Weekly Vulnerabilities Reports > August 12 to 18, 2019

Overview

413 new vulnerabilities reported during this period, including 40 critical vulnerabilities and 85 high severity vulnerabilities. This weekly summary report vulnerabilities in 351 products from 173 vendors including Microsoft, Debian, Canonical, SAP, and Bestwebsoft. Vulnerabilities are notably categorized as "Cross-site Scripting", "Cross-Site Request Forgery (CSRF)", "Information Exposure", "SQL Injection", and "Out-of-bounds Write".

  • 356 reported vulnerabilities are remotely exploitables.
  • 9 reported vulnerabilities have public exploit available.
  • 155 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 357 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 96 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 24 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

40 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-18 CVE-2019-15130 Humanica Unrestricted Upload of File With Dangerous Type vulnerability in Humanica Humatrix 7 1.0.0.203/1.0.0.681

The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to upload any file type to a candidate's profile picture folder via a crafted recruitment_online/personalData/act_personaltab.cfm multiple-part POST request with a predictable WRC01_USERID parameter.

10.0
2019-08-16 CVE-2019-7964 Adobe Unspecified vulnerability in Adobe Experience Manager 6.4/6.5

Adobe Experience Manager versions 6.5, and 6.4 have an authentication bypass vulnerability.

10.0
2019-08-16 CVE-2019-7959 Adobe
Apple
Microsoft
Improper Input Validation vulnerability in Adobe Creative Cloud

Creative Cloud Desktop Application versions 4.6.1 and earlier have a using components with known vulnerabilities vulnerability.

10.0
2019-08-16 CVE-2019-7958 Adobe
Apple
Microsoft
Incorrect Permission Assignment FOR Critical Resource vulnerability in Adobe Creative Cloud

Creative Cloud Desktop Application versions 4.6.1 and earlier have an insecure inherited permissions vulnerability.

10.0
2019-08-16 CVE-2019-15107 Webmin OS Command Injection vulnerability in Webmin

An issue was discovered in Webmin <=1.920.

10.0
2019-08-14 CVE-2019-14527 Netgear OS Command Injection vulnerability in Netgear Mr1100 Firmware

An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03.

10.0
2019-08-14 CVE-2019-1226 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

10.0
2019-08-14 CVE-2019-1222 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

10.0
2019-08-14 CVE-2019-12103 TP Link OS Command Injection vulnerability in Tp-Link M7350 Firmware 1.0.16/151021/160330

The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by a pre-authentication command injection vulnerability.

10.0
2019-08-14 CVE-2019-1182 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

10.0
2019-08-14 CVE-2019-1181 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

10.0
2019-08-14 CVE-2019-15027 Mediatek OS Command Injection vulnerability in Mediatek Mt6577 Firmware, Mt6625 Firmware and Mt8163 Firmware

The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows attackers to execute arbitrary commands as root via shell metacharacters in a filename under /data, because clear_emmc_nomedia_entry in platform/mt6577/external/meta/emmc/meta_clr_emmc.c invokes 'system("/system/bin/rm -r /data/' followed by this filename upon an eMMC clearance from a Meta Mode boot.

10.0
2019-08-12 CVE-2019-12618 Hashicorp Improper Privilege Management vulnerability in Hashicorp Nomad 0.9.0/0.9.1

HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver.

10.0
2019-08-15 CVE-2018-14062 Cospas Sarsat Cryptographic Issues vulnerability in Cospas-Sarsat System

The COSPAS-SARSAT protocol allows remote attackers to forge messages, replay encrypted messages, conduct denial of service attacks, and send private messages (unrelated to distress alerts) via a crafted 406 MHz digital signal.

9.4
2019-08-16 CVE-2018-20969 GNU OS Command Injection vulnerability in GNU Patch

do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character.

9.3
2019-08-14 CVE-2019-1205 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka 'Microsoft Word Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1201 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka 'Microsoft Word Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1200 Microsoft Unspecified vulnerability in Microsoft Office, Office 365 Proplus and Outlook

A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka 'Microsoft Outlook Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1199 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Office and Office 365 Proplus

A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory, aka 'Microsoft Outlook Memory Corruption Vulnerability'.

9.3
2019-08-14 CVE-2019-1188 Microsoft Link Following vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, aka 'LNK Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1183 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka 'Windows VBScript Engine Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1157 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1156 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1155 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1152 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1151 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1150 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1149 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1147 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1146 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1145 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1144 Microsoft Double Free vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'.

9.3
2019-08-14 CVE-2019-1057 Microsoft XXE vulnerability in Microsoft products

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'.

9.3
2019-08-13 CVE-2019-14986 EQ 3 Unspecified vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn before 2.3.0 installed allow administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as "Set root password") are exposed.

9.3
2019-08-16 CVE-2019-15105 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Applications Manager

An issue was discovered in Zoho ManageEngine Application Manager through 14.2.

9.0
2019-08-16 CVE-2019-15104 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Applications Manager

An issue was discovered in Zoho ManageEngine OpManager through 12.4x.

9.0
2019-08-15 CVE-2019-12792 Vestacp OS Command Injection vulnerability in Vestacp Control Panel 0.9.824

A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root.

9.0
2019-08-15 CVE-2019-12791 Vestacp Path Traversal vulnerability in Vestacp Control Panel 0.9.824

A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form.

9.0
2019-08-15 CVE-2019-3417 ZTE OS Command Injection vulnerability in ZTE Zxhn F670 Firmware

All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by command injection vulnerability.

9.0
2019-08-14 CVE-2019-12104 TP Link Command Injection vulnerability in Tp-Link M7350 Firmware 1.0.16/151021/160330

The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by several post-authentication command injection vulnerabilities.

9.0

85 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-15 CVE-2019-3974 Tenable
Microsoft
Unspecified vulnerability in Tenable Nessus

Nessus 8.5.2 and earlier on Windows platforms were found to contain an issue where certain system files could be overwritten arbitrarily, potentially creating a denial of service condition.

8.5
2019-08-17 CVE-2019-15134 Riot OS Memory Leak vulnerability in Riot-Os Riot

RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working.

7.8
2019-08-16 CVE-2019-15099 Linux Null Pointer Dereference vulnerability in Linux Kernel

drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.

7.8
2019-08-15 CVE-2019-9012 Codesys Allocation of Resources Without Limits OR Throttling vulnerability in Codesys products

An issue was discovered in 3S-Smart CODESYS V3 products.

7.8
2019-08-14 CVE-2019-1212 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets, aka 'Windows DHCP Server Denial of Service Vulnerability'.

7.8
2019-08-14 CVE-2019-9582 EQ 3 Unspecified vulnerability in Eq-3 Homematic Ccu2 Firmware

eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service.

7.8
2019-08-13 CVE-2019-9518 Apple
Canonical
Apache
Debian
Synology
Fedoraproject
Opensuse
Redhat
Oracle
Mcafee
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service.

7.8
2019-08-13 CVE-2019-9517 Apple
Apache
Canonical
Debian
Synology
Fedoraproject
Opensuse
Redhat
Oracle
Mcafee
Netapp
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service.

7.8
2019-08-13 CVE-2019-9515 Apple
Canonical
Apache
Debian
Synology
Fedoraproject
Opensuse
Redhat
Oracle
Mcafee
F5
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service.

7.8
2019-08-13 CVE-2019-9514 Apple
Apache
Debian
Canonical
Synology
Fedoraproject
Opensuse
Redhat
Oracle
Mcafee
Netapp
F5
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.

7.8
2019-08-13 CVE-2019-9513 Apple
Apache
Canonical
Debian
Fedoraproject
Synology
Opensuse
Redhat
Oracle
Mcafee
Nginx
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service.
7.8
2019-08-13 CVE-2019-9512 Apple
Apache
Debian
Resource Exhaustion vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service.

7.8
2019-08-13 CVE-2019-9511 Apple
Apache
Canonical
Debian
Synology
Fedoraproject
Opensuse
Redhat
Oracle
Mcafee
Nginx
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service.

7.8
2019-08-14 CVE-2019-0965 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Remote Code Execution Vulnerability'.

7.7
2019-08-14 CVE-2019-0720 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V Remote Code Execution Vulnerability'.

7.7
2019-08-14 CVE-2019-1197 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-08-14 CVE-2019-1196 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-08-14 CVE-2019-1195 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-08-14 CVE-2019-1194 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-08-14 CVE-2019-1193 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge and Internet Explorer

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka 'Microsoft Browser Memory Corruption Vulnerability'.

7.6
2019-08-14 CVE-2019-1141 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-08-14 CVE-2019-1140 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-08-14 CVE-2019-1139 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-08-14 CVE-2019-1133 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-08-14 CVE-2019-1131 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-08-18 CVE-2019-15151 Adplug Project Double Free vulnerability in Adplug Project Adplug 2.3.1

AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h.

7.5
2019-08-16 CVE-2018-20973 Codeermeneer Improper Input Validation vulnerability in Codeermeneer Companion Auto Update

The companion-auto-update plugin before 3.2.1 for WordPress has local file inclusion.

7.5
2019-08-16 CVE-2017-18543 Invite Anyone Project Improper Access Control vulnerability in Invite Anyone Project Invite Anyone

The invite-anyone plugin before 1.3.16 for WordPress has incorrect access control for email-based invitations.

7.5
2019-08-16 CVE-2015-9324 Easydigitaldownloads SQL Injection vulnerability in Easydigitaldownloads Easy Digital Downloads

The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection.

