Weekly Vulnerabilities Reports > August 5 to 11, 2019

Overview

318 new vulnerabilities reported during this period, including 28 critical vulnerabilities and 37 high severity vulnerabilities. This weekly summary report vulnerabilities in 890 products from 137 vendors including Cpanel, Cisco, Jenkins, HP, and Microdigital. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Information Exposure", "Out-of-bounds Write", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 270 reported vulnerabilities are remotely exploitables.
  • 5 reported vulnerabilities have public exploit available.
  • 113 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 198 reported vulnerabilities are exploitable by an anonymous user.
  • Cpanel has the most reported vulnerabilities, with 66 reported vulnerabilities.
  • Cisco has the most reported critical vulnerabilities, with 9 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

28 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-09 CVE-2019-5402 HP Unspecified vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5

A remote authorization bypass vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1.

10.0
2019-08-08 CVE-2018-20955 Swann USE of Hard-Coded Credentials vulnerability in Swann Swwhd-Intcam-Hd Firmware

Swann SWWHD-INTCAM-HD devices have the twipc root password, leading to FTP access as root.

10.0
2019-08-08 CVE-2019-1971 Cisco OS Command Injection vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure

A vulnerability in the web portal of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to perform a command injection attack and execute arbitrary commands with root privileges.

10.0
2019-08-07 CVE-2018-20961 Linux Double Free vulnerability in Linux Kernel

In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact.

10.0
2019-08-07 CVE-2019-1913 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system.

10.0
2019-08-06 CVE-2019-14699 Microdigital OS Command Injection vulnerability in Microdigital products

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5.

10.0
2019-08-06 CVE-2019-5685 Nvidia
Microsoft
Out-Of-Bounds Write vulnerability in Nvidia GPU Driver

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially crafted shader can cause an out of bounds access to a shader local temporary array, which may lead to denial of service or code execution.

10.0
2019-08-06 CVE-2019-5684 Nvidia
Microsoft
Out-Of-Bounds Write vulnerability in Nvidia GPU Driver

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially crafted shader can cause an out of bounds access of an input texture array, which may lead to denial of service or code execution.

10.0
2019-08-09 CVE-2019-5399 HP Unspecified vulnerability in HP 3Par Service Processor Firmware

A remote gain authorized access vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1.

9.7
2019-08-09 CVE-2019-5397 HP Cross-Site Scripting vulnerability in HP 3Par Service Processor Firmware

A remote bypass of security restrictions vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1.

9.7
2019-08-09 CVE-2019-5396 HP Unspecified vulnerability in HP 3Par Service Processor Firmware

A remote authentication bypass vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1.

9.7
2019-08-09 CVE-2019-11581 Atlassian Code Injection vulnerability in Atlassian Jira

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions.

9.3
2019-08-08 CVE-2019-14771 Backdropcms Improper Input Validation vulnerability in Backdropcms Backdrop CMS

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the user interface or command line.

9.3
2019-08-07 CVE-2019-1929 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-08-07 CVE-2019-1928 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-08-07 CVE-2019-1927 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-08-07 CVE-2019-1926 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-08-07 CVE-2019-1924 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-08-07 CVE-2019-1925 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-08-09 CVE-2019-5406 HP Session Fixation vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5

A remote session reuse vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1.

9.0
2019-08-07 CVE-2016-10812 Cpanel Improper Input Validation vulnerability in Cpanel

In cPanel before 57.9999.54, /scripts/enablefileprotect exposed TTYs (SEC-117).

9.0
2019-08-07 CVE-2016-10811 Cpanel Information Exposure vulnerability in Cpanel

In cPanel before 57.9999.54, /scripts/unsuspendacct exposed TTYs (SEC-116).

9.0
2019-08-07 CVE-2016-10810 Cpanel Information Exposure vulnerability in Cpanel

In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY to an unprivileged process (SEC-115).

9.0
2019-08-07 CVE-2016-10809 Cpanel Information Exposure vulnerability in Cpanel

In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to an unprivileged process (SEC-114).

9.0
2019-08-07 CVE-2016-10808 Cpanel Improper Input Validation vulnerability in Cpanel

In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).

9.0
2019-08-07 CVE-2019-1914 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an authenticated, remote attacker to perform a command injection attack.

9.0
2019-08-06 CVE-2019-13143 Shenzhen Dragon Brothers Improper Input Validation vulnerability in Shenzhen Dragon Brothers Fb50 Firmware 2.3

An HTTP parameter pollution issue was discovered on Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 2.3.

9.0
2019-08-06 CVE-2016-10788 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).

9.0

37 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-09 CVE-2019-5404 HP Injection vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5

A remote script injection vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1.

8.7
2019-08-07 CVE-2016-10804 Cpanel Improper Input Validation vulnerability in Cpanel

The SQLite journal feature in cPanel before 57.9999.54 allows arbitrary file-overwrite operations during Horde Restore (SEC-58).

8.7
2019-08-06 CVE-2019-13106 Denx Out-Of-Bounds Write vulnerability in Denx U-Boot

Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution.

8.3
2019-08-06 CVE-2019-6000 Canon Out-Of-Bounds Write vulnerability in Canon products

Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via sendhostinfo command.

8.3
2019-08-06 CVE-2019-5999 Canon Out-Of-Bounds Write vulnerability in Canon products

Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via blerequest command.

8.3
2019-08-06 CVE-2019-5998 Canon Out-Of-Bounds Write vulnerability in Canon products

Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via notifybtstatus command.

8.3
2019-08-06 CVE-2019-5994 Canon Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Canon products

Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via SendObjectInfo command.

8.3
2019-08-08 CVE-2019-1957 Cisco Unspecified vulnerability in Cisco IOT Field Network Director

A vulnerability in the web interface of Cisco IoT Field Network Director could allow an unauthenticated, remote attacker to trigger high CPU usage, resulting in a denial of service (DoS) condition on an affected device.

7.8
2019-08-09 CVE-2019-12261 Windriver
Netap
Sonicwall
Siemens
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Wind River VxWorks 6.7 though 6.9 and vx7 has a Buffer Overflow in the TCP component (issue 3 of 4).

7.5
2019-08-09 CVE-2019-12260 Windriver
Netap
Sonicwall
Siemens
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the TCP component (issue 2 of 4).

7.5
2019-08-09 CVE-2019-12255 Windriver
Netap
Sonicwall
Siemens
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4).

7.5
2019-08-09 CVE-2019-12256 Windriver
Netap
Sonicwall
Siemens
Out-Of-Bounds Write vulnerability in multiple products

Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the IPv4 component.

7.5
2019-08-09 CVE-2019-14801 Foliovision SQL Injection vulnerability in Foliovision FV Flowplayer Video Player

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection.

7.5
2019-08-09 CVE-2019-14234 Djangoproject
Fedoraproject
Debian
SQL Injection vulnerability in multiple products

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4.

7.5
2019-08-08 CVE-2019-14754 Open School SQL Injection vulnerability in Open-School 2.3/3.0

Open-School 3.0, and Community Edition 2.3, allows SQL Injection via the index.php?r=students/students/document id parameter.

7.5
2019-08-08 CVE-2019-14255 GO Camo Project Server-Side Request Forgery (SSRF) vulnerability in Go-Camo Project Go-Camo

A Server Side Request Forgery (SSRF) vulnerability in go-camo up to version 1.1.4 allows a remote attacker to perform HTTP requests to internal endpoints.

7.5
2019-08-08 CVE-2019-13101 Dlink Missing Authentication FOR Critical Function vulnerability in Dlink Dir-600M Firmware

An issue was discovered on D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices.

7.5
2019-08-07 CVE-2019-1895 Cisco Missing Authentication FOR Critical Function vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure

A vulnerability in the Virtual Network Computing (VNC) console implementation of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to access the VNC console session of an administrative user on an affected device.

7.5
2019-08-07 CVE-2019-5476 Nextcloud SQL Injection vulnerability in Nextcloud Lookup-Server 0.2.0

An SQL Injection in the Nextcloud Lookup-Server < v0.3.0 (running on https://lookup.nextcloud.com) caused unauthenticated users to be able to execute arbitrary SQL commands.

