Weekly Vulnerabilities Reports > August 26 to September 1, 2019
Overview
383 new vulnerabilities were reported during this period, including 107 critical vulnerabilities and 142 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 480 products from 226 vendors, including Adobe, Debian, Ithemes, Cisco, and Videolan. The vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Cross-Site Request Forgery (CSRF)", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".
- 336 reported vulnerabilities are remotely exploitable.
- 4 reported vulnerabilities have a public exploit available.
- 144 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 327 reported vulnerabilities are exploitable by an anonymous user.
- Adobe has the most reported vulnerabilities, with 34.
- Adobe has the most reported critical vulnerabilities, with 14.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
107 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-28 | CVE-2019-12643 | Cisco | Improper Authentication vulnerability in Cisco IOS XE 15.5(3)S3.16/16.6.5 A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device. | 10.0 |
2019-08-26 | CVE-2019-13020 | Trms | Server-Side Request Forgery (SSRF) vulnerability in Trms Tightrope Media Carousel The fetch API in Tightrope Media Carousel before 7.1.3 has CarouselAPI/v0/fetch?url= SSRF. | 10.0 |
2019-08-30 | CVE-2019-15826 | Wpserveur | Unspecified vulnerability in Wpserveur WPS Hide Login The wps-hide-login plugin before 1.5.3 for WordPress has a protection bypass via wp-login.php in the Referer field. | 9.8 |
2019-08-30 | CVE-2019-15825 | Wpserveur | Unspecified vulnerability in Wpserveur WPS Hide Login The wps-hide-login plugin before 1.5.3 for WordPress has an action=rp&key&login protection bypass. | 9.8 |
2019-08-30 | CVE-2019-15824 | Wpserveur | Unspecified vulnerability in Wpserveur WPS Hide Login The wps-hide-login plugin before 1.5.3 for WordPress has an adminhash protection bypass. | 9.8 |
2019-08-30 | CVE-2019-15823 | Wpserveur | Unspecified vulnerability in Wpserveur WPS Hide Login The wps-hide-login plugin before 1.5.3 for WordPress has an action=confirmaction protection bypass. | 9.8 |
2019-08-30 | CVE-2019-15822 | Wpserveur | Path Traversal vulnerability in Wpserveur WPS Child Theme Generator 1.0/1.1 The wps-child-theme-generator plugin before 1.2 for WordPress has classes/helpers.php directory traversal. | 9.8 |
2019-08-30 | CVE-2019-15819 | Restaurant Reservations Project | Missing Authentication for Critical Function vulnerability in Restaurant Reservations Project Restaurant Reservations The nd-restaurant-reservations plugin before 1.5 for WordPress has no requirement for nd_rst_import_settings_php_function authentication. | 9.8 |
2019-08-30 | CVE-2019-5608 | Freebsd Netapp | Out-of-bounds Write vulnerability in multiple products In FreeBSD 12.0-STABLE before r350648, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350650, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs. | 9.8 |
2019-08-29 | CVE-2019-15806 | Commscope | Inadequate Encryption Strength vulnerability in Commscope Tr4400 Firmware A1.00.004180301 CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/basic_sett.html. | 9.8 |
2019-08-29 | CVE-2019-15805 | Commscope | Inadequate Encryption Strength vulnerability in Commscope Tr4400 Firmware A1.00.004180301 CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/login.html. | 9.8 |
2019-08-29 | CVE-2019-15717 | Irssi Canonical | Use After Free vulnerability in multiple products Irssi 1.2.x before 1.2.2 has a use-after-free if the IRC server sends a double CAP. | 9.8 |
2019-08-29 | CVE-2019-11500 | Dovecot Debian Fedoraproject | Out-of-bounds Write vulnerability in multiple products In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. | 9.8 |
2019-08-29 | CVE-2019-15788 | Nvidia | Integer Overflow or Wraparound vulnerability in Nvidia Clara Genomics Analysis 0.1.0 Clara Genomics Analysis before 0.2.0 has an integer overflow for cudapoa memory management in allocate_block.cpp. | 9.8 |
2019-08-29 | CVE-2019-15786 | Robotis | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Robotis Dynamixel SDK ROBOTIS Dynamixel SDK through 3.7.11 has a buffer overflow via a large rxpacket. | 9.8 |
2019-08-29 | CVE-2019-15785 | Fontforge | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Fontforge FontForge 20190813 through 20190820 has a buffer overflow in PrefsUI_LoadPrefs in prefs.c. | 9.8 |
2019-08-29 | CVE-2019-15784 | Srtalliance | Improper Validation of Array Index vulnerability in Srtalliance Secure Reliable Transport Secure Reliable Transport (SRT) through 1.3.4 has a CSndUList array overflow if there are many SRT connections. | 9.8 |
2019-08-29 | CVE-2019-15783 | Lute TAB Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Lute-Tab Project Lute-Tab Lute-Tab before 2019-08-23 has a buffer overflow in pdf_print.cc. | 9.8 |
2019-08-29 | CVE-2019-15780 | Strategy11 | Deserialization of Untrusted Data vulnerability in Strategy11 Formidable Form Builder The formidable plugin before 4.02.01 for WordPress has unsafe deserialization. | 9.8 |
2019-08-29 | CVE-2019-14943 | Gitlab | Use of Hard-coded Credentials vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4. | 9.8 |
2019-08-29 | CVE-2018-21007 | Wisetr | Improper Access Control vulnerability in Wisetr User Email Verification for Woocommerce The woo-confirmation-email plugin before 3.2.0 for WordPress has no blocking of direct access to supportive xl folders inside uploads. | 9.8 |
2019-08-29 | CVE-2019-13405 | Androvideo | Missing Authentication for Critical Function vulnerability in Androvideo VD 1 Firmware 230 A broken access control vulnerability found in Advan VD-1 firmware version 230 leads to insecure ADB service. | 9.8 |
2019-08-29 | CVE-2019-11064 | Androvideo Geovision | Improper Authentication vulnerability in multiple products A vulnerability of remote credential disclosure was discovered in Advan VD-1 firmware versions up to 230. | 9.8 |
2019-08-28 | CVE-2019-9933 | Lexmark | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Lexmark products Various Lexmark products have a Buffer Overflow (issue 3 of 3). | 9.8 |
2019-08-28 | CVE-2019-9932 | Lexmark | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Lexmark products Various Lexmark products have a Buffer Overflow (issue 2 of 3). | 9.8 |
2019-08-28 | CVE-2019-9930 | Lexmark | Integer Overflow or Wraparound vulnerability in Lexmark products Various Lexmark products have an Integer Overflow. | 9.8 |
2019-08-28 | CVE-2019-15294 | Gallagher | Information Exposure Through Log Files vulnerability in Gallagher Command Centre 8.10 An issue was discovered in Gallagher Command Centre 8.10 before 8.10.1092(MR2). | 9.8 |
2019-08-28 | CVE-2012-6719 | Sharebar Project | SQL Injection vulnerability in Sharebar Project Sharebar The sharebar plugin before 1.2.2 for WordPress has SQL injection. | 9.8 |
2019-08-27 | CVE-2019-13486 | Xymon Debian | Out-of-bounds Write vulnerability in multiple products In Xymon through 4.3.28, a stack-based buffer overflow exists in the status-log viewer component because of expansion in svcstatus.c. | 9.8 |
2019-08-27 | CVE-2019-13485 | Xymon Debian | Out-of-bounds Write vulnerability in multiple products In Xymon through 4.3.28, a stack-based buffer overflow vulnerability exists in the history viewer component via a long hostname or service parameter to history.c. | 9.8 |
2019-08-27 | CVE-2019-13484 | Xymon Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products In Xymon through 4.3.28, a buffer overflow exists in the status-log viewer CGI because of expansion in appfeed.c. | 9.8 |
2019-08-27 | CVE-2019-13455 | Xymon Debian | Out-of-bounds Write vulnerability in multiple products In Xymon through 4.3.28, a stack-based buffer overflow vulnerability exists in the alert acknowledgment CGI tool because of expansion in acknowledge.c. | 9.8 |
2019-08-27 | CVE-2019-13452 | Xymon Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products In Xymon through 4.3.28, a buffer overflow vulnerability exists in reportlog.c. | 9.8 |
2019-08-27 | CVE-2019-13451 | Xymon Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products In Xymon through 4.3.28, a buffer overflow vulnerability exists in history.c. | 9.8 |
2019-08-27 | CVE-2019-13273 | Xymon Debian | Out-of-bounds Write vulnerability in multiple products In Xymon through 4.3.28, a buffer overflow vulnerability exists in the csvinfo CGI script. | 9.8 |
2019-08-27 | CVE-2019-14314 | Imagely | SQL Injection vulnerability in Imagely Nextgen Gallery A SQL injection vulnerability exists in the Imagely NextGEN Gallery plugin before 3.2.11 for WordPress. | 9.8 |
2019-08-27 | CVE-2015-9352 | WP Polls Project | SQL Injection vulnerability in Wp-Polls Project Wp-Polls 2.70/2.71 The wp-polls plugin before 2.72 for WordPress has SQL injection. | 9.8 |
2019-08-27 | CVE-2015-9351 | Slickremix | Improper Input Validation vulnerability in Slickremix Feed Them Social The feed-them-social plugin before 1.7.0 for WordPress has possible shortcode execution in the Facebook Feeds load more button. | 9.8 |
2019-08-27 | CVE-2019-15659 | Genetechsolutions | SQL Injection vulnerability in Genetechsolutions PIE Register The pie-register plugin before 3.1.2 for WordPress has SQL injection, a different issue than CVE-2018-10969. | 9.8 |
2019-08-27 | CVE-2019-15646 | Carrcommunications | SQL Injection vulnerability in Carrcommunications Rsvpmaker The rsvpmaker plugin before 6.2 for WordPress has SQL injection. | 9.8 |
2019-08-27 | CVE-2018-21005 | Bbpress Move Topics Project | Code Injection vulnerability in Bbpress Move Topics Project Bbpress Move Topics The bbp-move-topics plugin before 1.1.6 for WordPress has code injection. | 9.8 |
2019-08-27 | CVE-2018-21004 | Carrcommunications | SQL Injection vulnerability in Carrcommunications Rsvpmaker The rsvpmaker plugin before 5.6.4 for WordPress has SQL injection. | 9.8 |
2019-08-27 | CVE-2018-21003 | Themekraft | SQL Injection vulnerability in Themekraft Buddyforms The buddyforms plugin before 2.2.8 for WordPress has SQL injection. | 9.8 |
