Weekly Vulnerabilities Reports > July 8 to 14, 2019

Overview

262 new vulnerabilities were reported during this period, including 31 critical vulnerabilities and 52 high severity vulnerabilities. This weekly summary reports vulnerabilities in 279 products from 132 vendors including Debian, Gitlab, Google, Canonical, and SAP. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "OS Command Injection", "Information Exposure", and "Improper Access Control".

  • 222 reported vulnerabilities are remotely exploitable.
  • 4 reported vulnerabilities have a public exploit available.
  • 121 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 195 reported vulnerabilities are exploitable by an anonymous user.
  • Debian has the most reported vulnerabilities, with 26 reported vulnerabilities.
  • Fedoraproject has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

Summary counters (values not captured in this copy): total vulnerabilities; critical risk vulnerabilities; high risk vulnerabilities; medium risk vulnerabilities; low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application.

Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:


31 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-14 CVE-2019-13598 Getvera OS Command Injection vulnerability in Getvera Vera Edge Firmware 1.7.4452

LuaUPnP in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via the code parameter to /port_3480/data_request because the "No unsafe lua allowed" code block is skipped.

10.0
2019-07-11 CVE-2019-10970 Rockwellautomation Improper Access Control vulnerability in Rockwellautomation Panelview 5510 Firmware

In Rockwell Automation PanelView 5510 (all versions manufactured before March 13, 2019 that have never been updated to v4.003, v5.002, or later), a remote, unauthenticated threat actor with access to an affected PanelView 5510 Graphic Display, upon successful exploit, may boot-up the terminal and gain root-level access to the device’s file system.

10.0
2019-07-11 CVE-2019-7003 Avaya SQL Injection vulnerability in Avaya Control Manager

A SQL injection vulnerability in the reporting component of Avaya Control Manager could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other users on the system.

10.0
2019-07-11 CVE-2019-13561 Dlink OS Command Injection vulnerability in Dlink Dir-655 Firmware 3.02B05

D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to execute arbitrary commands via shell metacharacters in the online_firmware_check.cgi check_fw_url parameter.

10.0
2019-07-10 CVE-2019-13278 Trendnet OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware

TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains multiple command injections when processing user input for the setup wizard, allowing an unauthenticated user to run arbitrary commands on the device.

10.0
2019-07-09 CVE-2019-3950 Arlo Use of Hard-coded Credentials vulnerability in Arlo products

Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded username and password combination that allows root access to the device when an onboard serial interface is connected to.

10.0
2019-07-11 CVE-2019-12525 Squid Cache, Debian, Opensuse, Fedoraproject, Canonical Out-of-bounds Write vulnerability in multiple products

An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7.

9.8
2019-07-11 CVE-2019-11062 SUN NET OS Command Injection vulnerability in Sun.Net Wmpro 5.0/5.1

The SUNNET WMPro v5.0 and v5.1 for eLearning system has OS Command Injection via "/teach/course/doajaxfileupload.php".

9.8
2019-07-11 CVE-2019-12838 Schedmd, Debian, Fedoraproject, Opensuse SQL Injection vulnerability in multiple products

SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL Injection.

9.8
2019-07-10 CVE-2019-12803 Hunesion Unrestricted Upload of File with Dangerous Type vulnerability in Hunesion I-Onenet

In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, the specific upload web module doesn't verify the file extension and type, and an attacker can upload a webshell.

9.8
2019-07-10 CVE-2019-13132 Zeromq, Debian, Canonical, Fedoraproject Out-of-bounds Write vulnerability in multiple products

In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library.

9.8
2019-07-10 CVE-2017-12652 Libpng, Netapp Improper Input Validation vulnerability in multiple products

libpng before 1.6.32 does not properly check the length of chunks against the user limit.

9.8
2019-07-10 CVE-2019-13224 Oniguruma Project, PHP, Fedoraproject, Debian, Canonical Use After Free vulnerability in multiple products

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression.

9.8
2019-07-10 CVE-2018-14496 Vivotek Out-of-bounds Write vulnerability in Vivotek Fd8136 Firmware 0301A

Vivotek FD8136 devices allow remote memory corruption and remote code execution because of a stack-based buffer overflow, related to sprintf, vlocal_buff_4326, and set_getparam.cgi.

9.8
2019-07-10 CVE-2018-14495 Vivotek OS Command Injection vulnerability in Vivotek Fd8136 Firmware 0301A

Vivotek FD8136 devices allow Remote Command Injection, aka "another command injection vulnerability in our target device," a different issue than CVE-2018-14494.

9.8
2019-07-10 CVE-2018-14494 Vivotek OS Command Injection vulnerability in Vivotek Fd8136 Firmware 0301A

Vivotek FD8136 devices allow Remote Command Injection, related to BusyBox and wget.

9.8
2019-07-09 CVE-2019-13478 Yoast Cross-site Scripting vulnerability in Yoast SEO

The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions.

9.8
2019-07-09 CVE-2018-11307 Fasterxml, Redhat, Oracle Deserialization of Untrusted Data vulnerability in multiple products

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5.

9.8
2019-07-08 CVE-2019-13413 Boiteasite SQL Injection vulnerability in Boiteasite Rencontre

The Rencontre plugin before 3.1.3 for WordPress allows SQL Injection via inc/rencontre_widget.php.

9.8
2019-07-09 CVE-2019-11991 HP Information Exposure vulnerability in HP 3Par Service Processor Firmware

HPE has identified a vulnerability in HPE 3PAR Service Processor (SP) version 4.1 through 4.4.

9.7
2019-07-11 CVE-2019-12574 Londontrustmedia, Microsoft Untrusted Search Path vulnerability in Londontrustmedia Private Internet Access VPN Client 1.0

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v1.0 for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges.

9.3
2019-07-08 CVE-2019-2109 Google Out-of-bounds Write vulnerability in Google Android

In MakeMPEG4VideoCodecSpecificData of AVIExtractor.cpp, there is a possible out of bounds write due to an incorrect bounds check.

9.3
2019-07-08 CVE-2019-2107 Google Out-of-bounds Write vulnerability in Google Android

In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out of bounds write due to a missing bounds check.

9.3
2019-07-08 CVE-2019-2106 Google Out-of-bounds Write vulnerability in Google Android

In ihevcd_sao_shift_ctb of ihevcd_sao.c, there is a possible out of bounds write due to a missing bounds check.

9.3
2019-07-10 CVE-2019-0330 SAP Code Injection vulnerability in SAP Diagnostics Agent 7.20

The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostic Agent (LM-Service), version 7.2, allow an attacker to inject code that can be executed by the application.

9.1
2019-07-11 CVE-2018-19588 Alarm Improper Access Control vulnerability in Alarm Adc-V522Ir Firmware 0100B9

Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control.

9.0
2019-07-10 CVE-2019-13482 Dlink OS Command Injection vulnerability in Dlink Dir-818Lw Firmware 2.06

An issue was discovered on D-Link DIR-818LW devices with firmware 2.06betab01.