7.5
2019-08-16 CVE-2015-9323 Duckdev SQL Injection vulnerability in Duckdev 404 TO 301

The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.

7.5
2019-08-16 CVE-2014-10376 Themeist SQL Injection vulnerability in Themeist I Recommend This

The i-recommend-this plugin before 3.7.3 for WordPress has SQL injection.

7.5
2019-08-16 CVE-2019-5477 Nokogiri
Canonical
Debian
OS Command Injection vulnerability in multiple products

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method.

7.5
2019-08-16 CVE-2017-18548 Datainterlock SQL Injection vulnerability in Datainterlock Note Press 0.1.0/0.1.1

The note-press plugin before 0.1.2 for WordPress has SQL injection.

7.5
2019-08-16 CVE-2016-10904 Olimometer Project SQL Injection vulnerability in Olimometer Project Olimometer

The olimometer plugin before 2.57 for WordPress has SQL injection.

7.5
2019-08-16 CVE-2015-9326 Wpbusinessintelligence SQL Injection vulnerability in Wpbusinessintelligence WP Business Intelligence

The wp-business-intelligence-lite plugin before 1.6.3 for WordPress has SQL injection.

7.5
2019-08-16 CVE-2015-9325 Bestwebsoft SQL Injection vulnerability in Bestwebsoft Visitors Online 0.1/0.2/0.3

The visitors-online plugin before 0.4 for WordPress has SQL injection.

7.5
2019-08-16 CVE-2019-15091 Artica Unrestricted Upload of File With Dangerous Type vulnerability in Artica Integria IMS 5.0.86

filemgr.php in Artica Integria IMS 5.0.86 allows index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload arbitrary file upload.

7.5
2019-08-16 CVE-2019-15106 Zohocorp Missing Authentication FOR Critical Function vulnerability in Zohocorp Manageengine Opmanager

An issue was discovered in Zoho ManageEngine OpManager in builds before 14310.

7.5
2019-08-15 CVE-2019-9852 Debian
Fedoraproject
Libreoffice
Path Traversal vulnerability in multiple products

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc.

7.5
2019-08-15 CVE-2019-9851 Canonical
Debian
Fedoraproject
Libreoffice
Improper Input Validation vulnerability in multiple products

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from.

7.5
2019-08-15 CVE-2019-9850 Canonical
Debian
Fedoraproject
Libreoffice
Improper Input Validation vulnerability in multiple products

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from.

7.5
2019-08-15 CVE-2019-9010 Codesys Unspecified vulnerability in Codesys products

An issue was discovered in 3S-Smart CODESYS V3 products.

7.5
2019-08-15 CVE-2018-14671 Yandex Improper Input Validation vulnerability in Yandex Clickhouse

In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability.

7.5
2019-08-15 CVE-2018-14670 Yandex Improper Authorization vulnerability in Yandex Clickhouse

Incorrect configuration in deb package in ClickHouse before 1.1.54131 could lead to unauthorized use of the database.

7.5
2019-08-15 CVE-2019-11187 Gonicus
Debian
Improper Authentication vulnerability in multiple products

Incorrect Access Control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the case-insensitive substring "success" when an arbitrary password is provided.

7.5
2019-08-15 CVE-2019-13578 Impress SQL Injection vulnerability in Impress Givewp

A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress.

7.5
2019-08-14 CVE-2019-9585 EQ 3 Missing Authentication FOR Critical Function vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON API has Improper Access Control for Interface.***Metadata related operations, resulting in the ability to read, set and deletion of Metadata.

7.5
2019-08-14 CVE-2019-9584 EQ 3 Forced Browsing vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration.

7.5
2019-08-14 CVE-2019-1213 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Windows Server 2008

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.

7.5
2019-08-14 CVE-2019-1198 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege exists in SyncController.dll, aka 'Microsoft Windows Elevation of Privilege Vulnerability'.

7.5
2019-08-14 CVE-2019-0736 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client, aka 'Windows DHCP Client Remote Code Execution Vulnerability'.

7.5
2019-08-14 CVE-2019-12262 Windriver Unspecified vulnerability in Windriver Vxworks

Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and 7 has Incorrect Access Control in the RARP client component.

7.5
2019-08-14 CVE-2019-11652 Microfocus Unspecified vulnerability in Microfocus Netiq Self Service Password Reset

A potential authorization bypass issue was found in Micro Focus Self Service Password Reset (SSPR) versions prior to: 4.4.0.3, 4.3.0.6, and 4.2.0.6.

7.5
2019-08-14 CVE-2016-10888 Tipsandtricks HQ SQL Injection vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues.

7.5
2019-08-14 CVE-2016-10887 Tipsandtricks HQ SQL Injection vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues.

7.5
2019-08-14 CVE-2016-10886 WP Editor Project Permissions, Privileges, and Access Controls vulnerability in WP Editor Project WP Editor

The wp-editor plugin before 1.2.6 for WordPress has incorrect permissions.

7.5
2019-08-14 CVE-2015-9310 Tipsandtricks HQ SQL Injection vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues.

7.5
2019-08-14 CVE-2019-15025 Ninjaforms SQL Injection vulnerability in Ninjaforms

The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page.

7.5
2019-08-14 CVE-2017-18514 Simplerealtytheme SQL Injection vulnerability in Simplerealtytheme Simple Login LOG

The simple-login-log plugin before 1.1.2 for WordPress has SQL injection.

7.5
2019-08-14 CVE-2016-10889 Imagely SQL Injection vulnerability in Imagely Nextgen Gallery

The nextgen-gallery plugin before 2.1.57 for WordPress has SQL injection via a gallery name.

7.5
2019-08-14 CVE-2015-9316 Wpfastestcache SQL Injection vulnerability in Wpfastestcache WP Fastest Cache

The wp-fastest-cache plugin before 0.8.4.9 for WordPress has SQL injection in wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request via the poll_id parameter.

7.5
2019-08-14 CVE-2015-9315 Newstatpress Project SQL Injection vulnerability in Newstatpress Project Newstatpress

The newstatpress plugin before 1.0.1 for WordPress has SQL injection.

7.5
2019-08-14 CVE-2015-9313 Newstatpress Project SQL Injection vulnerability in Newstatpress Project Newstatpress

The newstatpress plugin before 1.0.5 for WordPress has SQL injection related to an IMG element.

7.5
2019-08-14 CVE-2019-0344 SAP Deserialization of Untrusted Data vulnerability in SAP Commerce Cloud

Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.

7.5
2019-08-14 CVE-2017-18515 Veronalabs SQL Injection vulnerability in Veronalabs WP Statistics

The wp-statistics plugin before 12.0.8 for WordPress has SQL injection.

7.5
2019-08-13 CVE-2019-14809 Golang
Debian
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications.
7.5
2019-08-13 CVE-2019-14985 EQ 3 Improper Authentication vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because this interface can access the CMD_EXEC virtual device type 28.

7.5
2019-08-13 CVE-2015-9301 W3Eden SQL Injection vulnerability in W3Eden Live Forms

The liveforms plugin before 3.2.0 for WordPress has SQL injection.

7.5
2019-08-13 CVE-2015-9298 WP Events Plugin Code Injection vulnerability in Wp-Events-Plugin Events Manager

The events-manager plugin before 5.6 for WordPress has code injection.

7.5
2019-08-12 CVE-2019-14968 Txjia SQL Injection vulnerability in Txjia Imcat 4.9

An issue was discovered in imcat 4.9.

7.5
2019-08-12 CVE-2019-14965 Frappe Code Injection vulnerability in Frappe

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4.

7.5
2019-08-17 CVE-2019-13069 Extenua Incorrect Permission Assignment FOR Critical Resource vulnerability in Extenua Silvershield

extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM.

7.2
2019-08-16 CVE-2019-15084 Maxx Incorrect Permission Assignment FOR Critical Resource vulnerability in Maxx Waves Maxx Audio 1.6.2.0

Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, installs with incorrect file permissions.

7.2
2019-08-14 CVE-2019-1190 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows kernel image handles objects in memory.An attacker who successfully exploited the vulnerability could execute code with elevated permissions.To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.The security update addresses the vulnerability by ensuring the Windows kernel image properly handles objects in memory., aka 'Windows Image Elevation of Privilege Vulnerability'.

7.2
2019-08-14 CVE-2019-1184 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when Windows Core Shell COM Server Registrar improperly handles COM calls, aka 'Windows Elevation of Privilege Vulnerability'.

7.2
2019-08-14 CVE-2019-1176 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory, aka 'DirectX Elevation of Privilege Vulnerability'.

7.2
2019-08-14 CVE-2019-1170 Microsoft Missing Authorization vulnerability in Microsoft products

An elevation of privilege vulnerability exists when reparse points are created by sandboxed processes allowing sandbox escape, aka 'Windows NTFS Elevation of Privilege Vulnerability'.

7.2
2019-08-14 CVE-2019-1169 Microsoft Unspecified vulnerability in Microsoft Windows 7 and Windows Server 2008

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2019-08-14 CVE-2019-1168 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.To exploit this vulnerability, an attacker would first have to log on to the system, aka 'Microsoft Windows p2pimsvc Elevation of Privilege Vulnerability'.

7.2
2019-08-14 CVE-2019-1164 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

7.2
2019-08-14 CVE-2019-1162 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system, aka 'Windows ALPC Elevation of Privilege Vulnerability'.

