CVE List - 2019 / November
Showing 1201 - 1300 of 1679 CVEs for November 2019 (Page 13 of 17)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-15704 | 2019-11-21 | A clear text storage of sensitive information vulnerability in FortiClient for Mac may allow a local attacker to read sensitive information logged in the console window when the user connects... |
| CVE-2018-9195 | 2019-11-21 | Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information... |
| CVE-2019-17650 | 2019-11-21 | An Improper Neutralization of Special Elements used in a Command vulnerability in one of the FortiClient for Mac OS root processes may allow a local user of the system on which... |
| CVE-2019-6693 | 2019-11-21 | Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data,... |
| CVE-2018-8879 | 2019-11-21 | Stack-based buffer overflow in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to execute arbitrary code by providing a long... |
| CVE-2019-5509 | 2019-11-21 | ONTAP Select Deploy administration utility versions 2.11.2 through 2.12.2 are susceptible to a code injection vulnerability which when successfully exploited could allow an unauthenticated remote attacker to enable and use... |
| CVE-2019-17272 | 2019-11-21 | All versions of ONTAP Select Deploy administration utility are susceptible to a vulnerability which when successfully exploited could allow an administrative user to escalate their privileges. |
| CVE-2019-5086 | 2019-11-21 | An exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools, version 1.0.7. An integer overflow can occur while walking through tiles that... |
| CVE-2019-5087 | 2019-11-21 | An exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools 1.0.7. An integer overflow can occur while calculating the row's allocation size,... |
| CVE-2019-10767 | 2019-11-21 | An attacker can include file contents from outside the `/adapter/xxx/` directory, where `xxx` is the name of an existent adapter like "admin". It is exploited using the administrative web panel... |
| CVE-2019-5071 | 2019-11-21 | An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16multiTRU). A specially crafted HTTP POST request can... |
| CVE-2019-5072 | 2019-11-21 | An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16multiTRU). A specially crafted HTTP POST request can... |
| CVE-2019-19191 | 2019-11-21 | Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This... |
| CVE-2019-16405 | 2019-11-21 | Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location settings. CVE-2019-16405 and... |
| CVE-2019-16406 | 2019-11-21 | Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco... |
| CVE-2019-18886 | 2019-11-21 | An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed... |
| CVE-2019-18890 | 2019-11-21 | A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query. |
| CVE-2019-15511 | 2019-11-21 | An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service... |
| CVE-2019-19006 | 2019-11-21 | Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control. |
| CVE-2019-19033 | 2019-11-21 | Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account, by using any username and the hardcoded... |
| CVE-2019-18349 | 2019-11-21 | HotkeyP through 4.9 r96 allows privilege escalation in the privilege function in Commands.cpp. |
| CVE-2019-16758 | 2019-11-21 | In Lexmark Services Monitor 2.27.4.0.39 (running on TCP port 2070), a remote attacker can use a directory traversal technique using /../../../ or ..%2F..%2F..%2F to obtain local files on the host... |
| CVE-2019-19197 | 2019-11-21 | IOCTL Handling in the kyrld.sys driver in Kyrol Internet Security 9.0.6.9 allows an attacker to achieve privilege escalation, denial-of-service, and code execution via usermode because 0x9C402401 using METHOD_NEITHER results in... |
| CVE-2019-5636 | 2019-11-21 | Beckhoff TwinCAT Discovery Service Denial of Service |
| CVE-2019-5637 | 2019-11-21 | Beckhoff TwinCAT Profinet Driver Divide-by-Zero Denial of Service |
| CVE-2013-3314 | 2019-11-21 | The Loftek Nexus 543 IP Camera allows remote attackers to obtain (1) IP addresses via a request to get_realip.cgi or (2) firmware versions (ui and system), timestamp, serial number, p2p... |