9.0
2019-07-10 CVE-2019-13481 Dlink OS Command Injection vulnerability in Dlink Dir-818Lw Firmware 2.06

An issue was discovered on D-Link DIR-818LW devices with firmware 2.06betab01.

9.0
2019-07-10 CVE-2019-0328 SAP OS Command Injection vulnerability in SAP Netweaver Process Integration

ABAP Tests Modules (SAP Basis, versions 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) of SAP NetWeaver Process Integration enables an attacker to execute OS commands with privileged rights.

9.0
2019-07-08 CVE-2019-10973 Quest Improper Input Validation vulnerability in Quest Kace Systems Management Appliance

Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface.

9.0
2019-07-08 CVE-2019-13398 Fortinet OS Command Injection vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0

Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrl_save_profile.cgi (save parameter) and cgi-bin/ddns.cgi.

9.0

52 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-11 CVE-2018-17196 Apache Unspecified vulnerability in Apache Kafka

In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation.

8.8
2019-07-11 CVE-2019-12527 Squid Cache, Fedoraproject, Debian, Canonical, Redhat Out-of-bounds Write vulnerability in multiple products

An issue was discovered in Squid 4.0.23 through 4.7.

8.8
2019-07-11 CVE-2019-10351 Jenkins Cleartext Storage of Sensitive Information vulnerability in Jenkins Caliper CI 2.3

Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

8.8
2019-07-11 CVE-2019-10350 Jenkins Cleartext Storage of Sensitive Information vulnerability in Jenkins Port Allocator

Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

8.8
2019-07-11 CVE-2019-10348 Jenkins Cleartext Storage of Sensitive Information vulnerability in Jenkins Gogs

Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

8.8
2019-07-11 CVE-2019-10347 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Mashup Portlets

Jenkins Mashup Portlets Plugin stored credentials unencrypted on the Jenkins master where they can be viewed by users with access to the master file system.

8.8
2019-07-11 CVE-2019-10340 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Docker

A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

8.8
2019-07-10 CVE-2018-14550 Libpng, Oracle, Netapp Out-of-bounds Write vulnerability in multiple products

An issue has been found in third-party PNM decoding associated with libpng 1.6.35.

8.8
2019-07-09 CVE-2019-12747 Typo3 Deserialization of Untrusted Data vulnerability in Typo3

TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.

8.8
2019-07-14 CVE-2019-13602 Videolan, Debian, Canonical, Opensuse Integer Underflow (Wrap or Wraparound) vulnerability in multiple products

An Integer Underflow in MP4_EIA608_Convert() in modules/demux/mp4/mp4.c in VideoLAN VLC media player through 3.0.7.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and crash) or possibly have unspecified other impact via a crafted .mp4 file.

7.8
2019-07-11 CVE-2019-11133 Intel Unspecified vulnerability in Intel Processor Diagnostic Tool

Improper access control in the Intel(R) Processor Diagnostic Tool before version 4.1.2.24 may allow an authenticated user to potentially enable escalation of privilege, information disclosure or denial of service via local access.

7.8
2019-07-11 CVE-2019-0053 Juniper, Debian Out-of-bounds Write vulnerability in multiple products

Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS.

7.8
2019-07-11 CVE-2019-0052 Juniper Resource Exhaustion vulnerability in Juniper Junos

The srxpfe process may crash on SRX Series services gateways when the UTM module processes a specific fragmented HTTP packet.

7.8
2019-07-10 CVE-2019-1873 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the cryptographic driver for Cisco Adaptive Security Appliance Software (ASA) and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reboot unexpectedly.

7.8
2019-07-09 CVE-2019-11890 Sony Resource Exhaustion vulnerability in Sony Bravia Firmware

Sony Bravia Smart TV devices allow remote attackers to cause a denial of service (device hang or reboot) via a SYN flood attack over a wired or Wi-Fi LAN.

7.8
2019-07-09 CVE-2019-11889 Sony Unspecified vulnerability in Sony Bravia Firmware

Sony BRAVIA Smart TV devices allow remote attackers to cause a denial of service (device hang) via a crafted web page over HbbTV.

7.8
2019-07-08 CVE-2019-13404 Python Files or Directories Accessible to External Parties vulnerability in Python

The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code.

7.8
2019-07-10 CVE-2018-19571 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.

7.7
2019-07-14 CVE-2019-13597 Sahipro OS Command Injection vulnerability in Sahipro Sahi PRO 8.0.0

_s_/sprm/_s_/dyn/Player_setScriptFile in Sahi Pro 8.0.0 allows command execution.

7.5
2019-07-14 CVE-2019-13589 Anjlab Inclusion of Functionality from Untrusted Control Sphere vulnerability in Anjlab Paranoid2 1.1.6

The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

7.5
2019-07-12 CVE-2019-13027 Realization SQL Injection vulnerability in Realization Concerto Critical Chain Planner 5.10.8071

Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has SQL Injection in at least the taskupdt/taskdetails.aspx webpage via the projectname parameter.

7.5
2019-07-11 CVE-2019-12751 Symantec Unspecified vulnerability in Symantec Message Gateway

Symantec Messaging Gateway, prior to 10.7.1, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

7.5
2019-07-11 CVE-2019-4193 IBM Information Exposure vulnerability in IBM Jazz for Service Management

IBM Jazz for Service Management 1.1.3 and 1.1.3.2 stores sensitive information in URL parameters.

7.5
2019-07-11 CVE-2019-10651 Ivanti Unspecified vulnerability in Ivanti Endpoint Manager 2017.3/2018.1/2018.3

An issue was discovered in the Core Server in Ivanti Endpoint Manager (EPM) 2017.3 before SU7 and 2018.x before 2018.3 SU3, with remote code execution.

7.5
2019-07-11 CVE-2019-13507 Hidea SQL Injection vulnerability in Hidea AZ Admin 1.0

hidea.com AZ Admin 1.0 has news_det.php?cod= SQL Injection.

7.5
2019-07-11 CVE-2019-13503 Cesanta Out-of-bounds Read vulnerability in Cesanta Mongoose 6.15

mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer over-read.

7.5
2019-07-10 CVE-2019-13489 Trape Project SQL Injection vulnerability in Trape Project Trape 20190508

Trape through 2019-05-08 has SQL injection via the data[2] variable in core/db.py, as demonstrated by the /bs t parameter.

7.5
2019-07-10 CVE-2019-13279 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-827Dru Firmware

TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains multiple stack-based buffer overflows when processing user input for the setup wizard, allowing an unauthenticated user to execute arbitrary code.

7.5
2019-07-10 CVE-2019-13276 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-827Dru Firmware

TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains a stack-based buffer overflow in the ssi binary.

7.5
2019-07-10 CVE-2019-12468 Mediawiki, Debian Missing Authentication for Critical Function vulnerability in multiple products

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1.

7.5
2019-07-10 CVE-2019-10653 Hsycms SQL Injection vulnerability in Hsycms 1.1

An issue was discovered in Hsycms V1.1.