7.2
2019-08-14 CVE-2019-1159 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

7.2
2019-08-13 CVE-2019-12808 Estsoft Permissions, Privileges, and Access Controls vulnerability in Estsoft Altools 18.1

ALTOOLS update service 18.1 and earlier versions contains a local privilege escalation vulnerability due to insecure permission.

7.2
2019-08-13 CVE-2019-5681 Nvidia
Google
Unspecified vulnerability in Nvidia Shield Experience

NVIDIA Shield TV Experience prior to v8.0, contains a vulnerability in the custom NVIDIA API used in the mount system service where user data could be overridden, which may lead to code execution, denial of service, or information disclosure.

7.2
2019-08-13 CVE-2017-18509 Linux
Canonical
Debian
Improper Input Validation vulnerability in multiple products

An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11.

7.2

258 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-12 CVE-2019-14969 Netwrix Incorrect Permission Assignment FOR Critical Resource vulnerability in Netwrix Auditor 9.7

Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders.

6.9
2019-08-18 CVE-2019-15149 Networkgenomics 7PK - Security Features vulnerability in Networkgenomics Mitogen

** DISPUTED ** core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child.

6.8
2019-08-18 CVE-2019-15140 Imagemagick USE After Free vulnerability in Imagemagick 7.0.843

coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c.

6.8
2019-08-16 CVE-2019-15115 Peter S Login Redirect Project Cross-Site Request Forgery (CSRF) vulnerability in Peter'S Login Redirect Project Peter'S Login Redirect

The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF.

6.8
2019-08-16 CVE-2019-15114 Ncrafts Cross-Site Request Forgery (CSRF) vulnerability in Ncrafts Formcraft

The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.

6.8
2019-08-16 CVE-2019-15113 Codeermeneer Cross-Site Request Forgery (CSRF) vulnerability in Codeermeneer Companion Sitemap Generator

The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF.

6.8
2019-08-16 CVE-2018-20974 Joomsky Cross-Site Request Forgery (CSRF) vulnerability in Joomsky JS JOB Manager

The js-jobs plugin before 1.0.7 for WordPress has CSRF.

6.8
2019-08-16 CVE-2018-20972 Codeermeneer Cross-Site Request Forgery (CSRF) vulnerability in Codeermeneer Companion Auto Update

The companion-auto-update plugin before 3.2.1 for WordPress has CSRF.

6.8
2019-08-16 CVE-2018-20971 Churchadminplugin Cross-Site Request Forgery (CSRF) vulnerability in Churchadminplugin Church Admin

The church-admin plugin before 1.2550 for WordPress has CSRF affecting the upload of a bible reading plan.

6.8
2019-08-16 CVE-2017-18547 Neliosoftware Cross-Site Request Forgery (CSRF) vulnerability in Neliosoftware Nelio AB Testing

The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in experiment forms.

6.8
2019-08-16 CVE-2017-18546 Jayj Quicktag Project Cross-Site Request Forgery (CSRF) vulnerability in Jayj Quicktag Project Jayj Quicktag

The jayj-quicktag plugin before 1.3.2 for WordPress has CSRF.

6.8
2019-08-16 CVE-2017-18544 Invite Anyone Project Cross-Site Request Forgery (CSRF) vulnerability in Invite Anyone Project Invite Anyone

The invite-anyone plugin before 1.3.16 for WordPress has admin-panel CSRF.

6.8
2019-08-16 CVE-2015-9322 Erident Custom Login AND Dashboard Project Cross-Site Request Forgery (CSRF) vulnerability in Erident Custom Login and Dashboard Project Erident Custom Login and Dashboard

The erident-custom-login-and-dashboard plugin before 3.5 for WordPress has CSRF.

6.8
2019-08-15 CVE-2019-13516 Osisoft Cross-Site Request Forgery (CSRF) vulnerability in Osisoft PI web API

In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect.

6.8
2019-08-15 CVE-2019-13514 Deltaww USE After Free vulnerability in Deltaww Delta Industrial Automation Dopsoft

In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger a use-after-free vulnerability, which may allow information disclosure, remote code execution, or crash of the application.

6.8
2019-08-15 CVE-2019-13513 Deltaww Out-Of-Bounds Read vulnerability in Deltaww Delta Industrial Automation Dopsoft

In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger multiple out-of-bounds read vulnerabilities, which may allow information disclosure, remote code execution, or crash of the application.

6.8
2019-08-15 CVE-2019-13510 Rockwellautomation USE After Free vulnerability in Rockwellautomation Arena Simulation Software

Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain a USE AFTER FREE CWE-416.

6.8
2019-08-15 CVE-2019-12809 Yes24 Improper Input Validation vulnerability in Yes24 Viewer Activex 1.0.327.50126

Yes24ViewerX ActiveX Control 1.0.327.50126 and earlier versions contains a vulnerability that could allow remote attackers to download and execute arbitrary files by setting the arguments to the ActiveX method.

6.8
2019-08-15 CVE-2018-14668 Yandex Cross-Site Request Forgery (CSRF) vulnerability in Yandex Clickhouse

In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks.

6.8
2019-08-15 CVE-2019-14422 Tortoisesvn Unspecified vulnerability in Tortoisesvn 1.12.1

An issue was discovered in in TortoiseSVN 1.12.1.

6.8
2019-08-15 CVE-2019-13221 STB Vorbis Project Out-Of-Bounds Write vulnerability in STB Vorbis Project STB Vorbis

A stack buffer overflow in the compute_codewords function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file.

6.8
2019-08-15 CVE-2019-13217 STB Vorbis Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in STB Vorbis Project STB Vorbis

A heap buffer overflow in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file.

6.8
2019-08-14 CVE-2019-14216 WP SVG Icons Project Cross-Site Request Forgery (CSRF) vulnerability in WP SVG Icons Project WP SVG Icons

An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress.

6.8
2019-08-14 CVE-2019-0716 Microsoft Unspecified vulnerability in Microsoft products

A denial of service vulnerability exists when Windows improperly handles objects in memory, aka 'Windows Denial of Service Vulnerability'.

6.8
2019-08-14 CVE-2019-10199 Redhat Improper Input Validation vulnerability in Redhat Keycloak

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests.

6.8
2019-08-14 CVE-2019-15050 Axiosys Out-Of-Bounds Read vulnerability in Axiosys Bento4 1.5.1.0

An issue was discovered in Bento4 1.5.1.0.

6.8
2019-08-14 CVE-2019-15049 Axiosys Out-Of-Bounds Read vulnerability in Axiosys Bento4 1.5.1.0

An issue was discovered in Bento4 1.5.1.0.

6.8
2019-08-14 CVE-2019-15048 Axiosys Out-Of-Bounds Write vulnerability in Axiosys Bento4 1.5.1.0

An issue was discovered in Bento4 1.5.1.0.

6.8
2019-08-14 CVE-2019-15047 Axiosys Out-Of-Bounds Read vulnerability in Axiosys Bento4 1.5.1.0

An issue was discovered in Bento4 1.5.1.0.

6.8
2019-08-14 CVE-2018-20968 Smackcoders Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders Ultimate Exporter

The wp-ultimate-exporter plugin before 1.4.2 for WordPress has CSRF.

6.8
2019-08-14 CVE-2018-20967 Smackcoders Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders WP Ultimate CSV Importer

The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF.

6.8
2019-08-14 CVE-2017-18513 Responsive Cross-Site Request Forgery (CSRF) vulnerability in Responsive Menu

The responsive-menu plugin before 3.1.4 for WordPress has no CSRF protection mechanism for the admin interface.

6.8
2019-08-14 CVE-2017-18512 Supsystic Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Newsletter BY Supsystic

The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF.

6.8
2019-08-14 CVE-2017-18511 Wpmudev Cross-Site Request Forgery (CSRF) vulnerability in Wpmudev Custom Sidebars

The custom-sidebars plugin before 3.0.8.1 for WordPress has CSRF.

6.8
2019-08-14 CVE-2017-18510 Wpmudev Cross-Site Request Forgery (CSRF) vulnerability in Wpmudev Custom Sidebars 3.0.8.1

The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related to set location, import actions, and export actions.

6.8
2019-08-14 CVE-2016-10885 WP Editor Project Cross-Site Request Forgery (CSRF) vulnerability in WP Editor Project WP Editor

The wp-editor plugin before 1.2.6 for WordPress has CSRF.

6.8
2019-08-14 CVE-2016-10884 Simple Membership Plugin Cross-Site Request Forgery (CSRF) vulnerability in Simple-Membership-Plugin Simple Membership

The simple-membership plugin before 3.3.3 for WordPress has multiple CSRF issues.

6.8
2019-08-14 CVE-2016-10882 Google DOC Embedder Project Cross-Site Request Forgery (CSRF) vulnerability in Google DOC Embedder Project Google DOC Embedder

The google-document-embedder plugin before 2.6.2 for WordPress has CSRF.

6.8
2019-08-14 CVE-2015-9309 Flippercode Cross-Site Request Forgery (CSRF) vulnerability in Flippercode Google MAP

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature.

6.8
2019-08-14 CVE-2015-9308 Flippercode Cross-Site Request Forgery (CSRF) vulnerability in Flippercode Google MAP

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit map feature.

6.8
2019-08-14 CVE-2015-9307 Flippercode Cross-Site Request Forgery (CSRF) vulnerability in Flippercode Google MAP

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit location feature.