7.5
2019-08-07 CVE-2019-14537 Yourls Type Confusion vulnerability in Yourls 1.7/1.7.3

YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass.

7.5
2019-08-07 CVE-2019-14746 Kuaifan Code Injection vulnerability in Kuaifan Kuaifancms 5.0

A issue was discovered in KuaiFanCMS 5.0.

7.5
2019-08-06 CVE-2019-14708 Microdigital Buffer Errors vulnerability in Microdigital products

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5.

7.5
2019-08-06 CVE-2019-14704 Microdigital Server-Side Request Forgery (SSRF) vulnerability in Microdigital products

An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 via FTP commands following a newline character in the uploadfile field.

7.5
2019-08-06 CVE-2019-14702 Microdigital SQL Injection vulnerability in Microdigital products

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5.

7.5
2019-08-06 CVE-2019-14698 Microdigital Buffer Errors vulnerability in Microdigital products

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5.

7.5
2019-08-06 CVE-2019-14697 Musl Libc Out-Of-Bounds Write vulnerability in Musl-Libc Musl

musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory.

7.5
2019-08-06 CVE-2019-14695 Sygnoos SQL Injection vulnerability in Sygnoos Popup Builder

A SQL injection vulnerability exists in the Sygnoos Popup Builder plugin before 3.45 for WordPress.

7.5
2019-08-05 CVE-2019-14348 Beardev SQL Injection vulnerability in Beardev Joomsport 3.3

The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter.

7.5
2019-08-09 CVE-2019-3744 Dell Path Traversal vulnerability in Dell Digital Delivery 3.5.1/3.5.2/3.5.2006

Dell/Alienware Digital Delivery versions prior to 4.0.41 contain a privilege escalation vulnerability.

7.2
2019-08-09 CVE-2019-3742 Dell Unspecified vulnerability in Dell Digital Delivery 3.5.1/3.5.2/3.5.2006

Dell/Alienware Digital Delivery versions prior to 3.5.2013 contain a privilege escalation vulnerability.

7.2
2019-08-08 CVE-2019-1972 Cisco Unspecified vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure

A vulnerability the Cisco Enterprise NFV Infrastructure Software (NFVIS) restricted CLI could allow an authenticated, local attacker with valid administrator-level credentials to elevate privileges and execute arbitrary commands on the underlying operating system as root.

7.2
2019-08-07 CVE-2019-14743 Valvesoftware
Microsoft
Incorrect Permission Assignment FOR Critical Resource vulnerability in Valvesoftware Steam Client

In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit "Full control" for the Users group, which allows local users to gain NT AUTHORITY\SYSTEM access.

7.2
2019-08-06 CVE-2019-5683 Nvidia
Microsoft
Link Following vulnerability in Nvidia GPU Driver

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in the user mode video driver trace logger component.

7.2
2019-08-06 CVE-2019-5682 Nvidia
Google
Unspecified vulnerability in Nvidia Shield Experience

NVIDIA Shield TV Experience prior to v8.0, contains a vulnerability in the NVIDIA Games App where it improperly exports an Activity but does not properly restrict which applications can launch the Activity, which may lead to code execution or denial of service.

7.2
2019-08-06 CVE-2019-5679 Nvidia
Google
Improper Authentication vulnerability in Nvidia Shield Experience

NVIDIA Shield TV Experience prior to v8.0, NVIDIA Tegra bootloader contains a vulnerability in nvtboot where the Trusted OS image is improperly authenticated, which may lead to code execution, denial of service, escalation of privileges, and information disclosure, code execution, denial of service, or escalation of privileges

7.2
2019-08-06 CVE-2019-6001 Canon Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Canon products

Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via setadapterbatteryreport command.

7.2
2019-08-05 CVE-2019-3717 Dell Unspecified vulnerability in Dell products

Select Dell Client Commercial and Consumer platforms contain an Improper Access Vulnerability.

7.2

189 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-11 CVE-2019-14934 Pdfresurrect Project Out-Of-Bounds Write vulnerability in Pdfresurrect Project Pdfresurrect

An issue was discovered in PDFResurrect before 0.18.

6.8
2019-08-11 CVE-2019-14933 Webkul Cross-Site Request Forgery (CSRF) vulnerability in Webkul Bagisto 0.1.5

Bagisto 0.1.5 allows CSRF under /admin URIs.

6.8
2019-08-09 CVE-2019-12263 Windriver
Netap
Sonicwall
Siemens
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Wind River VxWorks 6.9.4 and vx7 has a Buffer Overflow in the TCP component (issue 4 of 4).

6.8
2019-08-09 CVE-2019-12805 Ncsoft Command Injection vulnerability in Ncsoft NC Launcher2 2.4.1.691

NCSOFT Game Launcher, NC Launcher2 2.4.1.691 and earlier versions have a vulnerability in the custom protocol handler that could allow remote attacker to execute arbitrary command.

6.8
2019-08-08 CVE-2016-10863 Edimax Cross-Site Request Forgery (CSRF) vulnerability in Edimax 7237Rpd Firmware and Ew-7438Rpn Mini Firmware

Edimax Wi-Fi Extender devices allow goform/formwlencryptvxd CSRF with resultant PSK key disclosure.

6.8
2019-08-08 CVE-2016-10862 Neetcables Cross-Site Request Forgery (CSRF) vulnerability in Neetcables Airstream NAS Firmware 1.1

Neet AirStream NAS1.1 devices have a password of ifconfig for the root account.

6.8
2019-08-08 CVE-2015-9292 6Kbbs Cross-Site Request Forgery (CSRF) vulnerability in 6Kbbs 7.1/8.0

6kbbs 7.1 and 8.0 allows CSRF via portalchannel_ajax.php (id or code parameter) or admin.php (fileids parameter).

6.8
2019-08-08 CVE-2019-14681 Deny ALL Firewall Project Cross-Site Request Forgery (CSRF) vulnerability in Deny ALL Firewall Project Deny ALL Firewall

The Deny All Firewall plugin before 1.1.7 for WordPress allows wp-admin/options-general.php?page=daf_settings&daf_remove=true CSRF.

6.8
2019-08-08 CVE-2019-5238 Huawei Unspecified vulnerability in Huawei Pcmanager(China) and Pcmanager(Oversea)

Huawei PCManager with the versions before 9.0.1.66 (Oversea) and versions before 9.0.1.70 (China) have a code execution vulnerability.

6.8
2019-08-08 CVE-2019-5237 Huawei Unspecified vulnerability in Huawei Pcmanager(China) and Pcmanager(Oversea)

Huawei PCManager with the versions before 9.0.1.66 (Oversea) and versions before 9.0.1.70 (China) have a code execution vulnerability.

6.8
2019-08-08 CVE-2019-5236 Huawei Double Free vulnerability in Huawei Emily-L29C Firmware

Huawei smart phones Emily-L29C with versions of 8.1.0.132a(C432), 8.1.0.135(C782), 8.1.0.154(C10), 8.1.0.154(C461), 8.1.0.154(C635), 8.1.0.156(C185), 8.1.0.156(C605), 8.1.0.159(C636) have a double free vulnerability.

6.8
2019-08-08 CVE-2019-1961 Cisco Information Exposure Through LOG Files vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure 3.5.1/3.5.2

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system (OS) of an affected device.

6.8
2019-08-08 CVE-2019-1958 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Hyperflex HX Data Platform

A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.

6.8
2019-08-07 CVE-2019-14749 Osticket Unspecified vulnerability in Osticket

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.

6.8
2019-08-07 CVE-2019-14745 Radare Command Injection vulnerability in Radare Radare2

In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c.

6.8
2019-08-07 CVE-2019-14432 Loom Improper Authentication vulnerability in Loom

Incorrect authentication of application WebSocket connections in Loom Desktop for Mac up to 0.16.0 allows remote code execution from either malicious JavaScript in a browser or hosts on the same network, during periods in which a user is recording a video with the application.

6.8
2019-08-07 CVE-2019-10386 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins XL Testview

A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.8
2019-08-07 CVE-2019-10368 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Jclouds

A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.8
2019-08-07 CVE-2016-10800 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 58.0.4 allows demo-mode escape via Site Templates and Boxtrapper API calls (SEC-138).