7.5
2019-07-10 CVE-2019-12723 Teclib Edition SQL Injection vulnerability in Teclib-Edition Fields

An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI.

7.5
2019-07-10 CVE-2019-10122 EQ 3 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware

eQ-3 HomeMatic CCU2 devices before 2.41.9 and CCU3 devices before 3.43.16 have buffer overflows in the ReGa ise GmbH HTTP-Server 2.0 component, aka HMCCU-179.

7.5
2019-07-10 CVE-2019-10121 EQ 3 Missing Authentication for Critical Function vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware

eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.15 use session IDs for authentication but lack authorization checks.

7.5
2019-07-10 CVE-2019-10119 EQ 3 Missing Authentication for Critical Function vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware

eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks.

7.5
2019-07-09 CVE-2019-13470 Matrixssl Out-of-bounds Read vulnerability in Matrixssl

MatrixSSL before 4.2.1 has an out-of-bounds read during ASN.1 handling.

7.5
2019-07-09 CVE-2019-11512 Contao SQL Injection vulnerability in Contao

Contao 4.x allows SQL Injection.

7.5
2019-07-09 CVE-2019-3949 Arlo Configuration vulnerability in Arlo products

Arlo Basestation firmware 1.12.0.1_27940 and prior firmware contain a networking misconfiguration that allows access to restricted network interfaces.

7.5
2019-07-08 CVE-2019-9629 Sonatype Improper Authentication vulnerability in Sonatype Nexus Repository Manager

Sonatype Nexus Repository Manager before 3.17.0 establishes a default administrator user with weak defaults (fixed credentials).

7.5
2019-07-08 CVE-2019-2111 Google Use After Free vulnerability in Google Android 9.0

In loop of DnsTlsSocket.cpp, there is a possible heap memory corruption due to a use after free.

7.5
2019-07-08 CVE-2019-13354 Strong Password Project Code Injection vulnerability in Strong Password Project Strong Password 0.0.7

The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

7.5
2019-07-13 CVE-2019-5629 Rapid7 Uncontrolled Search Path Element vulnerability in Rapid7 Insight Agent

Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path.

7.2
2019-07-12 CVE-2019-12731 Mikogo, Microsoft Improper Privilege Management vulnerability in Mikogo

The Windows versions of Snapview Mikogo, versions before 5.10.2, are affected by insecure implementations which allow local attackers to escalate privileges.

7.2
2019-07-11 CVE-2019-12579 Londontrustmedia OS Command Injection vulnerability in Londontrustmedia Private Internet Access VPN Client 82

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.

7.2
2019-07-11 CVE-2019-12578 Londontrustmedia, Linux Argument Injection or Modification vulnerability in Londontrustmedia Private Internet Access VPN Client 82

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges.

7.2
2019-07-11 CVE-2019-12577 Londontrustmedia Incorrect Permission Assignment for Critical Resource vulnerability in Londontrustmedia Private Internet Access VPN Client 82

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.

7.2
2019-07-11 CVE-2019-12576 Londontrustmedia Untrusted Search Path vulnerability in Londontrustmedia Private Internet Access VPN Client 82

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.

7.2
2019-07-11 CVE-2019-12575 Londontrustmedia, Linux Uncontrolled Search Path Element vulnerability in Londontrustmedia Private Internet Access VPN Client 82

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges.

7.2
2019-07-11 CVE-2019-10135 Osbs Client Project Deserialization of Untrusted Data vulnerability in Osbs-Client Project Osbs-Client

A flaw was found in the yaml.load() function in the osbs-client versions since 0.46 before 0.56.1.

7.2
2019-07-10 CVE-2019-5446 UI Command Injection vulnerability in UI Edgeswitch Firmware 1.7.3

Command Injection in EdgeMAX EdgeSwitch prior to 1.8.2 allows an Admin user to execute commands as root.

7.2
2019-07-08 CVE-2019-2112 Google Use After Free vulnerability in Google Android 8.0/8.1/9.0

In several functions of alarm.cc, there is possible memory corruption due to a use after free.

7.2
2019-07-08 CVE-2019-12174 Hide Missing Authentication for Critical Function vulnerability in Hide Hide.Me

hide.me before 2.4.4 on macOS suffers from a privilege escalation vulnerability in the connectWithExecutablePath:configFilePath:configFileName method of the me_hide_vpnhelper.Helper class in the me.hide.vpnhelper macOS privilege helper tool.

7.2

162 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-14 CVE-2019-13594 Mirumee Cross-Site Request Forgery (CSRF) vulnerability in Mirumee Saleor 2.7.0

In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server.

6.8
2019-07-12 CVE-2019-13567 Zoom OS Command Injection vulnerability in Zoom

The Zoom Client before 4.4.53932.0709 on macOS allows remote code execution, a different vulnerability than CVE-2019-13450.

6.8
2019-07-12 CVE-2019-13494 Castlerock Out-of-bounds Write vulnerability in Castlerock Simple Network Management Protocol Console

nodeimp.exe in Castle Rock SNMPc before 9.0.12.1 and 10.x before 10.0.9 has a stack-based buffer overflow via a long variable string in a Map Objects text file.

6.8
2019-07-12 CVE-2019-13574 Minimagick Project, Debian OS Command Injection vulnerability in multiple products

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.

6.8
2019-07-11 CVE-2018-18095 Intel Improper Authentication vulnerability in Intel SSD DC S4500 Firmware and SSD DC S4600 Firmware

Improper authentication in firmware for Intel(R) SSD DC S4500 Series and Intel(R) SSD DC S4600 Series before SCV10150 may allow an unprivileged user to potentially enable escalation of privilege via physical access.

6.8
2019-07-11 CVE-2019-13563 Dlink Cross-Site Request Forgery (CSRF) vulnerability in Dlink Dir-655 Firmware 3.02B05

D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console.

6.8
2019-07-11 CVE-2019-12363 Mybb 2FA Project Cross-Site Request Forgery (CSRF) vulnerability in Mybb-2Fa Project Mybb-2Fa 20141105

A CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB.

6.8
2019-07-11 CVE-2018-11744 Cloudera Improper Access Control vulnerability in Cloudera Manager

Cloudera Manager through 5.15 has Incorrect Access Control.

6.8
2019-07-10 CVE-2019-12466 Mediawiki, Debian Cross-Site Request Forgery (CSRF) vulnerability in multiple products

Wikimedia MediaWiki through 1.32.1 allows CSRF.

6.8
2019-07-10 CVE-2019-13071 Cyberpowersystems Cross-Site Request Forgery (CSRF) vulnerability in Cyberpowersystems Powerpanel 3.4.0

CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application.

6.8
2019-07-10 CVE-2018-12628 Eventum Project Cross-Site Request Forgery (CSRF) vulnerability in Eventum Project Eventum

An issue was discovered in Eventum 3.5.0.

