CVE List - 2019 / June
Showing 301 - 400 of 1244 CVEs for June 2019 (Page 4 of 13)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-7311 | 2019-06-06 | An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. A lack of encryption in how the user login cookie (admin-auth) is stored on a victim's computer results in the admin... |
| CVE-2019-7220 | 2019-06-06 | X-Cart V5 is vulnerable to XSS via the CategoryFilter2 parameter. |
| CVE-2019-7215 | 2019-06-06 | Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means... |
| CVE-2019-12135 | 2019-06-06 | An unspecified vulnerability in the application server in PaperCut MF and NG versions 18.3.8 and earlier and versions 19.0.3 and earlier allows remote attackers to execute arbitrary code via an... |
| CVE-2019-12291 | 2019-06-06 | HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using... |
| CVE-2019-9929 | 2019-06-06 | Northern.tech CFEngine Enterprise 3.12.1 has Insecure Permissions. |
| CVE-2019-6989 | 2019-06-06 | TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ipAddrDispose function. By sending specially crafted ICMP echo request packets, a remote authenticated attacker... |
| CVE-2019-6452 | 2019-06-06 | Kyocera Command Center RX TASKalfa4501i and TASKalfa5052ci allows remote attackers to abuse the Test button in the machine address book to obtain a cleartext FTP or SMB password. |
| CVE-2019-6451 | 2019-06-06 | On SOYAL AR-727H and AR-829Ev5 devices, all CGI programs allow unauthenticated POST access. |
| CVE-2019-3579 | 2019-06-06 | MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code parameter. |
| CVE-2019-3578 | 2019-06-06 | MyBB 1.8.19 has XSS in the resetpassword function. |
| CVE-2018-9839 | 2019-06-06 | An issue was discovered in MantisBT through 1.3.14, and 2.0.0. Using a crafted request on bug_report_page.php (modifying the 'm_id' parameter), any user with REPORTER access or above is able to... |
| CVE-2018-8047 | 2019-06-06 | vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web... |
| CVE-2019-12760 | 2019-06-06 | A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written... |
| CVE-2019-12761 | 2019-06-06 | A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be... |
| CVE-2019-5522 | 2019-06-06 | VMware Tools for Windows update addresses an out of bounds read vulnerability in vm3dmp driver which is installed with vmtools in Windows guest machines. This issue is present in versions... |
| CVE-2019-5525 | 2019-06-06 | VMware Workstation (15.x before 15.1.0) contains a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) backend. A malicious user with normal user privileges on the guest machine may exploit... |
| CVE-2019-3722 | 2019-06-06 | XML External Entity (XXE) Injection Vulnerability |
| CVE-2019-3723 | 2019-06-06 | Web Parameter Tampering Vulnerability |
| CVE-2019-3790 | 2019-06-06 | Ops Manager uaa client issues tokens after refresh token expiration |
| CVE-2019-12492 | 2019-06-06 | Gallagher Command Centre before 7.80.939, 7.90.x before 7.90.961, and 8.x before 8.00.1128 allows arbitrary event creation and information disclosure via the FT Command Centre Service and FT Controller Service services. |
| CVE-2019-11523 | 2019-06-06 | Anviz Global M3 Outdoor RFID Access Control executes any command received from any source. No authentication/encryption is done. Attackers can fully interact with the device: for example, send the "open... |
| CVE-2019-12762 | 2019-06-06 | Xiaomi Mi 5s Plus devices allow attackers to trigger touchscreen anomalies via a radio signal between 198 kHz and 203 kHz, as demonstrated by a transmitter and antenna hidden just... |
| CVE-2019-4161 | 2019-06-06 | IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID:... |
| CVE-2019-4162 | 2019-06-06 | IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 is missing the HTTP Strict Transport Security header. Users can navigate by mistake to the unencrypted version of the web application... |
| CVE-2019-4217 | 2019-06-06 | IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious... |
| CVE-2019-4218 | 2019-06-06 | IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 159227. |
| CVE-2019-4219 | 2019-06-06 | IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID:... |
| CVE-2019-4257 | 2019-06-06 | IBM InfoSphere Information Server 11.5 and 11.7 is affected by an information disclosure vulnerability. Sensitive information in an error message may be used to conduct further attacks against the system.... |
| CVE-2019-12763 | 2019-06-07 | The Security Camera CZ application through 1.6.8 for Android stores potentially sensitive recorded video in external data storage, which is readable by any application. |
| CVE-2019-12771 | 2019-06-07 | Command injection is possible in ThinStation through 6.1.1 via shell metacharacters after the cgi-bin/CdControl.cgi action= substring, or after the cgi-bin/VolControl.cgi OK= substring. |
| CVE-2019-6530 | 2019-06-07 | Panasonic FPWIN Pro version 7.3.0.0 and prior allows attacker-created project files to be loaded by an authenticated user causing heap-based buffer overflows, which may lead to remote code execution. |
| CVE-2019-6532 | 2019-06-07 | Panasonic FPWIN Pro version 7.3.0.0 and prior allows attacker-created project files to be loaded by an authenticated user triggering incompatible type errors because the resource does not have expected properties.... |
| CVE-2019-8283 | 2019-06-07 | Hasplm cookie in Gemalto Admin Control Center, all versions prior to 7.92, does not have 'HttpOnly' flag. This allows malicious javascript to steal it. |
