Weekly Vulnerabilities Reports > August 5 to 11, 2019
Overview
318 new vulnerabilities were reported during this period, including 39 critical vulnerabilities and 120 high severity vulnerabilities. This weekly summary reports vulnerabilities in 560 products from 140 vendors including Cpanel, Cisco, Jenkins, HP, and Microdigital. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Out-of-bounds Write", "Cross-Site Request Forgery (CSRF)", and "Information Exposure".
- 247 reported vulnerabilities are remotely exploitable.
- 10 reported vulnerabilities have a public exploit available.
- 115 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 170 reported vulnerabilities are exploitable by an anonymous user.
- Cpanel has the most reported vulnerabilities, with 66 reported vulnerabilities.
- Microdigital has the most reported critical vulnerabilities, with 6 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report:
39 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-06 | CVE-2019-5684 | Nvidia | Out-of-bounds Write vulnerability in Nvidia GPU Driver NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially crafted shader can cause an out of bounds access of an input texture array, which may lead to denial of service or code execution. | 10.0 |
2019-08-08 | CVE-2019-11208 | Tibco | Unspecified vulnerability in Tibco API Exchange Gateway The authorization component of TIBCO Software Inc.'s TIBCO API Exchange Gateway, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically processes OAuth authorization incorrectly, leading to potential escalation of privileges for the specific customer endpoint, when the implementation uses multiple scopes. | 9.9 |
2019-08-09 | CVE-2019-12261 | Windriver Sonicwall Siemens Netapp Oracle Belden | Classic Buffer Overflow vulnerability in multiple products Wind River VxWorks 6.7 through 6.9 and vx7 has a Buffer Overflow in the TCP component (issue 3 of 4). | 9.8 |
2019-08-09 | CVE-2019-12260 | Windriver Sonicwall Siemens Netapp Oracle Belden | Classic Buffer Overflow vulnerability in multiple products Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the TCP component (issue 2 of 4). | 9.8 |
2019-08-09 | CVE-2019-12255 | Windriver Netapp Sonicwall Siemens Belden | Classic Buffer Overflow vulnerability in multiple products Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). | 9.8 |
2019-08-09 | CVE-2019-11581 | Atlassian | Injection vulnerability in Atlassian Jira There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. | 9.8 |
2019-08-09 | CVE-2019-12256 | Windriver Netapp Sonicwall Siemens Belden | Classic Buffer Overflow vulnerability in multiple products Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the IPv4 component. | 9.8 |
2019-08-09 | CVE-2019-14801 | Foliovision | SQL Injection vulnerability in Foliovision FV Flowplayer Video Player The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection. | 9.8 |
2019-08-09 | CVE-2019-14234 | Djangoproject Fedoraproject Debian | SQL Injection vulnerability in multiple products An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. | 9.8 |
2019-08-08 | CVE-2018-20955 | Swann | Use of Hard-coded Credentials vulnerability in Swann Swwhd-Intcam-Hd Firmware Swann SWWHD-INTCAM-HD devices have the twipc root password, leading to FTP access as root. | 9.8 |
2019-08-08 | CVE-2019-14754 | Open School | SQL Injection vulnerability in Open-School 2.3/3.0 Open-School 3.0, and Community Edition 2.3, allows SQL Injection via the index.php?r=students/students/document id parameter. | 9.8 |
2019-08-08 | CVE-2019-14255 | GO Camo Project | Server-Side Request Forgery (SSRF) vulnerability in Go-Camo Project Go-Camo A Server Side Request Forgery (SSRF) vulnerability in go-camo up to version 1.1.4 allows a remote attacker to perform HTTP requests to internal endpoints. | 9.8 |
2019-08-08 | CVE-2019-13101 | Dlink | Missing Authentication for Critical Function vulnerability in Dlink Dir-600M Firmware An issue was discovered on D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices. | 9.8 |
2019-08-08 | CVE-2019-1971 | Cisco | Improper Input Validation vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure A vulnerability in the web portal of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to perform a command injection attack and execute arbitrary commands with root privileges. | 9.8 |
2019-08-08 | CVE-2019-14771 | Backdropcms | Improper Input Validation vulnerability in Backdropcms Backdrop CMS Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the user interface or command line. | 9.8 |
2019-08-07 | CVE-2019-1895 | Cisco | Missing Authentication for Critical Function vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure A vulnerability in the Virtual Network Computing (VNC) console implementation of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to access the VNC console session of an administrative user on an affected device. | 9.8 |
2019-08-07 | CVE-2019-5476 | Nextcloud | SQL Injection vulnerability in Nextcloud Lookup-Server 0.2.0 An SQL Injection in the Nextcloud Lookup-Server < v0.3.0 (running on https://lookup.nextcloud.com) caused unauthenticated users to be able to execute arbitrary SQL commands. | 9.8 |
2019-08-07 | CVE-2019-14537 | Yourls | Type Confusion vulnerability in Yourls YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass. | 9.8 |
2019-08-07 | CVE-2019-14746 | Kuaifan | Code Injection vulnerability in Kuaifan Kuaifancms 5.0 An issue was discovered in KuaiFanCMS 5.0. | 9.8 |
2019-08-07 | CVE-2018-20961 | Linux | Double Free vulnerability in Linux Kernel In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact. | 9.8 |
2019-08-07 | CVE-2019-1913 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system. | 9.8 |
2019-08-06 | CVE-2019-14709 | Microdigital | Insufficiently Protected Credentials vulnerability in Microdigital products A cleartext password storage issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. | 9.8 |
2019-08-06 | CVE-2019-14708 | Microdigital | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microdigital products An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. | 9.8 |
2019-08-06 | CVE-2019-14704 | Microdigital | Server-Side Request Forgery (SSRF) vulnerability in Microdigital products An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 via FTP commands following a newline character in the uploadfile field. | 9.8 |
2019-08-06 | CVE-2019-14702 | Microdigital | SQL Injection vulnerability in Microdigital products An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. | 9.8 |
2019-08-06 | CVE-2019-14699 | Microdigital | OS Command Injection vulnerability in Microdigital products An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. | 9.8 |
2019-08-06 | CVE-2019-14698 | Microdigital | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microdigital products An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. | 9.8 |
2019-08-06 | CVE-2019-5685 | Nvidia | Out-of-bounds Write vulnerability in Nvidia GPU Driver NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially crafted shader can cause an out of bounds access to a shader local temporary array, which may lead to denial of service or code execution. | 9.8 |
2019-08-06 | CVE-2019-13143 | Shenzhen Dragon Brothers | Improper Input Validation vulnerability in Shenzhen Dragon Brothers Fb50 Firmware 2.3 An HTTP parameter pollution issue was discovered on Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 2.3. | 9.8 |
2019-08-06 | CVE-2019-14697 | Musl Libc | Out-of-bounds Write vulnerability in Musl-Libc Musl musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. | 9.8 |
2019-08-06 | CVE-2019-14695 | Sygnoos | SQL Injection vulnerability in Sygnoos Popup Builder A SQL injection vulnerability exists in the Sygnoos Popup Builder plugin before 3.45 for WordPress. | 9.8 |
2019-08-05 | CVE-2019-14348 | Beardev | SQL Injection vulnerability in Beardev Joomsport 3.3 The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter. | 9.8 |
2019-08-09 | CVE-2019-5402 | HP | Unspecified vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5 A remote authorization bypass vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1. | 9.4 |
2019-08-09 | CVE-2019-5399 | HP | Unspecified vulnerability in HP 3Par Service Processor Firmware A remote gain authorized access vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. | 9.4 |