6.8
2019-07-09 CVE-2019-13475 Mobatek Argument Injection or Modification vulnerability in Mobatek Mobaxterm 11.1

In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL.

6.8
2019-07-08 CVE-2019-2105 Google Use of Uninitialized Resource vulnerability in Google Android

In FileInputStream::Read of file_input_stream.cc, there is a possible memory corruption due to uninitialized data.

6.8
2019-07-08 CVE-2019-13401 Fortinet Cross-Site Request Forgery (CSRF) vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0

Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/.

6.8
2019-07-11 CVE-2019-12573 Londontrustmedia Link Following vulnerability in Londontrustmedia Private Internet Access VPN Client 82

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files.

6.6
2019-07-11 CVE-2019-12571 Londontrustmedia Link Following vulnerability in Londontrustmedia Private Internet Access VPN Client 0.9.8

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files.

6.6
2019-07-09 CVE-2019-13142 Razer Incorrect Permission Assignment for Critical Resource vulnerability in Razer Surround 1.1.63.0

The RzSurroundVADStreamingService (RzSurroundVADStreamingService.exe) in Razer Surround 1.1.63.0 runs as the SYSTEM user using an executable located in %PROGRAMDATA%\Razer\Synapse\Devices\Razer Surround\Driver\.

6.6
2019-07-11 CVE-2019-10935 Siemens Unrestricted Upload of File with Dangerous Type vulnerability in Siemens Simatic PCS 7, Simatic Wincc and Simatic Wincc Runtime

A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd 11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC Professional (TIA Portal V13) (All versions), SIMATIC WinCC Professional (TIA Portal V14) (All versions < V14 SP1 Upd 9), SIMATIC WinCC Professional (TIA Portal V15) (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3).

6.5
2019-07-11 CVE-2019-10193 Redislabs, Redhat, Debian, Canonical, Oracle Out-of-bounds Write vulnerability in multiple products

A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4.

6.5
2019-07-11 CVE-2019-10192 Redislabs, Redhat, Debian, Canonical, Oracle Out-of-bounds Write vulnerability in multiple products

A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4.

6.5
2019-07-11 CVE-2019-10341 Jenkins Missing Authorization vulnerability in Jenkins Docker

A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.5
2019-07-11 CVE-2019-13504 Exiv2, Debian Out-of-bounds Read vulnerability in multiple products

There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp in Exiv2 through 0.27.2.

6.5
2019-07-10 CVE-2019-0327 SAP Unrestricted Upload of File with Dangerous Type vulnerability in SAP Netweaver Application Server Java

SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation.

6.5
2019-07-10 CVE-2018-19583 Gitlab Information Exposure Through Log Files vulnerability in Gitlab

GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user's token.

6.5
2019-07-10 CVE-2018-19569 Gitlab Improper Authorization vulnerability in Gitlab

GitLab CE/EE, versions 8.8 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an authorization vulnerability that allows access to the web-UI as a user using a Personal Access Token of any scope.

6.5
2019-07-10 CVE-2019-13225 Oniguruma Project, Fedoraproject NULL Pointer Dereference vulnerability in multiple products

A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression.

6.5
2019-07-10 CVE-2018-20851 Helpy IO Unspecified vulnerability in Helpy.Io Helpy

Helpy before 2.2.0 allows agents to edit admins.

6.5
2019-07-10 CVE-2019-10120 EQ 3 Session Fixation vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware

On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka HMCCU-154.

6.5
2019-07-09 CVE-2019-13280 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-827Dru Firmware

TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains a stack-based buffer overflow while returning an error message to the user about failure to resolve a hostname during a ping or traceroute attempt.

6.5
2019-07-09 CVE-2019-13450 Ringcentral
Zoom
Missing Authorization vulnerability in multiple products

In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active.

6.5
2019-07-09 CVE-2019-13449 Zoom Improper Input Validation vulnerability in Zoom

In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421.

6.5
2019-07-08 CVE-2019-12926 Mailenable Missing Authorization vulnerability in Mailenable

MailEnable Enterprise Premium 10.23 did not use appropriate access control checks in a number of areas.

6.5
2019-07-08 CVE-2019-12925 Mailenable Path Traversal vulnerability in Mailenable

MailEnable Enterprise Premium 10.23 was vulnerable to multiple directory traversal issues, with which authenticated users could add, remove, or potentially read files in arbitrary folders accessible by the IIS user.

6.5
2019-07-08 CVE-2019-13402 Fortinet Improper Cross-boundary Removal of Sensitive Data vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0

/usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactorydefault.cgi on Dynacolor FCM-MB40 v1.2.0.0 devices implement an incomplete factory-reset process.

6.5
2019-07-11 CVE-2019-10930 Siemens Unrestricted Upload of File with Dangerous Type vulnerability in Siemens products

A vulnerability has been identified in All other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions), DIGSI 5 engineering software (All versions < V7.90), SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87 and 7VE85 with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions < V7.90), SIPROTEC 5 device types 7SS85 and 7KE85 (All versions < V8.01), SIPROTEC 5 device types with CPU variants CP200 and the respective Ethernet communication modules (All versions).

6.4
2019-07-10 CVE-2018-19576 Gitlab Improper Access Control vulnerability in Gitlab

GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue, after the issue was made Confidential.

6.4
2019-07-09 CVE-2019-9149 Mailvelope Incorrect Authorization vulnerability in Mailvelope

Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API.

6.4
2019-07-11 CVE-2019-0046 Juniper Resource Exhaustion vulnerability in Juniper Junos

A vulnerability in the pfe-chassisd Chassis Manager (CMLC) daemon of Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) to the EX4300 when specific valid broadcast packets create a broadcast storm condition when received on the me0 interface of the EX4300 Series device.

6.1
2019-07-11 CVE-2014-3798 Citrix Improper Input Validation vulnerability in Citrix Xenserver

The Windows Guest Tools in Citrix XenServer 6.2 SP1 and earlier allows remote attackers to cause a denial of service (guest OS crash) via a crafted Ethernet frame.

6.1
2019-07-11 CVE-2019-13564 Pingidentity Cross-site Scripting vulnerability in Pingidentity Agentless Integration KIT

XSS exists in Ping Identity Agentless Integration Kit before 1.5.

6.1
2019-07-11 CVE-2019-12597 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Assetexplorer 6.5

An issue was discovered in Zoho ManageEngine AssetExplorer.

6.1
2019-07-11 CVE-2019-12596 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Assetexplorer 6.5

An issue was discovered in Zoho ManageEngine AssetExplorer.

6.1
2019-07-11 CVE-2019-12595 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Assetexplorer 6.5

An issue was discovered in Zoho ManageEngine AssetExplorer.

6.1
2019-07-11 CVE-2019-12537 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Assetexplorer 6.5

An issue was discovered in Zoho ManageEngine AssetExplorer.

6.1
2019-07-11 CVE-2019-10346 Jenkins Cross-site Scripting vulnerability in Jenkins Embeddable Build Status

A reflected cross site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers to inject arbitrary HTML and JavaScript into the response of this plugin.

