CVE List - 2019 / December
Showing 401 - 500 of 1578 CVEs for December 2019 (Page 5 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-15008 | 2019-12-11 | The /plugins/servlet/branchreview resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the reviewedBranch... |
| CVE-2019-15009 | 2019-12-11 | The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability. |
| CVE-2019-14899 | 2019-12-11 | A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using... |
| CVE-2019-10772 | 2019-12-11 | It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer. |
| CVE-2014-0163 | 2019-12-11 | Openshift has shell command injection flaws due to unsanitized data being passed into shell commands. |
| CVE-2019-18377 | 2019-12-11 | Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application... |
| CVE-2019-18378 | 2019-12-11 | Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into... |
| CVE-2019-18379 | 2019-12-11 | Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a server-side request forgery (SSRF) exploit, which is a type of issue that can let an attacker send crafted requests... |
| CVE-2019-19583 | 2019-12-11 | An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of service (guest OS crash) because VMX VMEntry checks mishandle a certain... |
| CVE-2019-19582 | 2019-12-11 | An issue was discovered in Xen through 4.12.x allowing x86 guest OS users to cause a denial of service (infinite loop) because certain bit iteration is mishandled. In a number... |
| CVE-2019-19581 | 2019-12-11 | An issue was discovered in Xen through 4.12.x allowing 32-bit Arm guest OS users to cause a denial of service (out-of-bounds access) because certain bit iteration is mishandled. In a... |
| CVE-2019-19580 | 2019-12-11 | An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations, because... |
| CVE-2019-19578 | 2019-12-11 | An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect... |
| CVE-2019-19577 | 2019-12-11 | An issue was discovered in Xen through 4.12.x allowing x86 AMD HVM guest OS users to cause a denial of service or possibly gain privileges by triggering data-structure access during... |
| CVE-2019-14317 | 2019-12-11 | wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) generate biased DSA nonces. This allows a remote attacker to compute the long term private key from several hundred DSA... |
| CVE-2019-19650 | 2019-12-11 | Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. |
| CVE-2013-4968 | 2019-12-11 | Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct clickjacking attacks via unspecified vectors related to the console, and (2) conduct cross-site scripting (XSS) attacks via unspecified vectors related... |
| CVE-2019-19649 | 2019-12-11 | Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. |
| CVE-2013-3542 | 2019-12-11 | Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models with firmware 1.0.4.11, have a hardcoded account "!#/" with the same password, which makes... |
| CVE-2013-3691 | 2019-12-11 | AirLive POE-2600HD allows remote attackers to cause a denial of service (device reset) via a long URL. |
| CVE-2013-4303 | 2019-12-11 | includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "."... |
| CVE-2014-7257 | 2019-12-11 | SQL injection vulnerability in DBD::PgPP 0.05 and earlier |
| CVE-2013-5978 | 2019-12-11 | Multiple cross-site scripting (XSS) vulnerabilities in products.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) Product... |
| CVE-2013-5743 | 2019-12-11 | Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1, and 2.1.x before 2.1.7. |
| CVE-2019-19373 | 2019-12-11 | An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger... |
| CVE-2019-19374 | 2019-12-11 | An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user... |
| CVE-2019-19729 | 2019-12-11 | An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the... |
| CVE-2019-0395 | 2019-12-11 | SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site Scripting vulnerability. |
| CVE-2019-0398 | 2019-12-11 | Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, may lead to an authenticated user to send unintended request to the... |
| CVE-2019-0399 | 2019-12-11 | SAP Portfolio and Project Management, before versions S4CORE 102, 103, EPPM 100 and CPRXRPM 500_702, 600_740, 610_740; unintentionally allows a user to discover accounting information of the Projects in Project... |
| CVE-2019-0402 | 2019-12-11 | SAP Adaptive Server Enterprise, before versions 15.7 and 16.0, under certain conditions exposes some sensitive information to the admin, leading to Information Disclosure. |
| CVE-2019-0403 | 2019-12-11 | SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection. |
| CVE-2019-0404 | 2019-12-11 | SAP Enable Now, before version 1911, leaks information about network configuration in the server error messages, leading to Information Disclosure. |
| CVE-2019-0405 | 2019-12-11 | SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to construct a list of users, leading to a user enumeration... |
| CVE-2019-17087 | 2019-12-11 | Unauthorized file download vulnerability in all supported versions of Micro Focus AcuToWeb. The vulnerability could be exploited to enumerate and download files from the filesystem of the system running AcuToWeb,... |