6.8
2019-08-14 CVE-2013-7476 Simple Fields Project Cross-Site Request Forgery (CSRF) vulnerability in Simple Fields Project Simple Fields

The simple-fields plugin before 1.2 for WordPress has CSRF in the admin interface.

6.8
2019-08-14 CVE-2019-8062 Adobe Untrusted Search Path vulnerability in Adobe After Effects

Adobe After Effects versions 16 and earlier have an insecure library loading (dll hijacking) vulnerability.

6.8
2019-08-14 CVE-2019-7961 Adobe Untrusted Search Path vulnerability in Adobe Prelude CC 8.1

Adobe Prelude CC versions 8.1 and earlier have an insecure library loading (dll hijacking) vulnerability.

6.8
2019-08-14 CVE-2019-7931 Adobe Untrusted Search Path vulnerability in Adobe Premiere PRO CC 13.1.2

Adobe Premiere Pro CC versions 13.1.2 and earlier have an insecure library loading (dll hijacking) vulnerability.

6.8
2019-08-14 CVE-2019-7870 Adobe Untrusted Search Path vulnerability in Adobe Character Animator 2.1

Adobe Character Animator versions 2.1 and earlier have an insecure library loading (dll hijacking) vulnerability.

6.8
2019-08-13 CVE-2019-9516 Apple
Apache
Canonical
Debian
Fedoraproject
Synology
Opensuse
Redhat
Oracle
Mcafee
Nginx
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.

6.8
2019-08-13 CVE-2019-5299 Huawei Improper Verification of Cryptographic Signature vulnerability in Huawei Hima-Al00B Firmware 9.0.0.200(C00E200R2P1)

Huawei mobile phones Hima-AL00Bhave with Versions earlier than HMA-AL00C00B175 have a signature verification bypass vulnerability.

6.8
2019-08-13 CVE-2019-5223 Huawei Improper Authentication vulnerability in Huawei Pcmanager 9.1.3.1

PCManager 9.1.3.1 has an improper authentication vulnerability.

6.8
2019-08-13 CVE-2019-11207 Tibco Cross-Site Request Forgery (CSRF) vulnerability in Tibco products

The web server component of TIBCO Software Inc.'s TIBCO LogLogic Enterprise Virtual Appliance, and TIBCO LogLogic Log Management Intelligence contains multiple vulnerabilities that theoretically allow persistent and reflected cross-site scripting (XSS) attacks, as well as cross-site request forgery (CSRF) attacks.

6.8
2019-08-13 CVE-2019-14984 EQ 3 Missing Authentication FOR Critical Function vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request.

6.8
2019-08-13 CVE-2019-12807 Estsoft
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Estsoft Alzip

Alzip 10.83 and earlier version contains a stack-based buffer overflow vulnerability, caused by improper bounds checking during the parsing of crafted ISO archive file format.

6.8
2019-08-13 CVE-2019-12806 Crosscert
Microsoft
Buffer Errors vulnerability in Crosscert Unisign 2.0.4.0

UniSign 2.0.4.0 and earlier version contains a stack-based buffer overflow vulnerability which can overwrite the stack with arbitrary data, due to a buffer overflow in a library.

6.8
2019-08-13 CVE-2018-20964 Codepeople Cross-Site Request Forgery (CSRF) vulnerability in Codepeople Contact Form Email

The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.

6.8
2019-08-12 CVE-2017-18504 Wpdeveloper Cross-Site Request Forgery (CSRF) vulnerability in Wpdeveloper Twitter Cards Meta

The twitter-cards-meta plugin before 2.5.0 for WordPress has CSRF.

6.8
2019-08-12 CVE-2016-10876 Wpseeds Cross-Site Request Forgery (CSRF) vulnerability in Wpseeds WP Database Backup

The wp-database-backup plugin before 4.3.1 for WordPress has CSRF.

6.8
2019-08-12 CVE-2016-10874 Wpseeds Cross-Site Request Forgery (CSRF) vulnerability in Wpseeds WP Database Backup

The wp-database-backup plugin before 4.3.3 for WordPress has CSRF.

6.8
2019-08-14 CVE-2019-1161 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the MpSigStub.exe for Defender allows file deletion in arbitrary locations.To exploit the vulnerability, an attacker would first have to log on to the system, aka 'Microsoft Defender Elevation of Privilege Vulnerability'.

6.6
2019-08-16 CVE-2019-14923 Eyesofnetwork OS Command Injection vulnerability in Eyesofnetwork 5.10

EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field.

6.5
2019-08-15 CVE-2019-14788 Tribulant Path Traversal vulnerability in Tribulant Newsletter

wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value.

6.5
2019-08-15 CVE-2019-14755 Leaftecnologia Unrestricted Upload of File With Dangerous Type vulnerability in Leaftecnologia Leaf Admin 61.9.0212.10F

The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type.

6.5
2019-08-14 CVE-2019-1258 Microsoft Unspecified vulnerability in Microsoft Active Directory Authentication Library and Nuget

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens, aka 'Azure Active Directory Authentication Library Elevation of Privilege Vulnerability'.

6.5
2019-08-14 CVE-2019-1229 Microsoft Unspecified vulnerability in Microsoft Dynamics 365 9.0

An elevation of privilege vulnerability exists in Dynamics On-Premise v9, aka 'Dynamics On-Premise Elevation of Privilege Vulnerability'.

6.5
2019-08-14 CVE-2019-0349 SAP Missing Authorization vulnerability in SAP Advanced Business Application Programming Platform Kernel

SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77, allows a user to execute “Go to statement” without possessing the authorization S_DEVELOP DEBUG 02, resulting in Missing Authorization Check

6.5
2019-08-14 CVE-2019-0351 SAP Unspecified vulnerability in SAP Netweaver

A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50.

6.5
2019-08-14 CVE-2019-0343 SAP Code Injection vulnerability in SAP Commerce Cloud

SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, allows an authenticated Backoffice/HMC user to inject code that can be executed by the application, leading to Code Injection.

6.5
2019-08-12 CVE-2019-14966 Frappe SQL Injection vulnerability in Frappe

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4.

6.5
2019-08-14 CVE-2019-15058 STB Project Out-Of-Bounds Read vulnerability in STB Project STB 2.23

stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer over-read in stbi__tga_load, leading to Information Disclosure or Denial of Service.

6.4
2019-08-14 CVE-2019-13030 Mediola Forced Browsing vulnerability in Mediola NEO Server

eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details.

6.4
2019-08-14 CVE-2019-9583 EQ 3 Resource Exhaustion vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware

eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login.

6.4
2019-08-13 CVE-2019-12479 Twentytwenty Storage Project Path Traversal vulnerability in Twentytwenty.Storage Project Twentytwenty.Storage 2.11.0

An issue was discovered in 20|20 Storage 2.11.0.

6.4
2019-08-12 CVE-2019-13462 Lansweeper SQL Injection vulnerability in Lansweeper

Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.

6.4
2019-08-17 CVE-2019-14937 Vanderbilt SQL Injection vulnerability in Vanderbilt Redcap

REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php.

6.0
2019-08-14 CVE-2019-15062 Dolibarr Cross-Site Request Forgery (CSRF) vulnerability in Dolibarr 11.0.0

An issue was discovered in Dolibarr 11.0.0-alpha.

6.0
2019-08-14 CVE-2019-15053 Atlassian Cross-Site Scripting vulnerability in Atlassian Html Include and Replace Macro 1.4.0/1.4.1/1.4.2

The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element.

6.0
2019-08-16 CVE-2019-15119 NPS Project Incorrect Permission Assignment FOR Critical Resource vulnerability in NPS Project NPS

lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user.

5.8
2019-08-15 CVE-2019-9013 Codesys USE of A Broken OR Risky Cryptographic Algorithm vulnerability in Codesys products

An issue was discovered in 3S-Smart CODESYS V3 products.

5.8
2019-08-15 CVE-2019-13222 STB Vorbis Project Out-Of-Bounds Read vulnerability in STB Vorbis Project STB Vorbis

An out-of-bounds read of a global buffer in the draw_line function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file.

5.8
2019-08-15 CVE-2019-13220 STB Vorbis Project USE of Uninitialized Resource vulnerability in STB Vorbis Project STB Vorbis

Use of uninitialized stack variables in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file.

5.8
2019-08-14 CVE-2019-14526 Netgear Cross-Site Request Forgery (CSRF) vulnerability in Netgear Mr1100 Firmware

An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03.

5.8
2019-08-14 CVE-2019-3639 Mcafee Improper Restriction of Rendered UI Layers OR Frames vulnerability in Mcafee web Gateway

Clickjack vulnerability in Adminstrator web console in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows remote attackers to conduct clickjacking attacks via a crafted web page that contains an iframe via does not send an X-Frame-Options HTTP header.

5.8
2019-08-14 CVE-2016-10883 Mijnpress Cross-Site Request Forgery (CSRF) vulnerability in Mijnpress Simple ADD Pages OR Posts

The simple-add-pages-or-posts plugin before 1.7 for WordPress has CSRF for deleting users.

5.8
2019-08-14 CVE-2019-14975 Artifex Out-Of-Bounds Read vulnerability in Artifex Mupdf

Artifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_chartorune in fitz/string.c because pdf/pdf-op-filter.c does not check for a missing string.

5.8
2019-08-13 CVE-2019-5280 Huawei Improper Certificate Validation vulnerability in Huawei Cloudlink Phone 7900 Firmware V600R019C10

The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability.