6.1
2019-07-11 CVE-2019-13505 Dwbooster Cross-site Scripting vulnerability in Dwbooster Appointment Hour Booking 1.1.44

The Appointment Hour Booking plugin 1.1.44 for WordPress allows XSS via the E-mail field, as demonstrated by email_1.

6.1
2019-07-10 CVE-2019-0321 SAP Cross-site Scripting vulnerability in SAP products

ABAP Server and ABAP Platform (SAP Basis), versions 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.

6.1
2019-07-09 CVE-2019-13397 Enhancesoft Cross-site Scripting vulnerability in Enhancesoft Osticket 1.10.1

Unauthenticated Stored XSS in osTicket 1.10.1 allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via arbitrary file extension while creating a support ticket.

6.1
2019-07-09 CVE-2019-12748 Typo3 Cross-site Scripting vulnerability in Typo3

TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.

6.1
2019-07-08 CVE-2019-13414 Boiteasite Cross-site Scripting vulnerability in Boiteasite Rencontre

The Rencontre plugin before 3.1.3 for WordPress allows XSS via inc/rencontre_widget.php.

6.1
2019-07-11 CVE-2019-12529 Squid Cache
Debian
Fedoraproject
Opensuse
Canonical
Out-of-bounds Read vulnerability in multiple products

An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7.

5.9
2019-07-10 CVE-2019-11650 Microfocus Unspecified vulnerability in Microfocus Netiq Advanced Authentication

A potential Man in the Middle attack (MITM) was found in NetIQ Advanced Authentication Framework versions prior to 6.0.

5.9
2019-07-14 CVE-2019-13590 Sound Exchange Project NULL Pointer Dereference vulnerability in Sound Exchange Project Sound Exchange 14.4.2

An issue was discovered in libsox.a in SoX 14.4.2.

5.5
2019-07-11 CVE-2019-1010319 Wavpack
Fedoraproject
Canonical
Debian
Use of Uninitialized Resource vulnerability in multiple products

WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable.

5.5
2019-07-11 CVE-2019-1010317 Wavpack
Fedoraproject
Canonical
Debian
Use of Uninitialized Resource vulnerability in multiple products

WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable.

5.5
2019-07-11 CVE-2019-1010315 Wavpack
Fedoraproject
Debian
Canonical
Divide By Zero vulnerability in multiple products

WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero.

5.5
2019-07-11 CVE-2019-10194 Ovirt
Redhat
Information Exposure Through Log Files vulnerability in multiple products

Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions.

5.5
2019-07-11 CVE-2018-17152 Intersystems XXE vulnerability in Intersystems Cache 2017.2.2.865.0/2018.1.2

Intersystems Cache 2017.2.2.865.0 allows XXE.

5.5
2019-07-11 CVE-2018-17151 Intersystems Improper Access Control vulnerability in Intersystems Cache 2017.2.2.865.0/2018.1.2

Intersystems Cache 2017.2.2.865.0 has Incorrect Access Control.

5.5
2019-07-10 CVE-2019-12804 Hunesion Insufficient Verification of Data Authenticity vulnerability in Hunesion I-Onenet

In Hunesion i-oneNet versions 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, due to the lack of update file integrity checking in the upgrade process, an attacker can craft a malicious file and use it as an update.

5.5
2019-07-09 CVE-2019-12782 Thoughtspot Authorization Bypass Through User-Controlled Key vulnerability in Thoughtspot 4.4.1/4.5.1/5.1.1

An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards of another user in the application by spoofing GUIDs in pinboard update requests, effectively deleting them.

5.5
2019-07-11 CVE-2019-3889 Redhat Cross-site Scripting vulnerability in Redhat Openshift Container Platform

A reflected XSS vulnerability exists in authorization flow of OpenShift Container Platform versions: openshift-online-3, openshift-enterprise-3.4 through 3.7 and openshift-enterprise-3.9 through 3.11.

5.4
2019-07-11 CVE-2019-10349 Jenkins Cross-site Scripting vulnerability in Jenkins Dependency Graph Viewer

A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

5.4
2019-07-10 CVE-2018-19574 Gitlab Cross-site Scripting vulnerability in Gitlab

GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page.

5.4
2019-07-10 CVE-2018-19573 Gitlab Cross-site Scripting vulnerability in Gitlab

GitLab CE/EE, versions 10.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via Mermaid.

5.4
2019-07-10 CVE-2018-19570 Gitlab Cross-site Scripting vulnerability in Gitlab

GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags.

5.4
2019-07-13 CVE-2018-20852 Python Improper Input Validation vulnerability in Python

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server.

5.3
2019-07-11 CVE-2018-1968 IBM Information Exposure vulnerability in IBM Security Identity Manager Virtual Appliance 7.0.1/7.0.1.12

IBM Security Identity Manager 7.0.1 discloses sensitive information to unauthorized users.

5.3
2019-07-10 CVE-2019-5444 Serve Here JS Project Path Traversal vulnerability in Serve-Here.Js Project Serve-Here.Js

A path traversal vulnerability in versions up to v1.1.3 of the serve-here.js npm module allows attackers to list any file in an arbitrary folder.

5.3
2019-07-10 CVE-2018-19577 Gitlab Improper Access Control vulnerability in Gitlab

GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an incorrect access control vulnerability that displays to an unauthorized user the title and namespace of a confidential issue.

5.3
2019-07-11 CVE-2019-10931 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in All other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions), DIGSI 5 engineering software (All versions < V7.90), SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87 and 7VE85 with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions < V7.90), SIPROTEC 5 device types 7SS85 and 7KE85 (All versions < V8.01), SIPROTEC 5 device types with CPU variants CP200 and the respective Ethernet communication modules (All versions < V7.59), SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet communication modules (All versions < V7.59).

5.0
2019-07-11 CVE-2019-5528 Vmware Unspecified vulnerability in VMWare Esxi 6.5/6.7

VMware ESXi 6.5 suffers from a partial denial of service vulnerability in the hostd process.

5.0
2019-07-11 CVE-2019-4131 IBM Unspecified vulnerability in IBM Cloud Application Performance Management 8.1.4

IBM Application Performance Management (IBM Monitoring 8.1.4) could allow a remote attacker to induce the application to perform server-side DNS lookups of arbitrary domain names.

5.0
2019-07-11 CVE-2019-0049 Juniper Unspecified vulnerability in Juniper Junos

On Junos devices with the BGP graceful restart helper mode enabled or the BGP graceful restart mechanism enabled, a certain sequence of BGP session restart on a remote peer that has the graceful restart mechanism enabled may cause the local routing protocol daemon (RPD) process to crash and restart.

5.0
2019-07-11 CVE-2019-0048 Juniper 7PK - Security Features vulnerability in Juniper Junos

On EX4300 Series switches with TCAM optimization enabled, incoming multicast traffic matches an implicit loopback filter rule first, since it has high priority.