2019-08-09 | CVE-2019-5397 | HP | Cross-site Scripting vulnerability in HP 3Par Service Processor Firmware A remote bypass of security restrictions vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. | 9.4 |
2019-08-09 | CVE-2019-5396 | HP | Unspecified vulnerability in HP 3Par Service Processor Firmware A remote authentication bypass vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. | 9.4 |
2019-08-08 | CVE-2019-12994 | Zohocorp | Server-Side Request Forgery (SSRF) vulnerability in Zohocorp Manageengine Assetexplorer 6.2.0 Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer version 6.2.0 for the AJaxServlet servlet via a parameter in a URL. | 9.1 |
2019-08-07 | CVE-2019-1912 | Cisco | Incorrect Authorization vulnerability in Cisco products A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files. | 9.1 |
2019-08-05 | CVE-2019-5502 | Netapp | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Netapp Data Ontap SMB in Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 has weak cryptography which when exploited could lead to information disclosure or addition or modification of data. | 9.1 |
120 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-11 | CVE-2019-14933 | Webkul | Cross-Site Request Forgery (CSRF) vulnerability in Webkul Bagisto 0.1.5 Bagisto 0.1.5 allows CSRF under /admin URIs. | 8.8 |
2019-08-09 | CVE-2019-5404 | HP | Injection vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5 A remote script injection vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1. | 8.8 |
2019-08-09 | CVE-2019-12257 | Windriver Sonicwall Siemens Netapp Belden | Classic Buffer Overflow vulnerability in multiple products Wind River VxWorks 6.6 through 6.9 has a Buffer Overflow in the DHCP client component. | 8.8 |
2019-08-09 | CVE-2019-5395 | HP | Unrestricted Upload of File with Dangerous Type vulnerability in HP 3Par Service Processor Firmware A remote arbitrary file upload vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. | 8.8 |
2019-08-09 | CVE-2019-12805 | Ncsoft | Command Injection vulnerability in Ncsoft NC Launcher2 2.4.1.691 NCSOFT Game Launcher, NC Launcher2 2.4.1.691 and earlier versions have a vulnerability in the custom protocol handler that could allow a remote attacker to execute an arbitrary command. | 8.8 |
2019-08-08 | CVE-2018-20957 | Tapplock | Improper Access Control vulnerability in Tapplock One+ Firmware The Bluetooth Low Energy (BLE) subsystem on Tapplock devices before 2018-06-12 allows replay attacks. | 8.8 |
2019-08-08 | CVE-2016-10863 | Edimax | Cross-Site Request Forgery (CSRF) vulnerability in Edimax 7237Rpd Firmware and Ew-7438Rpn Mini Firmware Edimax Wi-Fi Extender devices allow goform/formwlencryptvxd CSRF with resultant PSK key disclosure. | 8.8 |
2019-08-08 | CVE-2016-10862 | Neetcables | Cross-Site Request Forgery (CSRF) vulnerability in Neetcables Airstream NAS Firmware 1.1 Neet AirStream NAS1.1 devices have a password of ifconfig for the root account. | 8.8 |
2019-08-08 | CVE-2015-9292 | 6Kbbs | Cross-Site Request Forgery (CSRF) vulnerability in 6Kbbs 7.1/8.0 6kbbs 7.1 and 8.0 allows CSRF via portalchannel_ajax.php (id or code parameter) or admin.php (fileids parameter). | 8.8 |
2019-08-08 | CVE-2019-14681 | Deny ALL Firewall Project | Cross-Site Request Forgery (CSRF) vulnerability in Deny ALL Firewall Project Deny ALL Firewall The Deny All Firewall plugin before 1.1.7 for WordPress allows wp-admin/options-general.php?page=daf_settings&daf_remove=true CSRF. | 8.8 |
2019-08-08 | CVE-2019-12959 | Zohocorp | Server-Side Request Forgery (SSRF) vulnerability in Zohocorp Manageengine Assetexplorer Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer 6.2.0 and before for the ClientUtilServlet servlet via a URL in a parameter. | 8.8 |
2019-08-08 | CVE-2019-1958 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Hyperflex HX Data Platform A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. | 8.8 |
2019-08-07 | CVE-2019-1934 | Cisco | Unspecified vulnerability in Cisco Adaptive Security Appliance Software A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to elevate privileges and execute administrative functions on an affected device. | 8.8 |
2019-08-07 | CVE-2019-14749 | Osticket | Improper Neutralization of Formula Elements in a CSV File vulnerability in Osticket An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. | 8.8 |
2019-08-07 | CVE-2019-14432 | Loom | Improper Authentication vulnerability in Loom 0.16.0 Incorrect authentication of application WebSocket connections in Loom Desktop for Mac up to 0.16.0 allows remote code execution from either malicious JavaScript in a browser or hosts on the same network, during periods in which a user is recording a video with the application. | 8.8 |
2019-08-07 | CVE-2019-10386 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins XL Testview A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 8.8 |
2019-08-07 | CVE-2019-10380 | Jenkins | Unspecified vulnerability in Jenkins Simple Travis Pipeline Runner 1.0 Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code. | 8.8 |
2019-08-07 | CVE-2019-10368 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Jclouds A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 8.8 |
2019-08-07 | CVE-2016-10812 | Cpanel | Improper Input Validation vulnerability in Cpanel In cPanel before 57.9999.54, /scripts/enablefileprotect exposed TTYs (SEC-117). | 8.8 |
2019-08-07 | CVE-2016-10811 | Cpanel | Information Exposure vulnerability in Cpanel In cPanel before 57.9999.54, /scripts/unsuspendacct exposed TTYs (SEC-116). | 8.8 |
2019-08-07 | CVE-2016-10810 | Cpanel | Information Exposure vulnerability in Cpanel In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY to an unprivileged process (SEC-115). | 8.8 |
2019-08-07 | CVE-2016-10809 | Cpanel | Information Exposure vulnerability in Cpanel In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to an unprivileged process (SEC-114). | 8.8 |
2019-08-07 | CVE-2016-10808 | Cpanel | Improper Input Validation vulnerability in Cpanel In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113). | 8.8 |
2019-08-07 | CVE-2016-10805 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109). | 8.8 |
2019-08-07 | CVE-2016-10802 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 58.0.4 allows code execution in the context of other user accounts through the PHP CGI handler (SEC-142). | 8.8 |
2019-08-07 | CVE-2016-10801 | Cpanel | Injection vulnerability in Cpanel cPanel before 58.0.4 has improper session handling for shared users (SEC-139). | 8.8 |
2019-08-07 | CVE-2019-14734 | Adplug Project Fedoraproject | Out-of-bounds Write vulnerability in multiple products AdPlug 2.3.1 has multiple heap-based buffer overflows in CmtkLoader::load() in mtk.cpp. | 8.8 |
2019-08-07 | CVE-2019-14733 | Adplug Project Fedoraproject | Out-of-bounds Write vulnerability in multiple products AdPlug 2.3.1 has multiple heap-based buffer overflows in CradLoader::load() in rad.cpp. | 8.8 |
2019-08-07 | CVE-2019-14732 | Adplug Project Fedoraproject | Out-of-bounds Write vulnerability in multiple products AdPlug 2.3.1 has multiple heap-based buffer overflows in Ca2mLoader::load() in a2m.cpp. | 8.8 |
2019-08-06 | CVE-2019-14703 | Microdigital | Cross-Site Request Forgery (CSRF) vulnerability in Microdigital products A CSRF issue was discovered in webparam?user&action=set&param=add in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 to create an admin account. | 8.8 |
2019-08-06 | CVE-2019-6000 | Canon | Out-of-bounds Write vulnerability in Canon products Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via sendhostinfo command. | 8.8 |
2019-08-06 | CVE-2019-5999 | Canon | Out-of-bounds Write vulnerability in Canon products Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via blerequest command. | 8.8 |
2019-08-06 | CVE-2019-5998 | Canon | Out-of-bounds Write vulnerability in Canon products Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via notifybtstatus command. | 8.8 |
2019-08-06 | CVE-2019-5994 | Canon | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Canon products Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via SendObjectInfo command. | 8.8 |