2019-08-27 | CVE-2016-10935 | Visser | Permissions, Privileges, and Access Controls vulnerability in Visser Store Exporter for Woocommerce The woocommerce-exporter plugin before 1.8.4 for WordPress has privilege escalation. | 9.8 |
2019-08-27 | CVE-2015-9344 | Perafox | SQL Injection vulnerability in Perafox Link LOG The link-log plugin before 2.1 for WordPress has SQL injection. | 9.8 |
2019-08-26 | CVE-2019-15657 | Eslint Utils Project | Unspecified vulnerability in Eslint-Utils Project Eslint-Utils In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code. | 9.8 |
2019-08-26 | CVE-2019-15651 | Wolfssl | Out-of-bounds Read vulnerability in Wolfssl 4.1.0 wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex. | 9.8 |
2019-08-26 | CVE-2019-15497 | Blackbox Onelan | Use of Hard-coded Credentials vulnerability in multiple products Black Box iCOMPEL 9.2.3 through 11.1.4, as used in ONELAN Net-Top-Box 9.2.3 through 11.1.4 and other products, has default credentials that allow remote attackers to access devices remotely via SSH, HTTP, HTTPS, and FTP. | 9.8 |
2019-08-26 | CVE-2019-9569 | Deltacontrols | Out-of-bounds Write vulnerability in Deltacontrols Entelibus Firmware 3.40B571848 Buffer Overflow in dactetra in Delta Controls enteliBUS Manager V3.40_B-571848 allows remote unauthenticated users to execute arbitrary code and possibly cause a denial of service via unspecified vectors. | 9.8 |
2019-08-26 | CVE-2019-8001 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7998 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7997 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7993 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7992 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7990 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7975 | Adobe | Type Confusion vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7974 | Adobe | Type Confusion vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7973 | Adobe | Type Confusion vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7972 | Adobe | Type Confusion vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7971 | Adobe | Type Confusion vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7970 | Adobe | Type Confusion vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7969 | Adobe | Type Confusion vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability. | 9.8 |
2019-08-26 | CVE-2019-7968 | Adobe | Command Injection vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a command injection vulnerability. | 9.8 |
2019-08-26 | CVE-2019-15548 | Ncurses Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ncurses Project Ncurses An issue was discovered in the ncurses crate through 5.99.0 for Rust. | 9.8 |
2019-08-26 | CVE-2019-15543 | Slice Deque Project | Out-of-bounds Write vulnerability in Slice-Deque Project Slice-Deque An issue was discovered in the slice-deque crate before 0.2.0 for Rust. | 9.8 |
2019-08-26 | CVE-2019-15533 | Xayr | SQL Injection vulnerability in Xayr Xenfcoresharp XENFCoreSharp before 2019-07-16 allows SQL injection in web/verify.php. | 9.8 |
2019-08-26 | CVE-2019-15503 | Altavoz | OS Command Injection vulnerability in Altavoz Prontuscms 11.2.101/12.0.3.0 cgi-cpn/xcoding/prontus_videocut.cgi in AltaVoz Prontus (aka ProntusCMS) through 12.0.3.0 has "Improper Neutralization of Special Elements used in an OS Command," allowing attackers to execute OS commands via an HTTP GET parameter. | 9.8 |
2019-08-26 | CVE-2018-20998 | Arrayfire | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Arrayfire An issue was discovered in the arrayfire crate before 3.6.0 for Rust. | 9.8 |
2019-08-26 | CVE-2018-20997 | Rust Openssl Project | Use After Free vulnerability in Rust-Openssl Project Rust-Openssl An issue was discovered in the openssl crate before 0.10.9 for Rust. | 9.8 |
2019-08-26 | CVE-2018-20996 | Crossbeam Project | Double Free vulnerability in Crossbeam Project Crossbeam An issue was discovered in the crossbeam crate before 0.4.1 for Rust. | 9.8 |
2019-08-26 | CVE-2018-20995 | Slice Deque Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Slice-Deque Project Slice-Deque An issue was discovered in the slice-deque crate before 0.1.16 for Rust. | 9.8 |
2019-08-26 | CVE-2019-15558 | XM Online | SQL Injection vulnerability in Xm-Online Xm^Online 2 - Common Utils and Endpoints 0.2.1 XM^online 2 Common Utils and Endpoints 0.2.1 allows SQL injection, related to Constants.java, DropSchemaResolver.java, and SchemaChangeResolver.java. | 9.8 |
2019-08-26 | CVE-2019-15557 | XM Online | SQL Injection vulnerability in Xm-Online Xm^Online 2 User Account and Authentication Server 1.0.0 XM^online 2 User Account and Authentication server 1.0.0 allows SQL injection via a tenant key. | 9.8 |
2019-08-26 | CVE-2019-15555 | Wellness Project | SQL Injection vulnerability in Wellness Project Wellness FredReinink Wellness-app before 2019-06-19 allows SQL injection, related to dietTrack.php, exerciseGenerator.php, fitnessTrack.php, and server.php. | 9.8 |
2019-08-26 | CVE-2019-15560 | Reviews Module Project | SQL Injection vulnerability in Reviews Module Project Reviews Module 20190601/20190602/20190603 The Reviews Module before 2019-06-14 for OpenSource Table allows SQL injection in database/index.js. | 9.8 |
2019-08-26 | CVE-2019-15559 | Hawn Project | SQL Injection vulnerability in Hawn Project Hawn DianoxDragon Hawn before 2019-07-10 allows SQL injection. | 9.8 |
2019-08-26 | CVE-2019-15574 | Cipsoft | SQL Injection vulnerability in Cipsoft Gesior-Aac Gesior-AAC before 2019-05-01 allows serviceID SQL injection in accountmanagement.php. | 9.8 |
2019-08-26 | CVE-2019-15573 | Cipsoft | SQL Injection vulnerability in Cipsoft Gesior-Aac Gesior-AAC before 2019-05-01 allows SQL injection in tankyou.php. | 9.8 |
2019-08-26 | CVE-2019-15572 | Cipsoft | SQL Injection vulnerability in Cipsoft Gesior-Aac Gesior-AAC before 2019-05-01 allows ServiceCategoryID SQL injection in shop.php. | 9.8 |
2019-08-26 | CVE-2019-15571 | Clonos Project | SQL Injection vulnerability in Clonos Project Clonos The WEB control panel before 2019-04-30 for ClonOS allows SQL injection in clonos.php. | 9.8 |
2019-08-26 | CVE-2019-15570 | Bedita | SQL Injection vulnerability in Bedita BEdita through 4.0.0-RC2 allows SQL injection during a save operation for a relation with parameters. | 9.8 |
2019-08-26 | CVE-2019-15569 | GOV | SQL Injection vulnerability in GOV Ccd-Data-Store-Api HM Courts & Tribunals ccd-data-store-api before 2019-06-10 allows SQL injection, related to SearchQueryFactoryOperation.java and SortDirection.java. | 9.8 |
2019-08-26 | CVE-2019-15568 | Idseq | SQL Injection vulnerability in Idseq Idseq-Web idseq-web before 2019-07-01 in Infectious Disease Sequencing Platform IDseq allows SQL injection via tax_levels. | 9.8 |
2019-08-26 | CVE-2019-15567 | Openforis | SQL Injection vulnerability in Openforis Arena OpenForis Arena before 2019-05-07 allows SQL injection in the sorting feature. | 9.8 |
2019-08-26 | CVE-2019-15566 | Alfresco | SQL Injection vulnerability in Alfresco The Alfresco application before 1.8.7 for Android allows SQL injection in HistorySearchProvider.java. | 9.8 |
2019-08-26 | CVE-2019-15565 | Webimpacto | SQL Injection vulnerability in Webimpacto Icommktconnector The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL injection in icommktconnector.php. | 9.8 |
2019-08-26 | CVE-2019-15564 | Compassionuk | SQL Injection vulnerability in Compassionuk Compassion Switzerland 10.01.4 The Compassion Switzerland addons 10.01.4 for Odoo allow SQL injection in models/partner_compassion.py. | 9.8 |
2019-08-26 | CVE-2019-15563 | Ohdsi | SQL Injection vulnerability in Ohdsi Webapi Observational Health Data Sciences and Informatics (OHDSI) WebAPI before 2.7.2 allows SQL injection in FeatureExtractionService.java. | 9.8 |
2019-08-26 | CVE-2019-15554 | Servo | Out-of-bounds Write vulnerability in Servo Smallvec An issue was discovered in the smallvec crate before 0.6.10 for Rust. | 9.8 |
2019-08-26 | CVE-2019-15552 | Libflate Project | Use After Free vulnerability in Libflate Project Libflate An issue was discovered in the libflate crate before 0.1.25 for Rust. | 9.8 |
2019-08-26 | CVE-2019-15551 | Servo | Double Free vulnerability in Servo Smallvec An issue was discovered in the smallvec crate before 0.6.10 for Rust. | 9.8 |
2019-08-26 | CVE-2019-14307 | Ricoh | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ricoh products Several Ricoh printers have multiple buffer overflows parsing HTTP parameter settings for SNMP, which allow an attacker to cause a denial of service or code execution via crafted requests to the web server. | 9.8 |
2019-08-26 | CVE-2019-14305 | Ricoh | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ricoh products Several Ricoh printers have multiple buffer overflows parsing HTTP parameter settings for Wi-Fi, mDNS, POP3, SMTP, and notification alerts, which allow an attacker to cause a denial of service or code execution via crafted requests to the web server. | 9.8 |
2019-08-26 | CVE-2019-14300 | Ricoh | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ricoh products Several Ricoh printers have multiple buffer overflows parsing HTTP cookie headers, which allow an attacker to cause a denial of service or code execution via crafted requests to the web server. | 9.8 |
2019-08-26 | CVE-2018-21000 | Safe Transmute Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Safe-Transmute Project Safe-Transmute An issue was discovered in the safe-transmute crate before 0.10.1 for Rust. | 9.8 |
2019-08-26 | CVE-2018-20991 | Servo | Double Free vulnerability in Servo Smallvec An issue was discovered in the smallvec crate before 0.6.3 for Rust. | 9.8 |
2019-08-26 | CVE-2019-14308 | Ricoh | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ricoh products Several Ricoh printers have multiple buffer overflows parsing LPD packets, which allow an attacker to cause a denial of service or code execution via crafted requests to the LPD service. | 9.8 |
