Weekly Vulnerabilities Reports > August 12 to 18, 2019

Overview

339 new vulnerabilities reported during this period, including 58 critical vulnerabilities and 132 high severity vulnerabilities. This weekly summary report vulnerabilities in 479 products from 173 vendors including Debian, Canonical, Opensuse, Fedoraproject, and SAP. Vulnerabilities are notably categorized as "Cross-site Scripting", "Cross-Site Request Forgery (CSRF)", "SQL Injection", "Out-of-bounds Read", and "Incorrect Permission Assignment for Critical Resource".

  • 283 reported vulnerabilities are remotely exploitables.
  • 18 reported vulnerabilities have public exploit available.
  • 151 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 271 reported vulnerabilities are exploitable by an anonymous user.
  • Debian has the most reported vulnerabilities, with 37 reported vulnerabilities.
  • Debian has the most reported critical vulnerabilities, with 5 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

58 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-18 CVE-2019-15151 Adplug Project
Fedoraproject
Double Free vulnerability in multiple products

AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h.

9.8
2019-08-18 CVE-2019-15149 Networkgenomics 7PK - Security Features vulnerability in Networkgenomics Mitogen

core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child.

9.8
2019-08-18 CVE-2019-15130 Humanica Use of Insufficiently Random Values vulnerability in Humanica Humatrix 7 1.0.0.203/1.0.0.681

The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to upload any file type to a candidate's profile picture folder via a crafted recruitment_online/personalData/act_personaltab.cfm multiple-part POST request with a predictable WRC01_USERID parameter.

9.8
2019-08-16 CVE-2018-20973 Codeermeneer Improper Input Validation vulnerability in Codeermeneer Companion Auto Update

The companion-auto-update plugin before 3.2.1 for WordPress has local file inclusion.

9.8
2019-08-16 CVE-2017-18543 Invite Anyone Project Improper Access Control vulnerability in Invite Anyone Project Invite Anyone

The invite-anyone plugin before 1.3.16 for WordPress has incorrect access control for email-based invitations.

9.8
2019-08-16 CVE-2015-9324 Sandhillsdev SQL Injection vulnerability in Sandhillsdev Easy Digital Downloads

The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection.

9.8
2019-08-16 CVE-2015-9323 Duckdev SQL Injection vulnerability in Duckdev 404 to 301

The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.

9.8
2019-08-16 CVE-2014-10376 Themeist SQL Injection vulnerability in Themeist I Recommend This

The i-recommend-this plugin before 3.7.3 for WordPress has SQL injection.

9.8
2019-08-16 CVE-2019-7964 Adobe Unspecified vulnerability in Adobe Experience Manager 6.4/6.5

Adobe Experience Manager versions 6.5, and 6.4 have an authentication bypass vulnerability.

9.8
2019-08-16 CVE-2019-7959 Adobe Improper Input Validation vulnerability in Adobe Creative Cloud

Creative Cloud Desktop Application versions 4.6.1 and earlier have a using components with known vulnerabilities vulnerability.

9.8
2019-08-16 CVE-2019-7958 Adobe Incorrect Permission Assignment for Critical Resource vulnerability in Adobe Creative Cloud

Creative Cloud Desktop Application versions 4.6.1 and earlier have an insecure inherited permissions vulnerability.

9.8
2019-08-16 CVE-2019-5477 Nokogiri
Canonical
Debian
OS Command Injection vulnerability in multiple products

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method.

9.8
2019-08-16 CVE-2017-18548 Datainterlock SQL Injection vulnerability in Datainterlock Note Press 0.1.0/0.1.1

The note-press plugin before 0.1.2 for WordPress has SQL injection.

9.8
2019-08-16 CVE-2016-10904 Olimometer Project SQL Injection vulnerability in Olimometer Project Olimometer

The olimometer plugin before 2.57 for WordPress has SQL injection.

9.8
2019-08-16 CVE-2015-9326 Wpbusinessintelligence SQL Injection vulnerability in Wpbusinessintelligence WP Business Intelligence

The wp-business-intelligence-lite plugin before 1.6.3 for WordPress has SQL injection.

9.8
2019-08-16 CVE-2015-9325 Bestwebsoft SQL Injection vulnerability in Bestwebsoft Visitors Online 0.1/0.2/0.3

The visitors-online plugin before 0.4 for WordPress has SQL injection.

9.8
2019-08-16 CVE-2019-15091 Artica Unrestricted Upload of File with Dangerous Type vulnerability in Artica Integria IMS 5.0.86

filemgr.php in Artica Integria IMS 5.0.86 allows index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload arbitrary file upload.

9.8
2019-08-16 CVE-2019-15107 Webmin OS Command Injection vulnerability in Webmin

An issue was discovered in Webmin <=1.920.

9.8
2019-08-16 CVE-2019-15106 Zohocorp Missing Authentication for Critical Function vulnerability in Zohocorp Manageengine Opmanager

An issue was discovered in Zoho ManageEngine OpManager in builds before 14310.

9.8
2019-08-15 CVE-2019-9851 Debian
Canonical
Opensuse
Fedoraproject
Libreoffice
Improper Input Validation vulnerability in multiple products

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from.

9.8
2019-08-15 CVE-2019-9850 Debian
Canonical
Opensuse
Fedoraproject
Libreoffice
Improper Input Validation vulnerability in multiple products

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from.

9.8
2019-08-15 CVE-2019-9010 Codesys Unspecified vulnerability in Codesys products

An issue was discovered in 3S-Smart CODESYS V3 products.

9.8
2019-08-15 CVE-2018-14671 Yandex Improper Input Validation vulnerability in Yandex Clickhouse

In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability.

9.8
2019-08-15 CVE-2018-14670 Yandex Improper Authorization vulnerability in Yandex Clickhouse

Incorrect configuration in deb package in ClickHouse before 1.1.54131 could lead to unauthorized use of the database.

9.8
2019-08-15 CVE-2019-11187 Gonicus
Debian
Improper Authentication vulnerability in multiple products

Incorrect Access Control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the case-insensitive substring "success" when an arbitrary password is provided.

9.8
2019-08-15 CVE-2019-13578 Givewp SQL Injection vulnerability in Givewp

A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress.

9.8
2019-08-14 CVE-2019-9585 EQ 3 Missing Authentication for Critical Function vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON API has Improper Access Control for Interface.***Metadata related operations, resulting in the ability to read, set and deletion of Metadata.

9.8
2019-08-14 CVE-2019-9584 EQ 3 Forced Browsing vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration.

9.8
2019-08-14 CVE-2019-14527 Netgear OS Command Injection vulnerability in Netgear Mr1100 Firmware 12.05.05.00

An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03.

9.8
2019-08-14 CVE-2019-12103 TP Link OS Command Injection vulnerability in Tp-Link M7350 Firmware 1.0.16/151021/160330

The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by a pre-authentication command injection vulnerability.

9.8
2019-08-14 CVE-2019-15052 Gradle Insufficiently Protected Credentials vulnerability in Gradle

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host.

9.8
2019-08-14 CVE-2019-12262 Windriver
Belden
Siemens
Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and 7 has Incorrect Access Control in the RARP client component.
9.8
2019-08-14 CVE-2019-11652 Microfocus Unspecified vulnerability in Microfocus Netiq Self Service Password Reset

A potential authorization bypass issue was found in Micro Focus Self Service Password Reset (SSPR) versions prior to: 4.4.0.3, 4.3.0.6, and 4.2.0.6.

9.8
2019-08-14 CVE-2016-10888 Tipsandtricks HQ SQL Injection vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues.

9.8
2019-08-14 CVE-2016-10887 Tipsandtricks HQ SQL Injection vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues.

9.8
2019-08-14 CVE-2016-10886 Benjaminrojas Permissions, Privileges, and Access Controls vulnerability in Benjaminrojas WP Editor

The wp-editor plugin before 1.2.6 for WordPress has incorrect permissions.

9.8
2019-08-14 CVE-2015-9310 Tipsandtricks HQ SQL Injection vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues.

9.8
2019-08-14 CVE-2019-15025 Ninjaforms SQL Injection vulnerability in Ninjaforms

The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page.

9.8
2019-08-14 CVE-2017-18514 Simplerealtytheme SQL Injection vulnerability in Simplerealtytheme Simple Login LOG

The simple-login-log plugin before 1.1.2 for WordPress has SQL injection.