6.8
2019-08-07 CVE-2019-14734 Adplug Project Out-Of-Bounds Write vulnerability in Adplug Project Adplug 2.3.1

AdPlug 2.3.1 has multiple heap-based buffer overflows in CmtkLoader::load() in mtk.cpp.

6.8
2019-08-07 CVE-2019-14733 Adplug Project
Fedoraproject
Out-Of-Bounds Write vulnerability in multiple products

AdPlug 2.3.1 has multiple heap-based buffer overflows in CradLoader::load() in rad.cpp.

6.8
2019-08-07 CVE-2019-14732 Adplug Project
Fedoraproject
Out-Of-Bounds Write vulnerability in multiple products

AdPlug 2.3.1 has multiple heap-based buffer overflows in Ca2mLoader::load() in a2m.cpp.

6.8
2019-08-06 CVE-2019-14703 Microdigital Cross-Site Request Forgery (CSRF) vulnerability in Microdigital products

A CSRF issue was discovered in webparam?user&action=set&param=add in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 to create an admin account.

6.8
2019-08-06 CVE-2019-13105 Denx Double Free vulnerability in Denx U-Boot 2019.07

Das U-Boot versions 2019.07-rc1 through 2019.07-rc4 can double-free a cached block of data when listing files in a crafted ext4 filesystem.

6.8
2019-08-06 CVE-2019-13104 Denx Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Denx U-Boot

In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow can cause memcpy() to overwrite a very large amount of data (including the whole stack) while reading a crafted ext4 filesystem.

6.8
2019-08-06 CVE-2019-14692 Adplug Project
Fedoraproject
Out-Of-Bounds Write vulnerability in multiple products

AdPlug 2.3.1 has a heap-based buffer overflow in CmkjPlayer::load() in mkj.cpp.

6.8
2019-08-06 CVE-2019-14691 Adplug Project Out-Of-Bounds Write vulnerability in Adplug Project Adplug 2.3.1

AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in dtm.cpp.

6.8
2019-08-06 CVE-2019-14690 Adplug Project Out-Of-Bounds Write vulnerability in Adplug Project Adplug 2.3.1

AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream() in bmf.cpp.

6.8
2019-08-05 CVE-2019-10980 Laquisscada Incorrect Type Conversion OR Cast vulnerability in Laquisscada Scada 4.3.1.71

A type confusion vulnerability may be exploited when LAquis SCADA 4.3.1.71 processes a specially crafted project file.

6.8
2019-08-05 CVE-2017-18474 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 62.0.4 allows arbitrary file-read operations via Exim valiases (SEC-201).

6.8
2019-08-05 CVE-2016-10775 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173).

6.8
2019-08-09 CVE-2019-5407 HP Unspecified vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5

A remote information disclosure vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1.

6.5
2019-08-09 CVE-2019-5400 HP Session Fixation vulnerability in HP 3Par Service Processor Firmware

A remote session reuse vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1.

6.5
2019-08-09 CVE-2019-5395 HP Unrestricted Upload of File With Dangerous Type vulnerability in HP 3Par Service Processor Firmware

A remote arbitrary file upload vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1.

6.5
2019-08-09 CVE-2017-18486 Jitbit Insufficient Entropy in PRNG vulnerability in Jitbit Helpdesk

Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter.

6.5
2019-08-08 CVE-2019-12994 Zohocorp Server-Side Request Forgery (SSRF) vulnerability in Zohocorp Manageengine Assetexplorer 6.2.0

Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer version 6.2.0 for the AJaxServlet servlet via a parameter in a URL.

6.5
2019-08-08 CVE-2019-12959 Zohocorp Server-Side Request Forgery (SSRF) vulnerability in Zohocorp Manageengine Assetexplorer 4.0/5.6/6.1

Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer 6.2.0 and before for the ClientUtilServlet servlet via a URL in a parameter.

6.5
2019-08-08 CVE-2019-11208 Tibco Unspecified vulnerability in Tibco API Exchange Gateway

The authorization component of TIBCO Software Inc.'s TIBCO API Exchange Gateway, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically processes OAuth authorization incorrectly, leading to potential escalation of privileges for the specific customer endpoint, when the implementation uses multiple scopes.

6.5
2019-08-07 CVE-2019-1934 Cisco Unspecified vulnerability in Cisco Adaptive Security Appliance Software

A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to elevate privileges and execute administrative functions on an affected device.

6.5
2019-08-07 CVE-2019-10380 Jenkins 7PK - Security Features vulnerability in Jenkins Simple Travis Pipeline Runner 1.0

Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

6.5
2019-08-07 CVE-2016-10805 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).

6.5
2019-08-07 CVE-2016-10802 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 58.0.4 allows code execution in the context of other user accounts through the PHP CGI handler (SEC-142).

6.5
2019-08-07 CVE-2016-10801 Cpanel Injection vulnerability in Cpanel

cPanel before 58.0.4 has improper session handling for shared users (SEC-139).

6.5
2019-08-06 CVE-2019-14707 Microdigital Unspecified vulnerability in Microdigital products

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5.

6.5
2019-08-06 CVE-2019-14705 Microdigital Improper Authentication vulnerability in Microdigital products

An Incorrect Access Control issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5 because any valid cookie can be used to make requests as an admin.

6.5
2019-08-06 CVE-2019-14473 EQ 3 Missing Authorization vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware

eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but lack authorization checks.

6.5
2019-08-06 CVE-2019-14347 Schben Forced Browsing vulnerability in Schben Adive

Internal/Views/addUsers.php in Schben Adive 2.0.7 allows remote unprivileged users (editor or developer) to create an administrator account via admin/user/add, as demonstrated by a Python PoC script.

6.5
2019-08-06 CVE-2016-10793 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 59.9999.145 allows arbitrary code execution due to an incorrect #! in Mail::SPF scripts (SEC-152).

6.5
2019-08-06 CVE-2016-10792 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 59.9999.145 allows code execution in the context of other accounts via mailman list archives (SEC-141).

6.5
2019-08-06 CVE-2016-10789 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).

6.5
2019-08-05 CVE-2017-18475 Cpanel Improper Input Validation vulnerability in Cpanel

In cPanel before 62.0.4, Exim piped filters ran in the context of an incorrect user account when delivering to a system user (SEC-204).

6.5
2019-08-05 CVE-2017-18469 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 62.0.17 allows demo accounts to execute code via an NVData_fetchinc API call (SEC-233).

6.5
2019-08-05 CVE-2016-10773 Cpanel USE of Externally-Controlled Format String vulnerability in Cpanel

cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171).

6.5
2019-08-05 CVE-2017-18468 Cpanel Code Injection vulnerability in Cpanel

cPanel before 62.0.17 allows demo accounts to execute code via the Htaccess::setphppreference API (SEC-232).

6.5
2019-08-05 CVE-2019-14654 Joomla Unspecified vulnerability in Joomla Joomla! 3.9.7/3.9.8

In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

6.5
2019-08-09 CVE-2019-5408 HP Unspecified vulnerability in HP products

Command View Advanced Edition (CVAE) products contain a vulnerability that could expose configuration information of hosts and storage systems that are managed by Device Manager server.

6.4
2019-08-08 CVE-2019-14773 Webcraftic Unspecified vulnerability in Webcraftic Woody AD Snippets

admin/includes/class.actions.snippet.php in the "Woody ad snippets" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close&post= deletion.

6.4
2019-08-08 CVE-2019-1946 Cisco Improper Authentication vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure 3.5.1/3.5.2

A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and get limited access to the web-based management interface.

6.4
2019-08-07 CVE-2019-1912 Cisco Incorrect Authorization vulnerability in Cisco products

A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.

6.4
2019-08-05 CVE-2019-5502 Netapp Cryptographic Issues vulnerability in Netapp Data Ontap

SMB in Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 has weak cryptography which when exploited could lead to information disclosure or addition or modification of data.

6.4
2019-08-07 CVE-2019-1918 Cisco Incorrect Calculation vulnerability in Cisco Carrier Routing System and IOS XR

A vulnerability in the implementation of Intermediate System&ndash;to&ndash;Intermediate System (IS&ndash;IS) routing protocol functionality in Cisco IOS XR Software could allow an unauthenticated attacker who is in the same IS-IS area to cause a denial of service (DoS) condition.