2019-08-26 | CVE-2019-15562 | Gorm | SQL Injection vulnerability in Gorm GORM before 1.9.10 allows SQL injection via incomplete parentheses. | 9.8 |
2019-08-26 | CVE-2019-15561 | Flashlingo Project | SQL Injection vulnerability in Flashlingo Project Flashlingo FlashLingo before 2019-06-12 allows SQL injection, related to flashlingo.js and db.js. | 9.8 |
2019-08-26 | CVE-2019-15556 | Social Network Project | SQL Injection vulnerability in Social Network Project Social Network Pvanloon1983 social_network before 2019-07-03 allows SQL injection in includes/form_handlers/register_handler.php. | 9.8 |
2019-08-26 | CVE-2019-15524 | Cszcms | Unrestricted Upload of File with Dangerous Type vulnerability in Cszcms CSZ CMS 1.2.3 CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in the File Management Module, which leads to remote code execution by visiting a photo/upload/2019/ URI. | 9.8 |
2019-08-26 | CVE-2019-15521 | Spoon Library Fork CMS | Deserialization of Untrusted Data vulnerability in multiple products Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object. | 9.8 |
2019-08-26 | CVE-2019-15534 | Raml Module Builder Project | SQL Injection vulnerability in Raml-Module-Builder Project Raml-Module-Builder 26.4.0 Raml-Module-Builder 26.4.0 allows SQL Injection in PostgresClient.update. | 9.8 |
2019-08-28 | CVE-2019-15753 | Openstack | Allocation of Resources Without Limits or Throttling vulnerability in Openstack Os-Vif 1.15.0/1.15.1/1.16.0 In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. | 9.1 |
2019-08-28 | CVE-2019-10058 | Lexmark | Unspecified vulnerability in Lexmark products Various Lexmark products have Incorrect Access Control. | 9.1 |
2019-08-26 | CVE-2019-4169 | IBM | Insecure Default Initialization of Resource vulnerability in IBM Open Power Op910/Op920 IBM Open Power Firmware OP910 and OP920 could allow access to BMC via IPMI using default OpenBMC password even after BMC password was changed away from the default password. | 9.1 |
2019-08-26 | CVE-2019-15304 | Progradegrill | Insecure Default Initialization of Resource vulnerability in Progradegrill Wifi Grilling Thermometer Firmware 1.0050006 Lierda Grill Temperature Monitor V1.00_50006 has a default password of admin for the admin account, which allows an attacker to cause a Denial of Service or Information Disclosure via the undocumented access-point configuration page located on the device. | 9.1 |
142 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-30 | CVE-2019-15841 | | Cross-Site Request Forgery (CSRF) vulnerability in Facebook for Woocommerce The facebook-for-woocommerce plugin before 1.9.15 for WordPress has CSRF via ajax_woo_infobanner_post_click, ajax_woo_infobanner_post_xout, or ajax_fb_toggle_visibility. | 8.8 |
2019-08-30 | CVE-2019-15840 | | Cross-Site Request Forgery (CSRF) vulnerability in Facebook for Woocommerce 1.9.11/1.9.12/1.9.13 The facebook-for-woocommerce plugin before 1.9.14 for WordPress has CSRF. | 8.8 |
2019-08-30 | CVE-2019-15835 | WP Better Permalinks Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Better Permalinks Project WP Better Permalinks The wp-better-permalinks plugin before 3.0.5 for WordPress has CSRF. | 8.8 |
2019-08-30 | CVE-2019-15834 | Webp Converter FOR Media Project | Cross-Site Request Forgery (CSRF) vulnerability in Webp Converter for Media Project Webp Converter for Media 1.0.0/1.0.1/1.0.2 The webp-converter-for-media plugin before 1.0.3 for WordPress has CSRF. | 8.8 |
2019-08-30 | CVE-2019-15832 | WP BUY | Cross-Site Request Forgery (CSRF) vulnerability in Wp-Buy Visitor Traffic Real Time Statistics The visitors-traffic-real-time-statistics plugin before 1.13 for WordPress has CSRF. | 8.8 |
2019-08-30 | CVE-2019-15831 | WP BUY | Cross-Site Request Forgery (CSRF) vulnerability in Wp-Buy Visitor Traffic Real Time Statistics The visitors-traffic-real-time-statistics plugin before 1.12 for WordPress has CSRF in the settings page. | 8.8 |
2019-08-30 | CVE-2019-15828 | Tribulant | Cross-Site Request Forgery (CSRF) vulnerability in Tribulant ONE Click SSL The one-click-ssl plugin before 1.4.7 for WordPress has CSRF. | 8.8 |
2019-08-30 | CVE-2015-9380 | 10Web | Cross-Site Request Forgery (CSRF) vulnerability in 10Web Photo Gallery The photo-gallery plugin before 1.2.42 for WordPress has CSRF. | 8.8 |
2019-08-30 | CVE-2019-13526 | Datalogic | Improper Authentication vulnerability in Datalogic Av7000 Firmware Datalogic AV7000 Linear barcode scanner all versions prior to 4.6.0.0 is vulnerable to authentication bypass, which may allow an attacker to remotely execute arbitrary code. | 8.8 |
2019-08-29 | CVE-2019-3394 | Atlassian | Path Traversal vulnerability in Atlassian Confluence There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. | 8.8 |
2019-08-29 | CVE-2019-15781 | Weblizar | Cross-Site Request Forgery (CSRF) vulnerability in Weblizar Social Likebox & Feed The facebook-by-weblizar plugin before 2.8.5 for WordPress has CSRF. | 8.8 |
2019-08-29 | CVE-2019-15779 | Quadlayers | Cross-Site Request Forgery (CSRF) vulnerability in Quadlayers WP Social Feed Gallery The insta-gallery plugin before 2.4.8 for WordPress has no nonce validation for qligg_dismiss_notice or qligg_form_item_delete. | 8.8 |
2019-08-29 | CVE-2019-15745 | Equeshome | Use of Hard-coded Credentials vulnerability in Equeshome ELF Smart Plug Firmware The Eques elf smart plug and the mobile app use a hardcoded AES 256 bit key to encrypt the commands and responses between the device and the app. | 8.8 |
2019-08-29 | CVE-2019-15770 | Hallme | Cross-Site Request Forgery (CSRF) vulnerability in Hallme Woocommerce Address Book The woo-address-book plugin before 1.6.0 for WordPress has save calls without nonce verification checks. | 8.8 |
2019-08-29 | CVE-2019-15769 | Haktansuren | Cross-Site Request Forgery (CSRF) vulnerability in Haktansuren Handl UTM Grabber The handl-utm-grabber plugin before 2.6.5 for WordPress has CSRF via add_option and update_option. | 8.8 |
2019-08-29 | CVE-2019-11063 | Asus | Missing Authentication for Critical Function vulnerability in Asus Smarthome A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. | 8.8 |
2019-08-28 | CVE-2019-15496 | Manageyourteam | Cross-Site Request Forgery (CSRF) vulnerability in Manageyourteam MYT Project Management 1.5.1 MyT Project Management 1.5.1 lacks CSRF protection and, for example, allows a user/create CSRF attack. | 8.8 |
2019-08-28 | CVE-2019-13348 | ENG | Insufficiently Protected Credentials vulnerability in ENG Knowage In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases. | 8.8 |
2019-08-28 | CVE-2019-10390 | Jenkins | Unspecified vulnerability in Jenkins Splunk A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earlier allowed attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | 8.8 |
2019-08-28 | CVE-2019-10384 | Jenkins Oracle Redhat | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user. | 8.8 |
2019-08-27 | CVE-2019-15701 | Bloodhound Project | OS Command Injection vulnerability in Bloodhound Project Bloodhound 2.2.0 components/Modals/HelpModal.jsx in BloodHound 2.2.0 allows remote attackers to execute arbitrary OS commands (by spawning a child process as the current user on the victim's machine) when the search function's autocomplete feature is used. | 8.8 |
2019-08-27 | CVE-2019-13270 | Edimax | Improper Input Validation vulnerability in Edimax Br-6208Ac V1 Firmware Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. | 8.8 |
2019-08-27 | CVE-2019-13269 | Edimax | Improper Input Validation vulnerability in Edimax Br-6208Ac V1 Firmware Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. | 8.8 |
2019-08-27 | CVE-2019-13268 | TP Link | Improper Input Validation vulnerability in Tp-Link Archer C2 V1 Firmware and Archer C3200 V1 Firmware TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. | 8.8 |
2019-08-27 | CVE-2019-13267 | TP Link | Unspecified vulnerability in Tp-Link Archer C2 V1 Firmware and Archer C3200 V1 Firmware TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. | 8.8 |
2019-08-27 | CVE-2019-13266 | TP Link | Incorrect Resource Transfer Between Spheres vulnerability in Tp-Link Archer C2 V1 Firmware and Archer C3200 V1 Firmware TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. | 8.8 |
2019-08-27 | CVE-2019-13265 | Dlink | Unspecified vulnerability in Dlink Dir-825/Ac G1 Firmware D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. | 8.8 |
2019-08-27 | CVE-2019-13264 | Dlink | Unspecified vulnerability in Dlink Dir-825/Ac G1 Firmware D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. | 8.8 |
2019-08-27 | CVE-2019-13263 | Dlink | Incorrect Resource Transfer Between Spheres vulnerability in Dlink Dir-825/Ac G1 Firmware D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. | 8.8 |
2019-08-27 | CVE-2019-13271 | Edimax | Unspecified vulnerability in Edimax Br-6208Ac V1 Firmware Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. | 8.8 |
2019-08-27 | CVE-2019-11457 | Micropyramid | Cross-Site Request Forgery (CSRF) vulnerability in Micropyramid Django CRM 0.2.1 Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and /login/. | 8.8 |
2019-08-27 | CVE-2019-15660 | Butlerblog | Cross-Site Request Forgery (CSRF) vulnerability in Butlerblog Wp-Members The wp-members plugin before 3.2.8 for WordPress has CSRF. | 8.8 |
2019-08-27 | CVE-2019-15649 | Elearningfreak | Unrestricted Upload of File with Dangerous Type vulnerability in Elearningfreak Insert or Embed Articulate Content The insert-or-embed-articulate-content-into-wordpress plugin before 4.2999 for WordPress has insufficient restrictions on file upload. | 8.8 |
2019-08-27 | CVE-2019-15647 | Groundhogg | Code Injection vulnerability in Groundhogg The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution. | 8.8 |
2019-08-27 | CVE-2019-15645 | Zoho | Cross-Site Request Forgery (CSRF) vulnerability in Zoho Salesiq The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF. | 8.8 |