9.8
2019-08-14 CVE-2016-10889 Imagely SQL Injection vulnerability in Imagely Nextgen Gallery

The nextgen-gallery plugin before 2.1.57 for WordPress has SQL injection via a gallery name.

9.8
2019-08-14 CVE-2015-9316 Wpfastestcache SQL Injection vulnerability in Wpfastestcache WP Fastest Cache

The wp-fastest-cache plugin before 0.8.4.9 for WordPress has SQL injection in wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request via the poll_id parameter.

9.8
2019-08-14 CVE-2015-9315 Newstatpress Project SQL Injection vulnerability in Newstatpress Project Newstatpress

The newstatpress plugin before 1.0.1 for WordPress has SQL injection.

9.8
2019-08-14 CVE-2015-9313 Newstatpress Project SQL Injection vulnerability in Newstatpress Project Newstatpress

The newstatpress plugin before 1.0.5 for WordPress has SQL injection related to an IMG element.

9.8
2019-08-14 CVE-2019-0345 SAP Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Application Server Java

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery.

9.8
2019-08-14 CVE-2019-0344 SAP Deserialization of Untrusted Data vulnerability in SAP Commerce Cloud

Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.

9.8
2019-08-14 CVE-2017-18515 Veronalabs SQL Injection vulnerability in Veronalabs WP Statistics

The wp-statistics plugin before 12.0.8 for WordPress has SQL injection.

9.8
2019-08-14 CVE-2019-15027 Mediatek OS Command Injection vulnerability in Mediatek Mt6577 Firmware, Mt6625 Firmware and Mt8163 Firmware

The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows attackers to execute arbitrary commands as root via shell metacharacters in a filename under /data, because clear_emmc_nomedia_entry in platform/mt6577/external/meta/emmc/meta_clr_emmc.c invokes 'system("/system/bin/rm -r /data/' followed by this filename upon an eMMC clearance from a Meta Mode boot.

9.8
2019-08-13 CVE-2019-14809 Golang
Debian
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications.
9.8
2019-08-13 CVE-2019-14985 EQ 3 Improper Authentication vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because this interface can access the CMD_EXEC virtual device type 28.

9.8
2019-08-13 CVE-2015-9301 W3Eden SQL Injection vulnerability in W3Eden Live Forms

The liveforms plugin before 3.2.0 for WordPress has SQL injection.

9.8
2019-08-13 CVE-2015-9298 Pixelite Code Injection vulnerability in Pixelite Events Manager

The events-manager plugin before 5.6 for WordPress has code injection.

9.8
2019-08-12 CVE-2019-14968 Txjia SQL Injection vulnerability in Txjia Imcat 4.9

An issue was discovered in imcat 4.9.

9.8
2019-08-12 CVE-2019-14965 Frappe Code Injection vulnerability in Frappe

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4.

9.8
2019-08-12 CVE-2019-12618 Hashicorp Improper Privilege Management vulnerability in Hashicorp Nomad 0.9.0/0.9.1

HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver.

9.8
2019-08-15 CVE-2018-14062 Cospas Sarsat Cryptographic Issues vulnerability in Cospas-Sarsat System

The COSPAS-SARSAT protocol allows remote attackers to forge messages, replay encrypted messages, conduct denial of service attacks, and send private messages (unrelated to distress alerts) via a crafted 406 MHz digital signal.

9.1
2019-08-14 CVE-2019-15058 STB Project Out-of-bounds Read vulnerability in STB Project STB 2.23

stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer over-read in stbi__tga_load, leading to Information Disclosure or Denial of Service.

9.1
2019-08-13 CVE-2019-12479 Twentytwenty Storage Project Path Traversal vulnerability in Twentytwenty.Storage Project Twentytwenty.Storage 2.11.0

An issue was discovered in 20|20 Storage 2.11.0.

9.1
2019-08-12 CVE-2019-13462 Lansweeper SQL Injection vulnerability in Lansweeper

Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.

9.1

132 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-18 CVE-2019-15140 Imagemagick Use After Free vulnerability in Imagemagick 7.0.843

coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c.

8.8
2019-08-16 CVE-2019-15115 Profilepress Cross-Site Request Forgery (CSRF) vulnerability in Profilepress Loginwp

The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF.

8.8
2019-08-16 CVE-2019-15114 Ncrafts Cross-Site Request Forgery (CSRF) vulnerability in Ncrafts Formcraft

The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.

8.8
2019-08-16 CVE-2019-15113 Codeermeneer Cross-Site Request Forgery (CSRF) vulnerability in Codeermeneer Companion Sitemap Generator

The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF.

8.8
2019-08-16 CVE-2018-20974 Joomsky Cross-Site Request Forgery (CSRF) vulnerability in Joomsky JS JOB Manager

The js-jobs plugin before 1.0.7 for WordPress has CSRF.

8.8
2019-08-16 CVE-2018-20972 Codeermeneer Cross-Site Request Forgery (CSRF) vulnerability in Codeermeneer Companion Auto Update

The companion-auto-update plugin before 3.2.1 for WordPress has CSRF.

8.8
2019-08-16 CVE-2018-20971 Churchadminplugin Cross-Site Request Forgery (CSRF) vulnerability in Churchadminplugin Church Admin

The church-admin plugin before 1.2550 for WordPress has CSRF affecting the upload of a bible reading plan.

8.8
2019-08-16 CVE-2017-18547 Neliosoftware Cross-Site Request Forgery (CSRF) vulnerability in Neliosoftware Nelio AB Testing

The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in experiment forms.

8.8
2019-08-16 CVE-2017-18546 Jayj Quicktag Project Cross-Site Request Forgery (CSRF) vulnerability in Jayj Quicktag Project Jayj Quicktag

The jayj-quicktag plugin before 1.3.2 for WordPress has CSRF.

8.8
2019-08-16 CVE-2017-18544 Invite Anyone Project Cross-Site Request Forgery (CSRF) vulnerability in Invite Anyone Project Invite Anyone

The invite-anyone plugin before 1.3.16 for WordPress has admin-panel CSRF.

8.8
2019-08-16 CVE-2015-9322 Erident Custom Login AND Dashboard Project Cross-Site Request Forgery (CSRF) vulnerability in Erident Custom Login and Dashboard Project Erident Custom Login and Dashboard

The erident-custom-login-and-dashboard plugin before 3.5 for WordPress has CSRF.

8.8
2019-08-16 CVE-2019-14923 Eyesofnetwork OS Command Injection vulnerability in Eyesofnetwork 5.10

EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field.

8.8
2019-08-16 CVE-2019-15105 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Applications Manager

An issue was discovered in Zoho ManageEngine Application Manager through 14.2.

8.8
2019-08-16 CVE-2019-15104 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Applications Manager

An issue was discovered in Zoho ManageEngine OpManager through 12.4x.

8.8
2019-08-15 CVE-2019-12792 Vestacp OS Command Injection vulnerability in Vestacp Control Panel 0.9.824

A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root.

8.8
2019-08-15 CVE-2019-12791 Vestacp Path Traversal vulnerability in Vestacp Control Panel 0.9.824

A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form.

8.8
2019-08-15 CVE-2019-13516 Osisoft Cross-Site Request Forgery (CSRF) vulnerability in Osisoft PI web API

In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect.

8.8
2019-08-15 CVE-2019-12809 Yes24 Unspecified vulnerability in Yes24 Viewer Activex 1.0.327.50126

Yes24ViewerX ActiveX Control 1.0.327.50126 and earlier versions contains a vulnerability that could allow remote attackers to download and execute arbitrary files by setting the arguments to the ActiveX method.

8.8
2019-08-15 CVE-2018-14668 Yandex Cross-Site Request Forgery (CSRF) vulnerability in Yandex Clickhouse

In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks.

8.8
2019-08-15 CVE-2019-9013 Codesys Use of a Broken or Risky Cryptographic Algorithm vulnerability in Codesys products

An issue was discovered in 3S-Smart CODESYS V3 products.

8.8
2019-08-15 CVE-2019-14422 Tortoisesvn Unspecified vulnerability in Tortoisesvn 1.12.1

An issue was discovered in in TortoiseSVN 1.12.1.

8.8
2019-08-15 CVE-2019-14788 Tribulant Path Traversal vulnerability in Tribulant Newsletters

wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value.

8.8
2019-08-15 CVE-2019-3417 ZTE OS Command Injection vulnerability in ZTE Zxhn F670 Firmware

All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by command injection vulnerability.