5.0
2019-07-11 CVE-2019-9886 Eclass Improper Access Control vulnerability in Eclass IP 2.5

Any URLs with download_attachment.php under the templates or home folders can allow arbitrary files to be downloaded without login in BroadLearning eClass before version ip.2.5.10.2.1.

5.0
2019-07-11 CVE-2019-13560 Dlink Credentials Management vulnerability in Dlink Dir-655 Firmware 3.02B05

D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to force a blank password via the apply_sec.cgi setup_wizard parameter.

5.0
2019-07-10 CVE-2019-0322 SAP Unspecified vulnerability in SAP Commerce Cloud

SAP Commerce Cloud (previously known as SAP Hybris Commerce), (HY_COM, versions 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811), allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.

5.0
2019-07-10 CVE-2019-0319 SAP Injection vulnerability in SAP Gateway and UI5

The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message.

5.0
2019-07-10 CVE-2019-10966 GE Improper Authentication vulnerability in GE products

In GE Aestiva and Aespire versions 7100 and 7900, a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms.

5.0
2019-07-10 CVE-2018-19584 Gitlab Authorization Bypass Through User-Controlled Key vulnerability in Gitlab

GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups.

5.0
2019-07-10 CVE-2018-19581 Gitlab Improper Authorization vulnerability in Gitlab

GitLab EE, versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure object reference vulnerability that allows a Guest user to set the weight of an issue they create.

5.0
2019-07-10 CVE-2018-19580 Gitlab Improper Input Validation vulnerability in Gitlab

All versions of GitLab prior to 11.5.1, 11.4.8, and 11.3.11 do not send an email to the old email address when an email address change is made.

5.0
2019-07-10 CVE-2019-12474 Mediawiki
Debian

Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak.

5.0
2019-07-10 CVE-2019-12473 Mediawiki
Debian

Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS.

5.0
2019-07-10 CVE-2019-12472 Mediawiki Unspecified vulnerability in Mediawiki

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1.

5.0
2019-07-10 CVE-2018-10531 Americasarmy Improper Input Validation vulnerability in Americasarmy Proving Grounds

An issue was discovered in the America's Army Proving Grounds platform for the Unreal Engine.

5.0
2019-07-10 CVE-2019-12467 Mediawiki
Debian

MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3).

5.0
2019-07-10 CVE-2017-7189 PHP Improper Input Validation vulnerability in PHP

main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80.

5.0
2019-07-10 CVE-2019-13396 Getflightpath Path Traversal vulnerability in Getflightpath Flightpath

FlightPath 4.x and 5.0-x allows directory traversal and Local File Inclusion through the form_include parameter in an index.php?q=system-handle-form-submit POST request because of an include_once in system_handle_form_submit in modules/system/system.module.

5.0
2019-07-09 CVE-2019-9150 Mailvelope Key Management Errors vulnerability in Mailvelope

Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on a web page.

5.0
2019-07-09 CVE-2019-13277 Trendnet Unspecified vulnerability in Trendnet Tew-827Dru Firmware

TRENDnet TEW-827DRU with firmware up to and including 2.04B03 allows an unauthenticated attacker to execute setup wizard functionality, giving this attacker the ability to change configuration values, potentially leading to a denial of service.

5.0
2019-07-09 CVE-2019-13338 Weseek Information Exposure vulnerability in Weseek Growi

In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata.

5.0
2019-07-09 CVE-2019-13337 Weseek Authorization Bypass Through User-Controlled Key vulnerability in Weseek Growi

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API).

5.0
2019-07-09 CVE-2019-13464 Modsecurity Unrestricted Upload of File with Dangerous Type vulnerability in Modsecurity Owasp Modsecurity Core Rule SET 3.0.2

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2.

5.0
2019-07-09 CVE-2019-13461 Prestashop Authorization Bypass Through User-Controlled Key vulnerability in Prestashop

In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout.

5.0
2019-07-09 CVE-2019-13146 Field Test Project Injection vulnerability in Field Test Project Field Test 0.3.0

The field_test gem 0.3.0 for Ruby has unvalidated input.

5.0
2019-07-09 CVE-2019-11020 Ddrt Missing Authentication for Critical Function vulnerability in Ddrt Dashcom Live Firmware 20190509

Lack of authentication in file-viewing components in DDRT Dashcom Live 2019-05-09 allows anyone to remotely access all claim details by visiting easily guessable dashboard/uploads/claim_files/claim_id_ URLs.

5.0
2019-07-09 CVE-2019-11019 Ddrt Missing Authentication for Critical Function vulnerability in Ddrt Dashcom Live Firmware

Lack of authentication in case-exporting components in DDRT Dashcom Live through 2019-05-08 allows anyone to remotely access all claim details by visiting easily guessable exportpdf/all_claim_detail.php?claim_id= URLs.

5.0
2019-07-08 CVE-2019-12924 Mailenable Missing Encryption of Sensitive Data vulnerability in Mailenable

MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user.

5.0
2019-07-08 CVE-2019-9630 Sonatype Incorrect Default Permissions vulnerability in Sonatype Nexus Repository Manager

Sonatype Nexus Repository Manager before 3.17.0 has a weak default of giving any unauthenticated user read permissions on the repository files and images.

5.0
2019-07-08 CVE-2019-2116 Google Out-of-bounds Read vulnerability in Google Android

In save_attr_seq of sdp_discovery.cc, there is a possible out-of-bound read due to a missing bounds check.

5.0
2019-07-08 CVE-2019-13400 Fortinet Insufficiently Protected Credentials vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0

Dynacolor FCM-MB40 v1.2.0.0 devices use /etc/appWeb/appweb.pass to store administrative web-interface credentials in cleartext.

5.0
2019-07-10 CVE-2019-5445 UI Resource Exhaustion vulnerability in UI Edgeswitch Firmware 1.7.3

A DoS in EdgeMAX EdgeSwitch prior to 1.8.2 allows an Admin user to crash the SSH CLI interface by using crafted commands.

4.9
2019-07-10 CVE-2019-0325 SAP Missing Authorization vulnerability in SAP ERP HCM 3.0

SAP ERP HCM (SAP_HRCES), version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area.

4.9
2019-07-12 CVE-2019-8998 Blackberry Information Exposure vulnerability in Blackberry QNX Software Development Platform 6.4.0/6.4.1/6.5.0

An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space.

4.6
2019-07-11 CVE-2019-10915 Siemens Permissions, Privileges, and Access Controls vulnerability in Siemens TIA Administrator 1.0

A vulnerability has been identified in TIA Administrator (All versions < V1.0 SP1 Upd1).

4.6
2019-07-11 CVE-2019-1010316 Pyxtrlock Project Improper Access Control vulnerability in Pyxtrlock Project Pyxtrlock 0.1/0.2/0.3

pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control.

4.6
2019-07-11 CVE-2019-9657 Alarm Insufficiently Protected Credentials vulnerability in Alarm Adc-V522Ir Firmware 0100B9

Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control, a different issue than CVE-2018-19588.