2019-08-27 | CVE-2018-21006 | Bbpress Move Topics Project | Cross-Site Request Forgery (CSRF) vulnerability in Bbpress Move Topics Project Bbpress Move Topics The bbp-move-topics plugin before 1.1.6 for WordPress has CSRF. | 8.8 |
2019-08-27 | CVE-2018-21002 | Joomsky | Cross-Site Request Forgery (CSRF) vulnerability in Joomsky JS Help Desk The js-support-ticket plugin before 2.0.6 for WordPress has CSRF. | 8.8 |
2019-08-27 | CVE-2015-9343 | Impress | Cross-Site Request Forgery (CSRF) vulnerability in Impress WP Rollback The wp-rollback plugin before 1.2.3 for WordPress has CSRF. | 8.8 |
2019-08-26 | CVE-2019-7996 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7995 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7994 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7991 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7989 | Adobe | Command Injection vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a command injection vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7988 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7986 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7985 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7984 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7983 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7982 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7980 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7979 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7978 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability. | 8.8 |
2019-08-26 | CVE-2019-7976 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability. | 8.8 |
2019-08-26 | CVE-2019-15642 | Webmin | Code Injection vulnerability in Webmin rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. | 8.8 |
2019-08-29 | CVE-2019-11248 | Kubernetes | Missing Authorization vulnerability in Kubernetes The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. | 8.2 |
2019-08-26 | CVE-2019-4513 | IBM | XXE vulnerability in IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 8.2 |
2019-08-29 | CVE-2019-11247 | Kubernetes Redhat | Incorrect Authorization vulnerability in multiple products The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. | 8.1 |
2019-08-29 | CVE-2019-11061 | Asus | Missing Authentication for Critical Function vulnerability in Asus Hg100 Firmware 1.05.12/4.00.06 A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with itself via http://[target]/smarthome/devicecontrol without any authentication. | 8.1 |
2019-08-26 | CVE-2019-15637 | Tableau | XXE vulnerability in Tableau products Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. | 8.1 |
2019-08-26 | CVE-2016-10931 | Rust Openssl Project | Improper Certificate Validation vulnerability in Rust-Openssl Project Rust-Openssl An issue was discovered in the openssl crate before 0.9.0 for Rust. | 8.1 |
2019-08-30 | CVE-2019-12810 | Estsoft | Out-of-bounds Write vulnerability in Estsoft Alsee A memory corruption vulnerability exists in the .PSD parsing functionality of ALSee v5.3 ~ v8.39. | 7.8 |
2019-08-30 | CVE-2019-2390 | Mongodb | Unspecified vulnerability in Mongodb An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. | 7.8 |
2019-08-30 | CVE-2019-1966 | Cisco | Unspecified vulnerability in Cisco Nx-Os and Unified Computing System A vulnerability in a specific CLI command within the local management (local-mgmt) context for Cisco UCS Fabric Interconnect Software could allow an authenticated, local attacker to gain elevated privileges as the root user on an affected device. | 7.8 |
2019-08-29 | CVE-2019-8461 | Checkpoint | Untrusted Search Path vulnerability in Checkpoint products Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed. | 7.8 |
2019-08-29 | CVE-2019-11396 | Avira | Link Following vulnerability in Avira Free Security Suite and Software Updater An issue was discovered in Avira Free Security Suite 10. | 7.8 |
2019-08-29 | CVE-2019-14970 | Videolan Debian | Out-of-bounds Write vulnerability in multiple products A vulnerability in mkv::event_thread_t in VideoLAN VLC media player 3.0.7.1 allows remote attackers to trigger a heap-based buffer overflow via a crafted .mkv file. | 7.8 |
2019-08-29 | CVE-2019-14778 | Videolan Debian | Use After Free vulnerability in multiple products The mkv::virtual_segment_c::seek method of demux/mkv/virtual_segment.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free. | 7.8 |
2019-08-29 | CVE-2019-14777 | Videolan Debian | Use After Free vulnerability in multiple products The Control function of demux/mkv/mkv.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free. | 7.8 |
2019-08-29 | CVE-2019-14776 | Videolan Debian | Out-of-bounds Read vulnerability in multiple products A heap-based buffer over-read exists in DemuxInit() in demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 via a crafted .mkv file. | 7.8 |
2019-08-29 | CVE-2019-14533 | Videolan Debian | Use After Free vulnerability in multiple products The Control function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 has a use-after-free. | 7.8 |
2019-08-29 | CVE-2019-14535 | Videolan Debian | Divide By Zero vulnerability in multiple products A divide-by-zero error exists in the SeekIndex function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1. | 7.8 |
2019-08-29 | CVE-2019-14498 | Videolan Debian | Divide By Zero vulnerability in multiple products A divide-by-zero error exists in the Control function of demux/caf.c in VideoLAN VLC media player 3.0.7.1. | 7.8 |
2019-08-29 | CVE-2019-14438 | Videolan Debian | Out-of-bounds Read vulnerability in multiple products A heap-based buffer over-read in xiph_PackHeaders() in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 allows remote attackers to trigger a heap-based buffer over-read via a crafted .ogg file. | 7.8 |
2019-08-29 | CVE-2019-14437 | Videolan Debian | Improper Validation of Array Index vulnerability in multiple products The xiph_SplitHeaders function in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 does not check array bounds properly. | 7.8 |
2019-08-29 | CVE-2019-11476 | Canonical | Integer Overflow or Wraparound vulnerability in Canonical Ubuntu Linux An integer overflow in whoopsie before versions 0.2.52.5ubuntu0.1, 0.2.62ubuntu0.1, 0.2.64ubuntu0.1, 0.2.66, results in an out-of-bounds write to a heap allocated buffer when processing large crash dumps. | 7.8 |
2019-08-29 | CVE-2019-15767 | GNU | Out-of-bounds Write vulnerability in GNU Chess 6.2.5 In GNU Chess 6.2.5, there is a stack-based buffer overflow in the cmd_load function in frontend/cmd.cc via a crafted chess position in an EPD file. | 7.8 |
2019-08-29 | CVE-2019-5530 | Bitrock | Unspecified vulnerability in Bitrock Installbuilder Windows binaries generated with InstallBuilder versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature. | 7.8 |
2019-08-29 | CVE-2019-11245 | Kubernetes | Permissions, Privileges, and Access Controls vulnerability in Kubernetes 1.13.6/1.14.2 In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. | 7.8 |
2019-08-29 | CVE-2017-14202 | Zephyrproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Zephyrproject Zephyr Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the shell component of Zephyr allows a serial or telnet connected user to cause a crash, possibly with arbitrary code execution. | 7.8 |
2019-08-29 | CVE-2017-14201 | Zephyrproject | Use After Free vulnerability in Zephyrproject Zephyr Use After Free vulnerability in the Zephyr shell allows a serial or telnet connected user to cause denial of service, and possibly remote code execution. | 7.8 |
2019-08-28 | CVE-2019-15752 | Docker Apache | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command. | 7.8 |
2019-08-28 | CVE-2019-15720 | Cloudberrylab | Improper Privilege Management vulnerability in Cloudberrylab Backup 6.1.2.34 CloudBerry Backup v6.1.2.34 allows local privilege escalation via a Pre or Post backup action. | 7.8 |
2019-08-26 | CVE-2019-12532 | Insyde | Unspecified vulnerability in Insyde products Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. | 7.8 |
2019-08-26 | CVE-2019-4448 | IBM | Improper Privilege Management vulnerability in IBM DB2 High Performance Unload Load 6.1/6.1.0.1/6.1.0.2 IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum and db2hpum_debug binaries are setuid root and have built-in options that allow a low privileged user the ability to load arbitrary db2 libraries from a privileged context. | 7.8 |
2019-08-26 | CVE-2019-4447 | IBM | Uncontrolled Search Path Element vulnerability in IBM DB2 High Performance Unload Load 6.1/6.1.0.1/6.1.0.2 IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum_debug is a setuid root binary which trusts the PATH environment variable. | 7.8 |
2019-08-28 | CVE-2019-1965 | Cisco | Missing Release of Resource after Effective Lifetime vulnerability in Cisco Nx-Os A vulnerability in the Virtual Shell (VSH) session management for Cisco NX-OS Software could allow an authenticated, remote attacker to cause a VSH process to fail to delete upon termination. | 7.7 |
2019-08-30 | CVE-2019-15839 | Shaosina | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Shaosina Sina Extension for Elementor The sina-extension-for-elementor plugin before 2.2.1 for WordPress has local file inclusion. | 7.5 |
2019-08-30 | CVE-2019-15630 | Mulesoft | Path Traversal vulnerability in Mulesoft API Gateway and Mule Runtime Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process. | 7.5 |
2019-08-30 | CVE-2019-15026 | Memcached | Out-of-bounds Read vulnerability in Memcached 1.5.16 memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c. | 7.5 |
2019-08-30 | CVE-2019-15821 | Bold Themes | Unspecified vulnerability in Bold-Themes Bold Page Builder The bold-page-builder plugin before 2.3.2 for WordPress has no protection against modifying settings and importing data. | 7.5 |
2019-08-30 | CVE-2019-15816 | Wpexpertdeveloper | Open Redirect vulnerability in Wpexpertdeveloper WP Private Content Plus The wp-private-content-plus plugin before 2.0 for WordPress has no protection against option changes via save_settings_page and other save_ functions. | 7.5 |
