Weekly Vulnerabilities Reports > July 1 to 7, 2019

Overview

355 new vulnerabilities reported during this period, including 39 critical vulnerabilities and 101 high severity vulnerabilities. This weekly summary report vulnerabilities in 363 products from 116 vendors including F5, IBM, Opensuse, Imagemagick, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-Site Request Forgery (CSRF)", "Out-of-bounds Write", and "Out-of-bounds Read".

  • 301 reported vulnerabilities are remotely exploitables.
  • 8 reported vulnerabilities have public exploit available.
  • 110 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 271 reported vulnerabilities are exploitable by an anonymous user.
  • F5 has the most reported vulnerabilities, with 26 reported vulnerabilities.
  • Dlink has the most reported critical vulnerabilities, with 9 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

39 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-05 CVE-2019-13352 Wolfvision Use of Hard-coded Credentials vulnerability in Wolfvision Cynap

WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic secret for generating support PINs for the 'forgot password' feature.

10.0
2019-07-05 CVE-2019-12971 G U Unrestricted Upload of File with Dangerous Type vulnerability in G-U BKS EBK Ethernet-Buskoppler PRO Firmware

BKS EBK Ethernet-Buskoppler Pro before 3.01 allows Unrestricted Upload of a File with a Dangerous Type.

10.0
2019-07-05 CVE-2018-14528 Invoxia Use of Hard-coded Credentials vulnerability in Invoxia Nvx220 Firmware

Invoxia NVX220 devices allow TELNET access as admin with a default password.

10.0
2019-07-04 CVE-2019-13294 Arox Improper Authentication vulnerability in Arox School-Erp

AROX School-ERP Pro has a command execution vulnerability.

10.0
2019-07-03 CVE-2017-6900 Riello UPS Credentials Management vulnerability in Riello-Ups Netman 204 Firmware 142/152

An issue was discovered in Riello NetMan 204 14-2 and 15-2.

10.0
2019-07-02 CVE-2017-8415 Dlink Use of Hard-coded Credentials vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices.

10.0
2019-07-02 CVE-2017-8410 Dlink Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices.

10.0
2019-07-02 CVE-2019-7257 Nortekcontrol Unrestricted Upload of File with Dangerous Type vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices allow Unrestricted File Upload.

10.0
2019-07-02 CVE-2017-8404 Dlink Command Injection vulnerability in Dlink Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1130 devices.

10.0
2019-07-02 CVE-2019-7268 Nortekcontrol Unrestricted Upload of File with Dangerous Type vulnerability in Nortekcontrol products

Linear eMerge 50P/5000P devices allow Unauthenticated File Upload.

10.0
2019-07-02 CVE-2019-7263 Nortekcontrol Source Code vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices have a Version Control Failure.

10.0
2019-07-01 CVE-2019-7276 Optergy Unspecified vulnerability in Optergy Enterprise and Proton

Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.

10.0
2019-07-06 CVE-2019-13375 Dlink SQL Injection vulnerability in Dlink Central Wifimanager 1.03

A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 in PayAction.class.php with the index.php/Pay/passcodeAuth parameter passcode.

9.8
2019-07-06 CVE-2019-13373 Dlink SQL Injection vulnerability in Dlink Central Wifimanager 1.03

An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6.

9.8
2019-07-06 CVE-2019-13372 Dlink Code Injection vulnerability in Dlink Central Wifimanager

/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.

9.8
2019-07-03 CVE-2019-13207 Nlnetlabs Out-of-bounds Write vulnerability in Nlnetlabs Name Server Daemon 4.2.0

nsd-checkzone in NLnet Labs NSD 4.2.0 has a Stack-based Buffer Overflow in the dname_concatenate() function in dname.c.

9.8
2019-07-03 CVE-2019-7165 Dosbox
Debian
Fedoraproject
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

A buffer overflow in DOSBox 0.74-2 allows attackers to execute arbitrary code.

9.8
2019-07-02 CVE-2019-10137 Redhat Path Traversal vulnerability in Redhat Satellite and Spacewalk

A path traversal flaw was found in spacewalk-proxy, all versions through 2.9, in the way the proxy processes cached client tokens.

9.8
2019-07-02 CVE-2019-7256 Nortekcontrol OS Command Injection vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices allow Command Injections.

9.8
2019-07-02 CVE-2019-7261 Nortekcontrol Use of Hard-coded Credentials vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices have Hard-coded Credentials.

9.8
2019-07-02 CVE-2019-7269 Nortekcontrol OS Command Injection vulnerability in Nortekcontrol products

Linear eMerge 50P/5000P devices allow Authenticated Command Injection with root Code Execution.

9.8
2019-07-02 CVE-2019-7267 Nortekcontrol Path Traversal vulnerability in Nortekcontrol products

Linear eMerge 50P/5000P devices allow Cookie Path Traversal.

9.8
2019-07-02 CVE-2019-7266 Nortekcontrol Reliance on Cookies without Validation and Integrity Checking vulnerability in Nortekcontrol products

Linear eMerge 50P/5000P devices allow Authentication Bypass.

9.8
2019-07-02 CVE-2019-7265 Nortekcontrol Use of Hard-coded Credentials vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices allow Remote Code Execution (root access over SSH).

9.8
2019-07-02 CVE-2019-12594 Dosbox
Debian
DOSBox 0.74-2 has Incorrect Access Control.
9.8
2019-07-02 CVE-2017-8408 Dlink Command Injection vulnerability in Dlink Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1130 devices.

9.8
2019-07-02 CVE-2019-4087 IBM Out-of-bounds Write vulnerability in IBM Spectrum Protect Operations Center

IBM Spectrum Protect Servers 7.1 and 8.1 and Storage Agents are vulnerable to a stack-based buffer overflow, caused by improper bounds checking by servers and storage agents in response to specifically crafted communication exchanges.

9.8
2019-07-01 CVE-2019-7274 Optergy Unrestricted Upload of File with Dangerous Type vulnerability in Optergy Enterprise and Proton

Optergy Proton/Enterprise devices allow Authenticated File Upload with Code Execution as root.

9.8
2019-07-01 CVE-2019-7667 Primasystems Use of Insufficiently Random Values vulnerability in Primasystems Flexair 2.3.38

Prima Systems FlexAir, Versions 2.3.38 and prior.

9.8
2019-07-01 CVE-2019-4336 IBM Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Robotic Process Automation With Automation Anywhere

IBM Robotic Process Automation with Automation Anywhere 11 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.

9.8
2019-07-04 CVE-2019-1855 Cisco Uncontrolled Search Path Element vulnerability in Cisco Jabber

A vulnerability in the loading mechanism of specific dynamic link libraries in Cisco Jabber for Windows could allow an authenticated, local attacker to perform a DLL preloading attack.

9.3
2019-07-02 CVE-2017-8411 Dlink Command Injection vulnerability in Dlink Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1130 devices.

9.3
2019-07-07 CVE-2019-13379 Avtech Exposure of Resource to Wrong Sphere vulnerability in Avtech Room Alert 3E Firmware

On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device's web interface may escalate privileges from an unauthenticated user to administrator by performing a cmd.cgi?action=ResetDefaults&src=RA reset and using the default credentials to get in.

9.0
2019-07-06 CVE-2019-1894 Cisco Improper Input Validation vulnerability in Cisco Enterprise NFV Infrastructure Software 3.9.1

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker with administrator privileges to overwrite or read arbitrary files on the underlying operating system (OS) of an affected device.

9.0
2019-07-04 CVE-2019-1889 Cisco Improper Input Validation vulnerability in Cisco Application Policy Infrastructure Controller 4.1(1J)

A vulnerability in the REST API for software device management in Cisco Application Policy Infrastructure Controller (APIC) Software could allow an authenticated, remote attacker to escalate privileges to root on an affected device.

9.0
2019-07-03 CVE-2018-14860 Odoo OS Command Injection vulnerability in Odoo 10.0/11.0/8.0

Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system.

9.0
2019-07-03 CVE-2019-5602 Freebsd Incorrect Authorization vulnerability in Freebsd 11.2/11.3/12.0

In FreeBSD 12.0-STABLE before r349628, 12.0-RELEASE before 12.0-RELEASE-p7, 11.3-PRERELEASE before r349629, 11.3-RC3 before 11.3-RC3-p1, and 11.2-RELEASE before 11.2-RELEASE-p11, a bug in the cdrom driver allows users with read access to the cdrom device to arbitrarily overwrite kernel memory when media is present thereby allowing a malicious user in the operator group to gain root privileges.

9.0
2019-07-01 CVE-2019-13024 Centreon Command Injection vulnerability in Centreon 19.04.0

Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).

9.0
2019-07-01 CVE-2019-13128 Dlink OS Command Injection vulnerability in Dlink Dir-823G Firmware 1.02B03

An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03.

9.0

101 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-06 CVE-2019-13370 Ignitedcms Cross-Site Request Forgery (CSRF) vulnerability in Ignitedcms 1.0.0/1.0.1

index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator.

