI Score: 6.8, EPSS: 0.005

2019-03-13 09:29 PM

CVE-2019-0277

SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity...

CVSS: 6.5, AI Score: 6.9, EPSS: 0.003

2019-03-12 10:29 PM

CVE-2019-0276

Banking services from SAP 9.0 (FSAPPL version 5) and SAP S/4HANA Financial Products Subledger (S4FPSL, version 1) performs an inadequate authorization check for an authenticated user, potentially resulting in escalation of...

CVSS: 8.8, AI Score: 7.3, EPSS: 0.003

2019-03-12 10:29 PM

CVE-2019-0266

Under certain conditions SAP HANA Extended Application Services, version 1.0, advanced model (XS advanced) writes credentials of platform users to a trace file of the SAP HANA system. Even though this trace file is protected from unauthorized access, the risk of leaking information is...

CVSS: 7.5, AI Score: 6.7, EPSS: 0.003

2019-02-15 06:29 PM

CVE-2019-0261

Under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced) does not perform authentication checks properly for XS advanced platform and business users. Fixed in 1.0.97 to 1.0.99 (running on SAP HANA 1 or SAP HANA 2 SPS0 (second S stands for...

CVSS: 9.8, AI Score: 7.2, EPSS: 0.013

2019-02-15 06:29 PM

Total number of security vulnerabilities: 473