5.8
2019-08-13 CVE-2019-14516 Uidai Improper Certificate Validation vulnerability in Uidai Maadhaar 1.2.7

The mAadhaar application 1.2.7 for Android lacks SSL Certificate Validation, leading to man-in-the-middle attacks against requests for FAQs or Help.

5.8
2019-08-14 CVE-2019-0723 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

5.5
2019-08-14 CVE-2019-0718 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

5.5
2019-08-14 CVE-2019-0717 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

5.5
2019-08-14 CVE-2019-0715 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

5.5
2019-08-14 CVE-2019-0714 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

5.5
2019-08-14 CVE-2019-10201 Redhat Improper Authentication vulnerability in Redhat Keycloak and Single Sign-On

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures.

5.5
2019-08-14 CVE-2019-0340 SAP XXE vulnerability in SAP Enable NOW

The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability.

5.5
2019-08-18 CVE-2019-15129 Humanica Information Exposure vulnerability in Humanica Humatrix 7 1.0.0.203/1.0.0.681

The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates' files in the photo folder on the website by specifying a "user id" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_name] URI.

5.0
2019-08-18 CVE-2019-15137 Eprosima Unspecified vulnerability in Eprosima Fast-Rtps

The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows fnmatch pattern matches with topic name strings (instead of the permission expressions themselves), which can lead to unintended connections between participants in a Data Distribution Service (DDS) network.

5.0
2019-08-18 CVE-2019-15136 Eprosima Missing Authorization vulnerability in Eprosima Fast-Rtps

The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition.

5.0
2019-08-18 CVE-2019-15135 OMG Cleartext Transmission of Sensitive Information vulnerability in OMG DDS Security 1.1

The handshake protocol in Object Management Group (OMG) DDS Security 1.1 sends cleartext information about all of the capabilities of a participant (including capabilities inapplicable to the current session), which makes it easier for attackers to discover potentially sensitive reachability information on a Data Distribution Service (DDS) network.

5.0
2019-08-17 CVE-2019-15132 Zabbix
Debian
Information Exposure vulnerability in multiple products

Zabbix through 4.4.0alpha1 allows User Enumeration.

5.0
2019-08-16 CVE-2017-18545 Invite Anyone Project Improper Input Validation vulnerability in Invite Anyone Project Invite Anyone

The invite-anyone plugin before 1.3.16 for WordPress has incorrect escaping of untrusted Dashboard and front-end input.

5.0
2019-08-16 CVE-2019-8063 Adobe
Apple
Microsoft
Information Exposure vulnerability in Adobe Creative Cloud

Creative Cloud Desktop Application 4.6.1 and earlier versions have an insecure transmission of sensitive data vulnerability.

5.0
2019-08-16 CVE-2019-7957 Adobe
Apple
Microsoft
Unspecified vulnerability in Adobe Creative Cloud

Creative Cloud Desktop Application versions 4.6.1 and earlier have a security bypass vulnerability.

5.0
2019-08-15 CVE-2019-10081 Apache
Debian
Out-Of-Bounds Write vulnerability in multiple products

HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes.

5.0
2019-08-15 CVE-2018-14672 Yandex Path Traversal vulnerability in Yandex Clickhouse

In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.

5.0
2019-08-15 CVE-2018-14669 Yandex Information Exposure vulnerability in Yandex Clickhouse

ClickHouse MySQL client before versions 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server.

5.0
2019-08-15 CVE-2019-12854 Squid Cache
Debian
Fedoraproject
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory.

5.0
2019-08-15 CVE-2019-14800 Foliovision Information Exposure vulnerability in Foliovision FV Flowplayer Video Player

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplayer&fv-email-export=1 URI.

5.0
2019-08-14 CVE-2019-1225 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory, aka 'Remote Desktop Protocol Server Information Disclosure Vulnerability'.

5.0
2019-08-14 CVE-2019-1224 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory, aka 'Remote Desktop Protocol Server Information Disclosure Vulnerability'.

5.0
2019-08-14 CVE-2019-1223 Microsoft Unspecified vulnerability in Microsoft products

A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability'.

5.0
2019-08-14 CVE-2019-1206 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server, aka 'Windows DHCP Server Denial of Service Vulnerability'.

5.0
2019-08-14 CVE-2019-1187 Microsoft XXE vulnerability in Microsoft products

A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input, aka 'XmlLite Runtime Denial of Service Vulnerability'.

5.0
2019-08-14 CVE-2019-15052 Gradle Insufficiently Protected Credentials vulnerability in Gradle

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host.

5.0
2019-08-14 CVE-2019-15046 Zohocorp Information Exposure vulnerability in Zohocorp Manageengine Servicedesk Plus

Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.

5.0
2019-08-14 CVE-2019-0345 SAP Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Application Server Java

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery.

5.0
2019-08-14 CVE-2019-0338 SAP Information Exposure vulnerability in SAP Gateway

During an OData V2/V4 request in SAP Gateway, versions 750, 751, 752, 753, the HTTP Header attributes cache-control and pragma were not properly set, allowing an attacker to access restricted information, resulting in Information Disclosure.

5.0
2019-08-14 CVE-2019-0331 SAP Unspecified vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3

Under certain conditions, SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, allows an attacker to access sensitive data such as directory structure, leading to Information Disclosure.

5.0
2019-08-14 CVE-2014-10375 GNU Numeric Errors vulnerability in GNU Exosip 3.5.0/4.0.0/4.1.0

handle_messages in eXtl_tls.c in eXosip before 5.0.0 mishandles a negative value in a content-length header.

5.0
2019-08-14 CVE-2019-15028 Joomla Unspecified vulnerability in Joomla Joomla!

In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms.

5.0
2019-08-13 CVE-2019-10943 Siemens Improper Access Control vulnerability in Siemens products

A vulnerability has been identified in SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl.

5.0
2019-08-13 CVE-2019-10942 Siemens Resource Exhaustion vulnerability in Siemens products

A vulnerability has been identified in SCALANCE X-200 switch family (incl.

5.0
2019-08-13 CVE-2019-14993 Istio Incorrect Regular Expression vulnerability in Istio

Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.

5.0
2019-08-13 CVE-2019-8448 Atlassian Information Exposure vulnerability in Atlassian Jira

The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

5.0
2019-08-13 CVE-2019-13419 Search Guard Information Exposure vulnerability in Search-Guard Search Guard

Search Guard versions before 23.1 had an issue that for aggregations clear text values of anonymised fields were leaked.

5.0
2019-08-12 CVE-2019-13418 Search Guard Improper Validation of Array Index vulnerability in Search-Guard Search Guard

Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized.

5.0
2019-08-12 CVE-2019-13417 Search Guard Information Exposure vulnerability in Search-Guard Search Guard

Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated.

5.0
2019-08-12 CVE-2019-14951 Telenav Improper Restriction of Excessive Authentication Attempts vulnerability in Telenav Scout GPS Link

The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Lexus vehicles, has an incorrect protection mechanism against brute-force attacks on the authentication process, which makes it easier for attackers to obtain multimedia-screen access via port 7050 on the cellular network, as demonstrated by a DrivingRestriction method call to uma/jsonrpc/mobile.

5.0
2019-08-12 CVE-2019-14932 Humanica Information Exposure vulnerability in Humanica Humatrix 7 1.0.0.203/1.0.0.681

The Recruitment module in Humanica Humatrix 7 1.0.0.681 and 1.0.0.203 allows remote attackers to access all candidates' information on the website via a modified selApp variable to personalData/resumeDetail.cfm.

5.0
2019-08-16 CVE-2019-15118 Linux Uncontrolled Recursion vulnerability in Linux Kernel

check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.

4.9
2019-08-16 CVE-2019-15098 Linux
Netapp
Canonical
Opensuse
Null Pointer Dereference vulnerability in multiple products

drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.

4.9
2019-08-15 CVE-2019-10140 Linux
Redhat
Null Pointer Dereference vulnerability in Linux Kernel

A vulnerability was found in Linux kernel's, versions up to 3.10, implementation of overlayfs.

4.9
2019-08-14 CVE-2019-0334 SAP Cross-Site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3

When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store a malicious script which when executed later could potentially allow a user to escalate privileges via session hijacking.

4.9
2019-08-14 CVE-2019-9506 Google
Blackberry
Apple
Cryptographic Issues vulnerability in multiple products

The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation.

4.8
2019-08-16 CVE-2019-15117 Linux Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Linux Kernel

parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access.

4.6
2019-08-16 CVE-2019-15090 Linux
Canonical
Opensuse
Out-Of-Bounds Read vulnerability in Linux Kernel

An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12.

4.6
2019-08-14 CVE-2019-1186 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2019-08-14 CVE-2019-1185 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

An elevation of privilege vulnerability exists due to a stack corruption in Windows Subsystem for Linux, aka 'Windows Subsystem for Linux Elevation of Privilege Vulnerability'.

4.6
2019-08-14 CVE-2019-1180 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2019-08-14 CVE-2019-1179 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2019-08-14 CVE-2019-1178 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2019-08-14 CVE-2019-1177 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2019-08-14 CVE-2019-1175 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2019-08-14 CVE-2019-1174 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the PsmServiceExtHost.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2019-08-14 CVE-2019-1173 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the PsmServiceExtHost.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2019-08-14 CVE-2019-3637 Mcafee Unspecified vulnerability in Mcafee File and Removable Media Protection

Privilege Escalation vulnerability in McAfee FRP 5.x prior to 5.1.0.209 allows local users to gain elevated privileges via running McAfee Tray with elevated privileges.

