Weekly Vulnerabilities Reports > August 12 to 18, 2019
Overview
339 new vulnerabilities were reported during this period, including 58 critical and 132 high-severity vulnerabilities. This weekly summary covers vulnerabilities in 479 products from 173 vendors, including Debian, Canonical, Opensuse, Fedoraproject, and SAP. The most frequent weakness categories are "Cross-site Scripting", "Cross-Site Request Forgery (CSRF)", "SQL Injection", "Out-of-bounds Read", and "Incorrect Permission Assignment for Critical Resource".
- 283 reported vulnerabilities are remotely exploitable.
- 18 reported vulnerabilities have a public exploit available.
- 151 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 271 reported vulnerabilities are exploitable by an anonymous user.
- Debian has the most reported vulnerabilities, with 37.
- Debian also has the most reported critical vulnerabilities, with 5.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:
58 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-18 | CVE-2019-15151 | Adplug Project Fedoraproject | Double Free vulnerability in multiple products AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h. | 9.8 |
2019-08-18 | CVE-2019-15149 | Networkgenomics | 7PK - Security Features vulnerability in Networkgenomics Mitogen core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. | 9.8 |
2019-08-18 | CVE-2019-15130 | Humanica | Use of Insufficiently Random Values vulnerability in Humanica Humatrix 7 1.0.0.203/1.0.0.681 The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to upload any file type to a candidate's profile picture folder via a crafted recruitment_online/personalData/act_personaltab.cfm multiple-part POST request with a predictable WRC01_USERID parameter. | 9.8 |
2019-08-16 | CVE-2018-20973 | Codeermeneer | Improper Input Validation vulnerability in Codeermeneer Companion Auto Update The companion-auto-update plugin before 3.2.1 for WordPress has local file inclusion. | 9.8 |
2019-08-16 | CVE-2017-18543 | Invite Anyone Project | Improper Access Control vulnerability in Invite Anyone Project Invite Anyone The invite-anyone plugin before 1.3.16 for WordPress has incorrect access control for email-based invitations. | 9.8 |
2019-08-16 | CVE-2015-9324 | Sandhillsdev | SQL Injection vulnerability in Sandhillsdev Easy Digital Downloads The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection. | 9.8 |
2019-08-16 | CVE-2015-9323 | Duckdev | SQL Injection vulnerability in Duckdev 404 to 301 The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection. | 9.8 |
2019-08-16 | CVE-2014-10376 | Themeist | SQL Injection vulnerability in Themeist I Recommend This The i-recommend-this plugin before 3.7.3 for WordPress has SQL injection. | 9.8 |
2019-08-16 | CVE-2019-7964 | Adobe | Unspecified vulnerability in Adobe Experience Manager 6.4/6.5 Adobe Experience Manager versions 6.5, and 6.4 have an authentication bypass vulnerability. | 9.8 |
2019-08-16 | CVE-2019-7959 | Adobe | Improper Input Validation vulnerability in Adobe Creative Cloud Creative Cloud Desktop Application versions 4.6.1 and earlier have a using components with known vulnerabilities vulnerability. | 9.8 |
2019-08-16 | CVE-2019-7958 | Adobe | Incorrect Permission Assignment for Critical Resource vulnerability in Adobe Creative Cloud Creative Cloud Desktop Application versions 4.6.1 and earlier have an insecure inherited permissions vulnerability. | 9.8 |
2019-08-16 | CVE-2019-5477 | Nokogiri Canonical Debian | OS Command Injection vulnerability in multiple products A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. | 9.8 |
2019-08-16 | CVE-2017-18548 | Datainterlock | SQL Injection vulnerability in Datainterlock Note Press 0.1.0/0.1.1 The note-press plugin before 0.1.2 for WordPress has SQL injection. | 9.8 |
2019-08-16 | CVE-2016-10904 | Olimometer Project | SQL Injection vulnerability in Olimometer Project Olimometer The olimometer plugin before 2.57 for WordPress has SQL injection. | 9.8 |
2019-08-16 | CVE-2015-9326 | Wpbusinessintelligence | SQL Injection vulnerability in Wpbusinessintelligence WP Business Intelligence The wp-business-intelligence-lite plugin before 1.6.3 for WordPress has SQL injection. | 9.8 |
2019-08-16 | CVE-2015-9325 | Bestwebsoft | SQL Injection vulnerability in Bestwebsoft Visitors Online 0.1/0.2/0.3 The visitors-online plugin before 0.4 for WordPress has SQL injection. | 9.8 |
2019-08-16 | CVE-2019-15091 | Artica | Unrestricted Upload of File with Dangerous Type vulnerability in Artica Integria IMS 5.0.86 filemgr.php in Artica Integria IMS 5.0.86 allows index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload arbitrary file upload. | 9.8 |
2019-08-16 | CVE-2019-15107 | Webmin | OS Command Injection vulnerability in Webmin An issue was discovered in Webmin <=1.920. | 9.8 |
2019-08-16 | CVE-2019-15106 | Zohocorp | Missing Authentication for Critical Function vulnerability in Zohocorp Manageengine Opmanager An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. | 9.8 |
2019-08-15 | CVE-2019-9851 | Debian Canonical Opensuse Fedoraproject Libreoffice | Improper Input Validation vulnerability in multiple products LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. | 9.8 |
2019-08-15 | CVE-2019-9850 | Debian Canonical Opensuse Fedoraproject Libreoffice | Improper Input Validation vulnerability in multiple products LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. | 9.8 |
2019-08-15 | CVE-2019-9010 | Codesys | Unspecified vulnerability in Codesys products An issue was discovered in 3S-Smart CODESYS V3 products. | 9.8 |
2019-08-15 | CVE-2018-14671 | Yandex | Improper Input Validation vulnerability in Yandex Clickhouse In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability. | 9.8 |
2019-08-15 | CVE-2018-14670 | Yandex | Improper Authorization vulnerability in Yandex Clickhouse Incorrect configuration in deb package in ClickHouse before 1.1.54131 could lead to unauthorized use of the database. | 9.8 |
2019-08-15 | CVE-2019-11187 | Gonicus Debian | Improper Authentication vulnerability in multiple products Incorrect Access Control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the case-insensitive substring "success" when an arbitrary password is provided. | 9.8 |
2019-08-15 | CVE-2019-13578 | Givewp | SQL Injection vulnerability in Givewp A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. | 9.8 |
2019-08-14 | CVE-2019-9585 | EQ 3 | Missing Authentication for Critical Function vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON API has Improper Access Control for Interface.***Metadata related operations, resulting in the ability to read, set and delete Metadata. | 9.8 |
2019-08-14 | CVE-2019-9584 | EQ 3 | Forced Browsing vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. | 9.8 |
2019-08-14 | CVE-2019-14527 | Netgear | OS Command Injection vulnerability in Netgear Mr1100 Firmware 12.05.05.00 An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. | 9.8 |
2019-08-14 | CVE-2019-12103 | TP Link | OS Command Injection vulnerability in Tp-Link M7350 Firmware 1.0.16/151021/160330 The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by a pre-authentication command injection vulnerability. | 9.8 |
2019-08-14 | CVE-2019-15052 | Gradle | Insufficiently Protected Credentials vulnerability in Gradle The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. | 9.8 |
2019-08-14 | CVE-2019-12262 | Windriver Belden Siemens | Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and 7 has Incorrect Access Control in the RARP client component. | 9.8 |
2019-08-14 | CVE-2019-11652 | Microfocus | Unspecified vulnerability in Microfocus Netiq Self Service Password Reset A potential authorization bypass issue was found in Micro Focus Self Service Password Reset (SSPR) versions prior to: 4.4.0.3, 4.3.0.6, and 4.2.0.6. | 9.8 |
2019-08-14 | CVE-2016-10888 | Tipsandtricks HQ | SQL Injection vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues. | 9.8 |
2019-08-14 | CVE-2016-10887 | Tipsandtricks HQ | SQL Injection vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues. | 9.8 |
2019-08-14 | CVE-2016-10886 | Benjaminrojas | Permissions, Privileges, and Access Controls vulnerability in Benjaminrojas WP Editor The wp-editor plugin before 1.2.6 for WordPress has incorrect permissions. | 9.8 |
2019-08-14 | CVE-2015-9310 | Tipsandtricks HQ | SQL Injection vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues. | 9.8 |
2019-08-14 | CVE-2019-15025 | Ninjaforms | SQL Injection vulnerability in Ninjaforms The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page. | 9.8 |
2019-08-14 | CVE-2017-18514 | Simplerealtytheme | SQL Injection vulnerability in Simplerealtytheme Simple Login LOG The simple-login-log plugin before 1.1.2 for WordPress has SQL injection. | 9.8 |
2019-08-14 | CVE-2016-10889 | Imagely | SQL Injection vulnerability in Imagely Nextgen Gallery The nextgen-gallery plugin before 2.1.57 for WordPress has SQL injection via a gallery name. | 9.8 |
2019-08-14 | CVE-2015-9316 | Wpfastestcache | SQL Injection vulnerability in Wpfastestcache WP Fastest Cache The wp-fastest-cache plugin before 0.8.4.9 for WordPress has SQL injection in wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request via the poll_id parameter. | 9.8 |
2019-08-14 | CVE-2015-9315 | Newstatpress Project | SQL Injection vulnerability in Newstatpress Project Newstatpress The newstatpress plugin before 1.0.1 for WordPress has SQL injection. | 9.8 |
2019-08-14 | CVE-2015-9313 | Newstatpress Project | SQL Injection vulnerability in Newstatpress Project Newstatpress The newstatpress plugin before 1.0.5 for WordPress has SQL injection related to an IMG element. | 9.8 |
2019-08-14 | CVE-2019-0345 | SAP | Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Application Server Java A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery. | 9.8 |
2019-08-14 | CVE-2019-0344 | SAP | Deserialization of Untrusted Data vulnerability in SAP Commerce Cloud Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection. | 9.8 |
2019-08-14 | CVE-2017-18515 | Veronalabs | SQL Injection vulnerability in Veronalabs WP Statistics The wp-statistics plugin before 12.0.8 for WordPress has SQL injection. | 9.8 |
2019-08-14 | CVE-2019-15027 | Mediatek | OS Command Injection vulnerability in Mediatek Mt6577 Firmware, Mt6625 Firmware and Mt8163 Firmware The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows attackers to execute arbitrary commands as root via shell metacharacters in a filename under /data, because clear_emmc_nomedia_entry in platform/mt6577/external/meta/emmc/meta_clr_emmc.c invokes 'system("/system/bin/rm -r /data/' followed by this filename upon an eMMC clearance from a Meta Mode boot. | 9.8 |
2019-08-13 | CVE-2019-14809 | Golang Debian | net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. | 9.8 |
2019-08-13 | CVE-2019-14985 | EQ 3 | Improper Authentication vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because this interface can access the CMD_EXEC virtual device type 28. | 9.8 |
2019-08-13 | CVE-2015-9301 | W3Eden | SQL Injection vulnerability in W3Eden Live Forms The liveforms plugin before 3.2.0 for WordPress has SQL injection. | 9.8 |
2019-08-13 | CVE-2015-9298 | Pixelite | Code Injection vulnerability in Pixelite Events Manager The events-manager plugin before 5.6 for WordPress has code injection. | 9.8 |
2019-08-12 | CVE-2019-14968 | Txjia | SQL Injection vulnerability in Txjia Imcat 4.9 An issue was discovered in imcat 4.9. | 9.8 |
2019-08-12 | CVE-2019-14965 | Frappe | Code Injection vulnerability in Frappe An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. | 9.8 |
2019-08-12 | CVE-2019-12618 | Hashicorp | Improper Privilege Management vulnerability in Hashicorp Nomad 0.9.0/0.9.1 HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver. | 9.8 |
2019-08-15 | CVE-2018-14062 | Cospas Sarsat | Cryptographic Issues vulnerability in Cospas-Sarsat System The COSPAS-SARSAT protocol allows remote attackers to forge messages, replay encrypted messages, conduct denial of service attacks, and send private messages (unrelated to distress alerts) via a crafted 406 MHz digital signal. | 9.1 |
2019-08-14 | CVE-2019-15058 | STB Project | Out-of-bounds Read vulnerability in STB Project STB 2.23 stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer over-read in stbi__tga_load, leading to Information Disclosure or Denial of Service. | 9.1 |
2019-08-13 | CVE-2019-12479 | Twentytwenty Storage Project | Path Traversal vulnerability in Twentytwenty.Storage Project Twentytwenty.Storage 2.11.0 An issue was discovered in 20|20 Storage 2.11.0. | 9.1 |
2019-08-12 | CVE-2019-13462 | Lansweeper | SQL Injection vulnerability in Lansweeper Lansweeper before 7.1.117.4 allows unauthenticated SQL injection. | 9.1 |
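The Nokogiri entry above (CVE-2019-5477) rests on a Ruby language feature rather than a parsing bug: Kernel#open treats a string that begins with "|" as a command to run and hands back its output, so any call site that passes an attacker-influenced path to Kernel#open is a command-injection sink. The block below is an added example for this report, not Nokogiri's code and not taken from the original page; the helper names read_unsafe, read_safe, pipe_prefixed?, safe_path? and demo, and the sample inputs, are constructed here. It shows the vulnerable call shape beside a hardened one, plus a pre-check a caller can apply before opening anything.

```ruby
require "tempfile"

# Vulnerable shape (hypothetical helper name, constructed for this example):
# Kernel#open interprets a leading "|" as "spawn this command and read its
# stdout", so read_unsafe("|id") runs `id` instead of opening a file.
def read_unsafe(path)
  open(path) { |io| io.read }
end

# Hardened shape: File.open never interprets "|". A pipe-prefixed string is
# looked up as a literal filename and fails with Errno::ENOENT.
def read_safe(path)
  File.open(path, "r") { |io| io.read }
end

# Cheap detection a caller can run on untrusted input before any open call.
def pipe_prefixed?(path)
  path.to_s.lstrip.start_with?("|")
end

# Allow-list check: reject pipe prefixes first (File.expand_path would happily
# produce "<base>/|id", which passes the prefix test), then confine the
# resolved path to base_dir so "../" traversal is refused as well.
def safe_path?(path, base_dir)
  return false if pipe_prefixed?(path)
  full = File.expand_path(path, base_dir)
  full.start_with?(File.expand_path(base_dir) + File::SEPARATOR)
end

# Shows read_safe on a real, constructed temporary file (not attacker input).
def demo
  Tempfile.create("sample") do |f|
    f.write("just data\n")
    f.flush
    read_safe(f.path)
  end
end

if __FILE__ == $0
  puts "Kernel#open with a pipe prefix ran a command: #{read_unsafe('|echo injected').inspect}"
  begin
    read_safe("|echo injected")
  rescue Errno::ENOENT => e
    puts "File.open refused the same string: #{e.class}"
  end
  puts "safe_path?('../../etc/passwd') => #{safe_path?('../../etc/passwd', '/tmp/assets')}"
  puts "demo => #{demo.inspect}"
end
```

File.open is the drop-in replacement when the argument is always meant to be a filesystem path, which is what the Nokogiri fix amounts to. The allow-list check is the additional control for the common case where the path is attacker-influenced, because File.open on its own still follows "../" traversal.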
132 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-18 | CVE-2019-15140 | Imagemagick | Use After Free vulnerability in Imagemagick 7.0.843 coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c. | 8.8 |
2019-08-16 | CVE-2019-15115 | Profilepress | Cross-Site Request Forgery (CSRF) vulnerability in Profilepress Loginwp The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF. | 8.8 |
2019-08-16 | CVE-2019-15114 | Ncrafts | Cross-Site Request Forgery (CSRF) vulnerability in Ncrafts Formcraft The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF. | 8.8 |
2019-08-16 | CVE-2019-15113 | Codeermeneer | Cross-Site Request Forgery (CSRF) vulnerability in Codeermeneer Companion Sitemap Generator The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF. | 8.8 |
2019-08-16 | CVE-2018-20974 | Joomsky | Cross-Site Request Forgery (CSRF) vulnerability in Joomsky JS JOB Manager The js-jobs plugin before 1.0.7 for WordPress has CSRF. | 8.8 |
2019-08-16 | CVE-2018-20972 | Codeermeneer | Cross-Site Request Forgery (CSRF) vulnerability in Codeermeneer Companion Auto Update The companion-auto-update plugin before 3.2.1 for WordPress has CSRF. | 8.8 |
2019-08-16 | CVE-2018-20971 | Churchadminplugin | Cross-Site Request Forgery (CSRF) vulnerability in Churchadminplugin Church Admin The church-admin plugin before 1.2550 for WordPress has CSRF affecting the upload of a bible reading plan. | 8.8 |
2019-08-16 | CVE-2017-18547 | Neliosoftware | Cross-Site Request Forgery (CSRF) vulnerability in Neliosoftware Nelio AB Testing The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in experiment forms. | 8.8 |
2019-08-16 | CVE-2017-18546 | Jayj Quicktag Project | Cross-Site Request Forgery (CSRF) vulnerability in Jayj Quicktag Project Jayj Quicktag The jayj-quicktag plugin before 1.3.2 for WordPress has CSRF. | 8.8 |
2019-08-16 | CVE-2017-18544 | Invite Anyone Project | Cross-Site Request Forgery (CSRF) vulnerability in Invite Anyone Project Invite Anyone The invite-anyone plugin before 1.3.16 for WordPress has admin-panel CSRF. | 8.8 |
2019-08-16 | CVE-2015-9322 | Erident Custom Login AND Dashboard Project | Cross-Site Request Forgery (CSRF) vulnerability in Erident Custom Login and Dashboard Project Erident Custom Login and Dashboard The erident-custom-login-and-dashboard plugin before 3.5 for WordPress has CSRF. | 8.8 |
2019-08-16 | CVE-2019-14923 | Eyesofnetwork | OS Command Injection vulnerability in Eyesofnetwork 5.10 EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field. | 8.8 |
2019-08-16 | CVE-2019-15105 | Zohocorp | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager An issue was discovered in Zoho ManageEngine Application Manager through 14.2. | 8.8 |
2019-08-16 | CVE-2019-15104 | Zohocorp | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager An issue was discovered in Zoho ManageEngine OpManager through 12.4x. | 8.8 |
2019-08-15 | CVE-2019-12792 | Vestacp | OS Command Injection vulnerability in Vestacp Control Panel 0.9.824 A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root. | 8.8 |
2019-08-15 | CVE-2019-12791 | Vestacp | Path Traversal vulnerability in Vestacp Control Panel 0.9.824 A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form. | 8.8 |
2019-08-15 | CVE-2019-13516 | Osisoft | Cross-Site Request Forgery (CSRF) vulnerability in Osisoft PI web API In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect. | 8.8 |
2019-08-15 | CVE-2019-12809 | Yes24 | Unspecified vulnerability in Yes24 Viewer Activex 1.0.327.50126 Yes24ViewerX ActiveX Control 1.0.327.50126 and earlier versions contains a vulnerability that could allow remote attackers to download and execute arbitrary files by setting the arguments to the ActiveX method. | 8.8 |
2019-08-15 | CVE-2018-14668 | Yandex | Cross-Site Request Forgery (CSRF) vulnerability in Yandex Clickhouse In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks. | 8.8 |
2019-08-15 | CVE-2019-9013 | Codesys | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Codesys products An issue was discovered in 3S-Smart CODESYS V3 products. | 8.8 |
2019-08-15 | CVE-2019-14422 | Tortoisesvn | Unspecified vulnerability in Tortoisesvn 1.12.1 An issue was discovered in TortoiseSVN 1.12.1. | 8.8 |
2019-08-15 | CVE-2019-14788 | Tribulant | Path Traversal vulnerability in Tribulant Newsletters wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value. | 8.8 |
2019-08-15 | CVE-2019-3417 | ZTE | OS Command Injection vulnerability in ZTE Zxhn F670 Firmware All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by command injection vulnerability. | 8.8 |
2019-08-15 | CVE-2019-14755 | Leaftecnologia | Unrestricted Upload of File with Dangerous Type vulnerability in Leaftecnologia Leaf Admin 61.9.0212.10F The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type. | 8.8 |
2019-08-14 | CVE-2019-14216 | WP SVG Icons Project | Cross-Site Request Forgery (CSRF) vulnerability in WP SVG Icons Project WP SVG Icons An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress. | 8.8 |
2019-08-14 | CVE-2019-1258 | Microsoft | Unspecified vulnerability in Microsoft Active Directory Authentication Library and Nuget An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. | 8.8 |
2019-08-14 | CVE-2019-1229 | Microsoft | Unspecified vulnerability in Microsoft Dynamics 365 9.0 An elevation of privilege vulnerability exists in Dynamics On-Premise v9. | 8.8 |
2019-08-14 | CVE-2019-12104 | TP Link | Command Injection vulnerability in Tp-Link M7350 Firmware 1.0.16/151021/160330 The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by several post-authentication command injection vulnerabilities. | 8.8 |
2019-08-14 | CVE-2019-1183 | Microsoft | Unspecified vulnerability in Microsoft products This information is being revised to indicate that this CVE (CVE-2019-1183) is fully mitigated by the security updates for the vulnerability discussed in CVE-2019-1194. | 8.8 |
2019-08-14 | CVE-2019-10199 | Redhat | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Keycloak It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. | 8.8 |
2019-08-14 | CVE-2019-15050 | Axiosys | Out-of-bounds Read vulnerability in Axiosys Bento4 1.5.1.0 An issue was discovered in Bento4 1.5.1.0. | 8.8 |
2019-08-14 | CVE-2019-15049 | Axiosys | Out-of-bounds Read vulnerability in Axiosys Bento4 1.5.1.0 An issue was discovered in Bento4 1.5.1.0. | 8.8 |
2019-08-14 | CVE-2019-15048 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 1.5.1.0 An issue was discovered in Bento4 1.5.1.0. | 8.8 |
2019-08-14 | CVE-2019-15047 | Axiosys | Out-of-bounds Read vulnerability in Axiosys Bento4 1.5.1.0 An issue was discovered in Bento4 1.5.1.0. | 8.8 |
2019-08-14 | CVE-2018-20968 | Smackcoders | Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders Ultimate Exporter The wp-ultimate-exporter plugin before 1.4.2 for WordPress has CSRF. | 8.8 |
2019-08-14 | CVE-2018-20967 | Smackcoders | Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders Import ALL Pages, Post Types, Products, Orders, and Users AS XML & CSV The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF. | 8.8 |
2019-08-14 | CVE-2017-18513 | Expresstech | Cross-Site Request Forgery (CSRF) vulnerability in Expresstech Responsive Menu The responsive-menu plugin before 3.1.4 for WordPress has no CSRF protection mechanism for the admin interface. | 8.8 |
2019-08-14 | CVE-2017-18512 | Supsystic | Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Newsletter BY Supsystic The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF. | 8.8 |
2019-08-14 | CVE-2017-18511 | Wpmudev | Cross-Site Request Forgery (CSRF) vulnerability in Wpmudev Custom Sidebars The custom-sidebars plugin before 3.0.8.1 for WordPress has CSRF. | 8.8 |
2019-08-14 | CVE-2017-18510 | Wpmudev | Cross-Site Request Forgery (CSRF) vulnerability in Wpmudev Custom Sidebars 3.0.8.1 The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related to set location, import actions, and export actions. | 8.8 |
2019-08-14 | CVE-2016-10885 | Benjaminrojas | Cross-Site Request Forgery (CSRF) vulnerability in Benjaminrojas WP Editor The wp-editor plugin before 1.2.6 for WordPress has CSRF. | 8.8 |
2019-08-14 | CVE-2016-10884 | Simple Membership Plugin | Cross-Site Request Forgery (CSRF) vulnerability in Simple-Membership-Plugin Simple Membership The simple-membership plugin before 3.3.3 for WordPress has multiple CSRF issues. | 8.8 |
2019-08-14 | CVE-2016-10882 | Google DOC Embedder Project | Cross-Site Request Forgery (CSRF) vulnerability in Google DOC Embedder Project Google DOC Embedder The google-document-embedder plugin before 2.6.2 for WordPress has CSRF. | 8.8 |
2019-08-14 | CVE-2015-9309 | Flippercode | Cross-Site Request Forgery (CSRF) vulnerability in Flippercode WP Google MAP The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature. | 8.8 |
2019-08-14 | CVE-2015-9308 | Flippercode | Cross-Site Request Forgery (CSRF) vulnerability in Flippercode WP Google MAP The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit map feature. | 8.8 |
2019-08-14 | CVE-2015-9307 | Flippercode | Cross-Site Request Forgery (CSRF) vulnerability in Flippercode WP Google MAP The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit location feature. | 8.8 |
2019-08-14 | CVE-2013-7476 | Simple Fields Project | Cross-Site Request Forgery (CSRF) vulnerability in Simple Fields Project Simple Fields The simple-fields plugin before 1.2 for WordPress has CSRF in the admin interface. | 8.8 |
2019-08-14 | CVE-2019-0351 | SAP | Unspecified vulnerability in SAP Netweaver A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. | 8.8 |
2019-08-14 | CVE-2019-0343 | SAP | Code Injection vulnerability in SAP Commerce Cloud SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, allows an authenticated Backoffice/HMC user to inject code that can be executed by the application, leading to Code Injection. | 8.8 |
2019-08-14 | CVE-2019-0341 | SAP | Incorrect Permission Assignment for Critical Resource vulnerability in SAP Enable NOW 1902 The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set. | 8.8 |
2019-08-13 | CVE-2019-11207 | Tibco | Cross-site Scripting vulnerability in Tibco products The web server component of TIBCO Software Inc.'s TIBCO LogLogic Enterprise Virtual Appliance, and TIBCO LogLogic Log Management Intelligence contains multiple vulnerabilities that theoretically allow persistent and reflected cross-site scripting (XSS) attacks, as well as cross-site request forgery (CSRF) attacks. | 8.8 |
2019-08-13 | CVE-2019-12806 | Crosscert | Out-of-bounds Write vulnerability in Crosscert Unisign 2.0.4.0 UniSign 2.0.4.0 and earlier version contains a stack-based buffer overflow vulnerability which can overwrite the stack with arbitrary data, due to a buffer overflow in a library. | 8.8 |
2019-08-13 | CVE-2018-20964 | Codepeople | Cross-Site Request Forgery (CSRF) vulnerability in Codepeople Contact Form Email The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF. | 8.8 |
2019-08-13 | CVE-2019-14530 | Open EMR | Path Traversal vulnerability in Open-Emr Openemr An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. | 8.8 |
2019-08-12 | CVE-2019-14966 | Frappe | SQL Injection vulnerability in Frappe An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. | 8.8 |
2019-08-12 | CVE-2017-18504 | Wpdeveloper | Cross-Site Request Forgery (CSRF) vulnerability in Wpdeveloper Twitter Cards Meta The twitter-cards-meta plugin before 2.5.0 for WordPress has CSRF. | 8.8 |
2019-08-12 | CVE-2016-10876 | Wpseeds | Cross-Site Request Forgery (CSRF) vulnerability in Wpseeds WP Database Backup The wp-database-backup plugin before 4.3.1 for WordPress has CSRF. | 8.8 |
2019-08-12 | CVE-2016-10874 | Wpseeds | Cross-Site Request Forgery (CSRF) vulnerability in Wpseeds WP Database Backup The wp-database-backup plugin before 4.3.3 for WordPress has CSRF. | 8.8 |
2019-08-13 | CVE-2019-10942 | Siemens | Unspecified vulnerability in Siemens products A vulnerability has been identified in SCALANCE X-200 switch family (incl. | 8.6 |
2019-08-14 | CVE-2019-13030 | Mediola | Forced Browsing vulnerability in Mediola NEO Server eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details. | 8.2 |
2019-08-14 | CVE-2019-9583 | EQ 3 | Resource Exhaustion vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. | 8.2 |
2019-08-15 | CVE-2019-3974 | Tenable | Unspecified vulnerability in Tenable Nessus Nessus 8.5.2 and earlier on Windows platforms were found to contain an issue where certain system files could be overwritten arbitrarily, potentially creating a denial of service condition. | 8.1 |
2019-08-14 | CVE-2019-14526 | Netgear | Cross-Site Request Forgery (CSRF) vulnerability in Netgear Mr1100 Firmware 12.05.05.00 An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. | 8.1 |
2019-08-14 | CVE-2019-9506 | Google Apple Canonical Debian Opensuse Redhat Huawei | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. | 8.1 |
2019-08-14 | CVE-2019-10201 | Redhat | Improper Verification of Cryptographic Signature vulnerability in Redhat Keycloak and Single Sign-On It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. | 8.1 |
2019-08-13 | CVE-2019-14986 | EQ 3 | Unspecified vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn before 2.3.0 installed allow administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as "Set root password") are exposed. | 8.1 |
2019-08-13 | CVE-2019-14984 | EQ 3 | Missing Authentication for Critical Function vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request. | 8.1 |
2019-08-14 | CVE-2019-15062 | Dolibarr | Cross-Site Request Forgery (CSRF) vulnerability in Dolibarr Erp/Crm 11.0.0 An issue was discovered in Dolibarr 11.0.0-alpha. | 8.0 |
2019-08-17 | CVE-2019-13069 | Extenua | Incorrect Permission Assignment for Critical Resource vulnerability in Extenua Silvershield extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. | 7.8 |
2019-08-16 | CVE-2019-15117 | Linux | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linux Kernel parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access. | 7.8 |
2019-08-16 | CVE-2018-20969 | GNU | OS Command Injection vulnerability in GNU Patch do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. | 7.8 |
2019-08-16 | CVE-2019-15084 | Maxx | Incorrect Permission Assignment for Critical Resource vulnerability in Maxx Waves Maxx Audio 1.6.2.0 Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, installs with incorrect file permissions. | 7.8 |
2019-08-15 | CVE-2019-9852 | Debian Canonical Opensuse Fedoraproject Libreoffice | Path Traversal vulnerability in multiple products LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. | 7.8 |
2019-08-15 | CVE-2019-13514 | Deltaww | Use After Free vulnerability in Deltaww Delta Industrial Automation Dopsoft In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger a use-after-free vulnerability, which may allow information disclosure, remote code execution, or crash of the application. | 7.8 |
2019-08-15 | CVE-2019-13513 | Deltaww | Out-of-bounds Read vulnerability in Deltaww Delta Industrial Automation Dopsoft In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger multiple out-of-bounds read vulnerabilities, which may allow information disclosure, remote code execution, or crash of the application. | 7.8 |
2019-08-15 | CVE-2019-13510 | Rockwellautomation | Use After Free vulnerability in Rockwellautomation Arena Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain a use-after-free (CWE-416). | 7.8 |
2019-08-15 | CVE-2019-13221 | STB Vorbis Project Debian | Out-of-bounds Write vulnerability in multiple products A stack buffer overflow in the compute_codewords function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file. | 7.8 |
2019-08-15 | CVE-2019-13217 | STB Vorbis Project Debian | Out-of-bounds Write vulnerability in multiple products A heap buffer overflow in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file. | 7.8 |
2019-08-14 | CVE-2019-1205 | Microsoft | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. | 7.8 |
2019-08-14 | CVE-2019-1201 | Microsoft | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. | 7.8 |
2019-08-14 | CVE-2019-1200 | Microsoft | Unspecified vulnerability in Microsoft Office, Office 365 Proplus and Outlook A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. | 7.8 |
2019-08-14 | CVE-2019-1199 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Office and Office 365 Proplus A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. | 7.8 |
2019-08-14 | CVE-2019-1185 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 An elevation of privilege vulnerability exists due to a stack corruption in Windows Subsystem for Linux. | 7.8 |
2019-08-14 | CVE-2019-8062 | Adobe | Uncontrolled Search Path Element vulnerability in Adobe After Effects Adobe After Effects versions 16 and earlier have an insecure library loading (dll hijacking) vulnerability. | 7.8 |
2019-08-14 | CVE-2019-7961 | Adobe | Uncontrolled Search Path Element vulnerability in Adobe Prelude CC 8.1 Adobe Prelude CC versions 8.1 and earlier have an insecure library loading (dll hijacking) vulnerability. | 7.8 |
2019-08-14 | CVE-2019-7931 | Adobe | Uncontrolled Search Path Element vulnerability in Adobe Premiere PRO CC 13.1.2 Adobe Premiere Pro CC versions 13.1.2 and earlier have an insecure library loading (dll hijacking) vulnerability. | 7.8 |
2019-08-14 | CVE-2019-7870 | Adobe | Uncontrolled Search Path Element vulnerability in Adobe Character Animator 2.1 Adobe Character Animator versions 2.1 and earlier have an insecure library loading (dll hijacking) vulnerability. | 7.8 |
2019-08-13 | CVE-2019-5299 | Huawei | Improper Verification of Cryptographic Signature vulnerability in Huawei Hima-Al00B Firmware 9.0.0.200(C00E200R2P1) Huawei mobile phones Hima-AL00B with versions earlier than HMA-AL00C00B175 have a signature verification bypass vulnerability. | 7.8 |
2019-08-13 | CVE-2019-5223 | Huawei | Improper Authentication vulnerability in Huawei Pcmanager 9.1.3.1 PCManager 9.1.3.1 has an improper authentication vulnerability. | 7.8 |
2019-08-13 | CVE-2019-12808 | Estsoft | Incorrect Permission Assignment for Critical Resource vulnerability in Estsoft Altools 18.1 ALTOOLS update service 18.1 and earlier versions contains a local privilege escalation vulnerability due to insecure permission. | 7.8 |
2019-08-13 | CVE-2019-12807 | Estsoft | Out-of-bounds Write vulnerability in Estsoft Alzip Alzip 10.83 and earlier versions contain a stack-based buffer overflow vulnerability, caused by improper bounds checking during the parsing of a crafted ISO archive file. | 7.8 |
2019-08-13 | CVE-2019-5681 | Nvidia | Unspecified vulnerability in Nvidia Shield Experience NVIDIA Shield TV Experience prior to v8.0 contains a vulnerability in the custom NVIDIA API used in the mount system service where user data could be overridden, which may lead to code execution, denial of service, or information disclosure. | 7.8 |
2019-08-13 | CVE-2017-18509 | Linux Debian Canonical | Improper Input Validation vulnerability in multiple products An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. | 7.8 |
2019-08-12 | CVE-2019-14969 | Netwrix | Incorrect Permission Assignment for Critical Resource vulnerability in Netwrix Auditor 9.7 Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. | 7.8 |
2019-08-12 | CVE-2019-14935 | 3CX | Incorrect Permission Assignment for Critical Resource vulnerability in 3CX 15 3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link. | 7.8 |
2019-08-18 | CVE-2019-15137 | Eprosima | Unspecified vulnerability in Eprosima Fast-Rtps The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows fnmatch pattern matches with topic name strings (instead of the permission expressions themselves), which can lead to unintended connections between participants in a Data Distribution Service (DDS) network. | 7.5 |
2019-08-18 | CVE-2019-15136 | Eprosima | Missing Authorization vulnerability in Eprosima Fast-Rtps The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition. | 7.5 |
2019-08-18 | CVE-2019-15135 | OMG | Cleartext Transmission of Sensitive Information vulnerability in OMG DDS Security 1.1 The handshake protocol in Object Management Group (OMG) DDS Security 1.1 sends cleartext information about all of the capabilities of a participant (including capabilities inapplicable to the current session), which makes it easier for attackers to discover potentially sensitive reachability information on a Data Distribution Service (DDS) network. | 7.5 |
2019-08-17 | CVE-2019-15134 | Riot OS | Memory Leak vulnerability in Riot-Os Riot RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working. | 7.5 |
2019-08-17 | CVE-2019-14937 | Vanderbilt | SQL Injection vulnerability in Vanderbilt Redcap REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. | 7.5 |
2019-08-16 | CVE-2017-18545 | Invite Anyone Project | Improper Input Validation vulnerability in Invite Anyone Project Invite Anyone The invite-anyone plugin before 1.3.16 for WordPress has incorrect escaping of untrusted Dashboard and front-end input. | 7.5 |
2019-08-16 | CVE-2019-8063 | Adobe | Unspecified vulnerability in Adobe Creative Cloud Creative Cloud Desktop Application 4.6.1 and earlier versions have an insecure transmission of sensitive data vulnerability. | 7.5 |
2019-08-16 | CVE-2019-7957 | Adobe | Unspecified vulnerability in Adobe Creative Cloud Creative Cloud Desktop Application versions 4.6.1 and earlier have a security bypass vulnerability. | 7.5 |
2019-08-16 | CVE-2019-15099 | Linux Canonical | NULL Pointer Dereference vulnerability in multiple products drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor. | 7.5 |
2019-08-15 | CVE-2019-10081 | Apache Debian | Out-of-bounds Write vulnerability in multiple products HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. | 7.5 |
2019-08-15 | CVE-2019-9012 | Codesys | Allocation of Resources Without Limits or Throttling vulnerability in Codesys products An issue was discovered in 3S-Smart CODESYS V3 products. | 7.5 |
2019-08-15 | CVE-2018-14669 | Yandex | Information Exposure vulnerability in Yandex Clickhouse ClickHouse MySQL client before version 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled, which allowed a malicious MySQL database to read arbitrary files from the connected ClickHouse server. | 7.5 |
2019-08-15 | CVE-2019-12854 | Squid Cache Debian Fedoraproject Canonical Opensuse | Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory. | 7.5 |
2019-08-14 | CVE-2019-9582 | EQ 3 | Unspecified vulnerability in Eq-3 Homematic Ccu2 Firmware eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service. | 7.5 |
2019-08-14 | CVE-2019-15046 | Zohocorp | Improper Authentication vulnerability in Zohocorp Manageengine Servicedesk Plus Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. | 7.5 |
2019-08-14 | CVE-2014-10375 | GNU | Numeric Errors vulnerability in GNU Exosip 3.5.0/4.0.0/4.1.0 handle_messages in eXtl_tls.c in eXosip before 5.0.0 mishandles a negative value in a content-length header. | 7.5 |
2019-08-13 | CVE-2019-9518 | Apple Apache Canonical Debian Synology Fedoraproject Opensuse Redhat Oracle Mcafee Nodejs | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. | 7.5 |
2019-08-13 | CVE-2019-9517 | Apple Apache Canonical Debian Synology Fedoraproject Opensuse Redhat Oracle Mcafee Netapp Nodejs | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. | 7.5 |
2019-08-13 | CVE-2019-9515 | Apple Apache Canonical Debian Synology Fedoraproject Opensuse Redhat Oracle Mcafee F5 Nodejs | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. | 7.5 |
2019-08-13 | CVE-2019-9514 | Apple Apache Debian Canonical Synology Fedoraproject Opensuse Redhat Oracle Mcafee Netapp F5 Nodejs | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. | 7.5 |
2019-08-13 | CVE-2019-9513 | Apple Apache Canonical Debian Fedoraproject Synology Opensuse Redhat Oracle Mcafee F5 Nodejs | Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. | 7.5 |
2019-08-13 | CVE-2019-9512 | Apple Apache Debian Nodejs | Resource Exhaustion vulnerability in multiple products Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. | 7.5 |
2019-08-13 | CVE-2019-9511 | Apple Apache Canonical Debian Synology Fedoraproject Opensuse Redhat Oracle Mcafee F5 Nodejs | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. | 7.5 |
2019-08-13 | CVE-2019-10943 | Siemens | Unspecified vulnerability in Siemens products A vulnerability has been identified in SIMATIC Drive Controller family (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. | 7.5 |
2019-08-13 | CVE-2019-14993 | Istio | Incorrect Regular Expression vulnerability in Istio Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API. | 7.5 |
2019-08-13 | CVE-2019-13419 | Search Guard | Information Exposure vulnerability in Search-Guard Search Guard Search Guard versions before 23.1 had an issue where, for aggregations, cleartext values of anonymised fields were leaked. | 7.5 |
2019-08-12 | CVE-2019-13418 | Search Guard | Improper Validation of Array Index vulnerability in Search-Guard Search Guard Search Guard versions before 24.0 had an issue where values of string arrays in documents were not properly anonymized. | 7.5 |
2019-08-12 | CVE-2019-14951 | Telenav | Improper Restriction of Excessive Authentication Attempts vulnerability in Telenav Scout GPS Link The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Lexus vehicles, has an incorrect protection mechanism against brute-force attacks on the authentication process, which makes it easier for attackers to obtain multimedia-screen access via port 7050 on the cellular network, as demonstrated by a DrivingRestriction method call to uma/jsonrpc/mobile. | 7.5 |
2019-08-12 | CVE-2019-14932 | Humanica | Authorization Bypass Through User-Controlled Key vulnerability in Humanica Humatrix 7 1.0.0.203/1.0.0.681 The Recruitment module in Humanica Humatrix 7 1.0.0.681 and 1.0.0.203 allows remote attackers to access all candidates' information on the website via a modified selApp variable to personalData/resumeDetail.cfm. | 7.5 |
2019-08-13 | CVE-2019-14516 | Uidai | Improper Certificate Validation vulnerability in Uidai Maadhaar 1.2.7 The mAadhaar application 1.2.7 for Android lacks SSL Certificate Validation, leading to man-in-the-middle attacks against requests for FAQs or Help. | 7.4 |
2019-08-14 | CVE-2019-1211 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio 2017 and Visual Studio 2019 An elevation of privilege vulnerability exists in Git for Visual Studio when it improperly parses configuration files. | 7.3 |
2019-08-14 | CVE-2019-0349 | SAP | Missing Authorization vulnerability in SAP Advanced Business Application Programming Platform Kernel SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77, allows a user to execute "Go to statement" without possessing the authorization S_DEVELOP DEBUG 02, resulting in a Missing Authorization Check. | 7.2 |
2019-08-15 | CVE-2019-13222 | STB Vorbis Project Debian | Out-of-bounds Read vulnerability in multiple products An out-of-bounds read of a global buffer in the draw_line function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file. | 7.1 |
2019-08-15 | CVE-2019-13220 | STB Vorbis Project Debian | Use of Uninitialized Resource vulnerability in multiple products Use of uninitialized stack variables in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file. | 7.1 |
2019-08-14 | CVE-2019-1161 | Microsoft | Unspecified vulnerability in Microsoft products An elevation of privilege vulnerability exists when the MpSigStub.exe for Defender allows file deletion in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system. | 7.1 |
2019-08-14 | CVE-2019-3639 | Mcafee | Improper Restriction of Rendered UI Layers or Frames vulnerability in Mcafee web Gateway Clickjacking vulnerability in the Administrator web console in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows remote attackers to conduct clickjacking attacks via a crafted web page that contains an iframe, because the console does not send an X-Frame-Options HTTP header. | 7.1 |
2019-08-14 | CVE-2019-14975 | Artifex | Out-of-bounds Read vulnerability in Artifex Mupdf Artifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_chartorune in fitz/string.c because pdf/pdf-op-filter.c does not check for a missing string. | 7.1 |
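Five of the high-severity entries above (CVE-2019-13069, CVE-2019-14969, CVE-2019-14935, CVE-2019-12808 and CVE-2019-15084) share one root cause: a directory or file under a privileged install location that grants write access to every local user, which a low-privileged account can turn into SYSTEM-level code execution through a planted executable, DLL or StartUp link. The following PowerShell audit is an added example written for this report; it is not code from any of the vendors listed and does not reproduce any of those specific exploits. It walks a path tree and reports each Allow ACE that gives a low-privileged well-known SID (Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users) write-type rights. The function name `Find-WeakAcl` and the choice of rights in the mask are this example's own assumptions.

```powershell
# Added example, not code from the report or from any vendor listed above.
# Reports ACEs that grant low-privileged principals write-type rights under the
# given paths: the pattern behind CVE-2019-13069, CVE-2019-14969, CVE-2019-14935,
# CVE-2019-12808 and CVE-2019-15084 in the table above.
function Find-WeakAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [switch] $Recurse
    )

    # Well-known SIDs every interactive local user effectively holds. Matching on SIDs
    # rather than names keeps the check working on localized Windows installs.
    $lowPrivSids = @(
        'S-1-1-0',      # Everyone
        'S-1-5-11',     # Authenticated Users
        'S-1-5-4',      # INTERACTIVE
        'S-1-5-32-545'  # BUILTIN\Users
    )

    # Rights that let a caller plant, replace or delete content, or rewrite the ACL.
    # (WriteData == CreateFiles and AppendData == CreateDirectories in this enum.)
    $writeMask = [System.Security.AccessControl.FileSystemRights] (
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
        'ChangePermissions, TakeOwnership')

    foreach ($root in $Path) {
        $items = @(Get-Item -LiteralPath $root -Force -ErrorAction SilentlyContinue)
        if ($Recurse) {
            $items += @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        }
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
                try {
                    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }   # unresolvable (orphaned) SID: not one of ours
                if ($lowPrivSids -notcontains $sid) { continue }
                # Cast to int so generic-rights bits (negative values) still mask correctly.
                if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: audit the location four of the entries above abused.
# Find-WeakAcl -Path "$env:ProgramData" -Recurse |
#     Where-Object { -not $_.Inherited } | Format-Table -AutoSize
```

Two caveats when reading the output. Windows grants BUILTIN\Users inheritable CreateFiles/AppendData on %ProgramData% by default, so inherited hits are mostly noise; the findings that matter are non-inherited Modify or FullControl entries (the Everyone Full Control on the 3CX PhoneApp directory is the textbook case) and any write right on an existing executable, DLL or configuration file that a SYSTEM service later loads. Run the audit both as an administrator, to see the whole tree, and as an ordinary user, to confirm which of the flagged paths that account can actually open for writing.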
146 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-14 | CVE-2019-15053 | Atlassian | Cross-site Scripting vulnerability in Atlassian Html Include and Replace Macro 1.4.0/1.4.1/1.4.2 The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element. | 6.8 |
2019-08-16 | CVE-2019-15090 | Linux Canonical Opensuse | Out-of-bounds Read vulnerability in multiple products An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. | 6.7 |
2019-08-14 | CVE-2019-3637 | Mcafee | Unspecified vulnerability in Mcafee File and Removable Media Protection Privilege Escalation vulnerability in McAfee FRP 5.x prior to 5.1.0.209 allows local users to gain elevated privileges via running McAfee Tray with elevated privileges. | 6.7 |
2019-08-13 | CVE-2019-10928 | Siemens | Unspecified vulnerability in Siemens Scalance Sc-600 Firmware 2.0 A vulnerability has been identified in SCALANCE SC-600 (V2.0). | 6.6 |
2019-08-18 | CVE-2019-15148 | Gopro | Out-of-bounds Write vulnerability in Gopro Gpmf-Parser 1.2.2 GoPro GPMF-parser 1.2.2 has an out-of-bounds write in OpenMP4Source in demo/GPMF_mp4reader.c. | 6.5 |
2019-08-18 | CVE-2019-15147 | Gopro | Out-of-bounds Read vulnerability in Gopro Gpmf-Parser 1.2.2 GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Next in GPMF_parser.c. | 6.5 |
2019-08-18 | CVE-2019-15146 | Gopro | Out-of-bounds Read vulnerability in Gopro Gpmf-Parser 1.2.2 GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in GPMF_Next in GPMF_parser.c. | 6.5 |
2019-08-18 | CVE-2019-15141 | Imagemagick Opensuse | Out-of-bounds Read vulnerability in multiple products WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. | 6.5 |
2019-08-18 | CVE-2019-15139 | Imagemagick | Out-of-bounds Read vulnerability in Imagemagick 7.0.841 The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472. | 6.5 |
2019-08-17 | CVE-2019-15133 | Giflib Project Canonical Debian | Divide By Zero vulnerability in multiple products In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero. | 6.5 |
2019-08-15 | CVE-2019-13515 | Osisoft | Information Exposure Through Log Files vulnerability in Osisoft PI web API OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information. | 6.5 |
2019-08-15 | CVE-2018-14008 | Arista | Improper Authentication vulnerability in Arista EOS Arista EOS through 4.21.0F allows a crash because 802.1x authentication is mishandled. | 6.5 |
2019-08-15 | CVE-2018-12357 | Arista | Incorrect Permission Assignment for Critical Resource vulnerability in Arista Cloudvision Portal Arista CloudVision Portal through 2018.1.1 has Incorrect Permissions. | 6.5 |
2019-08-15 | CVE-2019-14786 | Rankmath | Missing Authorization vulnerability in Rankmath SEO The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users to reset the settings via the wp-admin/admin-post.php reset-cmb parameter. | 6.5 |
2019-08-14 | CVE-2019-3635 | Mcafee | Unspecified vulnerability in Mcafee web Gateway Exfiltration of Data in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows attackers to obtain sensitive data via crafting a complex webpage that will trigger the Web Gateway to block the user accessing an iframe. | 6.5 |
2019-08-14 | CVE-2016-10883 | Mijnpress | Cross-Site Request Forgery (CSRF) vulnerability in Mijnpress Simple ADD Pages or Posts The simple-add-pages-or-posts plugin before 1.7 for WordPress has CSRF for deleting users. | 6.5 |
2019-08-14 | CVE-2019-0348 | SAP | Cleartext Transmission of Sensitive Information vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2 SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.1, 4.2, can access the database over an unencrypted connection, even when the configured quality of protection requires encryption. | 6.5 |
2019-08-14 | CVE-2019-0346 | SAP | Cleartext Transmission of Sensitive Information vulnerability in SAP Businessobjects Business Intelligence 4.2 Unencrypted communication in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to disclosure of the list of user names and roles imported from SAP NetWeaver BI systems, resulting in Information Disclosure. | 6.5 |
2019-08-14 | CVE-2019-0333 | SAP | Unspecified vulnerability in SAP Businessobjects Business Intelligence 4.2 In some situations, when a client cancels a query in SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.2, 4.3, the attacker can then query and receive the whole data set instead of just what is part of their authorized security profile, resulting in Information Disclosure. | 6.5 |
2019-08-14 | CVE-2019-14973 | Libtiff Debian Fedoraproject Opensuse | Integer Overflow or Wraparound vulnerability in multiple products _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards. | 6.5 |
2019-08-13 | CVE-2019-9516 | Apple Apache Canonical Debian Fedoraproject Synology Opensuse Redhat Oracle Mcafee F5 Nodejs | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. | 6.5 |
2019-08-13 | CVE-2019-5280 | Huawei | Improper Certificate Validation vulnerability in Huawei Cloudlink Phone 7900 Firmware V600R019C10 The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. | 6.5 |
2019-08-13 | CVE-2019-13416 | Search Guard | Unspecified vulnerability in Search-Guard Search Guard Search Guard versions before 24.3 had an issue where, when Cross Cluster Search (CCS) was enabled, authenticated users were always authorized against the local cluster, ignoring their roles on the remote cluster(s). | 6.5 |
2019-08-13 | CVE-2019-13415 | Search Guard | Unspecified vulnerability in Search-Guard Search Guard Search Guard versions before 24.3 had an issue where, when Cross Cluster Search (CCS) was enabled, authenticated users could gain read access to data they were not authorized to see. | 6.5 |
2019-08-13 | CVE-2019-10927 | Siemens | Unspecified vulnerability in Siemens products A vulnerability has been identified in SCALANCE SC-600 (V2.0), SCALANCE XB-200 (V4.1), SCALANCE XC-200 (V4.1), SCALANCE XF-200BA (V4.1), SCALANCE XP-200 (V4.1), SCALANCE XR-300WG (V4.1). | 6.5 |
2019-08-12 | CVE-2019-14982 | Exiv2 | Integer Overflow or Wraparound vulnerability in Exiv2 In Exiv2 before v0.27.2, there is an integer overflow vulnerability in the WebPImage::getHeaderOffset function in webpimage.cpp. | 6.5 |
2019-08-12 | CVE-2019-14981 | Imagemagick Debian Canonical Opensuse | Divide By Zero vulnerability in multiple products In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. | 6.5 |
2019-08-12 | CVE-2019-14980 | Imagemagick Opensuse | Use After Free vulnerability in multiple products In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file. | 6.5 |
2019-08-12 | CVE-2019-14940 | Spdk | Unspecified vulnerability in Spdk Storage Performance Development KIT In Storage Performance Development Kit (SPDK) before 19.07, a user of a vhost can cause a crash if the target is sent invalid input. | 6.5 |
2019-08-16 | CVE-2019-15116 | Sandhillsdev | Cross-site Scripting vulnerability in Sandhillsdev Easy Digital Downloads The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging. | 6.1 |
2019-08-16 | CVE-2017-18542 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Zendesk Help Center The zendesk-help-center plugin before 1.0.5 for WordPress has multiple XSS issues. | 6.1 |
2019-08-16 | CVE-2017-18541 | Xakuro | Cross-site Scripting vulnerability in Xakuro XO Security The xo-security plugin before 1.5.3 for WordPress has XSS. | 6.1 |
2019-08-16 | CVE-2019-15095 | Diaowen | Cross-site Scripting vulnerability in Diaowen Dwsurvey 1.0/20190722/3.2.0 DWSurvey through 2019-07-22 has reflected XSS via the design/qu-multi-fillblank!answers.action surveyId parameter. | 6.1 |
2019-08-15 | CVE-2019-14789 | Kunalnagar | Cross-site Scripting vulnerability in Kunalnagar Custom 404 PRO 3.2.8 The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin/admin.php?page=c4p-main page parameter. | 6.1 |
2019-08-15 | CVE-2019-14784 | Codepeople | Cross-site Scripting vulnerability in Codepeople CP Contact Form With Paypal The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition. | 6.1 |
2019-08-15 | CVE-2019-14790 | Limbcode | Cross-site Scripting vulnerability in Limbcode Limb-Gallery 1.4.0 The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS via the wp-admin/admin-ajax.php?action=grsGalleryAjax&grsAction=shortcode task parameter. | 6.1 |
2019-08-14 | CVE-2019-14427 | Webstudio | Cross-site Scripting vulnerability in Webstudio Ultimate Loan Manager 2.0 XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code. | 6.1 |
2019-08-14 | CVE-2018-19386 | Solarwinds | Cross-site Scripting vulnerability in Solarwinds Database Performance Analyzer 11.1.457 SolarWinds Database Performance Analyzer 11.1.457 contains an instance of Reflected XSS in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI. | 6.1 |
2019-08-14 | CVE-2019-14974 | Sugarcrm | Cross-site Scripting vulnerability in Sugarcrm 9.0.0 SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS. | 6.1 |
2019-08-14 | CVE-2016-10881 | Google DOC Embedder Project | Cross-site Scripting vulnerability in Google DOC Embedder Project Google DOC Embedder The google-document-embedder plugin before 2.6.2 for WordPress has XSS. | 6.1 |
2019-08-14 | CVE-2016-10880 | Google DOC Embedder Project | Cross-site Scripting vulnerability in Google DOC Embedder Project Google DOC Embedder The google-document-embedder plugin before 2.6.1 for WordPress has XSS. | 6.1 |
2019-08-14 | CVE-2015-9314 | Newstatpress Project | Cross-site Scripting vulnerability in Newstatpress Project Newstatpress The newstatpress plugin before 1.0.4 for WordPress has XSS related to the Referer header. | 6.1 |
2019-08-14 | CVE-2015-9312 | Newstatpress Project | Cross-site Scripting vulnerability in Newstatpress Project Newstatpress The newstatpress plugin before 1.0.5 for WordPress has XSS related to an IMG element. | 6.1 |
2019-08-14 | CVE-2015-9311 | Newstatpress Project | Cross-site Scripting vulnerability in Newstatpress Project Newstatpress The newstatpress plugin before 1.0.6 for WordPress has reflected XSS. | 6.1 |
2019-08-14 | CVE-2019-0337 | SAP | Cross-site Scripting vulnerability in SAP Netweaver Process Integration Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs and allows an attacker to execute malicious scripts in the URL, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2019-08-14 | CVE-2019-0335 | SAP | Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3 Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the description field of a user account. | 6.1 |
2019-08-14 | CVE-2019-0332 | SAP | Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3 SAP BusinessObjects Business Intelligence Platform (Info View), versions 4.1, 4.2, 4.3, allows an attacker to supply a payload as the search keyword, which is executed when the search is performed, resulting in a Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2019-08-13 | CVE-2017-18488 | Backup Guard | Cross-site Scripting vulnerability in Backup-Guard Backup Guard The Backup Guard plugin before 1.1.47 for WordPress has multiple XSS issues. | 6.1 |
2019-08-13 | CVE-2017-18487 | Google Adsense Project | Cross-site Scripting vulnerability in Google Adsense Project Google Adsense The adsense-plugin (aka Google AdSense) plugin before 1.44 for WordPress has multiple XSS issues. | 6.1 |
2019-08-13 | CVE-2016-10867 | Tipsandtricks HQ | Cross-site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages. | 6.1 |
2019-08-13 | CVE-2016-10866 | Tipsandtricks HQ | Cross-site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPress has multiple XSS issues. | 6.1 |
2019-08-13 | CVE-2018-20963 | Codepeople | Cross-site Scripting vulnerability in Codepeople Contact Form Email The contact-form-to-email plugin before 1.2.66 for WordPress has XSS. | 6.1 |
2019-08-13 | CVE-2017-18507 | 3CX | Cross-site Scripting vulnerability in 3CX Live Chat The wp-live-chat-support plugin before 7.1.05 for WordPress has XSS. | 6.1 |
2019-08-13 | CVE-2017-18498 | Presstigers | Cross-site Scripting vulnerability in Presstigers Simple JOB Board The simple-job-board plugin before 2.4.4 for WordPress has reflected XSS via keyword search. | 6.1 |
2019-08-13 | CVE-2017-18497 | W3Eden | Cross-site Scripting vulnerability in W3Eden Live Forms The liveforms plugin before 3.4.0 for WordPress has XSS. | 6.1 |
2019-08-13 | CVE-2017-18496 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Htaccess The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues. | 6.1 |
2019-08-13 | CVE-2017-18495 | Mediaburst | Cross-site Scripting vulnerability in Mediaburst Gravity Forms The gravity-forms-sms-notifications plugin before 2.4.0 for WordPress has XSS. | 6.1 |
2019-08-13 | CVE-2017-18494 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Custom Search The custom-search-plugin plugin before 1.36 for WordPress has multiple XSS issues. | 6.1 |
2019-08-13 | CVE-2017-18493 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Custom Admin Page 0.1/0.1.1 The custom-admin-page plugin before 0.1.2 for WordPress has multiple XSS issues. | 6.1 |
2019-08-13 | CVE-2017-18492 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Contact Form to DB The contact-form-to-db plugin before 1.5.7 for WordPress has multiple XSS issues. | 6.1 |
2019-08-13 | CVE-2017-18491 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Contact Form The contact-form-plugin plugin before 4.0.6 for WordPress has multiple XSS issues. | 6.1 |
2019-08-13 | CVE-2017-18490 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Contact Form Multi The contact-form-multi plugin before 1.2.1 for WordPress has multiple XSS issues. | 6.1 |
2019-08-13 | CVE-2017-18489 | Mediaburst | Cross-site Scripting vulnerability in Mediaburst Contact Form 7 - Clockwork SMS The contact-form-7-sms-addon plugin before 2.4.0 for WordPress has XSS. | 6.1 |
2019-08-13 | CVE-2016-10871 | Ibericode | Cross-site Scripting vulnerability in Ibericode Mailchimp The mailchimp-for-wp plugin before 4.0.11 for WordPress has XSS on the integration settings page. | 6.1 |
2019-08-13 | CVE-2016-10870 | Gtranslate | Cross-site Scripting vulnerability in Gtranslate Google Language Translator The google-language-translator plugin before 5.0.06 for WordPress has XSS. | 6.1 |
2019-08-13 | CVE-2016-10869 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Contact Form The contact-form-plugin plugin before 4.0.2 for WordPress has XSS. | 6.1 |
2019-08-13 | CVE-2016-10868 | Tipsandtricks HQ | Cross-site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall The all-in-one-wp-security-and-firewall plugin before 4.0.5 for WordPress has XSS in the blacklist, file system, and file change detection settings pages. | 6.1 |
2019-08-13 | CVE-2015-9302 | Simple Fields Project | Cross-site Scripting vulnerability in Simple Fields Project Simple Fields The simple-fields plugin before 1.4.11 for WordPress has XSS. | 6.1 |
2019-08-13 | CVE-2015-9300 | Pixelite | Cross-site Scripting vulnerability in Pixelite Events Manager The events-manager plugin before 5.5.7 for WordPress has multiple XSS issues. | 6.1 |
2019-08-13 | CVE-2015-9299 | Pixelite | Cross-site Scripting vulnerability in Pixelite Events Manager The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS. | 6.1 |
2019-08-13 | CVE-2015-9297 | Pixelite | Cross-site Scripting vulnerability in Pixelite Events Manager The events-manager plugin before 5.6 for WordPress has XSS. | 6.1 |
2019-08-13 | CVE-2015-9296 | Never5 | Cross-site Scripting vulnerability in Never5 Download Monitor The download-monitor plugin before 1.7.1 for WordPress has XSS related to add_query_arg. | 6.1 |
2019-08-13 | CVE-2015-9295 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Contact Form The contact-form-plugin plugin before 3.96 for WordPress has XSS. | 6.1 |
2019-08-13 | CVE-2015-9294 | Tipsandtricks HQ | Cross-site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances. | 6.1 |
2019-08-13 | CVE-2015-9293 | Tipsandtricks HQ | Cross-site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature. | 6.1 |
2019-08-13 | CVE-2013-7475 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Contact Form The contact-form-plugin plugin before 3.52 for WordPress has XSS. | 6.1 |
2019-08-13 | CVE-2012-6713 | WP Jobmanager | Cross-site Scripting vulnerability in Wp-Jobmanager JOB Manager The job-manager plugin before 0.7.19 for WordPress has multiple XSS issues. | 6.1 |
2019-08-12 | CVE-2019-14976 | Icmsdev | Cross-site Scripting vulnerability in Icmsdev Icms 7.0.15 iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter. | 6.1 |
2019-08-12 | CVE-2019-14967 | Frappe | Cross-site Scripting vulnerability in Frappe An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. | 6.1 |
2019-08-12 | CVE-2018-20966 | Booster | Cross-site Scripting vulnerability in Booster for Woocommerce The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature. | 6.1 |
2019-08-12 | CVE-2018-20965 | Ultimatemember | Cross-site Scripting vulnerability in Ultimatemember Ultimate Member The ultimate-member plugin before 2.0.4 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2017-18505 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Twitter Button The twitter-plugin plugin before 2.55 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2017-18503 | Wpdeveloper | Cross-site Scripting vulnerability in Wpdeveloper Twitter Cards Meta The twitter-cards-meta plugin before 2.5.0 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2017-18502 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Subscriber The subscriber plugin before 1.3.5 for WordPress has multiple XSS issues. | 6.1 |
2019-08-12 | CVE-2017-18501 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Social Login 0.1 The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues. | 6.1 |
2019-08-12 | CVE-2017-18500 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Social Buttons Pack The social-buttons-pack plugin before 1.1.1 for WordPress has multiple XSS issues. | 6.1 |
2019-08-12 | CVE-2017-18499 | Simple Membership Plugin | Cross-site Scripting vulnerability in Simple-Membership-Plugin Simple Membership The simple-membership plugin before 3.5.7 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2016-10872 | Ultimatemember | Cross-site Scripting vulnerability in Ultimatemember Ultimate Member The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form. | 6.1 |
2019-08-12 | CVE-2015-9304 | Ultimatemember | Cross-site Scripting vulnerability in Ultimatemember Ultimate Member The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input. | 6.1 |
2019-08-12 | CVE-2015-9303 | Simplesharebuttons | Cross-site Scripting vulnerability in Simplesharebuttons Simple Share Buttons Adder The simple-share-buttons-adder plugin before 6.0.0 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2019-14950 | 3CX | Cross-site Scripting vulnerability in 3CX Live Chat The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page. | 6.1 |
2019-08-12 | CVE-2019-14949 | Wpseeds | Cross-site Scripting vulnerability in Wpseeds WP Database Backup The wp-database-backup plugin before 5.1.2 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2017-18508 | 3CX | Cross-site Scripting vulnerability in 3CX Live Chat The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2017-18506 | Wpovernight | Cross-site Scripting vulnerability in Wpovernight Woocommerce PDF Invoices & Packing Slips The woocommerce-pdf-invoices-packing-slips plugin before 2.0.13 for WordPress has XSS via the tab or section variable on settings screens. | 6.1 |
2019-08-12 | CVE-2016-10879 | 3CX | Cross-site Scripting vulnerability in 3CX Live Chat The wp-live-chat-support plugin before 6.2.02 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2016-10878 | Flippercode | Cross-site Scripting vulnerability in Flippercode WP Google MAP The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2016-10877 | WP Editor Project | Cross-site Scripting vulnerability in WP Editor Project WP Editor The wp-editor plugin before 1.2.6.3 for WordPress has multiple XSS issues. | 6.1 |
2019-08-12 | CVE-2016-10875 | Wpseeds | Cross-site Scripting vulnerability in Wpseeds WP Database Backup The wp-database-backup plugin before 4.3.1 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2016-10873 | Wpseeds | Cross-site Scripting vulnerability in Wpseeds WP Database Backup The wp-database-backup plugin before 4.3.3 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2015-9306 | Smackcoders | Cross-site Scripting vulnerability in Smackcoders Import ALL Pages, Post Types, Products, Orders, and Users AS XML & CSV The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS. | 6.1 |
2019-08-12 | CVE-2015-9305 | Flippercode | Cross-site Scripting vulnerability in Flippercode WP Google MAP The wp-google-map-plugin plugin before 2.3.7 for WordPress has XSS related to the add_query_arg() and remove_query_arg() functions. | 6.1 |
2019-08-15 | CVE-2019-13377 | W1 FI Fedoraproject Canonical Debian | Information Exposure Through Discrepancy vulnerability in multiple products The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. | 5.9 |
2019-08-13 | CVE-2019-10929 | Siemens | Unspecified vulnerability in Siemens products A vulnerability has been identified in SIMATIC CP 1626 (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. | 5.9 |
2019-08-13 | CVE-2019-13420 | Search Guard | Information Exposure Through Discrepancy vulnerability in Search-Guard Search Guard Search Guard versions before 21.0 had a timing side-channel issue when using the internal user database. | 5.9 |
2019-08-18 | CVE-2019-15145 | Djvulibre Project Debian Fedoraproject Canonical Opensuse | Out-of-bounds Read vulnerability in multiple products DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h. | 5.5 |
2019-08-18 | CVE-2019-15144 | Djvulibre Project Debian Fedoraproject Canonical Opensuse | Uncontrolled Recursion vulnerability in multiple products In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h. | 5.5 |
2019-08-18 | CVE-2019-15143 | Djvulibre Project Debian Fedoraproject Canonical Opensuse | Infinite Loop vulnerability in multiple products In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp. | 5.5 |
2019-08-18 | CVE-2019-15142 | Djvulibre Project Debian Fedoraproject Canonical Opensuse | Out-of-bounds Read vulnerability in multiple products In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file. | 5.5 |
2019-08-16 | CVE-2019-15119 | NPS Project | Incorrect Permission Assignment for Critical Resource vulnerability in NPS Project NPS lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user. | 5.5 |
2019-08-16 | CVE-2019-15118 | Linux Canonical Debian Opensuse Netapp | Uncontrolled Recursion vulnerability in multiple products check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion. | 5.5 |
2019-08-15 | CVE-2019-13223 | STB Vorbis Project Debian | Reachable Assertion vulnerability in multiple products A reachable assertion in the lookup1_values function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file. | 5.5 |
2019-08-15 | CVE-2019-13219 | STB Vorbis Project Debian | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference in the get_window function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file. | 5.5 |
2019-08-15 | CVE-2019-13218 | STB Vorbis Project Debian | Divide By Zero vulnerability in multiple products Division by zero in the predict_point function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file. | 5.5 |
2019-08-15 | CVE-2019-10140 | Linux Redhat | A vulnerability was found in the Linux kernel's implementation of overlayfs, versions up to 3.10. | 5.5 |
2019-08-15 | CVE-2017-14232 | Flif Jasper Project | Resource Management Errors vulnerability in multiple products The read_chunk function in flif-dec.cpp in Free Lossless Image Format (FLIF) 0.3 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted flif file. | 5.5 |
2019-08-12 | CVE-2019-14939 | Mysql Project | Unspecified vulnerability in Mysql Project Mysql 2.17.1 An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js. | 5.5 |
2019-08-16 | CVE-2019-15120 | Kunena | Cross-site Scripting vulnerability in Kunena The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode. | 5.4 |
2019-08-15 | CVE-2018-17790 | Prospecta | Cross-site Scripting vulnerability in Prospecta Master Data Online 2.0 Prospecta Master Data Online (MDO) 2.0 has Stored XSS. | 5.4 |
2019-08-15 | CVE-2018-12101 | Clippercms | Cross-site Scripting vulnerability in Clippercms 1.3.3 CMS Clipper 1.3.3 has XSS in the Security tab search, User Groups, Resource Groups, and User/Resource Group Links fields. | 5.4 |
2019-08-15 | CVE-2019-14518 | Modx | Cross-site Scripting vulnerability in Modx Evolution CMS 2.0.0 Evolution CMS 2.0.x allows XSS via a description and new category location in a template. | 5.4 |
2019-08-15 | CVE-2019-3418 | ZTE | Cross-site Scripting vulnerability in ZTE Zxhn F670 Firmware All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by cross-site scripting vulnerability (XSS). | 5.4 |
2019-08-14 | CVE-2019-1218 | Microsoft | Cross-site Scripting vulnerability in Microsoft Outlook A spoofing vulnerability exists in the way Microsoft Outlook iOS software parses specifically crafted email messages. | 5.4 |
2019-08-14 | CVE-2019-1203 | Microsoft | Cross-site Scripting vulnerability in Microsoft Sharepoint Enterprise Server and Sharepoint Server A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. | 5.4 |
2019-08-14 | CVE-2019-0340 | SAP | XXE vulnerability in SAP Enable NOW 10 The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. | 5.4 |
2019-08-14 | CVE-2019-0334 | SAP | Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3 When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store a malicious script which when executed later could potentially allow a user to escalate privileges via session hijacking. | 5.4 |
2019-08-12 | CVE-2019-14947 | Ultimatemember | Cross-site Scripting vulnerability in Ultimatemember Ultimate Member The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade. | 5.4 |
2019-08-12 | CVE-2019-14946 | Ultimatemember | Cross-site Scripting vulnerability in Ultimatemember Ultimate Member The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations. | 5.4 |
2019-08-12 | CVE-2019-14945 | Ultimatemember | Cross-site Scripting vulnerability in Ultimatemember Ultimate Member The ultimate-member plugin before 2.0.54 for WordPress has XSS. | 5.4 |
2019-08-12 | CVE-2019-14948 | Najeebmedia | Cross-site Scripting vulnerability in Najeebmedia Ppom for Woocommerce The woocommerce-product-addon plugin before 18.4 for WordPress has XSS via an import of a new meta data structure. | 5.4 |
2019-08-18 | CVE-2019-15129 | Humanica | Missing Authentication for Critical Function vulnerability in Humanica Humatrix 7 1.0.0.203/1.0.0.681 The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates' files in the photo folder on the website by specifying a "user id" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_name] URI. | 5.3 |
2019-08-17 | CVE-2019-15132 | Zabbix Debian | Information Exposure Through Discrepancy vulnerability in multiple products Zabbix through 4.4.0alpha1 allows User Enumeration. | 5.3 |
2019-08-15 | CVE-2018-14672 | Yandex | Path Traversal vulnerability in Yandex Clickhouse In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages. | 5.3 |
2019-08-15 | CVE-2019-14800 | Foliovision | Information Exposure vulnerability in Foliovision FV Flowplayer Video Player The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplayer&fv-email-export=1 URI. | 5.3 |
2019-08-14 | CVE-2019-0338 | SAP | Information Exposure vulnerability in SAP Gateway During an OData V2/V4 request in SAP Gateway, versions 750, 751, 752, 753, the HTTP Header attributes cache-control and pragma were not properly set, allowing an attacker to access restricted information, resulting in Information Disclosure. | 5.3 |
2019-08-14 | CVE-2019-0331 | SAP | Unspecified vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3 Under certain conditions, SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, allows an attacker to access sensitive data such as directory structure, leading to Information Disclosure. | 5.3 |
2019-08-14 | CVE-2019-15028 | Joomla | Unspecified vulnerability in Joomla Joomla! In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms. | 5.3 |
2019-08-13 | CVE-2019-8448 | Atlassian | Unspecified vulnerability in Atlassian Jira Server The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | 5.3 |
2019-08-12 | CVE-2019-13417 | Search Guard | Information Exposure vulnerability in Search-Guard Search Guard Search Guard versions before 24.0 had an issue in which the field caps and mapping APIs leaked field names (but not values) for fields that are not allowed for the user when field level security (FLS) is activated. | 5.3 |
2019-08-16 | CVE-2019-15108 | Wso2 | Cross-site Scripting vulnerability in Wso2 API Manager An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. | 4.8 |
2019-08-15 | CVE-2019-15081 | Opencart | Cross-site Scripting vulnerability in Opencart OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages. | 4.8 |
2019-08-15 | CVE-2019-14795 | Toggle THE Title Project | Cross-site Scripting vulnerability in Toggle-The-Title Project Toggle-The-Title 1.4 The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress has XSS via the wp-admin/admin-ajax.php?action=update_title_options isAutoSaveValveChecked or isDisableAllPagesValveChecked parameter. | 4.8 |
2019-08-13 | CVE-2019-14987 | Schben | Cross-site Scripting vulnerability in Schben Framework 2.0.7 Adive Framework through 2.0.7 is affected by XSS in the Create New Table and Create New Navigation Link functions. | 4.8 |
2019-08-16 | CVE-2016-10894 | Xtrlock Project Debian | 7PK - Security Features vulnerability in multiple products xtrlock through 2.10 does not block multitouch events. | 4.6 |
2019-08-16 | CVE-2019-15098 | Linux Canonical Opensuse Netapp Debian | NULL Pointer Dereference vulnerability in multiple products drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor. | 4.6 |
2019-08-14 | CVE-2019-1202 | Microsoft | Information Exposure vulnerability in Microsoft products An information disclosure vulnerability exists in the way Microsoft SharePoint handles session objects. | 4.4 |
2019-08-14 | CVE-2019-1204 | Microsoft | Improper Input Validation vulnerability in Microsoft Office, Office 365 Proplus and Outlook An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. | 4.3 |
3 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-15 | CVE-2019-13512 | Fujielectric | Out-of-bounds Read vulnerability in Fujielectric Frenic Loader 3.5.0.0 Fuji Electric FRENIC Loader 3.5.0.0 and prior is vulnerable to an out-of-bounds read vulnerability, which may allow an attacker to read limited information from the device. | 3.3 |
2019-08-15 | CVE-2019-13511 | Rockwellautomation | Use After Free vulnerability in Rockwellautomation Arena Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain an INFORMATION EXPOSURE CWE-200. | 3.3 |
2019-08-12 | CVE-2019-14359 | Real SEC | Information Exposure Through Discrepancy vulnerability in Real-Sec BC Vault Firmware On BC Vault devices, a side channel for the row-based SSD1309 OLED display was found. | 2.4 |