8.8
2019-08-15 CVE-2019-14755 Leaftecnologia Unrestricted Upload of File with Dangerous Type vulnerability in Leaftecnologia Leaf Admin 61.9.0212.10F

The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type.

8.8
2019-08-14 CVE-2019-14216 WP SVG Icons Project Cross-Site Request Forgery (CSRF) vulnerability in WP SVG Icons Project WP SVG Icons

An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress.

8.8
2019-08-14 CVE-2019-1258 Microsoft Unspecified vulnerability in Microsoft Active Directory Authentication Library and Nuget

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens.

8.8
2019-08-14 CVE-2019-1229 Microsoft Unspecified vulnerability in Microsoft Dynamics 365 9.0

An elevation of privilege vulnerability exists in Dynamics On-Premise v9.

8.8
2019-08-14 CVE-2019-12104 TP Link Command Injection vulnerability in Tp-Link M7350 Firmware 1.0.16/151021/160330

The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by several post-authentication command injection vulnerabilities.

8.8
2019-08-14 CVE-2019-1183 Microsoft Unspecified vulnerability in Microsoft products

This information is being revised to indicate that this CVE (CVE-2019-1183) is fully mitigated by the security updates for the vulnerability discussed in CVE-2019-1194.

8.8
2019-08-14 CVE-2019-10199 Redhat Cross-Site Request Forgery (CSRF) vulnerability in Redhat Keycloak

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests.

8.8
2019-08-14 CVE-2019-15050 Axiosys Out-of-bounds Read vulnerability in Axiosys Bento4 1.5.1.0

An issue was discovered in Bento4 1.5.1.0.

8.8
2019-08-14 CVE-2019-15049 Axiosys Out-of-bounds Read vulnerability in Axiosys Bento4 1.5.1.0

An issue was discovered in Bento4 1.5.1.0.

8.8
2019-08-14 CVE-2019-15048 Axiosys Out-of-bounds Write vulnerability in Axiosys Bento4 1.5.1.0

An issue was discovered in Bento4 1.5.1.0.

8.8
2019-08-14 CVE-2019-15047 Axiosys Out-of-bounds Read vulnerability in Axiosys Bento4 1.5.1.0

An issue was discovered in Bento4 1.5.1.0.

8.8
2019-08-14 CVE-2018-20968 Smackcoders Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders Ultimate Exporter

The wp-ultimate-exporter plugin before 1.4.2 for WordPress has CSRF.

8.8
2019-08-14 CVE-2018-20967 Smackcoders Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders Import ALL Pages, Post Types, Products, Orders, and Users AS XML & CSV

The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF.

8.8
2019-08-14 CVE-2017-18513 Expresstech Cross-Site Request Forgery (CSRF) vulnerability in Expresstech Responsive Menu

The responsive-menu plugin before 3.1.4 for WordPress has no CSRF protection mechanism for the admin interface.

8.8
2019-08-14 CVE-2017-18512 Supsystic Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Newsletter BY Supsystic

The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF.

8.8
2019-08-14 CVE-2017-18511 Wpmudev Cross-Site Request Forgery (CSRF) vulnerability in Wpmudev Custom Sidebars

The custom-sidebars plugin before 3.0.8.1 for WordPress has CSRF.

8.8
2019-08-14 CVE-2017-18510 Wpmudev Cross-Site Request Forgery (CSRF) vulnerability in Wpmudev Custom Sidebars 3.0.8.1

The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related to set location, import actions, and export actions.

8.8
2019-08-14 CVE-2016-10885 Benjaminrojas Cross-Site Request Forgery (CSRF) vulnerability in Benjaminrojas WP Editor

The wp-editor plugin before 1.2.6 for WordPress has CSRF.

8.8
2019-08-14 CVE-2016-10884 Simple Membership Plugin Cross-Site Request Forgery (CSRF) vulnerability in Simple-Membership-Plugin Simple Membership

The simple-membership plugin before 3.3.3 for WordPress has multiple CSRF issues.

8.8
2019-08-14 CVE-2016-10882 Google DOC Embedder Project Cross-Site Request Forgery (CSRF) vulnerability in Google DOC Embedder Project Google DOC Embedder

The google-document-embedder plugin before 2.6.2 for WordPress has CSRF.

8.8
2019-08-14 CVE-2015-9309 Flippercode Cross-Site Request Forgery (CSRF) vulnerability in Flippercode WP Google MAP

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature.

8.8
2019-08-14 CVE-2015-9308 Flippercode Cross-Site Request Forgery (CSRF) vulnerability in Flippercode WP Google MAP

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit map feature.

8.8
2019-08-14 CVE-2015-9307 Flippercode Cross-Site Request Forgery (CSRF) vulnerability in Flippercode WP Google MAP

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit location feature.

8.8
2019-08-14 CVE-2013-7476 Simple Fields Project Cross-Site Request Forgery (CSRF) vulnerability in Simple Fields Project Simple Fields

The simple-fields plugin before 1.2 for WordPress has CSRF in the admin interface.

8.8
2019-08-14 CVE-2019-0351 SAP Unspecified vulnerability in SAP Netweaver

A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50.

8.8
2019-08-14 CVE-2019-0343 SAP Code Injection vulnerability in SAP Commerce Cloud

SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, allows an authenticated Backoffice/HMC user to inject code that can be executed by the application, leading to Code Injection.

8.8
2019-08-14 CVE-2019-0341 SAP Incorrect Permission Assignment for Critical Resource vulnerability in SAP Enable NOW 1902

The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set.

8.8
2019-08-13 CVE-2019-11207 Tibco Cross-site Scripting vulnerability in Tibco products

The web server component of TIBCO Software Inc.'s TIBCO LogLogic Enterprise Virtual Appliance, and TIBCO LogLogic Log Management Intelligence contains multiple vulnerabilities that theoretically allow persistent and reflected cross-site scripting (XSS) attacks, as well as cross-site request forgery (CSRF) attacks.

8.8
2019-08-13 CVE-2019-12806 Crosscert Out-of-bounds Write vulnerability in Crosscert Unisign 2.0.4.0

UniSign 2.0.4.0 and earlier version contains a stack-based buffer overflow vulnerability which can overwrite the stack with arbitrary data, due to a buffer overflow in a library.

8.8
2019-08-13 CVE-2018-20964 Codepeople Cross-Site Request Forgery (CSRF) vulnerability in Codepeople Contact Form Email

The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.

8.8
2019-08-13 CVE-2019-14530 Open EMR Path Traversal vulnerability in Open-Emr Openemr

An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter.

8.8
2019-08-12 CVE-2019-14966 Frappe SQL Injection vulnerability in Frappe

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4.

8.8
2019-08-12 CVE-2017-18504 Wpdeveloper Cross-Site Request Forgery (CSRF) vulnerability in Wpdeveloper Twitter Cards Meta

The twitter-cards-meta plugin before 2.5.0 for WordPress has CSRF.

8.8
2019-08-12 CVE-2016-10876 Wpseeds Cross-Site Request Forgery (CSRF) vulnerability in Wpseeds WP Database Backup

The wp-database-backup plugin before 4.3.1 for WordPress has CSRF.

8.8
2019-08-12 CVE-2016-10874 Wpseeds Cross-Site Request Forgery (CSRF) vulnerability in Wpseeds WP Database Backup

The wp-database-backup plugin before 4.3.3 for WordPress has CSRF.

8.8
2019-08-13 CVE-2019-10942 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SCALANCE X-200 switch family (incl.

8.6
2019-08-14 CVE-2019-13030 Mediola Forced Browsing vulnerability in Mediola NEO Server

eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details.

8.2
2019-08-14 CVE-2019-9583 EQ 3 Resource Exhaustion vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login.

8.2
2019-08-15 CVE-2019-3974 Tenable Unspecified vulnerability in Tenable Nessus

Nessus 8.5.2 and earlier on Windows platforms were found to contain an issue where certain system files could be overwritten arbitrarily, potentially creating a denial of service condition.

8.1
2019-08-14 CVE-2019-14526 Netgear Cross-Site Request Forgery (CSRF) vulnerability in Netgear Mr1100 Firmware 12.05.05.00

An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03.

8.1
2019-08-14 CVE-2019-9506 Google
Apple
Canonical
Debian
Opensuse
Redhat
Huawei
Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation.

8.1
2019-08-14 CVE-2019-10201 Redhat Improper Verification of Cryptographic Signature vulnerability in Redhat Keycloak and Single Sign-On

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures.