4.6
2019-08-13 CVE-2019-10928 Siemens Command Injection vulnerability in Siemens Scalance Sc-600 Firmware 2.0

A vulnerability has been identified in SCALANCE SC-600 (V2.0).

4.6
2019-08-12 CVE-2019-14935 3CX
Microsoft
Incorrect Permission Assignment FOR Critical Resource vulnerability in 3CX 15

3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.

4.6
2019-08-18 CVE-2019-15148 Gopro Out-Of-Bounds Write vulnerability in Gopro Gpmf-Parser 1.2.2

GoPro GPMF-parser 1.2.2 has an out-of-bounds write in OpenMP4Source in demo/GPMF_mp4reader.c.

4.3
2019-08-18 CVE-2019-15147 Gopro Out-Of-Bounds Read vulnerability in Gopro Gpmf-Parser 1.2.2

GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Next in GPMF_parser.c.

4.3
2019-08-18 CVE-2019-15146 Gopro Out-Of-Bounds Read vulnerability in Gopro Gpmf-Parser 1.2.2

GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in GPMF_Next in GPMF_parser.c.

4.3
2019-08-18 CVE-2019-15145 Djvulibre Project Out-Of-Bounds Read vulnerability in Djvulibre Project Djvulibre 3.5.27

DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.

4.3
2019-08-18 CVE-2019-15144 Djvulibre Project Uncontrolled Recursion vulnerability in Djvulibre Project Djvulibre 3.5.27

In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h.

4.3
2019-08-18 CVE-2019-15143 Djvulibre Project Infinite Loop vulnerability in Djvulibre Project Djvulibre 3.5.27

In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp.

4.3
2019-08-18 CVE-2019-15142 Djvulibre Project Out-Of-Bounds Read vulnerability in Djvulibre Project Djvulibre 3.5.27

In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file.

4.3
2019-08-18 CVE-2019-15141 Imagemagick Out-Of-Bounds Read vulnerability in Imagemagick 7.0.843

WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF.

4.3
2019-08-18 CVE-2019-15139 Imagemagick Out-Of-Bounds Read vulnerability in Imagemagick 7.0.841

The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472.

4.3
2019-08-17 CVE-2019-15133 Giflib Project
Canonical
Divide BY Zero vulnerability in multiple products

In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.

4.3
2019-08-16 CVE-2019-15116 Easydigitaldownloads Cross-Site Scripting vulnerability in Easydigitaldownloads Easy Digital Downloads

The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging.

4.3
2019-08-16 CVE-2017-18542 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Zendesk Help Center

The zendesk-help-center plugin before 1.0.5 for WordPress has multiple XSS issues.

4.3
2019-08-16 CVE-2017-18541 Xakuro Cross-Site Scripting vulnerability in Xakuro XO Security

The xo-security plugin before 1.5.3 for WordPress has XSS.

4.3
2019-08-16 CVE-2019-15120 Kunena Cross-Site Scripting vulnerability in Kunena 5.0.2/5.0.3/5.0.4

The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode.

4.3
2019-08-16 CVE-2019-15095 Diaowen Cross-Site Scripting vulnerability in Diaowen Dwsurvey 20190722

DWSurvey through 2019-07-22 has reflected XSS via the design/qu-multi-fillblank!answers.action surveyId parameter.

4.3
2019-08-15 CVE-2019-13512 Fujielectric Out-Of-Bounds Read vulnerability in Fujielectric Frenic Loader 3.5.0.0

Fuji Electric FRENIC Loader 3.5.0.0 and prior is vulnerable to an out-of-bounds read vulnerability, which may allow an attacker to read limited information from the device.

4.3
2019-08-15 CVE-2019-13511 Rockwellautomation Information Exposure vulnerability in Rockwellautomation Arena Simulation Software

Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain an INFORMATION EXPOSURE CWE-200.

4.3
2019-08-15 CVE-2019-13377 W1 FI
Canonical
Fedoraproject
Information Exposure vulnerability in multiple products

The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used.

4.3
2019-08-15 CVE-2019-13223 STB Vorbis Project Reachable Assertion vulnerability in STB Vorbis Project STB Vorbis

A reachable assertion in the lookup1_values function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.

4.3
2019-08-15 CVE-2019-13219 STB Vorbis Project Null Pointer Dereference vulnerability in STB Vorbis Project STB Vorbis

A NULL pointer dereference in the get_window function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.

4.3
2019-08-15 CVE-2019-13218 STB Vorbis Project Divide BY Zero vulnerability in STB Vorbis Project STB Vorbis

Division by zero in the predict_point function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.

4.3
2019-08-15 CVE-2018-17790 Prospecta Cross-Site Scripting vulnerability in Prospecta Master Data Online 2.0

Prospecta Master Data Online (MDO) 2.0 has Stored XSS.

4.3
2019-08-15 CVE-2017-14232 Flif
Jasper Project
Resource Management Errors vulnerability in multiple products

The read_chunk function in flif-dec.cpp in Free Lossless Image Format (FLIF) 0.3 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted flif file.

4.3
2019-08-15 CVE-2019-14789 Custom 404 PRO Project Cross-Site Scripting vulnerability in Custom 404 PRO Project Custom 404 PRO 3.2.8

The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin/admin.php?page=c4p-main page parameter.

4.3
2019-08-15 CVE-2019-14784 Codepeople Cross-Site Scripting vulnerability in Codepeople CP Contact Form With Paypal

The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition.

4.3
2019-08-15 CVE-2019-14790 Limbcode Cross-Site Scripting vulnerability in Limbcode Limb-Gallery 1.4.0

The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS via the wp-admin/admin-ajax.php?action=grsGalleryAjax&grsAction=shortcode task parameter,

4.3
2019-08-14 CVE-2019-14427 Webstudio Cross-Site Scripting vulnerability in Webstudio Ultimate Loan Manager 2.0

XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code.

4.3
2019-08-14 CVE-2019-1204 Microsoft Improper Input Validation vulnerability in Microsoft Office, Office 365 Proplus and Outlook

An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages, aka 'Microsoft Outlook Elevation of Privilege Vulnerability'.

4.3
2019-08-14 CVE-2019-1192 Microsoft Incorrect Authorization vulnerability in Microsoft Edge and Internet Explorer

A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins, aka 'Microsoft Browsers Security Feature Bypass Vulnerability'.

4.3
2019-08-14 CVE-2019-1172 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session, aka 'Windows Information Disclosure Vulnerability'.

4.3
2019-08-14 CVE-2019-1163 Microsoft Improper Validation of Integrity Check Value vulnerability in Microsoft products

A security feature bypass exists when Windows incorrectly validates CAB file signatures, aka 'Windows File Signature Security Feature Bypass Vulnerability'.

4.3
2019-08-14 CVE-2019-1030 Microsoft Information Exposure vulnerability in Microsoft Edge

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka 'Microsoft Edge Information Disclosure Vulnerability'.

4.3
2019-08-14 CVE-2018-19386 Solarwinds Cross-Site Scripting vulnerability in Solarwinds Database Performance Analyzer 11.1.457

SolarWinds Database Performance Analyzer 11.1.457 contains an instance of Reflected XSS in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI.

4.3
2019-08-14 CVE-2019-3635 Mcafee Information Exposure vulnerability in Mcafee web Gateway

Exfiltration of Data in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows attackers to obtain sensitive data via crafting a complex webpage that will trigger the Web Gateway to block the user accessing an iframe.

4.3
2019-08-14 CVE-2019-14974 Sugarcrm Cross-Site Scripting vulnerability in Sugarcrm 9.0.0

SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS.

4.3
2019-08-14 CVE-2016-10881 Google DOC Embedder Project Cross-Site Scripting vulnerability in Google DOC Embedder Project Google DOC Embedder

The google-document-embedder plugin before 2.6.2 for WordPress has XSS.

4.3
2019-08-14 CVE-2016-10880 Google DOC Embedder Project Cross-Site Scripting vulnerability in Google DOC Embedder Project Google DOC Embedder

The google-document-embedder plugin before 2.6.1 for WordPress has XSS.

4.3
2019-08-14 CVE-2015-9314 Newstatpress Project Cross-Site Scripting vulnerability in Newstatpress Project Newstatpress

The newstatpress plugin before 1.0.4 for WordPress has XSS related to the Referer header.

4.3
2019-08-14 CVE-2015-9312 Newstatpress Project Cross-Site Scripting vulnerability in Newstatpress Project Newstatpress

The newstatpress plugin before 1.0.5 for WordPress has XSS related to an IMG element.

4.3
2019-08-14 CVE-2015-9311 Newstatpress Project Cross-Site Scripting vulnerability in Newstatpress Project Newstatpress

The newstatpress plugin before 1.0.6 for WordPress has reflected XSS.

4.3
2019-08-14 CVE-2019-0337 SAP Cross-Site Scripting vulnerability in SAP Netweaver Process Integration

Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs and allows an attacker to execute malicious scripts in the url thereby resulting in Reflected Cross-Site Scripting (XSS) vulnerability

4.3
2019-08-14 CVE-2019-0335 SAP Cross-Site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3

Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the description field of a user account.

4.3
2019-08-14 CVE-2019-0332 SAP Cross-Site Scripting vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3

SAP BusinessObjects Business Intelligence Platform (Info View), versions 4.1, 4.2, 4.3, allows an attacker to give some payload for keyword in the search and it will be executed while search performs its action, resulting in Cross-Site Scripting (XSS) vulnerability.