8.8
2019-07-05 CVE-2019-5984 Waspthemes Cross-Site Request Forgery (CSRF) vulnerability in Waspthemes Custom CSS PRO

Cross-site request forgery (CSRF) vulnerability in Custom CSS Pro 1.0.3 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

8.8
2019-07-05 CVE-2019-5983 FLA Shop Cross-Site Request Forgery (CSRF) vulnerability in Fla-Shop Html5 Maps

Cross-site request forgery (CSRF) vulnerability in HTML5 Maps 1.6.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

8.8
2019-07-05 CVE-2019-5980 Meomundo Cross-Site Request Forgery (CSRF) vulnerability in Meomundo Related Youtube Videos

Cross-site request forgery (CSRF) vulnerability in Related YouTube Videos versions prior to 1.9.9 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

8.8
2019-07-05 CVE-2019-5979 Najeebmedia Cross-Site Request Forgery (CSRF) vulnerability in Najeebmedia Personalized Woocommerce Cart Page

Cross-site request forgery (CSRF) vulnerability in Personalized WooCommerce Cart Page 2.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

8.8
2019-07-05 CVE-2019-5973 Sukimalab Cross-Site Request Forgery (CSRF) vulnerability in Sukimalab Online Lesson Booking

Cross-site request forgery (CSRF) vulnerability in Online Lesson Booking 0.8.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

8.8
2019-07-05 CVE-2019-13308 Imagemagick
Canonical
Debian
Opensuse
Out-of-bounds Write vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow in MagickCore/fourier.c in ComplexImage.

8.8
2019-07-05 CVE-2019-13303 Imagemagick
Opensuse
Out-of-bounds Read vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read in MagickCore/composite.c in CompositeImage.

8.8
2019-07-05 CVE-2019-13302 Imagemagick
Opensuse
Out-of-bounds Read vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read in MagickCore/fourier.c in ComplexImages.

8.8
2019-07-05 CVE-2019-13300 Imagemagick
Debian
Canonical
Opensuse
Out-of-bounds Write vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling columns.

8.8
2019-07-05 CVE-2019-13299 Imagemagick
Opensuse
Out-of-bounds Read vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/pixel-accessor.h in GetPixelChannel.

8.8
2019-07-05 CVE-2019-13298 Imagemagick
Opensuse
Out-of-bounds Write vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/pixel-accessor.h in SetPixelViaPixelInfo because of a MagickCore/enhance.c error.

8.8
2019-07-02 CVE-2019-7258 Nortekcontrol Incorrect Authorization vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices allow Privilege Escalation.

8.8
2019-07-02 CVE-2019-7262 Nortekcontrol Cross-Site Request Forgery (CSRF) vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices allow Cross-Site Request Forgery (CSRF).

8.8
2019-07-02 CVE-2019-7259 Nortekcontrol Information Exposure vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices allow Authorization Bypass with Information Disclosure.

8.8
2019-07-02 CVE-2019-7270 Nortekcontrol Cross-Site Request Forgery (CSRF) vulnerability in Nortekcontrol products

Linear eMerge 50P/5000P devices allow Cross-Site Request Forgery (CSRF).

8.8
2019-07-02 CVE-2019-4292 IBM Unrestricted Upload of File with Dangerous Type vulnerability in IBM Security Guardium 10.5

IBM Security Guardium 10.5 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable web server.

8.8
2019-07-01 CVE-2019-7273 Optergy Cross-Site Request Forgery (CSRF) vulnerability in Optergy Enterprise and Proton

Optergy Proton/Enterprise devices allow Cross-Site Request Forgery (CSRF).

8.8
2019-07-01 CVE-2019-6642 F5 Unspecified vulnerability in F5 products

In BIG-IP 15.0.0, 14.0.0-14.1.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.2, and 11.5.2-11.6.4, BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, authenticated users with the ability to upload files (via scp, for example) can escalate their privileges to allow root shell access from within the TMOS Shell (tmsh) interface.

8.8
2019-07-01 CVE-2019-13135 Imagemagick
Debian
Canonical
F5
Use of Uninitialized Resource vulnerability in multiple products

ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c.

8.8
2019-07-01 CVE-2019-7669 Primasystems Unrestricted Upload of File with Dangerous Type vulnerability in Primasystems Flexair 2.3.38

Prima Systems FlexAir, Versions 2.3.38 and prior.

8.8
2019-07-01 CVE-2019-7666 Primasystems Improper Authentication vulnerability in Primasystems Flexair 2.3.38

Prima Systems FlexAir, Versions 2.3.38 and prior.

8.8
2019-07-01 CVE-2019-7281 Primasystems Cross-Site Request Forgery (CSRF) vulnerability in Primasystems Flexair 2.3.38

Prima Systems FlexAir, Versions 2.3.38 and prior.

8.8
2019-07-01 CVE-2019-7280 Primasystems Insufficient Session Expiration vulnerability in Primasystems Flexair 2.3.38

Prima Systems FlexAir, Versions 2.3.38 and prior.

8.8
2019-07-03 CVE-2019-6636 F5 Cross-Site Request Forgery (CSRF) vulnerability in F5 products

On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability in AFM feed list.

8.5
2019-07-02 CVE-2017-8416 Dlink Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices.

8.3
2019-07-02 CVE-2017-8413 Dlink Command Injection vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices.

8.3
2019-07-03 CVE-2019-10103 Jetbrains Missing Encryption of Sensitive Data vulnerability in Jetbrains Kotlin

JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack.

8.1
2019-07-03 CVE-2019-10102 Jetbrains Cleartext Transmission of Sensitive Information vulnerability in Jetbrains Kotlin and Ktor

JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.

8.1
2019-07-03 CVE-2019-10101 Jetbrains Cleartext Transmission of Sensitive Information vulnerability in Jetbrains Kotlin

JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.

8.1
2019-07-02 CVE-2019-13178 Calamares Race Condition vulnerability in Calamares

modules/luksbootkeyfile/main.py in Calamares versions 3.1 through 3.2.10 has a race condition between the time when the LUKS encryption keyfile is created and when secure permissions are set.

8.1
2019-07-06 CVE-2019-1922 Cisco NULL Pointer Dereference vulnerability in Cisco products

A vulnerability in Cisco SIP IP Phone Software for Cisco IP Phone 7800 Series and 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected phone.

7.8
2019-07-05 CVE-2019-13314 Redhat Information Exposure vulnerability in Redhat Virt-Bootstrap 1.1.0

virt-bootstrap 1.1.0 allows local users to discover a root password by listing a process, because this password may be present in the --root-password option to virt_bootstrap.py.

7.8
2019-07-05 CVE-2019-13313 Libosinfo
Fedoraproject
Redhat
Information Exposure vulnerability in multiple products

libosinfo 1.5.0 allows local users to discover credentials by listing a process, because credentials are passed to osinfo-install-script via the command line.

7.8
2019-07-05 CVE-2019-13307 Imagemagick
Debian
Canonical
Opensuse
Out-of-bounds Write vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling rows.

7.8
2019-07-05 CVE-2019-13306 Imagemagick
Debian
Canonical
Opensuse
Off-by-one Error vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of off-by-one errors.

7.8
2019-07-05 CVE-2019-13305 Imagemagick
Debian
Canonical
Opensuse
Off-by-one Error vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced strncpy and an off-by-one error.

7.8
2019-07-05 CVE-2019-13304 Imagemagick
Debian
Canonical
Opensuse
Out-of-bounds Write vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced assignment.

7.8
2019-07-04 CVE-2019-13290 Artifex Out-of-bounds Write vulnerability in Artifex Mupdf 1.15.0

Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_display_node located at fitz/list-device.c, allowing remote attackers to execute arbitrary code via a crafted PDF file.

7.8
2019-07-04 CVE-2019-13283 Glyphandcog
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in strncpy from FoFiType1::parse in fofi/FoFiType1.cc because it does not ensure the source string has a valid length before making a fixed-length copy.

7.8
2019-07-04 CVE-2019-13282 Glyphandcog
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in SampledFunction::transform in Function.cc when using a large index for samples.

7.8
2019-07-04 CVE-2019-13281 Glyphandcog
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

In Xpdf 4.01.01, a heap-based buffer overflow could be triggered in DCTStream::decodeImage() in Stream.cc when writing to frameBuf memory.

7.8
2019-07-04 CVE-2019-13241 Flightcrew Project
Canonical
Path Traversal vulnerability in multiple products

FlightCrew v0.9.2 and older are vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.

7.8
2019-07-03 CVE-2019-13074 Mikrotik Allocation of Resources Without Limits or Throttling vulnerability in Mikrotik Routeros

A vulnerability in the FTP daemon on MikroTik routers through 6.44.3 could allow remote attackers to exhaust all available memory, causing the device to reboot because of uncontrolled resource management.

7.8
2019-07-03 CVE-2018-11424 Moxa Out-of-bounds Write vulnerability in Moxa products

There is Memory corruption in the web interface of Moxa OnCell G3470A-LTE Series version 1.6 Build 18021314 and prior, a different vulnerability than CVE-2018-11425.

7.8
2019-07-03 CVE-2018-11423 Moxa Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Moxa products

There is Memory corruption in the web interface Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior, different vulnerability than CVE-2018-11420.

7.8
2019-07-03 CVE-2019-13164 Qemu
Debian
Opensuse
Canonical
qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.
7.8
2019-07-02 CVE-2019-5599 Freebsd Allocation of Resources Without Limits or Throttling vulnerability in Freebsd 12.0

In FreeBSD 12.0-STABLE before r349197 and 12.0-RELEASE before 12.0-RELEASE-p6, a bug in the non-default RACK TCP stack can allow an attacker to cause several linked lists to grow unbounded and cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service.