| CVE-2013-3313 | 2019-11-21 | The Loftek Nexus 543 IP Camera stores passwords in cleartext, which allows remote attackers to obtain sensitive information via an HTTP GET request to check_users.cgi. NOTE: cleartext passwords can also... |
| CVE-2013-3312 | 2019-11-21 | Multiple cross-site request forgery (CSRF) vulnerabilities in the Loftek Nexus 543 IP Camera allow remote attackers to hijack the authentication of unspecified victims for requests that change (1) passwords or... |
| CVE-2013-3311 | 2019-11-21 | Directory traversal vulnerability in the Loftek Nexus 543 IP Camera allows remote attackers to read arbitrary files via a .. (dot dot) in the URL of an HTTP GET request. |
| CVE-2015-2793 | 2019-11-21 | Cross-site scripting (XSS) vulnerability in templates/openid-selector.tmpl in ikiwiki before 3.20150329 allows remote attackers to inject arbitrary web script or HTML via the openid_identifier parameter in a verify action to ikiwiki.cgi. |
| CVE-2019-19202 | 2019-11-21 | In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. |
| CVE-2019-19204 | 2019-11-21 | An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based... |
| CVE-2019-19203 | 2019-11-21 | An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the... |
| CVE-2019-19207 | 2019-11-21 | rConfig 3.9.2 allows devices.php?searchColumn= SQL injection. |
| CVE-2015-3140 | 2019-11-21 | Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies SynaMan before 3.5 Build 1451, Syncrify before 3.7 Build 856, and SynTail before 1.5 Build 567 |
| CVE-2014-8356 | 2019-11-21 | The web administrative portal in Zhone zNID 2426A before S3.0.501 allows remote authenticated users to bypass intended access restrictions via a modified server response, related to an insecure direct object... |
| CVE-2012-1001 | 2019-11-21 | Multiple cross-site scripting (XSS) vulnerabilities in Chyrp before 2.1.2 and before 2.5 Beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) content parameter to... |
| CVE-2014-2901 | 2019-11-21 | wolfssl before 3.2.0 does not properly issue certificates for a server's hostname. |
| CVE-2014-2902 | 2019-11-21 | wolfssl before 3.2.0 does not properly authorize CA certificate for signing other certificates. |
| CVE-2014-2904 | 2019-11-21 | wolfssl before 3.2.0 has a server certificate that is not properly authorized for server authentication. |
| CVE-2019-11325 | 2019-11-21 | An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP... |
| CVE-2019-18887 | 2019-11-21 | An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to... |
| CVE-2019-18888 | 2019-11-21 | An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for... |
| CVE-2019-18889 | 2019-11-21 | An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related... |
| CVE-2014-5254 | 2019-11-21 | xcfa before 5.0.1 creates temporary files insecurely which could allow local users to launch a symlink attack and overwrite arbitrary files. |
| CVE-2014-5255 | 2019-11-21 | xcfa before 5.0.1 creates temporary files insecurely which could allow local users to launch a symlink attack and overwrite arbitrary files. Note: A different vulnerability than CVE-2014-5254. |
| CVE-2019-18933 | 2019-11-21 | In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or... |
| CVE-2012-1637 | 2019-11-21 | Cross-site scripting vulnerability (XSS) in the Quick Tabs module 6.x-2.x before 6.x-2.1, 6.x-3.x before 6.x-3.1, and 7.x-3.x before 7.x-3.3 for Drupal. |
| CVE-2012-2078 | 2019-11-21 | Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for Drupal. |
| CVE-2012-2079 | 2019-11-21 | A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal. |
| CVE-2019-10206 | 2019-11-22 | ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could... |
| CVE-2019-13157 | 2019-11-22 | nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitrary files via directory traversal sequences in a filename within an nsz archive. |
| CVE-2018-10854 | 2019-11-22 | cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable to cross-site scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature. A stored cross-site scripting due to improper... |