4.3
2019-08-14 CVE-2019-14973 Libtiff Integer Overflow OR Wraparound vulnerability in Libtiff

_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards.

4.3
2019-08-13 CVE-2019-10929 Siemens Improper Access Control vulnerability in Siemens products

A vulnerability has been identified in SIMATIC CP 1626 (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl.

4.3
2019-08-13 CVE-2017-18488 Backup Guard Cross-Site Scripting vulnerability in Backup-Guard Backup Guard

The Backup Guard plugin before 1.1.47 for WordPress has multiple XSS issues.

4.3
2019-08-13 CVE-2017-18487 Google Adsense Project Cross-Site Scripting vulnerability in Google Adsense Project Google Adsense

The adsense-plugin (aka Google AdSense) plugin before 1.44 for WordPress has multiple XSS issues.

4.3
2019-08-13 CVE-2016-10867 Tipsandtricks HQ Cross-Site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages.

4.3
2019-08-13 CVE-2016-10866 Tipsandtricks HQ Cross-Site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPress has multiple XSS issues.

4.3
2019-08-13 CVE-2018-20963 Codepeople Cross-Site Scripting vulnerability in Codepeople Contact Form Email

The contact-form-to-email plugin before 1.2.66 for WordPress has XSS.

4.3
2019-08-13 CVE-2017-18507 WP Livechat Cross-Site Scripting vulnerability in Wp-Livechat WP Live Chat Support

The wp-live-chat-support plugin before 7.1.05 for WordPress has XSS.

4.3
2019-08-13 CVE-2017-18498 Presstigers Cross-Site Scripting vulnerability in Presstigers Simple JOB Board

The simple-job-board plugin before 2.4.4 for WordPress has reflected XSS via keyword search.

4.3
2019-08-13 CVE-2017-18497 W3Eden Cross-Site Scripting vulnerability in W3Eden Live Forms

The liveforms plugin before 3.4.0 for WordPress has XSS.

4.3
2019-08-13 CVE-2017-18496 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Htaccess

The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues.

4.3
2019-08-13 CVE-2017-18495 Mediaburst Cross-Site Scripting vulnerability in Mediaburst Gravity Forms

The gravity-forms-sms-notifications plugin before 2.4.0 for WordPress has XSS.

4.3
2019-08-13 CVE-2017-18494 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Custom Search

The custom-search-plugin plugin before 1.36 for WordPress has multiple XSS issues.

4.3
2019-08-13 CVE-2017-18493 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Custom Admin Page 0.1/0.1.1

The custom-admin-page plugin before 0.1.2 for WordPress has multiple XSS issues.

4.3
2019-08-13 CVE-2017-18492 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Contact Form TO DB

The contact-form-to-db plugin before 1.5.7 for WordPress has multiple XSS issues.

4.3
2019-08-13 CVE-2017-18491 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Contact Form

The contact-form-plugin plugin before 4.0.6 for WordPress has multiple XSS issues.

4.3
2019-08-13 CVE-2017-18490 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Contact Form Multi

The contact-form-multi plugin before 1.2.1 for WordPress has multiple XSS issues.

4.3
2019-08-13 CVE-2017-18489 Mediaburst Cross-Site Scripting vulnerability in Mediaburst Contact Form 7 - Clockwork SMS

The contact-form-7-sms-addon plugin before 2.4.0 for WordPress has XSS.

4.3
2019-08-13 CVE-2016-10871 Ibericode Cross-Site Scripting vulnerability in Ibericode Mailchimp

The mailchimp-for-wp plugin before 4.0.11 for WordPress has XSS on the integration settings page.

4.3
2019-08-13 CVE-2016-10870 Gtranslate Cross-Site Scripting vulnerability in Gtranslate Google Language Translator

The google-language-translator plugin before 5.0.06 for WordPress has XSS.

4.3
2019-08-13 CVE-2016-10869 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Contact Form

The contact-form-plugin plugin before 4.0.2 for WordPress has XSS.

4.3
2019-08-13 CVE-2016-10868 Tipsandtricks HQ Cross-Site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 4.0.5 for WordPress has XSS in the blacklist, file system, and file change detection settings pages.

4.3
2019-08-13 CVE-2015-9302 Simple Fields Project Cross-Site Scripting vulnerability in Simple Fields Project Simple Fields

The simple-fields plugin before 1.4.11 for WordPress has XSS.

4.3
2019-08-13 CVE-2015-9300 WP Events Plugin Cross-Site Scripting vulnerability in Wp-Events-Plugin Events Manager

The events-manager plugin before 5.5.7 for WordPress has multiple XSS issues.

4.3
2019-08-13 CVE-2015-9299 WP Events Plugin Cross-Site Scripting vulnerability in Wp-Events-Plugin Events Manager

The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS.

4.3
2019-08-13 CVE-2015-9297 WP Events Plugin Cross-Site Scripting vulnerability in Wp-Events-Plugin Events Manager

The events-manager plugin before 5.6 for WordPress has XSS.

4.3
2019-08-13 CVE-2015-9296 Never5 Cross-Site Scripting vulnerability in Never5 Download Monitor

The download-monitor plugin before 1.7.1 for WordPress has XSS related to add_query_arg.

4.3
2019-08-13 CVE-2015-9295 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Contact Form

The contact-form-plugin plugin before 3.96 for WordPress has XSS.

4.3
2019-08-13 CVE-2015-9294 Tipsandtricks HQ Cross-Site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances.

4.3
2019-08-13 CVE-2015-9293 Tipsandtricks HQ Cross-Site Scripting vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature.

4.3
2019-08-13 CVE-2013-7475 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Contact Form

The contact-form-plugin plugin before 3.52 for WordPress has XSS.

4.3
2019-08-13 CVE-2012-6713 WP Jobmanager Cross-Site Scripting vulnerability in Wp-Jobmanager JOB Manager

The job-manager plugin before 0.7.19 for WordPress has multiple XSS issues.

4.3
2019-08-13 CVE-2019-13420 Search Guard Information Exposure vulnerability in Search-Guard Search Guard

Search Guard versions before 21.0 had an timing side channel issue when using the internal user database.

4.3
2019-08-12 CVE-2019-14982 Exiv2 Integer Overflow OR Wraparound vulnerability in Exiv2

In Exiv2 before v0.27.2, there is an integer overflow vulnerability in the WebPImage::getHeaderOffset function in webpimage.cpp.

4.3
2019-08-12 CVE-2019-14981 Imagemagick
Debian
Canonical
Opensuse
Divide BY Zero vulnerability in multiple products

In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function.

4.3
2019-08-12 CVE-2019-14980 Imagemagick USE After Free vulnerability in Imagemagick

In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.

4.3
2019-08-12 CVE-2019-14976 Icmsdev Cross-Site Scripting vulnerability in Icmsdev Icms 7.0.15

iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter.

4.3
2019-08-12 CVE-2019-14967 Frappe Cross-Site Scripting vulnerability in Frappe

An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12.

4.3
2019-08-12 CVE-2018-20966 Booster Cross-Site Scripting vulnerability in Booster FOR Woocommerce

The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature.

4.3
2019-08-12 CVE-2018-20965 Ultimatemember Cross-Site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 2.0.4 for WordPress has XSS.

4.3
2019-08-12 CVE-2017-18505 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Twitter Button

The twitter-plugin plugin before 2.55 for WordPress has XSS.

4.3
2019-08-12 CVE-2017-18503 Wpdeveloper Cross-Site Scripting vulnerability in Wpdeveloper Twitter Cards Meta

The twitter-cards-meta plugin before 2.5.0 for WordPress has XSS.

4.3
2019-08-12 CVE-2017-18502 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Subscriber

The subscriber plugin before 1.3.5 for WordPress has multiple XSS issues.

4.3
2019-08-12 CVE-2017-18501 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Social Login 0.1

The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues.

4.3
2019-08-12 CVE-2017-18500 Bestwebsoft Cross-Site Scripting vulnerability in Bestwebsoft Social Buttons Pack

The social-buttons-pack plugin before 1.1.1 for WordPress has multiple XSS issues.

4.3
2019-08-12 CVE-2017-18499 Simple Membership Plugin Cross-Site Scripting vulnerability in Simple-Membership-Plugin Simple Membership

The simple-membership plugin before 3.5.7 for WordPress has XSS.

4.3
2019-08-12 CVE-2016-10872 Ultimatemember Cross-Site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form.

4.3
2019-08-12 CVE-2015-9304 Ultimatemember Cross-Site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

4.3
2019-08-12 CVE-2015-9303 Simplesharebuttons Cross-Site Scripting vulnerability in Simplesharebuttons Simple Share Buttons Adder

The simple-share-buttons-adder plugin before 6.0.0 for WordPress has XSS.

4.3
2019-08-12 CVE-2019-14950 WP Livechat Cross-Site Scripting vulnerability in Wp-Livechat WP Live Chat Support

The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page.

4.3
2019-08-12 CVE-2019-14949 Wpseeds Cross-Site Scripting vulnerability in Wpseeds WP Database Backup

The wp-database-backup plugin before 5.1.2 for WordPress has XSS.

4.3
2019-08-12 CVE-2017-18508 WP Livechat Cross-Site Scripting vulnerability in Wp-Livechat WP Live Chat Support

The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS.

4.3
2019-08-12 CVE-2017-18506 Wpovernight Cross-Site Scripting vulnerability in Wpovernight Woocommerce PDF Invoices& Packing Slips

The woocommerce-pdf-invoices-packing-slips plugin before 2.0.13 for WordPress has XSS via the tab or section variable on settings screens.

