CVE List - 2019 / June
Showing 401 - 500 of 1244 CVEs for June 2019 (Page 5 of 13)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-12504 | 2019-06-07 | Due to unencrypted and unauthenticated data communication, the wireless presenter Inateck WP2002 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's... |
| CVE-2019-12506 | 2019-06-07 | Due to unencrypted and unauthenticated data communication, the wireless presenter Logitech R700 Laser Presentation Remote R-R0010 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary... |
| CVE-2019-9084 | 2019-06-07 | In Hoteldruid before 2.3.1, a division by zero was discovered in $num_tabelle in tab_tariffe.php (aka the numtariffa1 parameter) due to the mishandling of non-numeric values, as demonstrated by the /tab_tariffe.php?anno=[YEAR]&numtariffa1=1a... |
| CVE-2019-9087 | 2019-06-07 | HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter. |
| CVE-2019-9086 | 2019-06-07 | HotelDruid before v2.3.1 has SQL Injection via the /visualizza_tabelle.php anno parameter. |
| CVE-2019-10226 | 2019-06-10 | HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of... |
| CVE-2019-12387 | 2019-06-10 | In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF. |
| CVE-2019-5243 | 2019-06-10 | There is a Clickjacking vulnerability in Huawei HG255s product. An attacker may trick user to click a link and affect the integrity of a device by exploiting this vulnerability. |
| CVE-2019-12780 | 2019-06-10 | The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. A simple POST request to /upnp/control/basicevent1 can allow an... |
| CVE-2019-6241 | 2019-06-10 | In Bevywise MQTTRoute 1.1 build 1018-002, a connect packet combined with a malformed unsubscribe request packet can be used to cause a Denial of Service attack against the broker. |
| CVE-2018-20352 | 2019-06-10 | Use-after-free vulnerability in the mg_cgi_ev_handler function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a denial of service (application crash) or remote code execution. |
| CVE-2018-20353 | 2019-06-10 | An invalid read of 8 bytes due to a use-after-free vulnerability during a "NULL test" in the mg_http_get_proto_data function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and... |
| CVE-2018-20354 | 2019-06-10 | An invalid read of 8 bytes due to a use-after-free vulnerability during a "return" in the mg_http_get_proto_data function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier... |
| CVE-2018-20355 | 2019-06-10 | An invalid write of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a... |
| CVE-2018-20356 | 2019-06-10 | An invalid read of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a... |
| CVE-2019-11877 | 2019-06-10 | XSS on the PIX-Link Repeater/Router LV-WR09 with firmware v28K.MiniRouter.20180616 allows attackers to steal credentials without being connected to the network. The attack vector is a crafted ESSID. |
| CVE-2019-9879 | 2019-06-10 | The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation. |
| CVE-2019-9880 | 2019-06-10 | An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such... |
| CVE-2019-9881 | 2019-06-10 | The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled. |
| CVE-2019-11517 | 2019-06-10 | WampServer before 3.1.9 has CSRF in add_vhost.php because the synchronizer pattern implemented as remediation of CVE-2018-8817 was incomplete. An attacker could add/delete any vhosts without the consent of the owner. |
| CVE-2019-12786 | 2019-06-10 | An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the... |
| CVE-2019-12787 | 2019-06-10 | An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the... |
| CVE-2019-12788 | 2019-06-10 | An issue was discovered in Photodex ProShow Producer v9.0.3797 (an application that runs with Administrator privileges). It is possible to perform a buffer overflow via a crafted file. |
| CVE-2019-12790 | 2019-06-10 | In radare2 through 3.5.1, there is a heap-based buffer over-read in the r_egg_lang_parsechar function of egg_lang.c. This allows remote attackers to cause a denial of service (application crash) or possibly... |
| CVE-2019-11027 | 2019-06-10 | Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable flaw. This library is used by Rails web applications to integrate with OpenID Providers. Severity can range from medium to... |
| CVE-2019-11881 | 2019-06-10 | A vulnerability exists in Rancher before 2.2.4 in the login component, where the errorMsg parameter can be tampered to display arbitrary content, filtering tags but not special characters or symbols.... |