6.1
2019-08-07 CVE-2019-1910 Cisco Improper Input Validation vulnerability in Cisco Carrier Routing System and IOS XR

A vulnerability in the implementation of the Intermediate System&ndash;to&ndash;Intermediate System (IS&ndash;IS) routing protocol functionality in Cisco IOS XR Software could allow an unauthenticated attacker who is in the same IS&ndash;IS area to cause a denial of service (DoS) condition.

6.1
2019-08-06 CVE-2019-2386 Mongodb Insufficient Session Expiration vulnerability in Mongodb

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones.

6.0
2019-08-09 CVE-2019-11042 PHP
Debian
Canonical
Apple
Opensuse
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

When PHP EXIF extension is parsing EXIF information from an image, e.g.

5.8
2019-08-09 CVE-2019-11041 PHP
Debian
Canonical
Apple
Opensuse
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

When PHP EXIF extension is parsing EXIF information from an image, e.g.

5.8
2019-08-09 CVE-2019-12257 Windriver
Netap
Sonicwall
Siemens
Out-Of-Bounds Write vulnerability in multiple products

Wind River VxWorks 6.6 through 6.9 has a Buffer Overflow in the DHCP client component.

5.8
2019-08-08 CVE-2018-20957 Tapplock Improper Access Control vulnerability in Tapplock One+ Firmware

The Bluetooth Low Energy (BLE) subsystem on Tapplock devices before 2018-06-12 allows replay attacks.

5.8
2019-08-08 CVE-2017-18485 Elementalpath Cross-Site Request Forgery (CSRF) vulnerability in Elementalpath Cognitoys Dino Firmware

Cognitoys Dino devices allow profiles_add.html CSRF.

5.8
2019-08-08 CVE-2019-1954 Cisco Open Redirect vulnerability in Cisco Webex Meetings Server

A vulnerability in the web-based management interface of Cisco Webex Meetings Server Software could allow an unauthenticated, remote attacker to redirect a user to an undesired web page.

5.8
2019-08-07 CVE-2019-10382 Jenkins Improper Certificate Validation vulnerability in Jenkins VMWare LAB Manager Slaves

Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

5.8
2019-08-07 CVE-2019-10372 Jenkins Open Redirect vulnerability in Jenkins Gitlab Oauth

An open redirect vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows attackers to redirect users to a URL outside Jenkins after successful login.

5.8
2019-08-05 CVE-2016-10769 Cpanel Open Redirect vulnerability in Cpanel

cPanel before 60.0.25 allows an open redirect via /cgi-sys/FormMail-clone.cgi (SEC-162).

5.8
2019-08-09 CVE-2019-14793 Metabox Missing Authorization vulnerability in Metabox Meta BOX

The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id parameter.

5.5
2019-08-08 CVE-2019-14693 Zohocorp XXE vulnerability in Zohocorp Manageengine Assetexplorer 6.2.0

Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data.

5.5
2019-08-07 CVE-2019-11653 Microfocus Unspecified vulnerability in Microfocus Content Manager 9.1.0/9.2.0/9.3.0

Remote Access Control Bypass in Micro Focus Content Manager.

5.5
2019-08-06 CVE-2016-10787 Cpanel Improper Input Validation vulnerability in Cpanel

The Host Access Control feature in cPanel before 60.0.25 mishandles actionless host.deny entries (SEC-187).

5.5
2019-08-05 CVE-2016-10771 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 60.0.25 allows file-create and file-chmod operations during ModSecurity Audit logfile processing (SEC-165).

5.5
2019-08-05 CVE-2016-10770 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164).

5.5
2019-08-05 CVE-2016-10768 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 60.0.25 allows file-overwrite operations during preparation for MySQL upgrades (SEC-161).

5.5
2019-08-05 CVE-2017-18464 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor (SEC-226).

5.5
2019-08-07 CVE-2019-14744 KDE
Debian
OS Command Injection vulnerability in multiple products

In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction.

5.1
2019-08-10 CVE-2019-14924 Gcdwebserver Project Information Exposure vulnerability in Gcdwebserver Project Gcdwebserver

An issue was discovered in GCDWebServer before 3.5.3.

5.0
2019-08-09 CVE-2019-12258 Windriver
Netap
Sonicwall
Siemens
Session Fixation vulnerability in multiple products

Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component.

5.0
2019-08-09 CVE-2019-12265 Windriver
Netap
Sonicwall
Siemens
Memory Leak vulnerability in multiple products

Wind River VxWorks 6.5, 6.6, 6.7, 6.8, 6.9.3 and 6.9.4 has a Memory Leak in the IGMPv3 client component.

5.0
2019-08-09 CVE-2019-12259 Windriver
Netap
Sonicwall
Siemens
Null Pointer Dereference vulnerability in multiple products

Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and vx7 has an array index error in the IGMPv3 client component.

5.0
2019-08-09 CVE-2019-5405 HP Unspecified vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5

A remote authorization bypass vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1.

5.0
2019-08-09 CVE-2019-14806 Palletsprojects Insufficient Entropy vulnerability in Palletsprojects Werkzeug

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.

5.0
2019-08-09 CVE-2019-14794 Metabox Data Processing Errors vulnerability in Metabox Meta BOX

The Meta Box plugin before 4.16.2 for WordPress mishandles the uploading of files to custom folders.

5.0
2019-08-08 CVE-2018-20954 Mailpile Improper Authentication vulnerability in Mailpile

The "Security and Privacy" Encryption feature in Mailpile before 1.0.0rc4 does not exclude disabled, revoked, and expired keys.

5.0
2019-08-08 CVE-2019-13176 3CX XXE vulnerability in 3CX 12.5/12.5.44178.1002

An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2.

5.0
2019-08-08 CVE-2019-1970 Cisco Protection Mechanism Failure vulnerability in Cisco products

A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol inspection engine of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the configured file policies on an affected system.

5.0
2019-08-08 CVE-2019-1955 Cisco Improper Input Validation vulnerability in Cisco Email Security Appliance Firmware 12.0/3.3.109

A vulnerability in the Sender Policy Framework (SPF) functionality of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to bypass configured user filters on the device.

5.0
2019-08-08 CVE-2019-1951 Cisco Unspecified vulnerability in Cisco Sd-Wan Firmware

A vulnerability in the packet filtering features of Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to bypass L3 and L4 traffic filters.

5.0
2019-08-07 CVE-2019-14474 EQ 3 Improper Input Validation vulnerability in Eq-3 Ccu3 Firmware

eQ-3 Homematic CCU3 3.47.15 and prior has Improper Input Validation in function 'Call()' of ReGa core logic process, resulting in the ability to start a Denial of Service.

5.0
2019-08-07 CVE-2019-10371 Jenkins Session Fixation vulnerability in Jenkins Gitlab Oauth

A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

5.0
2019-08-07 CVE-2018-14383 Ttpsc XXE vulnerability in Ttpsc the Scheduler 5.1.3

The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser.

5.0
2019-08-07 CVE-2016-5431 PHP Jose Project Cryptographic Issues vulnerability in PHP Jose Project PHP Jose

The PHP JOSE Library by Gree Inc.

5.0
2019-08-07 CVE-2016-10803 Cpanel Crlf Injection vulnerability in Cpanel

cPanel before 57.9999.105 allows newline injection via LOC records (CPANEL-6923).

5.0
2019-08-06 CVE-2019-14709 Microdigital Insufficiently Protected Credentials vulnerability in Microdigital products

A cleartext password storage issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5.

5.0
2019-08-06 CVE-2019-14706 Microdigital Buffer Errors vulnerability in Microdigital products

A denial of service issue in HTTPD was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5.

5.0
2019-08-06 CVE-2019-14701 Microdigital Path Traversal vulnerability in Microdigital products

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5.

5.0
2019-08-06 CVE-2019-14700 Microdigital Path Traversal vulnerability in Microdigital products

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5.

5.0
2019-08-06 CVE-2016-10791 Cpanel Credentials Management vulnerability in Cpanel

cPanel before 60.0.15 does not ensure that system accounts lack a valid password, so that logins are impossible (CPANEL-9559).