7.8
2019-07-02 CVE-2019-4088 IBM Unspecified vulnerability in IBM Spectrum Protect Operations Center

IBM Spectrum Protect Servers 7.1 and 8.1 and Storage Agents could allow a local attacker to gain elevated privileges on the system, caused by loading a specially crafted library loaded by the dsmqsan module.

7.8
2019-07-01 CVE-2019-13136 Imagemagick Integer Overflow or Wraparound vulnerability in Imagemagick

ImageMagick before 7.0.8-50 has an integer overflow vulnerability in the function TIFFSeekCustomStream in coders/tiff.c.

7.8
2019-07-01 CVE-2019-4322 IBM Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM DB2

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.

7.8
2019-07-01 CVE-2019-4154 IBM Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM DB2

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.

7.8
2019-07-01 CVE-2019-13129 Motorola Uncontrolled Recursion vulnerability in Motorola Cx2L Mwr04L Firmware 1.01

On the Motorola router CX2L MWR04L 1.01, there is a stack consumption (infinite recursion) issue in scopd via TCP port 8010 and UDP port 8080.

7.8
2019-07-05 CVE-2019-10639 Linux Inadequate Encryption Strength vulnerability in Linux Kernel

The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass.

7.5
2019-07-05 CVE-2019-13144 Mytinytodo Improper Neutralization of Formula Elements in a CSV File vulnerability in Mytinytodo

myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection.

7.5
2019-07-04 CVE-2019-13292 Weberp SQL Injection vulnerability in Weberp 4.15

A SQL Injection issue was discovered in webERP 4.15.

7.5
2019-07-04 CVE-2019-13275 Veronalabs SQL Injection vulnerability in Veronalabs WP Statistics

An issue was discovered in the VeronaLabs wp-statistics plugin before 12.6.7 for WordPress.

7.5
2019-07-03 CVE-2019-9827 Hawt Server-Side Request Forgery (SSRF) vulnerability in Hawt Hawtio

Hawt Hawtio through 2.5.0 is vulnerable to SSRF, allowing a remote attacker to trigger an HTTP request from an affected server to an arbitrary host via the initial /proxy/ substring of a URI.

7.5
2019-07-03 CVE-2015-3907 Codeigniter Restserver Project XXE vulnerability in Codeigniter-Restserver Project Codeigniter-Restserver 2.7.1

CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE attacks.

7.5
2019-07-03 CVE-2019-12852 Jetbrains Server-Side Request Forgery (SSRF) vulnerability in Jetbrains Youtrack

An SSRF attack was possible on a JetBrains YouTrack server.

7.5
2019-07-03 CVE-2017-8226 Amcrest Use of Hard-coded Credentials vulnerability in Amcrest Ipm-721S Firmware

Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have default credentials that are hardcoded in the firmware and can be extracted by anyone who reverses the firmware to identify them.

7.5
2019-07-03 CVE-2017-13719 Amcrest Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Amcrest Ipm-721S Firmware Amcrestipcawxxengnv2.420.Ac00.17.R.20170322

The Amcrest IPM-721S Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 allows HTTP requests that permit enabling various functionalities of the camera by using HTTP APIs, instead of the web management interface that is provided by the application.

7.5
2019-07-03 CVE-2019-9186 Jetbrains Improper Input Validation vulnerability in Jetbrains Intellij Idea

In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface).

7.5
2019-07-03 CVE-2019-5600 Freebsd Out-of-bounds Write vulnerability in Freebsd 11.2/11.3/12.0

In FreeBSD 12.0-STABLE before r349622, 12.0-RELEASE before 12.0-RELEASE-p7, 11.3-PRERELEASE before r349624, 11.3-RC3 before 11.3-RC3-p1, and 11.2-RELEASE before 11.2-RELEASE-p11, a bug in iconv implementation may allow an attacker to write past the end of an output buffer.

7.5
2019-07-03 CVE-2019-12867 Jetbrains Unspecified vulnerability in Jetbrains Youtrack

Certain actions could cause privilege escalation for issue attachments in JetBrains YouTrack.

7.5
2019-07-03 CVE-2019-12866 Jetbrains Authorization Bypass Through User-Controlled Key vulnerability in Jetbrains Youtrack

An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack.

7.5
2019-07-03 CVE-2019-12850 Jetbrains SQL Injection vulnerability in Jetbrains Youtrack

A query injection was possible in JetBrains YouTrack.

7.5
2019-07-03 CVE-2019-10104 Jetbrains Unspecified vulnerability in Jetbrains Intellij Idea

In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only.

7.5
2019-07-03 CVE-2019-10100 Jetbrains Code Injection vulnerability in Jetbrains Youtrack Integration

In JetBrains YouTrack Confluence plugin versions before 1.8.1.3, it was possible to achieve Server Side Template Injection.

7.5
2019-07-03 CVE-2019-6631 F5 Unspecified vulnerability in F5 products

On BIG-IP 11.5.1-11.6.4, iRules performing HTTP header manipulation may cause an interruption to service when processing traffic handled by a Virtual Server with an associated HTTP profile, in specific circumstances, when the requests do not strictly conform to RFCs.

7.5
2019-07-03 CVE-2019-6629 F5 Unspecified vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, undisclosed SSL traffic to a virtual server configured with a Client SSL profile may cause TMM to fail and restart.

7.5
2019-07-03 CVE-2018-18326 Dnnsoftware Insufficient Entropy vulnerability in Dnnsoftware Dotnetnuke

DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy.

7.5
2019-07-03 CVE-2018-18325 Dnnsoftware Inadequate Encryption Strength vulnerability in Dnnsoftware Dotnetnuke

DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters.

7.5
2019-07-03 CVE-2018-15812 Dnnsoftware Insufficient Entropy vulnerability in Dnnsoftware Dotnetnuke 9.2/9.2.0/9.2.1

DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.

7.5
2019-07-03 CVE-2018-15811 Dnnsoftware Inadequate Encryption Strength vulnerability in Dnnsoftware Dotnetnuke 9.2/9.2.0/9.2.1

DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.

7.5
2019-07-03 CVE-2018-11686 Flowpaper Improper Input Validation vulnerability in Flowpaper Flexpaper

The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.

7.5
2019-07-03 CVE-2017-18346 WEB Gooroo SQL Injection vulnerability in Web-Gooroo CMS Web-Gooroo

SQL injection vulnerability in /wbg/core/_includes/authorization.inc.php in CMS Web-Gooroo through 2013-01-19 allows remote attackers to execute arbitrary SQL commands via the wbg_login parameter.

7.5
2019-07-03 CVE-2018-11425 Moxa Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Moxa products

Memory corruption issue was discovered in Moxa OnCell G3470A-LTE Series version 1.6 Build 18021314 and prior, a different vulnerability than CVE-2018-11424.

7.5
2019-07-03 CVE-2018-11422 Moxa Cleartext Transmission of Sensitive Information vulnerability in Moxa products

Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary configuration protocol that does not provide confidentiality, integrity, and authenticity security controls.

7.5
2019-07-03 CVE-2018-11420 Moxa Out-of-bounds Write vulnerability in Moxa products

There is Memory corruption in the web interface of Moxa OnCell G3100-HSPA Series version 1.5 Build 17042015 and prio,r a different vulnerability than CVE-2018-11423.

7.5
2019-07-03 CVE-2018-11215 Cloudera Information Exposure vulnerability in Cloudera Data Science Workbench

Remote code execution is possible in Cloudera Data Science Workbench version 1.3.0 and prior releases via unspecified attack vectors.

7.5
2019-07-03 CVE-2018-11426 Moxa Improper Authentication vulnerability in Moxa products

A weak Cookie parameter is used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior.

7.5
2019-07-02 CVE-2019-13179 Calamares Insufficiently Protected Credentials vulnerability in Calamares

Calamares versions 3.1 through 3.2.10 copies a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600 owned by root) to /boot within a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption.

7.5
2019-07-02 CVE-2019-6623 F5 Unspecified vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, undisclosed traffic sent to BIG-IP iSession virtual server may cause the Traffic Management Microkernel (TMM) to restart, resulting in a Denial-of-Service (DoS).

7.5
2019-07-02 CVE-2019-13177 Django Rest Registration Project Improper Verification of Cryptographic Signature vulnerability in Django-Rest-Registration Project Django-Rest-Registration

verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process.

7.5
2019-07-02 CVE-2019-7253 Nortekcontrol Path Traversal vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices allow Directory Traversal.

7.5
2019-07-02 CVE-2019-7264 Nortekcontrol Out-of-bounds Write vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices allow a Stack-based Buffer Overflow on the ARM platform.

7.5
2019-07-01 CVE-2019-5497 Netapp Insecure Default Initialization of Resource vulnerability in Netapp AFF A700S Firmware and Clustered Data Ontap

NetApp AFF A700s Baseboard Management Controller (BMC) firmware versions 1.22 and higher were shipped with a default account enabled that could allow unauthorized arbitrary command execution.

7.5
2019-07-01 CVE-2019-10979 Sick Use of Hard-coded Credentials vulnerability in Sick Msc800 Firmware

SICK MSC800 all versions prior to Version 4.0, the affected firmware versions contain a hard-coded customer account password.

7.5
2019-07-01 CVE-2019-7279 Optergy Use of Hard-coded Credentials vulnerability in Optergy Enterprise and Proton

Optergy Proton/Enterprise devices have Hard-coded Credentials.