8.1
2019-08-13 CVE-2019-14986 EQ 3 Unspecified vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn before 2.3.0 installed allow administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as "Set root password") are exposed.

8.1
2019-08-13 CVE-2019-14984 EQ 3 Missing Authentication for Critical Function vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request.

8.1
2019-08-14 CVE-2019-15062 Dolibarr Cross-Site Request Forgery (CSRF) vulnerability in Dolibarr Erp/Crm 11.0.0

An issue was discovered in Dolibarr 11.0.0-alpha.

8.0
2019-08-17 CVE-2019-13069 Extenua Incorrect Permission Assignment for Critical Resource vulnerability in Extenua Silvershield

extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM.

7.8
2019-08-16 CVE-2019-15117 Linux Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linux Kernel

parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access.

7.8
2019-08-16 CVE-2018-20969 GNU OS Command Injection vulnerability in GNU Patch

do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character.

7.8
2019-08-16 CVE-2019-15084 Maxx Incorrect Permission Assignment for Critical Resource vulnerability in Maxx Waves Maxx Audio 1.6.2.0

Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, installs with incorrect file permissions.

7.8
2019-08-15 CVE-2019-9852 Debian
Canonical
Opensuse
Fedoraproject
Libreoffice
Path Traversal vulnerability in multiple products

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc.

7.8
2019-08-15 CVE-2019-13514 Deltaww Use After Free vulnerability in Deltaww Delta Industrial Automation Dopsoft

In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger a use-after-free vulnerability, which may allow information disclosure, remote code execution, or crash of the application.

7.8
2019-08-15 CVE-2019-13513 Deltaww Out-of-bounds Read vulnerability in Deltaww Delta Industrial Automation Dopsoft

In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger multiple out-of-bounds read vulnerabilities, which may allow information disclosure, remote code execution, or crash of the application.

7.8
2019-08-15 CVE-2019-13510 Rockwellautomation Use After Free vulnerability in Rockwellautomation Arena

Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain a USE AFTER FREE CWE-416.

7.8
2019-08-15 CVE-2019-13221 STB Vorbis Project
Debian
Out-of-bounds Write vulnerability in multiple products

A stack buffer overflow in the compute_codewords function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file.

7.8
2019-08-15 CVE-2019-13217 STB Vorbis Project
Debian
Out-of-bounds Write vulnerability in multiple products

A heap buffer overflow in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file.

7.8
2019-08-14 CVE-2019-1205 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory.

7.8
2019-08-14 CVE-2019-1201 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory.

7.8
2019-08-14 CVE-2019-1200 Microsoft Unspecified vulnerability in Microsoft Office, Office 365 Proplus and Outlook

A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory.

7.8
2019-08-14 CVE-2019-1199 Microsoft Out-of-bounds Write vulnerability in Microsoft Office and Office 365 Proplus

A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory.

7.8
2019-08-14 CVE-2019-1185 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

An elevation of privilege vulnerability exists due to a stack corruption in Windows Subsystem for Linux.

7.8
2019-08-14 CVE-2019-8062 Adobe Uncontrolled Search Path Element vulnerability in Adobe After Effects

Adobe After Effects versions 16 and earlier have an insecure library loading (dll hijacking) vulnerability.

7.8
2019-08-14 CVE-2019-7961 Adobe Uncontrolled Search Path Element vulnerability in Adobe Prelude CC 8.1

Adobe Prelude CC versions 8.1 and earlier have an insecure library loading (dll hijacking) vulnerability.

7.8
2019-08-14 CVE-2019-7931 Adobe Uncontrolled Search Path Element vulnerability in Adobe Premiere PRO CC 13.1.2

Adobe Premiere Pro CC versions 13.1.2 and earlier have an insecure library loading (dll hijacking) vulnerability.

7.8
2019-08-14 CVE-2019-7870 Adobe Uncontrolled Search Path Element vulnerability in Adobe Character Animator 2.1

Adobe Character Animator versions 2.1 and earlier have an insecure library loading (dll hijacking) vulnerability.

7.8
2019-08-13 CVE-2019-5299 Huawei Improper Verification of Cryptographic Signature vulnerability in Huawei Hima-Al00B Firmware 9.0.0.200(C00E200R2P1)

Huawei mobile phones Hima-AL00Bhave with Versions earlier than HMA-AL00C00B175 have a signature verification bypass vulnerability.

7.8
2019-08-13 CVE-2019-5223 Huawei Improper Authentication vulnerability in Huawei Pcmanager 9.1.3.1

PCManager 9.1.3.1 has an improper authentication vulnerability.

7.8
2019-08-13 CVE-2019-12808 Estsoft Incorrect Permission Assignment for Critical Resource vulnerability in Estsoft Altools 18.1

ALTOOLS update service 18.1 and earlier versions contains a local privilege escalation vulnerability due to insecure permission.

7.8
2019-08-13 CVE-2019-12807 Estsoft Out-of-bounds Write vulnerability in Estsoft Alzip

Alzip 10.83 and earlier version contains a stack-based buffer overflow vulnerability, caused by improper bounds checking during the parsing of crafted ISO archive file format.

7.8
2019-08-13 CVE-2019-5681 Nvidia Unspecified vulnerability in Nvidia Shield Experience

NVIDIA Shield TV Experience prior to v8.0, contains a vulnerability in the custom NVIDIA API used in the mount system service where user data could be overridden, which may lead to code execution, denial of service, or information disclosure.

7.8
2019-08-13 CVE-2017-18509 Linux
Debian
Canonical
Improper Input Validation vulnerability in multiple products

An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11.

7.8
2019-08-12 CVE-2019-14969 Netwrix Incorrect Permission Assignment for Critical Resource vulnerability in Netwrix Auditor 9.7

Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders.

7.8
2019-08-12 CVE-2019-14935 3CX Incorrect Permission Assignment for Critical Resource vulnerability in 3CX 15

3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.

7.8
2019-08-18 CVE-2019-15137 Eprosima Unspecified vulnerability in Eprosima Fast-Rtps

The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows fnmatch pattern matches with topic name strings (instead of the permission expressions themselves), which can lead to unintended connections between participants in a Data Distribution Service (DDS) network.

7.5
2019-08-18 CVE-2019-15136 Eprosima Missing Authorization vulnerability in Eprosima Fast-Rtps

The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition.

7.5
2019-08-18 CVE-2019-15135 OMG Cleartext Transmission of Sensitive Information vulnerability in OMG DDS Security 1.1

The handshake protocol in Object Management Group (OMG) DDS Security 1.1 sends cleartext information about all of the capabilities of a participant (including capabilities inapplicable to the current session), which makes it easier for attackers to discover potentially sensitive reachability information on a Data Distribution Service (DDS) network.

7.5
2019-08-17 CVE-2019-15134 Riot OS Memory Leak vulnerability in Riot-Os Riot

RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working.

7.5
2019-08-17 CVE-2019-14937 Vanderbilt SQL Injection vulnerability in Vanderbilt Redcap

REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php.

7.5
2019-08-16 CVE-2017-18545 Invite Anyone Project Improper Input Validation vulnerability in Invite Anyone Project Invite Anyone

The invite-anyone plugin before 1.3.16 for WordPress has incorrect escaping of untrusted Dashboard and front-end input.

7.5
2019-08-16 CVE-2019-8063 Adobe Unspecified vulnerability in Adobe Creative Cloud

Creative Cloud Desktop Application 4.6.1 and earlier versions have an insecure transmission of sensitive data vulnerability.

7.5
2019-08-16 CVE-2019-7957 Adobe Unspecified vulnerability in Adobe Creative Cloud

Creative Cloud Desktop Application versions 4.6.1 and earlier have a security bypass vulnerability.

7.5
2019-08-16 CVE-2019-15099 Linux
Canonical
NULL Pointer Dereference vulnerability in multiple products

drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.

7.5
2019-08-15 CVE-2019-10081 Apache
Debian
Out-of-bounds Write vulnerability in multiple products

HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes.

7.5
2019-08-15 CVE-2019-9012 Codesys Allocation of Resources Without Limits or Throttling vulnerability in Codesys products

An issue was discovered in 3S-Smart CODESYS V3 products.

7.5
2019-08-15 CVE-2018-14669 Yandex Information Exposure vulnerability in Yandex Clickhouse

ClickHouse MySQL client before versions 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server.