| CVE-2019-18245 | 2019-12-11 | Reliable Controls LicenseManager versions 3.4 and prior may allow an authenticated user to insert malicious code into the system root path, which may allow execution of code with elevated privileges... |
| CVE-2019-18232 | 2019-12-11 | SafeNet Sentinel LDK License Manager, all versions prior to 7.101 (only Microsoft Windows versions are affected), is vulnerable when configured as a service. This vulnerability may allow an attacker with local... |
| CVE-2019-3989 | 2019-12-11 | Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when retrieving internal network configuration data. |
| CVE-2019-3988 | 2019-12-11 | Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's wifi configuration via... |
| CVE-2019-3987 | 2019-12-11 | Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's wifi configuration via... |
| CVE-2019-3986 | 2019-12-11 | Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's wifi configuration via... |
| CVE-2019-3985 | 2019-12-11 | Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's wifi configuration via... |
| CVE-2019-3983 | 2019-12-11 | Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary code and commands on the device due to insufficient UART protections. |
| CVE-2019-10694 | 2019-12-11 | The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they... |
| CVE-2019-10695 | 2019-12-11 | When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user’s username and password were exposed in the job’s Job Details pane in the PE... |
| CVE-2019-7004 | 2019-12-11 | Avaya IP Office XSS Vulnerability |
| CVE-2019-5090 | 2019-12-11 | An exploitable information disclosure vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an out-of-bounds read, resulting in information disclosure. An... |
| CVE-2019-5093 | 2019-12-11 | An exploitable code execution vulnerability exists in the DICOM network response functionality of LEADTOOLS libltdic.so version 20.0.2019.3.15. A specially crafted packet can cause an integer overflow, resulting in heap corruption.... |
| CVE-2019-5085 | 2019-12-11 | An exploitable code execution vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an integer overflow, resulting in heap corruption. An... |
| CVE-2019-5091 | 2019-12-11 | An exploitable denial-of-service vulnerability exists in the Dicom-packet parsing functionality of LEADTOOLS libltdic.so version 20.0.2019.3.15. A specially crafted packet can cause an infinite loop, resulting in a denial of service.... |
| CVE-2019-5154 | 2019-12-11 | An exploitable heap overflow vulnerability exists in the JPEG2000 parsing functionality of LEADTOOLS 20.0.2019.3.15. A specially crafted J2K image file can cause an out of bounds write of a null... |
| CVE-2019-5092 | 2019-12-11 | An exploitable heap out of bounds write vulnerability exists in the UI tag parsing functionality of the DICOM image format of LEADTOOLS 20.0.2019.3.15. A specially crafted DICOM image can cause... |
| CVE-2017-18640 | 2019-12-12 | The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564. |
| CVE-2019-19726 | 2019-12-12 | OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When... |
| CVE-2019-19750 | 2019-12-12 | minerstat msOS before 2019-10-23 does not have a unique SSH key for each instance of the product. |
| CVE-2019-19740 | 2019-12-12 | Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get is vulnerable. |
| CVE-2019-19746 | 2019-12-12 | make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type. |
| CVE-2019-19748 | 2019-12-12 | The Work Time Calendar app before 4.7.1 for Jira allows XSS. |
| CVE-2019-10484 | 2019-12-12 | Use after free issue occurs when command destructors access dynamically allocated response buffer which is already deallocated during previous command teardown sequence in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT,... |
| CVE-2019-10485 | 2019-12-12 | Infinite loop while decoding compressed data can lead to overrun condition in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music,... |
| CVE-2019-10493 | 2019-12-12 | Position determination accuracy may be degraded due to wrongly decoded information in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, MDM9206, MDM9207C,... |
| CVE-2019-10494 | 2019-12-12 | Race condition between the camera functions due to lack of resource lock which will lead to memory corruption and UAF issue in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer... |
| CVE-2019-10511 | 2019-12-12 | Possibility of memory overflow while decoding GSNDCP compressed mode PDU in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon... |
| CVE-2019-10520 | 2019-12-12 | An unprivileged application can allocate GPU memory by calling memory allocation ioctl function and can exhaust all the memory which results in out of memory in Snapdragon Mobile, Snapdragon Voice... |
| CVE-2019-10530 | 2019-12-12 | Lack of check of data truncation on user supplied data in kernel leads to buffer overflow in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice &... |
| CVE-2019-10545 | 2019-12-12 | Null pointer dereference issue in kernel due to missing check related to LLC support in GPU in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Mobile, Snapdragon Voice... |