| CVE-2019-8282 | 2019-06-07 | Gemalto Admin Control Center, all versions prior to 7.92, uses cleartext HTTP to communicate with www3.safenet-inc.com to obtain language packs. This allows attacker to do man-in-the-middle (MITM) attack and replace... |
| CVE-2019-4066 | 2019-06-07 | IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 could allow an authenciated user to create arbitrary users which could cause ID management issues and result in code execution. IBM X-Force... |
| CVE-2019-4067 | 2019-06-07 | IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM... |
| CVE-2019-4068 | 2019-06-07 | IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 is vulnerable to user enumeration, allowing an attacker to brute force into the system. IBM X-Force ID: 157013. |
| CVE-2019-4069 | 2019-06-07 | IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 does not properly validate file types, allowing an attacker to upload malicious content. IBM X-Force ID: 157014. |
| CVE-2019-4070 | 2019-06-07 | IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended... |
| CVE-2019-12477 | 2019-06-07 | Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri= URI. |
| CVE-2018-6185 | 2019-06-07 | In Cloudera Navigator Key Trustee KMS 5.12 and 5.13, incorrect default ACL values allow remote access to purge and undelete API calls on encryption zone keys. The Navigator Key Trustee... |
| CVE-2018-5798 | 2019-06-07 | This CVE relates to an unspecified cross site scripting vulnerability in Cloudera Manager. |
| CVE-2018-5265 | 2019-06-07 | Ubiquiti EdgeOS 1.9.1 on EdgeRouter Lite devices allows remote attackers to execute arbitrary code with admin credentials, because /opt/vyatta/share/vyatta-cfg/templates/system/static-host-mapping/host-name/node.def does not sanitize the 'alias' or 'ips' parameter for shell metacharacters. |
| CVE-2019-12774 | 2019-06-07 | A number of stored XSS vulnerabilities have been identified in the web configuration feature in ENTTEC Datagate Mk2 70044_update_05032019-482 that could allow an unauthenticated threat actor to inject malicious code... |
| CVE-2019-12775 | 2019-06-07 | An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They allow high-privileged root access by www-data via sudo without requiring appropriate... |
| CVE-2019-12776 | 2019-06-07 | An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They include a hard-coded SSH backdoor for remote SSH and SCP access... |
| CVE-2019-12777 | 2019-06-07 | An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They replace secure and protected directory permissions (set as default by the... |
| CVE-2018-5264 | 2019-06-07 | Ubiquiti UniFi 52 devices, when Hotspot mode is used, allow remote attackers to bypass intended restrictions on "free time" Wi-Fi usage by sending a /guest/s/default/ request to obtain a cookie,... |
| CVE-2018-20523 | 2019-06-07 | Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. In other words, a third-party application can read the user's... |
| CVE-2018-20135 | 2019-06-07 | Samsung Galaxy Apps before 4.4.01.7 allows modification of the hostname used for load balancing on installations of applications through a man-in-the-middle attack. An attacker may trick Galaxy Apps into using... |
| CVE-2018-20091 | 2019-06-07 | An SQL injection vulnerability was found in Cloudera Data Science Workbench (CDSW) 1.4.0 through 1.4.2. This would allow any authenticated user to run arbitrary queries against CDSW's internal database. The... |
| CVE-2018-20014 | 2019-06-07 | In UrBackup 2.2.6, an attacker can send a malformed request to the client over the network, and trigger a fileservplugin/CClientThread.cpp CClientThread::GetFileHashAndMetadata NULL pointer dereference, leading to shutting down the client... |
| CVE-2018-19999 | 2019-06-07 | The local management interface in SolarWinds Serv-U FTP Server 15.1.6.25 has incorrect access controls that permit local users to bypass authentication in the application and execute code in the context... |
| CVE-2019-3477 | 2019-06-07 | Micro Focus Solution Business Manager versions prior to 11.4.2 is susceptible to open redirect. |
| CVE-2018-19860 | 2019-06-07 | Broadcom firmware before summer 2014 on Nexus 5 BCM4335C0 2012-12-11, Raspberry Pi 3 BCM43438A1 2014-06-02, and unspecifed other devices does not properly restrict LMP commnds and executes certain memory contents... |
| CVE-2018-19802 | 2019-06-07 | aubio v0.4.0 to v0.4.8 has a new_aubio_onset NULL pointer dereference. |
| CVE-2018-19801 | 2019-06-07 | aubio v0.4.0 to v0.4.8 has a NULL pointer dereference in new_aubio_filterbank via invalid n_filters. |
| CVE-2018-19800 | 2019-06-07 | aubio v0.4.0 to v0.4.8 has a Buffer Overflow in new_aubio_tempo. |
| CVE-2018-19465 | 2019-06-07 | Maccms through 8.0 allows XSS via the site_keywords field to index.php?m=system-config because of tpl/module/system.php and tpl/html/system_config.html, related to template/paody/html/vod_index.html. |
| CVE-2018-19462 | 2019-06-07 | admin\db\DoSql.php in EmpireCMS through 7.5 allows remote attackers to execute arbitrary PHP code via SQL injection that uses a .php filename in a SELECT INTO OUTFILE statement to admin/admin.php. |
| CVE-2018-19461 | 2019-06-07 | admin\db\DoSql.php in EmpireCMS through 7.5 allows XSS via crafted SQL syntax to admin/admin.php. |
| CVE-2018-19452 | 2019-06-07 | A use after free in the TextBox field Mouse Enter action in IReader_ContentProvider can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031. An attacker can... |