4.6
2019-07-08 CVE-2018-11563 Otrs
Debian

An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7.

4.6
2019-07-11 CVE-2019-4118 IBM Unspecified vulnerability in IBM Multicloud Manager 3.1.0/3.1.1/3.1.2

IBM Multicloud Manager 3.1.0, 3.1.1, and 3.1.2 ibm-mcm-chart could allow a local attacker with admin privileges to obtain highly sensitive information upon deployment.

4.4
2019-07-12 CVE-2019-11242 Cohesity Improper Certificate Validation vulnerability in Cohesity Dataplatform

A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c.

4.3
2019-07-11 CVE-2019-10933 Siemens Cross-site Scripting vulnerability in Siemens products

A vulnerability has been identified in Spectrum Power 3 (Corporate User Interface) (All versions <= v3.11), Spectrum Power 4 (Corporate User Interface) (Version v4.75), Spectrum Power 5 (Corporate User Interface) (All versions < v5.50), Spectrum Power 7 (Corporate User Interface) (All versions <= v2.20).

4.3
2019-07-11 CVE-2019-4263 IBM Inclusion of Functionality from Untrusted Control Sphere vulnerability in IBM Content Navigator 3.0.0

IBM Content Navigator 3.0CD is vulnerable to local file inclusion, allowing an attacker to access a configuration file in the ICN server.

4.3
2019-07-11 CVE-2019-1010314 Gitea Cross-site Scripting vulnerability in Gitea 1.7.2/1.7.3

Gitea 1.7.2 and 1.7.3 are affected by: Cross Site Scripting (XSS).

4.3
2019-07-11 CVE-2018-17150 Intersystems Cross-site Scripting vulnerability in Intersystems Cache 2017.2.2.865.0/2018.1.2

Intersystems Cache 2017.2.2.865.0 allows XSS.

4.3
2019-07-11 CVE-2019-13562 Dlink Cross-site Scripting vulnerability in Dlink Dir-655 Firmware 3.02B05

D-Link DIR-655 C devices before 3.02B05 BETA03 allow XSS, as demonstrated by the /www/ping_response.cgi ping_ipaddr parameter, the /www/ping6_response.cgi ping6_ipaddr parameter, and the /www/apply_sec.cgi html_response_return_page parameter.

4.3
2019-07-11 CVE-2019-13506 Nuxtjs Cross-site Scripting vulnerability in Nuxtjs @Nuxt/Devalue and Nuxt.Js

@nuxt/devalue before 1.2.3, as used in Nuxt.js before 2.6.2, mishandles object keys, leading to XSS.

4.3
2019-07-11 CVE-2019-12540 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Servicedesk Plus 10.5

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5.

4.3
2019-07-11 CVE-2019-12539 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Servicedesk Plus 10.5

An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus.

4.3
2019-07-11 CVE-2019-10342 Jenkins Missing Authorization vulnerability in Jenkins Docker

A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

4.3
2019-07-10 CVE-2019-13488 Trape Project Cross-site Scripting vulnerability in Trape Project Trape 20190508

A cross-site scripting (XSS) vulnerability in static/js/trape.js in Trape through 2019-05-08 allows remote attackers to inject arbitrary web script or HTML via the country, query, or refer parameter to the /register URI, because the jQuery prepend() method is used.

4.3
2019-07-10 CVE-2019-0329 SAP Cross-site Scripting vulnerability in SAP Information Steward 4.2

SAP Information Steward, version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

4.3
2019-07-10 CVE-2019-0326 SAP Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3

SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), versions 4.1, 4.2, 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

4.3
2019-07-10 CVE-2019-0281 SAP Cross-site Scripting vulnerability in SAP Openui5

SAPUI5 and OpenUI5, before versions 1.38.39, 1.44.39, 1.52.25, 1.60.6 and 1.63.0, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.

4.3
2019-07-10 CVE-2018-11734 E107 Cross-site Scripting vulnerability in E107 2.1.7

In e107 v2.1.7, output without filtering results in XSS.

4.3
2019-07-10 CVE-2019-13122 Ozlabs Cross-site Scripting vulnerability in Ozlabs Patchwork

A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x.

4.3
2019-07-10 CVE-2019-12471 Mediawiki
Debian
Cross-site Scripting vulnerability in multiple products

Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS.

4.3
2019-07-10 CVE-2018-19572 Gitlab Race Condition vulnerability in Gitlab

GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment.

4.3
2019-07-10 CVE-2018-19493 Gitlab Cross-site Scripting vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1.

4.3
2019-07-10 CVE-2017-6217 Paypal Cross-site Scripting vulnerability in Paypal Adaptive Payments SDK 3.9.2

paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XSS in SetPaymentOptions.php, resulting in code execution.

4.3
2019-07-10 CVE-2019-13240 Glpi Project Weak Password Recovery Mechanism for Forgotten Password vulnerability in Glpi-Project Glpi

An issue was discovered in GLPI before 9.4.1.

4.3
2019-07-10 CVE-2019-12724 Teclib Edition Cross-site Scripting vulnerability in Teclib-Edition News

An issue was discovered in the Teclib News plugin through 1.5.2 for GLPI.

4.3
2019-07-10 CVE-2018-12627 Eventum Project Cross-site Scripting vulnerability in Eventum Project Eventum

An issue was discovered in Eventum 3.5.0.

4.3
2019-07-10 CVE-2018-12626 Eventum Project Cross-site Scripting vulnerability in Eventum Project Eventum

An issue was discovered in Eventum 3.5.0.

4.3
2019-07-10 CVE-2018-12625 Eventum Project Cross-site Scripting vulnerability in Eventum Project Eventum

An issue was discovered in Eventum 3.5.0.

4.3
2019-07-10 CVE-2018-12623 Eventum Project Cross-site Scripting vulnerability in Eventum Project Eventum

An issue was discovered in Eventum 3.5.0.

4.3
2019-07-10 CVE-2018-12622 Eventum Project Cross-site Scripting vulnerability in Eventum Project Eventum

An issue was discovered in Eventum 3.5.0.

4.3
2019-07-09 CVE-2019-13472 Phpwind Cross-site Scripting vulnerability in PHPwind 9.1.0

PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file.

4.3
2019-07-09 CVE-2019-9148 Mailvelope Improper Certificate Validation vulnerability in Mailvelope

Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification.

4.3
2019-07-09 CVE-2019-9147 Mailvelope Improper Restriction of Rendered UI Layers or Frames vulnerability in Mailvelope

Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page.

4.3
2019-07-09 CVE-2019-13380 Keynto Cross-site Scripting vulnerability in Keynto Team Password Manager 1.5.0

KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from websites is mishandled in the online vault.

4.3
2019-07-09 CVE-2019-8920 Apachefriends Cross-site Scripting vulnerability in Apachefriends Xampp 1.7.0

iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569.

4.3
2019-07-09 CVE-2019-13454 Imagemagick
Debian
Canonical
Opensuse
Divide By Zero vulnerability in multiple products

ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.