5.0
2019-08-06 CVE-2016-10790 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net (SEC-192).

5.0
2019-08-05 CVE-2019-14475 EQ 3 Missing Authorization vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware

eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use session IDs for authentication but lack authorization checks.

5.0
2019-08-05 CVE-2019-11270 Pivotal Software 7PK - Security Features vulnerability in Pivotal Software products

Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.

5.0
2019-08-05 CVE-2017-18476 Cpanel 7PK - Security Features vulnerability in Cpanel

Leech Protect in cPanel before 62.0.4 does not protect certain directories (SEC-205).

5.0
2019-08-05 CVE-2019-14521 Emca Path Traversal vulnerability in Emca Energy Logserver 6.1.2

The api/admin/logoupload Logo File upload feature in EMCA Energy Logserver 6.1.2 allows attackers to send any kind of file to any location on the server via path traversal in the filename parameter.

5.0
2019-08-05 CVE-2017-18462 Cpanel 7PK - Security Features vulnerability in Cpanel

cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based protection is enabled (SEC-224).

5.0
2019-08-08 CVE-2019-14683 Codection Cross-Site Request Forgery (CSRF) vulnerability in Codection Import Users From CSV With Meta

The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.

4.9
2019-08-08 CVE-2019-14335 Dlink Unspecified vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware

An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices.

4.9
2019-08-07 CVE-2019-14763 Linux Numeric Errors vulnerability in Linux Kernel

In the Linux kernel before 4.16.4, a double-locking error in drivers/usb/dwc3/gadget.c may potentially cause a deadlock with f_hid.

4.9
2019-08-07 CVE-2016-10798 Cpanel Race Condition vulnerability in Cpanel

cPanel before 58.0.4 allows a file-ownership change (to nobody) via rearrangeacct (SEC-134).

4.9
2019-08-06 CVE-2019-5686 Nvidia
Microsoft
Improper Input Validation vulnerability in Nvidia GPU Driver

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software uses an API function or data structure in a way that relies on properties that are not always guaranteed to be valid, which may lead to denial of service.

4.9
2019-08-08 CVE-2018-20960 Nespresso Unspecified vulnerability in Nespresso Prodigo Firmware

Nespresso Prodigio devices lack Bluetooth connection security.

4.8
2019-08-07 CVE-2018-20959 Jura Unspecified vulnerability in Jura E8 Firmware

Jura E8 devices lack Bluetooth connection security.

4.8
2019-08-06 CVE-2019-5995 Canon Missing Authorization vulnerability in Canon products

Missing authorization vulnerability exists in EOS series digital cameras (EOS-1D X firmware version 2.1.0 and earlier, EOS-1D X MKII firmware version 1.1.6 and earlier, EOS-1D C firmware version 1.4.1 and earlier, EOS 5D MARK III firmware version 1.3.5 and earlier, EOS 5D MARK IV firmware version 1.2.0 and earlier, EOS 5DS firmware version 1.1.2 and earlier, EOS 5DS R firmware version 1.1.2 and earlier, EOS 6D firmware version 1.1.8 and earlier, EOS 6D MARK II firmware version 1.0.4 and earlier, EOS 7D MARK II firmware version 1.1.2 and earlier, EOS 70 D firmware version 1.1.2 and earlier, EOS 80 D firmware version 1.0.2 and earlier, EOS KISS X7I / EOS D REBEL T5I / EOS 700D firmware version 1.1.5 and earlier, EOS KISS X8I / EOS D REBEL T6I / EOS 750D firmware version 1.0.0 and earlier, EOS KISS X9I / EOS D REBEL T7I / EOS 800D firmware version 1.0.1 and earlier, EOS KISS X7 / EOS D REBEL SL1 / EOS 100D firmware version 1.0.1 and earlier, EOS KISS X9 / EOS D REBEL SL2 / EOS 200D firmware version 1.0.1 and earlier, EOS KISS X10 / EOS D REBEL SL3 / EOS 200D / EOS 250D firmware version 1.0.1 and earlier, EOS 8000D / EOS D REBEL T6S / EOS 760D firmware version 1.0.0 and earlier, EOS 9000D / EOS 77D firmware version 1.0.2 and earlier, EOS KISS X70 / EOS D REBEL T5 / EOS 1200D firmware version 1.0.2 and earlier, EOS D REBEL T5 RE / EOS 1200D MG / EOS HI firmware version 1.0.2 and earlier, EOS KISS X80 / EOS D REBEL T6 / EOS 1300D firmware version 1.1.0 and earlier, EOS KISS X90 / EOS D REBEL T7 / EOS 1500D / EOS 2000D firmware version 1.0.0 and earlier, EOS D REBEL T100 / EOS 3000D / EOS 4000D firmware version 1.0.0 and earlier, EOS R firmware version 1.3.0 and earlier, EOS RP firmware version 1.2.0 and earlier, EOS RP GOLD firmware version 1.2.0 and earlier, EOS M2 firmware version 1.0.3 and earlier, EOS M3 firmware version 1.2.0 and earlier, EOS M5 firmware version 1.0.1 and earlier, EOS M6 firmware version 1.0.1 and earlier, EOS M6(China) firmware version 5.0.0 and earlier, EOS M10 firmware version 1.1.0 and earlier, EOS M100 firmware version 1.0.0 and earlier, EOS KISS M / EOS M50 firmware version 1.0.2 and earlier) and PowerShot SX740 HS firmware version 1.0.1 and earlier, PowerShot SX70 HS firmware version 1.1.0 and earlier, and PowerShot G5Xmark II firmware version 1.0.1 and earlier.

4.8
2019-08-05 CVE-2019-12264 Windriver Argument Injection OR Modification vulnerability in Windriver Vxworks

Wind River VxWorks 6.6, 6.7, 6.8, 6.9.3, 6.9.4, and Vx7 has Incorrect Access Control in IPv4 assignment by the ipdhcpc DHCP client component.

4.8
2019-08-08 CVE-2019-1952 Cisco Path Traversal vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure 3.5.1/3.5.2

A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to overwrite or read arbitrary files.

4.6
2019-08-07 CVE-2019-1945 Cisco Improper Input Validation vulnerability in Cisco Adaptive Security Appliance Software

Multiple vulnerabilities in the smart tunnel functionality of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, local attacker to elevate privileges to the root user or load a malicious library file while the tunnel is being established.

4.6
2019-08-05 CVE-2019-4473 IBM Uncontrolled Search Path Element vulnerability in IBM Java 7.0.0.0/7.1.4.50/8.0

Multiple binaries in IBM SDK, Java Technology Edition 7, 7R, and 8 on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users.

4.6
2019-08-07 CVE-2019-1944 Cisco Incorrect Permission Assignment FOR Critical Resource vulnerability in Cisco Adaptive Security Appliance Software

Multiple vulnerabilities in the smart tunnel functionality of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, local attacker to elevate privileges to the root user or load a malicious library file while the tunnel is being established.

4.4
2019-08-09 CVE-2019-14807 Mediawiki Cross-Site Scripting vulnerability in Mediawiki Mobilefrontend 1.31.0/1.32.0/1.33.0

In the MobileFrontend extension 1.31 through 1.33 for MediaWiki, XSS exists within the edit summary field in includes/specials/MobileSpecialPageFeed.php.

4.3
2019-08-09 CVE-2019-11274 Cloudfoundry Cross-Site Scripting vulnerability in Cloudfoundry User Account and Authentication

Cloud Foundry UAA, versions prior to 74.0.0, is vulnerable to an XSS attack.

4.3
2019-08-09 CVE-2019-11776 Eclipse Cross-Site Scripting vulnerability in Eclipse Business Intelligence and Reporting Tools

In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflected XSS in URL parameter.

4.3
2019-08-09 CVE-2018-20858 EDX Cross-Site Scripting vulnerability in EDX Recommender

Recommender before 2018-07-18 allows XSS.

4.3
2019-08-09 CVE-2019-14791 Codepeople Cross-Site Scripting vulnerability in Codepeople Appointment Booking Calendar 1.3.18

The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter.

4.3
2019-08-09 CVE-2019-14799 Foliovision Cross-Site Scripting vulnerability in Foliovision FV Flowplayer Video Player

The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS.