2019-08-06 | CVE-2019-14473 | EQ 3 | Missing Authorization vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but lack authorization checks. | 8.8 |
2019-08-06 | CVE-2019-14347 | Schben | Forced Browsing vulnerability in Schben Adive Internal/Views/addUsers.php in Schben Adive 2.0.7 allows remote unprivileged users (editor or developer) to create an administrator account via admin/user/add, as demonstrated by a Python PoC script. | 8.8 |
2019-08-06 | CVE-2019-14346 | Schben | Cross-Site Request Forgery (CSRF) vulnerability in Schben Adive 2.0.7 Internal/Views/config.php in Schben Adive 2.0.7 allows admin/config CSRF to change a user password. | 8.8 |
2019-08-06 | CVE-2016-10793 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 59.9999.145 allows arbitrary code execution due to an incorrect #! in Mail::SPF scripts (SEC-152). | 8.8 |
2019-08-06 | CVE-2016-10792 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 59.9999.145 allows code execution in the context of other accounts via mailman list archives (SEC-141). | 8.8 |
2019-08-06 | CVE-2019-14692 | Adplug Project Fedoraproject | Out-of-bounds Write vulnerability in multiple products AdPlug 2.3.1 has a heap-based buffer overflow in CmkjPlayer::load() in mkj.cpp. | 8.8 |
2019-08-06 | CVE-2019-14691 | Adplug Project Fedoraproject | Out-of-bounds Write vulnerability in multiple products AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in dtm.cpp. | 8.8 |
2019-08-06 | CVE-2019-14690 | Adplug Project Fedoraproject | Out-of-bounds Write vulnerability in multiple products AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream() in bmf.cpp. | 8.8 |
2019-08-06 | CVE-2016-10789 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191). | 8.8 |
2019-08-06 | CVE-2016-10788 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188). | 8.8 |
2019-08-05 | CVE-2017-18475 | Cpanel | Improper Input Validation vulnerability in Cpanel In cPanel before 62.0.4, Exim piped filters ran in the context of an incorrect user account when delivering to a system user (SEC-204). | 8.8 |
2019-08-05 | CVE-2017-18470 | Cpanel | Credentials Management vulnerability in Cpanel cPanel before 62.0.4 has a fixed password for the Munin MySQL test account (SEC-196). | 8.8 |
2019-08-05 | CVE-2016-10773 | Cpanel | Use of Externally-Controlled Format String vulnerability in Cpanel cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171). | 8.8 |
2019-08-05 | CVE-2019-14654 | Joomla | Unspecified vulnerability in Joomla Joomla! 3.9.7/3.9.8 In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. | 8.8 |
2019-08-09 | CVE-2019-12263 | Windriver Sonicwall Siemens Netapp Belden | Out-of-bounds Write vulnerability in multiple products Wind River VxWorks 6.9.4 and vx7 has a Buffer Overflow in the TCP component (issue 4 of 4). | 8.1 |
2019-08-08 | CVE-2018-20960 | Nespresso | Unspecified vulnerability in Nespresso Prodigo Firmware Nespresso Prodigio devices lack Bluetooth connection security. | 8.1 |
2019-08-08 | CVE-2019-14693 | Zohocorp | XXE vulnerability in Zohocorp Manageengine Assetexplorer 6.2.0 Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. | 8.1 |
2019-08-07 | CVE-2018-20959 | Jura | Unspecified vulnerability in Jura E8 Firmware Jura E8 devices lack Bluetooth connection security. | 8.1 |
2019-08-07 | CVE-2016-10804 | Cpanel | Improper Input Validation vulnerability in Cpanel The SQLite journal feature in cPanel before 57.9999.54 allows arbitrary file-overwrite operations during Horde Restore (SEC-58). | 8.1 |
2019-08-06 | CVE-2016-10787 | Cpanel | Improper Input Validation vulnerability in Cpanel The Host Access Control feature in cPanel before 60.0.25 mishandles actionless host.deny entries (SEC-187). | 8.1 |
2019-08-05 | CVE-2016-10771 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 60.0.25 allows file-create and file-chmod operations during ModSecurity Audit logfile processing (SEC-165). | 8.1 |
2019-08-11 | CVE-2019-14934 | Pdfresurrect Project Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in PDFResurrect before 0.18. | 7.8 |
2019-08-09 | CVE-2019-3744 | Dell | Race Condition vulnerability in Dell Digital Delivery Dell/Alienware Digital Delivery versions prior to 4.0.41 contain a privilege escalation vulnerability. | 7.8 |
2019-08-09 | CVE-2019-3742 | Dell | Unspecified vulnerability in Dell Digital Delivery Dell/Alienware Digital Delivery versions prior to 3.5.2013 contain a privilege escalation vulnerability. | 7.8 |
2019-08-08 | CVE-2019-5238 | Huawei | Unspecified vulnerability in Huawei Pcmanager(China) and Pcmanager(Oversea) Huawei PCManager with the versions before 9.0.1.66 (Oversea) and versions before 9.0.1.70 (China) have a code execution vulnerability. | 7.8 |
2019-08-08 | CVE-2019-5237 | Huawei | Unspecified vulnerability in Huawei Pcmanager(China) and Pcmanager(Oversea) Huawei PCManager with the versions before 9.0.1.66 (Oversea) and versions before 9.0.1.70 (China) have a code execution vulnerability. | 7.8 |
2019-08-07 | CVE-2019-1945 | Cisco | Improper Input Validation vulnerability in Cisco Adaptive Security Appliance Software Multiple vulnerabilities in the smart tunnel functionality of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, local attacker to elevate privileges to the root user or load a malicious library file while the tunnel is being established. | 7.8 |
2019-08-07 | CVE-2019-1929 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. | 7.8 |
2019-08-07 | CVE-2019-1928 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. | 7.8 |
2019-08-07 | CVE-2019-1927 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. | 7.8 |
2019-08-07 | CVE-2019-1926 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. | 7.8 |
2019-08-07 | CVE-2019-1924 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. | 7.8 |
2019-08-07 | CVE-2019-1925 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. | 7.8 |
2019-08-07 | CVE-2019-14745 | Radare Fedoraproject | Command Injection vulnerability in multiple products In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. | 7.8 |
2019-08-07 | CVE-2019-14744 | KDE Debian Fedoraproject Opensuse Canonical Redhat | OS Command Injection vulnerability in multiple products In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. | 7.8 |
2019-08-07 | CVE-2016-10800 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 58.0.4 allows demo-mode escape via Site Templates and Boxtrapper API calls (SEC-138). | 7.8 |
2019-08-06 | CVE-2019-5683 | Nvidia | Link Following vulnerability in Nvidia GPU Driver NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in the user mode video driver trace logger component. | 7.8 |
2019-08-06 | CVE-2019-5682 | Nvidia | Unspecified vulnerability in Nvidia Shield Experience NVIDIA Shield TV Experience prior to v8.0, contains a vulnerability in the NVIDIA Games App where it improperly exports an Activity but does not properly restrict which applications can launch the Activity, which may lead to code execution or denial of service. | 7.8 |
2019-08-06 | CVE-2019-5679 | Nvidia | Improper Authentication vulnerability in Nvidia Shield Experience NVIDIA Shield TV Experience prior to v8.0, NVIDIA Tegra bootloader contains a vulnerability in nvtboot where the Trusted OS image is improperly authenticated, which may lead to code execution, denial of service, escalation of privileges, and information disclosure. | 7.8 |
2019-08-06 | CVE-2019-13106 | Denx Opensuse | Out-of-bounds Write vulnerability in multiple products Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution. | 7.8 |
2019-08-06 | CVE-2019-13105 | Denx | Double Free vulnerability in Denx U-Boot 2019.07 Das U-Boot versions 2019.07-rc1 through 2019.07-rc4 can double-free a cached block of data when listing files in a crafted ext4 filesystem. | 7.8 |
2019-08-06 | CVE-2019-13104 | Denx Opensuse | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow can cause memcpy() to overwrite a very large amount of data (including the whole stack) while reading a crafted ext4 filesystem. | 7.8 |
2019-08-05 | CVE-2019-10980 | Laquisscada | Type Confusion vulnerability in Laquisscada Scada 4.3.1.71 A type confusion vulnerability may be exploited when LAquis SCADA 4.3.1.71 processes a specially crafted project file. | 7.8 |