7.5
2019-08-15 CVE-2019-12854 Squid Cache
Debian
Fedoraproject
Canonical
Opensuse
Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory.
7.5
2019-08-14 CVE-2019-9582 EQ 3 Unspecified vulnerability in Eq-3 Homematic Ccu2 Firmware

eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service.

7.5
2019-08-14 CVE-2019-15046 Zohocorp Improper Authentication vulnerability in Zohocorp Manageengine Servicedesk Plus

Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.

7.5
2019-08-14 CVE-2014-10375 GNU Numeric Errors vulnerability in GNU Exosip 3.5.0/4.0.0/4.1.0

handle_messages in eXtl_tls.c in eXosip before 5.0.0 mishandles a negative value in a content-length header.

7.5
2019-08-13 CVE-2019-9518 Apple
Apache
Canonical
Debian
Synology
Fedoraproject
Opensuse
Redhat
Oracle
Mcafee
Nodejs
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service.

7.5
2019-08-13 CVE-2019-9517 Apple
Apache
Canonical
Debian
Synology
Fedoraproject
Opensuse
Redhat
Oracle
Mcafee
Netapp
Nodejs
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service.

7.5
2019-08-13 CVE-2019-9515 Apple
Apache
Canonical
Debian
Synology
Fedoraproject
Opensuse
Redhat
Oracle
Mcafee
F5
Nodejs
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service.

7.5
2019-08-13 CVE-2019-9514 Apple
Apache
Debian
Canonical
Synology
Fedoraproject
Opensuse
Redhat
Oracle
Mcafee
Netapp
F5
Nodejs
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.

7.5
2019-08-13 CVE-2019-9513 Apple
Apache
Canonical
Debian
Fedoraproject
Synology
Opensuse
Redhat
Oracle
Mcafee
F5
Nodejs
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service.
7.5
2019-08-13 CVE-2019-9512 Apple
Apache
Debian
Nodejs
Resource Exhaustion vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service.

7.5
2019-08-13 CVE-2019-9511 Apple
Apache
Canonical
Debian
Synology
Fedoraproject
Opensuse
Redhat
Oracle
Mcafee
F5
Nodejs
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service.

7.5
2019-08-13 CVE-2019-10943 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SIMATIC Drive Controller family (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl.

7.5
2019-08-13 CVE-2019-14993 Istio Incorrect Regular Expression vulnerability in Istio

Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.

7.5
2019-08-13 CVE-2019-13419 Search Guard Information Exposure vulnerability in Search-Guard Search Guard

Search Guard versions before 23.1 had an issue that for aggregations clear text values of anonymised fields were leaked.

7.5
2019-08-12 CVE-2019-13418 Search Guard Improper Validation of Array Index vulnerability in Search-Guard Search Guard

Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized.

7.5
2019-08-12 CVE-2019-14951 Telenav Improper Restriction of Excessive Authentication Attempts vulnerability in Telenav Scout GPS Link

The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Lexus vehicles, has an incorrect protection mechanism against brute-force attacks on the authentication process, which makes it easier for attackers to obtain multimedia-screen access via port 7050 on the cellular network, as demonstrated by a DrivingRestriction method call to uma/jsonrpc/mobile.

7.5
2019-08-12 CVE-2019-14932 Humanica Authorization Bypass Through User-Controlled Key vulnerability in Humanica Humatrix 7 1.0.0.203/1.0.0.681

The Recruitment module in Humanica Humatrix 7 1.0.0.681 and 1.0.0.203 allows remote attackers to access all candidates' information on the website via a modified selApp variable to personalData/resumeDetail.cfm.

7.5
2019-08-13 CVE-2019-14516 Uidai Improper Certificate Validation vulnerability in Uidai Maadhaar 1.2.7

The mAadhaar application 1.2.7 for Android lacks SSL Certificate Validation, leading to man-in-the-middle attacks against requests for FAQs or Help.

7.4
2019-08-14 CVE-2019-1211 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2017 and Visual Studio 2019

An elevation of privilege vulnerability exists in Git for Visual Studio when it improperly parses configuration files.

7.3
2019-08-14 CVE-2019-0349 SAP Missing Authorization vulnerability in SAP Advanced Business Application Programming Platform Kernel

SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77, allows a user to execute “Go to statement” without possessing the authorization S_DEVELOP DEBUG 02, resulting in Missing Authorization Check

7.2
2019-08-15 CVE-2019-13222 STB Vorbis Project
Debian
Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read of a global buffer in the draw_line function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file.

7.1
2019-08-15 CVE-2019-13220 STB Vorbis Project
Debian
Use of Uninitialized Resource vulnerability in multiple products

Use of uninitialized stack variables in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file.

7.1
2019-08-14 CVE-2019-1161 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the MpSigStub.exe for Defender allows file deletion in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system.

7.1
2019-08-14 CVE-2019-3639 Mcafee Improper Restriction of Rendered UI Layers or Frames vulnerability in Mcafee web Gateway

Clickjack vulnerability in Adminstrator web console in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows remote attackers to conduct clickjacking attacks via a crafted web page that contains an iframe via does not send an X-Frame-Options HTTP header.

7.1
2019-08-14 CVE-2019-14975 Artifex Out-of-bounds Read vulnerability in Artifex Mupdf

Artifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_chartorune in fitz/string.c because pdf/pdf-op-filter.c does not check for a missing string.

7.1

146 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-14 CVE-2019-15053 Atlassian Cross-site Scripting vulnerability in Atlassian Html Include and Replace Macro 1.4.0/1.4.1/1.4.2

The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element.

6.8
2019-08-16 CVE-2019-15090 Linux
Canonical
Opensuse
Out-of-bounds Read vulnerability in multiple products

An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12.

6.7
2019-08-14 CVE-2019-3637 Mcafee Unspecified vulnerability in Mcafee File and Removable Media Protection

Privilege Escalation vulnerability in McAfee FRP 5.x prior to 5.1.0.209 allows local users to gain elevated privileges via running McAfee Tray with elevated privileges.

6.7
2019-08-13 CVE-2019-10928 Siemens Unspecified vulnerability in Siemens Scalance Sc-600 Firmware 2.0

A vulnerability has been identified in SCALANCE SC-600 (V2.0).

6.6
2019-08-18 CVE-2019-15148 Gopro Out-of-bounds Write vulnerability in Gopro Gpmf-Parser 1.2.2

GoPro GPMF-parser 1.2.2 has an out-of-bounds write in OpenMP4Source in demo/GPMF_mp4reader.c.

6.5
2019-08-18 CVE-2019-15147 Gopro Out-of-bounds Read vulnerability in Gopro Gpmf-Parser 1.2.2

GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Next in GPMF_parser.c.

6.5
2019-08-18 CVE-2019-15146 Gopro Out-of-bounds Read vulnerability in Gopro Gpmf-Parser 1.2.2

GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in GPMF_Next in GPMF_parser.c.

6.5
2019-08-18 CVE-2019-15141 Imagemagick
Opensuse
Out-of-bounds Read vulnerability in multiple products

WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF.

6.5
2019-08-18 CVE-2019-15139 Imagemagick Out-of-bounds Read vulnerability in Imagemagick 7.0.841

The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472.

6.5
2019-08-17 CVE-2019-15133 Giflib Project
Canonical
Debian
Divide By Zero vulnerability in multiple products

In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.

6.5
2019-08-15 CVE-2019-13515 Osisoft Information Exposure Through Log Files vulnerability in Osisoft PI web API

OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information.

6.5
2019-08-15 CVE-2018-14008 Arista Improper Authentication vulnerability in Arista EOS

Arista EOS through 4.21.0F allows a crash because 802.1x authentication is mishandled.

6.5
2019-08-15 CVE-2018-12357 Arista Incorrect Permission Assignment for Critical Resource vulnerability in Arista Cloudvision Portal

Arista CloudVision Portal through 2018.1.1 has Incorrect Permissions.

6.5
2019-08-15 CVE-2019-14786 Rankmath Missing Authorization vulnerability in Rankmath SEO

The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users to reset the settings via the wp-admin/admin-post.php reset-cmb parameter.

6.5
2019-08-14 CVE-2019-3635 Mcafee Unspecified vulnerability in Mcafee web Gateway

Exfiltration of Data in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows attackers to obtain sensitive data via crafting a complex webpage that will trigger the Web Gateway to block the user accessing an iframe.

6.5
2019-08-14 CVE-2016-10883 Mijnpress Cross-Site Request Forgery (CSRF) vulnerability in Mijnpress Simple ADD Pages or Posts

The simple-add-pages-or-posts plugin before 1.7 for WordPress has CSRF for deleting users.