2019-08-30 | CVE-2019-6113 | Onkyo | Path Traversal vulnerability in Onkyo Tx-Nr686 Firmware 1030500010400010 Directory traversal vulnerability on ONKYO TX-NR686 1030-5000-1040-0010 A/V Receiver devices allows remote attackers to read arbitrary files via a .. | 7.5 |
2019-08-30 | CVE-2019-5612 | Freebsd Netapp | Race Condition vulnerability in multiple products In FreeBSD 12.0-STABLE before r351264, 12.0-RELEASE before 12.0-RELEASE-p10, 11.3-STABLE before r351265, 11.3-RELEASE before 11.3-RELEASE-p3, and 11.2-RELEASE before 11.2-RELEASE-p14, the kernel driver for /dev/midistat implements a read handler that is not thread-safe. | 7.5 |
2019-08-30 | CVE-2019-5611 | Freebsd Netapp | Improper Input Validation vulnerability in multiple products In FreeBSD 12.0-STABLE before r350828, 12.0-RELEASE before 12.0-RELEASE-p10, 11.3-STABLE before r350829, 11.3-RELEASE before 11.3-RELEASE-p3, and 11.2-RELEASE before 11.2-RELEASE-p14, a missing check in the function to arrange data in a chain of mbufs could cause data returned not to be contiguous. | 7.5 |
2019-08-30 | CVE-2019-5610 | Freebsd Netapp | Out-of-bounds Read vulnerability in multiple products In FreeBSD 12.0-STABLE before r350637, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350638, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bsnmp library is not properly validating the submitted length from a type-length-value encoding. | 7.5 |
2019-08-30 | CVE-2019-5609 | Freebsd | Out-of-bounds Write vulnerability in Freebsd 11.2/11.3/12.0 In FreeBSD 12.0-STABLE before r350619, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350619, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bhyve e1000 device emulation used a guest-provided value to determine the size of the on-stack buffer without validation when TCP segmentation offload is requested for a transmitted packet. | 7.5 |
2019-08-30 | CVE-2019-1977 | Cisco | State Issues vulnerability in Cisco Nx-Os A vulnerability within the Endpoint Learning feature of Cisco Nexus 9000 Series Switches running in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an endpoint device in certain circumstances. | 7.5 |
2019-08-30 | CVE-2019-1968 | Cisco | Improper Encoding or Escaping of Output vulnerability in Cisco Nx-Os A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an NX-API system process to unexpectedly restart. | 7.5 |
2019-08-30 | CVE-2019-1967 | Cisco | Resource Exhaustion vulnerability in Cisco Nx-Os A vulnerability in the Network Time Protocol (NTP) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2019-08-30 | CVE-2019-12402 | Apache Fedoraproject Oracle | Infinite Loop vulnerability in multiple products The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. | 7.5 |
2019-08-29 | CVE-2019-13608 | Citrix | XXE vulnerability in Citrix Storefront Server Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks. | 7.5 |
2019-08-29 | CVE-2019-15502 | Teamspeak | Unspecified vulnerability in Teamspeak The TeamSpeak client before 3.3.2 allows remote servers to trigger a crash via the 0xe2 0x81 0xa8 0xe2 0x81 0xa7 byte sequence, aka Unicode characters U+2068 (FIRST STRONG ISOLATE) and U+2067 (RIGHT-TO-LEFT ISOLATE). | 7.5 |
2019-08-29 | CVE-2019-15787 | Libzetta RS Project | Integer Overflow or Wraparound vulnerability in Libzetta-Rs Project Libzetta-Rs 0.1.1/0.1.2 libZetta.rs through 0.1.2 has an integer overflow in the zpool parser (for error stats) that leads to a panic. | 7.5 |
2019-08-29 | CVE-2019-13408 | Androvideo Geovision | Missing Authorization vulnerability in multiple products A relative path traversal vulnerability found in Advan VD-1 firmware versions up to 230. | 7.5 |
2019-08-29 | CVE-2019-13406 | Androvideo | Missing Authentication for Critical Function vulnerability in Androvideo VD 1 Firmware 230 A broken access control vulnerability found in Advan VD-1 firmware versions up to 230. | 7.5 |
2019-08-29 | CVE-2019-11060 | Asus | Allocation of Resources Without Limits or Throttling vulnerability in Asus Hg100 Firmware 1.05.12 The web API server on port 8080 of ASUS HG100 firmware up to 1.05.12 is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associated resources alive for a long period of time. | 7.5 |
2019-08-29 | CVE-2017-18594 | Nmap | Double Free vulnerability in Nmap 7.70 nse_libssh2.cc in Nmap 7.70 is subject to a denial of service condition due to a double free when an SSH connection fails, as demonstrated by a leading \n character to ssh-brute.nse or ssh-auth-methods.nse. | 7.5 |
2019-08-28 | CVE-2019-9931 | Lexmark | Unspecified vulnerability in Lexmark products Various Lexmark printers contain a denial of service vulnerability in the SNMP service that can be exploited to crash the device. | 7.5 |
2019-08-28 | CVE-2019-10056 | Suricata IDS | Out-of-bounds Write vulnerability in Suricata-Ids Suricata 4.1.3/4.1.4 An issue was discovered in Suricata 4.1.3. | 7.5 |
2019-08-28 | CVE-2019-10055 | Suricata IDS | Reachable Assertion vulnerability in Suricata-Ids Suricata 4.1.4 An issue was discovered in Suricata 4.1.3. | 7.5 |
2019-08-28 | CVE-2019-10054 | Suricata IDS | Integer Underflow (Wrap or Wraparound) vulnerability in Suricata-Ids Suricata 4.1.3 An issue was discovered in Suricata 4.1.3. | 7.5 |
2019-08-28 | CVE-2019-10052 | Suricata IDS | Improper Enforcement of Message or Data Structure vulnerability in Suricata-Ids Suricata 4.1.3 An issue was discovered in Suricata 4.1.3. | 7.5 |
2019-08-28 | CVE-2019-10051 | Suricata IDS | Improper Check for Unusual or Exceptional Conditions vulnerability in Suricata-Ids Suricata 4.1.3/4.1.4 An issue was discovered in Suricata 4.1.3. | 7.5 |
2019-08-28 | CVE-2019-1964 | Cisco | Improper Input Validation vulnerability in Cisco Nx-Os A vulnerability in the IPv6 traffic processing of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an unexpected restart of the netstack process on an affected device. | 7.5 |
2019-08-28 | CVE-2019-1962 | Cisco | Improper Input Validation vulnerability in Cisco Nx-Os A vulnerability in the Cisco Fabric Services component of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause process crashes, which can result in a denial of service (DoS) condition on an affected system. | 7.5 |
2019-08-27 | CVE-2019-15702 | Riot OS | Infinite Loop vulnerability in Riot-Os Riot In the TCP implementation (gnrc_tcp) in RIOT through 2019.07, the parser for TCP options does not terminate on all inputs, allowing a denial-of-service, because sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c has an infinite loop for an unknown zero-length option. | 7.5 |
2019-08-27 | CVE-2017-18592 | WC Marketplace | Unrestricted Upload of File with Dangerous Type vulnerability in Wc-Marketplace WC Catalog Enquiry The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has an incorrect wp_upload directory for file uploads. | 7.5 |
2019-08-27 | CVE-2015-9348 | Codepeople | Improper Input Validation vulnerability in Codepeople Sell Downloads The sell-downloads plugin before 1.0.8 for WordPress has insufficient restrictions on brute-force guessing of purchase IDs. | 7.5 |
2019-08-27 | CVE-2015-9345 | Petersplugins | Improper Input Validation vulnerability in Petersplugins Link LOG The link-log plugin before 2.0 for WordPress has HTTP Response Splitting. | 7.5 |
2019-08-26 | CVE-2019-8460 | Openbsd | Unspecified vulnerability in Openbsd OpenBSD kernel version <= 6.5 can be forced to create long chains of TCP SACK holes that cause very expensive calls to tcp_sack_option() for every incoming SACK packet, which can lead to a denial of service. | 7.5 |
2019-08-26 | CVE-2019-15547 | Ncurses Project | Use of Externally-Controlled Format String vulnerability in Ncurses Project Ncurses An issue was discovered in the ncurses crate through 5.99.0 for Rust. | 7.5 |
2019-08-26 | CVE-2019-15546 | Pancurses Project | Use of Externally-Controlled Format String vulnerability in Pancurses Project Pancurses An issue was discovered in the pancurses crate through 0.16.1 for Rust. | 7.5 |
2019-08-26 | CVE-2019-15545 | Libp2P | Improper Verification of Cryptographic Signature vulnerability in Libp2P An issue was discovered in the libp2p-core crate before 0.8.1 for Rust. | 7.5 |
2019-08-26 | CVE-2019-15544 | Rust Protobuf Project Apache | Allocation of Resources Without Limits or Throttling vulnerability in multiple products An issue was discovered in the protobuf crate before 2.6.0 for Rust. | 7.5 |
2019-08-26 | CVE-2019-15542 | Ammonia Project | Uncontrolled Recursion vulnerability in Ammonia Project Ammonia An issue was discovered in the ammonia crate before 2.1.0 for Rust. | 7.5 |
2019-08-26 | CVE-2018-20989 | Untrusted Project | Integer Underflow (Wrap or Wraparound) vulnerability in Untrusted Project Untrusted 0.5.1/0.6.0 An issue was discovered in the untrusted crate before 0.6.2 for Rust. | 7.5 |
2019-08-26 | CVE-2017-18589 | Cookie Project | Improper Input Validation vulnerability in Cookie Project Cookie An issue was discovered in the cookie crate before 0.7.6 for Rust. | 7.5 |
2019-08-26 | CVE-2019-15640 | Limesurvey | Improper Input Validation vulnerability in Limesurvey Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an image. | 7.5 |
2019-08-26 | CVE-2019-15549 | Asn1 DER Project | Resource Exhaustion vulnerability in Asn1 DER Project Asn1 DER An issue was discovered in the asn1_der crate before 0.6.2 for Rust. | 7.5 |
2019-08-26 | CVE-2019-15553 | Memoffset Project | Use of Uninitialized Resource vulnerability in Memoffset Project Memoffset An issue was discovered in the memoffset crate before 0.5.0 for Rust. | 7.5 |
2019-08-26 | CVE-2019-15550 | Simdjson Project | Out-of-bounds Read vulnerability in Simdjson Project Simdjson 0.1.14 An issue was discovered in the simd-json crate before 0.1.15 for Rust. | 7.5 |
2019-08-26 | CVE-2018-20999 | Orion Project | Incorrect Calculation vulnerability in Orion Project Orion An issue was discovered in the orion crate before 0.11.2 for Rust. | 7.5 |