2019-08-05 | CVE-2019-3800 | Pivotal Apigee Newrelic Microsoft Appdynamics Bluemedora Contrastsecurity Cyberark Datadoghq Datastax Dynatrace Forgerock IBM Pagerduty Riverbed Signalsciences Wavefront Tibco Solace Snyk Samba Splunk Sumologic Synopsys Yugabyte Anynines | Information Exposure vulnerability in multiple products CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. | 7.8 |
2019-08-05 | CVE-2019-4473 | IBM | Uncontrolled Search Path Element vulnerability in IBM Java 7.0.0.0/7.1.4.50/8.0 Multiple binaries in IBM SDK, Java Technology Edition 7, 7R, and 8 on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users. | 7.8 |
2019-08-10 | CVE-2019-14924 | Gcdwebserver Project | Incorrect Authorization vulnerability in Gcdwebserver Project Gcdwebserver An issue was discovered in GCDWebServer before 3.5.3. | 7.5 |
2019-08-09 | CVE-2019-12258 | Windriver Sonicwall Siemens Netapp Belden | Session Fixation vulnerability in multiple products Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. | 7.5 |
2019-08-09 | CVE-2019-12259 | Windriver Sonicwall Siemens Belden | NULL Pointer Dereference vulnerability in multiple products Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and vx7 has an array index error in the IGMPv3 client component. | 7.5 |
2019-08-09 | CVE-2019-14806 | Palletsprojects Opensuse | Insufficient Entropy vulnerability in multiple products Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. | 7.5 |
2019-08-09 | CVE-2019-14794 | Metabox | Data Processing Errors vulnerability in Metabox Meta BOX The Meta Box plugin before 4.16.2 for WordPress mishandles the uploading of files to custom folders. | 7.5 |
2019-08-08 | CVE-2018-20954 | Mailpile | Improper Authentication vulnerability in Mailpile The "Security and Privacy" Encryption feature in Mailpile before 1.0.0rc4 does not exclude disabled, revoked, and expired keys. | 7.5 |
2019-08-08 | CVE-2019-14773 | Webcraftic | Unspecified vulnerability in Webcraftic Woody AD Snippets admin/includes/class.actions.snippet.php in the "Woody ad snippets" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close&post= deletion. | 7.5 |
2019-08-08 | CVE-2019-13176 | 3CX | XXE vulnerability in 3CX 12.5/12.5.44178.1002 An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. | 7.5 |
2019-08-08 | CVE-2019-1970 | Cisco | Protection Mechanism Failure vulnerability in Cisco Firepower Threat Defense A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol inspection engine of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the configured file policies on an affected system. | 7.5 |
2019-08-08 | CVE-2019-1957 | Cisco | Unspecified vulnerability in Cisco IOT Field Network Director A vulnerability in the web interface of Cisco IoT Field Network Director could allow an unauthenticated, remote attacker to trigger high CPU usage, resulting in a denial of service (DoS) condition on an affected device. | 7.5 |
2019-08-08 | CVE-2019-1955 | Cisco | Improper Input Validation vulnerability in Cisco Email Security Appliance Firmware 12.0/3.3.109 A vulnerability in the Sender Policy Framework (SPF) functionality of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to bypass configured user filters on the device. | 7.5 |
2019-08-07 | CVE-2019-14474 | EQ 3 | Improper Input Validation vulnerability in Eq-3 Ccu3 Firmware eQ-3 Homematic CCU3 3.47.15 and prior has Improper Input Validation in function 'Call()' of ReGa core logic process, resulting in the ability to start a Denial of Service. | 7.5 |
2019-08-07 | CVE-2019-10099 | Apache | Cleartext Storage of Sensitive Information vulnerability in Apache Spark Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. | 7.5 |
2019-08-07 | CVE-2019-10381 | Jenkins | Improper Certificate Validation vulnerability in Jenkins Codefresh Integration Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM. | 7.5 |
2019-08-07 | CVE-2019-10371 | Jenkins | Session Fixation vulnerability in Jenkins Gitlab Oauth A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. | 7.5 |
2019-08-07 | CVE-2018-14383 | Ttpsc | XXE vulnerability in Ttpsc the Scheduler 5.1.3 The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. | 7.5 |
2019-08-07 | CVE-2016-5431 | PHP Jose Project | Use of a Broken or Risky Cryptographic Algorithm vulnerability in PHP Jose Project PHP Jose The PHP JOSE Library by Gree Inc. | 7.5 |
2019-08-07 | CVE-2016-10803 | Cpanel | CRLF Injection vulnerability in Cpanel cPanel before 57.9999.105 allows newline injection via LOC records (CPANEL-6923). | 7.5 |
2019-08-06 | CVE-2019-14706 | Microdigital | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microdigital products A denial of service issue in HTTPD was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. | 7.5 |
2019-08-06 | CVE-2019-14701 | Microdigital | Path Traversal vulnerability in Microdigital products An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. | 7.5 |
2019-08-06 | CVE-2019-14700 | Microdigital | Path Traversal vulnerability in Microdigital products An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. | 7.5 |
2019-08-06 | CVE-2016-10790 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net (SEC-192). | 7.5 |
2019-08-05 | CVE-2019-14475 | EQ 3 | Missing Authorization vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use session IDs for authentication but lack authorization checks. | 7.5 |
2019-08-05 | CVE-2019-11270 | Pivotal Software | Incorrect Permission Assignment for Critical Resource vulnerability in Pivotal Software Cloud Foundry UAA Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess. | 7.5 |
2019-08-05 | CVE-2017-18476 | Cpanel | 7PK - Security Features vulnerability in Cpanel Leech Protect in cPanel before 62.0.4 does not protect certain directories (SEC-205). | 7.5 |
2019-08-05 | CVE-2019-14521 | Emca | Path Traversal vulnerability in Emca Energy Logserver 6.1.2 The api/admin/logoupload Logo File upload feature in EMCA Energy Logserver 6.1.2 allows attackers to send any kind of file to any location on the server via path traversal in the filename parameter. | 7.5 |
2019-08-05 | CVE-2017-18462 | Cpanel | 7PK - Security Features vulnerability in Cpanel cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based protection is enabled (SEC-224). | 7.5 |
2019-08-07 | CVE-2019-1918 | Cisco | Incorrect Calculation vulnerability in Cisco Carrier Routing System and IOS XR A vulnerability in the implementation of Intermediate System–to–Intermediate System (IS–IS) routing protocol functionality in Cisco IOS XR Software could allow an unauthenticated attacker who is in the same IS-IS area to cause a denial of service (DoS) condition. | 7.4 |
2019-08-07 | CVE-2019-1910 | Cisco | Improper Input Validation vulnerability in Cisco IOS XR A vulnerability in the implementation of the Intermediate System–to–Intermediate System (IS–IS) routing protocol functionality in Cisco IOS XR Software could allow an unauthenticated attacker who is in the same IS–IS area to cause a denial of service (DoS) condition. | 7.4 |
2019-08-09 | CVE-2019-5405 | HP | Unspecified vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5 A remote authorization bypass vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1. | 7.3 |
2019-08-07 | CVE-2019-1944 | Cisco | Incorrect Permission Assignment for Critical Resource vulnerability in Cisco Adaptive Security Appliance Software Multiple vulnerabilities in the smart tunnel functionality of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, local attacker to elevate privileges to the root user or load a malicious library file while the tunnel is being established. | 7.3 |
2019-08-09 | CVE-2019-5406 | HP | Session Fixation vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5 A remote session reuse vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1. | 7.2 |
2019-08-09 | CVE-2017-18486 | Jitbit | Insufficient Entropy in PRNG vulnerability in Jitbit Helpdesk Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. | 7.2 |
2019-08-07 | CVE-2019-1914 | Cisco | Improper Input Validation vulnerability in Cisco products A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an authenticated, remote attacker to perform a command injection attack. | 7.2 |
2019-08-06 | CVE-2019-14707 | Microdigital | Unspecified vulnerability in Microdigital products An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. | 7.2 |