6.5
2019-08-14 CVE-2019-0348 SAP Cleartext Transmission of Sensitive Information vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2

SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.1, 4.2, can access database with unencrypted connection, even if the quality of protection should be encrypted.

6.5
2019-08-14 CVE-2019-0346 SAP Cleartext Transmission of Sensitive Information vulnerability in SAP Businessobjects Business Intelligence 4.2

Unencrypted communication error in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to disclosure of list of user names and roles imported from SAP NetWeaver BI systems, resulting in Information Disclosure.

6.5
2019-08-14 CVE-2019-0333 SAP Unspecified vulnerability in SAP Businessobjects Business Intelligence 4.2

In some situations, when a client cancels a query in SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.2, 4.3, the attacker can then query and receive the whole data set instead of just what is part of their authorized security profile, resulting in Information Disclosure.

6.5
2019-08-14 CVE-2019-14973 Libtiff
Debian
Fedoraproject
Opensuse
Integer Overflow or Wraparound vulnerability in multiple products

_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards.

6.5
2019-08-13 CVE-2019-9516 Apple
Apache
Canonical
Debian
Fedoraproject
Synology
Opensuse
Redhat
Oracle
Mcafee
F5
Nodejs
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.

6.5
2019-08-13 CVE-2019-5280 Huawei Improper Certificate Validation vulnerability in Huawei Cloudlink Phone 7900 Firmware V600R019C10

The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability.

6.5
2019-08-13 CVE-2019-13416 Search Guard Unspecified vulnerability in Search-Guard Search Guard

Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s).

6.5
2019-08-13 CVE-2019-13415 Search Guard Unspecified vulnerability in Search-Guard Search Guard

Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users can gain read access to data they are not authorized to see.

6.5
2019-08-13 CVE-2019-10927 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SCALANCE SC-600 (V2.0), SCALANCE XB-200 (V4.1), SCALANCE XC-200 (V4.1), SCALANCE XF-200BA (V4.1), SCALANCE XP-200 (V4.1), SCALANCE XR-300WG (V4.1).

6.5
2019-08-12 CVE-2019-14982 Exiv2 Integer Overflow or Wraparound vulnerability in Exiv2

In Exiv2 before v0.27.2, there is an integer overflow vulnerability in the WebPImage::getHeaderOffset function in webpimage.cpp.

6.5
2019-08-12 CVE-2019-14981 Imagemagick
Debian
Canonical
Opensuse
Divide By Zero vulnerability in multiple products

In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function.

6.5
2019-08-12 CVE-2019-14980 Imagemagick
Opensuse
Use After Free vulnerability in multiple products

In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.

6.5
2019-08-12 CVE-2019-14940 Spdk Unspecified vulnerability in Spdk Storage Performance Development KIT

In Storage Performance Development Kit (SPDK) before 19.07, a user of a vhost can cause a crash if the target is sent invalid input.

6.5
2019-08-16 CVE-2019-15116 Sandhillsdev Cross-site Scripting vulnerability in Sandhillsdev Easy Digital Downloads

The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging.

6.1
2019-08-16 CVE-2017-18542 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Zendesk Help Center

The zendesk-help-center plugin before 1.0.5 for WordPress has multiple XSS issues.

6.1
2019-08-16 CVE-2017-18541 Xakuro Cross-site Scripting vulnerability in Xakuro XO Security

The xo-security plugin before 1.5.3 for WordPress has XSS.

6.1
2019-08-16 CVE-2019-15095 Diaowen Cross-site Scripting vulnerability in Diaowen Dwsurvey 1.0/20190722/3.2.0

DWSurvey through 2019-07-22 has reflected XSS via the design/qu-multi-fillblank!answers.action surveyId parameter.

6.1
2019-08-15 CVE-2019-14789 Kunalnagar Cross-site Scripting vulnerability in Kunalnagar Custom 404 PRO 3.2.8

The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin/admin.php?page=c4p-main page parameter.

6.1
2019-08-15 CVE-2019-14784 Codepeople Cross-site Scripting vulnerability in Codepeople CP Contact Form With Paypal

The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition.

6.1
2019-08-15 CVE-2019-14790 Limbcode Cross-site Scripting vulnerability in Limbcode Limb-Gallery 1.4.0

The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS via the wp-admin/admin-ajax.php?action=grsGalleryAjax&grsAction=shortcode task parameter,

6.1
2019-08-14 CVE-2019-14427 Webstudio Cross-site Scripting vulnerability in Webstudio Ultimate Loan Manager 2.0

XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code.

6.1
2019-08-14 CVE-2018-19386 Solarwinds Cross-site Scripting vulnerability in Solarwinds Database Performance Analyzer 11.1.457

SolarWinds Database Performance Analyzer 11.1.457 contains an instance of Reflected XSS in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI.

6.1
2019-08-14 CVE-2019-14974 Sugarcrm Cross-site Scripting vulnerability in Sugarcrm 9.0.0

SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS.

6.1
2019-08-14 CVE-2016-10881 Google DOC Embedder Project Cross-site Scripting vulnerability in Google DOC Embedder Project Google DOC Embedder

The google-document-embedder plugin before 2.6.2 for WordPress has XSS.

6.1
2019-08-14 CVE-2016-10880 Google DOC Embedder Project Cross-site Scripting vulnerability in Google DOC Embedder Project Google DOC Embedder

The google-document-embedder plugin before 2.6.1 for WordPress has XSS.

6.1
2019-08-14 CVE-2015-9314 Newstatpress Project Cross-site Scripting vulnerability in Newstatpress Project Newstatpress

The newstatpress plugin before 1.0.4 for WordPress has XSS related to the Referer header.

6.1
2019-08-14 CVE-2015-9312 Newstatpress Project Cross-site Scripting vulnerability in Newstatpress Project Newstatpress

The newstatpress plugin before 1.0.5 for WordPress has XSS related to an IMG element.

6.1
2019-08-14 CVE-2015-9311 Newstatpress Project Cross-site Scripting vulnerability in Newstatpress Project Newstatpress

The newstatpress plugin before 1.0.6 for WordPress has reflected XSS.

6.1
2019-08-14 CVE-2019-0337 SAP Cross-site Scripting vulnerability in SAP Netweaver Process Integration

Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs and allows an attacker to execute malicious scripts in the url thereby resulting in Reflected Cross-Site Scripting (XSS) vulnerability

6.1
2019-08-14 CVE-2019-0335 SAP Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3

Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the description field of a user account.

6.1
2019-08-14 CVE-2019-0332 SAP Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3

SAP BusinessObjects Business Intelligence Platform (Info View), versions 4.1, 4.2, 4.3, allows an attacker to give some payload for keyword in the search and it will be executed while search performs its action, resulting in Cross-Site Scripting (XSS) vulnerability.

6.1
2019-08-13 CVE-2017-18488 Backup Guard Cross-site Scripting vulnerability in Backup-Guard Backup Guard

The Backup Guard plugin before 1.1.47 for WordPress has multiple XSS issues.

6.1
2019-08-13 CVE-2017-18487 Google Adsense Project Cross-site Scripting vulnerability in Google Adsense Project Google Adsense

The adsense-plugin (aka Google AdSense) plugin before 1.44 for WordPress has multiple XSS issues.

6.1
2019-08-13 CVE-2016-10867 Tipsandtricks HQ Cross-site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages.

6.1
2019-08-13 CVE-2016-10866 Tipsandtricks HQ Cross-site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPress has multiple XSS issues.

6.1
2019-08-13 CVE-2018-20963 Codepeople Cross-site Scripting vulnerability in Codepeople Contact Form Email

The contact-form-to-email plugin before 1.2.66 for WordPress has XSS.

6.1
2019-08-13 CVE-2017-18507 3CX Cross-site Scripting vulnerability in 3CX Live Chat

The wp-live-chat-support plugin before 7.1.05 for WordPress has XSS.

6.1
2019-08-13 CVE-2017-18498 Presstigers Cross-site Scripting vulnerability in Presstigers Simple JOB Board

The simple-job-board plugin before 2.4.4 for WordPress has reflected XSS via keyword search.

6.1
2019-08-13 CVE-2017-18497 W3Eden Cross-site Scripting vulnerability in W3Eden Live Forms

The liveforms plugin before 3.4.0 for WordPress has XSS.

6.1
2019-08-13 CVE-2017-18496 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Htaccess

The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues.

