Weekly Vulnerabilities Reports > July 8 to 14, 2019
Overview
262 new vulnerabilities were reported during this period, including 31 critical vulnerabilities and 52 high severity vulnerabilities. This weekly summary reports vulnerabilities in 279 products from 132 vendors including Debian, Gitlab, Google, Canonical, and SAP. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "OS Command Injection", "Information Exposure", and "Improper Access Control".
- 222 reported vulnerabilities are remotely exploitable.
- 4 reported vulnerabilities have a public exploit available.
- 121 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 195 reported vulnerabilities are exploitable by an anonymous user.
- Debian has the most reported vulnerabilities, with 26 reported vulnerabilities.
- Fedoraproject has the most reported critical vulnerabilities, with 4 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report:
31 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-07-14 | CVE-2019-13598 | Getvera | OS Command Injection vulnerability in Getvera Vera Edge Firmware 1.7.4452: LuaUPnP in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via the code parameter to /port_3480/data_request because the "No unsafe lua allowed" code block is skipped. | 10.0 |
2019-07-11 | CVE-2019-10970 | Rockwellautomation | Improper Access Control vulnerability in Rockwellautomation Panelview 5510 Firmware: In Rockwell Automation PanelView 5510 (all versions manufactured before March 13, 2019 that have never been updated to v4.003, v5.002, or later), a remote, unauthenticated threat actor with access to an affected PanelView 5510 Graphic Display, upon successful exploit, may boot up the terminal and gain root-level access to the device's file system. | 10.0 |
2019-07-11 | CVE-2019-7003 | Avaya | SQL Injection vulnerability in Avaya Control Manager: A SQL injection vulnerability in the reporting component of Avaya Control Manager could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other users on the system. | 10.0 |
2019-07-11 | CVE-2019-13561 | Dlink | OS Command Injection vulnerability in Dlink Dir-655 Firmware 3.02B05: D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to execute arbitrary commands via shell metacharacters in the online_firmware_check.cgi check_fw_url parameter. | 10.0 |
2019-07-10 | CVE-2019-13278 | Trendnet | OS Command Injection vulnerability in Trendnet Tew-827Dru Firmware: TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains multiple command injections when processing user input for the setup wizard, allowing an unauthenticated user to run arbitrary commands on the device. | 10.0 |
2019-07-09 | CVE-2019-3950 | Arlo | Use of Hard-coded Credentials vulnerability in Arlo products: Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded username and password combination that allows root access to the device when an onboard serial interface is connected to. | 10.0 |
2019-07-11 | CVE-2019-12525 | Squid Cache Debian Opensuse Fedoraproject Canonical | Out-of-bounds Write vulnerability in multiple products: An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. | 9.8 |
2019-07-11 | CVE-2019-11062 | SUN NET | OS Command Injection vulnerability in Sun.Net Wmpro 5.0/5.1: The SUNNET WMPro v5.0 and v5.1 for eLearning system has OS Command Injection via "/teach/course/doajaxfileupload.php". | 9.8 |
2019-07-11 | CVE-2019-12838 | Schedmd Debian Fedoraproject Opensuse | SQL Injection vulnerability in multiple products: SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL Injection. | 9.8 |
2019-07-10 | CVE-2019-12803 | Hunesion | Unrestricted Upload of File with Dangerous Type vulnerability in Hunesion I-Onenet: In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, the specific upload web module doesn't verify the file extension and type, and an attacker can upload a webshell. | 9.8 |
2019-07-10 | CVE-2019-13132 | Zeromq Debian Canonical Fedoraproject | Out-of-bounds Write vulnerability in multiple products: In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. | 9.8 |
2019-07-10 | CVE-2017-12652 | Libpng Netapp | Improper Input Validation vulnerability in multiple products: libpng before 1.6.32 does not properly check the length of chunks against the user limit. | 9.8 |
2019-07-10 | CVE-2019-13224 | Oniguruma Project PHP Fedoraproject Debian Canonical | Use After Free vulnerability in multiple products: A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. | 9.8 |
2019-07-10 | CVE-2018-14496 | Vivotek | Out-of-bounds Write vulnerability in Vivotek Fd8136 Firmware 0301A: Vivotek FD8136 devices allow remote memory corruption and remote code execution because of a stack-based buffer overflow, related to sprintf, vlocal_buff_4326, and set_getparam.cgi. | 9.8 |
2019-07-10 | CVE-2018-14495 | Vivotek | OS Command Injection vulnerability in Vivotek Fd8136 Firmware 0301A: Vivotek FD8136 devices allow Remote Command Injection, aka "another command injection vulnerability in our target device," a different issue than CVE-2018-14494. | 9.8 |
2019-07-10 | CVE-2018-14494 | Vivotek | OS Command Injection vulnerability in Vivotek Fd8136 Firmware 0301A: Vivotek FD8136 devices allow Remote Command Injection, related to BusyBox and wget. | 9.8 |
2019-07-09 | CVE-2019-13478 | Yoast | Cross-site Scripting vulnerability in Yoast SEO: The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions. | 9.8 |
2019-07-09 | CVE-2018-11307 | Fasterxml Redhat Oracle | Deserialization of Untrusted Data vulnerability in multiple products: An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. | 9.8 |
2019-07-08 | CVE-2019-13413 | Boiteasite | SQL Injection vulnerability in Boiteasite Rencontre: The Rencontre plugin before 3.1.3 for WordPress allows SQL Injection via inc/rencontre_widget.php. | 9.8 |
2019-07-09 | CVE-2019-11991 | HP | Information Exposure vulnerability in HP 3Par Service Processor Firmware: HPE has identified a vulnerability in HPE 3PAR Service Processor (SP) version 4.1 through 4.4. | 9.7 |
2019-07-11 | CVE-2019-12574 | Londontrustmedia Microsoft | Untrusted Search Path vulnerability in Londontrustmedia Private Internet Access VPN Client 1.0: A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v1.0 for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. | 9.3 |
2019-07-08 | CVE-2019-2109 | Google | Out-of-bounds Write vulnerability in Google Android: In MakeMPEG4VideoCodecSpecificData of AVIExtractor.cpp, there is a possible out of bounds write due to an incorrect bounds check. | 9.3 |
2019-07-08 | CVE-2019-2107 | Google | Out-of-bounds Write vulnerability in Google Android: In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out of bounds write due to a missing bounds check. | 9.3 |
2019-07-08 | CVE-2019-2106 | Google | Out-of-bounds Write vulnerability in Google Android: In ihevcd_sao_shift_ctb of ihevcd_sao.c, there is a possible out of bounds write due to a missing bounds check. | 9.3 |
2019-07-10 | CVE-2019-0330 | SAP | Code Injection vulnerability in SAP Diagnostics Agent 7.20: The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostic Agent (LM-Service), version 7.2, allow an attacker to inject code that can be executed by the application. | 9.1 |
2019-07-11 | CVE-2018-19588 | Alarm | Improper Access Control vulnerability in Alarm Adc-V522Ir Firmware 0100B9: Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control. | 9.0 |
2019-07-10 | CVE-2019-13482 | Dlink | OS Command Injection vulnerability in Dlink Dir-818Lw Firmware 2.06: An issue was discovered on D-Link DIR-818LW devices with firmware 2.06betab01. | 9.0 |
2019-07-10 | CVE-2019-13481 | Dlink | OS Command Injection vulnerability in Dlink Dir-818Lw Firmware 2.06: An issue was discovered on D-Link DIR-818LW devices with firmware 2.06betab01. | 9.0 |
2019-07-10 | CVE-2019-0328 | SAP | OS Command Injection vulnerability in SAP Netweaver Process Integration: ABAP Tests Modules (SAP Basis, versions 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) of SAP NetWeaver Process Integration enable an attacker to execute OS commands with privileged rights. | 9.0 |
2019-07-08 | CVE-2019-10973 | Quest | Improper Input Validation vulnerability in Quest Kace Systems Management Appliance: Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface. | 9.0 |
2019-07-08 | CVE-2019-13398 | Fortinet | OS Command Injection vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0: Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrl_save_profile.cgi (save parameter) and cgi-bin/ddns.cgi. | 9.0 |
52 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-07-11 | CVE-2018-17196 | Apache | Unspecified vulnerability in Apache Kafka: In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. | 8.8 |
2019-07-11 | CVE-2019-12527 | Squid Cache Fedoraproject Debian Canonical Redhat | Out-of-bounds Write vulnerability in multiple products: An issue was discovered in Squid 4.0.23 through 4.7. | 8.8 |
2019-07-11 | CVE-2019-10351 | Jenkins | Cleartext Storage of Sensitive Information vulnerability in Jenkins Caliper CI 2.3: Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | 8.8 |
2019-07-11 | CVE-2019-10350 | Jenkins | Cleartext Storage of Sensitive Information vulnerability in Jenkins Port Allocator: Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | 8.8 |
2019-07-11 | CVE-2019-10348 | Jenkins | Cleartext Storage of Sensitive Information vulnerability in Jenkins Gogs: Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | 8.8 |
2019-07-11 | CVE-2019-10347 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Mashup Portlets: Jenkins Mashup Portlets Plugin stored credentials unencrypted on the Jenkins master where they can be viewed by users with access to the master file system. | 8.8 |
2019-07-11 | CVE-2019-10340 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Docker: A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 8.8 |
2019-07-10 | CVE-2018-14550 | Libpng Oracle Netapp | Out-of-bounds Write vulnerability in multiple products: An issue has been found in third-party PNM decoding associated with libpng 1.6.35. | 8.8 |
2019-07-09 | CVE-2019-12747 | Typo3 | Deserialization of Untrusted Data vulnerability in Typo3: TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. | 8.8 |
2019-07-14 | CVE-2019-13602 | Videolan Debian Canonical Opensuse | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products: An Integer Underflow in MP4_EIA608_Convert() in modules/demux/mp4/mp4.c in VideoLAN VLC media player through 3.0.7.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and crash) or possibly have unspecified other impact via a crafted .mp4 file. | 7.8 |
2019-07-11 | CVE-2019-11133 | Intel | Unspecified vulnerability in Intel Processor Diagnostic Tool: Improper access control in the Intel(R) Processor Diagnostic Tool before version 4.1.2.24 may allow an authenticated user to potentially enable escalation of privilege, information disclosure or denial of service via local access. | 7.8 |
2019-07-11 | CVE-2019-0053 | Juniper Debian | Out-of-bounds Write vulnerability in multiple products: Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS. | 7.8 |
2019-07-11 | CVE-2019-0052 | Juniper | Resource Exhaustion vulnerability in Juniper Junos: The srxpfe process may crash on SRX Series services gateways when the UTM module processes a specific fragmented HTTP packet. | 7.8 |
2019-07-10 | CVE-2019-1873 | Cisco | Improper Input Validation vulnerability in Cisco products: A vulnerability in the cryptographic driver for Cisco Adaptive Security Appliance Software (ASA) and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reboot unexpectedly. | 7.8 |
2019-07-09 | CVE-2019-11890 | Sony | Resource Exhaustion vulnerability in Sony Bravia Firmware: Sony Bravia Smart TV devices allow remote attackers to cause a denial of service (device hang or reboot) via a SYN flood attack over a wired or Wi-Fi LAN. | 7.8 |
2019-07-09 | CVE-2019-11889 | Sony | Unspecified vulnerability in Sony Bravia Firmware: Sony BRAVIA Smart TV devices allow remote attackers to cause a denial of service (device hang) via a crafted web page over HbbTV. | 7.8 |
2019-07-08 | CVE-2019-13404 | Python | Files or Directories Accessible to External Parties vulnerability in Python: The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. | 7.8 |
2019-07-10 | CVE-2018-19571 | Gitlab | Server-Side Request Forgery (SSRF) vulnerability in Gitlab: GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks. | 7.7 |
2019-07-14 | CVE-2019-13597 | Sahipro | OS Command Injection vulnerability in Sahipro Sahi PRO 8.0.0: _s_/sprm/_s_/dyn/Player_setScriptFile in Sahi Pro 8.0.0 allows command execution. | 7.5 |
2019-07-14 | CVE-2019-13589 | Anjlab | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Anjlab Paranoid2 1.1.6: The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. | 7.5 |
2019-07-12 | CVE-2019-13027 | Realization | SQL Injection vulnerability in Realization Concerto Critical Chain Planner 5.10.8071: Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has SQL Injection in at least the taskupdt/taskdetails.aspx webpage via the projectname parameter. | 7.5 |
2019-07-11 | CVE-2019-12751 | Symantec | Unspecified vulnerability in Symantec Message Gateway: Symantec Messaging Gateway, prior to 10.7.1, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | 7.5 |
2019-07-11 | CVE-2019-4193 | IBM | Information Exposure vulnerability in IBM Jazz for Service Management: IBM Jazz for Service Management 1.1.3 and 1.1.3.2 stores sensitive information in URL parameters. | 7.5 |
2019-07-11 | CVE-2019-10651 | Ivanti | Unspecified vulnerability in Ivanti Endpoint Manager 2017.3/2018.1/2018.3: An issue was discovered in the Core Server in Ivanti Endpoint Manager (EPM) 2017.3 before SU7 and 2018.x before 2018.3 SU3, with remote code execution. | 7.5 |
2019-07-11 | CVE-2019-13507 | Hidea | SQL Injection vulnerability in Hidea AZ Admin 1.0: hidea.com AZ Admin 1.0 has news_det.php?cod= SQL Injection. | 7.5 |
2019-07-11 | CVE-2019-13503 | Cesanta | Out-of-bounds Read vulnerability in Cesanta Mongoose 6.15: mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer over-read. | 7.5 |
2019-07-10 | CVE-2019-13489 | Trape Project | SQL Injection vulnerability in Trape Project Trape 20190508: Trape through 2019-05-08 has SQL injection via the data[2] variable in core/db.py, as demonstrated by the /bs t parameter. | 7.5 |
2019-07-10 | CVE-2019-13279 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-827Dru Firmware: TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains multiple stack-based buffer overflows when processing user input for the setup wizard, allowing an unauthenticated user to execute arbitrary code. | 7.5 |
2019-07-10 | CVE-2019-13276 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-827Dru Firmware: TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains a stack-based buffer overflow in the ssi binary. | 7.5 |
2019-07-10 | CVE-2019-12468 | Mediawiki Debian | Missing Authentication for Critical Function vulnerability in multiple products: An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. | 7.5 |
2019-07-10 | CVE-2019-10653 | Hsycms | SQL Injection vulnerability in Hsycms 1.1: An issue was discovered in Hsycms V1.1. | 7.5 |
2019-07-10 | CVE-2019-12723 | Teclib Edition | SQL Injection vulnerability in Teclib-Edition Fields: An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. | 7.5 |
2019-07-10 | CVE-2019-10122 | EQ 3 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware: eQ-3 HomeMatic CCU2 devices before 2.41.9 and CCU3 devices before 3.43.16 have buffer overflows in the ReGa ise GmbH HTTP-Server 2.0 component, aka HMCCU-179. | 7.5 |
2019-07-10 | CVE-2019-10121 | EQ 3 | Missing Authentication for Critical Function vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware: eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.15 use session IDs for authentication but lack authorization checks. | 7.5 |
2019-07-10 | CVE-2019-10119 | EQ 3 | Missing Authentication for Critical Function vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware: eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. | 7.5 |
2019-07-09 | CVE-2019-13470 | Matrixssl | Out-of-bounds Read vulnerability in Matrixssl: MatrixSSL before 4.2.1 has an out-of-bounds read during ASN.1 handling. | 7.5 |
2019-07-09 | CVE-2019-11512 | Contao | SQL Injection vulnerability in Contao: Contao 4.x allows SQL Injection. | 7.5 |
2019-07-09 | CVE-2019-3949 | Arlo | Configuration vulnerability in Arlo products: Arlo Basestation firmware 1.12.0.1_27940 and prior firmware contain a networking misconfiguration that allows access to restricted network interfaces. | 7.5 |
2019-07-08 | CVE-2019-9629 | Sonatype | Improper Authentication vulnerability in Sonatype Nexus Repository Manager: Sonatype Nexus Repository Manager before 3.17.0 establishes a default administrator user with weak defaults (fixed credentials). | 7.5 |
2019-07-08 | CVE-2019-2111 | Google | Use After Free vulnerability in Google Android 9.0: In loop of DnsTlsSocket.cpp, there is a possible heap memory corruption due to a use after free. | 7.5 |
2019-07-08 | CVE-2019-13354 | Strong Password Project | Code Injection vulnerability in Strong Password Project Strong Password 0.0.7: The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. | 7.5 |
2019-07-13 | CVE-2019-5629 | Rapid7 | Uncontrolled Search Path Element vulnerability in Rapid7 Insight Agent: Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path. | 7.2 |
2019-07-12 | CVE-2019-12731 | Mikogo Microsoft | Improper Privilege Management vulnerability in Mikogo: The Windows versions of Snapview Mikogo, versions before 5.10.2, are affected by insecure implementations which allow local attackers to escalate privileges. | 7.2 |
2019-07-11 | CVE-2019-12579 | Londontrustmedia | OS Command Injection vulnerability in Londontrustmedia Private Internet Access VPN Client 82: A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges. | 7.2 |
2019-07-11 | CVE-2019-12578 | Londontrustmedia Linux | Argument Injection or Modification vulnerability in Londontrustmedia Private Internet Access VPN Client 82: A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges. | 7.2 |
2019-07-11 | CVE-2019-12577 | Londontrustmedia | Incorrect Permission Assignment for Critical Resource vulnerability in Londontrustmedia Private Internet Access VPN Client 82: A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges. | 7.2 |
2019-07-11 | CVE-2019-12576 | Londontrustmedia | Untrusted Search Path vulnerability in Londontrustmedia Private Internet Access VPN Client 82: A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges. | 7.2 |
2019-07-11 | CVE-2019-12575 | Londontrustmedia Linux | Uncontrolled Search Path Element vulnerability in Londontrustmedia Private Internet Access VPN Client 82: A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges. | 7.2 |
2019-07-11 | CVE-2019-10135 | Osbs Client Project | Deserialization of Untrusted Data vulnerability in Osbs-Client Project Osbs-Client: A flaw was found in the yaml.load() function in the osbs-client versions since 0.46 before 0.56.1. | 7.2 |
2019-07-10 | CVE-2019-5446 | UI | Command Injection vulnerability in UI Edgeswitch Firmware 1.7.3: Command Injection in EdgeMAX EdgeSwitch prior to 1.8.2 allows an Admin user to execute commands as root. | 7.2 |
2019-07-08 | CVE-2019-2112 | Google | Use After Free vulnerability in Google Android 8.0/8.1/9.0: In several functions of alarm.cc, there is possible memory corruption due to a use after free. | 7.2 |
2019-07-08 | CVE-2019-12174 | Hide | Missing Authentication for Critical Function vulnerability in Hide Hide.Me: hide.me before 2.4.4 on macOS suffers from a privilege escalation vulnerability in the connectWithExecutablePath:configFilePath:configFileName method of the me_hide_vpnhelper.Helper class in the me.hide.vpnhelper macOS privilege helper tool. | 7.2 |
162 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-07-14 | CVE-2019-13594 | Mirumee | Cross-Site Request Forgery (CSRF) vulnerability in Mirumee Saleor 2.7.0: In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server. | 6.8 |
2019-07-12 | CVE-2019-13567 | Zoom | OS Command Injection vulnerability in Zoom: The Zoom Client before 4.4.53932.0709 on macOS allows remote code execution, a different vulnerability than CVE-2019-13450. | 6.8 |
2019-07-12 | CVE-2019-13494 | Castlerock | Out-of-bounds Write vulnerability in Castlerock Simple Network Management Protocol Console: nodeimp.exe in Castle Rock SNMPc before 9.0.12.1 and 10.x before 10.0.9 has a stack-based buffer overflow via a long variable string in a Map Objects text file. | 6.8 |
2019-07-12 | CVE-2019-13574 | Minimagick Project Debian | OS Command Injection vulnerability in multiple products: In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command. | 6.8 |
2019-07-11 | CVE-2018-18095 | Intel | Improper Authentication vulnerability in Intel SSD DC S4500 Firmware and SSD DC S4600 Firmware: Improper authentication in firmware for Intel(R) SSD DC S4500 Series and Intel(R) SSD DC S4600 Series before SCV10150 may allow an unprivileged user to potentially enable escalation of privilege via physical access. | 6.8 |
2019-07-11 | CVE-2019-13563 | Dlink | Cross-Site Request Forgery (CSRF) vulnerability in Dlink Dir-655 Firmware 3.02B05: D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console. | 6.8 |
2019-07-11 | CVE-2019-12363 | Mybb 2FA Project | Cross-Site Request Forgery (CSRF) vulnerability in Mybb-2Fa Project Mybb-2Fa 20141105: A CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. | 6.8 |
2019-07-11 | CVE-2018-11744 | Cloudera | Improper Access Control vulnerability in Cloudera Manager: Cloudera Manager through 5.15 has Incorrect Access Control. | 6.8 |
2019-07-10 | CVE-2019-12466 | Mediawiki Debian | Cross-Site Request Forgery (CSRF) vulnerability in multiple products: Wikimedia MediaWiki through 1.32.1 allows CSRF. | 6.8 |
2019-07-10 | CVE-2019-13071 | Cyberpowersystems | Cross-Site Request Forgery (CSRF) vulnerability in Cyberpowersystems Powerpanel 3.4.0: CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. | 6.8 |
2019-07-10 | CVE-2018-12628 | Eventum Project | Cross-Site Request Forgery (CSRF) vulnerability in Eventum Project Eventum: An issue was discovered in Eventum 3.5.0. | 6.8 |
2019-07-09 | CVE-2019-13475 | Mobatek | Argument Injection or Modification vulnerability in Mobatek Mobaxterm 11.1: In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL. | 6.8 |
2019-07-08 | CVE-2019-2105 | Google | Use of Uninitialized Resource vulnerability in Google Android: In FileInputStream::Read of file_input_stream.cc, there is a possible memory corruption due to uninitialized data. | 6.8 |
2019-07-08 | CVE-2019-13401 | Fortinet | Cross-Site Request Forgery (CSRF) vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0: Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/. | 6.8 |
2019-07-11 | CVE-2019-12573 | Londontrustmedia | Link Following vulnerability in Londontrustmedia Private Internet Access VPN Client 82: A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files. | 6.6 |
2019-07-11 | CVE-2019-12571 | Londontrustmedia | Link Following vulnerability in Londontrustmedia Private Internet Access VPN Client 0.9.8: A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files. | 6.6 |
2019-07-09 | CVE-2019-13142 | Razer | Incorrect Permission Assignment for Critical Resource vulnerability in Razer Surround 1.1.63.0: The RzSurroundVADStreamingService (RzSurroundVADStreamingService.exe) in Razer Surround 1.1.63.0 runs as the SYSTEM user using an executable located in %PROGRAMDATA%\Razer\Synapse\Devices\Razer Surround\Driver\. | 6.6 |
2019-07-11 | CVE-2019-10935 | Siemens | Unrestricted Upload of File with Dangerous Type vulnerability in Siemens Simatic PCS 7, Simatic Wincc and Simatic Wincc Runtime: A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd 11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC Professional (TIA Portal V13) (All versions), SIMATIC WinCC Professional (TIA Portal V14) (All versions < V14 SP1 Upd 9), SIMATIC WinCC Professional (TIA Portal V15) (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3). | 6.5 |
2019-07-11 | CVE-2019-10193 | Redislabs Redhat Debian Canonical Oracle | Out-of-bounds Write vulnerability in multiple products: A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. | 6.5 |
2019-07-11 | CVE-2019-10192 | Redislabs Redhat Debian Canonical Oracle | Out-of-bounds Write vulnerability in multiple products: A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. | 6.5 |
2019-07-11 | CVE-2019-10341 | Jenkins | Missing Authorization vulnerability in Jenkins Docker: A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |
2019-07-11 | CVE-2019-13504 | Exiv2 Debian | Out-of-bounds Read vulnerability in multiple products: There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp in Exiv2 through 0.27.2. | 6.5 |
2019-07-10 | CVE-2019-0327 | SAP | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Netweaver Application Server Java: SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation. | 6.5 |
2019-07-10 | CVE-2018-19583 | Gitlab | Information Exposure Through Log Files vulnerability in Gitlab: GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user's token. | 6.5 |
2019-07-10 | CVE-2018-19569 | Gitlab | Improper Authorization vulnerability in Gitlab: GitLab CE/EE, versions 8.8 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an authorization vulnerability that allows access to the web-UI as a user using a Personal Access Token of any scope. | 6.5 |
2019-07-10 | CVE-2019-13225 | Oniguruma Project Fedoraproject | NULL Pointer Dereference vulnerability in multiple products: A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. | 6.5 |
2019-07-10 | CVE-2018-20851 | Helpy IO | Unspecified vulnerability in Helpy.Io Helpy: Helpy before 2.2.0 allows agents to edit admins. | 6.5 |
2019-07-10 | CVE-2019-10120 | EQ 3 | Session Fixation vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware: On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka HMCCU-154. | 6.5 |
2019-07-09 | CVE-2019-13280 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-827Dru Firmware: TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains a stack-based buffer overflow while returning an error message to the user about failure to resolve a hostname during a ping or traceroute attempt. | 6.5 |
2019-07-09 | CVE-2019-13450 | Ringcentral Zoom | Missing Authorization vulnerability in multiple products: In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. | 6.5 |
2019-07-09 | CVE-2019-13449 | Zoom | Improper Input Validation vulnerability in Zoom: In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421. | 6.5 |
2019-07-08 | CVE-2019-12926 | Mailenable | Missing Authorization vulnerability in Mailenable: MailEnable Enterprise Premium 10.23 did not use appropriate access control checks in a number of areas. | 6.5 |
2019-07-08 | CVE-2019-12925 | Mailenable | Path Traversal vulnerability in Mailenable: MailEnable Enterprise Premium 10.23 was vulnerable to multiple directory traversal issues, with which authenticated users could add, remove, or potentially read files in arbitrary folders accessible by the IIS user. | 6.5 |
2019-07-08 | CVE-2019-13402 | Fortinet | Improper Cross-boundary Removal of Sensitive Data vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0: /usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactorydefault.cgi on Dynacolor FCM-MB40 v1.2.0.0 devices implement an incomplete factory-reset process. | 6.5 |
2019-07-11 | CVE-2019-10930 | Siemens | Unrestricted Upload of File with Dangerous Type vulnerability in Siemens products A vulnerability has been identified in All other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions), DIGSI 5 engineering software (All versions < V7.90), SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87 and 7VE85 with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions < V7.90), SIPROTEC 5 device types 7SS85 and 7KE85 (All versions < V8.01), SIPROTEC 5 device types with CPU variants CP200 and the respective Ethernet communication modules (All versions). | 6.4 |
2019-07-10 | CVE-2018-19576 | Gitlab | Improper Access Control vulnerability in Gitlab GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue, after the issue was made Confidential. | 6.4 |
2019-07-09 | CVE-2019-9149 | Mailvelope | Incorrect Authorization vulnerability in Mailvelope Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. | 6.4 |
2019-07-11 | CVE-2019-0046 | Juniper | Resource Exhaustion vulnerability in Juniper Junos A vulnerability in the pfe-chassisd Chassis Manager (CMLC) daemon of Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) to the EX4300 when specific valid broadcast packets create a broadcast storm condition when received on the me0 interface of the EX4300 Series device. | 6.1 |
2019-07-11 | CVE-2014-3798 | Citrix | Improper Input Validation vulnerability in Citrix Xenserver The Windows Guest Tools in Citrix XenServer 6.2 SP1 and earlier allows remote attackers to cause a denial of service (guest OS crash) via a crafted Ethernet frame. | 6.1 |
2019-07-11 | CVE-2019-13564 | Pingidentity | Cross-site Scripting vulnerability in Pingidentity Agentless Integration KIT XSS exists in Ping Identity Agentless Integration Kit before 1.5. | 6.1 |
2019-07-11 | CVE-2019-12597 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Assetexplorer 6.5 An issue was discovered in Zoho ManageEngine AssetExplorer. | 6.1 |
2019-07-11 | CVE-2019-12596 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Assetexplorer 6.5 An issue was discovered in Zoho ManageEngine AssetExplorer. | 6.1 |
2019-07-11 | CVE-2019-12595 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Assetexplorer 6.5 An issue was discovered in Zoho ManageEngine AssetExplorer. | 6.1 |
2019-07-11 | CVE-2019-12537 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Assetexplorer 6.5 An issue was discovered in Zoho ManageEngine AssetExplorer. | 6.1 |
2019-07-11 | CVE-2019-10346 | Jenkins | Cross-site Scripting vulnerability in Jenkins Embeddable Build Status A reflected cross site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers to inject arbitrary HTML and JavaScript into the response of this plugin. | 6.1 |
2019-07-11 | CVE-2019-13505 | Dwbooster | Cross-site Scripting vulnerability in Dwbooster Appointment Hour Booking 1.1.44 The Appointment Hour Booking plugin 1.1.44 for WordPress allows XSS via the E-mail field, as demonstrated by email_1. | 6.1 |
2019-07-10 | CVE-2019-0321 | SAP | Cross-site Scripting vulnerability in SAP products ABAP Server and ABAP Platform (SAP Basis), versions 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2019-07-09 | CVE-2019-13397 | Enhancesoft | Cross-site Scripting vulnerability in Enhancesoft Osticket 1.10.1 Unauthenticated Stored XSS in osTicket 1.10.1 allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via arbitrary file extension while creating a support ticket. | 6.1 |
2019-07-09 | CVE-2019-12748 | Typo3 | Cross-site Scripting vulnerability in Typo3 TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. | 6.1 |
2019-07-08 | CVE-2019-13414 | Boiteasite | Cross-site Scripting vulnerability in Boiteasite Rencontre The Rencontre plugin before 3.1.3 for WordPress allows XSS via inc/rencontre_widget.php. | 6.1 |
2019-07-11 | CVE-2019-12529 | Squid Cache Debian Fedoraproject Opensuse Canonical | Out-of-bounds Read vulnerability in multiple products An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. | 5.9 |
2019-07-10 | CVE-2019-11650 | Microfocus | Unspecified vulnerability in Microfocus Netiq Advanced Authentication A potential Man in the Middle attack (MITM) was found in NetIQ Advanced Authentication Framework versions prior to 6.0. | 5.9 |
2019-07-14 | CVE-2019-13590 | Sound Exchange Project | NULL Pointer Dereference vulnerability in Sound Exchange Project Sound Exchange 14.4.2 An issue was discovered in libsox.a in SoX 14.4.2. | 5.5 |
2019-07-11 | CVE-2019-1010319 | Wavpack Fedoraproject Canonical Debian | Use of Uninitialized Resource vulnerability in multiple products WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. | 5.5 |
2019-07-11 | CVE-2019-1010317 | Wavpack Fedoraproject Canonical Debian | Use of Uninitialized Resource vulnerability in multiple products WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. | 5.5 |
2019-07-11 | CVE-2019-1010315 | Wavpack Fedoraproject Debian Canonical | Divide By Zero vulnerability in multiple products WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. | 5.5 |
2019-07-11 | CVE-2019-10194 | Ovirt Redhat | Information Exposure Through Log Files vulnerability in multiple products Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. | 5.5 |
2019-07-11 | CVE-2018-17152 | Intersystems | XXE vulnerability in Intersystems Cache 2017.2.2.865.0/2018.1.2 Intersystems Cache 2017.2.2.865.0 allows XXE. | 5.5 |
2019-07-11 | CVE-2018-17151 | Intersystems | Improper Access Control vulnerability in Intersystems Cache 2017.2.2.865.0/2018.1.2 Intersystems Cache 2017.2.2.865.0 has Incorrect Access Control. | 5.5 |
2019-07-10 | CVE-2019-12804 | Hunesion | Insufficient Verification of Data Authenticity vulnerability in Hunesion I-Onenet In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, due to the lack of update file integrity checking in the upgrade process, an attacker can craft a malicious file and use it as an update. | 5.5 |
2019-07-09 | CVE-2019-12782 | Thoughtspot | Authorization Bypass Through User-Controlled Key vulnerability in Thoughtspot 4.4.1/4.5.1/5.1.1 An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards of another user in the application by spoofing GUIDs in pinboard update requests, effectively deleting them. | 5.5 |
2019-07-11 | CVE-2019-3889 | Redhat | Cross-site Scripting vulnerability in Redhat Openshift Container Platform A reflected XSS vulnerability exists in authorization flow of OpenShift Container Platform versions: openshift-online-3, openshift-enterprise-3.4 through 3.7 and openshift-enterprise-3.9 through 3.11. | 5.4 |
2019-07-11 | CVE-2019-10349 | Jenkins | Cross-site Scripting vulnerability in Jenkins Dependency Graph Viewer A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. | 5.4 |
2019-07-10 | CVE-2018-19574 | Gitlab | Cross-site Scripting vulnerability in Gitlab GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page. | 5.4 |
2019-07-10 | CVE-2018-19573 | Gitlab | Cross-site Scripting vulnerability in Gitlab GitLab CE/EE, versions 10.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via Mermaid. | 5.4 |
2019-07-10 | CVE-2018-19570 | Gitlab | Cross-site Scripting vulnerability in Gitlab GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags. | 5.4 |
2019-07-13 | CVE-2018-20852 | Python | Improper Input Validation vulnerability in Python http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. | 5.3 |
2019-07-11 | CVE-2018-1968 | IBM | Information Exposure vulnerability in IBM Security Identity Manager Virtual Appliance 7.0.1/7.0.1.12 IBM Security Identity Manager 7.0.1 discloses sensitive information to unauthorized users. | 5.3 |
2019-07-10 | CVE-2019-5444 | Serve Here JS Project | Path Traversal vulnerability in Serve-Here.Js Project Serve-Here.Js A path traversal vulnerability in versions up to v1.1.3 of the serve-here.js npm module allows attackers to list any file in an arbitrary folder. | 5.3 |
2019-07-10 | CVE-2018-19577 | Gitlab | Improper Access Control vulnerability in Gitlab Gitlab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an incorrect access control vulnerability that displays to an unauthorized user the title and namespace of a confidential issue. | 5.3 |
2019-07-11 | CVE-2019-10931 | Siemens | Unspecified vulnerability in Siemens products A vulnerability has been identified in All other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions), DIGSI 5 engineering software (All versions < V7.90), SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87 and 7VE85 with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions < V7.90), SIPROTEC 5 device types 7SS85 and 7KE85 (All versions < V8.01), SIPROTEC 5 device types with CPU variants CP200 and the respective Ethernet communication modules (All versions < V7.59), SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet communication modules (All versions < V7.59). | 5.0 |
2019-07-11 | CVE-2019-5528 | Vmware | Unspecified vulnerability in VMWare Esxi 6.5/6.7 VMware ESXi 6.5 suffers from partial denial of service vulnerability in hostd process. | 5.0 |
2019-07-11 | CVE-2019-4131 | IBM | Unspecified vulnerability in IBM Cloud Application Performance Management 8.1.4 IBM Application Performance Management (IBM Monitoring 8.1.4) could allow a remote attacker to induce the application to perform server-side DNS lookups of arbitrary domain names. | 5.0 |
2019-07-11 | CVE-2019-0049 | Juniper | Unspecified vulnerability in Juniper Junos On Junos devices with the BGP graceful restart helper mode enabled or the BGP graceful restart mechanism enabled, a certain sequence of BGP session restart on a remote peer that has the graceful restart mechanism enabled may cause the local routing protocol daemon (RPD) process to crash and restart. | 5.0 |
2019-07-11 | CVE-2019-0048 | Juniper | 7PK - Security Features vulnerability in Juniper Junos On EX4300 Series switches with TCAM optimization enabled, incoming multicast traffic matches an implicit loopback filter rule first, since it has high priority. | 5.0 |
2019-07-11 | CVE-2019-9886 | Eclass | Improper Access Control vulnerability in Eclass IP 2.5 Any URLs with download_attachment.php under the templates or home folders can allow arbitrary files to be downloaded without login in BroadLearning eClass before version ip.2.5.10.2.1. | 5.0 |
2019-07-11 | CVE-2019-13560 | Dlink | Credentials Management vulnerability in Dlink Dir-655 Firmware 3.02B05 D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to force a blank password via the apply_sec.cgi setup_wizard parameter. | 5.0 |
2019-07-10 | CVE-2019-0322 | SAP | Unspecified vulnerability in SAP Commerce Cloud SAP Commerce Cloud (previously known as SAP Hybris Commerce), (HY_COM, versions 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811), allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | 5.0 |
2019-07-10 | CVE-2019-0319 | SAP | Injection vulnerability in SAP Gateway and UI5 The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. | 5.0 |
2019-07-10 | CVE-2019-10966 | GE | Improper Authentication vulnerability in GE products In GE Aestiva and Aespire versions 7100 and 7900, a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms. | 5.0 |
2019-07-10 | CVE-2018-19584 | Gitlab | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups. | 5.0 |
2019-07-10 | CVE-2018-19581 | Gitlab | Improper Authorization vulnerability in Gitlab GitLab EE, versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure object reference vulnerability that allows a Guest user to set the weight of an issue they create. | 5.0 |
2019-07-10 | CVE-2018-19580 | Gitlab | Improper Input Validation vulnerability in Gitlab All versions of GitLab prior to 11.5.1, 11.4.8, and 11.3.11 do not send an email to the old email address when an email address change is made. | 5.0 |
2019-07-10 | CVE-2019-12474 | Mediawiki Debian | Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. | 5.0 |
2019-07-10 | CVE-2019-12473 | Mediawiki Debian | Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. | 5.0 |
2019-07-10 | CVE-2019-12472 | Mediawiki | Unspecified vulnerability in Mediawiki An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. | 5.0 |
2019-07-10 | CVE-2018-10531 | Americasarmy | Improper Input Validation vulnerability in Americasarmy Proving Grounds An issue was discovered in the America's Army Proving Grounds platform for the Unreal Engine. | 5.0 |
2019-07-10 | CVE-2019-12467 | Mediawiki Debian | MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). | 5.0 |
2019-07-10 | CVE-2017-7189 | PHP | Improper Input Validation vulnerability in PHP main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. | 5.0 |
2019-07-10 | CVE-2019-13396 | Getflightpath | Path Traversal vulnerability in Getflightpath Flightpath FlightPath 4.x and 5.0-x allows directory traversal and Local File Inclusion through the form_include parameter in an index.php?q=system-handle-form-submit POST request because of an include_once in system_handle_form_submit in modules/system/system.module. | 5.0 |
2019-07-09 | CVE-2019-9150 | Mailvelope | Key Management Errors vulnerability in Mailvelope Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on a web page. | 5.0 |
2019-07-09 | CVE-2019-13277 | Trendnet | Unspecified vulnerability in Trendnet Tew-827Dru Firmware TRENDnet TEW-827DRU with firmware up to and including 2.04B03 allows an unauthenticated attacker to execute setup wizard functionality, giving this attacker the ability to change configuration values, potentially leading to a denial of service. | 5.0 |
2019-07-09 | CVE-2019-13338 | Weseek | Information Exposure vulnerability in Weseek Growi In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. | 5.0 |
2019-07-09 | CVE-2019-13337 | Weseek | Authorization Bypass Through User-Controlled Key vulnerability in Weseek Growi In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). | 5.0 |
2019-07-09 | CVE-2019-13464 | Modsecurity | Unrestricted Upload of File with Dangerous Type vulnerability in Modsecurity Owasp Modsecurity Core Rule SET 3.0.2 An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. | 5.0 |
2019-07-09 | CVE-2019-13461 | Prestashop | Authorization Bypass Through User-Controlled Key vulnerability in Prestashop In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. | 5.0 |
2019-07-09 | CVE-2019-13146 | Field Test Project | Injection vulnerability in Field Test Project Field Test 0.3.0 The field_test gem 0.3.0 for Ruby has unvalidated input. | 5.0 |
2019-07-09 | CVE-2019-11020 | Ddrt | Missing Authentication for Critical Function vulnerability in Ddrt Dashcom Live Firmware 20190509 Lack of authentication in file-viewing components in DDRT Dashcom Live 2019-05-09 allows anyone to remotely access all claim details by visiting easily guessable dashboard/uploads/claim_files/claim_id_ URLs. | 5.0 |
2019-07-09 | CVE-2019-11019 | Ddrt | Missing Authentication for Critical Function vulnerability in Ddrt Dashcom Live Firmware Lack of authentication in case-exporting components in DDRT Dashcom Live through 2019-05-08 allows anyone to remotely access all claim details by visiting easily guessable exportpdf/all_claim_detail.php?claim_id= URLs. | 5.0 |
2019-07-08 | CVE-2019-12924 | Mailenable | Missing Encryption of Sensitive Data vulnerability in Mailenable MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. | 5.0 |
2019-07-08 | CVE-2019-9630 | Sonatype | Incorrect Default Permissions vulnerability in Sonatype Nexus Repository Manager Sonatype Nexus Repository Manager before 3.17.0 has a weak default of giving any unauthenticated user read permissions on the repository files and images. | 5.0 |
2019-07-08 | CVE-2019-2116 | Google | Out-of-bounds Read vulnerability in Google Android In save_attr_seq of sdp_discovery.cc, there is a possible out-of-bound read due to a missing bounds check. | 5.0 |
2019-07-08 | CVE-2019-13400 | Fortinet | Insufficiently Protected Credentials vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0 Dynacolor FCM-MB40 v1.2.0.0 use /etc/appWeb/appweb.pass to store administrative web-interface credentials in cleartext. | 5.0 |
2019-07-10 | CVE-2019-5445 | UI | Resource Exhaustion vulnerability in UI Edgeswitch Firmware 1.7.3 A DoS in EdgeMAX EdgeSwitch prior to 1.8.2 allows an Admin user to crash the SSH CLI interface by using crafted commands. | 4.9 |
2019-07-10 | CVE-2019-0325 | SAP | Missing Authorization vulnerability in SAP ERP HCM 3.0 SAP ERP HCM (SAP_HRCES), version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. | 4.9 |
2019-07-12 | CVE-2019-8998 | Blackberry | Information Exposure vulnerability in Blackberry QNX Software Development Platform 6.4.0/6.4.1/6.5.0 An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space. | 4.6 |
2019-07-11 | CVE-2019-10915 | Siemens | Permissions, Privileges, and Access Controls vulnerability in Siemens TIA Administrator 1.0 A vulnerability has been identified in TIA Administrator (All versions < V1.0 SP1 Upd1). | 4.6 |
2019-07-11 | CVE-2019-1010316 | Pyxtrlock Project | Improper Access Control vulnerability in Pyxtrlock Project Pyxtrlock 0.1/0.2/0.3 pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. | 4.6 |
2019-07-11 | CVE-2019-9657 | Alarm | Insufficiently Protected Credentials vulnerability in Alarm Adc-V522Ir Firmware 0100B9 Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control, a different issue than CVE-2018-19588. | 4.6 |
2019-07-08 | CVE-2018-11563 | Otrs Debian | An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. | 4.6 |
2019-07-11 | CVE-2019-4118 | IBM | Unspecified vulnerability in IBM Multicloud Manager 3.1.0/3.1.1/3.1.2 IBM Multicloud Manager 3.1.0, 3.1.1, and 3.1.2 ibm-mcm-chart could allow a local attacker with admin privileges to obtain highly sensitive information upon deployment. | 4.4 |
2019-07-12 | CVE-2019-11242 | Cohesity | Improper Certificate Validation vulnerability in Cohesity Dataplatform A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c. | 4.3 |
2019-07-11 | CVE-2019-10933 | Siemens | Cross-site Scripting vulnerability in Siemens products A vulnerability has been identified in Spectrum Power 3 (Corporate User Interface) (All versions <= v3.11), Spectrum Power 4 (Corporate User Interface) (Version v4.75), Spectrum Power 5 (Corporate User Interface) (All versions < v5.50), Spectrum Power 7 (Corporate User Interface) (All versions <= v2.20). | 4.3 |
2019-07-11 | CVE-2019-4263 | IBM | Inclusion of Functionality from Untrusted Control Sphere vulnerability in IBM Content Navigator 3.0.0 IBM Content Navigator 3.0CD is vulnerable to local file inclusion, allowing an attacker to access a configuration file in the ICN server. | 4.3 |
2019-07-11 | CVE-2019-1010314 | Gitea | Cross-site Scripting vulnerability in Gitea 1.7.2/1.7.3 Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). | 4.3 |
2019-07-11 | CVE-2018-17150 | Intersystems | Cross-site Scripting vulnerability in Intersystems Cache 2017.2.2.865.0/2018.1.2 Intersystems Cache 2017.2.2.865.0 allows XSS. | 4.3 |
2019-07-11 | CVE-2019-13562 | Dlink | Cross-site Scripting vulnerability in Dlink Dir-655 Firmware 3.02B05 D-Link DIR-655 C devices before 3.02B05 BETA03 allow XSS, as demonstrated by the /www/ping_response.cgi ping_ipaddr parameter, the /www/ping6_response.cgi ping6_ipaddr parameter, and the /www/apply_sec.cgi html_response_return_page parameter. | 4.3 |
2019-07-11 | CVE-2019-13506 | Nuxtjs | Cross-site Scripting vulnerability in Nuxtjs @Nuxt/Devalue and Nuxt.Js @nuxt/devalue before 1.2.3, as used in Nuxt.js before 2.6.2, mishandles object keys, leading to XSS. | 4.3 |
2019-07-11 | CVE-2019-12540 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Servicedesk Plus 10.5 An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. | 4.3 |
2019-07-11 | CVE-2019-12539 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Servicedesk Plus 10.5 An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. | 4.3 |
2019-07-11 | CVE-2019-10342 | Jenkins | Missing Authorization vulnerability in Jenkins Docker A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | 4.3 |
2019-07-10 | CVE-2019-13488 | Trape Project | Cross-site Scripting vulnerability in Trape Project Trape 20190508 A cross-site scripting (XSS) vulnerability in static/js/trape.js in Trape through 2019-05-08 allows remote attackers to inject arbitrary web script or HTML via the country, query, or refer parameter to the /register URI, because the jQuery prepend() method is used. | 4.3 |
2019-07-10 | CVE-2019-0329 | SAP | Cross-site Scripting vulnerability in SAP Information Steward 4.2 SAP Information Steward, version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 4.3 |
2019-07-10 | CVE-2019-0326 | SAP | Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3 SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), versions 4.1, 4.2, 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 4.3 |
2019-07-10 | CVE-2019-0281 | SAP | Cross-site Scripting vulnerability in SAP Openui5 SAPUI5 and OpenUI5, before versions 1.38.39, 1.44.39, 1.52.25, 1.60.6 and 1.63.0, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 4.3 |
2019-07-10 | CVE-2018-11734 | E107 | Cross-site Scripting vulnerability in E107 2.1.7 In e107 v2.1.7, output without filtering results in XSS. | 4.3 |
2019-07-10 | CVE-2019-13122 | Ozlabs | Cross-site Scripting vulnerability in Ozlabs Patchwork A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. | 4.3 |
2019-07-10 | CVE-2019-12471 | Mediawiki Debian | Cross-site Scripting vulnerability in multiple products Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. | 4.3 |
2019-07-10 | CVE-2018-19572 | Gitlab | Race Condition vulnerability in Gitlab GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. | 4.3 |
2019-07-10 | CVE-2018-19493 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. | 4.3 |
2019-07-10 | CVE-2017-6217 | Paypal | Cross-site Scripting vulnerability in Paypal Adaptive Payments SDK 3.9.2 paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XSS in SetPaymentOptions.php, resulting in code execution. | 4.3 |
2019-07-10 | CVE-2019-13240 | Glpi Project | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Glpi-Project Glpi An issue was discovered in GLPI before 9.4.1. | 4.3 |
2019-07-10 | CVE-2019-12724 | Teclib Edition | Cross-site Scripting vulnerability in Teclib-Edition News An issue was discovered in the Teclib News plugin through 1.5.2 for GLPI. | 4.3 |
2019-07-10 | CVE-2018-12627 | Eventum Project | Cross-site Scripting vulnerability in Eventum Project Eventum An issue was discovered in Eventum 3.5.0. | 4.3 |
2019-07-10 | CVE-2018-12626 | Eventum Project | Cross-site Scripting vulnerability in Eventum Project Eventum An issue was discovered in Eventum 3.5.0. | 4.3 |
2019-07-10 | CVE-2018-12625 | Eventum Project | Cross-site Scripting vulnerability in Eventum Project Eventum An issue was discovered in Eventum 3.5.0. | 4.3 |
2019-07-10 | CVE-2018-12623 | Eventum Project | Cross-site Scripting vulnerability in Eventum Project Eventum An issue was discovered in Eventum 3.5.0. | 4.3 |
2019-07-10 | CVE-2018-12622 | Eventum Project | Cross-site Scripting vulnerability in Eventum Project Eventum An issue was discovered in Eventum 3.5.0. | 4.3 |
2019-07-09 | CVE-2019-13472 | Phpwind | Cross-site Scripting vulnerability in PHPwind 9.1.0 PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file. | 4.3 |
2019-07-09 | CVE-2019-9148 | Mailvelope | Improper Certificate Validation vulnerability in Mailvelope Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification. | 4.3 |
2019-07-09 | CVE-2019-9147 | Mailvelope | Improper Restriction of Rendered UI Layers or Frames vulnerability in Mailvelope Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. | 4.3 |
2019-07-09 | CVE-2019-13380 | Keynto | Cross-site Scripting vulnerability in Keynto Team Password Manager 1.5.0 KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from websites is mishandled in the online vault. | 4.3 |
2019-07-09 | CVE-2019-8920 | Apachefriends | Cross-site Scripting vulnerability in Apachefriends Xampp 1.7.0 iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569. | 4.3 |
2019-07-09 | CVE-2019-13454 | Imagemagick Debian Canonical Opensuse | Divide By Zero vulnerability in multiple products ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c. | 4.3 |
2019-07-09 | CVE-2018-14833 | Intuit | Improper Access Control vulnerability in Intuit Lacerte Intuit Lacerte 2017 has Incorrect Access Control. | 4.3 |
2019-07-08 | CVE-2019-12927 | Mailenable | Cross-site Scripting vulnerability in Mailenable MailEnable Enterprise Premium 10.23 was vulnerable to stored and reflected cross-site scripting (XSS) attacks. | 4.3 |
2019-07-08 | CVE-2019-12923 | Mailenable | Cross-Site Request Forgery (CSRF) vulnerability in Mailenable In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. | 4.3 |
2019-07-08 | CVE-2019-12930 | Wikindx Project | Cross-site Scripting vulnerability in Wikindx Project Wikindx A cross-site scripting (XSS) vulnerability in noMenu() and noSubMenu() in core/navigation/MENU.php in WIKINDX prior to version 5.8.1 allows remote attackers to inject arbitrary web script or HTML via the method parameter. | 4.3 |
2019-07-08 | CVE-2019-12171 | Dropbox | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Dropbox 71.4.108.0 Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. | 4.3 |
2019-07-08 | CVE-2019-13399 | Fortinet | Use of Hard-coded Credentials vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0 Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation. | 4.3 |
2019-07-12 | CVE-2019-11360 | Netfilter | Out-of-bounds Write vulnerability in Netfilter Iptables 1.8.2 A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. | 4.2 |
2019-07-12 | CVE-2019-12827 | Digium | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Digium Asterisk and Certified Asterisk Buffer overflow in res_pjsip_messaging in Digium Asterisk versions 13.21-cert3, 13.27.0, 15.7.2, 16.4.0 and earlier allows remote authenticated users to crash Asterisk by sending a specially crafted SIP MESSAGE message. | 4.0 |
2019-07-11 | CVE-2019-11268 | Pivotal Software | Information Exposure vulnerability in Pivotal Software Cloud Foundry Uaa-Release Cloud Foundry UAA versions prior to 73.3.0 contain endpoints with improper escaping. | 4.0 |
2019-07-10 | CVE-2019-12470 | Mediawiki Debian | Missing Authorization vulnerability in multiple products Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. | 4.0 |
2019-07-10 | CVE-2019-12469 | Mediawiki Debian | Missing Authorization vulnerability in multiple products MediaWiki through 1.32.1 has Incorrect Access Control. | 4.0 |
2019-07-10 | CVE-2018-19582 | Gitlab | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user. | 4.0 |
2019-07-10 | CVE-2018-19578 | Gitlab | Improper Authorization vulnerability in Gitlab 11.5.0 GitLab EE, version 11.5 before 11.5.1, is vulnerable to an insecure object reference issue that permits a user with Reporter privileges to view the Jaeger Tracing Operations page. | 4.0 |
2019-07-10 | CVE-2018-19575 | Gitlab | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an insecure direct object reference issue that allows a user to make comments on a locked issue. | 4.0 |
2019-07-10 | CVE-2018-19496 | Gitlab | Improper Access Control vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. | 4.0 |
2019-07-10 | CVE-2018-19495 | Gitlab | Server-Side Request Forgery (SSRF) vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. | 4.0 |
2019-07-10 | CVE-2018-19494 | Gitlab | Improper Access Control vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. | 4.0 |
2019-07-10 | CVE-2018-14831 | Damicms | Information Exposure vulnerability in Damicms 6.0.0 An arbitrary file read vulnerability in DamiCMS v6.0.0 allows remote authenticated administrators to read any files in the server via a crafted /admin.php?s=Tpl/Add/id/ URI. | 4.0 |
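The MailEnable CSRF entry above (CVE-2019-12923) describes a fail-open token check: the token is validated only when the anti-CSRF parameter is present, so simply deleting the parameter from the request skips the check. The following is an added example, not MailEnable's code, that places that pattern beside a fail-closed check and runs the two-request probe a tester uses to spot it (replay with the token, replay with the parameter removed). The parameter name `csrf_token`, the dict-based request and session objects, and the sample form fields are assumptions for the demo.

```python
"""Anti-CSRF token validation: fail-open (bypassable) vs fail-closed.

Added example, not MailEnable's code. The session and request parameters
are plain dicts constructed here, not a real web framework's objects.
"""
import hmac
import secrets

TOKEN_PARAM = "csrf_token"  # assumed name of the anti-CSRF form parameter


def issue_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session and return it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_csrf_valid_vulnerable(session: dict, params: dict) -> bool:
    """Fail-open check: validates the token only if the client sent one.

    Removing the parameter from the request means validation never runs,
    which is the bypass described in the advisory.
    """
    submitted = params.get(TOKEN_PARAM)
    if submitted is None:
        return True  # BUG: a missing token is treated as 'nothing to check'
    return submitted == session.get("csrf_token")


def is_csrf_valid_fixed(session: dict, params: dict) -> bool:
    """Fail-closed check: every state-changing request must carry a token
    that matches the session's token; missing or empty tokens are rejected."""
    expected = session.get("csrf_token")
    submitted = params.get(TOKEN_PARAM)
    if not expected or not submitted:
        return False
    # constant-time comparison so a wrong token cannot be matched byte by byte
    return hmac.compare_digest(submitted.encode(), expected.encode())


def probe_token_removal(check, session: dict) -> dict:
    """Reproduce the tester's steps against a given check function.

    Sends a state-changing request (constructed sample: setting a mail
    forward) with the token, with the token parameter removed, and with a
    wrong token, and reports what the check decided for each.
    """
    good = {
        "action": "set_forward",
        "to": "attacker@example.net",
        TOKEN_PARAM: session["csrf_token"],
    }
    stripped = {k: v for k, v in good.items() if k != TOKEN_PARAM}
    forged = dict(good, **{TOKEN_PARAM: "x" * 43})
    return {
        "with_token": check(session, good),
        "token_removed": check(session, stripped),
        "wrong_token": check(session, forged),
    }


if __name__ == "__main__":
    sess = {}
    issue_token(sess)
    for name, fn in (("vulnerable", is_csrf_valid_vulnerable),
                     ("fixed", is_csrf_valid_fixed)):
        print(f"{name:10s} {probe_token_removal(fn, sess)}")
```

When testing a CSRF defence, the removed-parameter case is the one to try first: frameworks and hand-rolled middleware that look up the token with a "get or skip" pattern accept it, while a correct implementation treats absence exactly like a wrong value.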
17 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-07-12 | CVE-2019-13161 | Digium Debian | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. | 3.5 |
2019-07-12 | CVE-2019-1010310 | Glpi Project | Injection vulnerability in Glpi-Project Glpi 9.3.1 GLPI 9.3.1 is affected by frame and form tag injection, allowing admins to phish users by putting code in a reminder description. | 3.5 |
2019-07-11 | CVE-2019-13029 | Vanderbilt | Cross-site Scripting vulnerability in Vanderbilt Redcap Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser. | 3.5 |
2019-07-11 | CVE-2019-1010003 | Leanote | Cross-site Scripting vulnerability in Leanote Leanote prior to version 2.6 is affected by: Cross Site Scripting (XSS). | 3.5 |
2019-07-10 | CVE-2019-0318 | SAP | Unspecified vulnerability in SAP Netweaver Application Server Java Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted. | 3.5 |
2019-07-10 | CVE-2018-19579 | Gitlab | Cross-site Scripting vulnerability in Gitlab 11.5.0 GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. | 3.5 |
2019-07-10 | CVE-2018-17147 | Nagios | Cross-site Scripting vulnerability in Nagios XI Nagios XI before 5.5.4 has XSS in the auto login admin management page. | 3.5 |
2019-07-09 | CVE-2019-13070 | Cyberpowersystems | Cross-site Scripting vulnerability in Cyberpowersystems Powerpanel 3.4.0 A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. | 3.5 |
2019-07-10 | CVE-2019-5221 | Huawei | Path Traversal vulnerability in Huawei Mate 20 X Firmware There is a path traversal vulnerability on Huawei Share. | 3.3 |
2019-07-11 | CVE-2019-3415 | ZTE | Path Traversal vulnerability in ZTE Zxmw Nr8000 Firmware 2.4.4.03/2.4.4.04 ZTE MW NR8000V2.4.4.03 and NR8000V2.4.4.04 are impacted by path traversal vulnerability. | 2.7 |
2019-07-10 | CVE-2019-5220 | Huawei | Incorrect Authorization vulnerability in Huawei products There is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones. | 2.1 |
2019-07-09 | CVE-2018-15738 | Stopzilla | Improper Input Validation vulnerability in Stopzilla Antimalware 6.5.2.59 An issue was discovered in STOPzilla AntiMalware 6.5.2.59. | 2.1 |
2019-07-08 | CVE-2019-2119 | Google | Information Exposure vulnerability in Google Android 8.0/8.1/9.0 In multiple functions of key_store_service.cpp, there is a possible Information Disclosure due to improper locking. | 2.1 |
2019-07-08 | CVE-2019-2118 | Google | Information Exposure vulnerability in Google Android 8.0/8.1/9.0 In various functions of Parcel.cpp, there are uninitialized or partially initialized stack variables. | 2.1 |
2019-07-08 | CVE-2019-2117 | Google | Information Exposure vulnerability in Google Android In checkQueryPermission of TelephonyProvider.java, there is a possible disclosure of secure data due to a missing permission check. | 2.1 |
2019-07-08 | CVE-2019-2113 | Google | Unspecified vulnerability in Google Android 9.0 In setup wizard there is a bypass of some checks when wifi connection is skipped. | 2.1 |
2019-07-08 | CVE-2019-2104 | Google | Information Exposure vulnerability in Google Android 8.0/8.1/9.0 In HIDL, safe_union, and other C++ structs/unions being sent to application processes, there are uninitialized fields. | 2.1 |
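Three entries in this report describe path traversal or arbitrary file read through a user-controlled file name: DamiCMS (CVE-2018-14831, via a crafted `/admin.php?s=Tpl/Add/id/` URI), Huawei Share (CVE-2019-5221) and ZTE NR8000 (CVE-2019-3415). The check below is an added example and is not code from any of those products. It resolves a requested name under a fixed directory and rejects `..` sequences, percent-encoded and double-encoded traversal, embedded NUL bytes, absolute paths and symlinks that point outside the root, which a plain string-prefix check would miss. The template directory, its file names and the symlink target are constructed for the demo.

```python
"""Resolve a user-supplied file name under a fixed directory, or refuse.

Added example for the path-traversal / arbitrary-file-read entries
(DamiCMS, Huawei Share, ZTE NR8000); not code from any of those products.
The demo directory built by make_demo_root() is constructed sample data.
"""
import os
import tempfile
from urllib.parse import unquote


class PathTraversal(ValueError):
    """Raised when the requested name would resolve outside the root."""


def resolve_under_root(root: str, user_path: str) -> str:
    """Return the absolute path for user_path inside root.

    Order of checks:
      1. percent-decode twice so '%2e%2e/' and '%252e%252e/' are both seen
         as '../' before any path logic runs;
      2. reject NUL bytes (they truncate the name in C-level file APIs);
      3. reject absolute paths, which os.path.join would otherwise honour;
      4. realpath() both sides and require containment via commonpath(),
         so '..' components and symlinks escaping the root are caught and
         '/srv/tpl' is not confused with '/srv/tpl2' by a prefix test.
    """
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise PathTraversal("NUL byte in requested name")
    if os.path.isabs(decoded):
        raise PathTraversal("absolute path rejected")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, decoded))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathTraversal(f"{user_path!r} escapes {root!r}")
    return candidate


def read_template(root: str, name: str) -> str:
    """Read a template by user-supplied name, enforcing the root boundary."""
    with open(resolve_under_root(root, name), "r", encoding="utf-8") as fh:
        return fh.read()


def make_demo_root() -> str:
    """Build a throwaway template directory (constructed sample data):
    one legitimate file and one symlink that points outside the root."""
    root = tempfile.mkdtemp(prefix="tpl_")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>hello</h1>")
    try:
        # assumed target; it need not exist for realpath() to resolve it
        os.symlink("/etc/hostname", os.path.join(root, "link"))
    except OSError:
        pass  # platforms without symlink support skip this case
    return root


def has_escaping_symlink(root: str) -> bool:
    """True if the demo symlink was created (used to gate that check)."""
    return os.path.islink(os.path.join(root, "link"))


def probe(root: str, names) -> dict:
    """Classify each requested name as 'allowed' or 'blocked'."""
    result = {}
    for name in names:
        try:
            resolve_under_root(root, name)
            result[name] = "allowed"
        except PathTraversal:
            result[name] = "blocked"
    return result


if __name__ == "__main__":
    demo = make_demo_root()
    samples = ["index.html", "../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
               "%252e%252e/etc/passwd", "/etc/passwd", "index.html%00.txt", "link"]
    for name, verdict in probe(demo, samples).items():
        print(f"{verdict:8s} {name}")
```

The containment test is done on `realpath()` output rather than on the normalized string because a symlink inside the allowed directory is the usual way a lexically clean name still reaches `/etc/` or a sibling site's files; an allow-list of expected names is stricter still where the application can afford it.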