2019-08-06 | CVE-2019-14705 | Microdigital | Improper Authentication vulnerability in Microdigital products An Incorrect Access Control issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5 because any valid cookie can be used to make requests as an admin. | 7.2 |
2019-08-09 | CVE-2019-11042 | PHP Debian Canonical Apple Opensuse Redhat Tenable | Out-of-bounds Read vulnerability in multiple products When PHP EXIF extension is parsing EXIF information from an image, e.g. | 7.1 |
2019-08-09 | CVE-2019-11041 | PHP Debian Canonical Apple Opensuse Redhat Tenable | Out-of-bounds Read vulnerability in multiple products When PHP EXIF extension is parsing EXIF information from an image, e.g. | 7.1 |
2019-08-06 | CVE-2019-5687 | Nvidia | Incorrect Default Permissions vulnerability in Nvidia GPU Driver NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which an incorrect use of default permissions for an object exposes it to an unintended actor | 7.1 |
2019-08-06 | CVE-2019-2386 | Mongodb | Insufficient Session Expiration vulnerability in Mongodb After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. | 7.1 |
2019-08-05 | CVE-2019-12264 | Windriver Belden Siemens | Argument Injection or Modification vulnerability in multiple products Wind River VxWorks 6.6, 6.7, 6.8, 6.9.3, 6.9.4, and Vx7 has Incorrect Access Control in IPv4 assignment by the ipdhcpc DHCP client component. | 7.1 |
150 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-07 | CVE-2016-10798 | Cpanel | Race Condition vulnerability in Cpanel cPanel before 58.0.4 allows a file-ownership change (to nobody) via rearrangeacct (SEC-134). | 6.8 |
2019-08-06 | CVE-2019-6001 | Canon | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Canon products Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via setadapterbatteryreport command. | 6.8 |
2019-08-05 | CVE-2019-3717 | Dell | Unspecified vulnerability in Dell products Select Dell Client Commercial and Consumer platforms contain an Improper Access Vulnerability. | 6.8 |
2019-08-08 | CVE-2019-1972 | Cisco | Unspecified vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure A vulnerability in the Cisco Enterprise NFV Infrastructure Software (NFVIS) restricted CLI could allow an authenticated, local attacker with valid administrator-level credentials to elevate privileges and execute arbitrary commands on the underlying operating system as root. | 6.7 |
2019-08-08 | CVE-2019-1952 | Cisco | Improper Input Validation vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to overwrite or read arbitrary files. | 6.7 |
2019-08-07 | CVE-2019-14743 | Valvesoftware | Incorrect Permission Assignment for Critical Resource vulnerability in Valvesoftware Steam Client In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit "Full control" for the Users group, which allows local users to gain NT AUTHORITY\SYSTEM access. | 6.6 |
2019-08-09 | CVE-2019-14433 | Openstack Canonical Redhat Debian | Information Exposure Through an Error Message vulnerability in multiple products An issue was discovered in OpenStack Nova before 17.0.12, 18.x before 18.2.2, and 19.x before 19.0.2. | 6.5 |
2019-08-09 | CVE-2019-5498 | Netapp | Unspecified vulnerability in Netapp Oncommand Insight OnCommand Insight versions through 7.3.6 may disclose sensitive account information to an authenticated user. | 6.5 |
2019-08-09 | CVE-2019-5408 | HP | Unspecified vulnerability in HP products Command View Advanced Edition (CVAE) products contain a vulnerability that could expose configuration information of hosts and storage systems that are managed by Device Manager server. | 6.5 |
2019-08-09 | CVE-2019-14793 | Metabox | Missing Authorization vulnerability in Metabox Meta BOX The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id parameter. | 6.5 |
2019-08-09 | CVE-2019-14312 | Aptana | Path Traversal vulnerability in Aptana Jaxer 1.0.3.4547 Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. | 6.5 |
2019-08-08 | CVE-2019-14679 | Reputeinfosystems | Cross-Site Request Forgery (CSRF) vulnerability in Reputeinfosystems Arprice Lite 2.2 core/views/arprice_import_export.php in the ARPrice Lite plugin 2.2 for WordPress allows wp-admin/admin.php?page=arplite_import_export CSRF. | 6.5 |
2019-08-08 | CVE-2019-1953 | Cisco | Information Exposure Through Log Files vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure A vulnerability in the web portal of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to view a password in clear text. | 6.5 |
2019-08-08 | CVE-2019-1946 | Cisco | Improper Authentication vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and get limited access to the web-based management interface. | 6.5 |
2019-08-07 | CVE-2019-10387 | Jenkins | Missing Authorization vulnerability in Jenkins XL Testview A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |
2019-08-07 | CVE-2019-10385 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Eggplant Jenkins eggPlant Plugin 2.2 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | 6.5 |
2019-08-07 | CVE-2019-10382 | Jenkins | Improper Certificate Validation vulnerability in Jenkins VMWare LAB Manager Slaves Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM. | 6.5 |
2019-08-07 | CVE-2019-10379 | | Insufficiently Protected Credentials vulnerability in Google Cloud Messaging Notification 1.0 Jenkins Google Cloud Messaging Notification Plugin 1.0 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | 6.5 |
2019-08-07 | CVE-2019-10375 | Jenkins | Unspecified vulnerability in Jenkins File System SCM An arbitrary file read vulnerability in Jenkins File System SCM Plugin 2.1 and earlier allows attackers able to configure jobs in Jenkins to obtain the contents of any file on the Jenkins master. | 6.5 |
2019-08-07 | CVE-2019-10370 | Jenkins | Information Exposure Through Log Files vulnerability in Jenkins Mask Passwords Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure. | 6.5 |
2019-08-07 | CVE-2019-10369 | Jenkins | Missing Authorization vulnerability in Jenkins Jclouds A missing permission check in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |
2019-08-07 | CVE-2018-20958 | Tapplock | Information Exposure vulnerability in Tapplock Firmware The Bluetooth Low Energy (BLE) subsystem on Tapplock devices before 2018-06-12 relies on Key1 and SerialNo for unlock operations; however, these are derived from the MAC address, which is broadcasted by the device. | 6.5 |
2019-08-07 | CVE-2016-10861 | Neetcables | Cross-Site Request Forgery (CSRF) vulnerability in Neetcables Airstream NAS Firmware 1.1 Neet AirStream NAS1.1 devices allow CSRF attacks that cause the settings binary to change the AP name and password. | 6.5 |
2019-08-07 | CVE-2016-10807 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 57.9999.54 allows certain denial-of-service outcomes via /scripts/killpvhost (SEC-112). | 6.5 |
2019-08-06 | CVE-2019-5995 | Canon | Missing Authorization vulnerability in Canon products Missing authorization vulnerability exists in EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier. | 6.5 |
2019-08-06 | CVE-2016-10794 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 59.9999.145 allows arbitrary file-read operations because of a multipart form processing error (SEC-154). | 6.5 |
2019-08-06 | CVE-2016-10786 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186). | 6.5 |
2019-08-06 | CVE-2016-10785 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 60.0.25 allows attackers to discover file contents during file copy operations (SEC-185). | 6.5 |
2019-08-05 | CVE-2019-14664 | Enigmail Fedoraproject | Cleartext Transmission of Sensitive Information vulnerability in multiple products In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. | 6.5 |
2019-08-05 | CVE-2019-4261 | IBM | Unspecified vulnerability in IBM MQ and Websphere MQ IBM WebSphere MQ V7.1, 7.5, IBM MQ V8, IBM MQ V9.0LTS, IBM MQ V9.1 LTS, and IBM MQ V9.1 CD are vulnerable to a denial of service attack caused by specially crafted messages. | 6.5 |
2019-08-05 | CVE-2017-18482 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 62.0.4 allows resellers to use the WHM enqueue_transfer_item API for queueing non-rearrange modules (SEC-213). | 6.5 |
2019-08-05 | CVE-2017-18480 | Cpanel | 7PK - Security Features vulnerability in Cpanel cPanel before 62.0.4 does not enforce account ownership for has_mycnf_for_cpuser WHM API calls (SEC-210). | 6.5 |
