CVE List - 2019 / February
Showing 501 - 600 of 838 CVEs for February 2019 (Page 6 of 9)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-8434 | 2019-02-18 | In CmsEasy 7.0, there is XSS via the ckplayer.php autoplay parameter. |
| CVE-2019-8435 | 2019-02-18 | admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header. |
| CVE-2019-8436 | 2019-02-18 | imcat 4.5 has Stored XSS via the root/run/adm.php fm[instop][note] parameter. |
| CVE-2019-8902 | 2019-02-18 | An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI. |
| CVE-2019-6453 | 2019-02-18 | mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from... |
| CVE-2019-8372 | 2019-02-18 | The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality that allows low-privileged users to read and write arbitrary physical memory via specially crafted IOCTL requests and elevate system... |
| CVE-2019-8903 | 2019-02-18 | index.js in Total.js Platform before 3.2.3 allows path traversal. |
| CVE-2019-8904 | 2019-02-18 | do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf. |
| CVE-2019-8905 | 2019-02-18 | do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360. |
| CVE-2019-8906 | 2019-02-18 | do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused. |
| CVE-2019-8907 | 2019-02-18 | do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact. |
| CVE-2018-12159 | 2019-02-18 | Buffer overflow in the command-line interface for Intel(R) PROSet Wireless v20.50 and before may allow an authenticated user to potentially enable denial of service via local access. |
| CVE-2018-3700 | 2019-02-18 | Code injection vulnerability in the installer for Intel(R) USB 3.0 eXtensible Host Controller Driver for Microsoft Windows 7 before version 5.0.4.43v2 may allow a user to potentially enable escalation of... |
| CVE-2019-0101 | 2019-02-18 | Authentication bypass in the Intel Unite(R) solution versions 3.2 through 3.3 may allow an unauthenticated user to potentially enable escalation of privilege to the Intel Unite(R) Solution administrative portal via... |
| CVE-2019-0102 | 2019-02-18 | Insufficient session authentication in web server for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access. |
| CVE-2019-0103 | 2019-02-18 | Insufficient file protection in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access. |
| CVE-2019-0104 | 2019-02-18 | Insufficient file protection in uninstall routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access. |
| CVE-2019-0105 | 2019-02-18 | Insufficient file permissions checking in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2019-0106 | 2019-02-18 | Insufficient run protection in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2019-0107 | 2019-02-18 | Insufficient user prompt in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2019-0108 | 2019-02-18 | Improper file permissions for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable disclosure of information via local access. |
| CVE-2019-0109 | 2019-02-18 | Improper folder permissions in Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2019-0110 | 2019-02-18 | Insufficient key management for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access. |
| CVE-2019-0111 | 2019-02-18 | Improper file permissions for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access. |
| CVE-2019-0112 | 2019-02-18 | Improper flow control in crypto routines for Intel(R) Data Center Manager SDK before version 5.0.2 may allow a privileged user to potentially enable a denial of service via local access. |
| CVE-2019-0127 | 2019-02-18 | Logic error in the installer for Intel(R) OpenVINO(TM) 2018 R3 and before for Linux may allow a privileged user to potentially enable information disclosure via local access. |
| CVE-2019-8912 | 2019-02-18 | In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr. |
| CVE-2019-8908 | 2019-02-18 | An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and... |
| CVE-2019-8909 | 2019-02-18 | An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service (resource consumption) via crafted dimensions for the verification code image. |
| CVE-2019-8910 | 2019-02-18 | An issue was discovered in WTCMS 1.0. It allows index.php?g=admin&m=setting&a=site_post CSRF. |
| CVE-2019-8911 | 2019-02-18 | An issue was discovered in WTCMS 1.0. It has stored XSS via the third text box (for the website statistics code). |
| CVE-2019-8917 | 2019-02-18 | SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect... |
| CVE-2019-7629 | 2019-02-18 | Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client. |
| CVE-2019-8919 | 2019-02-18 | The seadroid (aka Seafile Android Client) application through 2.2.13 for Android always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it... |