| CVE-2019-10203 | 2019-11-22 | PowerDNS Authoritative daemon, pdns versions 4.0.x before 4.0.9, 4.1.x before 4.1.11, exiting when encountering a serial between 2^31 and 2^32-1 while trying to notify a slave leads to DoS. |
| CVE-2019-19227 | 2019-11-22 | In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in... |
| CVE-2015-5694 | 2019-11-22 | Designate does not enforce the DNS protocol limit concerning record set sizes |
| CVE-2015-1780 | 2019-11-22 | oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a storage domain to any data-center |
| CVE-2015-7810 | 2019-11-22 | libbluray MountManager class has a time-of-check time-of-use (TOCTOU) race when expanding JAR files |
| CVE-2012-3407 | 2019-11-22 | plow has local buffer overflow vulnerability |
| CVE-2014-3585 | 2019-11-22 | redhat-upgrade-tool: Does not check GPG signatures when upgrading versions |
| CVE-2019-4214 | 2019-11-22 | IBM SmartCloud Analytics 1.3.1 through 1.3.5 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in... |
| CVE-2019-4215 | 2019-11-22 | IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a... |
| CVE-2019-4216 | 2019-11-22 | IBM SmartCloud Analytics 1.3.1 through 1.3.5 is vulnerable to possible host header injection attack that could lead to HTTP cache poisoning or firewall bypass. IBM X-Force ID: 159187. |
| CVE-2019-4243 | 2019-11-22 | IBM SmartCloud Analytics 1.3.1 through 1.3.5 allows unauthorized disclosure of information like accessing solrconfig.xml and could allow an attacker to perform disruptive administrator tasks. IBM X-Force ID: 159517. |
| CVE-2019-4569 | 2019-11-22 | IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.16 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality... |
| CVE-2019-4570 | 2019-11-22 | IBM Tivoli Netcool Impact 7.1.0 through 7.1.0.16 generates an error message that includes sensitive information about its environment, users, or associated data. IBM X-Force ID: 166720. |
| CVE-2019-3427 | 2019-11-22 | The version V6.01.03.01 of ZTE ZXCDN IAMWEB product is impacted by a code injection vulnerability. An attacker could exploit the vulnerability to inject malicious code into the management page, resulting... |
| CVE-2019-3428 | 2019-11-22 | The version V6.01.03.01 of ZTE ZXCDN IAMWEB product is impacted by a configuration error vulnerability. An attacker could directly access the management portal in HTTP, resulting in users’ information leakage. |
| CVE-2019-19013 | 2019-11-22 | A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an arbitrary file by removing the CSRF token from a request. |
| CVE-2012-0812 | 2019-11-22 | PostfixAdmin 2.3.4 has multiple XSS vulnerabilities |
| CVE-2012-0877 | 2019-11-22 | PyXML: Hash table collisions CPU usage Denial of Service |
| CVE-2019-18790 | 2019-11-22 | An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x before 13.29.2, 16.x before 16.6.2, and 17.x before 17.0.1, and Certified Asterisk 13.21 before cert5. A SIP request can be... |
| CVE-2019-18976 | 2019-11-22 | An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through 13.x and Certified Asterisk through 13.21-x. If it receives a re-invite initiating T.38 faxing and has a port of 0... |
| CVE-2019-17445 | 2019-11-22 | An issue was discovered in Eracent EDA, EPA, EPM, EUA, FLW, and SUM Agent through 10.2.26. The agent executable, when installed for non-root operations (scanning), can be forced to copy... |
| CVE-2019-15652 | 2019-11-22 | The web interface for NSSLGlobal SatLink VSAT Modem Unit (VMU) devices before 18.1.0 doesn't properly sanitize input for error messages, leading to the ability to inject client-side code. |
| CVE-2019-18610 | 2019-11-22 | An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization... |
| CVE-2019-17446 | 2019-11-22 | An issue was discovered in Eracent EPA Agent through 10.2.26. The agent executable, when installed for non-root operations (scanning), can be used to start external programs with elevated permissions because... |
