CVE List - 2019 / November
Showing 1101 - 1200 of 1679 CVEs for November 2019 (Page 12 of 17)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2011-3349 | 2019-11-19 | lightdm before 0.9.6 writes in .dmrc and Xauthority files using root permissions while the files are in user controlled folders. A local user can overwrite root-owned files via a symlink,... |
| CVE-2011-3350 | 2019-11-19 | masqmail 0.2.21 through 0.2.30 improperly calls seteuid() in src/log.c and src/masqmail.c that results in improper privilege dropping. |
| CVE-2011-3352 | 2019-11-19 | Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula... |
| CVE-2019-6176 | 2019-11-20 | A potential vulnerability reported in ThinkPad USB-C Dock Firmware version 3.7.2 may allow a denial of service. |
| CVE-2019-6184 | 2019-11-20 | A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version 2.0.21.1 may allow local privilege escalation. |
| CVE-2019-6186 | 2019-11-20 | A potential vulnerability was reported in Lenovo System Interface Foundation versions before v1.1.18.3 that could allow an authenticated user to execute code as another user. |
| CVE-2019-6187 | 2019-11-20 | A stored CSV Injection vulnerability was reported in Lenovo XClarity Controller (XCC) that could allow an administrative or other appropriately permissioned user to store malformed data in certain XCC server... |
| CVE-2019-6189 | 2019-11-20 | A potential vulnerability was reported in Lenovo System Interface Foundation versions before v1.1.18.3 that could allow an administrative user to load an unsigned DLL. |
| CVE-2019-6191 | 2019-11-20 | A potential vulnerability in the discontinued LenovoPaper software version 1.0.0.22 may allow local privilege escalation. |
| CVE-2019-15071 | 2019-11-20 | Openfind MAIL2000 Webmail Pre-Auth Cross-Site Scripting |
| CVE-2019-15073 | 2019-11-20 | Openfind MAIL2000 Webmail Pre-Auth Open Redirect |
| CVE-2019-15072 | 2019-11-20 | Openfind MAIL2000 Webmail Post-Auth Cross-Site Scripting |
| CVE-2019-16200 | 2019-11-20 | GNU Serveez through 0.2.2 has an Information Leak. An attacker may send an HTTP POST request to the /cgi-bin/reader URI. The attacker must include a Content-length header with a large... |
| CVE-2012-6136 | 2019-11-20 | tuned 2.10.0 creates its PID file with insecure permissions which allows local users to kill arbitrary processes. |
| CVE-2013-0193 | 2019-11-20 | Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0194 and CVE-2013-0195. |
| CVE-2013-0194 | 2019-11-20 | Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0193 and CVE-2013-0195. |
| CVE-2013-0195 | 2019-11-20 | Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0193 and CVE-2013-0194. |
| CVE-2011-1028 | 2019-11-20 | The $smarty.template variable in Smarty3 allows attackers to possibly execute arbitrary PHP code via the sysplugins/smarty_internal_compile_private_special_variable.php file. |
| CVE-2016-5194 | 2019-11-20 | Unspecified vulnerabilities in Google Chrome before 54.0.2840.59. |
| CVE-2016-9652 | 2019-11-20 | Multiple unspecified vulnerabilities in Google Chrome before 55.0.2883.75. |
| CVE-2019-5540 | 2019-11-20 | VMware Workstation (15.x before 15.5.1) and Fusion (11.x before 11.5.1) contain an information disclosure vulnerability in vmnetdhcp. Successful exploitation of this issue may allow an attacker on a guest VM... |
| CVE-2019-5541 | 2019-11-20 | VMware Workstation (15.x before 15.5.1) and Fusion (11.x before 11.5.1) contain an out-of-bounds write vulnerability in the e1000e virtual network adapter. Successful exploitation of this issue may lead to code... |
| CVE-2019-5542 | 2019-11-20 | VMware Workstation (15.x before 15.5.1) and Fusion (11.x before 11.5.1) contain a denial-of-service vulnerability in the RPC handler. Successful exploitation of this issue may allow attackers with normal user privileges... |
| CVE-2011-0529 | 2019-11-20 | Weborf before 0.12.5 is affected by a Denial of Service (DOS) due to malformed fields in HTTP. |
| CVE-2019-10765 | 2019-11-20 | iobroker.admin before 3.6.12 allows attacker to include file contents from outside the `/log/file1/` directory. |
| CVE-2010-4660 | 2019-11-20 | Unspecified vulnerability in statusnet through 2010 due to the way addslashes are used in SQL string escapes.. |
| CVE-2019-4530 | 2019-11-20 | IBM Maximo Asset Management 7.6, 7.6.1, and 7.6.1.1 could allow an authenticated user to delete a record that they should not normally be able to. IBM X-Force ID: 165586. |
| CVE-2019-4561 | 2019-11-20 | IBM Security Identity Manager 6.0.0 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit... |
| CVE-2010-4659 | 2019-11-20 | Cross-site scripting (XSS) vulnerability in statusnet through 2010 in error message contents. |
| CVE-2019-18858 | 2019-11-20 | CODESYS 3 web server before 3.5.15.20, as distributed with CODESYS Control runtime systems, has a Buffer Overflow. |
| CVE-2019-3466 | 2019-11-20 | The pg_ctlcluster script in postgresql-common in versions prior to 210 didn't drop privileges when creating socket/statistics temporary directories, which could result in local privilege escalation. |