| CVE-2018-19451 | 2019-06-07 | A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when using the Open File action on a Field. An attacker can leverage... |
| CVE-2019-12601 | 2019-06-07 | SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3). |
| CVE-2019-12600 | 2019-06-07 | SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3). |
| CVE-2019-12598 | 2019-06-07 | SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 1 of 3). |
| CVE-2019-12599 | 2019-06-07 | SuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL Injection. |
| CVE-2019-10160 | 2019-06-07 | A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit... |
| CVE-2018-10690 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server.... |
| CVE-2018-10691 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download... |
| CVE-2018-10692 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site... |
| CVE-2018-10693 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However,... |
| CVE-2018-10694 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who... |
| CVE-2018-10695 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's... |
| CVE-2018-10696 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against... |
| CVE-2018-10697 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is... |
| CVE-2019-2090 | 2019-06-07 | In isPackageDeviceAdminOnAnyUser of PackageManagerService.java, there is a possible permissions bypass due to a missing permissions check. This could lead to local escalation of privilege, with no additional permissions required. User... |
| CVE-2019-2091 | 2019-06-07 | In GetPermittedAccessibilityServicesForUser of DevicePolicyManagerService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege, with no additional permissions required. User... |
| CVE-2019-2092 | 2019-06-07 | In isSeparateProfileChallengeAllowed of DevicePolicyManagerService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege, with no additional permissions required. User... |
| CVE-2018-10698 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM... |
| CVE-2019-2093 | 2019-06-07 | In huff_dec_1D of nlc_dec.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges... |
| CVE-2019-2094 | 2019-06-07 | In parseMPEGCCData of NuPlayerCCDecoder.cpp, there is a possible out of bounds write due to missing bounds checks. This could lead to remote code execution with no additional execution privileges needed.... |
| CVE-2019-2095 | 2019-06-07 | In callGenIDChangeListeners and related functions of SkPixelRef.cpp, there is a possible use after free due to a race condition. This could lead to remote code execution with no additional execution... |
| CVE-2019-2096 | 2019-06-07 | In EffectRelease of EffectBundle.cpp, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege in the audio server with no additional... |
| CVE-2018-10699 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to... |
| CVE-2019-2097 | 2019-06-07 | In HAliasAnalyzer.Query of hydrogen-alias-analysis.h, there is possible memory corruption due to type confusion. This could lead to remote code execution from a malicious proxy configuration, with no additional execution privileges... |
| CVE-2019-2102 | 2019-06-07 | In the Bluetooth Low Energy (BLE) specification, there is a provided example Long Term Key (LTK). If a BLE device were to use this as a hardcoded LTK, it is... |
| CVE-2019-2098 | 2019-06-07 | In areNotificationsEnabledForPackage of NotificationManagerService.java, there is a possible permissions bypass due to a missing permissions check. This could lead to local escalation of privilege, with no additional privileges needed. User... |
| CVE-2019-2099 | 2019-06-07 | In nfa_rw_store_ndef_rx_buf of nfa_rw_act.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.... |
| CVE-2019-2101 | 2019-06-07 | In uvc_parse_standard_control of uvc_driver.c, there is a possible out-of-bound read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction... |
| CVE-2019-12779 | 2019-06-07 | libqb before 1.0.5 allows local users to overwrite arbitrary files via a symlink attack, because it uses predictable filenames (under /dev/shm and /tmp) without O_EXCL. |
| CVE-2018-10700 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker... |
| CVE-2018-10701 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality... |
| CVE-2018-10702 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality... |
| CVE-2018-10703 | 2019-06-07 | An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality... |
| CVE-2019-3955 | 2019-06-07 | Dameware Remote Mini Control version 12.1.0.34 and prior contains a unauthenticated remote heap overflow due to the server not properly validating RsaPubKeyLen during key negotiation. An unauthenticated remote attacker can... |
| CVE-2019-3956 | 2019-06-07 | Dameware Remote Mini Control version 12.1.0.34 and prior contains an unauthenticated remote buffer over-read due to the server not properly validating CltDHPubKeyLen during key negotiation, which could crash the application... |
| CVE-2019-3957 | 2019-06-07 | Dameware Remote Mini Control version 12.1.0.34 and prior contains an unauthenticated remote buffer over-read due to the server not properly validating RsaSignatureLen during key negotiation, which could crash the application... |
| CVE-2019-12505 | 2019-06-07 | Due to unencrypted and unauthenticated data communication, the wireless presenter Inateck WP1001 v1.3C is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a... |