7.5
2019-07-01 CVE-2019-13131 Supermicro Missing Authentication for Critical Function vulnerability in Supermicro Superdoctor 5

Super Micro SuperDoctor 5, when restrictions are not implemented in agent.cfg, allows remote attackers to execute arbitrary commands via NRPE.

7.5
2019-07-06 CVE-2019-1932 Cisco Insufficient Verification of Data Authenticity vulnerability in Cisco Advanced Malware Protection FOR Endpoints 6.2(3)

A vulnerability in Cisco Advanced Malware Protection (AMP) for Endpoints for Windows could allow an authenticated, local attacker with administrator privileges to execute arbitrary code.

7.2
2019-07-06 CVE-2019-1893 Cisco OS Command Injection vulnerability in Cisco Enterprise NFV Infrastructure Software 3.9.1

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device as root.

7.2
2019-07-04 CVE-2018-20850 Stormshield Cross-site Scripting vulnerability in Stormshield Network Security

Stormshield Network Security 2.0.0 through 2.13.0 and 3.0.0 through 3.7.1 has self-XSS in the command line interface of the SNS web server.

7.2
2019-07-02 CVE-2019-6621 F5 OS Command Injection vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin user.

7.2
2019-07-02 CVE-2017-8414 Dlink Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices.

7.2
2019-07-01 CVE-2019-7670 Primasystems OS Command Injection vulnerability in Primasystems Flexair 2.3.38

Prima Systems FlexAir, Versions 2.3.38 and prior.

7.2
2019-07-02 CVE-2019-4140 IBM Information Exposure vulnerability in IBM Spectrum Protect

IBM Tivoli Storage Manager Server (IBM Spectrum Protect 7.1 and 8.1) could allow a local user to replace existing databases by restoring old data.

7.1
2019-07-01 CVE-2019-4298 IBM Unspecified vulnerability in IBM Robotic Process Automation With Automation Anywhere

IBM Robotic Process Automation with Automation Anywhere 11 uses a high privileged PostgreSQL account for database access which could allow a local user to perform actions they should not have privileges to execute.

7.1
2019-07-04 CVE-2019-13233 Linux Use After Free vulnerability in Linux Kernel

In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.

7.0
2019-07-04 CVE-2019-13226 Deepin
Fedoraproject
Link Following vulnerability in multiple products

deepin-clone before 1.1.3 uses a predictable path /tmp/.deepin-clone/mount/<block-dev-basename> in the Helper::temporaryMountDevice() function to temporarily mount a file system as root.

7.0

203 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-07 CVE-2019-13391 Imagemagick Out-of-bounds Read vulnerability in Imagemagick 7.0.850

In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier.c has a heap-based buffer over-read because of incorrect calls to GetCacheViewVirtualPixels.

6.8
2019-07-07 CVE-2019-13183 Flarum Cross-Site Request Forgery (CSRF) vulnerability in Flarum 0.1.0

Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.

6.8
2019-07-06 CVE-2019-13362 Codedoc Project Out-of-bounds Write vulnerability in Codedoc Project Codedoc 3.2

Codedoc v3.2 has a stack-based buffer overflow in add_variable in codedoc.c, related to codedoc_strlcpy.

6.8
2019-07-05 CVE-2019-13351 Jackaudio
Alsa Project
posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running.
6.8
2019-07-05 CVE-2019-5981 Sony Unspecified vulnerability in Sony Vaio Update 7.3.0.03150

Improper authorization vulnerability in VAIO Update 7.3.0.03150 and earlier allows an attackers to execute arbitrary executable file with administrative privilege via unspecified vectors.

6.8
2019-07-05 CVE-2019-5974 Contest Gallery Cross-Site Request Forgery (CSRF) vulnerability in Contest-Gallery Contest Gallery

Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

6.8
2019-07-05 CVE-2019-5971 Sukimalab Cross-Site Request Forgery (CSRF) vulnerability in Sukimalab Attendance Manager

Cross-site request forgery (CSRF) vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

6.8
2019-07-05 CVE-2019-5968 Weseek Cross-Site Request Forgery (CSRF) vulnerability in Weseek Growi

Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user's 'Basic Info'.

6.8
2019-07-05 CVE-2019-5963 Zoho Cross-Site Request Forgery (CSRF) vulnerability in Zoho Salesiq

Cross-site request forgery (CSRF) vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

6.8
2019-07-05 CVE-2019-5960 Custom4Web Cross-Site Request Forgery (CSRF) vulnerability in Custom4Web WP Open Graph

Cross-site request forgery (CSRF) vulnerability in WP Open Graph 1.6.1 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

6.8
2019-07-05 CVE-2019-13312 Ffmpeg Out-of-bounds Read vulnerability in Ffmpeg 4.1.3

block_cmp() in libavcodec/zmbvenc.c in FFmpeg 4.1.3 has a heap-based buffer over-read.

6.8
2019-07-05 CVE-2019-13297 Imagemagick
Debian
Canonical
Opensuse
Out-of-bounds Read vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a height of zero is mishandled.

6.8
2019-07-05 CVE-2019-13295 Imagemagick
Debian
Opensuse
Canonical
Out-of-bounds Read vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a width of zero is mishandled.

6.8
2019-07-04 CVE-2019-13289 Glyphandcog Use After Free vulnerability in Glyphandcog Xpdfreader 4.01.01

In Xpdf 4.01.01, there is a use-after-free vulnerability in the function JBIG2Stream::close() located at JBIG2Stream.cc.

6.8
2019-07-04 CVE-2019-13262 Xnview Unspecified vulnerability in Xnview 2.48

XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x00000000003283eb.

6.8
2019-07-04 CVE-2019-13261 Xnview Unspecified vulnerability in Xnview 2.48

XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000328384.

6.8
2019-07-04 CVE-2019-13260 Xnview Unspecified vulnerability in Xnview 2.48

XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000327a07.

6.8
2019-07-04 CVE-2019-13259 Xnview Unspecified vulnerability in Xnview 2.48

XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000032e566.

6.8
2019-07-04 CVE-2019-13258 Xnview Unspecified vulnerability in Xnview 2.48

XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000328165.

6.8
2019-07-04 CVE-2019-13257 Xnview Unspecified vulnerability in Xnview 2.48

XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x00000000003273aa.

6.8
2019-07-04 CVE-2019-13256 Xnview Unspecified vulnerability in Xnview 2.48

XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000032e849.

6.8
2019-07-04 CVE-2019-13255 Xnview Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Xnview 2.48

XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000327464.

6.8
2019-07-04 CVE-2019-13254 Xnview Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Xnview 2.48

XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000032e808.

6.8
2019-07-04 CVE-2019-13253 Xnview Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Xnview 2.48

XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000385474.

6.8
2019-07-04 CVE-2019-13252 Acdsee Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21

ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000001172b0.

6.8
2019-07-04 CVE-2019-13251 Acdsee Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21

ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000c47ff.

6.8
2019-07-04 CVE-2019-13250 Acdsee Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21

ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9c2f.

6.8
2019-07-04 CVE-2019-13249 Acdsee Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21

ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9e7a.

6.8
2019-07-04 CVE-2019-13248 Acdsee Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21

ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x0000000000002450.

6.8
2019-07-04 CVE-2019-13247 Acdsee Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acdsee 1.1.21

ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x00000000000024ed.

6.8
2019-07-04 CVE-2019-13246 Faststone Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Faststone Image Viewer 7.0

FastStone Image Viewer 7.0 has a User Mode Write AV starting at image00400000+0x00000000001a9601.

6.8
2019-07-04 CVE-2019-13245 Faststone Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Faststone Image Viewer 7.0

FastStone Image Viewer 7.0 has a User Mode Write AV starting at image00400000+0x00000000001a95b1.

6.8
2019-07-04 CVE-2019-13244 Faststone Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Faststone Image Viewer 7.0

FastStone Image Viewer 7.0 has a User Mode Write AV starting at image00400000+0x0000000000002d7d.

6.8
2019-07-04 CVE-2019-13243 Irfanview Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Irfanview 4.52

IrfanView 4.52 has a User Mode Write AV starting at image00400000+0x00000000000249c6.

6.8
2019-07-04 CVE-2019-13242 Irfanview Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Irfanview 4.52

IrfanView 4.52 has a User Mode Write AV starting at image00400000+0x0000000000013a98.

6.8
2019-07-03 CVE-2017-8228 Amcrest Permissions, Privileges, and Access Controls vulnerability in Amcrest Ipm-721S Firmware

Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices mishandle reboots within the past two hours.

6.8
2019-07-03 CVE-2019-5052 Libsdl
Debian
Opensuse
Canonical
Integer Overflow or Wraparound vulnerability in multiple products

An exploitable integer overflow vulnerability exists when loading a PCX file in SDL2_image 2.0.4.

6.8
2019-07-03 CVE-2019-5051 Libsdl
Debian
Opensuse
Canonical
Improper Handling of Exceptional Conditions vulnerability in multiple products

An exploitable heap-based buffer overflow vulnerability exists when loading a PCX file in SDL2_image, version 2.0.4.

6.8
2019-07-03 CVE-2019-12851 Jetbrains Cross-Site Request Forgery (CSRF) vulnerability in Jetbrains Youtrack

A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack.

6.8
2019-07-03 CVE-2019-5630 Rapid7 Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Nexpose

A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68.