6.1
2019-08-13 CVE-2017-18495 Mediaburst Cross-site Scripting vulnerability in Mediaburst Gravity Forms

The gravity-forms-sms-notifications plugin before 2.4.0 for WordPress has XSS.

6.1
2019-08-13 CVE-2017-18494 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Custom Search

The custom-search-plugin plugin before 1.36 for WordPress has multiple XSS issues.

6.1
2019-08-13 CVE-2017-18493 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Custom Admin Page 0.1/0.1.1

The custom-admin-page plugin before 0.1.2 for WordPress has multiple XSS issues.

6.1
2019-08-13 CVE-2017-18492 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Contact Form to DB

The contact-form-to-db plugin before 1.5.7 for WordPress has multiple XSS issues.

6.1
2019-08-13 CVE-2017-18491 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Contact Form

The contact-form-plugin plugin before 4.0.6 for WordPress has multiple XSS issues.

6.1
2019-08-13 CVE-2017-18490 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Contact Form Multi

The contact-form-multi plugin before 1.2.1 for WordPress has multiple XSS issues.

6.1
2019-08-13 CVE-2017-18489 Mediaburst Cross-site Scripting vulnerability in Mediaburst Contact Form 7 - Clockwork SMS

The contact-form-7-sms-addon plugin before 2.4.0 for WordPress has XSS.

6.1
2019-08-13 CVE-2016-10871 Ibericode Cross-site Scripting vulnerability in Ibericode Mailchimp

The mailchimp-for-wp plugin before 4.0.11 for WordPress has XSS on the integration settings page.

6.1
2019-08-13 CVE-2016-10870 Gtranslate Cross-site Scripting vulnerability in Gtranslate Google Language Translator

The google-language-translator plugin before 5.0.06 for WordPress has XSS.

6.1
2019-08-13 CVE-2016-10869 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Contact Form

The contact-form-plugin plugin before 4.0.2 for WordPress has XSS.

6.1
2019-08-13 CVE-2016-10868 Tipsandtricks HQ Cross-site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 4.0.5 for WordPress has XSS in the blacklist, file system, and file change detection settings pages.

6.1
2019-08-13 CVE-2015-9302 Simple Fields Project Cross-site Scripting vulnerability in Simple Fields Project Simple Fields

The simple-fields plugin before 1.4.11 for WordPress has XSS.

6.1
2019-08-13 CVE-2015-9300 Pixelite Cross-site Scripting vulnerability in Pixelite Events Manager

The events-manager plugin before 5.5.7 for WordPress has multiple XSS issues.

6.1
2019-08-13 CVE-2015-9299 Pixelite Cross-site Scripting vulnerability in Pixelite Events Manager

The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS.

6.1
2019-08-13 CVE-2015-9297 Pixelite Cross-site Scripting vulnerability in Pixelite Events Manager

The events-manager plugin before 5.6 for WordPress has XSS.

6.1
2019-08-13 CVE-2015-9296 Never5 Cross-site Scripting vulnerability in Never5 Download Monitor

The download-monitor plugin before 1.7.1 for WordPress has XSS related to add_query_arg.

6.1
2019-08-13 CVE-2015-9295 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Contact Form

The contact-form-plugin plugin before 3.96 for WordPress has XSS.

6.1
2019-08-13 CVE-2015-9294 Tipsandtricks HQ Cross-site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances.

6.1
2019-08-13 CVE-2015-9293 Tipsandtricks HQ Cross-site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature.

6.1
2019-08-13 CVE-2013-7475 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Contact Form

The contact-form-plugin plugin before 3.52 for WordPress has XSS.

6.1
2019-08-13 CVE-2012-6713 WP Jobmanager Cross-site Scripting vulnerability in Wp-Jobmanager JOB Manager

The job-manager plugin before 0.7.19 for WordPress has multiple XSS issues.

6.1
2019-08-12 CVE-2019-14976 Icmsdev Cross-site Scripting vulnerability in Icmsdev Icms 7.0.15

iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter.

6.1
2019-08-12 CVE-2019-14967 Frappe Cross-site Scripting vulnerability in Frappe

An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12.

6.1
2019-08-12 CVE-2018-20966 Booster Cross-site Scripting vulnerability in Booster for Woocommerce

The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature.

6.1
2019-08-12 CVE-2018-20965 Ultimatemember Cross-site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 2.0.4 for WordPress has XSS.

6.1
2019-08-12 CVE-2017-18505 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Twitter Button

The twitter-plugin plugin before 2.55 for WordPress has XSS.

6.1
2019-08-12 CVE-2017-18503 Wpdeveloper Cross-site Scripting vulnerability in Wpdeveloper Twitter Cards Meta

The twitter-cards-meta plugin before 2.5.0 for WordPress has XSS.

6.1
2019-08-12 CVE-2017-18502 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Subscriber

The subscriber plugin before 1.3.5 for WordPress has multiple XSS issues.

6.1
2019-08-12 CVE-2017-18501 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Social Login 0.1

The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues.

6.1
2019-08-12 CVE-2017-18500 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Social Buttons Pack

The social-buttons-pack plugin before 1.1.1 for WordPress has multiple XSS issues.

6.1
2019-08-12 CVE-2017-18499 Simple Membership Plugin Cross-site Scripting vulnerability in Simple-Membership-Plugin Simple Membership

The simple-membership plugin before 3.5.7 for WordPress has XSS.

6.1
2019-08-12 CVE-2016-10872 Ultimatemember Cross-site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form.

6.1
2019-08-12 CVE-2015-9304 Ultimatemember Cross-site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

6.1
2019-08-12 CVE-2015-9303 Simplesharebuttons Cross-site Scripting vulnerability in Simplesharebuttons Simple Share Buttons Adder

The simple-share-buttons-adder plugin before 6.0.0 for WordPress has XSS.

6.1
2019-08-12 CVE-2019-14950 3CX Cross-site Scripting vulnerability in 3CX Live Chat

The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page.

6.1
2019-08-12 CVE-2019-14949 Wpseeds Cross-site Scripting vulnerability in Wpseeds WP Database Backup

The wp-database-backup plugin before 5.1.2 for WordPress has XSS.

6.1
2019-08-12 CVE-2017-18508 3CX Cross-site Scripting vulnerability in 3CX Live Chat

The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS.

6.1
2019-08-12 CVE-2017-18506 Wpovernight Cross-site Scripting vulnerability in Wpovernight Woocommerce PDF Invoices& Packing Slips

The woocommerce-pdf-invoices-packing-slips plugin before 2.0.13 for WordPress has XSS via the tab or section variable on settings screens.

6.1
2019-08-12 CVE-2016-10879 3CX Cross-site Scripting vulnerability in 3CX Live Chat

The wp-live-chat-support plugin before 6.2.02 for WordPress has XSS.

6.1
2019-08-12 CVE-2016-10878 Flippercode Cross-site Scripting vulnerability in Flippercode WP Google MAP

The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS.

6.1
2019-08-12 CVE-2016-10877 WP Editor Project Cross-site Scripting vulnerability in WP Editor Project WP Editor

The wp-editor plugin before 1.2.6.3 for WordPress has multiple XSS issues.

6.1
2019-08-12 CVE-2016-10875 Wpseeds Cross-site Scripting vulnerability in Wpseeds WP Database Backup

The wp-database-backup plugin before 4.3.1 for WordPress has XSS.

6.1
2019-08-12 CVE-2016-10873 Wpseeds Cross-site Scripting vulnerability in Wpseeds WP Database Backup

The wp-database-backup plugin before 4.3.3 for WordPress has XSS.

6.1
2019-08-12 CVE-2015-9306 Smackcoders Cross-site Scripting vulnerability in Smackcoders Import ALL Pages, Post Types, Products, Orders, and Users AS XML & CSV

The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS.

6.1
2019-08-12 CVE-2015-9305 Flippercode Cross-site Scripting vulnerability in Flippercode WP Google MAP

The wp-google-map-plugin plugin before 2.3.7 for WordPress has XSS related to the add_query_arg() and remove_query_arg() functions.

6.1
2019-08-15 CVE-2019-13377 W1 FI
Fedoraproject
Canonical
Debian
Information Exposure Through Discrepancy vulnerability in multiple products

The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used.

5.9
2019-08-13 CVE-2019-10929 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SIMATIC CP 1626 (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl.

5.9
2019-08-13 CVE-2019-13420 Search Guard Information Exposure Through Discrepancy vulnerability in Search-Guard Search Guard

Search Guard versions before 21.0 had an timing side channel issue when using the internal user database.