2019-08-26 | CVE-2018-20994 | Trust DNS Proto Project | Uncontrolled Recursion vulnerability in Trust-Dns-Proto Project Trust-Dns-Proto An issue was discovered in the trust-dns-proto crate before 0.5.0-alpha.3 for Rust. | 7.5 |
2019-08-26 | CVE-2018-20993 | Yaml Rust Project | Uncontrolled Recursion vulnerability in Yaml-Rust Project Yaml-Rust An issue was discovered in the yaml-rust crate before 0.4.1 for Rust. | 7.5 |
2019-08-26 | CVE-2018-20990 | TAR Project | Link Following vulnerability in TAR Project TAR An issue was discovered in the tar crate before 0.4.16 for Rust. | 7.5 |
2019-08-26 | CVE-2019-15541 | Rustls Project | Argument Injection or Modification vulnerability in Rustls Project Rustls rustls-mio/examples/tlsserver.rs in the rustls crate before 0.16.0 for Rust allows attackers to cause a denial of service (loop of conn_event and ready) by arranging for a client to never be writable. | 7.5 |
2019-08-26 | CVE-2019-15506 | Kaseya | Missing Authentication for Critical Function vulnerability in Kaseya Virtual System Administrator An issue was discovered in Kaseya Virtual System Administrator (VSA) through 9.4.0.37. | 7.5 |
2019-08-26 | CVE-2019-15658 | Connect PG Simple Project | SQL Injection vulnerability in Connect-Pg-Simple Project Connect-Pg-Simple connect-pg-simple before 6.0.1 allows SQL injection if tableName or schemaName is untrusted data. | 7.3 |
2019-08-29 | CVE-2019-11364 | Prophecyinternational | OS Command Injection vulnerability in Prophecyinternational Snare Central An OS Command Injection vulnerability in Snare Central before 7.4.5 allows remote authenticated attackers to inject arbitrary OS commands via the ServerConf/DataManagement/DiskManager.php FORMNAS_share parameter. | 7.2 |
2019-08-29 | CVE-2019-11363 | Prophecyinternational | SQL Injection vulnerability in Prophecyinternational Snare Central A SQL injection vulnerability in Snare Central before 7.4.5 allows remote authenticated attackers to execute arbitrary SQL commands via the AgentConsole/UserGroupQuery.php ShowUser parameter. | 7.2 |
2019-08-28 | CVE-2015-9353 | TRI | SQL Injection vulnerability in TRI Gigpress The gigpress plugin before 2.3.11 for WordPress has SQL injection in the admin area, a different vulnerability than CVE-2015-4066. | 7.2 |
2019-08-29 | CVE-2019-7307 | Apport Project | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apport Project Apport Apport before versions 2.14.1-0ubuntu3.29+esm1, 2.20.1-0ubuntu2.19, 2.20.9-0ubuntu7.7, 2.20.10-0ubuntu27.1, 2.20.11-0ubuntu5 contained a TOCTTOU vulnerability when reading the user's ~/.apport-ignore.xml file, which allows a local attacker to replace this file with a symlink to any other file on the system and so cause Apport to include the contents of this other file in the resulting crash report. | 7.0 |
133 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-30 | CVE-2019-9697 | Symantec | Unspecified vulnerability in Symantec Management Center 2.0/2.1/2.2 An information disclosure vulnerability in the Management Center (MC) REST API 2.0, 2.1, and 2.2 prior to 2.2.2.1 allows a malicious authenticated user to obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access. | 6.5 |
2019-08-30 | CVE-2018-18371 | Broadcom | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Broadcom Advanced Secure Gateway and Symantec Proxysg The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser. | 6.5 |
2019-08-29 | CVE-2019-15759 | Webassembly | NULL Pointer Dereference vulnerability in Webassembly Binaryen An issue was discovered in Binaryen 1.38.32. | 6.5 |
2019-08-29 | CVE-2019-15758 | Webassembly | Reachable Assertion vulnerability in Webassembly Binaryen An issue was discovered in Binaryen 1.38.32. | 6.5 |
2019-08-29 | CVE-2019-15757 | Libmirage Project | NULL Pointer Dereference vulnerability in Libmirage Project Libmirage 3.2.2 libMirage 3.2.2 in CDemu has a NULL pointer dereference in the NRG parser in parser.c. | 6.5 |
2019-08-29 | CVE-2019-11250 | Kubernetes Redhat | Information Exposure Through Log Files vulnerability in multiple products The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. | 6.5 |
2019-08-29 | CVE-2019-11249 | Kubernetes Redhat | Path Traversal vulnerability in multiple products The kubectl cp command allows copying files between containers and the user machine. | 6.5 |
2019-08-29 | CVE-2019-11246 | Kubernetes | Path Traversal vulnerability in Kubernetes The kubectl cp command allows copying files between containers and the user machine. | 6.5 |
2019-08-29 | CVE-2019-10724 | Lenovo | Unspecified vulnerability in Lenovo products There is a vulnerability with the Dolby DAX2 API system services in which a low-privileged user can terminate arbitrary processes that are running at a higher privilege. | 6.5 |
2019-08-28 | CVE-2019-10057 | Lexmark | Cross-Site Request Forgery (CSRF) vulnerability in Lexmark products Various Lexmark products have CSRF. | 6.5 |
2019-08-28 | CVE-2019-1963 | Cisco | Improper Input Validation vulnerability in Cisco Nx-Os A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly. | 6.5 |
2019-08-28 | CVE-2019-10391 | Jenkins | Cleartext Transmission of Sensitive Information vulnerability in Jenkins IBM Application Security on Cloud Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure. | 6.5 |
2019-08-27 | CVE-2019-15648 | Elearningfreak | Missing Authorization vulnerability in Elearningfreak Insert or Embed Articulate Content The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber. | 6.5 |
2019-08-26 | CVE-2019-15055 | Mikrotik | Path Traversal vulnerability in Mikrotik Routeros MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files. | 6.5 |
2019-08-26 | CVE-2019-8000 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability. | 6.5 |
2019-08-26 | CVE-2019-7999 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability. | 6.5 |
2019-08-26 | CVE-2019-7987 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability. | 6.5 |
2019-08-26 | CVE-2019-7981 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability. | 6.5 |
2019-08-26 | CVE-2019-7977 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop CC Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability. | 6.5 |
2019-08-26 | CVE-2019-15641 | Webmin | XXE vulnerability in Webmin xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. | 6.5 |
2019-08-26 | CVE-2019-15515 | Discourse | Cross-Site Request Forgery (CSRF) vulnerability in Discourse 2.3.2 Discourse 2.3.2 sends the CSRF token in the query string. | 6.5 |
2019-08-26 | CVE-2018-20992 | Claxon Project | Use of Uninitialized Resource vulnerability in Claxon Project Claxon An issue was discovered in the claxon crate before 0.4.1 for Rust. | 6.5 |
2019-08-29 | CVE-2019-4536 | IBM | Improper Privilege Management vulnerability in IBM I 7.4 IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF) on a system which has been configured with Db2 Mirror for i might have user profiles with elevated privileges caused by incorrect processing during a restore of multiple user profiles. | 6.3 |
2019-08-30 | CVE-2019-15842 | Easy PDF Restaurant Menu Upload Project | Cross-site Scripting vulnerability in Easy PDF Restaurant Menu Upload Project Easy PDF Restaurant Menu Upload 1.0/1.1/1.1.1 The easy-pdf-restaurant-menu-upload plugin before 1.1.2 for WordPress has XSS. | 6.1 |
2019-08-30 | CVE-2019-15838 | Kunalnagar | Cross-site Scripting vulnerability in Kunalnagar Custom 404 PRO The custom-404-pro plugin before 3.2.8 for WordPress has reflected XSS, a different vulnerability than CVE-2019-14789. | 6.1 |
2019-08-30 | CVE-2019-15833 | Simple Mail Address Encoder Project | Cross-site Scripting vulnerability in Simple Mail Address Encoder Project Simple Mail Address Encoder The simple-mail-address-encoder plugin before 1.7 for WordPress has reflected XSS. | 6.1 |
2019-08-30 | CVE-2019-15820 | Login OR Logout Menu Item Project | Open Redirect vulnerability in Login or Logout Menu Item Project Login or Logout Menu Item 1.0.0/1.1.0/1.1.1 The login-or-logout-menu-item plugin before 1.2.0 for WordPress has no requirement for lolmi_save_settings authentication. | 6.1 |
2019-08-30 | CVE-2019-15818 | Webcraftic | Open Redirect vulnerability in Webcraftic Simple 301 Redirects The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist. | 6.1 |
2019-08-30 | CVE-2019-15817 | Realestateconnected | Cross-site Scripting vulnerability in Realestateconnected Easy Property Listings The easy-property-listings plugin before 3.4 for WordPress has XSS. | 6.1 |
2019-08-30 | CVE-2018-18370 | Broadcom | Cross-site Scripting vulnerability in Broadcom Advanced Secure Gateway and Symantec Proxysg The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser. | 6.1 |
2019-08-30 | CVE-2018-15512 | Totemo | Cross-site Scripting vulnerability in Totemo Totemomail 6.0.0 Cross-site scripting (XSS) vulnerability in the 'Authorisation Service' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML. | 6.1 |
2019-08-30 | CVE-2018-15511 | Totemo | Cross-site Scripting vulnerability in Totemo Totemomail 6.0.0 Cross-site scripting (XSS) vulnerability in the 'Notification template' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML. | 6.1 |
2019-08-30 | CVE-2018-15510 | Totemo | Cross-site Scripting vulnerability in Totemo Totemomail 6.0.0 Cross-site scripting (XSS) vulnerability in the 'Certificate' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML. | 6.1 |
2019-08-29 | CVE-2019-15811 | Domainmod | Cross-site Scripting vulnerability in Domainmod In DomainMOD through 4.13, the parameter daterange in the file reporting/domains/cost-by-month.php has XSS. | 6.1 |
2019-08-29 | CVE-2019-15771 | Components FOR WP Bakery Page Builder Project | Open Redirect vulnerability in Components for WP Bakery Page Builder Project Components for WP Bakery Page Builder The nd-shortcodes plugin before 6.0 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | 6.1 |
2019-08-29 | CVE-2019-15782 | Webtorrent | Cross-site Scripting vulnerability in Webtorrent WebTorrent before 0.107.6 allows XSS in the HTTP server via a title or file name. | 6.1 |