4.3
2019-07-09 CVE-2018-14833 Intuit Improper Access Control vulnerability in Intuit Lacerte

Intuit Lacerte 2017 has Incorrect Access Control.

4.3
2019-07-08 CVE-2019-12927 Mailenable Cross-site Scripting vulnerability in Mailenable

MailEnable Enterprise Premium 10.23 was vulnerable to stored and reflected cross-site scripting (XSS) attacks.

4.3
2019-07-08 CVE-2019-12923 Mailenable Cross-Site Request Forgery (CSRF) vulnerability in Mailenable

In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request.

4.3
2019-07-08 CVE-2019-12930 Wikindx Project Cross-site Scripting vulnerability in Wikindx Project Wikindx

A cross-site scripting (XSS) vulnerability in noMenu() and noSubMenu() in core/navigation/MENU.php in WIKINDX prior to version 5.8.1 allows remote attackers to inject arbitrary web script or HTML via the method parameter.

4.3
2019-07-08 CVE-2019-12171 Dropbox Use of a Broken or Risky Cryptographic Algorithm vulnerability in Dropbox 71.4.108.0

Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation.

4.3
2019-07-08 CVE-2019-13399 Fortinet Use of Hard-coded Credentials vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0

Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation.

4.3
2019-07-12 CVE-2019-11360 Netfilter Out-of-bounds Write vulnerability in Netfilter Iptables 1.8.2

A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file.

4.2
2019-07-12 CVE-2019-12827 Digium Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Digium Asterisk and Certified Asterisk

Buffer overflow in res_pjsip_messaging in Digium Asterisk versions 13.21-cert3, 13.27.0, 15.7.2, 16.4.0 and earlier allows remote authenticated users to crash Asterisk by sending a specially crafted SIP MESSAGE message.

4.0
2019-07-11 CVE-2019-11268 Pivotal Software Information Exposure vulnerability in Pivotal Software Cloud Foundry Uaa-Release

Cloud Foundry UAA versions prior to 73.3.0 contain endpoints with improper escaping.

4.0
2019-07-10 CVE-2019-12470 Mediawiki, Debian Missing Authorization vulnerability in multiple products

Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control.

4.0
2019-07-10 CVE-2019-12469 Mediawiki, Debian Missing Authorization vulnerability in multiple products

MediaWiki through 1.32.1 has Incorrect Access Control.

4.0
2019-07-10 CVE-2018-19582 Gitlab Authorization Bypass Through User-Controlled Key vulnerability in Gitlab

GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user.

4.0
2019-07-10 CVE-2018-19578 Gitlab Improper Authorization vulnerability in Gitlab 11.5.0

GitLab EE, version 11.5 before 11.5.1, is vulnerable to an insecure object reference issue that permits a user with Reporter privileges to view the Jaeger Tracing Operations page.

4.0
2019-07-10 CVE-2018-19575 Gitlab Authorization Bypass Through User-Controlled Key vulnerability in Gitlab

GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an insecure direct object reference issue that allows a user to make comments on a locked issue.

4.0
2019-07-10 CVE-2018-19496 Gitlab Improper Access Control vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1.

4.0
2019-07-10 CVE-2018-19495 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1.

4.0
2019-07-10 CVE-2018-19494 Gitlab Improper Access Control vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1.

4.0
2019-07-10 CVE-2018-14831 Damicms Information Exposure vulnerability in Damicms 6.0.0

An arbitrary file read vulnerability in DamiCMS v6.0.0 allows remote authenticated administrators to read any file on the server via a crafted /admin.php?s=Tpl/Add/id/ URI.

4.0

17 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-12 CVE-2019-13161 Digium, Debian NULL Pointer Dereference vulnerability in multiple products

An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3.

3.5
2019-07-12 CVE-2019-1010310 Glpi Project Injection vulnerability in Glpi-Project Glpi 9.3.1

GLPI 9.3.1 is affected by frame and form tag injection, allowing admins to phish users by putting code in a reminder description.

3.5
2019-07-11 CVE-2019-13029 Vanderbilt Cross-site Scripting vulnerability in Vanderbilt Redcap

Multiple stored cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.

3.5
2019-07-11 CVE-2019-1010003 Leanote Cross-site Scripting vulnerability in Leanote

Leanote prior to version 2.6 is affected by cross-site scripting (XSS).

3.5
2019-07-10 CVE-2019-0318 SAP Unspecified vulnerability in SAP Netweaver Application Server Java

Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted.

3.5
2019-07-10 CVE-2018-19579 Gitlab Cross-site Scripting vulnerability in Gitlab 11.5.0

GitLab EE version 11.5 is vulnerable to persistent XSS in the Operations page.

3.5
2019-07-10 CVE-2018-17147 Nagios Cross-site Scripting vulnerability in Nagios XI

Nagios XI before 5.5.4 has XSS in the auto login admin management page.

3.5
2019-07-09 CVE-2019-13070 Cyberpowersystems Cross-site Scripting vulnerability in Cyberpowersystems Powerpanel 3.4.0

A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form.

3.5
2019-07-10 CVE-2019-5221 Huawei Path Traversal vulnerability in Huawei Mate 20 X Firmware

There is a path traversal vulnerability on Huawei Share.

3.3
2019-07-11 CVE-2019-3415 ZTE Path Traversal vulnerability in ZTE Zxmw Nr8000 Firmware 2.4.4.03/2.4.4.04

ZTE MW NR8000V2.4.4.03 and NR8000V2.4.4.04 are impacted by a path traversal vulnerability.

2.7
2019-07-10 CVE-2019-5220 Huawei Incorrect Authorization vulnerability in Huawei products

There is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones.

2.1
2019-07-09 CVE-2018-15738 Stopzilla Improper Input Validation vulnerability in Stopzilla Antimalware 6.5.2.59

An issue was discovered in STOPzilla AntiMalware 6.5.2.59.

2.1
2019-07-08 CVE-2019-2119 Google Information Exposure vulnerability in Google Android 8.0/8.1/9.0

In multiple functions of key_store_service.cpp, there is a possible Information Disclosure due to improper locking.

2.1
2019-07-08 CVE-2019-2118 Google Information Exposure vulnerability in Google Android 8.0/8.1/9.0

In various functions of Parcel.cpp, there are uninitialized or partially initialized stack variables.

2.1
2019-07-08 CVE-2019-2117 Google Information Exposure vulnerability in Google Android

In checkQueryPermission of TelephonyProvider.java, there is a possible disclosure of secure data due to a missing permission check.

2.1
2019-07-08 CVE-2019-2113 Google Unspecified vulnerability in Google Android 9.0

In the setup wizard, there is a bypass of some checks when the Wi-Fi connection step is skipped.

2.1
2019-07-08 CVE-2019-2104 Google Information Exposure vulnerability in Google Android 8.0/8.1/9.0

In HIDL, safe_union, and other C++ structs/unions being sent to application processes, there are uninitialized fields.

2.1