5.9
2019-08-18 CVE-2019-15145 Djvulibre Project
Debian
Fedoraproject
Canonical
Opensuse
Out-of-bounds Read vulnerability in multiple products

DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.

5.5
2019-08-18 CVE-2019-15144 Djvulibre Project
Debian
Fedoraproject
Canonical
Opensuse
Uncontrolled Recursion vulnerability in multiple products

In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h.

5.5
2019-08-18 CVE-2019-15143 Djvulibre Project
Debian
Fedoraproject
Canonical
Opensuse
Infinite Loop vulnerability in multiple products

In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp.

5.5
2019-08-18 CVE-2019-15142 Djvulibre Project
Debian
Fedoraproject
Canonical
Opensuse
Out-of-bounds Read vulnerability in multiple products

In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file.

5.5
2019-08-16 CVE-2019-15119 NPS Project Incorrect Permission Assignment for Critical Resource vulnerability in NPS Project NPS

lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user.

5.5
2019-08-16 CVE-2019-15118 Linux
Canonical
Debian
Opensuse
Netapp
Uncontrolled Recursion vulnerability in multiple products

check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.

5.5
2019-08-15 CVE-2019-13223 STB Vorbis Project
Debian
Reachable Assertion vulnerability in multiple products

A reachable assertion in the lookup1_values function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.

5.5
2019-08-15 CVE-2019-13219 STB Vorbis Project
Debian
NULL Pointer Dereference vulnerability in multiple products

A NULL pointer dereference in the get_window function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.

5.5
2019-08-15 CVE-2019-13218 STB Vorbis Project
Debian
Divide By Zero vulnerability in multiple products

Division by zero in the predict_point function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.

5.5
2019-08-15 CVE-2019-10140 Linux
Redhat
A vulnerability was found in Linux kernel's, versions up to 3.10, implementation of overlayfs.
5.5
2019-08-15 CVE-2017-14232 Flif
Jasper Project
Resource Management Errors vulnerability in multiple products

The read_chunk function in flif-dec.cpp in Free Lossless Image Format (FLIF) 0.3 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted flif file.

5.5
2019-08-12 CVE-2019-14939 Mysql Project Unspecified vulnerability in Mysql Project Mysql 2.17.1

An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js.

5.5
2019-08-16 CVE-2019-15120 Kunena Cross-site Scripting vulnerability in Kunena

The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode.

5.4
2019-08-15 CVE-2018-17790 Prospecta Cross-site Scripting vulnerability in Prospecta Master Data Online 2.0

Prospecta Master Data Online (MDO) 2.0 has Stored XSS.

5.4
2019-08-15 CVE-2018-12101 Clippercms Cross-site Scripting vulnerability in Clippercms 1.3.3

CMS Clipper 1.3.3 has XSS in the Security tab search, User Groups, Resource Groups, and User/Resource Group Links fields.

5.4
2019-08-15 CVE-2019-14518 Modx Cross-site Scripting vulnerability in Modx Evolution CMS 2.0.0

Evolution CMS 2.0.x allows XSS via a description and new category location in a template.

5.4
2019-08-15 CVE-2019-3418 ZTE Cross-site Scripting vulnerability in ZTE Zxhn F670 Firmware

All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by cross-site scripting vulnerability (XSS).

5.4
2019-08-14 CVE-2019-1218 Microsoft Cross-site Scripting vulnerability in Microsoft Outlook

A spoofing vulnerability exists in the way Microsoft Outlook iOS software parses specifically crafted email messages.

5.4
2019-08-14 CVE-2019-1203 Microsoft Cross-site Scripting vulnerability in Microsoft Sharepoint Enterprise Server and Sharepoint Server

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server.

5.4
2019-08-14 CVE-2019-0340 SAP XXE vulnerability in SAP Enable NOW 10

The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability.

5.4
2019-08-14 CVE-2019-0334 SAP Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3

When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store a malicious script which when executed later could potentially allow a user to escalate privileges via session hijacking.

5.4
2019-08-12 CVE-2019-14947 Ultimatemember Cross-site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.

5.4
2019-08-12 CVE-2019-14946 Ultimatemember Cross-site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.

5.4
2019-08-12 CVE-2019-14945 Ultimatemember Cross-site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 2.0.54 for WordPress has XSS.

5.4
2019-08-12 CVE-2019-14948 Najeebmedia Cross-site Scripting vulnerability in Najeebmedia Ppom for Woocommerce

The woocommerce-product-addon plugin before 18.4 for WordPress has XSS via an import of a new meta data structure.

5.4
2019-08-18 CVE-2019-15129 Humanica Missing Authentication for Critical Function vulnerability in Humanica Humatrix 7 1.0.0.203/1.0.0.681

The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates' files in the photo folder on the website by specifying a "user id" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_name] URI.

5.3
2019-08-17 CVE-2019-15132 Zabbix
Debian
Information Exposure Through Discrepancy vulnerability in multiple products

Zabbix through 4.4.0alpha1 allows User Enumeration.

5.3
2019-08-15 CVE-2018-14672 Yandex Path Traversal vulnerability in Yandex Clickhouse

In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.

5.3
2019-08-15 CVE-2019-14800 Foliovision Information Exposure vulnerability in Foliovision FV Flowplayer Video Player

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplayer&fv-email-export=1 URI.

5.3
2019-08-14 CVE-2019-0338 SAP Information Exposure vulnerability in SAP Gateway

During an OData V2/V4 request in SAP Gateway, versions 750, 751, 752, 753, the HTTP Header attributes cache-control and pragma were not properly set, allowing an attacker to access restricted information, resulting in Information Disclosure.

5.3
2019-08-14 CVE-2019-0331 SAP Unspecified vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3

Under certain conditions, SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, allows an attacker to access sensitive data such as directory structure, leading to Information Disclosure.

5.3
2019-08-14 CVE-2019-15028 Joomla Unspecified vulnerability in Joomla Joomla!

In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms.

5.3
2019-08-13 CVE-2019-8448 Atlassian Unspecified vulnerability in Atlassian Jira Server

The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

5.3
2019-08-12 CVE-2019-13417 Search Guard Information Exposure vulnerability in Search-Guard Search Guard

Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated.

5.3
2019-08-16 CVE-2019-15108 Wso2 Cross-site Scripting vulnerability in Wso2 API Manager

An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457.

4.8
2019-08-15 CVE-2019-15081 Opencart Cross-site Scripting vulnerability in Opencart

OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.

4.8
2019-08-15 CVE-2019-14795 Toggle THE Title Project Cross-site Scripting vulnerability in Toggle-The-Title Project Toggle-The-Title 1.4

The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress has XSS via the wp-admin/admin-ajax.php?action=update_title_options isAutoSaveValveChecked or isDisableAllPagesValveChecked parameter.

4.8
2019-08-13 CVE-2019-14987 Schben Cross-site Scripting vulnerability in Schben Framework 2.0.7

Adive Framework through 2.0.7 is affected by XSS in the Create New Table and Create New Navigation Link functions.

4.8
2019-08-16 CVE-2016-10894 Xtrlock Project
Debian
7PK - Security Features vulnerability in multiple products

xtrlock through 2.10 does not block multitouch events.

4.6
2019-08-16 CVE-2019-15098 Linux
Canonical
Opensuse
Netapp
Debian
NULL Pointer Dereference vulnerability in multiple products

drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.

4.6
2019-08-14 CVE-2019-1202 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists in the way Microsoft SharePoint handles session objects.

4.4
2019-08-14 CVE-2019-1204 Microsoft Improper Input Validation vulnerability in Microsoft Office, Office 365 Proplus and Outlook

An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages.

4.3

3 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-15 CVE-2019-13512 Fujielectric Out-of-bounds Read vulnerability in Fujielectric Frenic Loader 3.5.0.0

Fuji Electric FRENIC Loader 3.5.0.0 and prior is vulnerable to an out-of-bounds read vulnerability, which may allow an attacker to read limited information from the device.

3.3
2019-08-15 CVE-2019-13511 Rockwellautomation Use After Free vulnerability in Rockwellautomation Arena

Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain an INFORMATION EXPOSURE CWE-200.

3.3
2019-08-12 CVE-2019-14359 Real SEC Information Exposure Through Discrepancy vulnerability in Real-Sec BC Vault Firmware

On BC Vault devices, a side channel for the row-based SSD1309 OLED display was found.

2.4