2019-08-05 | CVE-2017-18479 | Cpanel | Improper Certificate Validation vulnerability in Cpanel In cPanel before 62.0.4, WHM SSL certificate generation uses an unreserved e-mail address (SEC-209). | 6.5 |
2019-08-05 | CVE-2017-18478 | Cpanel | Information Exposure vulnerability in Cpanel In cPanel before 62.0.4 incorrect ACL checks could occur in xml-api for Rearrange Account actions (SEC-207). | 6.5 |
2019-08-05 | CVE-2017-18477 | Cpanel | 7PK - Security Features vulnerability in Cpanel In cPanel before 62.0.4, Exim transports could execute in the context of the nobody account (SEC-206). | 6.5 |
2019-08-05 | CVE-2017-18474 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 62.0.4 allows arbitrary file-read operations via Exim valiases (SEC-201). | 6.5 |
2019-08-05 | CVE-2016-10775 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173). | 6.5 |
2019-08-05 | CVE-2016-10770 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164). | 6.5 |
2019-08-05 | CVE-2016-10768 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 60.0.25 allows file-overwrite operations during preparation for MySQL upgrades (SEC-161). | 6.5 |
2019-08-09 | CVE-2019-5407 | HP | Unspecified vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5 A remote information disclosure vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1. | 6.3 |
2019-08-09 | CVE-2019-5400 | HP | Session Fixation vulnerability in HP 3Par Service Processor Firmware A remote session reuse vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. | 6.3 |
2019-08-08 | CVE-2019-5236 | Huawei | Double Free vulnerability in Huawei Emily-L29C Firmware Huawei smart phones Emily-L29C with versions of 8.1.0.132a(C432), 8.1.0.135(C782), 8.1.0.154(C10), 8.1.0.154(C461), 8.1.0.154(C635), 8.1.0.156(C185), 8.1.0.156(C605), 8.1.0.159(C636) have a double free vulnerability. | 6.3 |
2019-08-05 | CVE-2017-18469 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 62.0.17 allows demo accounts to execute code via an NVData_fetchinc API call (SEC-233). | 6.3 |
2019-08-05 | CVE-2017-18468 | Cpanel | Code Injection vulnerability in Cpanel cPanel before 62.0.17 allows demo accounts to execute code via the Htaccess::setphppreference API (SEC-232). | 6.3 |
2019-08-09 | CVE-2019-14807 | Mediawiki | Cross-site Scripting vulnerability in Mediawiki Mobilefrontend 1.31.0/1.32.0/1.33.0 In the MobileFrontend extension 1.31 through 1.33 for MediaWiki, XSS exists within the edit summary field in includes/specials/MobileSpecialPageFeed.php. | 6.1 |
2019-08-09 | CVE-2019-11274 | Cloudfoundry | Cross-site Scripting vulnerability in Cloudfoundry User Account and Authentication Cloud Foundry UAA, versions prior to 74.0.0, is vulnerable to an XSS attack. | 6.1 |
2019-08-09 | CVE-2019-11776 | Eclipse | Cross-site Scripting vulnerability in Eclipse Business Intelligence and Reporting Tools In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflected XSS in URL parameter. | 6.1 |
2019-08-09 | CVE-2018-20858 | EDX | Cross-site Scripting vulnerability in EDX Recommender Recommender before 2018-07-18 allows XSS. | 6.1 |
2019-08-09 | CVE-2019-14791 | Codepeople | Cross-site Scripting vulnerability in Codepeople Appointment Booking Calendar 1.3.18 The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter. | 6.1 |
2019-08-09 | CVE-2019-14799 | Foliovision | Cross-site Scripting vulnerability in Foliovision FV Flowplayer Video Player The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS. | 6.1 |
2019-08-09 | CVE-2016-10865 | 23Systems | Cross-Site Request Forgery (CSRF) vulnerability in 23Systems Lightbox Plus Colorbox 2.7.2 The Lightbox Plus Colorbox plugin through 2.7.2 for WordPress has cross-site request forgery (CSRF) via wp-admin/admin.php?page=lightboxplus, as demonstrated by resultant width XSS. | 6.1 |
2019-08-08 | CVE-2017-18484 | Elementalpath | Cross-site Scripting vulnerability in Elementalpath Cognitoys Dino Firmware Cognitoys Dino devices allow XSS via the SSID. | 6.1 |
2019-08-08 | CVE-2019-14774 | Getwooplugins | Cross-site Scripting vulnerability in Getwooplugins Woo-Variation-Swatches 1.0.61 The woo-variation-swatches (aka Variation Swatches for WooCommerce) plugin 1.0.61 for WordPress allows XSS via the wp-admin/admin.php?page=woo-variation-swatches-settings tab parameter. | 6.1 |
2019-08-08 | CVE-2018-20962 | Backpackforlaravel | Cross-site Scripting vulnerability in Backpackforlaravel BackpackCrud The Backpack\CRUD Backpack component before 3.4.9 for Laravel allows XSS via the select field type. | 6.1 |
2019-08-08 | CVE-2019-12397 | Apache | Cross-site Scripting vulnerability in Apache Ranger Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. | 6.1 |
2019-08-08 | CVE-2019-14772 | Verdaccio | Cross-site Scripting vulnerability in Verdaccio verdaccio before 3.12.0 allows XSS. | 6.1 |
2019-08-08 | CVE-2019-1954 | Cisco | Improper Input Validation vulnerability in Cisco Webex Meetings Server A vulnerability in the web-based management interface of Cisco Webex Meetings Server Software could allow an unauthenticated, remote attacker to redirect a user to an undesired web page. | 6.1 |
2019-08-08 | CVE-2019-14770 | Backdropcms | Cross-site Scripting vulnerability in Backdropcms Backdrop Core In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. | 6.1 |
2019-08-08 | CVE-2019-14769 | Backdropcms | Cross-site Scripting vulnerability in Backdropcms Backdrop Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. | 6.1 |
2019-08-07 | CVE-2019-14750 | Osticket | Cross-site Scripting vulnerability in Osticket An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. | 6.1 |
2019-08-07 | CVE-2019-14747 | Diaowen | Cross-site Scripting vulnerability in Diaowen Dwsurvey 1.0/20190722/3.2.0 DWSurvey through 2019-07-22 has stored XSS via the design/my-survey-design!copySurvey.action surveyName parameter. | 6.1 |
2019-08-07 | CVE-2019-10376 | Jenkins | Cross-site Scripting vulnerability in Jenkins Wall Display A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin. | 6.1 |
2019-08-07 | CVE-2019-10372 | Jenkins | Open Redirect vulnerability in Jenkins Gitlab Oauth An open redirect vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows attackers to redirect users to a URL outside Jenkins after successful login. | 6.1 |
2019-08-07 | CVE-2017-18483 | Annke | Cross-site Scripting vulnerability in Annke SP1 Firmware 3.4.1.160407110 ANNKE SP1 HD wireless camera 3.4.1.1604071109 devices allow XSS via a crafted SSID. | 6.1 |
2019-08-06 | CVE-2019-14696 | Open School | Cross-site Scripting vulnerability in Open-School 2.3/3.0 Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/index.php?r=students/guardians/create id parameter. | 6.1 |
2019-08-06 | CVE-2016-10795 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 59.9999.145 allows stored XSS in the WHM tail_upcp2.cgi interface (SEC-156). | 6.1 |
2019-08-05 | CVE-2019-14667 | Firefly III | Cross-site Scripting vulnerability in Firefly-Iii Firefly III 4.7.17.4 Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name. | 6.1 |
2019-08-05 | CVE-2019-11198 | Sitecore | Cross-site Scripting vulnerability in Sitecore CMS Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog. | 6.1 |
2019-08-05 | CVE-2017-18472 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 62.0.4 allows reflected XSS in reset-password interfaces (SEC-198). | 6.1 |
2019-08-05 | CVE-2016-10769 | Cpanel | Open Redirect vulnerability in Cpanel cPanel before 60.0.25 allows an open redirect via /cgi-sys/FormMail-clone.cgi (SEC-162). | 6.1 |
2019-08-08 | CVE-2019-1951 | Cisco | Unspecified vulnerability in Cisco Sd-Wan Firmware A vulnerability in the packet filtering features of Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to bypass L3 and L4 traffic filters. | 5.8 |
2019-08-08 | CVE-2019-14683 | Codection | Cross-Site Request Forgery (CSRF) vulnerability in Codection Import Users From CSV With Meta The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF. | 5.7 |
2019-08-08 | CVE-2019-14680 | Mijnpress | Cross-Site Request Forgery (CSRF) vulnerability in Mijnpress Admin-Renamer-Extended 3.2.1 The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF. | 5.7 |
2019-08-08 | CVE-2019-14783 | | Unspecified vulnerability in Google Android On Samsung mobile devices with N(7.x), and O(8.x), P(9.0) software, FotaAgent allows a malicious application to create privileged files. | 5.5 |