| CVE-2013-6880 | 2019-11-22 | Open redirect in proxy.php in FlashCanvas before 1.6 allows remote attackers to redirect users to arbitrary web sites and conduct cross-site scripting (XSS) attacks via the HTTP Referer header. |
| CVE-2019-9536 | 2019-11-22 | Apple iPhone 3GS bootrom malloc implementation returns a non-NULL pointer when unable to allocate memory, aka 'alloc8'. An attacker with physical access to the device can install arbitrary firmware. |
| CVE-2013-6811 | 2019-11-22 | Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DSL-6740U gateway (Rev. H1) allow remote attackers to hijack the authentication of administrators for requests that change administrator credentials or enable... |
| CVE-2014-6310 | 2019-11-22 | Buffer overflow in CHICKEN 4.9.0 and 4.9.0.1 may allow remote attackers to execute arbitrary code via the 'select' function. |
| CVE-2013-6239 | 2019-11-22 | Cross-site scripting (XSS) vulnerability in the photo gallery model in Exis Contexis before 2.0 allows remote attackers to inject arbitrary web script or HTML via the image parameter in a... |
| CVE-2013-6879 | 2019-11-22 | The Mijosoft MijoSearch component 2.0.1 and earlier for Joomla! allows remote attackers to obtain sensitive information via a request to component/mijosearch/search, which reveals the installation path in an error message. |
| CVE-2013-6878 | 2019-11-22 | Cross-site scripting (XSS) vulnerability in the Mijosoft MijoSearch component 2.0.4 and earlier for Joomla! allows remote attackers to inject arbitrary web script or HTML via the query parameter to component/mijosearch/search. |
| CVE-2014-6311 | 2019-11-22 | generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory which allows attackers to gain elevated privileges. |
| CVE-2014-1238 | 2019-11-22 | Cross-site scripting (XSS) vulnerability in ui/common/managedlistdialog.aspx in Gael Q-Pulse 0.6 and earlier. |
| CVE-2019-16763 | 2019-11-22 | XSS in Pannellum from 2.5.0 through 2.5.4 |
| CVE-2014-2213 | 2019-11-22 | Open redirect vulnerability in the password reset functionality in POSH 3.0 through 3.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL... |
| CVE-2014-2214 | 2019-11-22 | Multiple cross-site scripting (XSS) vulnerabilities in POSH (aka Posh portal or Portaneo) 3.0 through 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) error parameter... |
| CVE-2012-6077 | 2019-11-22 | W3 Total Cache before 0.9.2.5 allows remote attackers to retrieve password hash information due to insecure storage of database cache files. |
| CVE-2019-19240 | 2019-11-22 | Embedthis GoAhead before 5.0.1 mishandles redirected HTTP requests with a large Host header. The GoAhead WebsRedirect uses a static host buffer that has a limited length and can overflow. This... |
| CVE-2013-6234 | 2019-11-22 | Unrestricted file upload vulnerability in the Worksheet designer in SpagoBI before 4.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing... |
| CVE-2012-6078 | 2019-11-22 | W3 Total Cache before 0.9.2.5 generates hash keys insecurely which allows remote attackers to predict the values of the hashes. |
| CVE-2013-0202 | 2019-11-22 | Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php. |
| CVE-2013-0203 | 2019-11-22 | Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2)... |
| CVE-2012-6079 | 2019-11-22 | W3 Total Cache before 0.9.2.5 exposes sensitive cached database information which allows remote attackers to download this information via their hash keys. |
| CVE-2019-3654 | 2019-11-22 | Client Proxy (MCP) - Authentication Bypass vulnerability |
| CVE-2019-13566 | 2019-11-22 | An issue was discovered in the ROS communications-related packages (aka ros_comm or ros-melodic-ros-comm) through 1.14.3. A buffer overflow allows attackers to cause a denial of service and possibly execute arbitrary... |
| CVE-2019-18622 | 2019-11-22 | An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. |
| CVE-2019-18910 | 2019-11-22 | The Citrix Receiver wrapper function does not safely handle user supplied input, which may be leveraged by an attacker to inject commands that will execute with local user privileges. |