6.8
2019-07-03 CVE-2018-10986 Open Xchange Cross-Site Request Forgery (CSRF) vulnerability in Open-Xchange OX Guard 2.8.0

OX Guard 2.8.0 has CSRF.

6.8
2019-07-03 CVE-2018-11427 Moxa Cross-Site Request Forgery (CSRF) vulnerability in Moxa products

CSRF tokens are not used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior, which makes it possible to perform CSRF attacks on the device administrator.

6.8
2019-07-02 CVE-2017-8406 Dlink Cross-Site Request Forgery (CSRF) vulnerability in Dlink Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1130 devices.

6.8
2019-07-02 CVE-2017-8407 Dlink Cross-Site Request Forgery (CSRF) vulnerability in Dlink Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1130 devices.

6.8
2019-07-02 CVE-2019-13056 Cyberpanel Cross-Site Request Forgery (CSRF) vulnerability in Cyberpanel

An issue was discovered in CyberPanel through 1.8.4.

6.8
2019-07-01 CVE-2019-12826 Wpchef Cross-Site Request Forgery (CSRF) vulnerability in Wpchef Widget Logic

A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets and then eval'd to dynamically determine their visibility) by crafting a malicious POST request that tricks administrators into adding the code.

6.8
2019-07-01 CVE-2019-13125 Tencent Permissions, Privileges, and Access Controls vulnerability in Tencent Habomalhunter 2.0.0.2/2.0.0.3

HaboMalHunter through 2.0.0.3 in Tencent Habo allows attackers to evade dynamic malware analysis via PIE compilation.

6.8
2019-07-01 CVE-2019-4383 IBM Unspecified vulnerability in IBM Spectrum Protect Plus 10.1.1/10.1.2/10.1.3

When using IBM Spectrum Protect Plus 10.1.0, 10.1.2, and 10.1.3 to protect Oracle or MongoDB databases, a redirected restore operation may result in an escalation of user privileges.

6.7
2019-07-01 CVE-2019-4357 IBM Unspecified vulnerability in IBM Spectrum Protect Plus 10.1.1/10.1.2/10.1.3

When using IBM Spectrum Protect Plus 10.1.0, 10.1.2, and 10.1.3 to protect Oracle, DB2 or MongoDB databases, a redirected restore operation specifying a target path may allow execution of arbitrary code on the system.

6.7
2019-07-01 CVE-2019-4057 IBM Unspecified vulnerability in IBM DB2

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow malicious user with access to the DB2 instance account to leverage a fenced execution process to execute arbitrary code as root.

6.7
2019-07-02 CVE-2019-10975 Fujielectric Out-of-bounds Read vulnerability in Fujielectric Alpha7 PC Loader Firmware 1.1

An out-of-bounds read vulnerability has been identified in Fuji Electric Alpha7 PC Loader Versions 1.1 and prior, which may crash the system.

6.6
2019-07-05 CVE-2019-13311 Imagemagick
Canonical
Debian
Opensuse
Memory Leak vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a wand/mogrify.c error.

6.5
2019-07-05 CVE-2019-13310 Imagemagick
Canonical
Opensuse
Memory Leak vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of an error in MagickWand/mogrify.c.

6.5
2019-07-05 CVE-2019-13309 Imagemagick
Debian
Canonical
Opensuse
Memory Leak vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c.

6.5
2019-07-05 CVE-2019-13301 Imagemagick
Debian
Canonical
Opensuse
Memory Leak vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.

6.5
2019-07-05 CVE-2019-13296 Imagemagick
Opensuse
Memory Leak vulnerability in multiple products

ImageMagick 7.0.8-50 Q16 has direct memory leaks in AcquireMagickMemory because of an error in CLIListOperatorImages in MagickWand/operation.c for a NULL value.

6.5
2019-07-03 CVE-2019-6641 F5 Unspecified vulnerability in F5 products

On BIG-IP 12.1.0-12.1.4.1, undisclosed requests can cause iControl REST processes to crash.

6.5
2019-07-03 CVE-2019-6638 F5 Infinite Loop vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, Malformed http requests made to an undisclosed iControl REST endpoint can lead to infinite loop of the restjavad process.

6.5
2019-07-03 CVE-2019-12570 Xpertsol SQL Injection vulnerability in Xpertsol Server Status BY Hostname/Ip 4.6

A SQL injection vulnerability in the Xpert Solution "Server Status by Hostname/IP" plugin 4.6 for WordPress allows an authenticated user to execute arbitrary SQL commands via GET parameters.

6.5
2019-07-03 CVE-2018-12250 Elitecms SQL Injection vulnerability in Elitecms Elite CMS 2.01

An issue was discovered in Elite CMS Pro 2.01.

6.5
2019-07-02 CVE-2019-6622 F5 Command Injection vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, an undisclosed iControl REST worker is vulnerable to command injection by an administrator or resource administrator user.

6.5
2019-07-02 CVE-2019-6620 F5 OS Command Injection vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4 and BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, an undisclosed iControl REST worker vulnerable to command injection for an Administrator user.

6.5
2019-07-02 CVE-2019-13155 Trendnet OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11.

6.5
2019-07-02 CVE-2019-13154 Trendnet OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11.

6.5
2019-07-02 CVE-2019-13153 Trendnet OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11.

6.5
2019-07-02 CVE-2019-13152 Trendnet Command Injection vulnerability in Trendnet Tew-827Dru Firmware

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11.

6.5
2019-07-02 CVE-2019-13151 Trendnet OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11.

6.5
2019-07-02 CVE-2019-13150 Trendnet Command Injection vulnerability in Trendnet Tew-827Dru Firmware

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11.

6.5
2019-07-02 CVE-2019-13149 Trendnet OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11.

6.5
2019-07-02 CVE-2019-13148 Trendnet Command Injection vulnerability in Trendnet Tew-827Dru Firmware

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11.

6.5
2019-07-02 CVE-2019-13147 Audio File Library Project
Debian
NULL Pointer Dereference vulnerability in multiple products

In Audio File Library (aka audiofile) 0.3.6, there exists one NULL pointer dereference bug in ulaw2linear_buf in G711.cpp in libmodules.a that allows an attacker to cause a denial of service via a crafted file.

6.5
2019-07-01 CVE-2019-1577 Paloaltonetworks Code Injection vulnerability in Paloaltonetworks Traps 5.0/5.0.5

Code injection vulnerability in Palo Alto Networks Traps 5.0.5 and earlier may allow an authenticated attacker to inject arbitrary JavaScript or HTML.

6.5
2019-07-01 CVE-2019-4386 IBM Exposed Dangerous Method or Function vulnerability in IBM DB2

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 could allow an authenticated user to execute a function that would cause the server to crash.

6.5
2019-07-03 CVE-2017-9325 Cloudera Improper Authorization vulnerability in Cloudera CDH

The provided secure solrconfig.xml sample configuration does not enforce Sentry authorization on /update/json/docs.

6.4
2019-07-02 CVE-2019-13173 Fstream Project Link Following vulnerability in Fstream Project Fstream

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite.

6.4
2019-07-01 CVE-2019-7278 Optergy Improper Privilege Management vulnerability in Optergy Enterprise and Proton

Optergy Proton/Enterprise devices have an Unauthenticated SMS Sending Service.

6.4
2019-07-06 CVE-2019-13374 Dlink Cross-site Scripting vulnerability in Dlink Central Wifimanager 1.03

A cross-site scripting (XSS) vulnerability in resource view in PayAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to inject arbitrary web script or HTML via the index.php/Pay/passcodeAuth passcode parameter.

6.1
2019-07-05 CVE-2019-13345 Squid Cache
Debian
Cross-site Scripting vulnerability in multiple products

The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.

6.1
2019-07-02 CVE-2017-11580 Blipcare Resource Management Errors vulnerability in Blipcare Wi-Fi Blood Pressure Monitor Firmware

Blipcare Wifi blood pressure monitor BP700 10.1 devices allow memory corruption that results in Denial of Service.

6.1
2019-07-02 CVE-2019-7255 Nortekcontrol Cross-site Scripting vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices allow XSS.

6.1
2019-07-02 CVE-2019-4134 IBM Cross-site Scripting vulnerability in IBM Planning Analytics 2.0

IBM Planning Analytics 2.0 is vulnerable to cross-site scripting.

6.1
2019-07-01 CVE-2019-7275 Optergy Open Redirect vulnerability in Optergy Enterprise and Proton

Optergy Proton/Enterprise devices allow Open Redirect.

6.1
2019-07-01 CVE-2019-4102 IBM Inadequate Encryption Strength vulnerability in IBM DB2

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.9
2019-07-05 CVE-2018-12621 Eventum Project Open Redirect vulnerability in Eventum Project Eventum 3.5.0

An issue was discovered in Eventum 3.5.0.

5.8
2019-07-05 CVE-2019-5969 Weseek Open Redirect vulnerability in Weseek Growi

Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackersto redirect users to arbitrary web sites and conduct phishing attacks via the process of login.

5.8
2019-07-05 CVE-2019-5966 Joruri Authorization Bypass Through User-Controlled Key vulnerability in Joruri Mail 2.1.4

Joruri Mail 2.1.4 and earlier does not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and alter/disclose the information via unspecified vectors.