4.3
2019-08-09 CVE-2016-10865 23Systems Cross-Site Request Forgery (CSRF) vulnerability in 23Systems Lightbox Plus Colorbox 2.7.2

The Lightbox Plus Colorbox plugin through 2.7.2 for WordPress has cross-site request forgery (CSRF) via wp-admin/admin.php?page=lightboxplus, as demonstrated by resultant width XSS.

4.3
2019-08-08 CVE-2017-18484 Elementalpath Cross-Site Scripting vulnerability in Elementalpath Cognitoys Dino Firmware

Cognitoys Dino devices allow XSS via the SSID.

4.3
2019-08-08 CVE-2019-14774 Getwooplugins Cross-Site Scripting vulnerability in Getwooplugins Woo-Variation-Swatches 1.0.61

The woo-variation-swatches (aka Variation Swatches for WooCommerce) plugin 1.0.61 for WordPress allows XSS via the wp-admin/admin.php?page=woo-variation-swatches-settings tab parameter.

4.3
2019-08-08 CVE-2019-14682 ACF Cross-Site Request Forgery (CSRF) vulnerability in Acf: Better Search Project Acf: Better Search

The acf-better-search (aka ACF: Better Search) plugin before 3.3.1 for WordPress allows wp-admin/options-general.php?page=acfbs_admin_page CSRF.

4.3
2019-08-08 CVE-2019-14679 Reputeinfosystems Cross-Site Request Forgery (CSRF) vulnerability in Reputeinfosystems Arprice Lite 2.2

core/views/arprice_import_export.php in the ARPrice Lite plugin 2.2 for WordPress allows wp-admin/admin.php?page=arplite_import_export CSRF.

4.3
2019-08-08 CVE-2018-20962 Backpackforlaravel Cross-Site Scripting vulnerability in Backpackforlaravel BackpackCrud

The Backpack\CRUD Backpack component before 3.4.9 for Laravel allows XSS via the select field type.

4.3
2019-08-08 CVE-2019-12397 Apache Cross-Site Scripting vulnerability in Apache Ranger

Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue.

4.3
2019-08-08 CVE-2019-5301 Huawei Unspecified vulnerability in Huawei Honor V20 Firmware

Huawei smart phones Honor V20 with the versions before 9.0.1.161(C00E161R2P2) have an information leak vulnerability.

4.3
2019-08-08 CVE-2019-5239 Huawei Unspecified vulnerability in Huawei Pcmanager(China) and Pcmanager(Oversea)

Huawei PCManager with the versions before 9.0.1.66 (Oversea) and versions before 9.0.1.70 (China) have an information leak vulnerability.

4.3
2019-08-08 CVE-2019-14772 Verdaccio Cross-Site Scripting vulnerability in Verdaccio

verdaccio before 3.12.0 allows XSS.

4.3
2019-08-08 CVE-2018-19855 Uipath Unspecified vulnerability in Uipath Orchestrator

UiPath Orchestrator before 2018.3.4 allows CSV Injection, related to the Audit export, Robot log export, and Transaction log export features.

4.3
2019-08-08 CVE-2019-14770 Backdropcms Cross-Site Scripting vulnerability in Backdropcms Backdrop Core

In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality.

4.3
2019-08-08 CVE-2019-14769 Backdropcms Cross-Site Scripting vulnerability in Backdropcms Backdrop

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators.

4.3
2019-08-07 CVE-2019-14750 Osticket Cross-Site Scripting vulnerability in Osticket

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.

4.3
2019-08-07 CVE-2019-10099 Apache Cryptographic Issues vulnerability in Apache Spark

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true.

4.3
2019-08-07 CVE-2019-14747 Diaowen Cross-Site Scripting vulnerability in Diaowen Dwsurvey 20190722

DWSurvey through 2019-07-22 has stored XSS via the design/my-survey-design!copySurvey.action surveyName parameter.

4.3
2019-08-07 CVE-2019-10388 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Relution Enterprise Appstore Publisher 1.0/1.24

A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.

4.3
2019-08-07 CVE-2019-10381 Jenkins Improper Certificate Validation vulnerability in Jenkins Codefresh Integration

Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

4.3
2019-08-07 CVE-2019-10376 Jenkins Cross-Site Scripting vulnerability in Jenkins Wall Display

A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

4.3
2019-08-07 CVE-2019-10370 Jenkins Credentials Management vulnerability in Jenkins Mask Passwords

Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure.

4.3
2019-08-07 CVE-2017-18483 Annke Cross-Site Scripting vulnerability in Annke SP1 Firmware 3.4.1.160407110

ANNKE SP1 HD wireless camera 3.4.1.1604071109 devices allow XSS via a crafted SSID.

4.3
2019-08-07 CVE-2016-10861 Neetcables Cross-Site Request Forgery (CSRF) vulnerability in Neetcables Airstream Nas1.1 Firmware

Neet AirStream NAS1.1 devices allow CSRF attacks that cause the settings binary to change the AP name and password.

4.3
2019-08-06 CVE-2019-14696 Open School Cross-Site Scripting vulnerability in Open-School 2.3/3.0

Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/index.php?r=students/guardians/create id parameter.

4.3
2019-08-06 CVE-2019-14346 Schben Cross-Site Request Forgery (CSRF) vulnerability in Schben Adive 2.0.7

Internal/Views/config.php in Schben Adive 2.0.7 allows admin/config CSRF to change a user password.

4.3
2019-08-06 CVE-2016-10795 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 59.9999.145 allows stored XSS in the WHM tail_upcp2.cgi interface (SEC-156).

4.3
2019-08-05 CVE-2019-14667 Firefly III Cross-Site Scripting vulnerability in Firefly-Iii Firefly III 4.7.17.4

Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name.

4.3
2019-08-05 CVE-2019-14664 Enigmail Inadequate Encryption Strength vulnerability in Enigmail

In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email.

4.3
2019-08-05 CVE-2019-14665 Brandy Project Out-Of-Bounds Write vulnerability in Brandy Project Brandy 1.20.1

Brandy 1.20.1 has a heap-based buffer overflow in define_array in variables.c via crafted BASIC source code.

4.3
2019-08-05 CVE-2019-10994 Laquisscada Out-Of-Bounds Read vulnerability in Laquisscada Scada 4.3.1.71

Processing a specially crafted project file in LAquis SCADA 4.3.1.71 may trigger an out-of-bounds read, which may allow an attacker to obtain sensitive information.

4.3
2019-08-05 CVE-2019-11198 Sitecore Cross-Site Scripting vulnerability in Sitecore CMS

Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog.

4.3
2019-08-05 CVE-2017-18472 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 62.0.4 allows reflected XSS in reset-password interfaces (SEC-198).

4.3
2019-08-05 CVE-2019-14663 Brandy Project Out-Of-Bounds Write vulnerability in Brandy Project Brandy 1.20.1

Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fileio.c via crafted BASIC source code.

4.3
2019-08-05 CVE-2019-14662 Brandy Project Out-Of-Bounds Write vulnerability in Brandy Project Brandy 1.20.1

Brandy 1.20.1 has a stack-based buffer overflow in fileio_openout in fileio.c via crafted BASIC source code.

4.3
2019-08-09 CVE-2018-20826 Atlassian Improper Authorization vulnerability in Atlassian Jira

The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.

4.0
2019-08-09 CVE-2019-14433 Openstack Information Exposure vulnerability in Openstack Nova

An issue was discovered in OpenStack Nova before 17.0.12, 18.x before 18.2.2, and 19.x before 19.0.2.

4.0
2019-08-09 CVE-2019-5498 Netapp Unspecified vulnerability in Netapp Oncommand Insight

OnCommand Insight versions through 7.3.6 may disclose sensitive account information to an authenticated user.

4.0
2019-08-09 CVE-2019-14798 10Web Path Traversal vulnerability in 10Web Photo Gallery

The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter.

4.0
2019-08-09 CVE-2019-14312 Aptana Path Traversal vulnerability in Aptana Jaxer 1.0.3.4547

Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer.

4.0
2019-08-08 CVE-2019-1953 Cisco Information Exposure Through LOG Files vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure 3.5.1/3.5.2

A vulnerability in the web portal of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to view a password in clear text.