| CVE-2019-8933 | 2019-02-19 | In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of... |
| CVE-2019-3812 | 2019-02-19 | QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute... |
| CVE-2019-8935 | 2019-02-19 | Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter. |
| CVE-2019-8939 | 2019-02-19 | data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page. |
| CVE-2019-5754 | 2019-02-19 | Implementation error in QUIC Networking in Google Chrome prior to 72.0.3626.81 allowed an attacker running or able to cause use of a proxy server to obtain cleartext of transport encryption... |
| CVE-2019-5755 | 2019-02-19 | Incorrect handling of negative zero in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. |
| CVE-2019-5756 | 2019-02-19 | Inappropriate memory management when caching in PDFium in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. |
| CVE-2019-5757 | 2019-02-19 | An incorrect object type assumption in SVG in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. |
| CVE-2019-5758 | 2019-02-19 | Incorrect object lifecycle management in Blink in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2019-5759 | 2019-02-19 | Incorrect lifetime handling in HTML select elements in Google Chrome on Android and Mac prior to 72.0.3626.81 allowed a remote attacker to potentially perform a sandbox escape via a crafted... |
| CVE-2019-5760 | 2019-02-19 | Insufficient checks of pointer validity in WebRTC in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2019-5761 | 2019-02-19 | Incorrect object lifecycle management in SwiftShader in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2019-5762 | 2019-02-19 | Inappropriate memory management when caching in PDFium in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. |
| CVE-2019-5763 | 2019-02-19 | Failure to check error conditions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2019-5764 | 2019-02-19 | Incorrect pointer management in WebRTC in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2019-5765 | 2019-02-19 | An exposed debugging endpoint in the browser in Google Chrome on Android prior to 72.0.3626.81 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted... |
| CVE-2019-5766 | 2019-02-19 | Incorrect handling of origin taint checking in Canvas in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to leak cross-origin data via a crafted HTML page. |
| CVE-2019-5767 | 2019-02-19 | Insufficient protection of permission UI in WebAPKs in Google Chrome on Android prior to 72.0.3626.81 allowed an attacker who convinced the user to install a malicious application to access privacy/security... |
| CVE-2019-5768 | 2019-02-19 | DevTools API not correctly gating on extension capability in DevTools in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious extension to read... |
| CVE-2019-5769 | 2019-02-19 | Incorrect handling of invalid end character position when front rendering in Blink in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted... |
| CVE-2019-5770 | 2019-02-19 | Insufficient input validation in WebGL in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. |
| CVE-2019-5771 | 2019-02-19 | An incorrect JIT of GLSL shaders in SwiftShader in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code via a crafted HTML page. |
| CVE-2019-5772 | 2019-02-19 | Sharing of objects over calls into JavaScript runtime in PDFium in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. |
| CVE-2019-5773 | 2019-02-19 | Insufficient origin validation in IndexedDB in Google Chrome prior to 72.0.3626.81 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML... |
| CVE-2019-5774 | 2019-02-19 | Omission of the .desktop filetype from the Safe Browsing checklist in SafeBrowsing in Google Chrome on Linux prior to 72.0.3626.81 allowed an attacker who convinced a user to download a... |
| CVE-2019-5775 | 2019-02-19 | Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted... |
| CVE-2019-5776 | 2019-02-19 | Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted... |
| CVE-2019-5777 | 2019-02-19 | Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted... |
| CVE-2019-5778 | 2019-02-19 | A missing case for handling special schemes in permission request checks in Extensions in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious... |
| CVE-2019-5779 | 2019-02-19 | Insufficient policy validation in ServiceWorker in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. |
| CVE-2019-5780 | 2019-02-19 | Insufficient restrictions on what can be done with Apple Events in Google Chrome on macOS prior to 72.0.3626.81 allowed a local attacker to execute JavaScript via Apple Events. |
| CVE-2019-5781 | 2019-02-19 | Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted... |