2019-08-29 | CVE-2019-15776 | Webcraftic | Open Redirect vulnerability in Webcraftic Simple 301 Redirects-Addon-Bulk Uploader The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file. | 6.1 |
2019-08-29 | CVE-2019-15775 | Learning Courses Project | Open Redirect vulnerability in Learning Courses Project Learning Courses The nd-learning plugin before 4.8 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | 6.1 |
2019-08-29 | CVE-2019-15774 | Booking Project | Open Redirect vulnerability in Booking Project Booking The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | 6.1 |
2019-08-29 | CVE-2019-15773 | Travel Management Project | Open Redirect vulnerability in Travel Management Project Travel Management The nd-travel plugin before 1.7 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | 6.1 |
2019-08-29 | CVE-2019-15772 | Donations Project | Open Redirect vulnerability in Donations Project Donations The nd-donations plugin before 1.4 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | 6.1 |
2019-08-29 | CVE-2019-13407 | Androvideo Geovision | Cross-site Scripting vulnerability in multiple products An XSS was found in Advan VD-1 firmware versions up to 230. | 6.1 |
2019-08-28 | CVE-2019-5590 | Fortinet | Cross-site Scripting vulnerability in Fortinet Fortiweb The URL part of the report message is not encoded in Fortinet FortiWeb 6.0.2 and below which may allow an attacker to execute unauthorized code or commands (Cross Site Scripting) via attack reports generated in HTML form. | 6.1 |
2019-08-28 | CVE-2019-13189 | ENG | Cross-site Scripting vulnerability in ENG Knowage In Knowage through 6.1.1, there is XSS via the start_url or user_id field to the ChangePwdServlet page. | 6.1 |
2019-08-28 | CVE-2015-9359 | Automattic | Cross-site Scripting vulnerability in Automattic Jetpack The Jetpack plugin before 3.4.3 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9379 | Ithemes | Cross-site Scripting vulnerability in Ithemes Builder Style Manager iThemes Builder Style Manager before 0.7.7 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9378 | Ithemes | Cross-site Scripting vulnerability in Ithemes Builder Theme Market iThemes Builder Theme Market before 5.1.27 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9377 | Ithemes | Cross-site Scripting vulnerability in Ithemes Builder Theme Depot iThemes Builder Theme Depot before 5.0.30 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9376 | Ithemes | Cross-site Scripting vulnerability in Ithemes Mobile iThemes Mobile before 1.2.8 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9375 | Ithemes | Cross-site Scripting vulnerability in Ithemes Table Rate Shipping Table Rate Shipping Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9374 | Ithemes | Cross-site Scripting vulnerability in Ithemes Stripe Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9373 | Webdevstudios | Cross-site Scripting vulnerability in Webdevstudios Ithemes Paypal PRO PayPal Pro Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9372 | Ithemes | Cross-site Scripting vulnerability in Ithemes Membership Membership Add-on for iThemes Exchange before 1.3.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9371 | Ithemes | Cross-site Scripting vulnerability in Ithemes Manual Purchases Manual Purchases Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9370 | Ithemes | Cross-site Scripting vulnerability in Ithemes Invoices Invoices Add-on for iThemes Exchange before 1.4.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9369 | Ithemes | Cross-site Scripting vulnerability in Ithemes Easy US Sales Taxes Easy US Sales Taxes Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2019-15713 | MY Calendar Project | Cross-site Scripting vulnerability in MY Calendar Project MY Calendar The my-calendar plugin before 3.1.10 for WordPress has XSS. | 6.1 |
2019-08-28 | CVE-2017-18593 | Updraftplus | Cross-site Scripting vulnerability in Updraftplus The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cases where an attacker controls a string logged to a log file. | 6.1 |
2019-08-28 | CVE-2015-9368 | Ithemes | Cross-site Scripting vulnerability in Ithemes Easy EU Value Added (Vat) Taxes Easy EU Value Added (VAT) Taxes Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9367 | Ithemes | Cross-site Scripting vulnerability in Ithemes Easy Canadian Sales Taxes Easy Canadian Sales Taxes Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9366 | Ithemes | Cross-site Scripting vulnerability in Ithemes Custom URL Tracking Custom URL Tracking Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9365 | Ithemes | Cross-site Scripting vulnerability in Ithemes Authorize.Net Authorize.net Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9364 | 2Checkout | Cross-site Scripting vulnerability in 2Checkout Ithemes 2Checkout 2Checkout Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9363 | Ithemes | Cross-site Scripting vulnerability in Ithemes Exchange iThemes Exchange before 1.12.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9362 | Never5 | Cross-site Scripting vulnerability in Never5 Post Connector The Post Connector plugin before 1.0.4 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9361 | Never5 | Cross-site Scripting vulnerability in Never5 Related Posts The Related Posts plugin before 1.8.2 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9360 | Updraftplus | Cross-site Scripting vulnerability in Updraftplus The updraftplus plugin before 1.9.64 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9358 | Feedwordpress Project | Cross-site Scripting vulnerability in Feedwordpress Project Feedwordpress The feedwordpress plugin before 2015.0514 for WordPress has XSS via add_query_arg() and remove_query_arg(). | 6.1 |
2019-08-28 | CVE-2015-9357 | Automattic | Cross-site Scripting vulnerability in Automattic Akismet The akismet plugin before 3.1.5 for WordPress has XSS. | 6.1 |
2019-08-28 | CVE-2015-9356 | WP Vipergb Project | Cross-site Scripting vulnerability in Wp-Vipergb Project Wp-Vipergb The wp-vipergb plugin before 1.3.16 for WordPress has XSS via add_query_arg() and remove_query_arg(), a different issue than CVE-2014-9460. | 6.1 |
2019-08-28 | CVE-2015-9355 | Simbahosting | Cross-site Scripting vulnerability in Simbahosting Two-Factor-Authentication The two-factor-authentication plugin before 1.1.10 for WordPress has XSS in the admin area. | 6.1 |
2019-08-28 | CVE-2012-6718 | Sharebar Project | Cross-site Scripting vulnerability in Sharebar Project Sharebar The sharebar plugin before 1.2.2 for WordPress has XSS, a different issue than CVE-2013-3491. | 6.1 |
2019-08-28 | CVE-2012-6717 | Redirection | Cross-site Scripting vulnerability in Redirection The redirection plugin before 2.2.12 for WordPress has XSS, a different issue than CVE-2011-4562. | 6.1 |
2019-08-28 | CVE-2011-5329 | Redirection | Cross-site Scripting vulnerability in Redirection The redirection plugin before 2.2.9 for WordPress has XSS in the admin menu, a different issue than CVE-2011-4562. | 6.1 |
2019-08-27 | CVE-2019-15700 | Frappe | Cross-site Scripting vulnerability in Frappe public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text. | 6.1 |
2019-08-27 | CVE-2019-13274 | Xymon Debian | Cross-site Scripting vulnerability in multiple products In Xymon through 4.3.28, an XSS vulnerability exists in the csvinfo CGI script due to insufficient filtering of the db parameter. | 6.1 |
2019-08-27 | CVE-2017-18591 | Gdragon | Cross-site Scripting vulnerability in Gdragon GD Rating System The gd-rating-system plugin before 2.1 for WordPress has XSS in log.php. | 6.1 |
2019-08-27 | CVE-2016-10936 | WP Polls Project | Cross-site Scripting vulnerability in Wp-Polls Project Wp-Polls The wp-polls plugin before 2.73.1 for WordPress has XSS via the Poll bar option. | 6.1 |
2019-08-27 | CVE-2015-9350 | Slickremix | Cross-site Scripting vulnerability in Slickremix Feed Them Social The feed-them-social plugin before 1.7.0 for WordPress has reflected XSS in the Facebook Feeds load more button. | 6.1 |
2019-08-27 | CVE-2019-15644 | Zoho | Cross-site Scripting vulnerability in Zoho Salesiq The zoho-salesiq plugin before 1.0.9 for WordPress has stored XSS. | 6.1 |
2019-08-27 | CVE-2019-15643 | Etoilewebdesign | Cross-site Scripting vulnerability in Etoilewebdesign Ultimate FAQ The ultimate-faqs plugin before 1.8.22 for WordPress has XSS. | 6.1 |
2019-08-27 | CVE-2019-13236 | Alkacon | Cross-site Scripting vulnerability in Alkacon Opencms 10.5.4/10.5.5 In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface. | 6.1 |
2019-08-27 | CVE-2019-13235 | Alkacon | Cross-site Scripting vulnerability in Alkacon Opencms Apollo Template 10.5.4/10.5.5 In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form. | 6.1 |
2019-08-27 | CVE-2019-13234 | Alkacon | Cross-site Scripting vulnerability in Alkacon Opencms Apollo Template 10.5.4/10.5.5 In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine. | 6.1 |
2019-08-27 | CVE-2018-21001 | Bologer | Cross-site Scripting vulnerability in Bologer Anycomment 0.0.1/0.0.2/0.0.32 The anycomment plugin before 0.0.33 for WordPress has XSS. | 6.1 |
2019-08-27 | CVE-2017-18590 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Timesheet The timesheet plugin before 0.1.5 for WordPress has multiple XSS issues. | 6.1 |
2019-08-27 | CVE-2016-10934 | Check Email Project | Cross-site Scripting vulnerability in Check Email Project Check Email The check-email plugin before 0.5.2 for WordPress has XSS. | 6.1 |
2019-08-27 | CVE-2015-9349 | Cksource | Cross-site Scripting vulnerability in Cksource Ckeditor The ckeditor-for-wordpress plugin before 4.5.3.1 for WordPress has reflected XSS in the "built-in (old)" file browser. | 6.1 |
2019-08-27 | CVE-2015-9347 | Plot | Cross-site Scripting vulnerability in Plot Plotly 1.0.0/1.0.1/1.0.2 The wp-plotly plugin before 1.0.3 for WordPress has XSS by authors. | 6.1 |
2019-08-27 | CVE-2015-9346 | Codepeople | Cross-site Scripting vulnerability in Codepeople Polls CP The cp-polls plugin before 1.0.5 for WordPress has XSS. | 6.1 |