2019-08-08 | CVE-2018-20956 | Swann | Information Exposure Through Log Files vulnerability in Swann Swwhd-Intcam-Hd Firmware Swann SWWHD-INTCAM-HD devices leave the PSK in logs after a factory reset. | 5.5 |
2019-08-08 | CVE-2019-5239 | Huawei | Unspecified vulnerability in Huawei Pcmanager(China) and Pcmanager(Oversea) Huawei PCManager with the versions before 9.0.1.66 (Oversea) and versions before 9.0.1.70 (China) have an information leak vulnerability. | 5.5 |
2019-08-08 | CVE-2019-14335 | Dlink | Unspecified vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. | 5.5 |
2019-08-08 | CVE-2018-19855 | Uipath | Improper Neutralization of Formula Elements in a CSV File vulnerability in Uipath Orchestrator UiPath Orchestrator before 2018.3.4 allows CSV Injection, related to the Audit export, Robot log export, and Transaction log export features. | 5.5 |
2019-08-07 | CVE-2019-14763 | Linux Canonical | Improper Locking vulnerability in multiple products In the Linux kernel before 4.16.4, a double-locking error in drivers/usb/dwc3/gadget.c may potentially cause a deadlock with f_hid. | 5.5 |
2019-08-07 | CVE-2019-10367 | Jenkins | Information Exposure Through Log Files vulnerability in Jenkins Configuration AS Code Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied. | 5.5 |
2019-08-07 | CVE-2016-10799 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 58.0.4 does not set the Pear tmp directory during a PHP installation (SEC-137). | 5.5 |
2019-08-06 | CVE-2019-5686 | Nvidia | Unspecified vulnerability in Nvidia GPU Driver NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software uses an API function or data structure in a way that relies on properties that are not always guaranteed to be valid, which may lead to denial of service. | 5.5 |
2019-08-05 | CVE-2019-14665 | Brandy Project | Out-of-bounds Write vulnerability in Brandy Project Brandy 1.20.1 Brandy 1.20.1 has a heap-based buffer overflow in define_array in variables.c via crafted BASIC source code. | 5.5 |
2019-08-05 | CVE-2019-14663 | Brandy Project | Out-of-bounds Write vulnerability in Brandy Project Brandy 1.20.1 Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fileio.c via crafted BASIC source code. | 5.5 |
2019-08-05 | CVE-2019-14662 | Brandy Project | Out-of-bounds Write vulnerability in Brandy Project Brandy 1.20.1 Brandy 1.20.1 has a stack-based buffer overflow in fileio_openout in fileio.c via crafted BASIC source code. | 5.5 |
2019-08-09 | CVE-2018-20827 | Atlassian | Cross-site Scripting vulnerability in Atlassian Jira The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter. | 5.4 |
2019-08-09 | CVE-2019-5398 | HP | Cross-site Scripting vulnerability in HP 3Par Service Processor Firmware A remote multiple cross-site vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. | 5.4 |
2019-08-09 | CVE-2019-14797 | 10Web | Cross-site Scripting vulnerability in 10Web Photo Gallery The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS. | 5.4 |
2019-08-09 | CVE-2019-14796 | MQ Woocommerce Products Price Bulk Edit Project | Cross-site Scripting vulnerability in Mq-Woocommerce-Products-Price-Bulk-Edit Project Mq-Woocommerce-Products-Price-Bulk-Edit 2.0 The mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products Price Bulk Edit) plugin 2.0 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=update_options show_products_page_limit parameter. | 5.4 |
2019-08-09 | CVE-2019-14792 | Codecabin | Cross-site Scripting vulnerability in Codecabin WP GO Maps The WP Google Maps plugin before 7.11.35 for WordPress allows XSS via the wp-admin/ rectangle_name or rectangle_opacity parameter. | 5.4 |
2019-08-09 | CVE-2019-14787 | Tribulant | Cross-site Scripting vulnerability in Tribulant Newsletters The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter. | 5.4 |
2019-08-09 | CVE-2019-14785 | Codepeople | Cross-site Scripting vulnerability in Codepeople CP Contact Form With Paypal The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1 cp_contactformpp_id parameter. | 5.4 |
2019-08-08 | CVE-2017-18485 | Elementalpath | Cross-Site Request Forgery (CSRF) vulnerability in Elementalpath Cognitoys Dino Firmware Cognitoys Dino devices allow profiles_add.html CSRF. | 5.4 |
2019-08-08 | CVE-2019-14221 | 1Crm | Cross-site Scripting vulnerability in 1Crm On-Premise 8.5.7 1CRM On-Premise Software 8.5.7 allows XSS via a payload that is mishandled during a Run Report operation. | 5.4 |
2019-08-07 | CVE-2019-14748 | Osticket | Unrestricted Upload of File with Dangerous Type vulnerability in Osticket An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. | 5.4 |
2019-08-07 | CVE-2019-11653 | Microfocus | Unspecified vulnerability in Microfocus Content Manager 9.1.0/9.2.0/9.3.0 Remote Access Control Bypass in Micro Focus Content Manager. | 5.4 |
2019-08-07 | CVE-2019-10374 | Jenkins | Cross-site Scripting vulnerability in Jenkins Pegdown Formatter A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI. | 5.4 |
2019-08-07 | CVE-2019-10373 | Jenkins | Cross-site Scripting vulnerability in Jenkins Build Pipeline A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. | 5.4 |
2019-08-07 | CVE-2016-10806 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 57.9999.54 allows self XSS on the Paper Lantern Landing Page (SEC-110). | 5.4 |
2019-08-07 | CVE-2019-14731 | Cnezsoft | Cross-site Scripting vulnerability in Cnezsoft Zentao 11.5.1 An issue was discovered in ZenTao 11.5.1. | 5.4 |
2019-08-06 | CVE-2019-12950 | Teampass | Cross-site Scripting vulnerability in Teampass 2.1.27.35 An issue was discovered in TeamPass 2.1.27.35. | 5.4 |
2019-08-06 | CVE-2016-10784 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 60.0.25 allows self XSS in the alias upload interface (SEC-184). | 5.4 |
2019-08-06 | CVE-2016-10783 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 60.0.25 allows self stored XSS in SSL_listkeys (SEC-182). | 5.4 |
2019-08-06 | CVE-2016-10782 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 60.0.25 allows self stored XSS in postgres API1 listdbs (SEC-181). | 5.4 |
2019-08-06 | CVE-2016-10781 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 60.0.25 allows self XSS in the UI_confirm API (SEC-180). | 5.4 |
2019-08-06 | CVE-2016-10780 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 60.0.25 allows stored XSS in the ftp_sessions API (SEC-180). | 5.4 |
2019-08-06 | CVE-2016-10779 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 60.0.25 allows stored XSS in api1_listautoresponders (SEC-179). | 5.4 |
2019-08-06 | CVE-2016-10778 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 60.0.25 allows self stored XSS in the listftpstable API (SEC-178). | 5.4 |
2019-08-06 | CVE-2016-10777 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodiscover_host (SEC-177). | 5.4 |
2019-08-06 | CVE-2016-10776 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 60.0.25 allows stored XSS during the homedir removal phase of WHM Account termination (SEC-174). | 5.4 |
2019-08-05 | CVE-2019-14672 | Firefly III | Cross-site Scripting vulnerability in Firefly-Iii Firefly III 4.7.17.5 Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the liability name field. | 5.4 |
2019-08-05 | CVE-2019-14670 | Firefly III | Cross-site Scripting vulnerability in Firefly-Iii Firefly III 4.7.17.3 Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field. | 5.4 |
2019-08-05 | CVE-2019-14669 | Firefly III | Cross-site Scripting vulnerability in Firefly-Iii Firefly III 4.7.17.3 Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the asset account name. | 5.4 |
2019-08-05 | CVE-2019-14668 | Firefly III | Cross-site Scripting vulnerability in Firefly-Iii Firefly III 4.7.17.3 Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the transaction description field. | 5.4 |
2019-08-05 | CVE-2019-14550 | Espocrm | Cross-site Scripting vulnerability in Espocrm An issue was discovered in EspoCRM before 5.6.9. | 5.4 |
2019-08-05 | CVE-2019-14549 | Espocrm | Cross-site Scripting vulnerability in Espocrm An issue was discovered in EspoCRM before 5.6.9. | 5.4 |
2019-08-05 | CVE-2019-14548 | Espocrm | Cross-site Scripting vulnerability in Espocrm An issue was discovered in EspoCRM before 5.6.9. | 5.4 |
