Weekly Vulnerabilities Reports > July 15 to 21, 2019

Overview

345 new vulnerabilities were reported during this period, including 44 critical vulnerabilities and 87 high severity vulnerabilities. This weekly summary reports vulnerabilities in 388 products from 161 vendors including Microsoft, Debian, Fedoraproject, Adobe, and Canonical. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Information Exposure", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Improper Input Validation".

  • 287 reported vulnerabilities are remotely exploitable.
  • 4 reported vulnerabilities have a public exploit available.
  • 98 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 291 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 90 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 13 reported vulnerabilities.


Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:

44 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-19 CVE-2019-13569 Icegram SQL Injection vulnerability in Icegram Email Subscribers & Newsletters

A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress.

10.0
2019-07-19 CVE-2019-12725 Zeroshell OS Command Injection vulnerability in Zeroshell 3.9.0

Zeroshell 3.9.0 is prone to a remote command execution vulnerability.

10.0
2019-07-17 CVE-2019-1917 Cisco Improper Authentication vulnerability in Cisco Vision Dynamic Signage Director

A vulnerability in the REST API interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to bypass authentication on an affected system.

10.0
2019-07-17 CVE-2019-13447 Sertek SQL Injection vulnerability in Sertek Xpare 3.67

An issue was discovered in Sertek Xpare 3.67.

10.0
2019-07-17 CVE-2019-11535 Linksys Command Injection vulnerability in Linksys Re6300 Firmware and Re6400 Firmware

Unsanitized user input in the web interface for Linksys WiFi extender products (RE6400 and RE6300 through 1.2.04.022) allows for remote command execution.

10.0
2019-07-17 CVE-2019-13624 Onosproject Data Processing Errors vulnerability in Onosproject Onos 1.15.0

In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command.

10.0
2019-07-16 CVE-2019-12988 Citrix OS Command Injection vulnerability in Citrix Netscaler Sd-Wan and Sd-Wan

Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 4 of 6).

10.0
2019-07-16 CVE-2019-12987 Citrix OS Command Injection vulnerability in Citrix Netscaler Sd-Wan and Sd-Wan

Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 3 of 6).

10.0
2019-07-16 CVE-2019-12986 Citrix OS Command Injection vulnerability in Citrix Netscaler Sd-Wan and Sd-Wan

Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 2 of 6).

10.0
2019-07-16 CVE-2019-12985 Citrix OS Command Injection vulnerability in Citrix Netscaler Sd-Wan and Sd-Wan

Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 1 of 6).

10.0
2019-07-15 CVE-2019-1010298 Linaro Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linaro Op-Tee

Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow.

10.0
2019-07-15 CVE-2019-1010297 Linaro Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linaro Op-Tee

Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow.

10.0
2019-07-15 CVE-2019-1010296 Linaro Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linaro Op-Tee

Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow.

10.0
2019-07-19 CVE-2019-12815 Proftpd, Fedoraproject, Debian, Siemens Improper Handling of Exceptional Conditions vulnerability in multiple products

An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.

9.8
2019-07-19 CVE-2019-1010238 Gnome, Oracle, Fedoraproject, Debian, Canonical, Redhat Out-of-bounds Write vulnerability in multiple products

Gnome Pango 1.42 and later is affected by: Buffer Overflow.

9.8
2019-07-18 CVE-2019-13962 Videolan, Opensuse, Debian, Canonical Out-of-bounds Read vulnerability in multiple products

lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer over-read because it does not properly validate the width and height.

9.8
2019-07-18 CVE-2019-13575 Wpeverest SQL Injection vulnerability in Wpeverest Everest Forms

A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9.

9.8
2019-07-17 CVE-2019-13640 Qbittorrent OS Command Injection vulnerability in Qbittorrent

In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.

9.8
2019-07-17 CVE-2019-13585 Fanucamerica Out-of-bounds Write vulnerability in Fanucamerica Robotics Virtual Robot Controller 8.23

The remote admin webserver on FANUC Robotics Virtual Robot Controller 8.23 has a Buffer Overflow via a forged HTTP request.

9.8
2019-07-17 CVE-2019-13573 Foliovision SQL Injection vulnerability in Foliovision FV Flowplayer Video Player

A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPress.

9.8
2019-07-17 CVE-2019-9848 Libreoffice, Canonical, Fedoraproject, Debian, Opensuse Code Injection vulnerability in multiple products

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc.

9.8
2019-07-16 CVE-2019-12990 Citrix Path Traversal vulnerability in Citrix Netscaler Sd-Wan and Sd-Wan

Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow Directory Traversal.

9.8
2019-07-16 CVE-2019-13360 Control Webpanel Authorization Bypass Through User-Controlled Key vulnerability in Control-Webpanel Webpanel 0.9.8.836

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username.

9.8
2019-07-15 CVE-2019-6824 Schneider Electric Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Proclima 6.0.1/6.1

A CWE-119: Buffer Errors vulnerability exists in ProClima (all versions prior to version 8.0.0) which allows an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.

9.8
2019-07-15 CVE-2019-6823 Schneider Electric Code Injection vulnerability in Schneider-Electric Proclima 6.0.1/6.1

A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.

9.8
2019-07-15 CVE-2019-1010022 GNU Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in GNU Glibc

GNU Libc current is affected by: Mitigation bypass.

9.8
2019-07-17 CVE-2019-13625 NSA XXE vulnerability in NSA Ghidra 9.0

NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file.

9.4
2019-07-17 CVE-2019-13637 Logmeininc Untrusted Search Path vulnerability in Logmeininc Join.Me

In LogMeIn join.me before 3.16.0.5505, an attacker could execute arbitrary commands on a targeted system.

9.3
2019-07-15 CVE-2019-1128 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1127 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1124 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1123 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1122 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1121 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1120 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1119 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2019

A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1118 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1117 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1111 Microsoft Unspecified vulnerability in Microsoft Excel, Office and Office 365 Proplus

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1110 Microsoft Unspecified vulnerability in Microsoft Excel, Office and Office 365 Proplus

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'.

9.3
2019-07-15 CVE-2019-1102 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka 'GDI+ Remote Code Execution Vulnerability'.

9.3
2019-07-19 CVE-2019-11990 HP Unspecified vulnerability in HP Universal Internet of Things

Security vulnerabilities in HPE UIoT versions 1.6, 1.5, 1.4.2, 1.4.1, 1.4.0, and 1.2.4.2 could allow unauthorized remote access and access to sensitive data.

9.0
2019-07-16 CVE-2019-12992 Citrix OS Command Injection vulnerability in Citrix Netscaler Sd-Wan and Sd-Wan

Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 6 of 6).

9.0
2019-07-16 CVE-2019-12991 Citrix OS Command Injection vulnerability in Citrix Netscaler Sd-Wan and Sd-Wan

Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).

9.0

87 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-18 CVE-2019-1010054 Dolibarr Cross-Site Request Forgery (CSRF) vulnerability in Dolibarr Erp/Crm 7.0.0

Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF).

8.8
2019-07-16 CVE-2019-13605 Control Webpanel Authorization Bypass Through User-Controlled Key vulnerability in Control-Webpanel Webpanel 0.9.8.836

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging the knowledge of a valid username.

8.8
2019-07-15 CVE-2019-1010023 GNU Unspecified vulnerability in GNU Glibc

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file.

8.8
2019-07-17 CVE-2019-12876 Zohocorp Incorrect Permission Assignment for Critical Resource vulnerability in Zohocorp products

Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System.

8.5
2019-07-16 CVE-2019-13115 Libssh2, Debian, Fedoraproject, Netapp, F5 Integer Overflow or Wraparound vulnerability in multiple products

In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server.

8.1
2019-07-16 CVE-2019-13616 Libsdl, Debian, Opensuse, Fedoraproject, Canonical, Redhat Out-of-bounds Read vulnerability in multiple products

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.

8.1
2019-07-15 CVE-2019-0887 Microsoft Path Traversal vulnerability in Microsoft products

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an authenticated attacker abuses clipboard redirection, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

8.0
2019-07-19 CVE-2019-1010136 Chinamobileltd Missing Authentication for Critical Function vulnerability in Chinamobileltd Gpn2.4P21-C-Cn Firmware W2001En00

ChinaMobile GPN2.4P21-C-CN W2001EN-00 is affected by: Incorrect Access Control - Unauthenticated Remote Reboot.

7.8
2019-07-17 CVE-2019-11771 Eclipse Permissions, Privileges, and Access Controls vulnerability in Eclipse Openj9

AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users.

7.8
2019-07-17 CVE-2019-13272 Linux, Debian, Fedoraproject, Canonical, Redhat, Netapp Improper Privilege Management vulnerability in multiple products

In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker).

7.8
2019-07-16 CVE-2019-1010057 Nfdump Project, Fedoraproject, Debian Out-of-bounds Write vulnerability in multiple products

nfdump 1.6.16 and earlier is affected by: Buffer Overflow.

7.8
2019-07-15 CVE-2019-6827 Schneider Electric Out-of-bounds Write vulnerability in Schneider-Electric Interactive Graphical Scada System

A CWE-787: Out-of-bounds Write vulnerability exists in Interactive Graphical SCADA System (IGSS), Version 14 and prior, which could cause a software crash when data in the mdb database is manipulated.

7.8
2019-07-15 CVE-2019-6822 Schneider Electric Use After Free vulnerability in Schneider-Electric Zelio Soft 2

A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.

7.8
2019-07-15 CVE-2018-7838 Schneider Electric Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric products

A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP CWD command with a data length greater than 1020 bytes.

7.8
2019-07-15 CVE-2019-1010006 Gnome, Canonical, Debian, Opensuse Integer Overflow or Wraparound vulnerability in multiple products

Evince 3.26.0 is affected by buffer overflow.

7.8
2019-07-15 CVE-2019-1107 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-07-15 CVE-2019-1106 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-07-15 CVE-2019-1104 Microsoft Out-of-bounds Write vulnerability in Microsoft Edge and Internet Explorer

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka 'Microsoft Browser Memory Corruption Vulnerability'.

7.6
2019-07-15 CVE-2019-1103 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-07-15 CVE-2019-1092 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-07-15 CVE-2019-1063 Microsoft Out-of-bounds Write vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka 'Internet Explorer Memory Corruption Vulnerability'.

7.6
2019-07-15 CVE-2019-1062 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-07-15 CVE-2019-1059 Microsoft Out-of-bounds Write vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-07-15 CVE-2019-1056 Microsoft Out-of-bounds Write vulnerability in Microsoft Internet Explorer 11

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-07-15 CVE-2019-1004 Microsoft Out-of-bounds Write vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-07-15 CVE-2019-1001 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore, Edge and Internet Explorer

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-07-21 CVE-2019-14231 Onionbuzz SQL Injection vulnerability in Onionbuzz

An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.2 for WordPress.

7.5
2019-07-21 CVE-2019-14230 Onionbuzz SQL Injection vulnerability in Onionbuzz

An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.7 for WordPress.

7.5
2019-07-21 CVE-2019-14213 Foxitsoftware Unspecified vulnerability in Foxitsoftware Phantompdf

An issue was discovered in Foxit PhantomPDF before 8.3.11.

7.5
2019-07-21 CVE-2019-14211 Foxitsoftware Improper Input Validation vulnerability in Foxitsoftware Phantompdf

An issue was discovered in Foxit PhantomPDF before 8.3.11.

7.5
2019-07-21 CVE-2019-14209 Foxitsoftware, Microsoft Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf

An issue was discovered in Foxit PhantomPDF before 8.3.10.

7.5
2019-07-21 CVE-2019-14206 Nevma Path Traversal vulnerability in Nevma Adaptive Images

An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via the $REQUEST['adaptive-images-settings'] parameter in adaptive-images-script.php.

7.5
2019-07-19 CVE-2019-9228 Audiocodes Unspecified vulnerability in Audiocodes products

An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A at least to 7.20A.252.062.

7.5
2019-07-19 CVE-2019-12193 H3C SQL Injection vulnerability in H3C H3Cloud OS

H3C H3Cloud OS all versions allows SQL injection via the ear/grid_event sidx parameter.

7.5
2019-07-19 CVE-2019-1010142 Scapy, Fedoraproject Infinite Loop vulnerability in multiple products

scapy 2.4.0 is affected by: Denial of Service.

7.5
2019-07-19 CVE-2019-1010101 Akeo Incorrect Permission Assignment for Critical Resource vulnerability in Akeo Rufus

Akeo Consulting Rufus 3.0 and earlier is affected by: Insecure Permissions.

7.5
2019-07-19 CVE-2019-1010245 Linuxfoundation Improper Input Validation vulnerability in Linuxfoundation Open Network Operating System

The Linux Foundation ONOS SDN Controller 1.15 and earlier versions are affected by: Improper Input Validation.

7.5
2019-07-19 CVE-2019-1010151 Zzcms Path Traversal vulnerability in Zzcms Zzmcms 8.3

zzcms zzmcms 8.3 and earlier is affected by: File Delete to getshell.

7.5
2019-07-19 CVE-2019-13973 Layerbb Unrestricted Upload of File with Dangerous Type vulnerability in Layerbb 1.1.3

LayerBB 1.1.3 allows admin/general.php arbitrary file upload because the custom_logo filename suffix is not restricted, and .php may be used.

7.5
2019-07-18 CVE-2019-7850 Adobe, Linux, Microsoft Command Injection vulnerability in Adobe Campaign 18.10.5.8984

Adobe Campaign Classic version 18.10.5-8984 and earlier versions have a Command injection vulnerability.

7.5
2019-07-18 CVE-2019-13956 Codersclub Code Injection vulnerability in Codersclub Discuz!Ml 3.2/3.3/3.4

Discuz!ML 3.2 through 3.4 allows remote attackers to execute arbitrary PHP code via a modified language cookie, as demonstrated by changing 4gH4_0df5_language=en to 4gH4_0df5_language=en'.phpinfo().'; (if the random prefix 4gH4_0df5_ were used).

7.5
2019-07-18 CVE-2019-1010248 I Doit SQL Injection vulnerability in I-Doit

Synetics GmbH I-doit 1.12 and earlier is affected by: SQL Injection.

7.5
2019-07-18 CVE-2019-13952 Gdnsd Out-of-bounds Write vulnerability in Gdnsd

The set_ipv6() function in zscan_rfc1035.rl in gdnsd before 2.4.3 and 3.x before 3.2.1 has a stack-based buffer overflow via a long and malformed IPv6 address in zone data.

7.5
2019-07-18 CVE-2019-13951 Gdnsd Out-of-bounds Write vulnerability in Gdnsd 3.2.0

The set_ipv4() function in zscan_rfc1035.rl in gdnsd 3.x before 3.2.1 has a stack-based buffer overflow via a long and malformed IPv4 address in zone data.

7.5
2019-07-18 CVE-2019-1010268 Ladon Project XXE vulnerability in Ladon Project Ladon

Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE).

7.5
2019-07-18 CVE-2019-1010259 Saltstack SQL Injection vulnerability in Saltstack Salt 2018 and Salt 2019

SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection.

7.5
2019-07-18 CVE-2019-3570 Facebook Out-of-bounds Write vulnerability in Facebook Hiphop Virtual Machine

Call to the scrypt_enc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p).

7.5
2019-07-18 CVE-2019-13509 Docker Information Exposure Through Log Files vulnerability in Docker

In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log.

7.5
2019-07-18 CVE-2019-1010104 Techytalk SQL Injection vulnerability in Techytalk Quick Chat

TechyTalk Quick Chat WordPress Plugin All up to the latest is affected by: SQL Injection.

7.5
2019-07-17 CVE-2019-11772 Eclipse Out-of-bounds Write vulnerability in Eclipse Openj9

In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT.

7.5
2019-07-17 CVE-2019-1010283 Univention Information Exposure vulnerability in Univention Corporate Server

Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure.

7.5
2019-07-17 CVE-2019-1010275 Helm Improper Certificate Validation vulnerability in Helm

helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation.

7.5
2019-07-17 CVE-2019-1010263 Perl Crypt Improper Verification of Cryptographic Signature vulnerability in Perl Crypt::Jwt Project Perl Crypt::Jwt

Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control.

7.5
2019-07-17 CVE-2019-13619 Wireshark, Fedoraproject, Canonical, Debian, Opensuse Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

In Wireshark 3.0.0 to 3.0.2, 2.6.0 to 2.6.9, and 2.4.0 to 2.4.15, the ASN.1 BER dissector and related dissectors could crash.

7.5
2019-07-17 CVE-2019-13577 Computerlab Out-of-bounds Write vulnerability in Computerlab Maple Computer WBT Snmp Administrator 2.0.195.15

SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated Remote Buffer Overflow via a long string to the CE Remote feature listening on Port 987.

7.5
2019-07-17 CVE-2019-13614 TP Link Out-of-bounds Write vulnerability in Tp-Link Archer C1200 Firmware 1.0.0

CMD_SET_CONFIG_COUNTRY in the TP-Link Device Debug protocol in TP-Link Archer C1200 1.0.0 Build 20180502 rel.45702 and earlier is prone to a stack-based buffer overflow, which allows a remote attacker to achieve code execution or denial of service by sending a crafted payload to the listening server.

7.5
2019-07-17 CVE-2019-13613 TP Link Out-of-bounds Write vulnerability in Tp-Link Archer C1200 Firmware 1.0.0

CMD_FTEST_CONFIG in the TP-Link Device Debug protocol in TP-Link Wireless Router Archer Router version 1.0.0 Build 20180502 rel.45702 (EU) and earlier is prone to a stack-based buffer overflow, which allows a remote attacker to achieve code execution or denial of service by sending a crafted payload to the listening server.

7.5
2019-07-17 CVE-2019-10353 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins

CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.

7.5
2019-07-17 CVE-2019-4430 IBM Path Traversal vulnerability in IBM Maximo Asset Management 7.6

IBM Maximo Asset Management 7.6 could allow a remote attacker to traverse directories on the system.

7.5
2019-07-16 CVE-2019-13359 Control Webpanel Unrestricted Upload of File with Dangerous Type vulnerability in Control-Webpanel Webpanel 0.9.8.836

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user.

7.5
2019-07-16 CVE-2019-12989 Citrix SQL Injection vulnerability in Citrix Netscaler Sd-Wan and Sd-Wan

Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection.

7.5
2019-07-16 CVE-2019-10191 NIC, Fedoraproject Improper Input Validation vulnerability in multiple products

A vulnerability was discovered in DNS resolver of knot resolver before version 4.1.0 which allows remote attackers to downgrade DNSSEC-secure domains to DNSSEC-insecure state, opening possibility of domain hijack using attacks against insecure DNS protocol.

7.5
2019-07-16 CVE-2019-10190 NIC, Fedoraproject Improper Input Validation vulnerability in multiple products

A vulnerability was discovered in DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answer.

7.5
2019-07-16 CVE-2019-1010292 Linaro Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linaro Op-Tee

Linaro/OP-TEE OP-TEE Prior to version v3.4.0 is affected by: Boundary checks.

7.5
2019-07-16 CVE-2019-1010043 Quake3E Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Quake3E Project Quake3E

Quake3e < 5ed740d is affected by: Buffer Overflow.

7.5
2019-07-16 CVE-2019-1010062 Pluck CMS Unrestricted Upload of File with Dangerous Type vulnerability in Pluck-Cms Pluckcms

PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload of File with Dangerous Type.

7.5
2019-07-16 CVE-2019-1010060 Nasa Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nasa Cfitsio

NASA CFITSIO prior to 3.43 is affected by: Buffer Overflow.

7.5
2019-07-15 CVE-2019-1072 Microsoft Improper Input Validation vulnerability in Microsoft Azure Devops Server and Team Foundation Server

A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input, aka 'Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability'.

7.5
2019-07-15 CVE-2019-0785 Microsoft Out-of-bounds Write vulnerability in Microsoft products

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.

7.5
2019-07-15 CVE-2019-1010295 Linaro Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linaro Op-Tee

Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow.

7.5
2019-07-15 CVE-2019-1010293 Linaro Out-of-bounds Write vulnerability in Linaro Op-Tee

Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Boundary crossing.

7.5
2019-07-15 CVE-2019-1010044 Archivesunleashed Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Archivesunleashed Graphpass

borg-reducer c6d5240 is affected by: Buffer Overflow.

7.5
2019-07-15 CVE-2019-1010306 Teller Deserialization of Untrusted Data vulnerability in Teller Slanger 0.6.0

Slanger 0.6.0 is affected by: Remote Code Execution (RCE).

7.5
2019-07-15 CVE-2019-1010039 Ulaunchelf Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ulaunchelf Project Ulaunchelf 170827A/190107

uLaunchELF < commit 170827a is affected by: Buffer Overflow.

7.5
2019-07-15 CVE-2019-1010038 Openmodelica Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Openmodelica Omcompiler

OpenModelica OMCompiler is affected by: Buffer Overflow.

7.5
2019-07-15 CVE-2019-1010009 Dglogik Incorrect Permission Assignment for Critical Resource vulnerability in Dglogik Dglux Server

DGLogik Inc DGLux Server All Versions is affected by: Insecure Permissions.

7.5
2019-07-17 CVE-2019-3969 Comodo Unspecified vulnerability in Comodo Antivirus 11.0.0.6582/12.0.0.6810

Comodo Antivirus versions up to 12.0.0.6810 are vulnerable to Local Privilege Escalation due to CmdAgent's handling of COM clients.

7.2
2019-07-17 CVE-2019-1919 Cisco Use of Hard-coded Credentials vulnerability in Cisco Findit Network Manager and Findit Network Probe

A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges.

7.2
2019-07-15 CVE-2019-1132 Microsoft Unspecified vulnerability in Microsoft Windows 7 and Windows Server 2008

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2019-07-15 CVE-2019-1130 Microsoft Link Following vulnerability in Microsoft products

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'.

7.2
2019-07-15 CVE-2019-1129 Microsoft Link Following vulnerability in Microsoft products

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'.

7.2
2019-07-15 CVE-2019-1090 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the dnsrslvr.dll handles objects in memory, aka 'Windows dnsrlvr.dll Elevation of Privilege Vulnerability'.

7.2
2019-07-15 CVE-2019-1089 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request.

7.2
2019-07-15 CVE-2019-1082 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Microsoft Windows where a certain DLL, with Local Service privilege, is vulnerable to race planting a customized DLL. An attacker who successfully exploited this vulnerability could potentially elevate privilege to SYSTEM. The update addresses this vulnerability by requiring SYSTEM privileges for a certain DLL, aka 'Microsoft Windows Elevation of Privilege Vulnerability'.

7.2
2019-07-15 CVE-2019-1067 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

7.2
2019-07-15 CVE-2019-0999 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory, aka 'DirectX Elevation of Privilege Vulnerability'.

7.2
2019-07-19 CVE-2019-11989 HP
Microsoft
Redhat
Unspecified vulnerability in HP Icewall SSO Agent and MFA Proxy

A security vulnerability in HPE IceWall SSO Agent Option and IceWall MFA (Agent module) could be exploited remotely to cause a denial of service.

7.1

185 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-15 CVE-2019-1037 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'.

6.9
2019-07-20 CVE-2019-12934 WP Code Highlightjs Project Cross-Site Request Forgery (CSRF) vulnerability in Wp-Code-Highlightjs Project Wp-Code-Highlightjs

An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress.

6.8
2019-07-19 CVE-2019-1579 Paloaltonetworks Use of Externally-Controlled Format String vulnerability in Paloaltonetworks Pan-Os

Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code.

6.8
2019-07-19 CVE-2019-13989 Dpic Project Out-of-bounds Write vulnerability in Dpic Project Dpic 20190620

dpic 2019.06.20 has a Stack-based Buffer Overflow in the wfloat() function in main.c.

6.8
2019-07-19 CVE-2018-17792 Altn Cross-Site Request Forgery (CSRF) vulnerability in Altn Mdaemon Webmail 14.0

MDaemon Webmail (formerly WorldClient) has CSRF.

6.8
2019-07-19 CVE-2019-1010100 Akeo Uncontrolled Search Path Element vulnerability in Akeo Rufus

Akeo Consulting Rufus 3.0 and earlier is affected by: DLL search order hijacking.

6.8
2019-07-19 CVE-2015-7882 Mongodb Improper Authentication vulnerability in Mongodb 3.0.0/3.0.6

Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access.

6.8
2019-07-19 CVE-2019-13984 Rangerstudio Unrestricted Upload of File with Dangerous Type vulnerability in Rangerstudio Directus 7 API

Directus 7 API before 2.3.0 does not validate uploaded files.

6.8
2019-07-19 CVE-2019-13980 Rangerstudio Unrestricted Upload of File with Dangerous Type vulnerability in Rangerstudio Directus 7 API

In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx.

6.8
2019-07-19 CVE-2019-13979 Rangerstudio Unrestricted Upload of File with Dangerous Type vulnerability in Rangerstudio Directus 7 API

In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution.

6.8
2019-07-19 CVE-2019-13974 Layerbb Cross-Site Request Forgery (CSRF) vulnerability in Layerbb 1.1.3

LayerBB 1.1.3 allows conversations.php/cmd/new CSRF.

6.8
2019-07-18 CVE-2019-7956 Adobe Untrusted Search Path vulnerability in Adobe Dreamweaver

Adobe Dreamweaver direct download installer versions 19.0 and below, 18.0 and below have an Insecure Library Loading (DLL hijacking) vulnerability.

6.8
2019-07-18 CVE-2019-13961 Flatcore Cross-Site Request Forgery (CSRF) vulnerability in Flatcore

A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php.

6.8
2019-07-18 CVE-2019-1010112 Phpcoo Cross-Site Request Forgery (CSRF) vulnerability in PHPcoo Oecms 4.3/4.3.R60321

OECMS v4.3.R60321 and later v4.3 builds are affected by: Cross Site Request Forgery (CSRF).

6.8
2019-07-18 CVE-2019-9231 Audiocodes Cross-Site Request Forgery (CSRF) vulnerability in Audiocodes products

An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions before 7.20A.202.307.

6.8
2019-07-18 CVE-2019-13949 Syguestbook A5 Project Cross-Site Request Forgery (CSRF) vulnerability in Syguestbook A5 Project Syguestbook A5 1.2

SyGuestBook A5 Version 1.2 has no CSRF protection mechanism, as demonstrated by CSRF for an index.php?c=Administrator&a=update admin password change.

6.8
2019-07-18 CVE-2019-1010096 Domainmod Cross-Site Request Forgery (CSRF) vulnerability in Domainmod 4.10.0

DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF).

6.8
2019-07-18 CVE-2019-1010095 Domainmod Cross-Site Request Forgery (CSRF) vulnerability in Domainmod 4.10.0

DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF).

6.8
2019-07-18 CVE-2019-1010094 Domainmod Cross-Site Request Forgery (CSRF) vulnerability in Domainmod 4.10.0

DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF).

6.8
2019-07-17 CVE-2019-13631 Linux Out-of-bounds Write vulnerability in Linux Kernel

In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages.

6.8
2019-07-17 CVE-2019-13623 NSA Path Traversal vulnerability in NSA Ghidra

In NSA Ghidra before 9.1, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename.

6.8
2019-07-16 CVE-2019-13611 Python Engineio Project Cross-Site Request Forgery (CSRF) vulnerability in Python-Engineio Project Python-Engineio

An issue was discovered in python-engineio through 3.8.2.

6.8
2019-07-15 CVE-2019-6825 Schneider Electric Uncontrolled Search Path Element vulnerability in Schneider-Electric Proclima 6.0.1/6.1

A CWE-427: Uncontrolled Search Path Element vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow a malicious DLL file, with the same name as any DLL resident inside the software installation, to execute arbitrary code.

6.8
2019-07-15 CVE-2019-1113 Microsoft Improper Input Validation vulnerability in Microsoft .Net Framework and Visual Studio 2017

A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code Execution Vulnerability'.

6.8
2019-07-15 CVE-2019-0975 Microsoft Unspecified vulnerability in Microsoft Windows Server 2016 and Windows Server 2019

A security feature bypass vulnerability exists when Active Directory Federation Services (ADFS) improperly updates its list of banned IP addresses.

6.8
2019-07-18 CVE-2019-3592 Mcafee Unspecified vulnerability in Mcafee Agent

Privilege escalation vulnerability in McAfee Agent (MA) before 5.6.1 HF3, allows local administrator users to potentially disable some McAfee processes by manipulating the MA directory control and placing a carefully constructed file in the MA directory.

6.7
2019-07-15 CVE-2019-1077 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2017 and Visual Studio 2019

An elevation of privilege vulnerability exists when the Visual Studio updater service improperly handles file permissions, aka 'Visual Studio Elevation of Privilege Vulnerability'.

6.6
2019-07-20 CVE-2018-17210 Printeron Improper Authorization vulnerability in Printeron Central Print Services 2.5/4.1.4

An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4.

6.5
2019-07-19 CVE-2019-11553 Code42 Improper Privilege Management vulnerability in Code42

In Code42 for Enterprise through 6.8.4, an administrator without web restore permission but with the ability to manage users in an organization can impersonate a user with web restore permission.

6.5
2019-07-19 CVE-2019-13978 Ovidentia SQL Injection vulnerability in Ovidentia 8.4.3

Ovidentia 8.4.3 has SQL Injection via the id parameter in an index.php?tg=delegat&idx=mem request.

6.5
2019-07-19 CVE-2019-13969 Metinfo SQL Injection vulnerability in Metinfo

Metinfo 6.x allows SQL Injection via the id parameter in an admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1 request.

6.5
2019-07-18 CVE-2019-1010065 Sleuthkit
Fedoraproject
Debian
Integer Overflow or Wraparound vulnerability in multiple products

The Sleuth Kit 4.6.0 and earlier is affected by: Integer Overflow.

6.5
2019-07-17 CVE-2019-13626 Libsdl
Fedoraproject
Debian
Opensuse
Out-of-bounds Read vulnerability in multiple products

SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buffer over-read in Fill_IMA_ADPCM_block, caused by an integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c.

6.5
2019-07-17 CVE-2019-10352 Jenkins Path Traversal vulnerability in Jenkins

A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.

6.5
2019-07-16 CVE-2018-13442 Solarwinds SQL Injection vulnerability in Solarwinds Network Performance Monitor

SolarWinds Network Performance Monitor 12.3 allows SQL Injection via the /api/ActiveAlertsOnThisEntity/GetActiveAlerts TriggeringObjectEntityNames parameter.

6.5
2019-07-16 CVE-2019-1576 Paloaltonetworks OS Command Injection vulnerability in Paloaltonetworks Pan-Os 9.0.0/9.0.1/9.0.2

Command injection in PAN-OS 9.0.2 and earlier may allow an authenticated attacker to gain access to a remote shell in PAN-OS, and potentially run with the escalated user's permissions.

6.5
2019-07-16 CVE-2019-1575 Paloaltonetworks Information Exposure vulnerability in Paloaltonetworks Pan-Os

Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier may allow for an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML API (in PAN-OS) and possibly escalate privileges granted to them.

6.5
2019-07-15 CVE-2019-1068 Microsoft Unspecified vulnerability in Microsoft SQL Server 2014/2016/2017

A remote code execution vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions, aka 'Microsoft SQL Server Remote Code Execution Vulnerability'.

6.5
2019-07-15 CVE-2019-1109 Microsoft Improper Input Validation vulnerability in Microsoft Office and Office 365

A spoofing vulnerability exists when Microsoft Office Javascript does not check the validity of the web page making a request to Office documents. An attacker who successfully exploited this vulnerability could read or write information in Office documents. The security update addresses the vulnerability by correcting the way that Microsoft Office Javascript verifies trusted web pages, aka 'Microsoft Office Spoofing Vulnerability'.

6.4
2019-07-19 CVE-2019-1010247 Openidc Cross-site Scripting vulnerability in Openidc MOD Auth Openidc

ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS).

6.1
2019-07-17 CVE-2019-1920 Cisco Unspecified vulnerability in Cisco products

A vulnerability in the 802.11r Fast Transition (FT) implementation for Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected interface.

6.1
2019-07-17 CVE-2018-2021 IBM Cross-site Scripting vulnerability in IBM Qradar Security Information and Event Manager

IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scripting.

6.1
2019-07-15 CVE-2019-0234 Apache Cross-site Scripting vulnerability in Apache Roller 5.2.0/5.2.1/5.2.2

A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller.

6.1
2019-07-15 CVE-2019-1010016 Dolibarr Cross-site Scripting vulnerability in Dolibarr Erp/Crm 6.0.4

Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS).

6.1
2019-07-17 CVE-2019-13636 GNU Link Following vulnerability in GNU Patch

In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files.

5.9
2019-07-20 CVE-2019-9229 Audiocodes Use of Hard-coded Credentials vulnerability in Audiocodes products

An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251.

5.8
2019-07-18 CVE-2019-7955 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager version 6.4 and earlier have a Reflected Cross-site Scripting vulnerability.

5.8
2019-07-17 CVE-2019-1943 Cisco Open Redirect vulnerability in Cisco products

A vulnerability in the web interface of Cisco Small Business 200, 300, and 500 Series Switches software could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.

5.8
2019-07-16 CVE-2019-1010290 Cmsmadesimple Open Redirect vulnerability in Cmsmadesimple Babel: Multilingual Site

Babel: Multilingual site, all versions, is affected by: Open Redirection.

5.8
2019-07-15 CVE-2019-1075 Microsoft Open Redirect vulnerability in Microsoft Asp.Net Core 2.1/2.2

A spoofing vulnerability exists in ASP.NET Core that could lead to an open redirect, aka 'ASP.NET Core Spoofing Vulnerability'.

5.8
2019-07-19 CVE-2019-12820 Jisiwei Cleartext Transmission of Sensitive Information vulnerability in Jisiwei I3 Firmware 2.0

A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner.

5.6
2019-07-19 CVE-2019-13648 Linux Resource Management Errors vulnerability in Linux Kernel

In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame.

5.5
2019-07-18 CVE-2019-13960 Libjpeg Turbo Allocation of Resources Without Limits or Throttling vulnerability in Libjpeg-Turbo 2.0.2

In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header.

5.5
2019-07-18 CVE-2019-1010252 Linuxfoundation Improper Input Validation vulnerability in Linuxfoundation Open Network Operating System

The Linux Foundation ONOS 2.0.0 and earlier is affected by: Poor Input-validation.

5.5
2019-07-18 CVE-2019-1010250 Linuxfoundation Improper Input Validation vulnerability in Linuxfoundation Open Network Operating System

The Linux Foundation ONOS 2.0.0 and earlier is affected by: Poor Input-validation.

5.5
2019-07-18 CVE-2019-1010249 Linuxfoundation Integer Overflow or Wraparound vulnerability in Linuxfoundation Open Network Operating System

The Linux Foundation ONOS 2.0.0 and earlier is affected by: Integer Overflow.

5.5
2019-07-18 CVE-2019-1010069 Moinejf
Debian
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

moinejf abcm2ps 8.13.20 is affected by: Incorrect Access Control.

5.5
2019-07-15 CVE-2019-0966 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

5.5
2019-07-15 CVE-2019-1010302 Jhead Project
Fedoraproject
Debian
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

jhead 3.03 is affected by: Incorrect Access Control.

5.5
2019-07-15 CVE-2019-1010301 Jhead Project
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

jhead 3.03 is affected by: Buffer Overflow.

5.5
2019-07-15 CVE-2019-1010305 Kyzer
Fedoraproject
Debian
Canonical
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

libmspack 0.9.1alpha is affected by: Buffer Overflow.

5.5
2019-07-18 CVE-2019-13647 Firefly III Cross-site Scripting vulnerability in Firefly-Iii Firefly III

Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content.

5.4
2019-07-18 CVE-2019-13646 Firefly III Cross-site Scripting vulnerability in Firefly-Iii Firefly III

Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query.

5.4
2019-07-18 CVE-2019-13645 Firefly III Cross-site Scripting vulnerability in Firefly-Iii Firefly III

Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names.

5.4
2019-07-18 CVE-2019-13644 Firefly III Cross-site Scripting vulnerability in Firefly-Iii Firefly III

Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name.

5.4
2019-07-17 CVE-2019-4211 IBM Cross-site Scripting vulnerability in IBM Qradar Security Information and Event Manager

IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scripting.

5.4
2019-07-17 CVE-2018-1921 IBM Cross-site Scripting vulnerability in IBM Campaign

IBM Campaign 9.1.0, 9.1.2, 10.1, and 11.0 is vulnerable to cross-site scripting.

5.4
2019-07-17 CVE-2018-2022 IBM Information Exposure vulnerability in IBM Qradar Security Information and Event Manager

IBM QRadar SIEM 7.2 and 7.3 discloses sensitive information to unauthorized users.

5.3
2019-07-16 CVE-2019-3571 Whatsapp Improper Input Validation vulnerability in Whatsapp

An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.

5.3
2019-07-16 CVE-2019-13383 Control Webpanel Information Exposure Through Discrepancy vulnerability in Control-Webpanel Webpanel 0.9.8.836

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, the Login process allows attackers to check whether a username is valid by reading the HTTP response.

5.3
2019-07-15 CVE-2019-5447 Http File Server Project Path Traversal vulnerability in Http-File-Server Project Http-File-Server

A path traversal vulnerability in <= v0.2.6 of http-file-server npm module allows attackers to list files in arbitrary folders.

5.3
2019-07-15 CVE-2019-1010025 GNU Use of Insufficiently Random Values vulnerability in GNU Glibc

GNU Libc current is affected by: Mitigation bypass.

5.3
2019-07-15 CVE-2019-1010024 GNU Information Exposure vulnerability in GNU Glibc

GNU Libc current is affected by: Mitigation bypass.

5.3
2019-07-18 CVE-2016-10762 Automattic Command Injection vulnerability in Automattic Camptix Event Ticketing

The CampTix Event Ticketing plugin before 1.5 for WordPress allows CSV injection when the export tool is used.

5.1
2019-07-15 CVE-2019-1136 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2010/2013

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'.

5.1
2019-07-21 CVE-2019-14215 Foxitsoftware
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Foxitsoftware Phantompdf

An issue was discovered in Foxit PhantomPDF before 8.3.11.

5.0
2019-07-21 CVE-2019-14214 Foxitsoftware
Microsoft
Unspecified vulnerability in Foxitsoftware Phantompdf

An issue was discovered in Foxit PhantomPDF before 8.3.10.

5.0
2019-07-21 CVE-2019-14212 Foxitsoftware
Microsoft
NULL Pointer Dereference vulnerability in Foxitsoftware Phantompdf

An issue was discovered in Foxit PhantomPDF before 8.3.11.

5.0
2019-07-21 CVE-2019-14210 Foxitsoftware
Microsoft
Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf

An issue was discovered in Foxit PhantomPDF before 8.3.10.

5.0
2019-07-21 CVE-2019-14208 Foxitsoftware
Microsoft
NULL Pointer Dereference vulnerability in Foxitsoftware Phantompdf

An issue was discovered in Foxit PhantomPDF before 8.3.10.

5.0
2019-07-21 CVE-2019-14207 Foxitsoftware
Microsoft
Infinite Loop vulnerability in Foxitsoftware Phantompdf

An issue was discovered in Foxit PhantomPDF before 8.3.11.

5.0
2019-07-21 CVE-2019-14205 Nevma Path Traversal vulnerability in Nevma Adaptive Images

A Local File Inclusion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to retrieve arbitrary files via the $REQUEST['adaptive-images-settings']['source_file'] parameter in adaptive-images-script.php.

5.0
2019-07-19 CVE-2019-1010239 Cjson Project
Oracle
NULL Pointer Dereference vulnerability in multiple products

DaveGamble/cJSON cJSON 1.7.8 is affected by: Improper Check for Unusual or Exceptional Conditions.

5.0
2019-07-19 CVE-2019-13983 Rangerstudio Missing Authentication for Critical Function vulnerability in Rangerstudio Directus 7 API

Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php.

5.0
2019-07-19 CVE-2019-13982 Rangerstudio Information Exposure vulnerability in Rangerstudio Directus 7

interfaces/markdown/input.vue in Directus 7 Application before 7.7.0 does not sanitize Markdown text before rendering a preview.

5.0
2019-07-19 CVE-2019-13981 Rangerstudio Forced Browsing vulnerability in Rangerstudio Directus 7 API

In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory.

5.0
2019-07-19 CVE-2019-12946 Elcom SQL Injection vulnerability in Elcom CMS 10.7

Elcom CMS before 10.7 has SQL Injection via EventSearchByState.aspx and EventSearchAdv.aspx.

5.0
2019-07-18 CVE-2019-7941 Adobe Information Exposure vulnerability in Adobe Campaign 18.10.5.8984

Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Information Exposure Through an Error Message vulnerability.

5.0
2019-07-18 CVE-2019-7848 Adobe
Linux
Microsoft
Unspecified vulnerability in Adobe Campaign 18.10.5.8984

Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Inadequate access control vulnerability.

5.0
2019-07-18 CVE-2019-7847 Adobe
Linux
Microsoft
XXE vulnerability in Adobe Campaign 18.10.5.8984

Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability.

5.0
2019-07-18 CVE-2019-7846 Adobe 7PK - Errors vulnerability in Adobe Campaign 18.10.5.8984

Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper error handling vulnerability.

5.0
2019-07-18 CVE-2019-7843 Adobe
Linux
Microsoft
Improper Input Validation vulnerability in Adobe Campaign 18.10.5.8984

Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Insufficient input validation vulnerability.

5.0
2019-07-18 CVE-2019-1010279 Oisf Improper Verification of Cryptographic Signature vulnerability in Oisf Suricata

Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass.

5.0
2019-07-18 CVE-2019-1010246 Mailcleaner Missing Authorization vulnerability in Mailcleaner

MailCleaner before c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 is affected by: Unauthenticated MySQL database password information disclosure.

5.0
2019-07-18 CVE-2019-1010251 Oisf Improper Input Validation vulnerability in Oisf Suricata

Open Information Security Foundation Suricata prior to version 4.1.2 is affected by: Denial of Service - DNS detection bypass.

5.0
2019-07-18 CVE-2019-13915 B3Log Injection vulnerability in B3Log Wide

b3log Wide before 1.6.0 allows three types of attacks to access arbitrary files.

5.0
2019-07-18 CVE-2019-1010066 Llnl Improper Privilege Management vulnerability in Llnl Model Specific Registers-Safe 1.1.0

Lawrence Livermore National Laboratory msr-safe v1.1.0 is affected by: Incorrect Access Control.

5.0
2019-07-17 CVE-2019-8932 Rdbrck Insufficiently Protected Credentials vulnerability in Rdbrck Shift

Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application.

5.0
2019-07-17 CVE-2019-8931 Rdbrck Information Exposure vulnerability in Rdbrck Shift

Redbrick Shift through 3.4.3 allows an attacker to extract emails of services (such as Gmail, Outlook, etc.) used in the application.

5.0
2019-07-17 CVE-2019-12914 Rdbrck Insecure Storage of Sensitive Information vulnerability in Rdbrck Shift

Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application.

5.0
2019-07-17 CVE-2019-12911 Rdbrck Insecure Storage of Sensitive Information vulnerability in Rdbrck Shift

Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application.

5.0
2019-07-17 CVE-2019-13584 Fanucamerica Path Traversal vulnerability in Fanucamerica Robotics Virtual Robot Controller 8.23

The remote admin webserver on FANUC Robotics Virtual Robot Controller 8.23 allows Directory Traversal via a forged HTTP request.

5.0
2019-07-17 CVE-2019-13403 Temenos Unspecified vulnerability in Temenos CWX 8.9

Temenos CWX version 8.9 has a Broken Access Control vulnerability in the module /CWX/Employee/EmployeeEdit2.aspx, leading to the viewing of user information.

5.0
2019-07-17 CVE-2019-12175 Zeek NULL Pointer Dereference vulnerability in Zeek

In Zeek Network Security Monitor (formerly known as Bro) before 2.6.2, a NULL pointer dereference in the Kerberos (aka KRB) protocol parser leads to DoS because a case-type index is mishandled.

5.0
2019-07-17 CVE-2019-1010083 Palletsprojects Unspecified vulnerability in Palletsprojects Flask

The Pallets Project Flask before 1.0 is affected by: unexpected memory usage.

5.0
2019-07-16 CVE-2019-6160 Lenovo Unspecified vulnerability in Lenovo products

A vulnerability in various versions of Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.

5.0
2019-07-16 CVE-2019-13618 Gpac Out-of-bounds Read vulnerability in Gpac

In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-based buffer over-read, as demonstrated by a crash in gf_m2ts_sync in media_tools/mpegts.c.

5.0
2019-07-16 CVE-2018-19629 Hyland Improper Input Validation vulnerability in Hyland Perceptive Content Server 7.1.4

A Denial of Service vulnerability in the ImageNow Server service in Hyland Perceptive Content Server before 7.1.5 allows an attacker to crash the service via a TCP connection.

5.0
2019-07-16 CVE-2019-13612 Altn Improper Input Validation vulnerability in Altn Mdaemon Email Server 19

MDaemon Email Server 19 through 20.0.1 skips SpamAssassin checks by default for e-mail messages larger than 2 MB (and limits checks to 10 MB even with special configuration), which is arguably inconsistent with currently popular message sizes.

5.0
2019-07-15 CVE-2019-1126 Microsoft Improper Restriction of Excessive Authentication Attempts vulnerability in Microsoft products

A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy. To exploit this vulnerability, an attacker could run a specially crafted application, which would allow an attacker to launch a password brute-force attack or cause account lockouts in Active Directory. This security update corrects how ADFS handles external authentication requests, aka 'ADFS Security Feature Bypass Vulnerability'.

5.0
2019-07-15 CVE-2019-1083 Microsoft Data Processing Errors vulnerability in Microsoft .Net Framework

A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests, aka '.NET Denial of Service Vulnerability'.

5.0
2019-07-15 CVE-2019-1006 Microsoft Improper Certificate Validation vulnerability in Microsoft products

An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.

5.0
2019-07-15 CVE-2019-0865 Microsoft Unspecified vulnerability in Microsoft products

A denial of service vulnerability exists when SymCrypt improperly handles a specially crafted digital signature. An attacker could exploit the vulnerability by creating a specially crafted connection or message. The security update addresses the vulnerability by correcting the way SymCrypt handles digital signatures, aka 'SymCrypt Denial of Service Vulnerability'.

5.0
2019-07-15 CVE-2019-0811 Microsoft Data Processing Errors vulnerability in Microsoft products

A denial of service vulnerability exists in Windows DNS Server when it fails to properly handle DNS queries, aka 'Windows DNS Server Denial of Service Vulnerability'.

5.0
2019-07-15 CVE-2019-1010308 Aquaverde Insufficiently Protected Credentials vulnerability in Aquaverde Aquarius CMS

Aquaverde GmbH Aquarius CMS prior to version 4.1.1 is affected by: Incorrect Access Control.

5.0
2019-07-15 CVE-2019-1010300 MZ Automation Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mz-Automation Libiec61850 1.3.0/1.3.1/1.3.2

mz-automation libiec61850 1.3.0, 1.3.1 and 1.3.2 is affected by: Buffer Overflow.

5.0
2019-07-15 CVE-2019-1010299 Rust Lang Information Exposure vulnerability in Rust-Lang Rust

The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure.

5.0
2019-07-15 CVE-2019-1010294 Linaro Numeric Errors vulnerability in Linaro Op-Tee

Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Rounding error.

5.0
2019-07-15 CVE-2019-1010304 Mirumee Missing Authorization vulnerability in Mirumee Saleor

Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c.

5.0
2019-07-15 CVE-2019-1010017 Libnmap XML Injection (aka Blind XPath Injection) vulnerability in Libnmap

libnmap < v0.6.3 is affected by: XML Injection.

5.0
2019-07-17 CVE-2019-3973 Comodo Out-of-bounds Write vulnerability in Comodo Antivirus 11.0.0.6582

Comodo Antivirus versions 11.0.0.6582 and below are vulnerable to Denial of Service affecting CmdGuard.sys via its filter port "cmdServicePort".

4.9
2019-07-19 CVE-2019-12821 Jisiwei Use of Insufficiently Random Values vulnerability in Jisiwei I3 Firmware 2.0

A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner, while adding a device to the account using a QR-code.

4.8
2019-07-19 CVE-2019-7590 Johnsoncontrols Unquoted Search Path or Element vulnerability in Johnsoncontrols Exacqvision Server 9.6/9.8

ExacqVision Server’s services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path.

4.6
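The ExacqVision entry above is the classic unquoted service path weakness: when a service's ImagePath is unquoted and contains spaces, the Windows loader tries each space-delimited prefix as a program name (with .exe appended) before reaching the intended binary, so an attacker who can write to one of those locations gets code run as the service account. The following check is an added example written for this report, not the advisory's or the vendor's code. The service names echo the advisory, but the ImagePath values are constructed for illustration and are not ExacqVision's real install paths.

```python
import re
from typing import Dict, List

# Constructed sample ImagePath values in the shape stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. The service names
# echo the advisory; the paths are illustrative, not ExacqVision's real ones.
SAMPLE_SERVICES: Dict[str, str] = {
    "exacqVisionServer": r"C:\Program Files\exacqVision\Server\core.exe",
    "dvrdhcpserver": r"C:\Program Files\exacqVision\Server\dhcp\dhcpd.exe -f",
    "mdnsresponder": r'"C:\Program Files\exacqVision\Server\mDNSResponder.exe"',
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "VendorSvc": r"C:\Vendor\svc.exe --service",
}

# ".exe" followed by whitespace or end of string marks where the program name
# ends and any service arguments begin.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def unquoted_path_candidates(image_path: str) -> List[str]:
    """Return the executables Windows would try *before* the intended one.

    For an unquoted ImagePath containing spaces, the loader treats the text up
    to each space as a possible program name (appending .exe) and runs the
    first one that exists. Each returned path is a file an attacker could
    plant, provided they can write to that directory.
    """
    p = image_path.strip()
    if p.startswith('"'):
        return []  # quoted: the loader uses the quoted span as the program name
    m = _EXE_END.search(p)
    exe_path = p[: m.end()] if m else p  # drop arguments after the executable
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service with a hijackable ImagePath to its candidate paths."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        candidates = unquoted_path_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, hijack candidates: {candidates}")
```

On a live host, feed `audit` the real ImagePath values (read with Python's standard `winreg` module, or listed with `Get-CimInstance Win32_Service | Select-Object Name, PathName` in PowerShell). A flagged service is only exploitable if a candidate directory is writable by the attacker; `C:\Program.exe` needs write access to the root of the system drive, which a standard user normally lacks, so check the directory ACLs (for example with `icacls`) before rating the finding.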
2019-07-19 CVE-2019-5680 Nvidia Improper Input Validation vulnerability in Nvidia Jetson TX1 Firmware

In NVIDIA Jetson TX1 L4T R32 version branch prior to R32.2, Tegra bootloader contains a vulnerability in nvtboot in which the nvtboot-cpu image is loaded without the load address first being validated, which may lead to code execution, denial of service, or escalation of privileges.

4.6
2019-07-17 CVE-2019-1923 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device.

4.6
2019-07-15 CVE-2019-1088 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege exists in Windows Audio Service, aka 'Windows Audio Service Elevation of Privilege Vulnerability'.

4.6
2019-07-15 CVE-2019-1087 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege exists in Windows Audio Service, aka 'Windows Audio Service Elevation of Privilege Vulnerability'.

4.6
2019-07-15 CVE-2019-1086 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege exists in Windows Audio Service, aka 'Windows Audio Service Elevation of Privilege Vulnerability'.

4.6
2019-07-15 CVE-2019-1085 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory, aka 'Windows WLAN Service Elevation of Privilege Vulnerability'.

4.6
2019-07-15 CVE-2019-0880 Microsoft Unspecified vulnerability in Microsoft products

A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls, aka 'Microsoft splwow64 Elevation of Privilege Vulnerability'.

4.6
2019-07-19 CVE-2019-11552 Code42 Code Injection vulnerability in Code42 products

Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allows eval injection.

4.4
2019-07-19 CVE-2019-12453 Microstrategy Cross-site Scripting vulnerability in Microstrategy web 10.1/7

In MicroStrategy Web before 10.1 patch 10, stored XSS is possible in the FLTB parameter due to missing input validation.

4.3
2019-07-19 CVE-2019-1010113 Premiumsoftware Cross-site Scripting vulnerability in Premiumsoftware Cleditor

Premium Software CLEditor 1.4.5 and earlier is affected by: Cross Site Scripting (XSS).

4.3
2019-07-19 CVE-2019-13972 Layerbb Cross-site Scripting vulnerability in Layerbb 1.1.3

LayerBB 1.1.3 allows XSS via the application/commands/new.php pm_title variable, a related issue to CVE-2019-17997.

4.3
2019-07-19 CVE-2019-13971 Otcms Cross-site Scripting vulnerability in Otcms 3.81

OTCMS 3.81 allows XSS via the mode parameter in an apiRun.php?mudi=autoRun request.

4.3
2019-07-19 CVE-2019-13970 Antsword Project Cross-site Scripting vulnerability in Antsword Project Antsword

In antSword before 2.1.0, self-XSS in the database configuration leads to code execution via modules/database/asp/index.js, modules/database/custom/index.js, modules/database/index.js, or modules/database/php/index.js.

4.3
2019-07-18 CVE-2019-7963 Adobe, Apple, Microsoft Out-of-bounds Read vulnerability in Adobe Bridge CC 6.1/9.0.2

Adobe Bridge CC version 9.0.2 and earlier versions have an out of bound read vulnerability.

4.3
2019-07-18 CVE-2019-7954 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager version 6.4 and earlier have a Stored Cross-site Scripting vulnerability.

4.3
2019-07-18 CVE-2019-7953 Adobe Cross-Site Request Forgery (CSRF) vulnerability in Adobe Experience Manager

Adobe Experience Manager version 6.4 and earlier have a Cross-Site Request Forgery vulnerability.

4.3
2019-07-18 CVE-2019-8286 Kaspersky Information Exposure vulnerability in Kaspersky products

Information Disclosure in Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security versions up to 2019 could potentially disclose unique Product ID by forcing victim to visit a specially crafted webpage (for example, via clicking phishing link).

4.3
2019-07-18 CVE-2019-13959 Axiosys NULL Pointer Dereference vulnerability in Axiosys Bento4 1.5.1627

In Bento4 1.5.1-627, AP4_DataBuffer::SetDataSize does not handle reallocation failures, leading to a memory copy into a NULL pointer.

4.3
2019-07-18 CVE-2019-1010261 Gitea Cross-site Scripting vulnerability in Gitea

Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS).

4.3
2019-07-18 CVE-2019-3794 Pivotal Software Improper Restriction of Rendered UI Layers or Frames vulnerability in Pivotal Software Cloud Foundry UAA

Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints.

4.3
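The UAA entry above is a missing anti-framing header, which leaves the affected pages open to clickjacking. The check below is an added example for this report, not Cloud Foundry's or UAA's own code. It evaluates a response's headers the way a current browser would: a Content-Security-Policy frame-ancestors directive takes precedence, and X-Frame-Options is the fallback. The two header sets are constructed to illustrate a page before and after the fix; they were not captured from a real UAA build.

```python
from typing import Dict, Tuple

# Constructed response header sets standing in for a UAA endpoint before and
# after the fix. Illustrative only, not captured from a real UAA build.
BEFORE_FIX: Dict[str, str] = {
    "Content-Type": "text/html;charset=UTF-8",
    "Cache-Control": "no-store",
}
AFTER_FIX: Dict[str, str] = {
    "Content-Type": "text/html;charset=UTF-8",
    "Cache-Control": "no-store",
    "X-Frame-Options": "DENY",
}


def frame_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for a response's anti-framing headers.

    Browsers that understand CSP apply frame-ancestors and ignore
    X-Frame-Options when both are present, so CSP is evaluated first.
    Header names are compared case-insensitively.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if not sources or sources == ["'none'"]:
            # an empty source list matches nothing, same as 'none'
            return True, "CSP frame-ancestors forbids all framing"
        if any(s == "*" or s in ("http:", "https:") for s in sources):
            return False, f"CSP frame-ancestors allows any origin: {value}"
        return True, f"CSP frame-ancestors restricts framing to: {value}"

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return False, f"unrecognised X-Frame-Options value: {xfo}"
    return False, "no frame-ancestors directive and no X-Frame-Options header"


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        ok, why = frame_protection(hdrs)
        print(f"{label}: {'protected' if ok else 'FRAMEABLE'} ({why})")
```

When scanning a real deployment, run `frame_protection` over every endpoint that renders a page a user can act on (login, consent and account pages for an identity provider like UAA), not just the front page; the advisory's "various endpoints" wording is the usual pattern of a header set by one filter and missed by another.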
2019-07-18 CVE-2019-9230 Audiocodes Cross-site Scripting vulnerability in Audiocodes products

An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.253.

4.3
2019-07-18 CVE-2019-13607 Opera Cross-site Scripting vulnerability in Opera Mini 16.0.14

The Opera Mini application through 16.0.14 for iOS has a UXSS vulnerability that can be triggered by performing navigation to a javascript: URL.

4.3
2019-07-18 CVE-2019-13643 Espocrm Cross-site Scripting vulnerability in Espocrm

Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages.

4.3
2019-07-17 CVE-2019-5222 Huawei Incorrect Permission Assignment for Critical Resource vulnerability in Huawei Honor Magic 2 Firmware Tonyal00B/Tonytl00B9.0.0.182(C00E180R2P2)

There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1).

4.3
2019-07-17 CVE-2019-1941 Cisco Cross-site Scripting vulnerability in Cisco Identity Services Engine

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

4.3
2019-07-17 CVE-2019-1940 Cisco Improper Certificate Validation vulnerability in Cisco Industrial Network Director

A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid X.509 certificate.

4.3
2019-07-17 CVE-2019-1010287 Timesheet Next GEN Project Cross-site Scripting vulnerability in Timesheet Next GEN Project Timesheet Next GEN

Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS).

4.3
2019-07-17 CVE-2019-13448 Sertek Cross-site Scripting vulnerability in Sertek Xpare 3.67

An issue was discovered in Sertek Xpare 3.67.

4.3
2019-07-17 CVE-2019-13346 MYT Project Cross-site Scripting vulnerability in MYT Project MYT 1.5.1

In MyT 1.5.1, the User[username] parameter has XSS.

4.3
2019-07-17 CVE-2019-12475 Microstrategy Cross-site Scripting vulnerability in Microstrategy web 10.1/10.4/7

In MicroStrategy Web before 10.4.6, there is stored XSS in metric due to insufficient input validation.

4.3
2019-07-17 CVE-2019-1010091 Tiny Cross-site Scripting vulnerability in Tiny Tinymce

tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation.

4.3
2019-07-17 CVE-2019-10354 Jenkins, Redhat Missing Authorization vulnerability in multiple products

A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.

4.3
2019-07-17 CVE-2019-13453 Zipios Project Infinite Loop vulnerability in Zipios Project Zipios 0.1.5/0.1.6

Zipios before 0.1.7 does not properly handle certain malformed zip archives and can go into an infinite loop, causing a denial of service.

4.3
2019-07-17 CVE-2019-4194 IBM Unspecified vulnerability in IBM Jazz for Service Management 1.1.3.0/1.1.3.1/1.1.3.2

IBM Jazz for Service Management 1.1.3, 1.1.3.1, and 1.1.3.2 is missing function level access control that could allow a user to delete authorized resources.

4.3
2019-07-17 CVE-2019-9849 Libreoffice, Canonical, Fedoraproject, Debian, Opensuse

LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources.

4.3
2019-07-16 CVE-2019-12834 Ht2Labs Cross-site Scripting vulnerability in Ht2Labs Learning Locker 3.15.1

In HT2 Labs Learning Locker 3.15.1, it's possible to inject malicious HTML and JavaScript code into the DOM of the website via the PATH_INFO to the dashboards/ URI.

4.3
2019-07-16 CVE-2019-13617 F5 Out-of-bounds Read vulnerability in F5 NJS

njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in nxt_vsprintf in nxt/nxt_sprintf.c during error handling, as demonstrated by an njs_regexp_literal call that leads to an njs_parser_lexer_error call and then an njs_parser_scope_error call.

4.3
2019-07-16 CVE-2019-13615 Videolan Out-of-bounds Read vulnerability in Videolan VLC Media Player

libebml before 1.3.6, as used in the MKV module in VideoLAN VLC Media Player binaries before 3.0.3, has a heap-based buffer over-read in EbmlElement::FindNextElement.

4.3
2019-07-16 CVE-2019-13603 Hidglobal Unspecified vulnerability in Hidglobal Digital Persona U.Are.U 4500 Driver Firmware 5.0.0.5

An issue was discovered in the HID Global DigitalPersona (formerly Crossmatch) U.are.U 4500 Fingerprint Reader Windows Biometric Framework driver 5.0.0.5.

4.3
2019-07-16 CVE-2019-1010018 Zammad Cross-site Scripting vulnerability in Zammad

Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting (XSS) - CWE-80.

4.3
2019-07-15 CVE-2019-1116 Microsoft Information Exposure vulnerability in Microsoft Windows 7 and Windows Server 2008

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-07-15 CVE-2019-1112 Microsoft Information Exposure vulnerability in Microsoft Office and Office 365 Proplus

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka 'Microsoft Excel Information Disclosure Vulnerability'.

4.3
2019-07-15 CVE-2019-1101 Microsoft Information Exposure vulnerability in Microsoft Windows 7 and Windows Server 2008

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-07-15 CVE-2019-1100 Microsoft Information Exposure vulnerability in Microsoft Windows 7 and Windows Server 2008

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-07-15 CVE-2019-1099 Microsoft Information Exposure vulnerability in Microsoft Windows 7 and Windows Server 2008

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-07-15 CVE-2019-1098 Microsoft Information Exposure vulnerability in Microsoft Windows 7 and Windows Server 2008

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-07-15 CVE-2019-1095 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-07-15 CVE-2019-1094 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-07-15 CVE-2019-1079 Microsoft Improper Input Validation vulnerability in Microsoft Visual Studio

An information disclosure vulnerability exists when Visual Studio improperly parses XML input in certain settings files, aka 'Visual Studio Information Disclosure Vulnerability'.

4.3
2019-07-15 CVE-2019-13604 Assaabloy Use of a Broken or Risky Cryptographic Algorithm vulnerability in Assaabloy HID Digitalpersona 4500 Firmware 24

There is a short key vulnerability in HID Global DigitalPersona (formerly Crossmatch) U.are.U 4500 Fingerprint Reader v24.

4.3
2019-07-15 CVE-2019-1010028 School College Portal With ERP Script Project Cross-site Scripting vulnerability in School College Portal With ERP Script Project School College Portal With ERP Script 2.6.1

phpscriptsmall.com School College Portal with ERP Script 2.6.1 and earlier is affected by: Cross Site Scripting (XSS).

4.3
2019-07-15 CVE-2019-1010005 Hexoeditor Project Cross-site Scripting vulnerability in Hexoeditor Project Hexoeditor 1.1.8

HexoEditor v1.1.8-beta is affected by: XSS to code execution.

4.3
2019-07-15 CVE-2019-1010004 Sound Exchange Project Out-of-bounds Read vulnerability in Sound Exchange Project Sound Exchange

SoX - Sound eXchange 14.4.2 and earlier is affected by: Out-of-bounds Read.

4.3
2019-07-19 CVE-2019-1010241 Jenkins Credentials Management vulnerability in Jenkins Credentials Binding 1.17

Jenkins Credentials Binding Plugin 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format.

4.0
2019-07-18 CVE-2019-3734 Dell Unspecified vulnerability in Dell products

Dell EMC Unity and UnityVSA versions prior to 5.0.0.0.5.116 contain an improper authorization vulnerability in NAS Server quotas configuration.

4.0
2019-07-17 CVE-2019-1942 Cisco SQL Injection vulnerability in Cisco Identity Services Engine

A vulnerability in the sponsor portal web interface for Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries.

4.0
2019-07-17 CVE-2019-1010266 Lodash Resource Exhaustion vulnerability in Lodash

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption.

4.0
2019-07-17 CVE-2019-1010084 Dancer Incorrect Authorization vulnerability in Dancer::Plugin::Simplecrud Project Dancer::Plugin::Simplecrud

Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: Incorrect Access Control.

4.0
2019-07-15 CVE-2019-1108 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory, aka 'Remote Desktop Protocol Client Information Disclosure Vulnerability'.

4.0
2019-07-15 CVE-2019-1084 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters.

4.0
2019-07-15 CVE-2019-0962 Microsoft Unspecified vulnerability in Microsoft Azure Automation

An elevation of privilege vulnerability exists in Azure Automation "RunAs account" runbooks for users with contributor role, aka 'Azure Automation Elevation of Privilege Vulnerability'.

4.0
2019-07-15 CVE-2019-1010034 Deepsoft SQL Injection vulnerability in Deepsoft Weblibrarian

Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection.

4.0

29 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-07-18 CVE-2019-11230 Avast Link Following vulnerability in Avast Antivirus

In Avast Antivirus before 19.4, a local administrator can trick the product into renaming arbitrary files by replacing the Logs\Update.log file with a symlink.

3.6
2019-07-19 CVE-2019-13977 Ovidentia Cross-site Scripting vulnerability in Ovidentia 8.4.3

index.php in Ovidentia 8.4.3 has XSS via tg=groups, tg=maildoms&idx=create&userid=0&bgrp=y, tg=delegat, tg=site&idx=create, tg=site&item=4, tg=admdir&idx=mdb&id=1, tg=notes&idx=Create, tg=admfaqs&idx=Add, or tg=admoc&idx=addoc&item=.

3.5
2019-07-18 CVE-2019-13950 Syguestbook A5 Project Cross-site Scripting vulnerability in Syguestbook A5 Project Syguestbook A5 1.2

index.php?c=admin&a=index in SyGuestBook A5 Version 1.2 has stored XSS via a reply to a comment.

3.5
2019-07-18 CVE-2019-13948 Syguestbook A5 Project Cross-site Scripting vulnerability in Syguestbook A5 Project Syguestbook A5 1.2

SyGuestBook A5 Version 1.2 allows stored XSS because the isValidData function in include/functions.php does not properly block XSS payloads, as demonstrated by a crafted use of the onerror attribute of an IMG element.

3.5
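The SyGuestBook entry above, and the many other stored-XSS rows in this report, share one root cause: a validator that tries to block known-bad markup instead of encoding untrusted input on output. The code below is an added example written for this report; the `blocklist_filter` function is a constructed stand-in for that class of mistake and is not SyGuestBook's isValidData. It shows the IMG onerror vector the advisory names getting past a script-tag block list, and the same payload neutralised by HTML encoding.

```python
import html
import re

# Constructed stand-in for a block-list validator of the kind the advisory
# describes: it removes <script> tags and javascript: URLs and stores the rest
# verbatim. It is not SyGuestBook's isValidData, only the same class of mistake.
_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)
_JS_URL = re.compile(r"javascript\s*:", re.IGNORECASE)


def blocklist_filter(comment: str) -> str:
    """Flawed approach: strip known-bad tokens, keep everything else."""
    comment = _SCRIPT_TAG.sub("", comment)
    return _JS_URL.sub("", comment)


def escape_for_html(comment: str) -> str:
    """Correct approach for a plain-text field: encode, do not filter."""
    return html.escape(comment, quote=True)


# Oracle used below: a tag carrying an on* event handler that survives into the
# stored value will execute when the page renders it as markup.
_EVENT_HANDLER_TAG = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def executes_on_render(stored: str) -> bool:
    return bool(_EVENT_HANDLER_TAG.search(stored))


# Constructed payloads: the first is what the block list was written for, the
# second is the IMG onerror vector the advisory names, the third a variant.
PAYLOADS = [
    "<script>alert(1)</script>",
    '<img src=x onerror="alert(document.cookie)">',
    "<svg onload=alert(1)>",
]


def compare(payloads=PAYLOADS):
    """Return {payload: (executes after block list, executes after escaping)}."""
    return {
        p: (executes_on_render(blocklist_filter(p)),
            executes_on_render(escape_for_html(p)))
        for p in payloads
    }


if __name__ == "__main__":
    for p, (bl, esc) in compare().items():
        print(f"{p!r}: block list {'BYPASSED' if bl else 'blocked'}, "
              f"escaping {'BYPASSED' if esc else 'blocked'}")
```

If a field genuinely has to accept HTML, replace the block list with an allow-list sanitizer (bleach in Python, DOMPurify in JavaScript) and still encode on output for the context the value lands in; a regex that enumerates bad tags will always be one attribute behind.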
2019-07-18 CVE-2016-10763 Automattic Cross-site Scripting vulnerability in Automattic Camptix Event Ticketing

The CampTix Event Ticketing plugin before 1.5 for WordPress allows XSS in the admin section via a ticket title or body.

3.5
2019-07-17 CVE-2019-13493 Sitecore Cross-site Scripting vulnerability in Sitecore Experience Platform 9.0

In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager.

3.5
2019-07-15 CVE-2019-1137 Microsoft Cross-site Scripting vulnerability in Microsoft Exchange Server 2013/2016/2019

A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server, aka 'Microsoft Exchange Server Spoofing Vulnerability'.

3.5
2019-07-15 CVE-2019-1134 Microsoft Cross-site Scripting vulnerability in Microsoft Sharepoint Enterprise Server and Sharepoint Server

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'.

3.5
2019-07-15 CVE-2019-1076 Microsoft Cross-site Scripting vulnerability in Microsoft Azure Devops Server and Team Foundation Server

A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka 'Team Foundation Server Cross-site Scripting Vulnerability'.

3.5
2019-07-15 CVE-2019-1010307 Glpi Project Cross-site Scripting vulnerability in Glpi-Project Glpi 9.3.1

GLPI 9.3.1 is affected by: Cross Site Scripting (XSS).

3.5
2019-07-15 CVE-2019-1010008 Openenergymonitor Cross-site Scripting vulnerability in Openenergymonitor Emoncms 9.8.8

OpenEnergyMonitor Project Emoncms 9.8.8 is affected by: Cross Site Scripting (XSS).

3.5
2019-07-19 CVE-2019-13991 Arduino Unspecified vulnerability in Arduino Firmware

Embedded systems based on Arduino before Rev3 allow remote attackers to send data to LEDs (directly connected to GPIO pins) via a laser, because of LED photosensitivity.

3.3
2019-07-17 CVE-2019-4054 IBM Unspecified vulnerability in IBM Qradar Security Information and Event Manager

IBM QRadar SIEM 7.2 and 7.3 could allow a local user to obtain sensitive information when exporting content that could aid an attacker in further attacks against the system.

3.3
2019-07-15 CVE-2014-10374 Fitbit Information Exposure vulnerability in Fitbit Charge 2 Firmware

On Fitbit activity-tracker devices, certain addresses never change.

3.3
2019-07-18 CVE-2019-3741 Dell Protection Mechanism Failure vulnerability in Dell products

Dell EMC Unity and UnityVSA versions prior to 5.0.0.0.5.116 contain a plain-text password storage vulnerability.

2.1
2019-07-17 CVE-2019-3972 Comodo Out-of-bounds Read vulnerability in Comodo Antivirus 11.0.0.6582/12.0.0.6810

Comodo Antivirus versions 12.0.0.6810 and below are vulnerable to Denial of Service affecting CmdAgent.exe via an unprotected section object "<GUID>_CisSharedMemBuff".

2.1
2019-07-17 CVE-2019-3971 Comodo Unspecified vulnerability in Comodo Antivirus 11.0.0.6582/12.0.0.6810

Comodo Antivirus versions up to 12.0.0.6810 are vulnerable to a local Denial of Service affecting CmdVirth.exe via its LPC port "cmdvrtLPCServerPort".

2.1
2019-07-17 CVE-2019-3970 Comodo Improper Input Validation vulnerability in Comodo Antivirus

Comodo Antivirus versions up to 12.0.0.6810 are vulnerable to Arbitrary File Write due to Cavwp.exe handling of Comodo's Antivirus database.

2.1
2019-07-17 CVE-2019-12913 Rdbrck Unspecified vulnerability in Rdbrck Shift

Redbrick Shift through 3.4.3 allows an attacker to extract emails of services (such as Gmail, Outlook, etc.) used in the application.

2.1
2019-07-17 CVE-2019-12912 Rdbrck Untrusted Search Path vulnerability in Rdbrck Shift

Redbrick Shift through 3.4.3 allows an attacker to extract emails of services (such as Gmail, Outlook, etc.) used in the application.

2.1
2019-07-15 CVE-2019-1097 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory, aka 'DirectWrite Information Disclosure Vulnerability'.

2.1
2019-07-15 CVE-2019-1096 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'.

2.1
2019-07-15 CVE-2019-1093 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory, aka 'DirectWrite Information Disclosure Vulnerability'.

2.1
2019-07-15 CVE-2019-1091 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when Unistore.dll fails to properly handle objects in memory, aka 'Microsoft unistore.dll Information Disclosure Vulnerability'.

2.1
2019-07-15 CVE-2019-1074 Microsoft Link Following vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Microsoft Windows where certain folders, with local service privilege, are vulnerable to symbolic link attack.

2.1
2019-07-15 CVE-2019-1073 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'.

2.1
2019-07-15 CVE-2019-1071 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'.

2.1
2019-07-19 CVE-2019-1167 Microsoft Unspecified vulnerability in Microsoft Powershell Core 6.1/6.2

A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement, aka 'Windows Defender Application Control Security Feature Bypass Vulnerability'.

1.9
2019-07-16 CVE-2019-9700 Norton Information Exposure vulnerability in Norton Password Manager

Norton Password Manager, prior to 6.3.0.2082, may be susceptible to an address spoofing issue.

1.7