Weekly Vulnerabilities Reports > August 26 to September 1, 2019

Overview

383 new vulnerabilities were reported during this period, including 107 critical vulnerabilities and 142 high severity vulnerabilities. This weekly summary reports vulnerabilities in 480 products from 226 vendors including Adobe, Debian, Ithemes, Cisco, and Videolan. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Cross-Site Request Forgery (CSRF)", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 336 reported vulnerabilities are remotely exploitable.
  • 4 reported vulnerabilities have a public exploit available.
  • 144 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 327 reported vulnerabilities are exploitable by an anonymous user.
  • Adobe has the most reported vulnerabilities, with 34 reported vulnerabilities.
  • Adobe has the most reported critical vulnerabilities, with 14 reported vulnerabilities.

[Summary tiles: total vulnerabilities; critical-, high-, medium- and low-risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application]

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


107 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-28 CVE-2019-12643 Cisco Improper Authentication vulnerability in Cisco IOS XE 15.5(3)S3.16/16.6.5

A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device.

10.0
2019-08-26 CVE-2019-13020 Trms Server-Side Request Forgery (SSRF) vulnerability in Trms Tightrope Media Carousel

The fetch API in Tightrope Media Carousel before 7.1.3 has CarouselAPI/v0/fetch?url= SSRF.

10.0
2019-08-30 CVE-2019-15826 Wpserveur Unspecified vulnerability in Wpserveur WPS Hide Login

The wps-hide-login plugin before 1.5.3 for WordPress has a protection bypass via wp-login.php in the Referer field.

9.8
2019-08-30 CVE-2019-15825 Wpserveur Unspecified vulnerability in Wpserveur WPS Hide Login

The wps-hide-login plugin before 1.5.3 for WordPress has an action=rp&key&login protection bypass.

9.8
2019-08-30 CVE-2019-15824 Wpserveur Unspecified vulnerability in Wpserveur WPS Hide Login

The wps-hide-login plugin before 1.5.3 for WordPress has an adminhash protection bypass.

9.8
2019-08-30 CVE-2019-15823 Wpserveur Unspecified vulnerability in Wpserveur WPS Hide Login

The wps-hide-login plugin before 1.5.3 for WordPress has an action=confirmaction protection bypass.

9.8
2019-08-30 CVE-2019-15822 Wpserveur Path Traversal vulnerability in Wpserveur WPS Child Theme Generator 1.0/1.1

The wps-child-theme-generator plugin before 1.2 for WordPress has classes/helpers.php directory traversal.

9.8
2019-08-30 CVE-2019-15819 Restaurant Reservations Project Missing Authentication for Critical Function vulnerability in Restaurant Reservations Project Restaurant Reservations

The nd-restaurant-reservations plugin before 1.5 for WordPress has no requirement for nd_rst_import_settings_php_function authentication.

9.8
2019-08-30 CVE-2019-5608 Freebsd, Netapp Out-of-bounds Write vulnerability in multiple products

In FreeBSD 12.0-STABLE before r350648, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350650, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs.

9.8
2019-08-29 CVE-2019-15806 Commscope Inadequate Encryption Strength vulnerability in Commscope Tr4400 Firmware A1.00.004180301

CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/basic_sett.html.

9.8
2019-08-29 CVE-2019-15805 Commscope Inadequate Encryption Strength vulnerability in Commscope Tr4400 Firmware A1.00.004180301

CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/login.html.

9.8
2019-08-29 CVE-2019-15717 Irssi, Canonical Use After Free vulnerability in multiple products

Irssi 1.2.x before 1.2.2 has a use-after-free if the IRC server sends a double CAP.

9.8
2019-08-29 CVE-2019-11500 Dovecot, Debian, Fedoraproject Out-of-bounds Write vulnerability in multiple products

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings.

9.8
2019-08-29 CVE-2019-15788 Nvidia Integer Overflow or Wraparound vulnerability in Nvidia Clara Genomics Analysis 0.1.0

Clara Genomics Analysis before 0.2.0 has an integer overflow for cudapoa memory management in allocate_block.cpp.

9.8
2019-08-29 CVE-2019-15786 Robotis Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Robotis Dynamixel SDK

ROBOTIS Dynamixel SDK through 3.7.11 has a buffer overflow via a large rxpacket.

9.8
2019-08-29 CVE-2019-15785 Fontforge Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Fontforge

FontForge 20190813 through 20190820 has a buffer overflow in PrefsUI_LoadPrefs in prefs.c.

9.8
2019-08-29 CVE-2019-15784 Srtalliance Improper Validation of Array Index vulnerability in Srtalliance Secure Reliable Transport

Secure Reliable Transport (SRT) through 1.3.4 has a CSndUList array overflow if there are many SRT connections.

9.8
2019-08-29 CVE-2019-15783 Lute TAB Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Lute-Tab Project Lute-Tab

Lute-Tab before 2019-08-23 has a buffer overflow in pdf_print.cc.

9.8
2019-08-29 CVE-2019-15780 Strategy11 Deserialization of Untrusted Data vulnerability in Strategy11 Formidable Form Builder

The formidable plugin before 4.02.01 for WordPress has unsafe deserialization.

9.8
2019-08-29 CVE-2019-14943 Gitlab Use of Hard-coded Credentials vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4.

9.8
2019-08-29 CVE-2018-21007 Wisetr Improper Access Control vulnerability in Wisetr User Email Verification for Woocommerce

The woo-confirmation-email plugin before 3.2.0 for WordPress has no blocking of direct access to supportive xl folders inside uploads.

9.8
2019-08-29 CVE-2019-13405 Androvideo Missing Authentication for Critical Function vulnerability in Androvideo VD 1 Firmware 230

A broken access control vulnerability found in Advan VD-1 firmware version 230 leads to insecure ADB service.

9.8
2019-08-29 CVE-2019-11064 Androvideo, Geovision Improper Authentication vulnerability in multiple products

A vulnerability of remote credential disclosure was discovered in Advan VD-1 firmware versions up to 230.

9.8
2019-08-28 CVE-2019-9933 Lexmark Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Lexmark products

Various Lexmark products have a Buffer Overflow (issue 3 of 3).

9.8
2019-08-28 CVE-2019-9932 Lexmark Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Lexmark products

Various Lexmark products have a Buffer Overflow (issue 2 of 3).

9.8
2019-08-28 CVE-2019-9930 Lexmark Integer Overflow or Wraparound vulnerability in Lexmark products

Various Lexmark products have an Integer Overflow.

9.8
2019-08-28 CVE-2019-15294 Gallagher Information Exposure Through Log Files vulnerability in Gallagher Command Centre 8.10

An issue was discovered in Gallagher Command Centre 8.10 before 8.10.1092(MR2).

9.8
2019-08-28 CVE-2012-6719 Sharebar Project SQL Injection vulnerability in Sharebar Project Sharebar

The sharebar plugin before 1.2.2 for WordPress has SQL injection.

9.8
2019-08-27 CVE-2019-13486 Xymon, Debian Out-of-bounds Write vulnerability in multiple products

In Xymon through 4.3.28, a stack-based buffer overflow exists in the status-log viewer component because of & expansion in svcstatus.c.

9.8
2019-08-27 CVE-2019-13485 Xymon, Debian Out-of-bounds Write vulnerability in multiple products

In Xymon through 4.3.28, a stack-based buffer overflow vulnerability exists in the history viewer component via a long hostname or service parameter to history.c.

9.8
2019-08-27 CVE-2019-13484 Xymon, Debian Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

In Xymon through 4.3.28, a buffer overflow exists in the status-log viewer CGI because of & expansion in appfeed.c.

9.8
2019-08-27 CVE-2019-13455 Xymon, Debian Out-of-bounds Write vulnerability in multiple products

In Xymon through 4.3.28, a stack-based buffer overflow vulnerability exists in the alert acknowledgment CGI tool because of & expansion in acknowledge.c.

9.8
2019-08-27 CVE-2019-13452 Xymon, Debian Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

In Xymon through 4.3.28, a buffer overflow vulnerability exists in reportlog.c.

9.8
2019-08-27 CVE-2019-13451 Xymon, Debian Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

In Xymon through 4.3.28, a buffer overflow vulnerability exists in history.c.

9.8
2019-08-27 CVE-2019-13273 Xymon, Debian Out-of-bounds Write vulnerability in multiple products

In Xymon through 4.3.28, a buffer overflow vulnerability exists in the csvinfo CGI script.

9.8
2019-08-27 CVE-2019-14314 Imagely SQL Injection vulnerability in Imagely Nextgen Gallery

A SQL injection vulnerability exists in the Imagely NextGEN Gallery plugin before 3.2.11 for WordPress.

9.8
2019-08-27 CVE-2015-9352 WP Polls Project SQL Injection vulnerability in Wp-Polls Project Wp-Polls 2.70/2.71

The wp-polls plugin before 2.72 for WordPress has SQL injection.

9.8
2019-08-27 CVE-2015-9351 Slickremix Improper Input Validation vulnerability in Slickremix Feed Them Social

The feed-them-social plugin before 1.7.0 for WordPress has possible shortcode execution in the Facebook Feeds load more button.

9.8
2019-08-27 CVE-2019-15659 Genetechsolutions SQL Injection vulnerability in Genetechsolutions PIE Register

The pie-register plugin before 3.1.2 for WordPress has SQL injection, a different issue than CVE-2018-10969.

9.8
2019-08-27 CVE-2019-15646 Carrcommunications SQL Injection vulnerability in Carrcommunications Rsvpmaker

The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

9.8
2019-08-27 CVE-2018-21005 Bbpress Move Topics Project Code Injection vulnerability in Bbpress Move Topics Project Bbpress Move Topics

The bbp-move-topics plugin before 1.1.6 for WordPress has code injection.

9.8
2019-08-27 CVE-2018-21004 Carrcommunications SQL Injection vulnerability in Carrcommunications Rsvpmaker

The rsvpmaker plugin before 5.6.4 for WordPress has SQL injection.

9.8
2019-08-27 CVE-2018-21003 Themekraft SQL Injection vulnerability in Themekraft Buddyforms

The buddyforms plugin before 2.2.8 for WordPress has SQL injection.

9.8
2019-08-27 CVE-2016-10935 Visser Permissions, Privileges, and Access Controls vulnerability in Visser Store Exporter for Woocommerce

The woocommerce-exporter plugin before 1.8.4 for WordPress has privilege escalation.

9.8
2019-08-27 CVE-2015-9344 Perafox SQL Injection vulnerability in Perafox Link LOG

The link-log plugin before 2.1 for WordPress has SQL injection.

9.8
2019-08-26 CVE-2019-15657 Eslint Utils Project Unspecified vulnerability in Eslint-Utils Project Eslint-Utils

In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.

9.8
2019-08-26 CVE-2019-15651 Wolfssl Out-of-bounds Read vulnerability in Wolfssl 4.1.0

wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex.

9.8
2019-08-26 CVE-2019-15497 Blackbox, Onelan Use of Hard-coded Credentials vulnerability in multiple products

Black Box iCOMPEL 9.2.3 through 11.1.4, as used in ONELAN Net-Top-Box 9.2.3 through 11.1.4 and other products, has default credentials that allow remote attackers to access devices remotely via SSH, HTTP, HTTPS, and FTP.

9.8
2019-08-26 CVE-2019-9569 Deltacontrols Out-of-bounds Write vulnerability in Deltacontrols Entelibus Firmware 3.40B571848

Buffer Overflow in dactetra in Delta Controls enteliBUS Manager V3.40_B-571848 allows remote unauthenticated users to execute arbitrary code and possibly cause a denial of service via unspecified vectors.

9.8
2019-08-26 CVE-2019-8001 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds write vulnerability.

9.8
2019-08-26 CVE-2019-7998 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds write vulnerability.

9.8
2019-08-26 CVE-2019-7997 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds write vulnerability.

9.8
2019-08-26 CVE-2019-7993 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability.

9.8
2019-08-26 CVE-2019-7992 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds write vulnerability.

9.8
2019-08-26 CVE-2019-7990 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability.

9.8
2019-08-26 CVE-2019-7975 Adobe Type Confusion vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability.

9.8
2019-08-26 CVE-2019-7974 Adobe Type Confusion vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability.

9.8
2019-08-26 CVE-2019-7973 Adobe Type Confusion vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability.

9.8
2019-08-26 CVE-2019-7972 Adobe Type Confusion vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability.

9.8
2019-08-26 CVE-2019-7971 Adobe Type Confusion vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability.

9.8
2019-08-26 CVE-2019-7970 Adobe Type Confusion vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability.

9.8
2019-08-26 CVE-2019-7969 Adobe Type Confusion vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability.

9.8
2019-08-26 CVE-2019-7968 Adobe Command Injection vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a command injection vulnerability.

9.8
2019-08-26 CVE-2019-15548 Ncurses Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ncurses Project Ncurses

An issue was discovered in the ncurses crate through 5.99.0 for Rust.

9.8
2019-08-26 CVE-2019-15543 Slice Deque Project Out-of-bounds Write vulnerability in Slice-Deque Project Slice-Deque

An issue was discovered in the slice-deque crate before 0.2.0 for Rust.

9.8
2019-08-26 CVE-2019-15533 Xayr SQL Injection vulnerability in Xayr Xenfcoresharp

XENFCoreSharp before 2019-07-16 allows SQL injection in web/verify.php.

9.8
2019-08-26 CVE-2019-15503 Altavoz OS Command Injection vulnerability in Altavoz Prontuscms 11.2.101/12.0.3.0

cgi-cpn/xcoding/prontus_videocut.cgi in AltaVoz Prontus (aka ProntusCMS) through 12.0.3.0 has "Improper Neutralization of Special Elements used in an OS Command," allowing attackers to execute OS commands via an HTTP GET parameter.

9.8
2019-08-26 CVE-2018-20998 Arrayfire Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Arrayfire

An issue was discovered in the arrayfire crate before 3.6.0 for Rust.

9.8
2019-08-26 CVE-2018-20997 Rust Openssl Project Use After Free vulnerability in Rust-Openssl Project Rust-Openssl

An issue was discovered in the openssl crate before 0.10.9 for Rust.

9.8
2019-08-26 CVE-2018-20996 Crossbeam Project Double Free vulnerability in Crossbeam Project Crossbeam

An issue was discovered in the crossbeam crate before 0.4.1 for Rust.

9.8
2019-08-26 CVE-2018-20995 Slice Deque Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Slice-Deque Project Slice-Deque

An issue was discovered in the slice-deque crate before 0.1.16 for Rust.

9.8
2019-08-26 CVE-2019-15558 XM Online SQL Injection vulnerability in Xm-Online Xm^Online 2 - Common Utils and Endpoints 0.2.1

XM^online 2 Common Utils and Endpoints 0.2.1 allows SQL injection, related to Constants.java, DropSchemaResolver.java, and SchemaChangeResolver.java.

9.8
2019-08-26 CVE-2019-15557 XM Online SQL Injection vulnerability in Xm-Online Xm^Online 2 User Account and Authentication Server 1.0.0

XM^online 2 User Account and Authentication server 1.0.0 allows SQL injection via a tenant key.

9.8
2019-08-26 CVE-2019-15555 Wellness Project SQL Injection vulnerability in Wellness Project Wellness

FredReinink Wellness-app before 2019-06-19 allows SQL injection, related to dietTrack.php, exerciseGenerator.php, fitnessTrack.php, and server.php.

9.8
2019-08-26 CVE-2019-15560 Reviews Module Project SQL Injection vulnerability in Reviews Module Project Reviews Module 20190601/20190602/20190603

The Reviews Module before 2019-06-14 for OpenSource Table allows SQL injection in database/index.js.

9.8
2019-08-26 CVE-2019-15559 Hawn Project SQL Injection vulnerability in Hawn Project Hawn

DianoxDragon Hawn before 2019-07-10 allows SQL injection.

9.8
2019-08-26 CVE-2019-15574 Cipsoft SQL Injection vulnerability in Cipsoft Gesior-Aac

Gesior-AAC before 2019-05-01 allows serviceID SQL injection in accountmanagement.php.

9.8
2019-08-26 CVE-2019-15573 Cipsoft SQL Injection vulnerability in Cipsoft Gesior-Aac

Gesior-AAC before 2019-05-01 allows SQL injection in tankyou.php.

9.8
2019-08-26 CVE-2019-15572 Cipsoft SQL Injection vulnerability in Cipsoft Gesior-Aac

Gesior-AAC before 2019-05-01 allows ServiceCategoryID SQL injection in shop.php.

9.8
2019-08-26 CVE-2019-15571 Clonos Project SQL Injection vulnerability in Clonos Project Clonos

The WEB control panel before 2019-04-30 for ClonOS allows SQL injection in clonos.php.

9.8
2019-08-26 CVE-2019-15570 Bedita SQL Injection vulnerability in Bedita

BEdita through 4.0.0-RC2 allows SQL injection during a save operation for a relation with parameters.

9.8
2019-08-26 CVE-2019-15569 GOV SQL Injection vulnerability in GOV Ccd-Data-Store-Api

HM Courts & Tribunals ccd-data-store-api before 2019-06-10 allows SQL injection, related to SearchQueryFactoryOperation.java and SortDirection.java.

9.8
2019-08-26 CVE-2019-15568 Idseq SQL Injection vulnerability in Idseq Idseq-Web

idseq-web before 2019-07-01 in Infectious Disease Sequencing Platform IDseq allows SQL injection via tax_levels.

9.8
2019-08-26 CVE-2019-15567 Openforis SQL Injection vulnerability in Openforis Arena

OpenForis Arena before 2019-05-07 allows SQL injection in the sorting feature.

9.8
2019-08-26 CVE-2019-15566 Alfresco SQL Injection vulnerability in Alfresco

The Alfresco application before 1.8.7 for Android allows SQL injection in HistorySearchProvider.java.

9.8
2019-08-26 CVE-2019-15565 Webimpacto SQL Injection vulnerability in Webimpacto Icommktconnector

The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL injection in icommktconnector.php.

9.8
2019-08-26 CVE-2019-15564 Compassionuk SQL Injection vulnerability in Compassionuk Compassion Switzerland 10.01.4

The Compassion Switzerland addons 10.01.4 for Odoo allow SQL injection in models/partner_compassion.py.

9.8
2019-08-26 CVE-2019-15563 Ohdsi SQL Injection vulnerability in Ohdsi Webapi

Observational Health Data Sciences and Informatics (OHDSI) WebAPI before 2.7.2 allows SQL injection in FeatureExtractionService.java.

9.8
2019-08-26 CVE-2019-15554 Servo Out-of-bounds Write vulnerability in Servo Smallvec

An issue was discovered in the smallvec crate before 0.6.10 for Rust.

9.8
2019-08-26 CVE-2019-15552 Libflate Project Use After Free vulnerability in Libflate Project Libflate

An issue was discovered in the libflate crate before 0.1.25 for Rust.

9.8
2019-08-26 CVE-2019-15551 Servo Double Free vulnerability in Servo Smallvec

An issue was discovered in the smallvec crate before 0.6.10 for Rust.

9.8
2019-08-26 CVE-2019-14307 Ricoh Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ricoh products

Several Ricoh printers have multiple buffer overflows parsing HTTP parameter settings for SNMP, which allow an attacker to cause a denial of service or code execution via crafted requests to the web server.

9.8
2019-08-26 CVE-2019-14305 Ricoh Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ricoh products

Several Ricoh printers have multiple buffer overflows parsing HTTP parameter settings for Wi-Fi, mDNS, POP3, SMTP, and notification alerts, which allow an attacker to cause a denial of service or code execution via crafted requests to the web server.

9.8
2019-08-26 CVE-2019-14300 Ricoh Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ricoh products

Several Ricoh printers have multiple buffer overflows parsing HTTP cookie headers, which allow an attacker to cause a denial of service or code execution via crafted requests to the web server.

9.8
2019-08-26 CVE-2018-21000 Safe Transmute Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Safe-Transmute Project Safe-Transmute

An issue was discovered in the safe-transmute crate before 0.10.1 for Rust.

9.8
2019-08-26 CVE-2018-20991 Servo Double Free vulnerability in Servo Smallvec

An issue was discovered in the smallvec crate before 0.6.3 for Rust.

9.8
2019-08-26 CVE-2019-14308 Ricoh Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ricoh products

Several Ricoh printers have multiple buffer overflows parsing LPD packets, which allow an attacker to cause a denial of service or code execution via crafted requests to the LPD service.

9.8
2019-08-26 CVE-2019-15562 Gorm SQL Injection vulnerability in Gorm

GORM before 1.9.10 allows SQL injection via incomplete parentheses.

9.8
2019-08-26 CVE-2019-15561 Flashlingo Project SQL Injection vulnerability in Flashlingo Project Flashlingo

FlashLingo before 2019-06-12 allows SQL injection, related to flashlingo.js and db.js.

9.8
2019-08-26 CVE-2019-15556 Social Network Project SQL Injection vulnerability in Social Network Project Social Network

Pvanloon1983 social_network before 2019-07-03 allows SQL injection in includes/form_handlers/register_handler.php.

9.8
2019-08-26 CVE-2019-15524 Cszcms Unrestricted Upload of File with Dangerous Type vulnerability in Cszcms CSZ CMS 1.2.3

CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in the File Management Module, which leads to remote code execution by visiting a photo/upload/2019/ URI.

9.8
2019-08-26 CVE-2019-15521 Spoon Library, Fork CMS Deserialization of Untrusted Data vulnerability in multiple products

Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object.

9.8
2019-08-26 CVE-2019-15534 Raml Module Builder Project SQL Injection vulnerability in Raml-Module-Builder Project Raml-Module-Builder 26.4.0

Raml-Module-Builder 26.4.0 allows SQL Injection in PostgresClient.update.

9.8
2019-08-28 CVE-2019-15753 Openstack Allocation of Resources Without Limits or Throttling vulnerability in Openstack Os-Vif 1.15.0/1.15.1/1.16.0

In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network.

9.1
2019-08-28 CVE-2019-10058 Lexmark Unspecified vulnerability in Lexmark products

Various Lexmark products have Incorrect Access Control.

9.1
2019-08-26 CVE-2019-4169 IBM Insecure Default Initialization of Resource vulnerability in IBM Open Power Op910/Op920

IBM Open Power Firmware OP910 and OP920 could allow access to BMC via IPMI using default OpenBMC password even after BMC password was changed away from the default password.

9.1
2019-08-26 CVE-2019-15304 Progradegrill Insecure Default Initialization of Resource vulnerability in Progradegrill Wifi Grilling Thermometer Firmware 1.0050006

Lierda Grill Temperature Monitor V1.00_50006 has a default password of admin for the admin account, which allows an attacker to cause a Denial of Service or Information Disclosure via the undocumented access-point configuration page located on the device.

9.1

142 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-30 CVE-2019-15841 Facebook Cross-Site Request Forgery (CSRF) vulnerability in Facebook for Woocommerce

The facebook-for-woocommerce plugin before 1.9.15 for WordPress has CSRF via ajax_woo_infobanner_post_click, ajax_woo_infobanner_post_xout, or ajax_fb_toggle_visibility.

8.8
2019-08-30 CVE-2019-15840 Facebook Cross-Site Request Forgery (CSRF) vulnerability in Facebook for Woocommerce 1.9.11/1.9.12/1.9.13

The facebook-for-woocommerce plugin before 1.9.14 for WordPress has CSRF.

8.8
2019-08-30 CVE-2019-15835 WP Better Permalinks Project Cross-Site Request Forgery (CSRF) vulnerability in WP Better Permalinks Project WP Better Permalinks

The wp-better-permalinks plugin before 3.0.5 for WordPress has CSRF.

8.8
2019-08-30 CVE-2019-15834 Webp Converter FOR Media Project Cross-Site Request Forgery (CSRF) vulnerability in Webp Converter for Media Project Webp Converter for Media 1.0.0/1.0.1/1.0.2

The webp-converter-for-media plugin before 1.0.3 for WordPress has CSRF.

8.8
2019-08-30 CVE-2019-15832 WP BUY Cross-Site Request Forgery (CSRF) vulnerability in Wp-Buy Visitor Traffic Real Time Statistics

The visitors-traffic-real-time-statistics plugin before 1.13 for WordPress has CSRF.

8.8
2019-08-30 CVE-2019-15831 WP BUY Cross-Site Request Forgery (CSRF) vulnerability in Wp-Buy Visitor Traffic Real Time Statistics

The visitors-traffic-real-time-statistics plugin before 1.12 for WordPress has CSRF in the settings page.

8.8
2019-08-30 CVE-2019-15828 Tribulant Cross-Site Request Forgery (CSRF) vulnerability in Tribulant ONE Click SSL

The one-click-ssl plugin before 1.4.7 for WordPress has CSRF.

8.8
2019-08-30 CVE-2015-9380 10Web Cross-Site Request Forgery (CSRF) vulnerability in 10Web Photo Gallery

The photo-gallery plugin before 1.2.42 for WordPress has CSRF.

8.8
2019-08-30 CVE-2019-13526 Datalogic Improper Authentication vulnerability in Datalogic Av7000 Firmware

Datalogic AV7000 Linear barcode scanner all versions prior to 4.6.0.0 is vulnerable to authentication bypass, which may allow an attacker to remotely execute arbitrary code.

8.8
2019-08-29 CVE-2019-3394 Atlassian Path Traversal vulnerability in Atlassian Confluence

There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting.

8.8
2019-08-29 CVE-2019-15781 Weblizar Cross-Site Request Forgery (CSRF) vulnerability in Weblizar Social Likebox & Feed

The facebook-by-weblizar plugin before 2.8.5 for WordPress has CSRF.

8.8
2019-08-29 CVE-2019-15779 Quadlayers Cross-Site Request Forgery (CSRF) vulnerability in Quadlayers WP Social Feed Gallery

The insta-gallery plugin before 2.4.8 for WordPress has no nonce validation for qligg_dismiss_notice or qligg_form_item_delete.

8.8
2019-08-29 CVE-2019-15745 Equeshome Use of Hard-coded Credentials vulnerability in Equeshome ELF Smart Plug Firmware

The Eques elf smart plug and the mobile app use a hardcoded AES 256 bit key to encrypt the commands and responses between the device and the app.

8.8
2019-08-29 CVE-2019-15770 Hallme Cross-Site Request Forgery (CSRF) vulnerability in Hallme Woocommerce Address Book

The woo-address-book plugin before 1.6.0 for WordPress has save calls without nonce verification checks.

8.8
2019-08-29 CVE-2019-15769 Haktansuren Cross-Site Request Forgery (CSRF) vulnerability in Haktansuren Handl UTM Grabber

The handl-utm-grabber plugin before 2.6.5 for WordPress has CSRF via add_option and update_option.

8.8
2019-08-29 CVE-2019-11063 Asus Missing Authentication for Critical Function vulnerability in Asus Smarthome

A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication.

8.8
2019-08-28 CVE-2019-15496 Manageyourteam Cross-Site Request Forgery (CSRF) vulnerability in Manageyourteam MYT Project Management 1.5.1

MyT Project Management 1.5.1 lacks CSRF protection and, for example, allows a user/create CSRF attack.

8.8
2019-08-28 CVE-2019-13348 ENG Insufficiently Protected Credentials vulnerability in ENG Knowage

In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases.

8.8
2019-08-28 CVE-2019-10390 Jenkins Unspecified vulnerability in Jenkins Splunk

A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earlier allowed attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

8.8
2019-08-28 CVE-2019-10384 Jenkins, Oracle, Redhat Cross-Site Request Forgery (CSRF) vulnerability in multiple products

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

8.8
2019-08-27 CVE-2019-15701 Bloodhound Project OS Command Injection vulnerability in Bloodhound Project Bloodhound 2.2.0

components/Modals/HelpModal.jsx in BloodHound 2.2.0 allows remote attackers to execute arbitrary OS commands (by spawning a child process as the current user on the victim's machine) when the search function's autocomplete feature is used.

8.8
2019-08-27 CVE-2019-13270 Edimax Improper Input Validation vulnerability in Edimax Br-6208Ac V1 Firmware

Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

8.8
2019-08-27 CVE-2019-13269 Edimax Improper Input Validation vulnerability in Edimax Br-6208Ac V1 Firmware

Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

8.8
2019-08-27 CVE-2019-13268 TP Link Improper Input Validation vulnerability in Tp-Link Archer C2 V1 Firmware and Archer C3200 V1 Firmware

TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

8.8
2019-08-27 CVE-2019-13267 TP Link Unspecified vulnerability in Tp-Link Archer C2 V1 Firmware and Archer C3200 V1 Firmware

TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

8.8
2019-08-27 CVE-2019-13266 TP Link Incorrect Resource Transfer Between Spheres vulnerability in Tp-Link Archer C2 V1 Firmware and Archer C3200 V1 Firmware

TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

8.8
2019-08-27 CVE-2019-13265 Dlink Unspecified vulnerability in Dlink Dir-825/Ac G1 Firmware

D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

8.8
2019-08-27 CVE-2019-13264 Dlink Unspecified vulnerability in Dlink Dir-825/Ac G1 Firmware

D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

8.8
2019-08-27 CVE-2019-13263 Dlink Incorrect Resource Transfer Between Spheres vulnerability in Dlink Dir-825/Ac G1 Firmware

D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

8.8
2019-08-27 CVE-2019-13271 Edimax Unspecified vulnerability in Edimax Br-6208Ac V1 Firmware

Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

8.8
2019-08-27 CVE-2019-11457 Micropyramid Cross-Site Request Forgery (CSRF) vulnerability in Micropyramid Django CRM 0.2.1

Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and /login/.

8.8
2019-08-27 CVE-2019-15660 Butlerblog Cross-Site Request Forgery (CSRF) vulnerability in Butlerblog Wp-Members

The wp-members plugin before 3.2.8 for WordPress has CSRF.

8.8
2019-08-27 CVE-2019-15649 Elearningfreak Unrestricted Upload of File with Dangerous Type vulnerability in Elearningfreak Insert or Embed Articulate Content

The insert-or-embed-articulate-content-into-wordpress plugin before 4.2999 for WordPress has insufficient restrictions on file upload.

8.8
2019-08-27 CVE-2019-15647 Groundhogg Code Injection vulnerability in Groundhogg

The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution.

8.8
2019-08-27 CVE-2019-15645 Zoho Cross-Site Request Forgery (CSRF) vulnerability in Zoho Salesiq

The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF.

8.8
2019-08-27 CVE-2018-21006 Bbpress Move Topics Project Cross-Site Request Forgery (CSRF) vulnerability in Bbpress Move Topics Project Bbpress Move Topics

The bbp-move-topics plugin before 1.1.6 for WordPress has CSRF.

8.8
2019-08-27 CVE-2018-21002 Joomsky Cross-Site Request Forgery (CSRF) vulnerability in Joomsky JS Help Desk

The js-support-ticket plugin before 2.0.6 for WordPress has CSRF.

8.8
2019-08-27 CVE-2015-9343 Impress Cross-Site Request Forgery (CSRF) vulnerability in Impress WP Rollback

The wp-rollback plugin before 1.2.3 for WordPress has CSRF.

8.8
2019-08-26 CVE-2019-7996 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability.

8.8
2019-08-26 CVE-2019-7995 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability.

8.8
2019-08-26 CVE-2019-7994 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

8.8
2019-08-26 CVE-2019-7991 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability.

8.8
2019-08-26 CVE-2019-7989 Adobe Command Injection vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a command injection vulnerability.

8.8
2019-08-26 CVE-2019-7988 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

8.8
2019-08-26 CVE-2019-7986 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

8.8
2019-08-26 CVE-2019-7985 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability.

8.8
2019-08-26 CVE-2019-7984 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

8.8
2019-08-26 CVE-2019-7983 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

8.8
2019-08-26 CVE-2019-7982 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

8.8
2019-08-26 CVE-2019-7980 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability.

8.8
2019-08-26 CVE-2019-7979 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

8.8
2019-08-26 CVE-2019-7978 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability.

8.8
2019-08-26 CVE-2019-7976 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

8.8
2019-08-26 CVE-2019-15642 Webmin Code Injection vulnerability in Webmin

rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call.

8.8
2019-08-29 CVE-2019-11248 Kubernetes Missing Authorization vulnerability in Kubernetes

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port.

8.2
2019-08-26 CVE-2019-4513 IBM XXE vulnerability in IBM Security Access Manager for Enterprise Single Sign-On 8.2.2

IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

8.2
2019-08-29 CVE-2019-11247 Kubernetes
Redhat
Incorrect Authorization vulnerability in multiple products

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced.

8.1
2019-08-29 CVE-2019-11061 Asus Missing Authentication for Critical Function vulnerability in Asus Hg100 Firmware 1.05.12/4.00.06

A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with itself via http://[target]/smarthome/devicecontrol without any authentication.

8.1
2019-08-26 CVE-2019-15637 Tableau XXE vulnerability in Tableau products

Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS.

8.1
2019-08-26 CVE-2016-10931 Rust Openssl Project Improper Certificate Validation vulnerability in Rust-Openssl Project Rust-Openssl

An issue was discovered in the openssl crate before 0.9.0 for Rust.

8.1
2019-08-30 CVE-2019-12810 Estsoft Out-of-bounds Write vulnerability in Estsoft Alsee

A memory corruption vulnerability exists in the .PSD parsing functionality of ALSee v5.3 ~ v8.39.

7.8
2019-08-30 CVE-2019-2390 Mongodb Unspecified vulnerability in Mongodb

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility.

7.8
2019-08-30 CVE-2019-1966 Cisco Unspecified vulnerability in Cisco Nx-Os and Unified Computing System

A vulnerability in a specific CLI command within the local management (local-mgmt) context for Cisco UCS Fabric Interconnect Software could allow an authenticated, local attacker to gain elevated privileges as the root user on an affected device.

7.8
2019-08-29 CVE-2019-8461 Checkpoint Untrusted Search Path vulnerability in Checkpoint products

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed.

7.8
2019-08-29 CVE-2019-11396 Avira Link Following vulnerability in Avira Free Security Suite and Software Updater

An issue was discovered in Avira Free Security Suite 10.

7.8
2019-08-29 CVE-2019-14970 Videolan
Debian
Out-of-bounds Write vulnerability in multiple products

A vulnerability in mkv::event_thread_t in VideoLAN VLC media player 3.0.7.1 allows remote attackers to trigger a heap-based buffer overflow via a crafted .mkv file.

7.8
2019-08-29 CVE-2019-14778 Videolan
Debian
Use After Free vulnerability in multiple products

The mkv::virtual_segment_c::seek method of demux/mkv/virtual_segment.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free.

7.8
2019-08-29 CVE-2019-14777 Videolan
Debian
Use After Free vulnerability in multiple products

The Control function of demux/mkv/mkv.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free.

7.8
2019-08-29 CVE-2019-14776 Videolan
Debian
Out-of-bounds Read vulnerability in multiple products

A heap-based buffer over-read exists in DemuxInit() in demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 via a crafted .mkv file.

7.8
2019-08-29 CVE-2019-14533 Videolan
Debian
Use After Free vulnerability in multiple products

The Control function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 has a use-after-free.

7.8
2019-08-29 CVE-2019-14535 Videolan
Debian
Divide By Zero vulnerability in multiple products

A divide-by-zero error exists in the SeekIndex function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1.

7.8
2019-08-29 CVE-2019-14498 Videolan
Debian
Divide By Zero vulnerability in multiple products

A divide-by-zero error exists in the Control function of demux/caf.c in VideoLAN VLC media player 3.0.7.1.

7.8
2019-08-29 CVE-2019-14438 Videolan
Debian
Out-of-bounds Read vulnerability in multiple products

A heap-based buffer over-read in xiph_PackHeaders() in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 allows remote attackers to trigger a heap-based buffer over-read via a crafted .ogg file.

7.8
2019-08-29 CVE-2019-14437 Videolan
Debian
Improper Validation of Array Index vulnerability in multiple products

The xiph_SplitHeaders function in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 does not check array bounds properly.

7.8
2019-08-29 CVE-2019-11476 Canonical Integer Overflow or Wraparound vulnerability in Canonical Ubuntu Linux

An integer overflow in whoopsie before versions 0.2.52.5ubuntu0.1, 0.2.62ubuntu0.1, 0.2.64ubuntu0.1, 0.2.66, results in an out-of-bounds write to a heap allocated buffer when processing large crash dumps.

7.8
2019-08-29 CVE-2019-15767 GNU Out-of-bounds Write vulnerability in GNU Chess 6.2.5

In GNU Chess 6.2.5, there is a stack-based buffer overflow in the cmd_load function in frontend/cmd.cc via a crafted chess position in an EPD file.

7.8
2019-08-29 CVE-2019-5530 Bitrock Unspecified vulnerability in Bitrock Installbuilder

Windows binaries generated with InstallBuilder versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature.

7.8
2019-08-29 CVE-2019-11245 Kubernetes Permissions, Privileges, and Access Controls vulnerability in Kubernetes 1.13.6/1.14.2

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node.

7.8
2019-08-29 CVE-2017-14202 Zephyrproject Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Zephyrproject Zephyr

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the shell component of Zephyr allows a serial or telnet connected user to cause a crash, possibly with arbitrary code execution.

7.8
2019-08-29 CVE-2017-14201 Zephyrproject Use After Free vulnerability in Zephyrproject Zephyr

Use After Free vulnerability in the Zephyr shell allows a serial or telnet connected user to cause denial of service, and possibly remote code execution.

7.8
2019-08-28 CVE-2019-15752 Docker
Apache
Incorrect Permission Assignment for Critical Resource vulnerability in multiple products

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.

7.8
2019-08-28 CVE-2019-15720 Cloudberrylab Improper Privilege Management vulnerability in Cloudberrylab Backup 6.1.2.34

CloudBerry Backup v6.1.2.34 allows local privilege escalation via a Pre or Post backup action.

7.8
2019-08-26 CVE-2019-12532 Insyde Unspecified vulnerability in Insyde products

Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access.

7.8
2019-08-26 CVE-2019-4448 IBM Improper Privilege Management vulnerability in IBM DB2 High Performance Unload Load 6.1/6.1.0.1/6.1.0.2

IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum and db2hpum_debug binaries are setuid root and have built-in options that allow a low-privileged user to load arbitrary db2 libraries from a privileged context.

7.8
2019-08-26 CVE-2019-4447 IBM Uncontrolled Search Path Element vulnerability in IBM DB2 High Performance Unload Load 6.1/6.1.0.1/6.1.0.2

IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum_debug is a setuid root binary which trusts the PATH environment variable.

7.8
2019-08-28 CVE-2019-1965 Cisco Missing Release of Resource after Effective Lifetime vulnerability in Cisco Nx-Os

A vulnerability in the Virtual Shell (VSH) session management for Cisco NX-OS Software could allow an authenticated, remote attacker to cause a VSH process to fail to delete upon termination.

7.7
2019-08-30 CVE-2019-15839 Shaosina Inclusion of Functionality from Untrusted Control Sphere vulnerability in Shaosina Sina Extension for Elementor

The sina-extension-for-elementor plugin before 2.2.1 for WordPress has local file inclusion.

7.5
2019-08-30 CVE-2019-15630 Mulesoft Path Traversal vulnerability in Mulesoft API Gateway and Mule Runtime

Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process.

7.5
2019-08-30 CVE-2019-15026 Memcached Out-of-bounds Read vulnerability in Memcached 1.5.16

memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.

7.5
2019-08-30 CVE-2019-15821 Bold Themes Unspecified vulnerability in Bold-Themes Bold Page Builder

The bold-page-builder plugin before 2.3.2 for WordPress has no protection against modifying settings and importing data.

7.5
2019-08-30 CVE-2019-15816 Wpexpertdeveloper Open Redirect vulnerability in Wpexpertdeveloper WP Private Content Plus

The wp-private-content-plus plugin before 2.0 for WordPress has no protection against option changes via save_settings_page and other save_ functions.

7.5
2019-08-30 CVE-2019-6113 Onkyo Path Traversal vulnerability in Onkyo Tx-Nr686 Firmware 1030500010400010

Directory traversal vulnerability on ONKYO TX-NR686 1030-5000-1040-0010 A/V Receiver devices allows remote attackers to read arbitrary files via a ..

7.5
2019-08-30 CVE-2019-5612 Freebsd
Netapp
Race Condition vulnerability in multiple products

In FreeBSD 12.0-STABLE before r351264, 12.0-RELEASE before 12.0-RELEASE-p10, 11.3-STABLE before r351265, 11.3-RELEASE before 11.3-RELEASE-p3, and 11.2-RELEASE before 11.2-RELEASE-p14, the kernel driver for /dev/midistat implements a read handler that is not thread-safe.

7.5
2019-08-30 CVE-2019-5611 Freebsd
Netapp
Improper Input Validation vulnerability in multiple products

In FreeBSD 12.0-STABLE before r350828, 12.0-RELEASE before 12.0-RELEASE-p10, 11.3-STABLE before r350829, 11.3-RELEASE before 11.3-RELEASE-p3, and 11.2-RELEASE before 11.2-RELEASE-p14, a missing check in the function to arrange data in a chain of mbufs could cause data returned not to be contiguous.

7.5
2019-08-30 CVE-2019-5610 Freebsd
Netapp
Out-of-bounds Read vulnerability in multiple products

In FreeBSD 12.0-STABLE before r350637, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350638, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bsnmp library is not properly validating the submitted length from a type-length-value encoding.

7.5
2019-08-30 CVE-2019-5609 Freebsd Out-of-bounds Write vulnerability in Freebsd 11.2/11.3/12.0

In FreeBSD 12.0-STABLE before r350619, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350619, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bhyve e1000 device emulation used a guest-provided value to determine the size of the on-stack buffer without validation when TCP segmentation offload is requested for a transmitted packet.

7.5
2019-08-30 CVE-2019-1977 Cisco State Issues vulnerability in Cisco Nx-Os

A vulnerability within the Endpoint Learning feature of Cisco Nexus 9000 Series Switches running in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an endpoint device in certain circumstances.

7.5
2019-08-30 CVE-2019-1968 Cisco Improper Encoding or Escaping of Output vulnerability in Cisco Nx-Os

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an NX-API system process to unexpectedly restart.

7.5
2019-08-30 CVE-2019-1967 Cisco Resource Exhaustion vulnerability in Cisco Nx-Os

A vulnerability in the Network Time Protocol (NTP) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

7.5
2019-08-30 CVE-2019-12402 Apache
Fedoraproject
Oracle
Infinite Loop vulnerability in multiple products

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs.

7.5
2019-08-29 CVE-2019-13608 Citrix XXE vulnerability in Citrix Storefront Server

Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.

7.5
2019-08-29 CVE-2019-15502 Teamspeak Unspecified vulnerability in Teamspeak

The TeamSpeak client before 3.3.2 allows remote servers to trigger a crash via the 0xe2 0x81 0xa8 0xe2 0x81 0xa7 byte sequence, aka Unicode characters U+2068 (FIRST STRONG ISOLATE) and U+2067 (RIGHT-TO-LEFT ISOLATE).

7.5
2019-08-29 CVE-2019-15787 Libzetta RS Project Integer Overflow or Wraparound vulnerability in Libzetta-Rs Project Libzetta-Rs 0.1.1/0.1.2

libZetta.rs through 0.1.2 has an integer overflow in the zpool parser (for error stats) that leads to a panic.

7.5
2019-08-29 CVE-2019-13408 Androvideo
Geovision
Missing Authorization vulnerability in multiple products

A relative path traversal vulnerability was found in Advan VD-1 firmware versions up to 230.

7.5
2019-08-29 CVE-2019-13406 Androvideo Missing Authentication for Critical Function vulnerability in Androvideo VD 1 Firmware 230

A broken access control vulnerability was found in Advan VD-1 firmware versions up to 230.

7.5
2019-08-29 CVE-2019-11060 Asus Allocation of Resources Without Limits or Throttling vulnerability in Asus Hg100 Firmware 1.05.12

The web API server on port 8080 of ASUS HG100 firmware up to 1.05.12 is vulnerable to Slowloris HTTP denial of service: an attacker can cause a denial of service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and their associated resources alive for a long period of time.

7.5
2019-08-29 CVE-2017-18594 Nmap Double Free vulnerability in Nmap 7.70

nse_libssh2.cc in Nmap 7.70 is subject to a denial of service condition due to a double free when an SSH connection fails, as demonstrated by a leading \n character to ssh-brute.nse or ssh-auth-methods.nse.

7.5
2019-08-28 CVE-2019-9931 Lexmark Unspecified vulnerability in Lexmark products

Various Lexmark printers contain a denial of service vulnerability in the SNMP service that can be exploited to crash the device.

7.5
2019-08-28 CVE-2019-10056 Suricata IDS Out-of-bounds Write vulnerability in Suricata-Ids Suricata 4.1.3/4.1.4

An issue was discovered in Suricata 4.1.3.

7.5
2019-08-28 CVE-2019-10055 Suricata IDS Reachable Assertion vulnerability in Suricata-Ids Suricata 4.1.4

An issue was discovered in Suricata 4.1.3.

7.5
2019-08-28 CVE-2019-10054 Suricata IDS Integer Underflow (Wrap or Wraparound) vulnerability in Suricata-Ids Suricata 4.1.3

An issue was discovered in Suricata 4.1.3.

7.5
2019-08-28 CVE-2019-10052 Suricata IDS Improper Enforcement of Message or Data Structure vulnerability in Suricata-Ids Suricata 4.1.3

An issue was discovered in Suricata 4.1.3.

7.5
2019-08-28 CVE-2019-10051 Suricata IDS Improper Check for Unusual or Exceptional Conditions vulnerability in Suricata-Ids Suricata 4.1.3/4.1.4

An issue was discovered in Suricata 4.1.3.

7.5
2019-08-28 CVE-2019-1964 Cisco Improper Input Validation vulnerability in Cisco Nx-Os

A vulnerability in the IPv6 traffic processing of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an unexpected restart of the netstack process on an affected device.

7.5
2019-08-28 CVE-2019-1962 Cisco Improper Input Validation vulnerability in Cisco Nx-Os

A vulnerability in the Cisco Fabric Services component of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause process crashes, which can result in a denial of service (DoS) condition on an affected system.

7.5
2019-08-27 CVE-2019-15702 Riot OS Infinite Loop vulnerability in Riot-Os Riot

In the TCP implementation (gnrc_tcp) in RIOT through 2019.07, the parser for TCP options does not terminate on all inputs, allowing a denial-of-service, because sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c has an infinite loop for an unknown zero-length option.

7.5
2019-08-27 CVE-2017-18592 WC Marketplace Unrestricted Upload of File with Dangerous Type vulnerability in Wc-Marketplace WC Catalog Enquiry

The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has an incorrect wp_upload directory for file uploads.

7.5
2019-08-27 CVE-2015-9348 Codepeople Improper Input Validation vulnerability in Codepeople Sell Downloads

The sell-downloads plugin before 1.0.8 for WordPress has insufficient restrictions on brute-force guessing of purchase IDs.

7.5
2019-08-27 CVE-2015-9345 Petersplugins Improper Input Validation vulnerability in Petersplugins Link LOG

The link-log plugin before 2.0 for WordPress has HTTP Response Splitting.

7.5
2019-08-26 CVE-2019-8460 Openbsd Unspecified vulnerability in Openbsd

OpenBSD kernel versions <= 6.5 can be forced to create long chains of TCP SACK holes, which cause very expensive calls to tcp_sack_option() for every incoming SACK packet and can lead to a denial of service.

7.5
2019-08-26 CVE-2019-15547 Ncurses Project Use of Externally-Controlled Format String vulnerability in Ncurses Project Ncurses

An issue was discovered in the ncurses crate through 5.99.0 for Rust.

7.5
2019-08-26 CVE-2019-15546 Pancurses Project Use of Externally-Controlled Format String vulnerability in Pancurses Project Pancurses

An issue was discovered in the pancurses crate through 0.16.1 for Rust.

7.5
2019-08-26 CVE-2019-15545 Libp2P Improper Verification of Cryptographic Signature vulnerability in Libp2P

An issue was discovered in the libp2p-core crate before 0.8.1 for Rust.

7.5
2019-08-26 CVE-2019-15544 Rust Protobuf Project
Apache
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

An issue was discovered in the protobuf crate before 2.6.0 for Rust.

7.5
2019-08-26 CVE-2019-15542 Ammonia Project Uncontrolled Recursion vulnerability in Ammonia Project Ammonia

An issue was discovered in the ammonia crate before 2.1.0 for Rust.

7.5
2019-08-26 CVE-2018-20989 Untrusted Project Integer Underflow (Wrap or Wraparound) vulnerability in Untrusted Project Untrusted 0.5.1/0.6.0

An issue was discovered in the untrusted crate before 0.6.2 for Rust.

7.5
2019-08-26 CVE-2017-18589 Cookie Project Improper Input Validation vulnerability in Cookie Project Cookie

An issue was discovered in the cookie crate before 0.7.6 for Rust.

7.5
2019-08-26 CVE-2019-15640 Limesurvey Improper Input Validation vulnerability in Limesurvey

Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an image.

7.5
2019-08-26 CVE-2019-15549 Asn1 DER Project Resource Exhaustion vulnerability in Asn1 DER Project Asn1 DER

An issue was discovered in the asn1_der crate before 0.6.2 for Rust.

7.5
2019-08-26 CVE-2019-15553 Memoffset Project Use of Uninitialized Resource vulnerability in Memoffset Project Memoffset

An issue was discovered in the memoffset crate before 0.5.0 for Rust.

7.5
2019-08-26 CVE-2019-15550 Simdjson Project Out-of-bounds Read vulnerability in Simdjson Project Simdjson 0.1.14

An issue was discovered in the simd-json crate before 0.1.15 for Rust.

7.5
2019-08-26 CVE-2018-20999 Orion Project Incorrect Calculation vulnerability in Orion Project Orion

An issue was discovered in the orion crate before 0.11.2 for Rust.

7.5
2019-08-26 CVE-2018-20994 Trust DNS Proto Project Uncontrolled Recursion vulnerability in Trust-Dns-Proto Project Trust-Dns-Proto

An issue was discovered in the trust-dns-proto crate before 0.5.0-alpha.3 for Rust.

7.5
2019-08-26 CVE-2018-20993 Yaml Rust Project Uncontrolled Recursion vulnerability in Yaml-Rust Project Yaml-Rust

An issue was discovered in the yaml-rust crate before 0.4.1 for Rust.

7.5
2019-08-26 CVE-2018-20990 TAR Project Link Following vulnerability in TAR Project TAR

An issue was discovered in the tar crate before 0.4.16 for Rust.

7.5
2019-08-26 CVE-2019-15541 Rustls Project Argument Injection or Modification vulnerability in Rustls Project Rustls

rustls-mio/examples/tlsserver.rs in the rustls crate before 0.16.0 for Rust allows attackers to cause a denial of service (loop of conn_event and ready) by arranging for a client to never be writable.

7.5
2019-08-26 CVE-2019-15506 Kaseya Missing Authentication for Critical Function vulnerability in Kaseya Virtual System Administrator

An issue was discovered in Kaseya Virtual System Administrator (VSA) through 9.4.0.37.

7.5
2019-08-26 CVE-2019-15658 Connect PG Simple Project SQL Injection vulnerability in Connect-Pg-Simple Project Connect-Pg-Simple

connect-pg-simple before 6.0.1 allows SQL injection if tableName or schemaName is untrusted data.

7.3
2019-08-29 CVE-2019-11364 Prophecyinternational OS Command Injection vulnerability in Prophecyinternational Snare Central

An OS Command Injection vulnerability in Snare Central before 7.4.5 allows remote authenticated attackers to inject arbitrary OS commands via the ServerConf/DataManagement/DiskManager.php FORMNAS_share parameter.

7.2
2019-08-29 CVE-2019-11363 Prophecyinternational SQL Injection vulnerability in Prophecyinternational Snare Central

A SQL injection vulnerability in Snare Central before 7.4.5 allows remote authenticated attackers to execute arbitrary SQL commands via the AgentConsole/UserGroupQuery.php ShowUser parameter.

7.2
2019-08-28 CVE-2015-9353 TRI SQL Injection vulnerability in TRI Gigpress

The gigpress plugin before 2.3.11 for WordPress has SQL injection in the admin area, a different vulnerability than CVE-2015-4066.

7.2
2019-08-29 CVE-2019-7307 Apport Project Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apport Project Apport

Apport before versions 2.14.1-0ubuntu3.29+esm1, 2.20.1-0ubuntu2.19, 2.20.9-0ubuntu7.7, 2.20.10-0ubuntu27.1, 2.20.11-0ubuntu5 contained a TOCTTOU vulnerability when reading the user's ~/.apport-ignore.xml file, which allows a local attacker to replace this file with a symlink to any other file on the system and so cause Apport to include the contents of that file in the resulting crash report.

7.0
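The RIOT entry above (CVE-2019-15702) describes the classic parser non-termination bug: an unknown TCP option with a length byte of zero never advances the cursor. The following is an added example written for this report, not RIOT's gnrc_tcp code, showing the faulty pattern next to a parser that is guaranteed to make progress. The option kinds follow RFC 793 (0 = End of Option List, 1 = NOP, otherwise kind/length/data with length counting the two header bytes); the byte strings at the bottom are constructed sample input.

```python
"""TCP option parsing that terminates on every input.

Added illustration for the bug class behind CVE-2019-15702 (RIOT gnrc_tcp):
example code written for this report, not RIOT's parser. Kind 0 (EOL) and
kind 1 (NOP) are single bytes; every other option is kind, length, data,
where length counts the kind and length bytes themselves, so any valid
length is at least 2. The option byte strings below are constructed input.
"""
import struct

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2


def parse_tcp_options_unchecked(opts, step_limit=1000):
    """Mirrors the faulty pattern: for an unknown kind the length byte is read
    and the cursor is advanced by it. A length of 0 advances nothing, so the
    loop revisits the same option forever. step_limit exists only so this
    demonstration terminates; the vulnerable parser has no such guard."""
    parsed = []
    off = 0
    steps = 0
    while off < len(opts):
        steps += 1
        if steps > step_limit:
            raise RuntimeError("parser stuck at offset %d" % off)
        kind = opts[off]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            off += 1
            continue
        if off + 1 >= len(opts):
            break
        length = opts[off + 1]
        if kind == TCP_OPT_MSS and length == 4 and off + 4 <= len(opts):
            parsed.append(("mss", struct.unpack("!H", opts[off + 2:off + 4])[0]))
        else:
            parsed.append(("unknown", kind))
        off += length  # length 0 -> no progress
    return parsed


def parse_tcp_options(opts):
    """Hardened version: every multi-byte option must declare a length of at
    least 2 and must fit inside the buffer, so the cursor always moves
    forward. Malformed input raises ValueError so the caller drops the segment."""
    parsed = []
    off = 0
    n = len(opts)
    while off < n:
        kind = opts[off]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            off += 1
            continue
        if off + 1 >= n:
            raise ValueError("truncated option header at offset %d" % off)
        length = opts[off + 1]
        if length < 2 or off + length > n:
            raise ValueError("bad length %d for option kind %d at offset %d" % (length, kind, off))
        data = opts[off + 2:off + length]
        if kind == TCP_OPT_MSS:
            if length != 4:
                raise ValueError("MSS option must be 4 bytes long")
            parsed.append(("mss", struct.unpack("!H", data)[0]))
        else:
            parsed.append(("unknown", kind, data))
        off += length  # length >= 2, so this always advances
    return parsed


def run_parser(parser, opts):
    """Report how a parser ends on `opts`: 'ok', 'rejected' (ValueError) or
    'stuck' (the demonstration step guard fired)."""
    try:
        parser(opts)
    except ValueError:
        return "rejected"
    except RuntimeError:
        return "stuck"
    return "ok"


# Constructed sample input: MSS=1460, NOP, NOP, EOL
GOOD_OPTIONS = bytes([TCP_OPT_MSS, 4, 0x05, 0xB4, TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_EOL])
# Constructed malicious input: NOP, then unknown kind 254 with a zero length byte
ZERO_LENGTH_UNKNOWN = bytes([TCP_OPT_NOP, 0xFE, 0x00, 0x41, 0x42])

if __name__ == "__main__":
    print(parse_tcp_options(GOOD_OPTIONS))
    for name, parser in (("unchecked", parse_tcp_options_unchecked), ("hardened", parse_tcp_options)):
        print(name, run_parser(parser, ZERO_LENGTH_UNKNOWN))
```

The single invariant that matters is that every loop iteration either breaks or strictly increases the offset; checking `length < 2` before using it is what gives the hardened parser that property, and the same check also catches the truncated-header and overlong-option cases.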
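The connect-pg-simple entry above (CVE-2019-15658) is a reminder that a table or schema name cannot be bound as a query parameter, so it needs its own validation before it is spliced into the statement text. The following is an added example written for this report, not the module's own code; the column names sid, sess and expire are an assumed session-table layout, and the malicious table name is constructed.

```python
"""Guarding SQL identifiers that cannot be bound as parameters.

Added illustration for CVE-2019-15658 (connect-pg-simple, untrusted tableName
and schemaName): example code written for this report, not the module's own.
Placeholders such as $1 bind values only; a table or schema name has to be
spliced into the statement text. The column names (sid, sess, expire) are an
assumed session-table layout.
"""
import re

# PostgreSQL unquoted identifier shape: letter or underscore, then letters,
# digits or underscores, at most 63 characters. Anything else is refused.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def is_safe_identifier(name):
    return isinstance(name, str) and IDENT_RE.match(name) is not None


def quote_ident(name):
    """Double-quote an identifier and double any embedded double quotes, the
    same rule PostgreSQL's quote_ident() applies."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def build_get_session_unchecked(schema, table, sid):
    """Vulnerable pattern: identifiers interpolated straight into the text.
    Only sid is bound, so schema or table can carry arbitrary SQL."""
    sql = f"SELECT sess FROM {schema}.{table} WHERE sid = $1 AND expire >= NOW()"
    return sql, [sid]


def build_get_session(schema, table, sid):
    """Hardened: refuse anything outside the identifier allowlist, then quote
    what remains so it can only ever be read as a name."""
    for name in (schema, table):
        if not is_safe_identifier(name):
            raise ValueError(f"identifier not allowed: {name!r}")
    sql = (
        f"SELECT sess FROM {quote_ident(schema)}.{quote_ident(table)} "
        "WHERE sid = $1 AND expire >= NOW()"
    )
    return sql, [sid]


# Constructed attacker-controlled table name
MALICIOUS_TABLE = "session; DROP TABLE session; --"

if __name__ == "__main__":
    print(build_get_session_unchecked("public", MALICIOUS_TABLE, "abc")[0])
    print(build_get_session("public", "session", "abc")[0])
    try:
        build_get_session("public", MALICIOUS_TABLE, "abc")
    except ValueError as e:
        print("rejected:", e)
```

The allowlist alone stops the injection; the quoting is there so the name can never be read as a keyword. Note that quoting makes the identifier case-sensitive, so a table created as unquoted `Session` is stored as `session` and must be configured in that form.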
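The Jenkins entry above (CVE-2019-10384) describes an anti-CSRF token that could be issued without a web session and therefore never expired. The design point is that the token must be derived from something that dies with the session. The following is an added example written for this report, not Jenkins' crumb issuer: an HMAC over user and session ID, with the key, user names and session IDs all constructed for the demonstration.

```python
"""Binding an anti-CSRF token to the issuing web session.

Added illustration of the design point behind CVE-2019-10384 (Jenkins crumbs
issued without a session ID): example code written for this report, not
Jenkins' own implementation. A token computed only from user identity and a
server secret never changes, so one copy is good forever; mixing in the
session ID makes the token expire with the session and useless under any
other session. The key, user names and session IDs here are constructed.
"""
import hashlib
import hmac
import secrets

# Per-deployment secret; generated fresh here for the demonstration.
SERVER_KEY = secrets.token_bytes(32)


def issue_token_unbound(user):
    """Weak pattern: no session material, so the token for a given user
    (the anonymous user included) is constant and never expires."""
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user, session_id):
    """Bound token: refuse to issue without a session, and MAC the user and
    session ID with a NUL separator so the pair cannot be re-split."""
    if not session_id:
        raise ValueError("no web session; not issuing a token")
    msg = user.encode() + b"\x00" + session_id.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def try_issue_token(user, session_id):
    """Convenience wrapper returning None where issue_token refuses."""
    try:
        return issue_token(user, session_id)
    except ValueError:
        return None


def verify_token(user, session_id, token):
    """Recompute for the session the request actually arrived with and compare
    in constant time. A request with no session can never pass."""
    if not session_id or not token:
        return False
    expected = issue_token(user, session_id)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    tok = issue_token("anonymous", "session-A")
    print("same session:", verify_token("anonymous", "session-A", tok))
    print("other session:", verify_token("anonymous", "session-B", tok))
    print("no session:", verify_token("anonymous", "", tok))
    print("unbound token stable:", issue_token_unbound("anonymous") == issue_token_unbound("anonymous"))
```

Because the server only ever recomputes the token for the session cookie that accompanies the request, a token leaked from one session is worthless in another, and it stops verifying the moment the session is invalidated; no separate token store or expiry bookkeeping is needed.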

133 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-30 CVE-2019-9697 Symantec Unspecified vulnerability in Symantec Management Center 2.0/2.1/2.2

An information disclosure vulnerability in the Management Center (MC) REST API 2.0, 2.1, and 2.2 prior to 2.2.2.1 allows a malicious authenticated user to obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access.

6.5
2019-08-30 CVE-2018-18371 Broadcom Use of a Broken or Risky Cryptographic Algorithm vulnerability in Broadcom Advanced Secure Gateway and Symantec Proxysg

The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser.

6.5
2019-08-29 CVE-2019-15759 Webassembly NULL Pointer Dereference vulnerability in Webassembly Binaryen

An issue was discovered in Binaryen 1.38.32.

6.5
2019-08-29 CVE-2019-15758 Webassembly Reachable Assertion vulnerability in Webassembly Binaryen

An issue was discovered in Binaryen 1.38.32.

6.5
2019-08-29 CVE-2019-15757 Libmirage Project NULL Pointer Dereference vulnerability in Libmirage Project Libmirage 3.2.2

libMirage 3.2.2 in CDemu has a NULL pointer dereference in the NRG parser in parser.c.

6.5
2019-08-29 CVE-2019-11250 Kubernetes
Redhat
Information Exposure Through Log Files vulnerability in multiple products

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher.

6.5
2019-08-29 CVE-2019-11249 Kubernetes
Redhat
Path Traversal vulnerability in multiple products

The kubectl cp command allows copying files between containers and the user machine.

6.5
2019-08-29 CVE-2019-11246 Kubernetes Path Traversal vulnerability in Kubernetes

The kubectl cp command allows copying files between containers and the user machine.

6.5
2019-08-29 CVE-2019-10724 Lenovo Unspecified vulnerability in Lenovo products

There is a vulnerability with the Dolby DAX2 API system services in which a low-privileged user can terminate arbitrary processes that are running at a higher privilege.

6.5
2019-08-28 CVE-2019-10057 Lexmark Cross-Site Request Forgery (CSRF) vulnerability in Lexmark products

Various Lexmark products have CSRF.

6.5
2019-08-28 CVE-2019-1963 Cisco Improper Input Validation vulnerability in Cisco Nx-Os

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly.

6.5
2019-08-28 CVE-2019-10391 Jenkins Cleartext Transmission of Sensitive Information vulnerability in Jenkins IBM Application Security on Cloud

Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.

6.5
2019-08-27 CVE-2019-15648 Elearningfreak Missing Authorization vulnerability in Elearningfreak Insert or Embed Articulate Content

The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber.

6.5
2019-08-26 CVE-2019-15055 Mikrotik Path Traversal vulnerability in Mikrotik Routeros

MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files.

6.5
2019-08-26 CVE-2019-8000 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds read vulnerability.

6.5
2019-08-26 CVE-2019-7999 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds read vulnerability.

6.5
2019-08-26 CVE-2019-7987 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds read vulnerability.

6.5
2019-08-26 CVE-2019-7981 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds read vulnerability.

6.5
2019-08-26 CVE-2019-7977 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop CC

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds read vulnerability.

6.5
2019-08-26 CVE-2019-15641 Webmin XXE vulnerability in Webmin

xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks.

6.5
2019-08-26 CVE-2019-15515 Discourse Cross-Site Request Forgery (CSRF) vulnerability in Discourse 2.3.2

Discourse 2.3.2 sends the CSRF token in the query string.

6.5
2019-08-26 CVE-2018-20992 Claxon Project Use of Uninitialized Resource vulnerability in Claxon Project Claxon

An issue was discovered in the claxon crate before 0.4.1 for Rust.

6.5
2019-08-29 CVE-2019-4536 IBM Improper Privilege Management vulnerability in IBM I 7.4

IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF) on a system which has been configured with Db2 Mirror for i might have user profiles with elevated privileges caused by incorrect processing during a restore of multiple user profiles.

6.3
2019-08-30 CVE-2019-15842 Easy PDF Restaurant Menu Upload Project Cross-site Scripting vulnerability in Easy PDF Restaurant Menu Upload Project Easy PDF Restaurant Menu Upload 1.0/1.1/1.1.1

The easy-pdf-restaurant-menu-upload plugin before 1.1.2 for WordPress has XSS.

6.1
2019-08-30 CVE-2019-15838 Kunalnagar Cross-site Scripting vulnerability in Kunalnagar Custom 404 PRO

The custom-404-pro plugin before 3.2.8 for WordPress has reflected XSS, a different vulnerability than CVE-2019-14789.

6.1
2019-08-30 CVE-2019-15833 Simple Mail Address Encoder Project Cross-site Scripting vulnerability in Simple Mail Address Encoder Project Simple Mail Address Encoder

The simple-mail-address-encoder plugin before 1.7 for WordPress has reflected XSS.

6.1
2019-08-30 CVE-2019-15820 Login OR Logout Menu Item Project Open Redirect vulnerability in Login or Logout Menu Item Project Login or Logout Menu Item 1.0.0/1.1.0/1.1.1

The login-or-logout-menu-item plugin before 1.2.0 for WordPress has no requirement for lolmi_save_settings authentication.

6.1
2019-08-30 CVE-2019-15818 Webcraftic Open Redirect vulnerability in Webcraftic Simple 301 Redirects

The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist.

6.1
2019-08-30 CVE-2019-15817 Realestateconnected Cross-site Scripting vulnerability in Realestateconnected Easy Property Listings

The easy-property-listings plugin before 3.4 for WordPress has XSS.

6.1
2019-08-30 CVE-2018-18370 Broadcom Cross-site Scripting vulnerability in Broadcom Advanced Secure Gateway and Symantec Proxysg

The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser.

6.1
2019-08-30 CVE-2018-15512 Totemo Cross-site Scripting vulnerability in Totemo Totemomail 6.0.0

Cross-site scripting (XSS) vulnerability in the 'Authorisation Service' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML.

6.1
2019-08-30 CVE-2018-15511 Totemo Cross-site Scripting vulnerability in Totemo Totemomail 6.0.0

Cross-site scripting (XSS) vulnerability in the 'Notification template' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML.

6.1
2019-08-30 CVE-2018-15510 Totemo Cross-site Scripting vulnerability in Totemo Totemomail 6.0.0

Cross-site scripting (XSS) vulnerability in the 'Certificate' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML.

6.1
2019-08-29 CVE-2019-15811 Domainmod Cross-site Scripting vulnerability in Domainmod

In DomainMOD through 4.13, the parameter daterange in the file reporting/domains/cost-by-month.php has XSS.

6.1
2019-08-29 CVE-2019-15771 Components FOR WP Bakery Page Builder Project Open Redirect vulnerability in Components for WP Bakery Page Builder Project Components for WP Bakery Page Builder

The nd-shortcodes plugin before 6.0 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

6.1
2019-08-29 CVE-2019-15782 Webtorrent Cross-site Scripting vulnerability in Webtorrent

WebTorrent before 0.107.6 allows XSS in the HTTP server via a title or file name.

6.1
2019-08-29 CVE-2019-15776 Webcraftic Open Redirect vulnerability in Webcraftic Simple 301 Redirects-Addon-Bulk Uploader

The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file.

6.1
2019-08-29 CVE-2019-15775 Learning Courses Project Open Redirect vulnerability in Learning Courses Project Learning Courses

The nd-learning plugin before 4.8 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

6.1
2019-08-29 CVE-2019-15774 Booking Project Open Redirect vulnerability in Booking Project Booking

The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

6.1
2019-08-29 CVE-2019-15773 Travel Management Project Open Redirect vulnerability in Travel Management Project Travel Management

The nd-travel plugin before 1.7 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

6.1
2019-08-29 CVE-2019-15772 Donations Project Open Redirect vulnerability in Donations Project Donations

The nd-donations plugin before 1.4 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

6.1
2019-08-29 CVE-2019-13407 Androvideo, Geovision Cross-site Scripting vulnerability in multiple products

An XSS vulnerability was found in Advan VD-1 firmware versions up to 230.

6.1
2019-08-28 CVE-2019-5590 Fortinet Cross-site Scripting vulnerability in Fortinet Fortiweb

The URL part of the report message is not encoded in Fortinet FortiWeb 6.0.2 and below which may allow an attacker to execute unauthorized code or commands (Cross Site Scripting) via attack reports generated in HTML form.

6.1
2019-08-28 CVE-2019-13189 ENG Cross-site Scripting vulnerability in ENG Knowage

In Knowage through 6.1.1, there is XSS via the start_url or user_id field to the ChangePwdServlet page.

6.1
2019-08-28 CVE-2015-9359 Automattic Cross-site Scripting vulnerability in Automattic Jetpack

The Jetpack plugin before 3.4.3 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9379 Ithemes Cross-site Scripting vulnerability in Ithemes Builder Style Manager

iThemes Builder Style Manager before 0.7.7 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9378 Ithemes Cross-site Scripting vulnerability in Ithemes Builder Theme Market

iThemes Builder Theme Market before 5.1.27 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9377 Ithemes Cross-site Scripting vulnerability in Ithemes Builder Theme Depot

iThemes Builder Theme Depot before 5.0.30 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9376 Ithemes Cross-site Scripting vulnerability in Ithemes Mobile

iThemes Mobile before 1.2.8 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9375 Ithemes Cross-site Scripting vulnerability in Ithemes Table Rate Shipping

Table Rate Shipping Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9374 Ithemes Cross-site Scripting vulnerability in Ithemes Stripe

Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9373 Webdevstudios Cross-site Scripting vulnerability in Webdevstudios Ithemes Paypal PRO

PayPal Pro Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9372 Ithemes Cross-site Scripting vulnerability in Ithemes Membership

Membership Add-on for iThemes Exchange before 1.3.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9371 Ithemes Cross-site Scripting vulnerability in Ithemes Manual Purchases

Manual Purchases Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9370 Ithemes Cross-site Scripting vulnerability in Ithemes Invoices

Invoices Add-on for iThemes Exchange before 1.4.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9369 Ithemes Cross-site Scripting vulnerability in Ithemes Easy US Sales Taxes

Easy US Sales Taxes Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2019-15713 MY Calendar Project Cross-site Scripting vulnerability in MY Calendar Project MY Calendar

The my-calendar plugin before 3.1.10 for WordPress has XSS.

6.1
2019-08-28 CVE-2017-18593 Updraftplus Cross-site Scripting vulnerability in Updraftplus

The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cases where an attacker controls a string logged to a log file.

6.1
2019-08-28 CVE-2015-9368 Ithemes Cross-site Scripting vulnerability in Ithemes Easy EU Value Added (Vat) Taxes

Easy EU Value Added (VAT) Taxes Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9367 Ithemes Cross-site Scripting vulnerability in Ithemes Easy Canadian Sales Taxes

Easy Canadian Sales Taxes Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9366 Ithemes Cross-site Scripting vulnerability in Ithemes Custom URL Tracking

Custom URL Tracking Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9365 Ithemes Cross-site Scripting vulnerability in Ithemes Authorize.Net

Authorize.net Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9364 2Checkout Cross-site Scripting vulnerability in 2Checkout Ithemes 2Checkout

2Checkout Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9363 Ithemes Cross-site Scripting vulnerability in Ithemes Exchange

iThemes Exchange before 1.12.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9362 Never5 Cross-site Scripting vulnerability in Never5 Post Connector

The Post Connector plugin before 1.0.4 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9361 Never5 Cross-site Scripting vulnerability in Never5 Related Posts

The Related Posts plugin before 1.8.2 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9360 Updraftplus Cross-site Scripting vulnerability in Updraftplus

The updraftplus plugin before 1.9.64 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9358 Feedwordpress Project Cross-site Scripting vulnerability in Feedwordpress Project Feedwordpress

The feedwordpress plugin before 2015.0514 for WordPress has XSS via add_query_arg() and remove_query_arg().

6.1
2019-08-28 CVE-2015-9357 Automattic Cross-site Scripting vulnerability in Automattic Akismet

The akismet plugin before 3.1.5 for WordPress has XSS.

6.1
2019-08-28 CVE-2015-9356 WP Vipergb Project Cross-site Scripting vulnerability in Wp-Vipergb Project Wp-Vipergb

The wp-vipergb plugin before 1.3.16 for WordPress has XSS via add_query_arg() and remove_query_arg(), a different issue than CVE-2014-9460.

6.1
2019-08-28 CVE-2015-9355 Simbahosting Cross-site Scripting vulnerability in Simbahosting Two-Factor-Authentication

The two-factor-authentication plugin before 1.1.10 for WordPress has XSS in the admin area.

6.1
2019-08-28 CVE-2012-6718 Sharebar Project Cross-site Scripting vulnerability in Sharebar Project Sharebar

The sharebar plugin before 1.2.2 for WordPress has XSS, a different issue than CVE-2013-3491.

6.1
2019-08-28 CVE-2012-6717 Redirection Cross-site Scripting vulnerability in Redirection

The redirection plugin before 2.2.12 for WordPress has XSS, a different issue than CVE-2011-4562.

6.1
2019-08-28 CVE-2011-5329 Redirection Cross-site Scripting vulnerability in Redirection

The redirection plugin before 2.2.9 for WordPress has XSS in the admin menu, a different issue than CVE-2011-4562.

6.1
2019-08-27 CVE-2019-15700 Frappe Cross-site Scripting vulnerability in Frappe

public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text.

6.1
2019-08-27 CVE-2019-13274 Xymon, Debian Cross-site Scripting vulnerability in multiple products

In Xymon through 4.3.28, an XSS vulnerability exists in the csvinfo CGI script due to insufficient filtering of the db parameter.

6.1
2019-08-27 CVE-2017-18591 Gdragon Cross-site Scripting vulnerability in Gdragon GD Rating System

The gd-rating-system plugin before 2.1 for WordPress has XSS in log.php.

6.1
2019-08-27 CVE-2016-10936 WP Polls Project Cross-site Scripting vulnerability in Wp-Polls Project Wp-Polls

The wp-polls plugin before 2.73.1 for WordPress has XSS via the Poll bar option.

6.1
2019-08-27 CVE-2015-9350 Slickremix Cross-site Scripting vulnerability in Slickremix Feed Them Social

The feed-them-social plugin before 1.7.0 for WordPress has reflected XSS in the Facebook Feeds load more button.

6.1
2019-08-27 CVE-2019-15644 Zoho Cross-site Scripting vulnerability in Zoho Salesiq

The zoho-salesiq plugin before 1.0.9 for WordPress has stored XSS.

6.1
2019-08-27 CVE-2019-15643 Etoilewebdesign Cross-site Scripting vulnerability in Etoilewebdesign Ultimate FAQ

The ultimate-faqs plugin before 1.8.22 for WordPress has XSS.

6.1
2019-08-27 CVE-2019-13236 Alkacon Cross-site Scripting vulnerability in Alkacon Opencms 10.5.4/10.5.5

In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface.

6.1
2019-08-27 CVE-2019-13235 Alkacon Cross-site Scripting vulnerability in Alkacon Opencms Apollo Template 10.5.4/10.5.5

In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form.

6.1
2019-08-27 CVE-2019-13234 Alkacon Cross-site Scripting vulnerability in Alkacon Opencms Apollo Template 10.5.4/10.5.5

In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine.

6.1
2019-08-27 CVE-2018-21001 Bologer Cross-site Scripting vulnerability in Bologer Anycomment 0.0.1/0.0.2/0.0.32

The anycomment plugin before 0.0.33 for WordPress has XSS.

6.1
2019-08-27 CVE-2017-18590 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Timesheet

The timesheet plugin before 0.1.5 for WordPress has multiple XSS issues.

6.1
2019-08-27 CVE-2016-10934 Check Email Project Cross-site Scripting vulnerability in Check Email Project Check Email

The check-email plugin before 0.5.2 for WordPress has XSS.

6.1
2019-08-27 CVE-2015-9349 Cksource Cross-site Scripting vulnerability in Cksource Ckeditor

The ckeditor-for-wordpress plugin before 4.5.3.1 for WordPress has reflected XSS in the "built-in (old)" file browser.

6.1
2019-08-27 CVE-2015-9347 Plot Cross-site Scripting vulnerability in Plot Plotly 1.0.0/1.0.1/1.0.2

The wp-plotly plugin before 1.0.3 for WordPress has XSS by authors.

6.1
2019-08-27 CVE-2015-9346 Codepeople Cross-site Scripting vulnerability in Codepeople Polls CP

The cp-polls plugin before 1.0.5 for WordPress has XSS.

6.1
2019-08-27 CVE-2015-9342 Impress Cross-site Scripting vulnerability in Impress WP Rollback

The wp-rollback plugin before 1.2.3 for WordPress has XSS.

6.1
2019-08-27 CVE-2014-10395 Codepeople Cross-site Scripting vulnerability in Codepeople Polls CP

The cp-polls plugin before 1.0.1 for WordPress has XSS in the votes list.

6.1
2019-08-26 CVE-2018-18668 SIR Cross-site Scripting vulnerability in SIR Gnuboard

GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "homepage title" parameter, aka the adm/config_form_update.php cf_title parameter.

6.1
2019-08-26 CVE-2019-15501 Lsoft Cross-site Scripting vulnerability in Lsoft Listserv

Reflected cross-site scripting (XSS) in L-Soft LISTSERV before 16.5-2018a exists via the /scripts/wa.exe OK parameter.

6.1
2019-08-26 CVE-2019-15479 Status Board Project Cross-site Scripting vulnerability in Status Board Project Status Board 1.1.81

Status Board 1.1.81 has reflected XSS via dashboard.ts.

6.1
2019-08-26 CVE-2019-15532 Gchq Cross-site Scripting vulnerability in Gchq Cyberchef

CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBruteForce.mjs.

6.1
2019-08-26 CVE-2019-15489 Laracom Cross-site Scripting vulnerability in Laracom 1.4.11

laracom (aka Laravel FREE E-Commerce Software) 1.4.11 has search?q= XSS.

6.1
2019-08-26 CVE-2019-15478 Status Board Project Cross-site Scripting vulnerability in Status Board Project Status Board 1.1.81

Status Board 1.1.81 has reflected XSS via logic.ts.

6.1
2019-08-26 CVE-2016-10933 Portaudio Project 7PK - Security Features vulnerability in Portaudio Project Portaudio 0.7.0

An issue was discovered in the portaudio crate through 0.7.0 for Rust.

5.9
2019-08-29 CVE-2019-14534 Videolan, Debian NULL Pointer Dereference vulnerability in multiple products

In VideoLAN VLC media player 3.0.7.1, there is a NULL pointer dereference at the function SeekPercent of demux/asf/asf.c that will lead to a denial of service attack.

5.5
2019-08-28 CVE-2019-15716 Wtfutil Incorrect Default Permissions vulnerability in Wtfutil WTF

WTF before 0.19.0 does not set the permissions of config.yml, which might make it easier for local attackers to read passwords or API keys if the permissions were misconfigured or were based on unsafe OS defaults.

5.5
2019-08-30 CVE-2019-15837 Bitwise IT Cross-site Scripting vulnerability in Bitwise-It Webp Express

The webp-express plugin before 0.14.8 for WordPress has stored XSS.

5.4
2019-08-30 CVE-2019-15836 Bootstrapped Cross-site Scripting vulnerability in Bootstrapped WP Ultimate Recipe

The wp-ultimate-recipe plugin before 3.12.7 for WordPress has stored XSS.

5.4
2019-08-30 CVE-2019-15830 Icegram Cross-site Scripting vulnerability in Icegram Engage

The icegram plugin before 1.10.29 for WordPress has ig_cat_list XSS.

5.4
2019-08-30 CVE-2019-15827 Onesignal Cross-site Scripting vulnerability in Onesignal Onesignal-Free-Web-Push-Notifications 1.17.5

The onesignal-free-web-push-notifications plugin before 1.17.8 for WordPress has XSS via the subdomain parameter.

5.4
2019-08-29 CVE-2019-15778 Getwooplugins Cross-site Scripting vulnerability in Getwooplugins Additional Variation Images for Woocommerce

The woo-variation-gallery plugin before 1.1.29 for WordPress has XSS.

5.4
2019-08-29 CVE-2019-15777 Shapepress Cross-site Scripting vulnerability in Shapepress WP Dsgvo Tools

The shapepress-dsgvo plugin before 2.2.19 for WordPress has wp-admin/admin-ajax.php?action=admin-common-settings&admin_email= XSS.

5.4
2019-08-28 CVE-2019-15230 Librenms Cross-site Scripting vulnerability in Librenms 1.54

LibreNMS v1.54 has XSS in the Create User, Inventory, Add Device, Notifications, Alert Rule, Create Maintenance, and Alert Template sections of the admin console.

5.4
2019-08-30 CVE-2019-1969 Cisco Improper Input Validation vulnerability in Cisco Nx-Os

A vulnerability in the implementation of the Simple Network Management Protocol (SNMP) Access Control List (ACL) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to perform SNMP polling of an affected device, even if it is configured to deny SNMP traffic.

5.3
2019-08-30 CVE-2018-15513 Totemo Improper Access Control vulnerability in Totemo Totemomail 6.0.0

Log viewer in totemomail 6.0.0 build 570 allows access to sessionIDs of high privileged users by leveraging access to a read-only auditor role.

5.3
2019-08-29 CVE-2019-14979 Woocommerce Improper Input Validation vulnerability in Woocommerce Paypal Checkout Payment Gateway 1.6.17

cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price.

5.3
2019-08-29 CVE-2019-14978 Woocommerce Improper Input Validation vulnerability in Woocommerce Payu India Payment Gateway 2.1.1

/payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in the purchaseQuantity=1 parameter, as demonstrated by purchasing an item for lower than the intended price.

5.3
2019-08-28 CVE-2019-10059 Lexmark 7PK - Security Features vulnerability in Lexmark products

The legacy finger service (TCP port 79) is enabled by default on various older Lexmark devices.

5.3
2019-08-28 CVE-2019-9935 Lexmark Missing Authentication for Critical Function vulnerability in Lexmark products

Various Lexmark products have Incorrect Access Control (issue 2 of 2).

5.3
2019-08-28 CVE-2019-9934 Lexmark Missing Authentication for Critical Function vulnerability in Lexmark products

Various Lexmark products have Incorrect Access Control (issue 1 of 2).

5.3
2019-08-28 CVE-2019-15714 Entropic Project Path Traversal vulnerability in Entropic Project Entropic

cli/lib/main.js in Entropic before 2019-06-13 does not reject / and \ in command names, which might allow a directory traversal attack in unusual situations.

5.3
2019-08-26 CVE-2017-18588 Security Framework Project Improper Certificate Validation vulnerability in Security-Framework Project Security-Framework

An issue was discovered in the security-framework crate before 0.1.12 for Rust.

5.3
2019-08-26 CVE-2017-18587 Hyper CRLF Injection vulnerability in Hyper

An issue was discovered in the hyper crate before 0.9.18 for Rust.

5.3
2019-08-29 CVE-2019-4133 IBM Unspecified vulnerability in IBM Cloud Automation Manager 3.1.2

IBM Cloud Automation Manager 3.1.2 could allow a malicious user on the client side (with access to client computer) to run a custom script.

5.2
2019-08-30 CVE-2019-12753 Symantec Unspecified vulnerability in Symantec Reporter 10.3/10.3.1.1/10.3.2.1

An information disclosure vulnerability in Symantec Reporter web UI 10.3 prior to 10.3.2.5 allows a malicious authenticated administrator user to obtain passwords for external SMTP, FTP, FTPS, LDAP, and Cloud Log Download servers that they might not otherwise be authorized to access.

4.9
2019-08-30 CVE-2019-15829 Greentreelabs Cross-site Scripting vulnerability in Greentreelabs Gallery Photoblocks

The photoblocks-grid-gallery plugin before 1.1.33 for WordPress has wp-admin/admin.php?page=photoblocks-edit&id= XSS.

4.8
2019-08-30 CVE-2019-12754 Symantec Cross-site Scripting vulnerability in Symantec VIP

A previous version of the Symantec My VIP portal, which has already been automatically updated, was susceptible to a cross-site scripting (XSS) exploit, a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users or potentially bypass access controls such as the same-origin policy.

4.8
2019-08-28 CVE-2019-10383 Jenkins, Oracle, Redhat Cross-site Scripting vulnerability in multiple products

A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.

4.8
2019-08-28 CVE-2015-9354 TRI BE Cross-site Scripting vulnerability in Tri.Be Gigpress

The gigpress plugin before 2.3.11 for WordPress has XSS.

4.8
2019-08-26 CVE-2016-10932 Hyper 7PK - Security Features vulnerability in Hyper

An issue was discovered in the hyper crate before 0.9.4 for Rust on Windows.

4.8
2019-08-29 CVE-2019-15807 Linux, Redhat, Debian Memory Leak vulnerability in multiple products

In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails.

4.7
2019-08-28 CVE-2019-14694 Comodo Use After Free vulnerability in Comodo Antivirus 12.0.0.6870

A use-after-free flaw in the sandbox container implemented in cmdguard.sys in Comodo Antivirus 12.0.0.6870 can be triggered due to a race condition when handling IRP_MJ_CLEANUP requests in the minifilter for directory change notifications.

4.7
2019-08-27 CVE-2019-15666 Linux, Debian, Opensuse Out-of-bounds Read vulnerability in multiple products

An issue was discovered in the Linux kernel before 5.0.19.

4.4
2019-08-30 CVE-2019-11658 Microfocus Information Exposure vulnerability in Microfocus Content Manager 9.1/9.2/9.3

Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 and 9.3.

4.3
2019-08-27 CVE-2019-15698 Octopus Unspecified vulnerability in Octopus Server

In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values.

4.3
2019-08-27 CVE-2019-15650 Easyupdatesmanager Unspecified vulnerability in Easyupdatesmanager Easy Updates Manager

The stops-core-theme-and-plugin-updates plugin before 8.0.5 for WordPress has insufficient restrictions on option changes (such as disabling unattended theme updates) because of a nonce check error.

4.3
2019-08-27 CVE-2019-13237 Alkacon Path Traversal vulnerability in Alkacon Opencms Apollo Template 10.5.4/10.5.5

In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.

4.3
2019-08-30 CVE-2019-2389 Mongodb Improper Input Validation vulnerability in Mongodb

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init.

4.2

1 Low Vulnerability

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-29 CVE-2019-4132 IBM Unspecified vulnerability in IBM Cloud Automation Manager 3.1.2

IBM Cloud Automation Manager 3.1.2 could allow a user to be improperly redirected and obtain sensitive information rather than receive a 404 error message.

3.3