| CVE-2015-1606 | 2019-11-20 | The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted... |
| CVE-2015-1607 | 2019-11-20 | kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read... |
| CVE-2011-4454 | 2019-11-20 | Multiple cross-site scripting vulnerabilities in Tiki 8.0 RC1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-remind_password.php, (2) tiki-index.php, (3)... |
| CVE-2011-4455 | 2019-11-20 | Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php,... |
| CVE-2013-1816 | 2019-11-20 | MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request. |
| CVE-2012-1257 | 2019-11-20 | Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor. |
| CVE-2013-1817 | 2019-11-20 | MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information. |
| CVE-2013-2091 | 2019-11-20 | SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php. |
| CVE-2013-2092 | 2019-11-20 | Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php. |
| CVE-2013-2093 | 2019-11-20 | Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands. |
| CVE-2015-3167 | 2019-11-20 | contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes... |
| CVE-2015-3166 | 2019-11-20 | The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to... |
| CVE-2019-6853 | 2019-11-20 | A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a... |
| CVE-2019-6852 | 2019-11-20 | A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific... |
| CVE-2019-19221 | 2019-11-21 | In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive. |
| CVE-2019-19039 | 2019-11-21 | __btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the... |
| CVE-2019-19036 | 2019-11-21 | btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero. |
| CVE-2019-19037 | 2019-11-21 | ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero. |
| CVE-2013-7171 | 2019-11-21 | Slackware 14.0 and 14.1, and Slackware LLVM 3.0-i486-2 and 3.3-i486-2, contain world-writable permissions on the /tmp directory which could allow remote attackers to execute arbitrary code with root privileges. |
| CVE-2012-2238 | 2019-11-21 | trytond 2.4: ModelView.button fails to validate authorization |
| CVE-2013-7172 | 2019-11-21 | Slackware 13.1, 13.37, 14.0 and 14.1 contain world-writable permissions on the iodbctest and iodbctestw programs within the libiodbc package, which could allow local users to use RPATH information to execute... |
| CVE-2012-2350 | 2019-11-21 | pam_shield before 0.9.4: Default configuration does not perform protective action |
| CVE-2014-0083 | 2019-11-21 | The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSHA passwords. |
| CVE-2012-3543 | 2019-11-21 | mono 2.10.x ASP.NET Web Form Hash collision DoS |
| CVE-2012-3460 | 2019-11-21 | cumin: At installation postgresql database user created without password |
| CVE-2014-0084 | 2019-11-21 | Ruby gem openshift-origin-node before 2014-02-14 does not contain a cronjob timeout which could result in a denial of service in cron.daily and cron.weekly. |
| CVE-2019-18958 | 2019-11-21 | Nitro Pro before 13.2 creates a debug.log file in the directory where a .pdf file is located, if the .pdf document was produced by an OCR operation on the JPEG... |
| CVE-2019-16538 | 2019-11-21 | A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed... |
| CVE-2019-16539 | 2019-11-21 | A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles. |
| CVE-2019-16540 | 2019-11-21 | A path traversal vulnerability in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete arbitrary files on the Jenkins master. |
| CVE-2019-16541 | 2019-11-21 | Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. |
| CVE-2019-16542 | 2019-11-21 | Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read... |
| CVE-2019-16543 | 2019-11-21 | Jenkins Spira Importer Plugin 3.2.2 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the... |
| CVE-2019-16544 | 2019-11-21 | Jenkins QMetry for JIRA - Test Management Plugin 1.12 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with... |
| CVE-2019-16545 | 2019-11-21 | Jenkins QMetry for JIRA - Test Management Plugin transmits credentials in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure. |
| CVE-2019-16546 | 2019-11-21 | Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. |
| CVE-2019-16547 | 2019-11-21 | Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and... |
| CVE-2019-16548 | 2019-11-21 | A cross-site request forgery vulnerability in Jenkins Google Compute Engine Plugin 4.1.1 and earlier in ComputeEngineCloud#doProvision could be used to provision new agents. |
| CVE-2012-4524 | 2019-11-21 | xlockmore before 5.43 'dclock' security bypass vulnerability |
| CVE-2014-1935 | 2019-11-21 | 9base 1:6-6 and 1:6-7 insecurely creates temporary files which results in predictable filenames. |
| CVE-2014-1936 | 2019-11-21 | rc before 1.7.1-5 insecurely creates temporary files. |
| CVE-2014-1937 | 2019-11-21 | Gamera before 3.4.1 insecurely creates temporary files. |
| CVE-2014-1938 | 2019-11-21 | python-rply before 0.7.4 insecurely creates temporary files. |
| CVE-2014-3700 | 2019-11-21 | eDeploy through at least 2014-10-14 has remote code execution due to eval() of untrusted data |