2019-08-05 | CVE-2019-14547 | Espocrm | Cross-site Scripting vulnerability in Espocrm An issue was discovered in EspoCRM before 5.6.9. | 5.4 |
2019-08-05 | CVE-2019-14546 | Espocrm | Cross-site Scripting vulnerability in Espocrm An issue was discovered in EspoCRM before 5.6.9. | 5.4 |
2019-08-05 | CVE-2017-18481 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 62.0.4 allows stored XSS in the WHM Account Suspension List interface (SEC-211). | 5.4 |
2019-08-05 | CVE-2017-18473 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 62.0.4 allows self XSS on the webmail Password and Security page (SEC-199). | 5.4 |
2019-08-05 | CVE-2017-18471 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 62.0.4 allows self XSS on the paper_lantern password-change screen (SEC-197). | 5.4 |
2019-08-05 | CVE-2016-10774 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172). | 5.4 |
2019-08-05 | CVE-2016-10767 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 60.0.25 allows stored XSS in the WHM Repair Mailbox Permissions interface (SEC-159). | 5.4 |
2019-08-09 | CVE-2019-12265 | Windriver Sonicwall Siemens Netapp Belden | Memory Leak vulnerability in multiple products Wind River VxWorks 6.5, 6.6, 6.7, 6.8, 6.9.3 and 6.9.4 has a Memory Leak in the IGMPv3 client component. | 5.3 |
2019-08-07 | CVE-2019-10378 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Testlink Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | 5.3 |
2019-08-06 | CVE-2016-10791 | Cpanel | Credentials Management vulnerability in Cpanel cPanel before 60.0.15 does not ensure that system accounts lack a valid password, so that logins are impossible (CPANEL-9559). | 5.3 |
2019-08-08 | CVE-2016-10864 | Netgear | Cross-site Scripting vulnerability in Netgear Ex7000 Firmware NETGEAR EX7000 V1.0.0.42_1.0.94 devices allow XSS via the SSID. | 5.2 |
2019-08-09 | CVE-2019-14798 | 10Web | Path Traversal vulnerability in 10Web Photo Gallery The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter. | 4.9 |
2019-08-08 | CVE-2019-1961 | Cisco | Improper Input Validation vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system (OS) of an affected device. | 4.9 |
2019-08-05 | CVE-2019-14525 | Octopus | Unspecified vulnerability in Octopus Deploy and Octopus Server In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call. | 4.9 |
2019-08-05 | CVE-2017-18464 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor (SEC-226). | 4.9 |
2019-08-09 | CVE-2019-5403 | HP | Cross-site Scripting vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5 A remote multiple cross-site scripting vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1. | 4.8 |
2019-08-09 | CVE-2019-14805 | UNA | Cross-site Scripting vulnerability in UNA 10.0.0 studio/builder_menu.php?page=sets in UNA 10.0.0-RC1 allows XSS via the System Name field under Sets during set editing. | 4.8 |
2019-08-09 | CVE-2019-14804 | UNA | Cross-site Scripting vulnerability in UNA 10.0.0 studio/polyglot.php?page=etemplates in UNA 10.0.0-RC1 allows XSS via the System Name field under Emails during template editing. | 4.8 |
2019-08-08 | CVE-2019-1973 | Cisco | Cross-site Scripting vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure A vulnerability in the web portal framework of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. | 4.8 |
2019-08-08 | CVE-2019-1956 | Cisco | Cross-site Scripting vulnerability in Cisco Spa112 2-Port Phone Adapter Firmware A vulnerability in the web-based interface of the Cisco SPA112 2-Port Phone Adapter could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against another user of the device. | 4.8 |
2019-08-08 | CVE-2019-1949 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center A vulnerability in the web-based management interface of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. | 4.8 |
2019-08-08 | CVE-2019-1960 | Cisco | OS Command Injection vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to read arbitrary files on the underlying operating system (OS) of an affected device. | 4.4 |
2019-08-08 | CVE-2019-1959 | Cisco | OS Command Injection vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to read arbitrary files on the underlying operating system (OS) of an affected device. | 4.4 |
2019-08-05 | CVE-2019-4284 | IBM | Information Exposure Through Log Files vulnerability in IBM Cloud Private IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 could allow a local privileged user to obtain a sensitive OIDC token that is printed to log files, which could be used to log in to the system as another user. | 4.4 |
2019-08-05 | CVE-2017-18465 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 62.0.17 does not have a sufficient list of reserved usernames (SEC-227). | 4.4 |
2019-08-09 | CVE-2018-20826 | Atlassian | Incorrect Authorization vulnerability in Atlassian Jira The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check. | 4.3 |
2019-08-08 | CVE-2019-14682 | ACF | Cross-Site Request Forgery (CSRF) vulnerability in Acf: Better Search Project Acf: Better Search The acf-better-search (aka ACF: Better Search) plugin before 3.3.1 for WordPress allows wp-admin/options-general.php?page=acfbs_admin_page CSRF. | 4.3 |
2019-08-07 | CVE-2019-10389 | Jenkins | Missing Authorization vulnerability in Jenkins Relution Enterprise Appstore Publisher 1.0/1.24 A missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server. | 4.3 |
2019-08-07 | CVE-2019-10388 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Relution Enterprise Appstore Publisher 1.0/1.24 A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server. | 4.3 |
2019-08-07 | CVE-2019-10377 | Jenkins | Missing Authorization vulnerability in Jenkins Avatar 1.0/1.1/1.2 A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins. | 4.3 |
2019-08-06 | CVE-2016-10797 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certificate" page visitors to list all server domains (SEC-133). | 4.3 |
2019-08-05 | CVE-2017-18467 | Cpanel | 7PK - Security Features vulnerability in Cpanel cPanel before 62.0.17 allows access to restricted resources because of a URL filtering error (SEC-229). | 4.3 |
2019-08-08 | CVE-2019-14353 | Trezor | Information Exposure Through Discrepancy vulnerability in Trezor ONE Firmware On Trezor One devices before 1.8.2, a side channel for the row-based OLED display was found. | 4.2 |
9 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-08 | CVE-2019-5301 | Huawei | Unspecified vulnerability in Huawei Honor V20 Firmware Huawei smart phones Honor V20 with the versions before 9.0.1.161(C00E161R2P2) have an information leak vulnerability. | 3.3 |
2019-08-06 | CVE-2016-10796 | Cpanel | Permission Issues vulnerability in Cpanel cPanel before 58.0.4 initially uses weak permissions for Apache HTTP Server log files (SEC-130). | 3.3 |
2019-08-05 | CVE-2019-14671 | Firefly III | Improper Input Validation vulnerability in Firefly-Iii Firefly III 4.7.17.3 Firefly III 4.7.17.3 is vulnerable to local file enumeration. | 3.3 |
2019-08-05 | CVE-2019-10994 | Laquisscada | Out-of-bounds Read vulnerability in Laquisscada Scada 4.3.1.71 Processing a specially crafted project file in LAquis SCADA 4.3.1.71 may trigger an out-of-bounds read, which may allow an attacker to obtain sensitive information. | 3.3 |
2019-08-05 | CVE-2016-10772 | Cpanel | 7PK - Security Features vulnerability in Cpanel cPanel before 60.0.25 does not enforce feature-list restrictions when calling the multilang adminbin (SEC-168). | 3.3 |
2019-08-05 | CVE-2017-18466 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 62.0.17 does not properly recognize domain ownership during addition of parked domains to a mail configuration (SEC-228). | 2.7 |
2019-08-10 | CVE-2019-14357 | Mooltipass | Information Exposure Through Discrepancy vulnerability in Mooltipass Mini Firmware On Mooltipass Mini devices, a side channel for the row-based OLED display was found. | 2.4 |
2019-08-10 | CVE-2019-14355 | Shapeshift | Information Exposure Through Discrepancy vulnerability in Shapeshift Keepkey Firmware On ShapeShift KeepKey devices, a side channel for the row-based OLED display was found. | 2.4 |
2019-08-10 | CVE-2019-14354 | Ledger | Information Exposure Through Discrepancy vulnerability in Ledger Nano S Firmware and Nano X Firmware On Ledger Nano S and Nano X devices, a side channel for the row-based OLED display was found. | 2.4 |