| CVE-2019-5782 | 2019-02-19 | Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. |
| CVE-2019-5783 | 2019-02-19 | Missing URI encoding of untrusted input in DevTools in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform a Dangling Markup Injection attack via a crafted HTML page. |
| CVE-2018-1996 | 2019-02-19 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide weaker than expected security, caused by the improper TLS configuration. A remote attacker could exploit this vulnerability to obtain... |
| CVE-2018-9867 | 2019-02-19 | In SonicWall SonicOS, administrators without full permissions can download imported certificates. Occurs when administrators who are not in the SonicWall Administrators user group attempt to download imported certificates. This vulnerability... |
| CVE-2018-20025 | 2019-02-19 | Use of Insufficiently Random Values exists in CODESYS V3 products versions prior V3.5.14.0. |
| CVE-2018-20026 | 2019-02-19 | Improper Communication Address Filtering exists in CODESYS V3 products versions prior V3.5.14.0. |
| CVE-2019-7164 | 2019-02-20 | SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. |
| CVE-2018-19106 | 2019-02-20 | Avi Vantage before 17.2.13 uses an invalid URL encoding during a redirect operation, aka AV-33959. |
| CVE-2019-8942 | 2019-02-20 | WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a... |
| CVE-2019-8943 | 2019-02-20 | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing... |
| CVE-2019-8944 | 2019-02-20 | An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log... |
| CVE-2019-8948 | 2019-02-20 | PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163. |
| CVE-2019-8950 | 2019-02-20 | The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET. |
| CVE-2018-20240 | 2019-02-20 | The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the... |
| CVE-2018-20241 | 2019-02-20 | The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS)... |
| CVE-2019-8331 | 2019-02-20 | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. |
| CVE-2019-8953 | 2019-02-20 | The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php. |
| CVE-2018-20030 | 2019-02-20 | An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF tags within libexif version 0.6.21 can be exploited to exhaust available CPU resources. |
| CVE-2019-8954 | 2019-02-20 | In Indexhibit 2.1.5, remote attackers can execute arbitrary code via the v parameter (in conjunction with the id parameter) in a upd_jxcode=true action to the ndxzstudio/?a=system URI. |
| CVE-2018-5818 | 2019-02-20 | An error within the "parse_rollei()" function (internal/dcraw_common.cpp) within LibRaw versions prior to 0.19.1 can be exploited to trigger an infinite loop. |
| CVE-2018-5817 | 2019-02-20 | A type confusion error within the "unpacked_load_raw()" function within LibRaw versions prior to 0.19.1 (internal/dcraw_common.cpp) can be exploited to trigger an infinite loop. |
| CVE-2018-5819 | 2019-02-20 | An error within the "parse_sinar_ia()" function (internal/dcraw_common.cpp) within LibRaw versions prior to 0.19.1 can be exploited to exhaust available CPU resources. |
| CVE-2019-3924 | 2019-02-20 | MikroTik RouterOS before 6.43.12 (stable) and 6.42.12 (long-term) is vulnerable to an intermediary vulnerability. The software will execute user defined network requests to both WAN and LAN clients. A remote... |
| CVE-2019-1003024 | 2019-02-20 | A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint... |
| CVE-2019-1003025 | 2019-02-20 | A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using... |
| CVE-2019-1003026 | 2019-02-20 | A server-side request forgery vulnerability exists in Jenkins Mattermost Notification Plugin 2.6.2 and earlier in MattermostNotifier.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified Mattermost... |
| CVE-2019-1003027 | 2019-02-20 | A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and... |
| CVE-2019-1003028 | 2019-02-20 | A server-side request forgery vulnerability exists in Jenkins JMS Messaging Plugin 1.1.1 and earlier in SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java that allows attackers with Overall/Read permission to have Jenkins connect to a JMS... |
| CVE-2019-3474 | 2019-02-20 | Path traversal vulnerability in Filr web application |
| CVE-2019-3475 | 2019-02-20 | Local privilege escalation in Filr famtd |
| CVE-2018-15380 | 2019-02-20 | Cisco HyperFlex Software Command Injection Vulnerability |
| CVE-2019-8996 | 2019-02-21 | In Signiant Manager+Agents before 13.5, the implementation of the set command has a Buffer Overflow. |
| CVE-2019-5727 | 2019-02-21 | Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has... |
| CVE-2013-7469 | 2019-02-21 | Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks. |