5.8
2019-07-05 CVE-2019-5965 Joruri Open Redirect vulnerability in Joruri Mail 2.1.4

Open redirect vulnerability in Joruri Mail 2.1.4 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2019-07-05 CVE-2019-5964 Idoors Improper Authentication vulnerability in Idoors Reader 2.10.17

iDoors Reader 2.10.17 and earlier allows an attacker on the same network segment to bypass authentication to access the management console and operate the product via unspecified vectors.

5.8
2019-07-05 CVE-2019-5961 Mastodon Tootdon Improper Certificate Validation vulnerability in Mastodon-Tootdon Tootdon FOR Mastodon

The Android App 'Tootdon for Mastodon' version 3.4.1 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.8
2019-07-03 CVE-2019-10721 Dotnetblogengine Open Redirect vulnerability in Dotnetblogengine Blogengine.Net 3.3.7.0

BlogEngine.NET 3.3.7.0 allows a Client Side URL Redirect via the ReturnUrl parameter, related to BlogEngine/BlogEngine.Core/Services/Security/Security.cs, login.aspx, and register.aspx.

5.8
2019-07-02 CVE-2017-8412 Dlink Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices.

5.8
2019-07-02 CVE-2019-13175 Readthedocs Open Redirect vulnerability in Readthedocs Read the Docs

Read the Docs before 3.5.1 has an Open Redirect if certain user-defined redirects are used.

5.8
2019-07-04 CVE-2019-13286 Glyphandcog
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

In Xpdf 4.01.01, there is a heap-based buffer over-read in the function JBIG2Stream::readTextRegionSeg() located at JBIG2Stream.cc.

5.5
2019-07-04 CVE-2019-13229 Deepin Link Following vulnerability in Deepin Clone

deepin-clone before 1.1.3 uses a fixed path /tmp/partclone.log in the Helper::getPartitionSizeInfo() function to write a log file as root, and follows symlinks there.

5.5
2019-07-04 CVE-2019-13227 Deepin Link Following vulnerability in Deepin Deepin-Clone

In GUI mode, deepin-clone before 1.1.3 creates a log file at the fixed path /tmp/.deepin-clone.log as root, and follows symlinks there.

5.5
2019-07-03 CVE-2018-14859 Odoo Improper Access Control vulnerability in Odoo 10.0/11.0/9.0

Incorrect access control in the password reset component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated users to reset the password of other users by being the first party to use the secure token.

5.5
2019-07-03 CVE-2018-14863 Odoo Improper Access Control vulnerability in Odoo 10.0/11.0/9.0

Incorrect access control in the RPC framework in Odoo Community 8.0 through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated users to call private functions via RPC.

5.5
2019-07-03 CVE-2018-14862 Odoo Incorrect Permission Assignment for Critical Resource vulnerability in Odoo 10.0/11.0/9.0

Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request.

5.5
2019-07-03 CVE-2019-10717 Dotnetblogengine Path Traversal vulnerability in Dotnetblogengine Blogengine.Net 3.3.7.0

BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via the path parameter.

5.5
2019-07-01 CVE-2019-4299 IBM Information Exposure Through Log Files vulnerability in IBM Robotic Process Automation With Automation Anywhere

IBM Robotic Process Automation with Automation Anywhere 11 could allow a local user to obtain highly sensitive information from log files when debugging is enabled.

5.5
2019-07-05 CVE-2019-5982 Sony Download of Code Without Integrity Check vulnerability in Sony Vaio Update 7.3.0.03150

Improper download file verification vulnerability in VAIO Update 7.3.0.03150 and earlier allows remote attackers to conduct a man-in-the-middle attack via a malicous wireless LAN access point.

5.4
2019-07-01 CVE-2019-4410 IBM Cross-site Scripting vulnerability in IBM products

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, and 19.0.0.1 is vulnerable to cross-site scripting.

5.4
2019-07-01 CVE-2019-4297 IBM LDAP Injection vulnerability in IBM Robotic Process Automation With Automation Anywhere

IBM Robotic Process Automation with Automation Anywhere 11 could allow a remote authenticated attacker to conduct an LDAP injection.

5.4
2019-07-01 CVE-2019-4237 IBM Cross-site Scripting vulnerability in IBM products

A Cross-Frame Scripting vulnerability in IBM InfoSphere Information Server 11.3, 11.5, and 11.7 can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page.

5.4
2019-07-03 CVE-2019-6640 F5 Cleartext Transmission of Sensitive Information vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels.

5.3
2019-07-02 CVE-2019-4260 IBM Unspecified vulnerability in IBM Daeja Viewone

IBM Daeja ViewONE Professional, Standard & Virtual 5.0 through 5.0.5 could allow an unauthorized user to download server files resulting in sensitive information disclosure.

5.3
2019-07-02 CVE-2019-4129 IBM Information Exposure Through an Error Message vulnerability in IBM Spectrum Protect Operations Center

IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remote attacker to obtain sensitive information, caused by an error message containing a stack trace.

5.3
2019-07-01 CVE-2019-4337 IBM Missing Authentication for Critical Function vulnerability in IBM Robotic Process Automation With Automation Anywhere 11.0.0.0/11.0.0.1/11.0.0.2

IBM Robotic Process Automation with Automation Anywhere 11 could allow an attacker to obtain sensitive information due to missing authentication in Ignite nodes.

5.3
2019-07-01 CVE-2019-12781 Djangoproject
Canonical
Debian
Cleartext Transmission of Sensitive Information vulnerability in multiple products

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3.

5.3
2019-07-01 CVE-2019-13118 Xmlsoft
Opensuse
Netapp
Oracle
Fedoraproject
Canonical
Apple
Type Confusion vulnerability in multiple products

In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

5.3
2019-07-01 CVE-2019-13117 Xmlsoft
Debian
Canonical
Fedoraproject
Opensuse
Oracle
Use of Uninitialized Resource vulnerability in multiple products

In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers.

5.3
2019-07-06 CVE-2019-1921 Cisco Improper Input Validation vulnerability in Cisco Email Security Appliance 12.0.0419

A vulnerability in the attachment scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured content filters on the device.

5.0
2019-07-06 CVE-2019-1892 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products

A vulnerability in the Secure Sockets Layer (SSL) input packet processor of Cisco Small Business 200, 300, and 500 Series Managed Switches could allow an unauthenticated, remote attacker to cause a memory corruption on an affected device.

5.0
2019-07-06 CVE-2019-1891 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the web interface of Cisco Small Business 200, 300, and 500 Series Managed Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

5.0
2019-07-06 CVE-2019-1887 Cisco Out-of-bounds Write vulnerability in Cisco Unified Communications Manager

A vulnerability in the Session Initiation Protocol (SIP) protocol implementation of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

5.0
2019-07-05 CVE-2019-13358 Opencats XXE vulnerability in Opencats

lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system.

5.0
2019-07-05 CVE-2018-16386 Swift Improper Encoding or Escaping of Output vulnerability in Swift Alliance web Platform 7.1.23

An issue was discovered in SWIFT Alliance Web Platform 7.1.23.

5.0
2019-07-05 CVE-2018-14733 Odoo Improper Input Validation vulnerability in Odoo

The Odoo Community Association (OCA) dbfilter_from_header module makes Odoo 8.x, 9.x, 10.x, and 11.x vulnerable to ReDoS (regular expression denial of service) under certain circumstances.

5.0
2019-07-05 CVE-2018-14529 Invoxia Information Exposure vulnerability in Invoxia Nvx220 Firmware

Invoxia NVX220 devices allow access to /bin/sh via escape from a restricted CLI, leading to disclosure of password hashes.

5.0
2019-07-05 CVE-2019-13344 Crudlab Missing Authentication for Critical Function vulnerability in Crudlab WP Like Button

An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings.

5.0
2019-07-04 CVE-2019-1886 Cisco Improper Certificate Validation vulnerability in Cisco Asyncos and web Security Appliance

A vulnerability in the HTTPS decryption feature of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

5.0
2019-07-04 CVE-2019-13238 Axiosys NULL Pointer Dereference vulnerability in Axiosys Bento4 1.5.1.0

An issue was discovered in Bento4 1.5.1.0.

5.0
2019-07-03 CVE-2019-12845 Jetbrains Improper Authentication vulnerability in Jetbrains Teamcity

The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts.

5.0
2019-07-03 CVE-2019-12841 Jetbrains Improper Input Validation vulnerability in Jetbrains Teamcity

Incorrect handling of user input in ZIP extraction was detected in JetBrains TeamCity.

5.0
2019-07-03 CVE-2017-8229 Amcrest Credentials Management vulnerability in Amcrest Ipm-721S Firmware

Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials.

5.0
2019-07-03 CVE-2017-8227 Amcrest 7PK - Security Features vulnerability in Amcrest Ipm-721S Firmware

Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout policy to wait for 5 minutes in case 30 incorrect password attempts are detected using the Web and HTTP API interface provided by the device.

5.0
2019-07-03 CVE-2019-9873 Jetbrains Cleartext Storage of Sensitive Information vulnerability in Jetbrains Intellij Idea

In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files.

5.0
2019-07-03 CVE-2019-9823 Jetbrains Cleartext Storage of Sensitive Information vulnerability in Jetbrains Intellij Idea

In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration files.

5.0
2019-07-03 CVE-2019-6630 F5 Unspecified vulnerability in F5 SSL Orchestrator

On F5 SSL Orchestrator 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, undisclosed traffic flow may cause TMM to restart under certain circumstances.