| CVE-2019-17421 | 2019-11-21 | Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file... |
| CVE-2018-13916 | 2019-11-21 | Out-of-bounds memory access in Qurt kernel function when using the identifier to access Qurt kernel buffer to retrieve thread data. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics... |
| CVE-2019-10486 | 2019-11-21 | Race condition due to the lack of resource lock which will be concurrently modified in the memcpy statement leads to out of bound access in Snapdragon Auto, Snapdragon Consumer Electronics... |
| CVE-2019-10490 | 2019-11-21 | Use after free issue in Xtra daemon shutdown due to static object instance getting freed from a multiple places in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon... |
| CVE-2019-10503 | 2019-11-21 | Out-of-bounds access can occur in camera driver due to improper validation of array index in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon... |
| CVE-2019-10535 | 2019-11-21 | Improper validation for loop variable received from firmware can lead to out of bound access in WLAN function while iterating through loop in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics... |
| CVE-2019-10563 | 2019-11-21 | Buffer over-read can occur in fast message handler due to improper input validation while processing a message from firmware in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon... |
| CVE-2019-10566 | 2019-11-21 | Buffer overflow can occur in wlan module if supported rates or extended rates element length is greater than max rate set length in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics... |
| CVE-2019-10617 | 2019-11-21 | Low privilege users can access service configuration which contains registry data that admins uses to create or delete entries in the registry in QCA6174_9377.WIN.1.0 in QCA6174_9377 |
| CVE-2019-10627 | 2019-11-21 | Integer overflow to buffer overflow vulnerability in PostScript image handling code used by the PostScript- and PDF-compatible interpreters due to incorrect buffer size calculation. in PostScript and PDF printers that... |
| CVE-2019-2251 | 2019-11-21 | If a bitmap file is loaded from any un-authenticated source, there is a possibility that the bitmap can potentially cause stack buffer overflow. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity,... |
| CVE-2019-2266 | 2019-11-21 | Possible double free issue in kernel while handling the camera sensor and its sub modules power sequence in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile,... |
| CVE-2019-2268 | 2019-11-21 | Possible OOB read issue in P2P action frames while handling WLAN management frame in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice... |
| CVE-2019-2271 | 2019-11-21 | Buffer over read can happen while parsing downlink session management OTA messages if network sends un-intended values in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT,... |
| CVE-2019-2289 | 2019-11-21 | Lack of integrity check allows MODEM to accept any NAS messages which can result into authentication bypass of NAS in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT,... |
| CVE-2019-2295 | 2019-11-21 | Information disclosure due to lack of address range check done on the SysDBG buffers in SDI code. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT,... |
| CVE-2019-2297 | 2019-11-21 | Buffer overflow can occur while processing non-standard NAN message from user space. in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice &... |
| CVE-2019-2303 | 2019-11-21 | SNDCP module may access array out side its boundary when it receives malformed XID message. in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile,... |
| CVE-2019-2315 | 2019-11-21 | While invoking the API to copy from fd or local buffer to the secure buffer, Parameters being populated are from non secure environment. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity,... |
| CVE-2019-2318 | 2019-11-21 | Non Secure Kernel can cause Trustzone to do an arbitrary memory read which will result into DOS in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile,... |
| CVE-2019-2329 | 2019-11-21 | Use after free issue in cleanup routine due to missing pointer sanitization for a failed start of a trusted application. in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon... |
| CVE-2019-2335 | 2019-11-21 | While processing Attach Reject message, Valid exit condition is not met resulting into an infinite loop in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon... |
| CVE-2019-2336 | 2019-11-21 | Subsequent use of the CBO listener may result in further memory corruption due to use after free issue. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial... |
| CVE-2019-2339 | 2019-11-21 | Out of bound access due to lack of check of whiltelist array size while reading the image elf segments. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon... |
| CVE-2019-16340 | 2019-11-21 | Belkin Linksys Velop 1.1.8.192419 devices allows remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI. |