| CVE-2017-13718 | 2019-06-10 | The HTTP API supported by Starry Station (aka Starry Router) allows brute forcing the PIN setup by the user on the device, and this allows an attacker to change the... |
| CVE-2017-13717 | 2019-06-10 | Starry Station (aka Starry Router) sets the Access-Control-Allow-Origin header to "*". This allows any hosted file on any domain to make calls to the device's webserver and brute force the... |
| CVE-2019-10331 | 2019-06-11 | A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2019-10332 | 2019-06-11 | A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2019-10333 | 2019-06-11 | Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration... |
| CVE-2019-10334 | 2019-06-11 | Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files. |
| CVE-2019-10335 | 2019-06-11 | A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to... |
| CVE-2019-10336 | 2019-06-11 | A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript... |
| CVE-2019-10337 | 2019-06-11 | An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro... |
| CVE-2019-10338 | 2019-06-11 | A cross-site request forgery vulnerability in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed attackers to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials. |
| CVE-2019-10339 | 2019-06-11 | A missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed users with Overall/Read access to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking... |
| CVE-2019-12749 | 2019-06-11 | dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie... |
| CVE-2019-12794 | 2019-06-11 | An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users).... |
| CVE-2018-11800 | 2019-06-11 | SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on the GroupSummaryCounts related table. |
| CVE-2018-11801 | 2019-06-11 | SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on a m_center data related table. |
| CVE-2019-11334 | 2019-06-11 | An authentication bypass in website post requests in the Tzumi Electronics Klic Lock application 1.0.9 for mobile devices allows attackers to access resources (that are not otherwise accessible without proper... |
| CVE-2019-12764 | 2019-06-11 | An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users. |
| CVE-2019-12765 | 2019-06-11 | An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection. |
| CVE-2019-12766 | 2019-06-11 | An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors. |
| CVE-2019-3409 | 2019-06-11 | All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE product are impacted by command injection vulnerability. Due to inadequate parameter verification, unauthorized users can take advantage of this... |
| CVE-2019-3410 | 2019-06-11 | All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE product are impacted by Cross-Site Request Forgery vulnerability,which stems from the fact that WEB applications do not adequately verify... |
| CVE-2019-3411 | 2019-06-11 | All versions up to BD_R218V2.4 of ZTE MF920 product are impacted by information leak vulnerability. Due to some interfaces can obtain the WebUI login password without login, an attacker can... |
| CVE-2019-3412 | 2019-06-11 | All versions up to BD_R218V2.4 of ZTE MF920 product are impacted by command execution vulnerability. Due to some interfaces do not adequately verify parameters, an attacker can execute arbitrary commands... |
| CVE-2019-3413 | 2019-06-11 | All versions up to V20.18.40.R7.B1of ZTE NetNumen DAP product have an XSS vulnerability. Due to the lack of correct validation of client data in WEB applications, which results in users... |
| CVE-2019-12153 | 2019-06-11 | Lack of validation in the HTML parser in RealObjects PDFreactor before 10.1.10722 leads to SSRF, allowing attackers to access network or file resources on behalf of the server by supplying... |
| CVE-2019-12154 | 2019-06-11 | XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file contents and/or... |
| CVE-2017-18377 | 2019-06-11 | An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras. There is Command Injection in the set_ftp.cgi script via shell metacharacters in the pwd variable, as demonstrated by a... |
| CVE-2017-18378 | 2019-06-11 | In NETGEAR ReadyNAS Surveillance before 1.4.3-17 x86 and before 1.1.4-7 ARM, $_GET['uploaddir'] is not escaped and is passed to system() through $tmp_upload_dir, leading to upgrade_handle.php?cmd=writeuploaddir remote command execution. |
