Weekly Vulnerabilities Reports > July 1 to 7, 2019
Overview
355 new vulnerabilities were reported during this period, including 39 critical vulnerabilities and 101 high severity vulnerabilities. This weekly summary reports vulnerabilities in 363 products from 116 vendors including F5, IBM, Opensuse, Imagemagick, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-Site Request Forgery (CSRF)", "Out-of-bounds Write", and "Out-of-bounds Read".
- 301 reported vulnerabilities are remotely exploitable.
- 8 reported vulnerabilities have a public exploit available.
- 110 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 271 reported vulnerabilities are exploitable by an anonymous user.
- F5 has the most reported vulnerabilities, with 26 reported vulnerabilities.
- Dlink has the most reported critical vulnerabilities, with 9 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
39 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-07-05 | CVE-2019-13352 | Wolfvision | Use of Hard-coded Credentials vulnerability in Wolfvision Cynap WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic secret for generating support PINs for the 'forgot password' feature. | 10.0 |
2019-07-05 | CVE-2019-12971 | G U | Unrestricted Upload of File with Dangerous Type vulnerability in G-U BKS EBK Ethernet-Buskoppler PRO Firmware BKS EBK Ethernet-Buskoppler Pro before 3.01 allows Unrestricted Upload of a File with a Dangerous Type. | 10.0 |
2019-07-05 | CVE-2018-14528 | Invoxia | Use of Hard-coded Credentials vulnerability in Invoxia Nvx220 Firmware Invoxia NVX220 devices allow TELNET access as admin with a default password. | 10.0 |
2019-07-04 | CVE-2019-13294 | Arox | Improper Authentication vulnerability in Arox School-Erp AROX School-ERP Pro has a command execution vulnerability. | 10.0 |
2019-07-03 | CVE-2017-6900 | Riello UPS | Credentials Management vulnerability in Riello-Ups Netman 204 Firmware 142/152 An issue was discovered in Riello NetMan 204 14-2 and 15-2. | 10.0 |
2019-07-02 | CVE-2017-8415 | Dlink | Use of Hard-coded Credentials vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. | 10.0 |
2019-07-02 | CVE-2017-8410 | Dlink | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. | 10.0 |
2019-07-02 | CVE-2019-7257 | Nortekcontrol | Unrestricted Upload of File with Dangerous Type vulnerability in Nortekcontrol products Linear eMerge E3-Series devices allow Unrestricted File Upload. | 10.0 |
2019-07-02 | CVE-2017-8404 | Dlink | Command Injection vulnerability in Dlink Dcs-1130 Firmware An issue was discovered on D-Link DCS-1130 devices. | 10.0 |
2019-07-02 | CVE-2019-7268 | Nortekcontrol | Unrestricted Upload of File with Dangerous Type vulnerability in Nortekcontrol products Linear eMerge 50P/5000P devices allow Unauthenticated File Upload. | 10.0 |
2019-07-02 | CVE-2019-7263 | Nortekcontrol | Source Code vulnerability in Nortekcontrol products Linear eMerge E3-Series devices have a Version Control Failure. | 10.0 |
2019-07-01 | CVE-2019-7276 | Optergy | Unspecified vulnerability in Optergy Enterprise and Proton Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console. | 10.0 |
2019-07-06 | CVE-2019-13375 | Dlink | SQL Injection vulnerability in Dlink Central Wifimanager 1.03 A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 in PayAction.class.php with the index.php/Pay/passcodeAuth parameter passcode. | 9.8 |
2019-07-06 | CVE-2019-13373 | Dlink | SQL Injection vulnerability in Dlink Central Wifimanager 1.03 An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. | 9.8 |
2019-07-06 | CVE-2019-13372 | Dlink | Code Injection vulnerability in Dlink Central Wifimanager /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication. | 9.8 |
2019-07-03 | CVE-2019-13207 | Nlnetlabs | Out-of-bounds Write vulnerability in Nlnetlabs Name Server Daemon 4.2.0 nsd-checkzone in NLnet Labs NSD 4.2.0 has a Stack-based Buffer Overflow in the dname_concatenate() function in dname.c. | 9.8 |
2019-07-03 | CVE-2019-7165 | Dosbox Debian Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A buffer overflow in DOSBox 0.74-2 allows attackers to execute arbitrary code. | 9.8 |
2019-07-02 | CVE-2019-10137 | Redhat | Path Traversal vulnerability in Redhat Satellite and Spacewalk A path traversal flaw was found in spacewalk-proxy, all versions through 2.9, in the way the proxy processes cached client tokens. | 9.8 |
2019-07-02 | CVE-2019-7256 | Nortekcontrol | OS Command Injection vulnerability in Nortekcontrol products Linear eMerge E3-Series devices allow Command Injections. | 9.8 |
2019-07-02 | CVE-2019-7261 | Nortekcontrol | Use of Hard-coded Credentials vulnerability in Nortekcontrol products Linear eMerge E3-Series devices have Hard-coded Credentials. | 9.8 |
2019-07-02 | CVE-2019-7269 | Nortekcontrol | OS Command Injection vulnerability in Nortekcontrol products Linear eMerge 50P/5000P devices allow Authenticated Command Injection with root Code Execution. | 9.8 |
2019-07-02 | CVE-2019-7267 | Nortekcontrol | Path Traversal vulnerability in Nortekcontrol products Linear eMerge 50P/5000P devices allow Cookie Path Traversal. | 9.8 |
2019-07-02 | CVE-2019-7266 | Nortekcontrol | Reliance on Cookies without Validation and Integrity Checking vulnerability in Nortekcontrol products Linear eMerge 50P/5000P devices allow Authentication Bypass. | 9.8 |
2019-07-02 | CVE-2019-7265 | Nortekcontrol | Use of Hard-coded Credentials vulnerability in Nortekcontrol products Linear eMerge E3-Series devices allow Remote Code Execution (root access over SSH). | 9.8 |
2019-07-02 | CVE-2019-12594 | Dosbox Debian | DOSBox 0.74-2 has Incorrect Access Control. | 9.8 |
2019-07-02 | CVE-2017-8408 | Dlink | Command Injection vulnerability in Dlink Dcs-1130 Firmware An issue was discovered on D-Link DCS-1130 devices. | 9.8 |
2019-07-02 | CVE-2019-4087 | IBM | Out-of-bounds Write vulnerability in IBM Spectrum Protect Operations Center IBM Spectrum Protect Servers 7.1 and 8.1 and Storage Agents are vulnerable to a stack-based buffer overflow, caused by improper bounds checking by servers and storage agents in response to specifically crafted communication exchanges. | 9.8 |
2019-07-01 | CVE-2019-7274 | Optergy | Unrestricted Upload of File with Dangerous Type vulnerability in Optergy Enterprise and Proton Optergy Proton/Enterprise devices allow Authenticated File Upload with Code Execution as root. | 9.8 |
2019-07-01 | CVE-2019-7667 | Primasystems | Use of Insufficiently Random Values vulnerability in Primasystems Flexair 2.3.38 Prima Systems FlexAir, Versions 2.3.38 and prior. | 9.8 |
2019-07-01 | CVE-2019-4336 | IBM | Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Robotic Process Automation With Automation Anywhere IBM Robotic Process Automation with Automation Anywhere 11 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | 9.8 |
2019-07-04 | CVE-2019-1855 | Cisco | Uncontrolled Search Path Element vulnerability in Cisco Jabber A vulnerability in the loading mechanism of specific dynamic link libraries in Cisco Jabber for Windows could allow an authenticated, local attacker to perform a DLL preloading attack. | 9.3 |
2019-07-02 | CVE-2017-8411 | Dlink | Command Injection vulnerability in Dlink Dcs-1130 Firmware An issue was discovered on D-Link DCS-1130 devices. | 9.3 |
2019-07-07 | CVE-2019-13379 | Avtech | Exposure of Resource to Wrong Sphere vulnerability in Avtech Room Alert 3E Firmware On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device's web interface may escalate privileges from an unauthenticated user to administrator by performing a cmd.cgi?action=ResetDefaults&src=RA reset and using the default credentials to get in. | 9.0 |
2019-07-06 | CVE-2019-1894 | Cisco | Improper Input Validation vulnerability in Cisco Enterprise NFV Infrastructure Software 3.9.1 A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker with administrator privileges to overwrite or read arbitrary files on the underlying operating system (OS) of an affected device. | 9.0 |
2019-07-04 | CVE-2019-1889 | Cisco | Improper Input Validation vulnerability in Cisco Application Policy Infrastructure Controller 4.1(1J) A vulnerability in the REST API for software device management in Cisco Application Policy Infrastructure Controller (APIC) Software could allow an authenticated, remote attacker to escalate privileges to root on an affected device. | 9.0 |
2019-07-03 | CVE-2018-14860 | Odoo | OS Command Injection vulnerability in Odoo 10.0/11.0/8.0 Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system. | 9.0 |
2019-07-03 | CVE-2019-5602 | Freebsd | Incorrect Authorization vulnerability in Freebsd 11.2/11.3/12.0 In FreeBSD 12.0-STABLE before r349628, 12.0-RELEASE before 12.0-RELEASE-p7, 11.3-PRERELEASE before r349629, 11.3-RC3 before 11.3-RC3-p1, and 11.2-RELEASE before 11.2-RELEASE-p11, a bug in the cdrom driver allows users with read access to the cdrom device to arbitrarily overwrite kernel memory when media is present thereby allowing a malicious user in the operator group to gain root privileges. | 9.0 |
2019-07-01 | CVE-2019-13024 | Centreon | Command Injection vulnerability in Centreon 19.04.0 Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert an arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value from the database to shell_exec without sanitizing it, allowing one to execute arbitrary system commands). | 9.0 |
2019-07-01 | CVE-2019-13128 | Dlink | OS Command Injection vulnerability in Dlink Dir-823G Firmware 1.02B03 An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. | 9.0 |
101 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-07-06 | CVE-2019-13370 | Ignitedcms | Cross-Site Request Forgery (CSRF) vulnerability in Ignitedcms 1.0.0/1.0.1 index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator. | 8.8 |
2019-07-05 | CVE-2019-5984 | Waspthemes | Cross-Site Request Forgery (CSRF) vulnerability in Waspthemes Custom CSS PRO Cross-site request forgery (CSRF) vulnerability in Custom CSS Pro 1.0.3 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 8.8 |
2019-07-05 | CVE-2019-5983 | FLA Shop | Cross-Site Request Forgery (CSRF) vulnerability in Fla-Shop Html5 Maps Cross-site request forgery (CSRF) vulnerability in HTML5 Maps 1.6.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 8.8 |
2019-07-05 | CVE-2019-5980 | Meomundo | Cross-Site Request Forgery (CSRF) vulnerability in Meomundo Related Youtube Videos Cross-site request forgery (CSRF) vulnerability in Related YouTube Videos versions prior to 1.9.9 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 8.8 |
2019-07-05 | CVE-2019-5979 | Najeebmedia | Cross-Site Request Forgery (CSRF) vulnerability in Najeebmedia Personalized Woocommerce Cart Page Cross-site request forgery (CSRF) vulnerability in Personalized WooCommerce Cart Page 2.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 8.8 |
2019-07-05 | CVE-2019-5973 | Sukimalab | Cross-Site Request Forgery (CSRF) vulnerability in Sukimalab Online Lesson Booking Cross-site request forgery (CSRF) vulnerability in Online Lesson Booking 0.8.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 8.8 |
2019-07-05 | CVE-2019-13308 | Imagemagick Canonical Debian Opensuse | Out-of-bounds Write vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow in MagickCore/fourier.c in ComplexImage. | 8.8 |
2019-07-05 | CVE-2019-13303 | Imagemagick Opensuse | Out-of-bounds Read vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read in MagickCore/composite.c in CompositeImage. | 8.8 |
2019-07-05 | CVE-2019-13302 | Imagemagick Opensuse | Out-of-bounds Read vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read in MagickCore/fourier.c in ComplexImages. | 8.8 |
2019-07-05 | CVE-2019-13300 | Imagemagick Debian Canonical Opensuse | Out-of-bounds Write vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling columns. | 8.8 |
2019-07-05 | CVE-2019-13299 | Imagemagick Opensuse | Out-of-bounds Read vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/pixel-accessor.h in GetPixelChannel. | 8.8 |
2019-07-05 | CVE-2019-13298 | Imagemagick Opensuse | Out-of-bounds Write vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/pixel-accessor.h in SetPixelViaPixelInfo because of a MagickCore/enhance.c error. | 8.8 |
2019-07-02 | CVE-2019-7258 | Nortekcontrol | Incorrect Authorization vulnerability in Nortekcontrol products Linear eMerge E3-Series devices allow Privilege Escalation. | 8.8 |
2019-07-02 | CVE-2019-7262 | Nortekcontrol | Cross-Site Request Forgery (CSRF) vulnerability in Nortekcontrol products Linear eMerge E3-Series devices allow Cross-Site Request Forgery (CSRF). | 8.8 |
2019-07-02 | CVE-2019-7259 | Nortekcontrol | Information Exposure vulnerability in Nortekcontrol products Linear eMerge E3-Series devices allow Authorization Bypass with Information Disclosure. | 8.8 |
2019-07-02 | CVE-2019-7270 | Nortekcontrol | Cross-Site Request Forgery (CSRF) vulnerability in Nortekcontrol products Linear eMerge 50P/5000P devices allow Cross-Site Request Forgery (CSRF). | 8.8 |
2019-07-02 | CVE-2019-4292 | IBM | Unrestricted Upload of File with Dangerous Type vulnerability in IBM Security Guardium 10.5 IBM Security Guardium 10.5 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable web server. | 8.8 |
2019-07-01 | CVE-2019-7273 | Optergy | Cross-Site Request Forgery (CSRF) vulnerability in Optergy Enterprise and Proton Optergy Proton/Enterprise devices allow Cross-Site Request Forgery (CSRF). | 8.8 |
2019-07-01 | CVE-2019-6642 | F5 | Unspecified vulnerability in F5 products In BIG-IP 15.0.0, 14.0.0-14.1.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.2, and 11.5.2-11.6.4, BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, authenticated users with the ability to upload files (via scp, for example) can escalate their privileges to allow root shell access from within the TMOS Shell (tmsh) interface. | 8.8 |
2019-07-01 | CVE-2019-13135 | Imagemagick Debian Canonical F5 | Use of Uninitialized Resource vulnerability in multiple products ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c. | 8.8 |
2019-07-01 | CVE-2019-7669 | Primasystems | Unrestricted Upload of File with Dangerous Type vulnerability in Primasystems Flexair 2.3.38 Prima Systems FlexAir, Versions 2.3.38 and prior. | 8.8 |
2019-07-01 | CVE-2019-7666 | Primasystems | Improper Authentication vulnerability in Primasystems Flexair 2.3.38 Prima Systems FlexAir, Versions 2.3.38 and prior. | 8.8 |
2019-07-01 | CVE-2019-7281 | Primasystems | Cross-Site Request Forgery (CSRF) vulnerability in Primasystems Flexair 2.3.38 Prima Systems FlexAir, Versions 2.3.38 and prior. | 8.8 |
2019-07-01 | CVE-2019-7280 | Primasystems | Insufficient Session Expiration vulnerability in Primasystems Flexair 2.3.38 Prima Systems FlexAir, Versions 2.3.38 and prior. | 8.8 |
2019-07-03 | CVE-2019-6636 | F5 | Cross-Site Request Forgery (CSRF) vulnerability in F5 products On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability in AFM feed list. | 8.5 |
2019-07-02 | CVE-2017-8416 | Dlink | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. | 8.3 |
2019-07-02 | CVE-2017-8413 | Dlink | Command Injection vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. | 8.3 |
2019-07-03 | CVE-2019-10103 | Jetbrains | Missing Encryption of Sensitive Data vulnerability in Jetbrains Kotlin JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. | 8.1 |
2019-07-03 | CVE-2019-10102 | Jetbrains | Cleartext Transmission of Sensitive Information vulnerability in Jetbrains Kotlin and Ktor JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. | 8.1 |
2019-07-03 | CVE-2019-10101 | Jetbrains | Cleartext Transmission of Sensitive Information vulnerability in Jetbrains Kotlin JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. | 8.1 |
2019-07-02 | CVE-2019-13178 | Calamares | Race Condition vulnerability in Calamares modules/luksbootkeyfile/main.py in Calamares versions 3.1 through 3.2.10 has a race condition between the time when the LUKS encryption keyfile is created and when secure permissions are set. | 8.1 |
2019-07-06 | CVE-2019-1922 | Cisco | NULL Pointer Dereference vulnerability in Cisco products A vulnerability in Cisco SIP IP Phone Software for Cisco IP Phone 7800 Series and 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected phone. | 7.8 |
2019-07-05 | CVE-2019-13314 | Redhat | Information Exposure vulnerability in Redhat Virt-Bootstrap 1.1.0 virt-bootstrap 1.1.0 allows local users to discover a root password by listing a process, because this password may be present in the --root-password option to virt_bootstrap.py. | 7.8 |
2019-07-05 | CVE-2019-13313 | Libosinfo Fedoraproject Redhat | Information Exposure vulnerability in multiple products libosinfo 1.5.0 allows local users to discover credentials by listing a process, because credentials are passed to osinfo-install-script via the command line. | 7.8 |
2019-07-05 | CVE-2019-13307 | Imagemagick Debian Canonical Opensuse | Out-of-bounds Write vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling rows. | 7.8 |
2019-07-05 | CVE-2019-13306 | Imagemagick Debian Canonical Opensuse | Off-by-one Error vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of off-by-one errors. | 7.8 |
2019-07-05 | CVE-2019-13305 | Imagemagick Debian Canonical Opensuse | Off-by-one Error vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced strncpy and an off-by-one error. | 7.8 |
2019-07-05 | CVE-2019-13304 | Imagemagick Debian Canonical Opensuse | Out-of-bounds Write vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced assignment. | 7.8 |
2019-07-04 | CVE-2019-13290 | Artifex | Out-of-bounds Write vulnerability in Artifex Mupdf 1.15.0 Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_display_node located at fitz/list-device.c, allowing remote attackers to execute arbitrary code via a crafted PDF file. | 7.8 |
2019-07-04 | CVE-2019-13283 | Glyphandcog Fedoraproject | Out-of-bounds Read vulnerability in multiple products In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in strncpy from FoFiType1::parse in fofi/FoFiType1.cc because it does not ensure the source string has a valid length before making a fixed-length copy. | 7.8 |
2019-07-04 | CVE-2019-13282 | Glyphandcog Fedoraproject | Out-of-bounds Read vulnerability in multiple products In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in SampledFunction::transform in Function.cc when using a large index for samples. | 7.8 |
2019-07-04 | CVE-2019-13281 | Glyphandcog Fedoraproject | Out-of-bounds Write vulnerability in multiple products In Xpdf 4.01.01, a heap-based buffer overflow could be triggered in DCTStream::decodeImage() in Stream.cc when writing to frameBuf memory. | 7.8 |
2019-07-04 | CVE-2019-13241 | Flightcrew Project Canonical | Path Traversal vulnerability in multiple products FlightCrew v0.9.2 and older are vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction. | 7.8 |
2019-07-03 | CVE-2019-13074 | Mikrotik | Allocation of Resources Without Limits or Throttling vulnerability in Mikrotik Routeros A vulnerability in the FTP daemon on MikroTik routers through 6.44.3 could allow remote attackers to exhaust all available memory, causing the device to reboot because of uncontrolled resource management. | 7.8 |
2019-07-03 | CVE-2018-11424 | Moxa | Out-of-bounds Write vulnerability in Moxa products There is Memory corruption in the web interface of Moxa OnCell G3470A-LTE Series version 1.6 Build 18021314 and prior, a different vulnerability than CVE-2018-11425. | 7.8 |
2019-07-03 | CVE-2018-11423 | Moxa | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Moxa products There is Memory corruption in the web interface of Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior, a different vulnerability than CVE-2018-11420. | 7.8 |
2019-07-03 | CVE-2019-13164 | Qemu Debian Opensuse Canonical | qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass. | 7.8 |
2019-07-02 | CVE-2019-5599 | Freebsd | Allocation of Resources Without Limits or Throttling vulnerability in Freebsd 12.0 In FreeBSD 12.0-STABLE before r349197 and 12.0-RELEASE before 12.0-RELEASE-p6, a bug in the non-default RACK TCP stack can allow an attacker to cause several linked lists to grow unbounded and cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service. | 7.8 |
2019-07-02 | CVE-2019-4088 | IBM | Unspecified vulnerability in IBM Spectrum Protect Operations Center IBM Spectrum Protect Servers 7.1 and 8.1 and Storage Agents could allow a local attacker to gain elevated privileges on the system, caused by loading a specially crafted library loaded by the dsmqsan module. | 7.8 |
2019-07-01 | CVE-2019-13136 | Imagemagick | Integer Overflow or Wraparound vulnerability in Imagemagick ImageMagick before 7.0.8-50 has an integer overflow vulnerability in the function TIFFSeekCustomStream in coders/tiff.c. | 7.8 |
2019-07-01 | CVE-2019-4322 | IBM | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM DB2 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. | 7.8 |
2019-07-01 | CVE-2019-4154 | IBM | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM DB2 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. | 7.8 |
2019-07-01 | CVE-2019-13129 | Motorola | Uncontrolled Recursion vulnerability in Motorola Cx2L Mwr04L Firmware 1.01 On the Motorola router CX2L MWR04L 1.01, there is a stack consumption (infinite recursion) issue in scopd via TCP port 8010 and UDP port 8080. | 7.8 |
2019-07-05 | CVE-2019-10639 | Linux | Inadequate Encryption Strength vulnerability in Linux Kernel The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. | 7.5 |
2019-07-05 | CVE-2019-13144 | Mytinytodo | Improper Neutralization of Formula Elements in a CSV File vulnerability in Mytinytodo myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. | 7.5 |
2019-07-04 | CVE-2019-13292 | Weberp | SQL Injection vulnerability in Weberp 4.15 A SQL Injection issue was discovered in webERP 4.15. | 7.5 |
2019-07-04 | CVE-2019-13275 | Veronalabs | SQL Injection vulnerability in Veronalabs WP Statistics An issue was discovered in the VeronaLabs wp-statistics plugin before 12.6.7 for WordPress. | 7.5 |
2019-07-03 | CVE-2019-9827 | Hawt | Server-Side Request Forgery (SSRF) vulnerability in Hawt Hawtio Hawt Hawtio through 2.5.0 is vulnerable to SSRF, allowing a remote attacker to trigger an HTTP request from an affected server to an arbitrary host via the initial /proxy/ substring of a URI. | 7.5 |
2019-07-03 | CVE-2015-3907 | Codeigniter Restserver Project | XXE vulnerability in Codeigniter-Restserver Project Codeigniter-Restserver 2.7.1 CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE attacks. | 7.5 |
2019-07-03 | CVE-2019-12852 | Jetbrains | Server-Side Request Forgery (SSRF) vulnerability in Jetbrains Youtrack An SSRF attack was possible on a JetBrains YouTrack server. | 7.5 |
2019-07-03 | CVE-2017-8226 | Amcrest | Use of Hard-coded Credentials vulnerability in Amcrest Ipm-721S Firmware Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have default credentials that are hardcoded in the firmware and can be extracted by anyone who reverses the firmware to identify them. | 7.5 |
2019-07-03 | CVE-2017-13719 | Amcrest | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Amcrest Ipm-721S Firmware Amcrestipcawxxengnv2.420.Ac00.17.R.20170322 The Amcrest IPM-721S Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 allows HTTP requests that permit enabling various functionalities of the camera by using HTTP APIs, instead of the web management interface that is provided by the application. | 7.5 |
2019-07-03 | CVE-2019-9186 | Jetbrains | Improper Input Validation vulnerability in Jetbrains Intellij Idea In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). | 7.5 |
2019-07-03 | CVE-2019-5600 | Freebsd | Out-of-bounds Write vulnerability in Freebsd 11.2/11.3/12.0 In FreeBSD 12.0-STABLE before r349622, 12.0-RELEASE before 12.0-RELEASE-p7, 11.3-PRERELEASE before r349624, 11.3-RC3 before 11.3-RC3-p1, and 11.2-RELEASE before 11.2-RELEASE-p11, a bug in iconv implementation may allow an attacker to write past the end of an output buffer. | 7.5 |
2019-07-03 | CVE-2019-12867 | Jetbrains | Unspecified vulnerability in Jetbrains Youtrack Certain actions could cause privilege escalation for issue attachments in JetBrains YouTrack. | 7.5 |
2019-07-03 | CVE-2019-12866 | Jetbrains | Authorization Bypass Through User-Controlled Key vulnerability in Jetbrains Youtrack An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. | 7.5 |
2019-07-03 | CVE-2019-12850 | Jetbrains | SQL Injection vulnerability in Jetbrains Youtrack A query injection was possible in JetBrains YouTrack. | 7.5 |
2019-07-03 | CVE-2019-10104 | Jetbrains | Unspecified vulnerability in Jetbrains Intellij Idea In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only. | 7.5 |
2019-07-03 | CVE-2019-10100 | Jetbrains | Code Injection vulnerability in Jetbrains Youtrack Integration In JetBrains YouTrack Confluence plugin versions before 1.8.1.3, it was possible to achieve Server Side Template Injection. | 7.5 |
2019-07-03 | CVE-2019-6631 | F5 | Unspecified vulnerability in F5 products On BIG-IP 11.5.1-11.6.4, iRules performing HTTP header manipulation may cause an interruption to service when processing traffic handled by a Virtual Server with an associated HTTP profile, in specific circumstances, when the requests do not strictly conform to RFCs. | 7.5 |
2019-07-03 | CVE-2019-6629 | F5 | Unspecified vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, undisclosed SSL traffic to a virtual server configured with a Client SSL profile may cause TMM to fail and restart. | 7.5 |
2019-07-03 | CVE-2018-18326 | Dnnsoftware | Insufficient Entropy vulnerability in Dnnsoftware Dotnetnuke DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. | 7.5 |
2019-07-03 | CVE-2018-18325 | Dnnsoftware | Inadequate Encryption Strength vulnerability in Dnnsoftware Dotnetnuke DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. | 7.5 |
2019-07-03 | CVE-2018-15812 | Dnnsoftware | Insufficient Entropy vulnerability in Dnnsoftware Dotnetnuke 9.2/9.2.0/9.2.1 DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy. | 7.5 |
2019-07-03 | CVE-2018-15811 | Dnnsoftware | Inadequate Encryption Strength vulnerability in Dnnsoftware Dotnetnuke 9.2/9.2.0/9.2.1 DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters. | 7.5 |
2019-07-03 | CVE-2018-11686 | Flowpaper | Improper Input Validation vulnerability in Flowpaper Flexpaper The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php. | 7.5 |
2019-07-03 | CVE-2017-18346 | WEB Gooroo | SQL Injection vulnerability in Web-Gooroo CMS Web-Gooroo SQL injection vulnerability in /wbg/core/_includes/authorization.inc.php in CMS Web-Gooroo through 2013-01-19 allows remote attackers to execute arbitrary SQL commands via the wbg_login parameter. | 7.5 |
2019-07-03 | CVE-2018-11425 | Moxa | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Moxa products Memory corruption issue was discovered in Moxa OnCell G3470A-LTE Series version 1.6 Build 18021314 and prior, a different vulnerability than CVE-2018-11424. | 7.5 |
2019-07-03 | CVE-2018-11422 | Moxa | Cleartext Transmission of Sensitive Information vulnerability in Moxa products Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary configuration protocol that does not provide confidentiality, integrity, and authenticity security controls. | 7.5 |
2019-07-03 | CVE-2018-11420 | Moxa | Out-of-bounds Write vulnerability in Moxa products There is Memory corruption in the web interface of Moxa OnCell G3100-HSPA Series version 1.5 Build 17042015 and prior, a different vulnerability than CVE-2018-11423. | 7.5 |
2019-07-03 | CVE-2018-11215 | Cloudera | Information Exposure vulnerability in Cloudera Data Science Workbench Remote code execution is possible in Cloudera Data Science Workbench version 1.3.0 and prior releases via unspecified attack vectors. | 7.5 |
2019-07-03 | CVE-2018-11426 | Moxa | Improper Authentication vulnerability in Moxa products A weak Cookie parameter is used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. | 7.5 |
2019-07-02 | CVE-2019-13179 | Calamares | Insufficiently Protected Credentials vulnerability in Calamares Calamares versions 3.1 through 3.2.10 copies a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600 owned by root) to /boot within a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption. | 7.5 |
2019-07-02 | CVE-2019-6623 | F5 | Unspecified vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, undisclosed traffic sent to BIG-IP iSession virtual server may cause the Traffic Management Microkernel (TMM) to restart, resulting in a Denial-of-Service (DoS). | 7.5 |
2019-07-02 | CVE-2019-13177 | Django Rest Registration Project | Improper Verification of Cryptographic Signature vulnerability in Django-Rest-Registration Project Django-Rest-Registration verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. | 7.5 |
2019-07-02 | CVE-2019-7253 | Nortekcontrol | Path Traversal vulnerability in Nortekcontrol products Linear eMerge E3-Series devices allow Directory Traversal. | 7.5 |
2019-07-02 | CVE-2019-7264 | Nortekcontrol | Out-of-bounds Write vulnerability in Nortekcontrol products Linear eMerge E3-Series devices allow a Stack-based Buffer Overflow on the ARM platform. | 7.5 |
2019-07-01 | CVE-2019-5497 | Netapp | Insecure Default Initialization of Resource vulnerability in Netapp AFF A700S Firmware and Clustered Data Ontap NetApp AFF A700s Baseboard Management Controller (BMC) firmware versions 1.22 and higher were shipped with a default account enabled that could allow unauthorized arbitrary command execution. | 7.5 |
2019-07-01 | CVE-2019-10979 | Sick | Use of Hard-coded Credentials vulnerability in Sick Msc800 Firmware SICK MSC800, all versions prior to Version 4.0: the affected firmware versions contain a hard-coded customer account password. | 7.5 |
2019-07-01 | CVE-2019-7279 | Optergy | Use of Hard-coded Credentials vulnerability in Optergy Enterprise and Proton Optergy Proton/Enterprise devices have Hard-coded Credentials. | 7.5 |
2019-07-01 | CVE-2019-13131 | Supermicro | Missing Authentication for Critical Function vulnerability in Supermicro Superdoctor 5 Super Micro SuperDoctor 5, when restrictions are not implemented in agent.cfg, allows remote attackers to execute arbitrary commands via NRPE. | 7.5 |
2019-07-06 | CVE-2019-1932 | Cisco | Insufficient Verification of Data Authenticity vulnerability in Cisco Advanced Malware Protection FOR Endpoints 6.2(3) A vulnerability in Cisco Advanced Malware Protection (AMP) for Endpoints for Windows could allow an authenticated, local attacker with administrator privileges to execute arbitrary code. | 7.2 |
2019-07-06 | CVE-2019-1893 | Cisco | OS Command Injection vulnerability in Cisco Enterprise NFV Infrastructure Software 3.9.1 A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device as root. | 7.2 |
2019-07-04 | CVE-2018-20850 | Stormshield | Cross-site Scripting vulnerability in Stormshield Network Security Stormshield Network Security 2.0.0 through 2.13.0 and 3.0.0 through 3.7.1 has self-XSS in the command line interface of the SNS web server. | 7.2 |
2019-07-02 | CVE-2019-6621 | F5 | OS Command Injection vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin user. | 7.2 |
2019-07-02 | CVE-2017-8414 | Dlink | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. | 7.2 |
2019-07-01 | CVE-2019-7670 | Primasystems | OS Command Injection vulnerability in Primasystems Flexair 2.3.38 Prima Systems FlexAir, Versions 2.3.38 and prior. | 7.2 |
2019-07-02 | CVE-2019-4140 | IBM | Information Exposure vulnerability in IBM Spectrum Protect IBM Tivoli Storage Manager Server (IBM Spectrum Protect 7.1 and 8.1) could allow a local user to replace existing databases by restoring old data. | 7.1 |
2019-07-01 | CVE-2019-4298 | IBM | Unspecified vulnerability in IBM Robotic Process Automation With Automation Anywhere IBM Robotic Process Automation with Automation Anywhere 11 uses a high privileged PostgreSQL account for database access which could allow a local user to perform actions they should not have privileges to execute. | 7.1 |
2019-07-04 | CVE-2019-13233 | Linux | Use After Free vulnerability in Linux Kernel In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation. | 7.0 |
2019-07-04 | CVE-2019-13226 | Deepin Fedoraproject | Link Following vulnerability in multiple products deepin-clone before 1.1.3 uses a predictable path /tmp/.deepin-clone/mount/<block-dev-basename> in the Helper::temporaryMountDevice() function to temporarily mount a file system as root. | 7.0 |
203 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-07-07 | CVE-2019-13391 | Imagemagick | Out-of-bounds Read vulnerability in Imagemagick 7.0.850 In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier.c has a heap-based buffer over-read because of incorrect calls to GetCacheViewVirtualPixels. | 6.8 |
2019-07-07 | CVE-2019-13183 | Flarum | Cross-Site Request Forgery (CSRF) vulnerability in Flarum 0.1.0 Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings. | 6.8 |
2019-07-06 | CVE-2019-13362 | Codedoc Project | Out-of-bounds Write vulnerability in Codedoc Project Codedoc 3.2 Codedoc v3.2 has a stack-based buffer overflow in add_variable in codedoc.c, related to codedoc_strlcpy. | 6.8 |
2019-07-05 | CVE-2019-13351 | Jackaudio Alsa Project | posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. | 6.8 |
2019-07-05 | CVE-2019-5981 | Sony | Unspecified vulnerability in Sony Vaio Update 7.3.0.03150 Improper authorization vulnerability in VAIO Update 7.3.0.03150 and earlier allows an attacker to execute an arbitrary executable file with administrative privilege via unspecified vectors. | 6.8 |
2019-07-05 | CVE-2019-5974 | Contest Gallery | Cross-Site Request Forgery (CSRF) vulnerability in Contest-Gallery Contest Gallery Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 6.8 |
2019-07-05 | CVE-2019-5971 | Sukimalab | Cross-Site Request Forgery (CSRF) vulnerability in Sukimalab Attendance Manager Cross-site request forgery (CSRF) vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 6.8 |
2019-07-05 | CVE-2019-5968 | Weseek | Cross-Site Request Forgery (CSRF) vulnerability in Weseek Growi Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user's 'Basic Info'. | 6.8 |
2019-07-05 | CVE-2019-5963 | Zoho | Cross-Site Request Forgery (CSRF) vulnerability in Zoho Salesiq Cross-site request forgery (CSRF) vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 6.8 |
2019-07-05 | CVE-2019-5960 | Custom4Web | Cross-Site Request Forgery (CSRF) vulnerability in Custom4Web WP Open Graph Cross-site request forgery (CSRF) vulnerability in WP Open Graph 1.6.1 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 6.8 |
2019-07-05 | CVE-2019-13312 | Ffmpeg | Out-of-bounds Read vulnerability in Ffmpeg 4.1.3 block_cmp() in libavcodec/zmbvenc.c in FFmpeg 4.1.3 has a heap-based buffer over-read. | 6.8 |
2019-07-05 | CVE-2019-13297 | Imagemagick Debian Canonical Opensuse | Out-of-bounds Read vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a height of zero is mishandled. | 6.8 |
2019-07-05 | CVE-2019-13295 | Imagemagick Debian Opensuse Canonical | Out-of-bounds Read vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a width of zero is mishandled. | 6.8 |
2019-07-04 | CVE-2019-13289 | Glyphandcog | Use After Free vulnerability in Glyphandcog Xpdfreader 4.01.01 In Xpdf 4.01.01, there is a use-after-free vulnerability in the function JBIG2Stream::close() located at JBIG2Stream.cc. | 6.8 |
2019-07-04 | CVE-2019-13262 | Xnview | Unspecified vulnerability in Xnview 2.48 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x00000000003283eb. | 6.8 |
2019-07-04 | CVE-2019-13261 | Xnview | Unspecified vulnerability in Xnview 2.48 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000328384. | 6.8 |
2019-07-04 | CVE-2019-13260 | Xnview | Unspecified vulnerability in Xnview 2.48 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000327a07. | 6.8 |
2019-07-04 | CVE-2019-13259 | Xnview | Unspecified vulnerability in Xnview 2.48 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000032e566. | 6.8 |
2019-07-04 | CVE-2019-13258 | Xnview | Unspecified vulnerability in Xnview 2.48 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000328165. | 6.8 |
2019-07-04 | CVE-2019-13257 | Xnview | Unspecified vulnerability in Xnview 2.48 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x00000000003273aa. | 6.8 |
2019-07-04 | CVE-2019-13256 | Xnview | Unspecified vulnerability in Xnview 2.48 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000032e849. | 6.8 |
2019-07-04 | CVE-2019-13255 | Xnview | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Xnview 2.48 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000327464. | 6.8 |
2019-07-04 | CVE-2019-13254 | Xnview | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Xnview 2.48 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000032e808. | 6.8 |
2019-07-04 | CVE-2019-13253 | Xnview | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Xnview 2.48 XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000385474. | 6.8 |
2019-07-04 | CVE-2019-13252 | Acdsee | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21 ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000001172b0. | 6.8 |
2019-07-04 | CVE-2019-13251 | Acdsee | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21 ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000c47ff. | 6.8 |
2019-07-04 | CVE-2019-13250 | Acdsee | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21 ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9c2f. | 6.8 |
2019-07-04 | CVE-2019-13249 | Acdsee | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21 ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9e7a. | 6.8 |
2019-07-04 | CVE-2019-13248 | Acdsee | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21 ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x0000000000002450. | 6.8 |
2019-07-04 | CVE-2019-13247 | Acdsee | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21 ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x00000000000024ed. | 6.8 |
2019-07-04 | CVE-2019-13246 | Faststone | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Faststone Image Viewer 7.0 FastStone Image Viewer 7.0 has a User Mode Write AV starting at image00400000+0x00000000001a9601. | 6.8 |
2019-07-04 | CVE-2019-13245 | Faststone | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Faststone Image Viewer 7.0 FastStone Image Viewer 7.0 has a User Mode Write AV starting at image00400000+0x00000000001a95b1. | 6.8 |
2019-07-04 | CVE-2019-13244 | Faststone | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Faststone Image Viewer 7.0 FastStone Image Viewer 7.0 has a User Mode Write AV starting at image00400000+0x0000000000002d7d. | 6.8 |
2019-07-04 | CVE-2019-13243 | Irfanview | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Irfanview 4.52 IrfanView 4.52 has a User Mode Write AV starting at image00400000+0x00000000000249c6. | 6.8 |
2019-07-04 | CVE-2019-13242 | Irfanview | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Irfanview 4.52 IrfanView 4.52 has a User Mode Write AV starting at image00400000+0x0000000000013a98. | 6.8 |
2019-07-03 | CVE-2017-8228 | Amcrest | Permissions, Privileges, and Access Controls vulnerability in Amcrest Ipm-721S Firmware Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices mishandle reboots within the past two hours. | 6.8 |
2019-07-03 | CVE-2019-5052 | Libsdl Debian Opensuse Canonical | Integer Overflow or Wraparound vulnerability in multiple products An exploitable integer overflow vulnerability exists when loading a PCX file in SDL2_image 2.0.4. | 6.8 |
2019-07-03 | CVE-2019-5051 | Libsdl Debian Opensuse Canonical | Improper Handling of Exceptional Conditions vulnerability in multiple products An exploitable heap-based buffer overflow vulnerability exists when loading a PCX file in SDL2_image, version 2.0.4. | 6.8 |
2019-07-03 | CVE-2019-12851 | Jetbrains | Cross-Site Request Forgery (CSRF) vulnerability in Jetbrains Youtrack A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. | 6.8 |
2019-07-03 | CVE-2019-5630 | Rapid7 | Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Nexpose A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. | 6.8 |
2019-07-03 | CVE-2018-10986 | Open Xchange | Cross-Site Request Forgery (CSRF) vulnerability in Open-Xchange OX Guard 2.8.0 OX Guard 2.8.0 has CSRF. | 6.8 |
2019-07-03 | CVE-2018-11427 | Moxa | Cross-Site Request Forgery (CSRF) vulnerability in Moxa products CSRF tokens are not used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior, which makes it possible to perform CSRF attacks on the device administrator. | 6.8 |
2019-07-02 | CVE-2017-8406 | Dlink | Cross-Site Request Forgery (CSRF) vulnerability in Dlink Dcs-1130 Firmware An issue was discovered on D-Link DCS-1130 devices. | 6.8 |
2019-07-02 | CVE-2017-8407 | Dlink | Cross-Site Request Forgery (CSRF) vulnerability in Dlink Dcs-1130 Firmware An issue was discovered on D-Link DCS-1130 devices. | 6.8 |
2019-07-02 | CVE-2019-13056 | Cyberpanel | Cross-Site Request Forgery (CSRF) vulnerability in Cyberpanel An issue was discovered in CyberPanel through 1.8.4. | 6.8 |
2019-07-01 | CVE-2019-12826 | Wpchef | Cross-Site Request Forgery (CSRF) vulnerability in Wpchef Widget Logic A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets and then eval'd to dynamically determine their visibility) by crafting a malicious POST request that tricks administrators into adding the code. | 6.8 |
2019-07-01 | CVE-2019-13125 | Tencent | Permissions, Privileges, and Access Controls vulnerability in Tencent Habomalhunter 2.0.0.2/2.0.0.3 HaboMalHunter through 2.0.0.3 in Tencent Habo allows attackers to evade dynamic malware analysis via PIE compilation. | 6.8 |
2019-07-01 | CVE-2019-4383 | IBM | Unspecified vulnerability in IBM Spectrum Protect Plus 10.1.1/10.1.2/10.1.3 When using IBM Spectrum Protect Plus 10.1.0, 10.1.2, and 10.1.3 to protect Oracle or MongoDB databases, a redirected restore operation may result in an escalation of user privileges. | 6.7 |
2019-07-01 | CVE-2019-4357 | IBM | Unspecified vulnerability in IBM Spectrum Protect Plus 10.1.1/10.1.2/10.1.3 When using IBM Spectrum Protect Plus 10.1.0, 10.1.2, and 10.1.3 to protect Oracle, DB2 or MongoDB databases, a redirected restore operation specifying a target path may allow execution of arbitrary code on the system. | 6.7 |
2019-07-01 | CVE-2019-4057 | IBM | Unspecified vulnerability in IBM DB2 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a malicious user with access to the DB2 instance account to leverage a fenced execution process to execute arbitrary code as root. | 6.7 |
2019-07-02 | CVE-2019-10975 | Fujielectric | Out-of-bounds Read vulnerability in Fujielectric Alpha7 PC Loader Firmware 1.1 An out-of-bounds read vulnerability has been identified in Fuji Electric Alpha7 PC Loader Versions 1.1 and prior, which may crash the system. | 6.6 |
2019-07-05 | CVE-2019-13311 | Imagemagick Canonical Debian Opensuse | Memory Leak vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a wand/mogrify.c error. | 6.5 |
2019-07-05 | CVE-2019-13310 | Imagemagick Canonical Opensuse | Memory Leak vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of an error in MagickWand/mogrify.c. | 6.5 |
2019-07-05 | CVE-2019-13309 | Imagemagick Debian Canonical Opensuse | Memory Leak vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. | 6.5 |
2019-07-05 | CVE-2019-13301 | Imagemagick Debian Canonical Opensuse | Memory Leak vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error. | 6.5 |
2019-07-05 | CVE-2019-13296 | Imagemagick Opensuse | Memory Leak vulnerability in multiple products ImageMagick 7.0.8-50 Q16 has direct memory leaks in AcquireMagickMemory because of an error in CLIListOperatorImages in MagickWand/operation.c for a NULL value. | 6.5 |
2019-07-03 | CVE-2019-6641 | F5 | Unspecified vulnerability in F5 products On BIG-IP 12.1.0-12.1.4.1, undisclosed requests can cause iControl REST processes to crash. | 6.5 |
2019-07-03 | CVE-2019-6638 | F5 | Infinite Loop vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, malformed HTTP requests made to an undisclosed iControl REST endpoint can lead to an infinite loop of the restjavad process. | 6.5 |
2019-07-03 | CVE-2019-12570 | Xpertsol | SQL Injection vulnerability in Xpertsol Server Status BY Hostname/Ip 4.6 A SQL injection vulnerability in the Xpert Solution "Server Status by Hostname/IP" plugin 4.6 for WordPress allows an authenticated user to execute arbitrary SQL commands via GET parameters. | 6.5 |
2019-07-03 | CVE-2018-12250 | Elitecms | SQL Injection vulnerability in Elitecms Elite CMS 2.01 An issue was discovered in Elite CMS Pro 2.01. | 6.5 |
2019-07-02 | CVE-2019-6622 | F5 | Command Injection vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, an undisclosed iControl REST worker is vulnerable to command injection by an administrator or resource administrator user. | 6.5 |
2019-07-02 | CVE-2019-6620 | F5 | OS Command Injection vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4 and BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection for an Administrator user. | 6.5 |
2019-07-02 | CVE-2019-13155 | Trendnet | OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. | 6.5 |
2019-07-02 | CVE-2019-13154 | Trendnet | OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. | 6.5 |
2019-07-02 | CVE-2019-13153 | Trendnet | OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. | 6.5 |
2019-07-02 | CVE-2019-13152 | Trendnet | Command Injection vulnerability in Trendnet Tew-827Dru Firmware An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. | 6.5 |
2019-07-02 | CVE-2019-13151 | Trendnet | OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. | 6.5 |
2019-07-02 | CVE-2019-13150 | Trendnet | Command Injection vulnerability in Trendnet Tew-827Dru Firmware An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. | 6.5 |
2019-07-02 | CVE-2019-13149 | Trendnet | OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. | 6.5 |
2019-07-02 | CVE-2019-13148 | Trendnet | Command Injection vulnerability in Trendnet Tew-827Dru Firmware An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. | 6.5 |
2019-07-02 | CVE-2019-13147 | Audio File Library Project Debian | NULL Pointer Dereference vulnerability in multiple products In Audio File Library (aka audiofile) 0.3.6, there exists one NULL pointer dereference bug in ulaw2linear_buf in G711.cpp in libmodules.a that allows an attacker to cause a denial of service via a crafted file. | 6.5 |
2019-07-01 | CVE-2019-1577 | Paloaltonetworks | Code Injection vulnerability in Paloaltonetworks Traps 5.0/5.0.5 Code injection vulnerability in Palo Alto Networks Traps 5.0.5 and earlier may allow an authenticated attacker to inject arbitrary JavaScript or HTML. | 6.5 |
2019-07-01 | CVE-2019-4386 | IBM | Exposed Dangerous Method or Function vulnerability in IBM DB2 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 could allow an authenticated user to execute a function that would cause the server to crash. | 6.5 |
2019-07-03 | CVE-2017-9325 | Cloudera | Improper Authorization vulnerability in Cloudera CDH The provided secure solrconfig.xml sample configuration does not enforce Sentry authorization on /update/json/docs. | 6.4 |
2019-07-02 | CVE-2019-13173 | Fstream Project | Link Following vulnerability in Fstream Project Fstream fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. | 6.4 |
2019-07-01 | CVE-2019-7278 | Optergy | Improper Privilege Management vulnerability in Optergy Enterprise and Proton Optergy Proton/Enterprise devices have an Unauthenticated SMS Sending Service. | 6.4 |
2019-07-06 | CVE-2019-13374 | Dlink | Cross-site Scripting vulnerability in Dlink Central Wifimanager 1.03 A cross-site scripting (XSS) vulnerability in resource view in PayAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to inject arbitrary web script or HTML via the index.php/Pay/passcodeAuth passcode parameter. | 6.1 |
2019-07-05 | CVE-2019-13345 | Squid Cache Debian | Cross-site Scripting vulnerability in multiple products The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter. | 6.1 |
2019-07-02 | CVE-2017-11580 | Blipcare | Resource Management Errors vulnerability in Blipcare Wi-Fi Blood Pressure Monitor Firmware Blipcare Wifi blood pressure monitor BP700 10.1 devices allow memory corruption that results in Denial of Service. | 6.1 |
2019-07-02 | CVE-2019-7255 | Nortekcontrol | Cross-site Scripting vulnerability in Nortekcontrol products Linear eMerge E3-Series devices allow XSS. | 6.1 |
2019-07-02 | CVE-2019-4134 | IBM | Cross-site Scripting vulnerability in IBM Planning Analytics 2.0 IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. | 6.1 |
2019-07-01 | CVE-2019-7275 | Optergy | Open Redirect vulnerability in Optergy Enterprise and Proton Optergy Proton/Enterprise devices allow Open Redirect. | 6.1 |
2019-07-01 | CVE-2019-4102 | IBM | Inadequate Encryption Strength vulnerability in IBM DB2 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.9 |
2019-07-05 | CVE-2018-12621 | Eventum Project | Open Redirect vulnerability in Eventum Project Eventum 3.5.0 An issue was discovered in Eventum 3.5.0. | 5.8 |
2019-07-05 | CVE-2019-5969 | Weseek | Open Redirect vulnerability in Weseek Growi Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the process of login. | 5.8 |
2019-07-05 | CVE-2019-5966 | Joruri | Authorization Bypass Through User-Controlled Key vulnerability in Joruri Mail 2.1.4 Joruri Mail 2.1.4 and earlier does not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and alter/disclose the information via unspecified vectors. | 5.8 |
2019-07-05 | CVE-2019-5965 | Joruri | Open Redirect vulnerability in Joruri Mail 2.1.4 Open redirect vulnerability in Joruri Mail 2.1.4 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 5.8 |
2019-07-05 | CVE-2019-5964 | Idoors | Improper Authentication vulnerability in Idoors Reader 2.10.17 iDoors Reader 2.10.17 and earlier allows an attacker on the same network segment to bypass authentication to access the management console and operate the product via unspecified vectors. | 5.8 |
2019-07-05 | CVE-2019-5961 | Mastodon Tootdon | Improper Certificate Validation vulnerability in Mastodon-Tootdon Tootdon FOR Mastodon The Android App 'Tootdon for Mastodon' version 3.4.1 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.8 |
2019-07-03 | CVE-2019-10721 | Dotnetblogengine | Open Redirect vulnerability in Dotnetblogengine Blogengine.Net 3.3.7.0 BlogEngine.NET 3.3.7.0 allows a Client Side URL Redirect via the ReturnUrl parameter, related to BlogEngine/BlogEngine.Core/Services/Security/Security.cs, login.aspx, and register.aspx. | 5.8 |
2019-07-02 | CVE-2017-8412 | Dlink | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. | 5.8 |
2019-07-02 | CVE-2019-13175 | Readthedocs | Open Redirect vulnerability in Readthedocs Read the Docs Read the Docs before 3.5.1 has an Open Redirect if certain user-defined redirects are used. | 5.8 |
2019-07-04 | CVE-2019-13286 | Glyphandcog Fedoraproject | Out-of-bounds Read vulnerability in multiple products In Xpdf 4.01.01, there is a heap-based buffer over-read in the function JBIG2Stream::readTextRegionSeg() located at JBIG2Stream.cc. | 5.5 |
2019-07-04 | CVE-2019-13229 | Deepin | Link Following vulnerability in Deepin Clone deepin-clone before 1.1.3 uses a fixed path /tmp/partclone.log in the Helper::getPartitionSizeInfo() function to write a log file as root, and follows symlinks there. | 5.5 |
2019-07-04 | CVE-2019-13227 | Deepin | Link Following vulnerability in Deepin Deepin-Clone In GUI mode, deepin-clone before 1.1.3 creates a log file at the fixed path /tmp/.deepin-clone.log as root, and follows symlinks there. | 5.5 |
2019-07-03 | CVE-2018-14859 | Odoo | Improper Access Control vulnerability in Odoo 10.0/11.0/9.0 Incorrect access control in the password reset component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated users to reset the password of other users by being the first party to use the secure token. | 5.5 |
2019-07-03 | CVE-2018-14863 | Odoo | Improper Access Control vulnerability in Odoo 10.0/11.0/9.0 Incorrect access control in the RPC framework in Odoo Community 8.0 through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated users to call private functions via RPC. | 5.5 |
2019-07-03 | CVE-2018-14862 | Odoo | Incorrect Permission Assignment for Critical Resource vulnerability in Odoo 10.0/11.0/9.0 Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request. | 5.5 |
2019-07-03 | CVE-2019-10717 | Dotnetblogengine | Path Traversal vulnerability in Dotnetblogengine Blogengine.Net 3.3.7.0 BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via the path parameter. | 5.5 |
2019-07-01 | CVE-2019-4299 | IBM | Information Exposure Through Log Files vulnerability in IBM Robotic Process Automation With Automation Anywhere IBM Robotic Process Automation with Automation Anywhere 11 could allow a local user to obtain highly sensitive information from log files when debugging is enabled. | 5.5 |
2019-07-05 | CVE-2019-5982 | Sony | Download of Code Without Integrity Check vulnerability in Sony Vaio Update 7.3.0.03150 Improper download file verification vulnerability in VAIO Update 7.3.0.03150 and earlier allows remote attackers to conduct a man-in-the-middle attack via a malicious wireless LAN access point. | 5.4 |
2019-07-01 | CVE-2019-4410 | IBM | Cross-site Scripting vulnerability in IBM products IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, and 19.0.0.1 is vulnerable to cross-site scripting. | 5.4 |
2019-07-01 | CVE-2019-4297 | IBM | LDAP Injection vulnerability in IBM Robotic Process Automation With Automation Anywhere IBM Robotic Process Automation with Automation Anywhere 11 could allow a remote authenticated attacker to conduct an LDAP injection. | 5.4 |
2019-07-01 | CVE-2019-4237 | IBM | Cross-site Scripting vulnerability in IBM products A Cross-Frame Scripting vulnerability in IBM InfoSphere Information Server 11.3, 11.5, and 11.7 can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. | 5.4 |
2019-07-03 | CVE-2019-6640 | F5 | Cleartext Transmission of Sensitive Information vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. | 5.3 |
2019-07-02 | CVE-2019-4260 | IBM | Unspecified vulnerability in IBM Daeja Viewone IBM Daeja ViewONE Professional, Standard & Virtual 5.0 through 5.0.5 could allow an unauthorized user to download server files resulting in sensitive information disclosure. | 5.3 |
2019-07-02 | CVE-2019-4129 | IBM | Information Exposure Through an Error Message vulnerability in IBM Spectrum Protect Operations Center IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remote attacker to obtain sensitive information, caused by an error message containing a stack trace. | 5.3 |
2019-07-01 | CVE-2019-4337 | IBM | Missing Authentication for Critical Function vulnerability in IBM Robotic Process Automation With Automation Anywhere 11.0.0.0/11.0.0.1/11.0.0.2 IBM Robotic Process Automation with Automation Anywhere 11 could allow an attacker to obtain sensitive information due to missing authentication in Ignite nodes. | 5.3 |
2019-07-01 | CVE-2019-12781 | Djangoproject Canonical Debian | Cleartext Transmission of Sensitive Information vulnerability in multiple products An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. | 5.3 |
2019-07-01 | CVE-2019-13118 | Xmlsoft Opensuse Netapp Oracle Fedoraproject Canonical Apple | Type Confusion vulnerability in multiple products In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data. | 5.3 |
2019-07-01 | CVE-2019-13117 | Xmlsoft Debian Canonical Fedoraproject Opensuse Oracle | Use of Uninitialized Resource vulnerability in multiple products In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. | 5.3 |
2019-07-06 | CVE-2019-1921 | Cisco | Improper Input Validation vulnerability in Cisco Email Security Appliance 12.0.0419 A vulnerability in the attachment scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured content filters on the device. | 5.0 |
2019-07-06 | CVE-2019-1892 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products A vulnerability in the Secure Sockets Layer (SSL) input packet processor of Cisco Small Business 200, 300, and 500 Series Managed Switches could allow an unauthenticated, remote attacker to cause a memory corruption on an affected device. | 5.0 |
2019-07-06 | CVE-2019-1891 | Cisco | Improper Input Validation vulnerability in Cisco products A vulnerability in the web interface of Cisco Small Business 200, 300, and 500 Series Managed Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 5.0 |
2019-07-06 | CVE-2019-1887 | Cisco | Out-of-bounds Write vulnerability in Cisco Unified Communications Manager A vulnerability in the Session Initiation Protocol (SIP) protocol implementation of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. | 5.0 |
2019-07-05 | CVE-2019-13358 | Opencats | XXE vulnerability in Opencats lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. | 5.0 |
2019-07-05 | CVE-2018-16386 | Swift | Improper Encoding or Escaping of Output vulnerability in Swift Alliance web Platform 7.1.23 An issue was discovered in SWIFT Alliance Web Platform 7.1.23. | 5.0 |
2019-07-05 | CVE-2018-14733 | Odoo | Improper Input Validation vulnerability in Odoo The Odoo Community Association (OCA) dbfilter_from_header module makes Odoo 8.x, 9.x, 10.x, and 11.x vulnerable to ReDoS (regular expression denial of service) under certain circumstances. | 5.0 |
2019-07-05 | CVE-2018-14529 | Invoxia | Information Exposure vulnerability in Invoxia Nvx220 Firmware Invoxia NVX220 devices allow access to /bin/sh via escape from a restricted CLI, leading to disclosure of password hashes. | 5.0 |
2019-07-05 | CVE-2019-13344 | Crudlab | Missing Authentication for Critical Function vulnerability in Crudlab WP Like Button An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. | 5.0 |
2019-07-04 | CVE-2019-1886 | Cisco | Improper Certificate Validation vulnerability in Cisco Asyncos and web Security Appliance A vulnerability in the HTTPS decryption feature of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. | 5.0 |
2019-07-04 | CVE-2019-13238 | Axiosys | NULL Pointer Dereference vulnerability in Axiosys Bento4 1.5.1.0 An issue was discovered in Bento4 1.5.1.0. | 5.0 |
2019-07-03 | CVE-2019-12845 | Jetbrains | Improper Authentication vulnerability in Jetbrains Teamcity The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. | 5.0 |
2019-07-03 | CVE-2019-12841 | Jetbrains | Improper Input Validation vulnerability in Jetbrains Teamcity Incorrect handling of user input in ZIP extraction was detected in JetBrains TeamCity. | 5.0 |
2019-07-03 | CVE-2017-8229 | Amcrest | Credentials Management vulnerability in Amcrest Ipm-721S Firmware Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials. | 5.0 |
2019-07-03 | CVE-2017-8227 | Amcrest | 7PK - Security Features vulnerability in Amcrest Ipm-721S Firmware Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout policy to wait for 5 minutes in case 30 incorrect password attempts are detected using the Web and HTTP API interface provided by the device. | 5.0 |
2019-07-03 | CVE-2019-9873 | Jetbrains | Cleartext Storage of Sensitive Information vulnerability in Jetbrains Intellij Idea In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. | 5.0 |
2019-07-03 | CVE-2019-9823 | Jetbrains | Cleartext Storage of Sensitive Information vulnerability in Jetbrains Intellij Idea In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration files. | 5.0 |
2019-07-03 | CVE-2019-6630 | F5 | Unspecified vulnerability in F5 SSL Orchestrator On F5 SSL Orchestrator 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, undisclosed traffic flow may cause TMM to restart under certain circumstances. | 5.0 |
2019-07-03 | CVE-2019-6628 | F5 | Unspecified vulnerability in F5 Big-Ip Policy Enforcement Manager On BIG-IP PEM 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, under certain conditions, the TMM process may terminate and restart while processing BIG-IP PEM traffic with the OpenVPN classifier. | 5.0 |
2019-07-03 | CVE-2018-11421 | Moxa | Cleartext Transmission of Sensitive Information vulnerability in Moxa products Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary monitoring protocol that does not provide confidentiality, integrity, and authenticity security controls. | 5.0 |
2019-07-02 | CVE-2019-6624 | F5 | Unspecified vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, an undisclosed traffic pattern sent to a BIG-IP UDP virtual server may lead to a denial-of-service (DoS). | 5.0 |
2019-07-02 | CVE-2017-8409 | Dlink | Improper Authorization vulnerability in Dlink Dcs-1130 Firmware An issue was discovered on D-Link DCS-1130 devices. | 5.0 |
2019-07-02 | CVE-2017-8405 | Dlink | Improper Authentication vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware An issue was discovered on D-Link DCS-1130 and DCS-1100 devices. | 5.0 |
2019-07-02 | CVE-2019-7254 | Nortekcontrol | Path Traversal vulnerability in Nortekcontrol products Linear eMerge E3-Series devices allow File Inclusion. | 5.0 |
2019-07-02 | CVE-2019-7252 | Nortekcontrol | Insecure Default Initialization of Resource vulnerability in Nortekcontrol products Linear eMerge E3-Series devices have Default Credentials. | 5.0 |
2019-07-02 | CVE-2019-7260 | Nortekcontrol | Insufficiently Protected Credentials vulnerability in Nortekcontrol products Linear eMerge E3-Series devices have Cleartext Credentials in a Database. | 5.0 |
2019-07-01 | CVE-2019-7272 | Optergy | Missing Authorization vulnerability in Optergy Enterprise and Proton Optergy Proton/Enterprise devices allow Username Disclosure. | 5.0 |
2019-07-01 | CVE-2019-7271 | Nortekcontrol | Insufficiently Protected Credentials vulnerability in Nortekcontrol products Nortek Linear eMerge 50P/5000P devices have Default Credentials. | 5.0 |
2019-07-01 | CVE-2019-7277 | Optergy | Information Exposure vulnerability in Optergy Enterprise and Proton Optergy Proton/Enterprise devices allow Unauthenticated Internal Network Information Disclosure. | 5.0 |
2019-07-01 | CVE-2019-7668 | Primasystems | Insecure Default Initialization of Resource vulnerability in Primasystems Flexair 2.3.38 Prima Systems FlexAir devices have Default Credentials. | 5.0 |
2019-07-03 | CVE-2019-3619 | Mcafee | Cleartext Transmission of Sensitive Information vulnerability in Mcafee Epolicy Orchestrator 5.10.0/5.9.0/5.9.1 Information Disclosure vulnerability in the Agent Handler in McAfee ePolicy Orchestrator (ePO) 5.9.x and 5.10.0 prior to 5.10.0 update 4 allows a remote unauthenticated attacker to view sensitive information in plain text by sniffing the traffic between the Agent Handler and the SQL server. | 4.9 |
2019-07-01 | CVE-2019-4295 | IBM | Unspecified vulnerability in IBM Robotic Process Automation With Automation Anywhere IBM Robotic Process Automation with Automation Anywhere 11 could allow an attacker with specialized access to obtain highly sensitive information from the credential vault. | 4.9 |
2019-07-03 | CVE-2019-6639 | F5 | Cross-site Scripting vulnerability in F5 Big-Ip Advanced Firewall Manager On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting (XSS) issue. | 4.8 |
2019-07-02 | CVE-2017-11579 | Blipcare | 7PK - Security Features vulnerability in Blipcare Wi-Fi Blood Pressure Monitor Firmware In the most recent firmware for Blipcare, the device provides an open Wireless network called "Blip" for communicating with the device. | 4.8 |
2019-07-04 | CVE-2019-13228 | Deepin | Link Following vulnerability in Deepin Deepin-Clone deepin-clone before 1.1.3 uses a fixed path /tmp/repo.iso in the BootDoctor::fix() function to download an ISO file, and follows symlinks there. | 4.7 |
2019-07-06 | CVE-2019-1911 | Cisco | Containment Errors (Container Errors) vulnerability in Cisco Hosted Collaboration Solution A vulnerability in the CLI of Cisco Unified Communications Domain Manager (Cisco Unified CDM) Software could allow an authenticated, local attacker to escape the restricted shell. | 4.6 |
2019-07-01 | CVE-2019-9703 | Symantec | Unspecified vulnerability in Symantec Endpoint Encryption Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels. | 4.6 |
2019-07-01 | CVE-2019-9702 | Symantec | Unspecified vulnerability in Symantec Endpoint Encryption Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels. | 4.6 |
2019-07-03 | CVE-2019-13208 | Maxx | Incorrect Permission Assignment for Critical Resource vulnerability in Maxx Waves Maxx Audio 1.9.29.0 WavesSysSvc in Waves MAXX Audio allows privilege escalation because the General registry key has Full Control access for the Users group, leading to DLL side loading. | 4.4 |
2019-07-03 | CVE-2019-6635 | F5 | Unspecified vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, when the BIG-IP system is licensed for Appliance mode, a user with either the Administrator or the Resource Administrator role can bypass Appliance mode restrictions. | 4.4 |
2019-07-03 | CVE-2019-6633 | F5 | Unspecified vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, when the BIG-IP system is licensed with Appliance mode, user accounts with Administrator and Resource Administrator roles can bypass Appliance mode restrictions. | 4.4 |
2019-07-02 | CVE-2019-5443 | Haxx Oracle Netapp | Uncontrolled Search Path Element vulnerability in multiple products A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. | 4.4 |
2019-07-07 | CVE-2019-13390 | Ffmpeg | Divide By Zero vulnerability in Ffmpeg 4.1.3 In FFmpeg 4.1.3, there is a division by zero at adx_write_trailer in libavformat/rawenc.c. | 4.3 |
2019-07-06 | CVE-2019-1933 | Cisco | Improper Input Validation vulnerability in Cisco Email Security Appliance 11.1.2023 A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. | 4.3 |
2019-07-06 | CVE-2019-1931 | Cisco | Cross-site Scripting vulnerability in Cisco Firepower Management Center Multiple vulnerabilities in the RSS dashboard in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. | 4.3 |
2019-07-06 | CVE-2019-1930 | Cisco | Cross-site Scripting vulnerability in Cisco Firepower Management Center Multiple vulnerabilities in the RSS dashboard in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. | 4.3 |
2019-07-06 | CVE-2019-1909 | Cisco | Improper Input Validation vulnerability in Cisco IOS XR A vulnerability in the implementation of Border Gateway Protocol (BGP) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. | 4.3 |
2019-07-05 | CVE-2019-10638 | Linux | Inadequate Encryption Strength vulnerability in Linux Kernel In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). | 4.3 |
2019-07-05 | CVE-2018-14027 | Digisol | Cross-site Scripting vulnerability in Digisol Dg-Hr-3300 Firmware Digisol Wireless Wifi Home Router HR-3300 allows XSS via the userid or password parameter to the admin login page. | 4.3 |
2019-07-05 | CVE-2019-5972 | Sukimalab | Cross-site Scripting vulnerability in Sukimalab Online Lesson Booking Cross-site scripting vulnerability in Online Lesson Booking 0.8.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2019-07-05 | CVE-2019-5970 | Sukimalab | Cross-site Scripting vulnerability in Sukimalab Attendance Manager Cross-site scripting vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2019-07-05 | CVE-2019-5967 | Joruri | Cross-site Scripting vulnerability in Joruri CMS 2017 Release1/Release2 Cross-site scripting vulnerability in Joruri CMS 2017 Release2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2019-07-05 | CVE-2019-5962 | Zoho | Cross-site Scripting vulnerability in Zoho Salesiq Cross-site scripting vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2019-07-04 | CVE-2019-13291 | Glyphandcog | Out-of-bounds Read vulnerability in Glyphandcog Xpdfreader 4.01.01 In Xpdf 4.01.01, there is a heap-based buffer over-read in the function DCTStream::readScan() located at Stream.cc. | 4.3 |
2019-07-04 | CVE-2019-13288 | Glyphandcog | Uncontrolled Recursion vulnerability in Glyphandcog Xpdfreader 4.01.01 In Xpdf 4.01.01, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. | 4.3 |
2019-07-04 | CVE-2019-13287 | Glyphandcog | Out-of-bounds Read vulnerability in Glyphandcog Xpdfreader 4.01.01 In Xpdf 4.01.01, there is an out-of-bounds read vulnerability in the function SplashXPath::strokeAdjust() located at splash/SplashXPath.cc. | 4.3 |
2019-07-04 | CVE-2019-13239 | Glpi Project | Cross-site Scripting vulnerability in Glpi-Project Glpi inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture. | 4.3 |
2019-07-03 | CVE-2019-12844 | Jetbrains | Code Injection vulnerability in Jetbrains Teamcity A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. | 4.3 |
2019-07-03 | CVE-2019-12843 | Jetbrains | Code Injection vulnerability in Jetbrains Teamcity A possible stored JavaScript injection requiring a deliberate server administrator action was detected. | 4.3 |
2019-07-03 | CVE-2019-12842 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains Teamcity A reflected XSS on a user page was detected on one of the JetBrains TeamCity pages. | 4.3 |
2019-07-03 | CVE-2019-9872 | Jetbrains | Cleartext Storage of Sensitive Information vulnerability in Jetbrains Intellij Idea In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. | 4.3 |
2019-07-03 | CVE-2019-6627 | F5 | Race Condition vulnerability in F5 SSL Orchestrator On F5 SSL Orchestrator 14.1.0-14.1.0.5, on rare occasions, specific to a certain race condition, TMM may restart when SSL Forward Proxy enforces the bypass action for an SSL Orchestrator transparent virtual server with SNAT enabled. | 4.3 |
2019-07-03 | CVE-2019-6626 | F5 | Cross-site Scripting vulnerability in F5 products On BIG-IP (AFM, Analytics, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.3.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration utility. | 4.3 |
2019-07-03 | CVE-2019-6625 | F5 | Cross-site Scripting vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI) also known as the BIG-IP Configuration utility. | 4.3 |
2019-07-03 | CVE-2018-12715 | Digisol | Cross-site Scripting vulnerability in Digisol Dg-Hr3400 Firmware DIGISOL DG-HR3400 devices have XSS via a modified SSID when the apssid value is unchanged. | 4.3 |
2019-07-03 | CVE-2019-13186 | 1234N | Cross-site Scripting vulnerability in 1234N Minicms 1.10 In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the tags box. | 4.3 |
2019-07-03 | CVE-2017-6216 | Novaksolutions | Cross-site Scripting vulnerability in Novaksolutions Infusionsoft-PHP-Sdk 20161031 novaksolutions/infusionsoft-php-sdk v2016-10-31 is vulnerable to a reflected XSS in leadscoring.php, resulting in code execution. | 4.3 |
2019-07-03 | CVE-2017-17972 | Archon Project | Cross-site Scripting vulnerability in Archon Project Archon 3.21 packages/subjects/pub/subjects.php in Archon 3.21 rev-1 has XSS in the referer parameter in an index.php?subjecttypeid=xxx request, aka Open Bug Bounty ID OBB-466362. | 4.3 |
2019-07-03 | CVE-2018-11317 | Intelliants | Cross-site Scripting vulnerability in Intelliants Subrion Subrion CMS before 4.1.4 has XSS. | 4.3 |
2019-07-03 | CVE-2018-11227 | Monstra | Cross-site Scripting vulnerability in Monstra CMS Monstra CMS 3.0.4 and earlier has XSS via index.php. | 4.3 |
2019-07-02 | CVE-2017-11578 | Blipcare | Information Exposure vulnerability in Blipcare Wi-Fi Blood Pressure Monitor Firmware In the most recent firmware for the Blipcare device, research on IoT devices found that the web management interface can be reached over a non-SSL connection using plain-text HTTP. | 4.3 |
2019-07-02 | CVE-2019-10136 | Redhat | Improper Verification of Cryptographic Signature vulnerability in Redhat Satellite and Spacewalk It was found that Spacewalk, all versions through 2.9, did not safely compute client token checksums. | 4.3 |
2019-07-01 | CVE-2019-3962 | Tenable | Cross-site Scripting vulnerability in Tenable Nessus Content Injection vulnerability in Tenable Nessus prior to 8.5.0 may allow an authenticated, local attacker to exploit this vulnerability by convincing another targeted Nessus user to view a malicious URL and use Nessus to send fraudulent messages. | 4.3 |
2019-07-01 | CVE-2019-13137 | Imagemagick Debian Canonical | Memory Leak vulnerability in multiple products ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadPSImage in coders/ps.c. | 4.3 |
2019-07-01 | CVE-2019-13134 | Imagemagick Opensuse | Memory Leak vulnerability in multiple products ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c. | 4.3 |
2019-07-01 | CVE-2019-13133 | Imagemagick Opensuse | Memory Leak vulnerability in multiple products ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c. | 4.3 |
2019-07-01 | CVE-2019-1578 | Paloaltonetworks | Cross-site Scripting vulnerability in Paloaltonetworks Minemeld 0.9.60 Cross-site scripting vulnerability in Palo Alto Networks MineMeld version 0.9.60 and earlier may allow a remote attacker who convinces an authenticated MineMeld admin to type malicious input into the MineMeld UI to execute arbitrary JavaScript code in the admin's browser. | 4.3 |
2019-07-01 | CVE-2016-5235 | F5 | Cross-site Scripting vulnerability in F5 Websafe Alert Server 1.0.0/3.9.5 A Cross Site Scripting (XSS) vulnerability in versions of F5 WebSafe Dashboard 3.9.x and earlier, aka F5 WebSafe Alert Server, allows an unauthenticated user to inject HTML via a crafted alert. | 4.3 |
2019-07-01 | CVE-2019-13127 | Draw Jgraph | Cross-site Scripting vulnerability in multiple products An issue was discovered in mxGraph through 4.0.0, related to the "draw.io Diagrams" plugin before 8.3.14 for Confluence and other products. | 4.3 |
2019-07-01 | CVE-2019-12970 | Squirrelmail | Cross-site Scripting vulnerability in Squirrelmail XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. | 4.3 |
2019-07-04 | CVE-2019-1884 | Cisco | Improper Input Validation vulnerability in Cisco Asyncos and web Security Appliance A vulnerability in the web proxy functionality of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 4.0 |
2019-07-03 | CVE-2019-12846 | Jetbrains | Unspecified vulnerability in Jetbrains Teamcity A user without the required permissions could gain access to some JetBrains TeamCity settings. | 4.0 |
2019-07-03 | CVE-2017-8230 | Amcrest | Permissions, Privileges, and Access Controls vulnerability in Amcrest Ipm-721S Firmware On Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices, the users on the device are divided into 2 groups "admin" and "user". | 4.0 |
2019-07-03 | CVE-2019-6637 | F5 | Unspecified vulnerability in F5 Big-Ip Application Security Manager On BIG-IP (ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. | 4.0 |
2019-07-03 | CVE-2019-6634 | F5 | Unspecified vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, a high volume of malformed analytics report requests leads to instability in restjavad process. | 4.0 |
2019-07-03 | CVE-2019-5601 | Freebsd | Information Exposure vulnerability in Freebsd 11.2/12.0 In FreeBSD 12.0-STABLE before r347474, 12.0-RELEASE before 12.0-RELEASE-p7, 11.2-STABLE before r347475, and 11.2-RELEASE before 11.2-RELEASE-p11, a bug in the FFS implementation causes up to three bytes of kernel stack memory to be written to disk as uninitialized directory entry padding. | 4.0 |
2019-07-03 | CVE-2019-12847 | Jetbrains | Insufficiently Protected Credentials vulnerability in Jetbrains HUB In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. | 4.0 |
2019-07-03 | CVE-2018-14865 | Odoo | Information Exposure vulnerability in Odoo 10.0/11.0/9.0 Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier does not use secure options when passing documents to wkhtmltopdf, which allows remote attackers to read local files. | 4.0 |
2019-07-03 | CVE-2018-14864 | Odoo | Improper Access Control vulnerability in Odoo 10.0/8.0/9.0 Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment. | 4.0 |
2019-07-03 | CVE-2018-14861 | Odoo | Incorrect Permission Assignment for Critical Resource vulnerability in Odoo 10.0/11.0 Improper data access control in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows authenticated users to perform a CSV export of the secure hashed passwords of other users. | 4.0 |
2019-07-03 | CVE-2018-14866 | Odoo | Incorrect Permission Assignment for Critical Resource vulnerability in Odoo 10.0/11.0/9.0 Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs. | 4.0 |
2019-07-03 | CVE-2017-9327 | Cloudera | Permission Issues vulnerability in Cloudera Manager 5.10.1/5.11.0/5.9.2 Secret data of processes managed by CM is not secured by file permissions. | 4.0 |
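The two deepin-clone entries in the table above (CVE-2019-13227 and CVE-2019-13228) share one pattern: a privileged process creates a file at a fixed, predictable path in a world-writable directory and follows whatever is already there. The script below is an added example, not deepin-clone code; it reproduces the attack against a throwaway directory standing in for /tmp and shows the create-only open that refuses a pre-planted link. The directory, file names and log line are constructed for the demonstration.

```python
"""Fixed-path file creation in a shared directory (the pattern behind the
deepin-clone entries), shown as an added example rather than project code.
A predictable path under /tmp written by a privileged process lets any local
user pre-plant a symlink and redirect the write to a file of their choosing."""
import errno
import os
import tempfile


def vulnerable_write(path: str, line: str) -> None:
    """open() follows whatever is already at `path`, symlink included."""
    with open(path, "a") as fh:
        fh.write(line)


def hardened_write(path: str, line: str) -> None:
    """Create-only open: O_CREAT|O_EXCL fails with EEXIST if anything is
    already at `path` (regular file, symlink, even a dangling symlink), so a
    pre-planted link is never followed.  O_NOFOLLOW is added where the
    platform provides it.  Mode 0o600 keeps the file private to the writer."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(line)


def attack(writer) -> tuple:
    """Constructed scenario: a temporary directory stands in for /tmp, a
    'victim' file stands in for whatever the attacker wants overwritten, and
    the fixed log name already exists as a symlink to it when `writer` runs.
    Returns (victim contents afterwards, errno name raised by writer or None)."""
    with tempfile.TemporaryDirectory() as shared:
        victim = os.path.join(shared, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("original\n")
        log_path = os.path.join(shared, ".app.log")  # fixed, predictable name
        os.symlink(victim, log_path)                  # planted before the writer runs
        err = None
        try:
            writer(log_path, "injected\n")
        except OSError as exc:
            err = errno.errorcode.get(exc.errno, str(exc.errno))
        with open(victim) as fh:
            return fh.read(), err


if __name__ == "__main__":
    print("vulnerable:", attack(vulnerable_write))  # victim now contains "injected"
    print("hardened:  ", attack(hardened_write))    # EEXIST, victim untouched
```

The hardened open is the smallest change that makes the difference visible in one call. A tool that must keep a log across runs should instead write under a directory only it can create (tempfile.mkdtemp, or a root-owned path outside /tmp), because a create-only open cannot reopen an existing file.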
12 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-07-05 | CVE-2019-13341 | 1234N | Cross-site Scripting vulnerability in 1234N Minicms 1.10 In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie. | 3.5 |
2019-07-05 | CVE-2019-13340 | 1234N | Cross-site Scripting vulnerability in 1234N Minicms 1.10 In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. | 3.5 |
2019-07-05 | CVE-2019-13339 | 1234N | Cross-site Scripting vulnerability in 1234N Minicms 1.10 In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie. | 3.5 |
2019-07-03 | CVE-2017-9326 | Cloudera | Credentials Management vulnerability in Cloudera Manager 5.11.0 The keystore password for the Spark History Server may be exposed in unsecured files under the /var/run/cloudera-scm-agent directory managed by Cloudera Manager. | 3.5 |
2019-07-01 | CVE-2016-5236 | F5 | Cross-site Scripting vulnerability in F5 Websafe Alert Server 1.0.0/3.9.5 Cross-Site-Scripting (XSS) vulnerabilities in F5 WebSafe Dashboard 3.9.5 and earlier, aka F5 WebSafe Alert Server, allow privileged authenticated users to inject arbitrary web script or HTML when creating a new user, account or signature. | 3.5 |
2019-07-04 | CVE-2019-1890 | Cisco | Unspecified vulnerability in Cisco Application Policy Infrastructure Controller 7.3(0)Zn(0.113) A vulnerability in the fabric infrastructure VLAN connection establishment of the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN. | 3.3 |
2019-07-04 | CVE-2019-13232 | Unzip Project Debian | Resource Exhaustion vulnerability in multiple products Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue. | 3.3 |
2019-07-03 | CVE-2019-10183 | Redhat | Information Exposure vulnerability in Redhat Enterprise Linux and Virt-Manager Virt-install(1) utility used to provision new virtual machines has introduced an option '--unattended' to create VMs without user interaction. | 3.3 |
2019-07-02 | CVE-2017-8417 | Dlink | Credentials Management vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. | 3.3 |
2019-07-01 | CVE-2019-4296 | IBM | Information Exposure Through Log Files vulnerability in IBM Robotic Process Automation With Automation Anywhere 11.0.0.0/11.0.0.1/11.0.0.2 IBM Robotic Process Automation with Automation Anywhere 11 information disclosure could allow a local user to obtain e-mail contents from the client debug log file. | 3.3 |
2019-07-03 | CVE-2019-6632 | F5 | Cryptographic Issues vulnerability in F5 products On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness. | 2.1 |
2019-07-01 | CVE-2019-4101 | IBM | Unspecified vulnerability in IBM DB2 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1, 10.5, and 11.1 is vulnerable to a denial of service. | 2.1 |
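The UnZip entry above (CVE-2019-13232) concerns archives whose members overlap inside the container, which is how a "better zip bomb" reaches a very large expansion ratio from a small file. As an added example, not UnZip or CPython code, the script below walks the ZIP central directory and local headers with the standard library and flags any two members whose byte ranges overlap. The two-file archive and its crafted variant are constructed inside the script.

```python
"""Detect overlapping entries in a ZIP file, the layout used by the "better
zip bomb" noted against Info-ZIP UnZip 6.0.  Added example, not UnZip or
CPython code: it parses the central directory and local headers with struct
and flags any two entries whose byte ranges overlap.  A legitimate archive
lays entries end to end, so any overlap is grounds to reject the file before
extraction."""
import io
import struct
import zipfile

LOCAL_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT, CD_FMT, EOCD_FMT = "<4s5HLLLHH", "<4s6HLLL5HLL", "<4s4HLLH"
LOCAL_LEN, CD_LEN, EOCD_LEN = 30, 46, 22  # fixed-size part of each record


def central_directory(data: bytes):
    """Yield (name, local_header_offset, compressed_size) per central-directory record."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _sig, _disk, _cd_disk, _n_here, n_total, _cd_size, cd_offset, _clen = struct.unpack(
        EOCD_FMT, data[eocd_pos:eocd_pos + EOCD_LEN])
    pos = cd_offset
    for _ in range(n_total):
        rec = struct.unpack(CD_FMT, data[pos:pos + CD_LEN])
        if rec[0] != CD_SIG:
            raise ValueError(f"bad central-directory signature at offset {pos}")
        csize, nlen, elen, clen, offset = rec[8], rec[10], rec[11], rec[12], rec[16]
        name = data[pos + CD_LEN:pos + CD_LEN + nlen].decode("utf-8", "replace")
        yield name, offset, csize
        pos += CD_LEN + nlen + elen + clen


def entry_spans(data: bytes):
    """[start, end) byte range each entry claims: local header + name + extra +
    compressed data.  Name/extra lengths come from the local header, which a
    crafted file may set differently from the central directory."""
    spans = []
    for name, offset, csize in central_directory(data):
        hdr = struct.unpack(LOCAL_FMT, data[offset:offset + LOCAL_LEN])
        if hdr[0] != LOCAL_SIG:
            raise ValueError(f"{name}: no local header at offset {offset}")
        nlen, elen = hdr[9], hdr[10]
        spans.append((offset, offset + LOCAL_LEN + nlen + elen + csize, name))
    return spans


def overlapping_entries(data: bytes):
    """Return (earlier_name, later_name) pairs whose ranges overlap; [] for a
    well-formed archive.  A sweep over start-sorted spans catches one entry
    overlapping many, not just its immediate neighbour."""
    found, max_end, owner = [], 0, None
    for start, end, name in sorted(entry_spans(data)):
        if owner is not None and start < max_end:
            found.append((owner, name))
        if end > max_end:
            max_end, owner = end, name
    return found


def build_fixture():
    """Constructed sample data: a clean two-file archive from zipfile, and a
    'bomb' variant with a third central-directory record that reuses the first
    entry's local header offset under a new name, so two names claim one range."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("file-0.txt", b"A" * 64)
        zf.writestr("file-1.txt", b"B" * 64)
    clean = buf.getvalue()

    eocd_pos = clean.rfind(EOCD_SIG)
    sig, disk, cd_disk, n_here, n_total, cd_size, cd_offset, clen = struct.unpack(
        EOCD_FMT, clean[eocd_pos:eocd_pos + EOCD_LEN])
    rec = struct.unpack(CD_FMT, clean[cd_offset:cd_offset + CD_LEN])
    nlen, rec_len = rec[10], CD_LEN + rec[10] + rec[11] + rec[12]
    first = clean[cd_offset:cd_offset + rec_len]
    alias = first[:CD_LEN] + b"file-X.txt" + first[CD_LEN + nlen:]  # same-length name
    eocd = struct.pack(EOCD_FMT, sig, disk, cd_disk, n_here + 1, n_total + 1,
                       cd_size + len(alias), cd_offset, clen)
    bomb = clean[:eocd_pos] + alias + eocd
    return clean, bomb


if __name__ == "__main__":
    clean, bomb = build_fixture()
    print("clean:", overlapping_entries(clean))  # []
    print("bomb: ", overlapping_entries(bomb))   # [('file-0.txt', 'file-X.txt')]
```

The check uses the compressed size recorded in the central directory and the name/extra lengths from the local header. A data descriptor following the data (general-purpose flag bit 3) is not counted; that can only make a span shorter, so overlap of the compressed data itself is still caught. Reject the archive on any non-empty result instead of extracting and measuring output size afterwards.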