4.0
2019-08-07 CVE-2019-10389 Jenkins Permission Issues vulnerability in Jenkins Relution Enterprise Appstore Publisher 1.0/1.24

A missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.

4.0
2019-08-07 CVE-2019-10387 Jenkins Permission Issues vulnerability in Jenkins XL Testview

A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

4.0
2019-08-07 CVE-2019-10385 Jenkins Credentials Management vulnerability in Jenkins Eggplant

Jenkins eggPlant Plugin 2.2 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-08-07 CVE-2019-10379 Google Credentials Management vulnerability in Google Cloud Messaging Notification 1.0

Jenkins Google Cloud Messaging Notification Plugin 1.0 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-08-07 CVE-2019-10377 Jenkins Permission Issues vulnerability in Jenkins Avatar 1.0/1.1/1.2

A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins.

4.0
2019-08-07 CVE-2019-10375 Jenkins Information Exposure vulnerability in Jenkins File System SCM

An arbitrary file read vulnerability in Jenkins File System SCM Plugin 2.1 and earlier allows attackers able to configure jobs in Jenkins to obtain the contents of any file on the Jenkins master.

4.0
2019-08-07 CVE-2019-10369 Jenkins Permission Issues vulnerability in Jenkins Jclouds

A missing permission check in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

4.0
2019-08-07 CVE-2016-10807 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 57.9999.54 allows certain denial-of-service outcomes via /scripts/killpvhost (SEC-112).

4.0
2019-08-06 CVE-2016-10797 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certificate" page visitors to list all server domains (SEC-133).

4.0
2019-08-06 CVE-2016-10794 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 59.9999.145 allows arbitrary file-read operations because of a multipart form processing error (SEC-154).

4.0
2019-08-06 CVE-2016-10786 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).

4.0
2019-08-06 CVE-2016-10785 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 60.0.25 allows attackers to discover file contents during file copy operations (SEC-185).

4.0
2019-08-05 CVE-2019-4261 IBM Improper Input Validation vulnerability in IBM MQ and Websphere MQ

IBM WebSphere MQ V7.1, 7.5, IBM MQ V8, IBM MQ V9.0LTS, IBM MQ V9.1 LTS, and IBM MQ V9.1 CD are vulnerable to a denial of service attack caused by specially crafted messages.

4.0
2019-08-05 CVE-2017-18482 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 62.0.4 allows resellers to use the WHM enqueue_transfer_item API for queueing non-rearrange modules (SEC-213).

4.0
2019-08-05 CVE-2017-18480 Cpanel 7PK - Security Features vulnerability in Cpanel

cPanel before 62.0.4 does not enforce account ownership for has_mycnf_for_cpuser WHM API calls (SEC-210).

4.0
2019-08-05 CVE-2017-18479 Cpanel Improper Certificate Validation vulnerability in Cpanel

In cPanel before 62.0.4, WHM SSL certificate generation uses an unreserved e-mail address (SEC-209).

4.0
2019-08-05 CVE-2017-18478 Cpanel Information Exposure vulnerability in Cpanel

In cPanel before 62.0.4 incorrect ACL checks could occur in xml-api for Rearrange Account actions (SEC-207).

4.0
2019-08-05 CVE-2017-18477 Cpanel 7PK - Security Features vulnerability in Cpanel

In cPanel before 62.0.4, Exim transports could execute in the context of the nobody account (SEC-206).

4.0
2019-08-05 CVE-2017-18470 Cpanel Credentials Management vulnerability in Cpanel

cPanel before 62.0.4 has a fixed password for the Munin MySQL test account (SEC-196).

4.0
2019-08-05 CVE-2019-14525 Octopus Information Exposure vulnerability in Octopus Deploy

In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call.

4.0
2019-08-05 CVE-2017-18467 Cpanel 7PK - Security Features vulnerability in Cpanel

cPanel before 62.0.17 allows access to restricted resources because of a URL filtering error (SEC-229).

4.0
2019-08-05 CVE-2017-18466 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 62.0.17 does not properly recognize domain ownership during addition of parked domains to a mail configuration (SEC-228).

4.0

64 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-06 CVE-2019-5687 Nvidia
Microsoft
Incorrect Default Permissions vulnerability in Nvidia GPU Driver

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which an incorrect use of default permissions for an object exposes it to an unintended actor

3.6
2019-08-09 CVE-2018-20827 Atlassian Cross-Site Scripting vulnerability in Atlassian Jira

The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter.

3.5
2019-08-09 CVE-2019-5403 HP Cross-Site Scripting vulnerability in HP 3Par Storeserv Management Console 3.3.1/3.5

A remote multiple cross-site scripting vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1.

3.5
2019-08-09 CVE-2019-5398 HP Cross-Site Scripting vulnerability in HP 3Par Service Processor Firmware

A remote multiple multiple cross-site vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1.

3.5
2019-08-09 CVE-2019-14805 UNA Cross-Site Scripting vulnerability in UNA 10.0.0

studio/builder_menu.php?page=sets in UNA 10.0.0-RC1 allows XSS via the System Name field under Sets during set editing.

3.5
2019-08-09 CVE-2019-14804 UNA Cross-Site Scripting vulnerability in UNA 10.0.0

studio/polyglot.php?page=etemplates in UNA 10.0.0-RC1 allows XSS via the System Name field under Emails during template editing.

3.5
2019-08-09 CVE-2019-14797 10Web Cross-Site Scripting vulnerability in 10Web Photo Gallery

The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS.

3.5
2019-08-09 CVE-2019-14796 MQ Woocommerce Products Price Bulk Edit Project Cross-Site Scripting vulnerability in Mq-Woocommerce-Products-Price-Bulk-Edit Project Mq-Woocommerce-Products-Price-Bulk-Edit 2.0

The mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products Price Bulk Edit) plugin 2.0 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=update_options show_products_page_limit parameter.

3.5
2019-08-09 CVE-2019-14792 Codecabin Cross-Site Scripting vulnerability in Codecabin WP Google Maps

The WP Google Maps plugin before 7.11.35 for WordPress allows XSS via the wp-admin/ rectangle_name or rectangle_opacity parameter.

3.5
2019-08-09 CVE-2019-14787 Tribulant Cross-Site Scripting vulnerability in Tribulant Newsletters

The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter.

3.5
2019-08-09 CVE-2019-14785 Codepeople Cross-Site Scripting vulnerability in Codepeople CP Contact Form With Paypal

The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1 cp_contactformpp_id parameter.

3.5
2019-08-08 CVE-2019-14680 Mijnpress Cross-Site Request Forgery (CSRF) vulnerability in Mijnpress Admin-Renamer-Extended 3.2.1

The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF.

3.5
2019-08-08 CVE-2019-14221 1Crm Cross-Site Scripting vulnerability in 1Crm On-Premise 8.5.7

1CRM On-Premise Software 8.5.7 allows XSS via a payload that is mishandled during a Run Report operation.

3.5
2019-08-08 CVE-2019-1973 Cisco Cross-Site Scripting vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure 3.11.1/3.5.1/3.5.2

A vulnerability in the web portal framework of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface.

3.5
2019-08-08 CVE-2019-1956 Cisco Cross-Site Scripting vulnerability in Cisco Spa112 2-Port Phone Adapter Firmware

A vulnerability in the web-based interface of the Cisco SPA112 2-Port Phone Adapter could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against another user of the device.

3.5
2019-08-08 CVE-2019-1949 Cisco Cross-Site Scripting vulnerability in Cisco Firepower Management Center

A vulnerability in the web-based management interface of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system.

3.5
2019-08-07 CVE-2019-14748 Osticket Cross-Site Scripting vulnerability in Osticket

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.

3.5
2019-08-07 CVE-2019-10374 Jenkins Cross-Site Scripting vulnerability in Jenkins Pegdown Formatter

A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI.

3.5
2019-08-07 CVE-2019-10373 Jenkins Cross-Site Scripting vulnerability in Jenkins Build Pipeline

A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

3.5
2019-08-07 CVE-2016-10806 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 57.9999.54 allows self XSS on the Paper Lantern Landing Page (SEC-110).