4.3
2019-08-12 CVE-2016-10879 WP Livechat Cross-Site Scripting vulnerability in Wp-Livechat WP Live Chat Support

The wp-live-chat-support plugin before 6.2.02 for WordPress has XSS.

4.3
2019-08-12 CVE-2016-10878 Flippercode Cross-Site Scripting vulnerability in Flippercode Google MAP

The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS.

4.3
2019-08-12 CVE-2016-10877 WP Editor Project Cross-Site Scripting vulnerability in WP Editor Project WP Editor

The wp-editor plugin before 1.2.6.3 for WordPress has multiple XSS issues.

4.3
2019-08-12 CVE-2016-10875 Wpseeds Cross-Site Scripting vulnerability in Wpseeds WP Database Backup

The wp-database-backup plugin before 4.3.1 for WordPress has XSS.

4.3
2019-08-12 CVE-2016-10873 Wpseeds Cross-Site Scripting vulnerability in Wpseeds WP Database Backup

The wp-database-backup plugin before 4.3.3 for WordPress has XSS.

4.3
2019-08-12 CVE-2015-9306 Smackcoders Cross-Site Scripting vulnerability in Smackcoders Ultimate CSV Importer

The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS.

4.3
2019-08-12 CVE-2015-9305 Flippercode Cross-Site Scripting vulnerability in Flippercode Google MAP

The wp-google-map-plugin plugin before 2.3.7 for WordPress has XSS related to the add_query_arg() and remove_query_arg() functions.

4.3
2019-08-15 CVE-2019-13515 Osisoft Information Exposure Through LOG Files vulnerability in Osisoft PI web API

OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information.

4.0
2019-08-15 CVE-2018-12357 Arista Incorrect Permission Assignment FOR Critical Resource vulnerability in Arista Cloudvision Portal

Arista CloudVision Portal through 2018.1.1 has Incorrect Permissions.

4.0
2019-08-15 CVE-2019-14786 Rankmath Code Injection vulnerability in Rankmath SEO 1.0.27

The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users to reset the settings via the wp-admin/admin-post.php reset-cmb parameter.

4.0
2019-08-14 CVE-2019-0348 SAP Cleartext Transmission of Sensitive Information vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2

SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.1, 4.2, can access database with unencrypted connection, even if the quality of protection should be encrypted.

4.0
2019-08-14 CVE-2019-0346 SAP Cleartext Transmission of Sensitive Information vulnerability in SAP Businessobjects Business Intelligence 4.2

Unencrypted communication error in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to disclosure of list of user names and roles imported from SAP NetWeaver BI systems, resulting in Information Disclosure.

4.0
2019-08-14 CVE-2019-0341 SAP Incorrect Permission Assignment FOR Critical Resource vulnerability in SAP Enable NOW 1902

The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set.

4.0
2019-08-14 CVE-2019-0333 SAP Unspecified vulnerability in SAP Businessobjects Business Intelligence 4.2

In some situations, when a client cancels a query in SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.2, 4.3, the attacker can then query and receive the whole data set instead of just what is part of their authorized security profile, resulting in Information Disclosure.

4.0
2019-08-13 CVE-2019-10927 Siemens Improper Input Validation vulnerability in Siemens products

A vulnerability has been identified in SCALANCE SC-600 (V2.0), SCALANCE XB-200 (V4.1), SCALANCE XC-200 (V4.1), SCALANCE XF-200BA (V4.1), SCALANCE XP-200 (V4.1), SCALANCE XR-300WG (V4.1).

4.0
2019-08-13 CVE-2019-14530 Open EMR Path Traversal vulnerability in Open-Emr Openemr

An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter.

4.0
2019-08-12 CVE-2019-14940 Spdk Unspecified vulnerability in Spdk Storage Performance Development KIT

In Storage Performance Development Kit (SPDK) before 19.07, a user of a vhost can cause a crash if the target is sent invalid input.

4.0

30 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-14 CVE-2019-1211 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2017 and Visual Studio 2019

An elevation of privilege vulnerability exists in Git for Visual Studio when it improperly parses configuration files, aka 'Git for Visual Studio Elevation of Privilege Vulnerability'.

3.7
2019-08-14 CVE-2019-1202 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists in the way Microsoft SharePoint handles session objects, aka 'Microsoft SharePoint Information Disclosure Vulnerability'.

3.6
2019-08-16 CVE-2019-15108 Wso2 Cross-Site Scripting vulnerability in Wso2 API Manager

An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457.

3.5
2019-08-15 CVE-2018-12101 Clippercms Cross-Site Scripting vulnerability in Clippercms 1.3.3

CMS Clipper 1.3.3 has XSS in the Security tab search, User Groups, Resource Groups, and User/Resource Group Links fields.

3.5
2019-08-15 CVE-2019-14518 Modx Cross-Site Scripting vulnerability in Modx Evolution CMS 2.0.0

** DISPUTED ** Evolution CMS 2.0.x allows XSS via a description and new category location in a template.

3.5
2019-08-15 CVE-2019-3418 ZTE Cross-Site Scripting vulnerability in ZTE Zxhn F670 Firmware

All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by cross-site scripting vulnerability (XSS).

3.5
2019-08-15 CVE-2019-15081 Opencart Cross-Site Scripting vulnerability in Opencart

OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.

3.5
2019-08-15 CVE-2019-14795 Toggle THE Title Project Cross-Site Scripting vulnerability in Toggle-The-Title Project Toggle-The-Title 1.4

The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress has XSS via the wp-admin/admin-ajax.php?action=update_title_options isAutoSaveValveChecked or isDisableAllPagesValveChecked parameter.

3.5
2019-08-14 CVE-2019-1218 Microsoft Cross-Site Scripting vulnerability in Microsoft Outlook

A spoofing vulnerability exists in the way Microsoft Outlook iOS software parses specifically crafted email messages, aka 'Outlook iOS Spoofing Vulnerability'.

3.5
2019-08-14 CVE-2019-1203 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Enterprise Server and Sharepoint Server

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'.

3.5
2019-08-13 CVE-2019-13416 Search Guard Improper Authorization vulnerability in Search-Guard Search Guard

Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s).

3.5
2019-08-13 CVE-2019-13415 Search Guard Improper Authorization vulnerability in Search-Guard Search Guard

Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users can gain read access to data they are not authorized to see.

3.5
2019-08-13 CVE-2019-14987 Schben Cross-Site Scripting vulnerability in Schben Framework 2.0.7

Adive Framework through 2.0.7 is affected by XSS in the Create New Table and Create New Navigation Link functions.

3.5
2019-08-12 CVE-2019-14947 Ultimatemember Cross-Site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.

3.5
2019-08-12 CVE-2019-14946 Ultimatemember Cross-Site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.

3.5
2019-08-12 CVE-2019-14945 Ultimatemember Cross-Site Scripting vulnerability in Ultimatemember Ultimate Member

The ultimate-member plugin before 2.0.54 for WordPress has XSS.

3.5
2019-08-12 CVE-2019-14948 Najeebmedia Cross-Site Scripting vulnerability in Najeebmedia Ppom FOR Woocommerce

The woocommerce-product-addon plugin before 18.4 for WordPress has XSS via an import of a new meta data structure.

3.5
2019-08-15 CVE-2018-14008 Arista Improper Authentication vulnerability in Arista EOS

Arista EOS through 4.21.0F allows a crash because 802.1x authentication is mishandled.

3.3
2019-08-16 CVE-2016-10894 Xtrlock Project
Debian
7PK - Security Features vulnerability in multiple products

xtrlock through 2.10 does not block multitouch events.

2.1
2019-08-14 CVE-2019-1228 Microsoft Information Exposure vulnerability in Microsoft Windows 7 and Windows Server 2008

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'.

2.1
2019-08-14 CVE-2019-1227 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'.

2.1
2019-08-14 CVE-2019-1171 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists in SymCrypt during the OAEP decryption stage, aka 'SymCrypt Information Disclosure Vulnerability'.

2.1
2019-08-14 CVE-2019-1158 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows Graphics Component Information Disclosure Vulnerability'.

2.1
2019-08-14 CVE-2019-1154 Microsoft Information Exposure vulnerability in Microsoft Windows 7 and Windows Server 2008

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows Graphics Component Information Disclosure Vulnerability'.

2.1
2019-08-14 CVE-2019-1153 Microsoft Out-Of-Bounds Read vulnerability in Microsoft products

An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka 'Microsoft Graphics Component Information Disclosure Vulnerability'.

2.1
2019-08-14 CVE-2019-1148 Microsoft Out-Of-Bounds Read vulnerability in Microsoft products

An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka 'Microsoft Graphics Component Information Disclosure Vulnerability'.

2.1
2019-08-14 CVE-2019-1143 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows Graphics Component Information Disclosure Vulnerability'.

2.1
2019-08-14 CVE-2019-1078 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory, aka 'Microsoft Graphics Component Information Disclosure Vulnerability'.

2.1
2019-08-12 CVE-2019-14359 Real SEC Information Exposure vulnerability in Real-Sec BC Vault Firmware

** DISPUTED ** On BC Vault devices, a side channel for the row-based SSD1309 OLED display was found.

2.1
2019-08-12 CVE-2019-14939 Mysql Project Information Exposure vulnerability in Mysql Project Mysql 2.17.1

An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js.

2.1