5.0
2019-07-03 CVE-2019-6628 F5 Unspecified vulnerability in F5 Big-Ip Policy Enforcement Manager

On BIG-IP PEM 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, under certain conditions, the TMM process may terminate and restart while processing BIG-IP PEM traffic with the OpenVPN classifier.

5.0
2019-07-03 CVE-2018-11421 Moxa Cleartext Transmission of Sensitive Information vulnerability in Moxa products

Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary monitoring protocol that does not provide confidentiality, integrity, and authenticity security controls.

5.0
2019-07-02 CVE-2019-6624 F5 Unspecified vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, an undisclosed traffic pattern sent to a BIG-IP UDP virtual server may lead to a denial-of-service (DoS).

5.0
2019-07-02 CVE-2017-8409 Dlink Improper Authorization vulnerability in Dlink Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1130 devices.

5.0
2019-07-02 CVE-2017-8405 Dlink Improper Authentication vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1130 and DCS-1100 devices.

5.0
2019-07-02 CVE-2019-7254 Nortekcontrol Path Traversal vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices allow File Inclusion.

5.0
2019-07-02 CVE-2019-7252 Nortekcontrol Insecure Default Initialization of Resource vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices have Default Credentials.

5.0
2019-07-02 CVE-2019-7260 Nortekcontrol Insufficiently Protected Credentials vulnerability in Nortekcontrol products

Linear eMerge E3-Series devices have Cleartext Credentials in a Database.

5.0
2019-07-01 CVE-2019-7272 Optergy Missing Authorization vulnerability in Optergy Enterprise and Proton

Optergy Proton/Enterprise devices allow Username Disclosure.

5.0
2019-07-01 CVE-2019-7271 Nortekcontrol Insufficiently Protected Credentials vulnerability in Nortekcontrol products

Nortek Linear eMerge 50P/5000P devices have Default Credentials.

5.0
2019-07-01 CVE-2019-7277 Optergy Information Exposure vulnerability in Optergy Enterprise and Proton

Optergy Proton/Enterprise devices allow Unauthenticated Internal Network Information Disclosure.

5.0
2019-07-01 CVE-2019-7668 Primasystems Insecure Default Initialization of Resource vulnerability in Primasystems Flexair 2.3.38

Prima Systems FlexAir devices have Default Credentials.

5.0
2019-07-03 CVE-2019-3619 Mcafee Cleartext Transmission of Sensitive Information vulnerability in Mcafee Epolicy Orchestrator 5.10.0/5.9.0/5.9.1

Information Disclosure vulnerability in the Agent Handler in McAfee ePolicy Orchestrator (ePO) 5.9.x and 5.10.0 prior to 5.10.0 update 4 allows remote unauthenticated attacker to view sensitive information in plain text via sniffing the traffic between the Agent Handler and the SQL server.

4.9
2019-07-01 CVE-2019-4295 IBM Unspecified vulnerability in IBM Robotic Process Automation With Automation Anywhere

IBM Robotic Process Automation with Automation Anywhere 11 could allow an attacker with specialized access to obtain highly sensitive from the credential vault.

4.9
2019-07-03 CVE-2019-6639 F5 Cross-site Scripting vulnerability in F5 Big-Ip Advanced Firewall Manager

On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, an undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting (XSS) issue.

4.8
2019-07-02 CVE-2017-11579 Blipcare 7PK - Security Features vulnerability in Blipcare Wi-Fi Blood Pressure Monitor Firmware

In the most recent firmware for Blipcare, the device provides an open Wireless network called "Blip" for communicating with the device.

4.8
2019-07-04 CVE-2019-13228 Deepin Link Following vulnerability in Deepin Deepin-Clone

deepin-clone before 1.1.3 uses a fixed path /tmp/repo.iso in the BootDoctor::fix() function to download an ISO file, and follows symlinks there.

4.7
2019-07-06 CVE-2019-1911 Cisco Containment Errors (Container Errors) vulnerability in Cisco Hosted Collaboration Solution

A vulnerability in the CLI of Cisco Unified Communications Domain Manager (Cisco Unified CDM) Software could allow an authenticated, local attacker to escape the restricted shell.

4.6
2019-07-01 CVE-2019-9703 Symantec Unspecified vulnerability in Symantec Endpoint Encryption

Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels.

4.6
2019-07-01 CVE-2019-9702 Symantec Unspecified vulnerability in Symantec Endpoint Encryption

Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels.

4.6
2019-07-03 CVE-2019-13208 Maxx Incorrect Permission Assignment for Critical Resource vulnerability in Maxx Waves Maxx Audio 1.9.29.0

WavesSysSvc in Waves MAXX Audio allows privilege escalation because the General registry key has Full Control access for the Users group, leading to DLL side loading.

4.4
2019-07-03 CVE-2019-6635 F5 Unspecified vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, when the BIG-IP system is licensed for Appliance mode, a user with either the Administrator or the Resource Administrator role can bypass Appliance mode restrictions.

4.4
2019-07-03 CVE-2019-6633 F5 Unspecified vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, when the BIG-IP system is licensed with Appliance mode, user accounts with Administrator and Resource Administrator roles can bypass Appliance mode restrictions.

4.4
2019-07-02 CVE-2019-5443 Haxx
Oracle
Netapp
Uncontrolled Search Path Element vulnerability in multiple products

A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation.

4.4
2019-07-07 CVE-2019-13390 Ffmpeg Divide By Zero vulnerability in Ffmpeg 4.1.3

In FFmpeg 4.1.3, there is a division by zero at adx_write_trailer in libavformat/rawenc.c.

4.3
2019-07-06 CVE-2019-1933 Cisco Improper Input Validation vulnerability in Cisco Email Security Appliance 11.1.2023

A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device.

4.3
2019-07-06 CVE-2019-1931 Cisco Cross-site Scripting vulnerability in Cisco Firepower Management Center

Multiple vulnerabilities in the RSS dashboard in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

4.3
2019-07-06 CVE-2019-1930 Cisco Cross-site Scripting vulnerability in Cisco Firepower Management Center

Multiple vulnerabilities in the RSS dashboard in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

4.3
2019-07-06 CVE-2019-1909 Cisco Improper Input Validation vulnerability in Cisco IOS XR

A vulnerability in the implementation of Border Gateway Protocol (BGP) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system.

4.3
2019-07-05 CVE-2019-10638 Linux Inadequate Encryption Strength vulnerability in Linux Kernel

In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP).

4.3
2019-07-05 CVE-2018-14027 Digisol Cross-site Scripting vulnerability in Digisol Dg-Hr-3300 Firmware

Digisol Wireless Wifi Home Router HR-3300 allows XSS via the userid or password parameter to the admin login page.

4.3
2019-07-05 CVE-2019-5972 Sukimalab Cross-site Scripting vulnerability in Sukimalab Online Lesson Booking

Cross-site scripting vulnerability in Online Lesson Booking 0.8.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2019-07-05 CVE-2019-5970 Sukimalab Cross-site Scripting vulnerability in Sukimalab Attendance Manager

Cross-site scripting vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2019-07-05 CVE-2019-5967 Joruri Cross-site Scripting vulnerability in Joruri CMS 2017 Release1/Release2

Cross-site scripting vulnerability in Joruri CMS 2017 Release2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2019-07-05 CVE-2019-5962 Zoho Cross-site Scripting vulnerability in Zoho Salesiq

Cross-site scripting vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2019-07-04 CVE-2019-13291 Glyphandcog Out-of-bounds Read vulnerability in Glyphandcog Xpdfreader 4.01.01

In Xpdf 4.01.01, there is a heap-based buffer over-read in the function DCTStream::readScan() located at Stream.cc.

4.3
2019-07-04 CVE-2019-13288 Glyphandcog Uncontrolled Recursion vulnerability in Glyphandcog Xpdfreader 4.01.01

In Xpdf 4.01.01, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file.

4.3
2019-07-04 CVE-2019-13287 Glyphandcog Out-of-bounds Read vulnerability in Glyphandcog Xpdfreader 4.01.01

In Xpdf 4.01.01, there is an out-of-bounds read vulnerability in the function SplashXPath::strokeAdjust() located at splash/SplashXPath.cc.

4.3
2019-07-04 CVE-2019-13239 Glpi Project Cross-site Scripting vulnerability in Glpi-Project Glpi

inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.

4.3
2019-07-03 CVE-2019-12844 Jetbrains Code Injection vulnerability in Jetbrains Teamcity

A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages.

4.3
2019-07-03 CVE-2019-12843 Jetbrains Code Injection vulnerability in Jetbrains Teamcity

A possible stored JavaScript injection requiring a deliberate server administrator action was detected.

4.3
2019-07-03 CVE-2019-12842 Jetbrains Cross-site Scripting vulnerability in Jetbrains Teamcity

A reflected XSS on a user page was detected on one of the JetBrains TeamCity pages.

4.3
2019-07-03 CVE-2019-9872 Jetbrains Cleartext Storage of Sensitive Information vulnerability in Jetbrains Intellij Idea

In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files.

4.3
2019-07-03 CVE-2019-6627 F5 Race Condition vulnerability in F5 SSL Orchestrator

On F5 SSL Orchestrator 14.1.0-14.1.0.5, on rare occasions, specific to a certain race condition, TMM may restart when SSL Forward Proxy enforces the bypass action for an SSL Orchestrator transparent virtual server with SNAT enabled.