2019-08-27 | CVE-2015-9342 | Impress | Cross-site Scripting vulnerability in Impress WP Rollback The wp-rollback plugin before 1.2.3 for WordPress has XSS. | 6.1 |
2019-08-27 | CVE-2014-10395 | Codepeople | Cross-site Scripting vulnerability in Codepeople Polls CP The cp-polls plugin before 1.0.1 for WordPress has XSS in the votes list. | 6.1 |
2019-08-26 | CVE-2018-18668 | SIR | Cross-site Scripting vulnerability in SIR Gnuboard GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "homepage title" parameter, aka the adm/config_form_update.php cf_title parameter. | 6.1 |
2019-08-26 | CVE-2019-15501 | Lsoft | Cross-site Scripting vulnerability in Lsoft Listserv Reflected cross site scripting (XSS) in L-Soft LISTSERV before 16.5-2018a exists via the /scripts/wa.exe OK parameter. | 6.1 |
2019-08-26 | CVE-2019-15479 | Status Board Project | Cross-site Scripting vulnerability in Status Board Project Status Board 1.1.81 Status Board 1.1.81 has reflected XSS via dashboard.ts. | 6.1 |
2019-08-26 | CVE-2019-15532 | Gchq | Cross-site Scripting vulnerability in Gchq Cyberchef CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBruteForce.mjs. | 6.1 |
2019-08-26 | CVE-2019-15489 | Laracom | Cross-site Scripting vulnerability in Laracom 1.4.11 laracom (aka Laravel FREE E-Commerce Software) 1.4.11 has search?q= XSS. | 6.1 |
2019-08-26 | CVE-2019-15478 | Status Board Project | Cross-site Scripting vulnerability in Status Board Project Status Board 1.1.81 Status Board 1.1.81 has reflected XSS via logic.ts. | 6.1 |
2019-08-26 | CVE-2016-10933 | Portaudio Project | 7PK - Security Features vulnerability in Portaudio Project Portaudio 0.7.0 An issue was discovered in the portaudio crate through 0.7.0 for Rust. | 5.9 |
2019-08-29 | CVE-2019-14534 | Videolan Debian | NULL Pointer Dereference vulnerability in multiple products In VideoLAN VLC media player 3.0.7.1, there is a NULL pointer dereference at the function SeekPercent of demux/asf/asf.c that will lead to a denial of service attack. | 5.5 |
2019-08-28 | CVE-2019-15716 | Wtfutil | Incorrect Default Permissions vulnerability in Wtfutil WTF WTF before 0.19.0 does not set the permissions of config.yml, which might make it easier for local attackers to read passwords or API keys if the permissions were misconfigured or were based on unsafe OS defaults. | 5.5 |
2019-08-30 | CVE-2019-15837 | Bitwise IT | Cross-site Scripting vulnerability in Bitwise-It Webp Express The webp-express plugin before 0.14.8 for WordPress has stored XSS. | 5.4 |
2019-08-30 | CVE-2019-15836 | Bootstrapped | Cross-site Scripting vulnerability in Bootstrapped WP Ultimate Recipe The wp-ultimate-recipe plugin before 3.12.7 for WordPress has stored XSS. | 5.4 |
2019-08-30 | CVE-2019-15830 | Icegram | Cross-site Scripting vulnerability in Icegram Engage The icegram plugin before 1.10.29 for WordPress has ig_cat_list XSS. | 5.4 |
2019-08-30 | CVE-2019-15827 | Onesignal | Cross-site Scripting vulnerability in Onesignal Onesignal-Free-Web-Push-Notifications 1.17.5 The onesignal-free-web-push-notifications plugin before 1.17.8 for WordPress has XSS via the subdomain parameter. | 5.4 |
2019-08-29 | CVE-2019-15778 | Getwooplugins | Cross-site Scripting vulnerability in Getwooplugins Additional Variation Images for Woocommerce The woo-variation-gallery plugin before 1.1.29 for WordPress has XSS. | 5.4 |
2019-08-29 | CVE-2019-15777 | Shapepress | Cross-site Scripting vulnerability in Shapepress WP Dsgvo Tools The shapepress-dsgvo plugin before 2.2.19 for WordPress has wp-admin/admin-ajax.php?action=admin-common-settings&admin_email= XSS. | 5.4 |
2019-08-28 | CVE-2019-15230 | Librenms | Cross-site Scripting vulnerability in Librenms 1.54 LibreNMS v1.54 has XSS in the Create User, Inventory, Add Device, Notifications, Alert Rule, Create Maintenance, and Alert Template sections of the admin console. | 5.4 |
2019-08-30 | CVE-2019-1969 | Cisco | Improper Input Validation vulnerability in Cisco Nx-Os A vulnerability in the implementation of the Simple Network Management Protocol (SNMP) Access Control List (ACL) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to perform SNMP polling of an affected device, even if it is configured to deny SNMP traffic. | 5.3 |
2019-08-30 | CVE-2018-15513 | Totemo | Improper Access Control vulnerability in Totemo Totemomail 6.0.0 Log viewer in totemomail 6.0.0 build 570 allows access to sessionIDs of high privileged users by leveraging access to a read-only auditor role. | 5.3 |
2019-08-29 | CVE-2019-14979 | Woocommerce | Improper Input Validation vulnerability in Woocommerce Paypal Checkout Payment Gateway 1.6.17 cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. | 5.3 |
2019-08-29 | CVE-2019-14978 | Woocommerce | Improper Input Validation vulnerability in Woocommerce Payu India Payment Gateway 2.1.1 /payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in the purchaseQuantity=1 parameter, as demonstrated by purchasing an item for lower than the intended price. | 5.3 |
2019-08-28 | CVE-2019-10059 | Lexmark | 7PK - Security Features vulnerability in Lexmark products The legacy finger service (TCP port 79) is enabled by default on various older Lexmark devices. | 5.3 |
2019-08-28 | CVE-2019-9935 | Lexmark | Missing Authentication for Critical Function vulnerability in Lexmark products Various Lexmark products have Incorrect Access Control (issue 2 of 2). | 5.3 |
2019-08-28 | CVE-2019-9934 | Lexmark | Missing Authentication for Critical Function vulnerability in Lexmark products Various Lexmark products have Incorrect Access Control (issue 1 of 2). | 5.3 |
2019-08-28 | CVE-2019-15714 | Entropic Project | Path Traversal vulnerability in Entropic Project Entropic cli/lib/main.js in Entropic before 2019-06-13 does not reject / and \ in command names, which might allow a directory traversal attack in unusual situations. | 5.3 |
2019-08-26 | CVE-2017-18588 | Security Framework Project | Improper Certificate Validation vulnerability in Security-Framework Project Security-Framework An issue was discovered in the security-framework crate before 0.1.12 for Rust. | 5.3 |
2019-08-26 | CVE-2017-18587 | Hyper | CRLF Injection vulnerability in Hyper An issue was discovered in the hyper crate before 0.9.18 for Rust. | 5.3 |
2019-08-29 | CVE-2019-4133 | IBM | Unspecified vulnerability in IBM Cloud Automation Manager 3.1.2 IBM Cloud Automation Manager 3.1.2 could allow a malicious user on the client side (with access to client computer) to run a custom script. | 5.2 |
2019-08-30 | CVE-2019-12753 | Symantec | Unspecified vulnerability in Symantec Reporter 10.3/10.3.1.1/10.3.2.1 An information disclosure vulnerability in Symantec Reporter web UI 10.3 prior to 10.3.2.5 allows a malicious authenticated administrator user to obtain passwords for external SMTP, FTP, FTPS, LDAP, and Cloud Log Download servers that they might not otherwise be authorized to access. | 4.9 |
2019-08-30 | CVE-2019-15829 | Greentreelabs | Cross-site Scripting vulnerability in Greentreelabs Gallery Photoblocks The photoblocks-grid-gallery plugin before 1.1.33 for WordPress has wp-admin/admin.php?page=photoblocks-edit&id= XSS. | 4.8 |
2019-08-30 | CVE-2019-12754 | Symantec | Cross-site Scripting vulnerability in Symantec VIP Symantec My VIP portal, previous version which has already been auto updated, was susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users or potentially bypass access controls such as the same-origin policy. | 4.8 |
2019-08-28 | CVE-2019-10383 | Jenkins Oracle Redhat | Cross-site Scripting vulnerability in multiple products A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages. | 4.8 |
2019-08-28 | CVE-2015-9354 | TRI BE | Cross-site Scripting vulnerability in Tri.Be Gigpress The gigpress plugin before 2.3.11 for WordPress has XSS. | 4.8 |
2019-08-26 | CVE-2016-10932 | Hyper | 7PK - Security Features vulnerability in Hyper An issue was discovered in the hyper crate before 0.9.4 for Rust on Windows. | 4.8 |
2019-08-29 | CVE-2019-15807 | Linux Redhat Debian | Memory Leak vulnerability in multiple products In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. | 4.7 |
2019-08-28 | CVE-2019-14694 | Comodo | Use After Free vulnerability in Comodo Antivirus 12.0.0.6870 A use-after-free flaw in the sandbox container implemented in cmdguard.sys in Comodo Antivirus 12.0.0.6870 can be triggered due to a race condition when handling IRP_MJ_CLEANUP requests in the minifilter for directory change notifications. | 4.7 |
2019-08-27 | CVE-2019-15666 | Linux Debian Opensuse | Out-of-bounds Read vulnerability in multiple products An issue was discovered in the Linux kernel before 5.0.19. | 4.4 |
2019-08-30 | CVE-2019-11658 | Microfocus | Information Exposure vulnerability in Microfocus Content Manager 9.1/9.2/9.3 Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 and 9.3. | 4.3 |
2019-08-27 | CVE-2019-15698 | Octopus | Unspecified vulnerability in Octopus Server In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. | 4.3 |
2019-08-27 | CVE-2019-15650 | Easyupdatesmanager | Unspecified vulnerability in Easyupdatesmanager Easy Updates Manager The stops-core-theme-and-plugin-updates plugin before 8.0.5 for WordPress has insufficient restrictions on option changes (such as disabling unattended theme updates) because of a nonce check error. | 4.3 |
2019-08-27 | CVE-2019-13237 | Alkacon | Path Traversal vulnerability in Alkacon Opencms Apollo Template 10.5.4/10.5.5 In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp. | 4.3 |
2019-08-30 | CVE-2019-2389 | Mongodb | Improper Input Validation vulnerability in Mongodb Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. | 4.2 |
1 Low Vulnerability
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-29 | CVE-2019-4132 | IBM | Unspecified vulnerability in IBM Cloud Automation Manager 3.1.2 IBM Cloud Automation Manager 3.1.2 could allow a user to be improperly redirected and obtain sensitive information rather than receive a 404 error message. | 3.3 |