3.5
2019-08-07 CVE-2019-14731 Cnezsoft Cross-Site Scripting vulnerability in Cnezsoft Zentao 11.5.1

An issue was discovered in ZenTao 11.5.1.

3.5
2019-08-06 CVE-2019-12950 Teampass Cross-Site Scripting vulnerability in Teampass 2.1.27.35

An issue was discovered in TeamPass 2.1.27.35.

3.5
2019-08-06 CVE-2016-10784 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 60.0.25 allows self XSS in the alias upload interface (SEC-184).

3.5
2019-08-06 CVE-2016-10783 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 60.0.25 allows self stored XSS in SSL_listkeys (SEC-182).

3.5
2019-08-06 CVE-2016-10782 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 60.0.25 allows self stored XSS in postgres API1 listdbs (SEC-181).

3.5
2019-08-06 CVE-2016-10781 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 60.0.25 allows self XSS in the UI_confirm API (SEC-180).

3.5
2019-08-06 CVE-2016-10780 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 60.0.25 allows stored XSS in the ftp_sessions API (SEC-180).

3.5
2019-08-06 CVE-2016-10779 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 60.0.25 allows stored XSS in api1_listautoresponders (SEC-179).

3.5
2019-08-06 CVE-2016-10778 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 60.0.25 allows self stored XSS in the listftpstable API (SEC-178).

3.5
2019-08-06 CVE-2016-10777 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodiscover_host (SEC-177).

3.5
2019-08-06 CVE-2016-10776 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 60.0.25 allows stored XSS during the homedir removal phase of WHM Account termination (SEC-174).

3.5
2019-08-05 CVE-2019-14672 Firefly III Cross-Site Scripting vulnerability in Firefly-Iii Firefly III 4.7.17.5

Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the liability name field.

3.5
2019-08-05 CVE-2019-14670 Firefly III Cross-Site Scripting vulnerability in Firefly-Iii Firefly III 4.7.17.3

Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field.

3.5
2019-08-05 CVE-2019-14669 Firefly III Cross-Site Scripting vulnerability in Firefly-Iii Firefly III 4.7.17.3

Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the asset account name.

3.5
2019-08-05 CVE-2019-14668 Firefly III Cross-Site Scripting vulnerability in Firefly-Iii Firefly III 4.7.17.3

Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the transaction description field.

3.5
2019-08-05 CVE-2019-14550 Espocrm Cross-Site Scripting vulnerability in Espocrm

An issue was discovered in EspoCRM before 5.6.9.

3.5
2019-08-05 CVE-2019-14549 Espocrm Cross-Site Scripting vulnerability in Espocrm

An issue was discovered in EspoCRM before 5.6.9.

3.5
2019-08-05 CVE-2019-14548 Espocrm Cross-Site Scripting vulnerability in Espocrm

An issue was discovered in EspoCRM before 5.6.9.

3.5
2019-08-05 CVE-2019-14547 Espocrm Cross-Site Scripting vulnerability in Espocrm

An issue was discovered in EspoCRM before 5.6.9.

3.5
2019-08-05 CVE-2019-14546 Espocrm Cross-Site Scripting vulnerability in Espocrm

An issue was discovered in EspoCRM before 5.6.9.

3.5
2019-08-05 CVE-2017-18481 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 62.0.4 allows stored XSS in the WHM Account Suspension List interface (SEC-211).

3.5
2019-08-05 CVE-2017-18473 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 62.0.4 allows self XSS on the webmail Password and Security page (SEC-199).

3.5
2019-08-05 CVE-2017-18471 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 62.0.4 allows self XSS on the paper_lantern password-change screen (SEC-197).

3.5
2019-08-05 CVE-2016-10774 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172).

3.5
2019-08-05 CVE-2016-10767 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 60.0.25 allows stored XSS in the WHM Repair Mailbox Permissions interface (SEC-159).

3.5
2019-08-07 CVE-2018-20958 Tapplock Information Exposure vulnerability in Tapplock Firmware

The Bluetooth Low Energy (BLE) subsystem on Tapplock devices before 2018-06-12 relies on Key1 and SerialNo for unlock operations; however, these are derived from the MAC address, which is broadcasted by the device.

3.3
2019-08-08 CVE-2016-10864 Netgear Cross-Site Scripting vulnerability in Netgear Ex7000 Firmware

NETGEAR EX7000 V1.0.0.42_1.0.94 devices allow XSS via the SSID.

2.9
2019-08-08 CVE-2019-14783 Google Unspecified vulnerability in Google Android

On Samsung mobile devices with N(7.x), and O(8.x), P(9.0) software, FotaAgent allows a malicious application to create privileged files.

2.1
2019-08-08 CVE-2018-20956 Swann Information Exposure Through LOG Files vulnerability in Swann Swwhd-Intcam-Hd Firmware

Swann SWWHD-INTCAM-HD devices leave the PSK in logs after a factory reset.

2.1
2019-08-08 CVE-2019-1960 Cisco OS Command Injection vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure 3.11.1/3.5.1/3.5.2

Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to read arbitrary files on the underlying operating system (OS) of an affected device.

2.1
2019-08-08 CVE-2019-1959 Cisco OS Command Injection vulnerability in Cisco Enterprise Network Function Virtualization Infrastructure 3.11.1/3.5.1/3.5.2

Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to read arbitrary files on the underlying operating system (OS) of an affected device.

2.1
2019-08-07 CVE-2019-10378 Jenkins Credentials Management vulnerability in Jenkins Testlink

Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

2.1
2019-08-07 CVE-2019-10367 Jenkins Information Exposure Through LOG Files vulnerability in Jenkins Configuration AS Code

Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.

2.1
2019-08-07 CVE-2016-10799 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 58.0.4 does not set the Pear tmp directory during a PHP installation (SEC-137).

2.1
2019-08-06 CVE-2016-10796 Cpanel Permission Issues vulnerability in Cpanel

cPanel before 58.0.4 initially uses weak permissions for Apache HTTP Server log files (SEC-130).

2.1
2019-08-05 CVE-2019-14671 Firefly III Information Exposure vulnerability in Firefly-Iii Firefly III 4.7.17.3

Firefly III 4.7.17.3 is vulnerable to local file enumeration.

2.1
2019-08-05 CVE-2019-3800 Pivotal
Anynines
Apigee
Appdynamics
Bluemedora
Contrastsecurity
Cyberark
Datadoghq
Datastax
Dynatrace
Forgerock
Google
IBM
Microsoft
Newrelic
Pagerduty
Riverbed
Samba
Signalsciences
Snyk
Solace
Splunk
Sumologic
Synopsys
Tibco
Wavefront
Yugabyte
Information Exposure vulnerability in multiple products

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag.

2.1
2019-08-05 CVE-2019-4284 IBM Information Exposure Through LOG Files vulnerability in IBM Cloud Private

IBM Cloud Private 2.1.0 , 3.1.0, 3.1.1, and 3.1.2 could allow a local privileged user to obtain sensitive OIDC token that is printed to log files, which could be used to log in to the system as another user.

2.1
2019-08-05 CVE-2016-10772 Cpanel 7PK - Security Features vulnerability in Cpanel

cPanel before 60.0.25 does not enforce feature-list restrictions when calling the multilang adminbin (SEC-168).

2.1
2019-08-05 CVE-2017-18465 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 62.0.17 does not have a sufficient list of reserved usernames (SEC-227).

2.1
2019-08-10 CVE-2019-14357 Mooltipass Information Exposure vulnerability in Mooltipass Mini Firmware

** DISPUTED ** On Mooltipass Mini devices, a side channel for the row-based OLED display was found.

1.9
2019-08-10 CVE-2019-14355 Shapeshift Information Exposure vulnerability in Shapeshift Keepkey Firmware

** DISPUTED ** On ShapeShift KeepKey devices, a side channel for the row-based OLED display was found.

1.9
2019-08-10 CVE-2019-14354 Ledger Information Exposure vulnerability in Ledger Nano S Firmware and Nano X Firmware

On Ledger Nano S and Nano X devices, a side channel for the row-based OLED display was found.

1.9
2019-08-08 CVE-2019-14353 Trezor Information Exposure vulnerability in Trezor ONE Firmware

On Trezor One devices before 1.8.2, a side channel for the row-based OLED display was found.

1.9