4.3
2019-07-03 CVE-2019-6626 F5 Cross-site Scripting vulnerability in F5 products

On BIG-IP (AFM, Analytics, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.3.4, A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration utility.

4.3
2019-07-03 CVE-2019-6625 F5 Cross-site Scripting vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI) also known as the BIG-IP Configuration utility.

4.3
2019-07-03 CVE-2018-12715 Digisol Cross-site Scripting vulnerability in Digisol Dg-Hr3400 Firmware

DIGISOL DG-HR3400 devices have XSS via a modified SSID when the apssid value is unchanged.

4.3
2019-07-03 CVE-2019-13186 1234N Cross-site Scripting vulnerability in 1234N Minicms 1.10

In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the tags box.

4.3
2019-07-03 CVE-2017-6216 Novaksolutions Cross-site Scripting vulnerability in Novaksolutions Infusionsoft-PHP-Sdk 20161031

novaksolutions/infusionsoft-php-sdk v2016-10-31 is vulnerable to a reflected XSS in the leadscoring.php resulting code execution

4.3
2019-07-03 CVE-2017-17972 Archon Project Cross-site Scripting vulnerability in Archon Project Archon 3.21

packages/subjects/pub/subjects.php in Archon 3.21 rev-1 has XSS in the referer parameter in an index.php?subjecttypeid=xxx request, aka Open Bug Bounty ID OBB-466362.

4.3
2019-07-03 CVE-2018-11317 Intelliants Cross-site Scripting vulnerability in Intelliants Subrion

Subrion CMS before 4.1.4 has XSS.

4.3
2019-07-03 CVE-2018-11227 Monstra Cross-site Scripting vulnerability in Monstra CMS

Monstra CMS 3.0.4 and earlier has XSS via index.php.

4.3
2019-07-02 CVE-2017-11578 Blipcare Information Exposure vulnerability in Blipcare Wi-Fi Blood Pressure Monitor Firmware

It was discovered as a part of the research on IoT devices in the most recent firmware for Blipcare device that the device allows to connect to web management interface on a non-SSL connection using plain text HTTP protocol.

4.3
2019-07-02 CVE-2019-10136 Redhat Improper Verification of Cryptographic Signature vulnerability in Redhat Satellite and Spacewalk

It was found that Spacewalk, all versions through 2.9, did not safely compute client token checksums.

4.3
2019-07-01 CVE-2019-3962 Tenable Cross-site Scripting vulnerability in Tenable Nessus

Content Injection vulnerability in Tenable Nessus prior to 8.5.0 may allow an authenticated, local attacker to exploit this vulnerability by convincing another targeted Nessus user to view a malicious URL and use Nessus to send fraudulent messages.

4.3
2019-07-01 CVE-2019-13137 Imagemagick
Debian
Canonical
Memory Leak vulnerability in multiple products

ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadPSImage in coders/ps.c.

4.3
2019-07-01 CVE-2019-13134 Imagemagick
Opensuse
Memory Leak vulnerability in multiple products

ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c.

4.3
2019-07-01 CVE-2019-13133 Imagemagick
Opensuse
Memory Leak vulnerability in multiple products

ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.

4.3
2019-07-01 CVE-2019-1578 Paloaltonetworks Cross-site Scripting vulnerability in Paloaltonetworks Minemeld 0.9.60

Cross-site scripting vulnerability in Palo Alto Networks MineMeld version 0.9.60 and earlier may allow a remote attacker able to convince an authenticated MineMeld admin to type malicious input in the MineMeld UI could execute arbitrary JavaScript code in the admin’s browser.

4.3
2019-07-01 CVE-2016-5235 F5 Cross-site Scripting vulnerability in F5 Websafe Alert Server 1.0.0/3.9.5

A Cross Site Scripting (XSS) vulnerability in versions of F5 WebSafe Dashboard 3.9.x and earlier, aka F5 WebSafe Alert Server, allows an unauthenticated user to inject HTML via a crafted alert.

4.3
2019-07-01 CVE-2019-13127 Draw
Jgraph
Cross-site Scripting vulnerability in multiple products

An issue was discovered in mxGraph through 4.0.0, related to the "draw.io Diagrams" plugin before 8.3.14 for Confluence and other products.

4.3
2019-07-01 CVE-2019-12970 Squirrelmail Cross-site Scripting vulnerability in Squirrelmail

XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2.

4.3
2019-07-04 CVE-2019-1884 Cisco Improper Input Validation vulnerability in Cisco Asyncos and web Security Appliance

A vulnerability in the web proxy functionality of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

4.0
2019-07-03 CVE-2019-12846 Jetbrains Unspecified vulnerability in Jetbrains Teamcity

A user without the required permissions could gain access to some JetBrains TeamCity settings.

4.0
2019-07-03 CVE-2017-8230 Amcrest Permissions, Privileges, and Access Controls vulnerability in Amcrest Ipm-721S Firmware

On Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices, the users on the device are divided into 2 groups "admin" and "user".

4.0
2019-07-03 CVE-2019-6637 F5 Unspecified vulnerability in F5 Big-Ip Application Security Manager

On BIG-IP (ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system.

4.0
2019-07-03 CVE-2019-6634 F5 Unspecified vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, a high volume of malformed analytics report requests leads to instability in restjavad process.

4.0
2019-07-03 CVE-2019-5601 Freebsd Information Exposure vulnerability in Freebsd 11.2/12.0

In FreeBSD 12.0-STABLE before r347474, 12.0-RELEASE before 12.0-RELEASE-p7, 11.2-STABLE before r347475, and 11.2-RELEASE before 11.2-RELEASE-p11, a bug in the FFS implementation causes up to three bytes of kernel stack memory to be written to disk as uninitialized directory entry padding.

4.0
2019-07-03 CVE-2019-12847 Jetbrains Insufficiently Protected Credentials vulnerability in Jetbrains HUB

In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user.

4.0
2019-07-03 CVE-2018-14865 Odoo Information Exposure vulnerability in Odoo 10.0/11.0/9.0

Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier does not use secure options when passing documents to wkhtmltopdf, which allows remote attackers to read local files.

4.0
2019-07-03 CVE-2018-14864 Odoo Improper Access Control vulnerability in Odoo 10.0/8.0/9.0

Incorrect access control in asset bundles in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment.

4.0
2019-07-03 CVE-2018-14861 Odoo Incorrect Permission Assignment for Critical Resource vulnerability in Odoo 10.0/11.0

Improper data access control in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows authenticated users to perform a CSV export of the secure hashed passwords of other users.

4.0
2019-07-03 CVE-2018-14866 Odoo Incorrect Permission Assignment for Critical Resource vulnerability in Odoo 10.0/11.0/9.0

Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs.

4.0
2019-07-03 CVE-2017-9327 Cloudera Permission Issues vulnerability in Cloudera Manager 5.10.1/5.11.0/5.9.2

Secret data of processes managed by CM is not secured by file permissions.

4.0

12 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-05 CVE-2019-13341 1234N Cross-site Scripting vulnerability in 1234N Minicms 1.10

In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie.

3.5
2019-07-05 CVE-2019-13340 1234N Cross-site Scripting vulnerability in 1234N Minicms 1.10

In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box.

3.5
2019-07-05 CVE-2019-13339 1234N Cross-site Scripting vulnerability in 1234N Minicms 1.10

In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie.

3.5
2019-07-03 CVE-2017-9326 Cloudera Credentials Management vulnerability in Cloudera Manager 5.11.0

The keystore password for the Spark History Server may be exposed in unsecured files under the /var/run/cloudera-scm-agent directory managed by Cloudera Manager.

3.5
2019-07-01 CVE-2016-5236 F5 Cross-site Scripting vulnerability in F5 Websafe Alert Server 1.0.0/3.9.5

Cross-Site-Scripting (XSS) vulnerabilities in F5 WebSafe Dashboard 3.9.5 and earlier, aka F5 WebSafe Alert Server, allow privileged authenticated users to inject arbitrary web script or HTML when creating a new user, account or signature.

3.5
2019-07-04 CVE-2019-1890 Cisco Unspecified vulnerability in Cisco Application Policy Infrastructure Controller 7.3(0)Zn(0.113)

A vulnerability in the fabric infrastructure VLAN connection establishment of the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN.

3.3
2019-07-04 CVE-2019-13232 Unzip Project
Debian
Resource Exhaustion vulnerability in multiple products

Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.

3.3
2019-07-03 CVE-2019-10183 Redhat Information Exposure vulnerability in Redhat Enterprise Linux and Virt-Manager

Virt-install(1) utility used to provision new virtual machines has introduced an option '--unattended' to create VMs without user interaction.

3.3
2019-07-02 CVE-2017-8417 Dlink Credentials Management vulnerability in Dlink Dcs-1100 Firmware and Dcs-1130 Firmware

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices.

3.3
2019-07-01 CVE-2019-4296 IBM Information Exposure Through Log Files vulnerability in IBM Robotic Process Automation With Automation Anywhere 11.0.0.0/11.0.0.1/11.0.0.2

IBM Robotic Process Automation with Automation Anywhere 11 information disclosure could allow a local user to obtain e-mail contents from the client debug log file.

3.3
2019-07-03 CVE-2019-6632 F5 Cryptographic Issues vulnerability in F5 products

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness.

2.1
2019-07-01 CVE-2019-4101 IBM Unspecified vulnerability in IBM DB2

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1, 10.5, and 11.1 is vulnerable to a denial of service.

2.1