| CVE-2019-10555 | 2019-12-12 | Buffer overflow can occur due to usage of wrong datatype and missing length check before copying into buffer in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT,... |
| CVE-2019-10559 | 2019-12-12 | Accessing data buffer beyond the available data while parsing ogg clip can lead to null-pointer dereference and then memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT,... |
| CVE-2019-10571 | 2019-12-12 | Snapshot of IB can lead to invalid address access due to missing check for size in the related function in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer... |
| CVE-2019-10592 | 2019-12-12 | Possible integer overflow while multiplying two integers of 32 bit in QDCM API of get display modes as there is no check on the maximum mode count in Snapdragon Auto,... |
| CVE-2019-10618 | 2019-12-12 | Driver may access an invalid address while processing IO control due to lack of check of address validation in Snapdragon Connectivity in QCA6390 |
| CVE-2019-2288 | 2019-12-12 | Out of bound write in TZ while copying the secure dump structure on HLOS provided buffer as a part of memory dump in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon... |
| CVE-2019-2310 | 2019-12-12 | Out of bound read would occur while trying to read action category and action ID without validating the action length of the Rx Frame body in Snapdragon Auto, Snapdragon Consumer... |
| CVE-2019-2319 | 2019-12-12 | HLOS could corrupt CPZ page table memory for S1 managed VMs in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and... |
| CVE-2019-2320 | 2019-12-12 | Possible out of bounds write in a MT SMS/SS scenario due to improper validation of array index in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT,... |
| CVE-2019-2321 | 2019-12-12 | Incorrect length used while validating the qsee log buffer sent from HLOS which could then lead to remap conflict in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity,... |
| CVE-2019-2337 | 2019-12-12 | While Skipping unknown IES, EMM is reading the buffer even if the no of bytes to read are more than message length which may cause device to shutdown in Snapdragon... |
| CVE-2019-2338 | 2019-12-12 | Crafted image that has a valid signature from a non-QC entity can be loaded which can read/write memory that belongs to the secure world in Snapdragon Auto, Snapdragon Compute, Snapdragon... |
| CVE-2019-14849 | 2019-12-12 | A vulnerability was found in 3scale before version 2.6, which did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting... |
| CVE-2019-13927 | 2019-12-12 | A vulnerability has been identified in Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D with Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 (All firmware versions < V6.00.320), Desigo PX automation... |
| CVE-2019-13945 | 2019-12-12 | A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family < V4.x (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family... |
| CVE-2019-15930 | 2019-12-12 | Intesync Solismed 3.3sp allows Clickjacking. |
| CVE-2019-15931 | 2019-12-12 | Intesync Solismed 3.3sp allows Directory Traversal, a different vulnerability than CVE-2019-16246. |
| CVE-2019-15932 | 2019-12-12 | Intesync Solismed 3.3sp has Incorrect Access Control. |
| CVE-2019-15933 | 2019-12-12 | Intesync Solismed 3.3sp has SQL Injection. |
| CVE-2019-15934 | 2019-12-12 | Intesync Solismed 3.3sp has CSRF. |
| CVE-2019-15935 | 2019-12-12 | Intesync Solismed 3.3sp has XSS. |
| CVE-2019-15936 | 2019-12-12 | Intesync Solismed 3.3sp allows Insecure File Upload. |
| CVE-2019-16246 | 2019-12-12 | Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution. |
| CVE-2019-17428 | 2019-12-12 | An issue was discovered in Intesync Solismed 3.3sp1. A flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted. |
| CVE-2019-19247 | 2019-12-12 | Electronic Arts Origin through 10.5.x allows Elevation of Privilege (issue 1 of 2). |
| CVE-2019-19248 | 2019-12-12 | Electronic Arts Origin through 10.5.x allows Elevation of Privilege (issue 2 of 2). |
| CVE-2019-17358 | 2019-12-12 | Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and... |
| CVE-2019-18345 | 2019-12-12 | A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data... |
| CVE-2019-19198 | 2019-12-12 | The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS. |
| CVE-2019-4606 | 2019-12-12 | IBM DB2 High Performance Unload load for LUW 6.1 and 6.5 could allow a local attacker to execute arbitrary code on the system, caused by an untrusted search path vulnerability.... |
| CVE-2019-19766 | 2019-12-12 | The Bitwarden server through 1.32.0 has a potentially unwanted KDF. |
| CVE-2019-13930 | 2019-12-12 | A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing... |
| CVE-2019-13931 | 2019-12-12 | A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow for an attacker to craft the input in a form that is not... |
| CVE-2019-13932 | 2019-12-12 | A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web application requests could be manipulated, causing the application to behave in unexpected ways for legitimate users.... |