| CVE-2018-20841 | 2019-06-11 | HooToo TripMate Titan HT-TM05 and HT-05 routers with firmware 2.000.022 and 2.000.082 allow remote command execution via shell metacharacters in the mac parameter of a protocol.csp?function=set&fname=security&opt=mac_table request. |
| CVE-2010-5330 | 2019-06-11 | On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. The... |
| CVE-2009-5156 | 2019-06-11 | An issue was discovered on ASMAX AR-804gu 66.34.1 devices. There is Command Injection via the cgi-bin/script query string. |
| CVE-2009-5157 | 2019-06-11 | On Linksys WAG54G2 1.00.10 devices, there is authenticated command injection via shell metacharacters in the setup.cgi c4_ping_ipaddr variable. |
| CVE-2016-10760 | 2019-06-11 | On Seowon Intech routers, there is a Command Injection vulnerability in diagnostic.cgi via shell metacharacters in the ping_ipaddr parameter. |
| CVE-2013-7471 | 2019-06-11 | An issue was discovered in soap.cgi?service=WANIPConn1 on D-Link DIR-845 before v1.02b03, DIR-600 before v2.17b01, DIR-645 before v1.04b11, DIR-300 rev. B, and DIR-865 devices. There is Command Injection via shell metacharacters... |
| CVE-2019-0220 | 2019-06-11 | A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule... |
| CVE-2019-12143 | 2019-06-11 | A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. An attacker can supply a string using special patterns via the SCP protocol to... |
| CVE-2019-12144 | 2019-06-11 | An issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. Attackers have the ability to abuse a path traversal vulnerability using the SCP protocol. Attackers who... |
| CVE-2019-12145 | 2019-06-11 | A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. An attacker can supply a string using special patterns via the SCP protocol to... |
| CVE-2019-12146 | 2019-06-11 | A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. Attackers have the ability to abuse a flaw in the SCP listener by crafting... |
| CVE-2019-0196 | 2019-06-11 | A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when... |
| CVE-2019-12795 | 2019-06-11 | daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could... |
| CVE-2019-12149 | 2019-06-11 | SQL injection vulnerability in silverstripe/restfulserver module 1.0.x before 1.0.9, 2.0.x before 2.0.4, and 2.1.x before 2.1.2 and silverstripe/registry module 2.1.x before 2.1.1 and 2.2.x before 2.2.1 allows attackers to execute... |
| CVE-2019-0197 | 2019-06-11 | A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an... |
| CVE-2017-15123 | 2019-06-12 | A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, where the RSS feed URLs are not properly restricted to authenticated users only. An attacker could use... |
| CVE-2019-10150 | 2019-06-12 | It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability... |
| CVE-2019-3873 | 2019-06-12 | It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a... |
| CVE-2019-3888 | 2019-06-12 | A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using... |
| CVE-2019-3872 | 2019-06-12 | It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send... |
| CVE-2019-10925 | 2019-06-12 | A vulnerability has been identified in SIMATIC MV400 family (All Versions < V7.0.6). An authenticated attacker could escalate privileges by sending specially crafted requests to the integrated webserver. The security... |
| CVE-2019-10926 | 2019-06-12 | A vulnerability has been identified in SIMATIC MV400 family (All Versions < V7.0.6). Communication with the device is not encrypted. Data transmitted between the device and the user can be... |
| CVE-2019-6567 | 2019-06-12 | A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All Versions < V5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0),... |
| CVE-2019-6571 | 2019-06-12 | A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version < V1.82.02). An attacker with... |
| CVE-2019-6580 | 2019-06-12 | A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11.2a), Siveillance VMS 2018 R1 (All versions < V12.1a), Siveillance VMS 2018 R2 (All versions < V12.2a),... |
| CVE-2019-6581 | 2019-06-12 | A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11.2a), Siveillance VMS 2018 R1 (All versions < V12.1a), Siveillance VMS 2018 R2 (All versions < V12.2a),... |
| CVE-2019-6582 | 2019-06-12 | A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11.2a), Siveillance VMS 2018 R1 (All versions < V12.1a), Siveillance VMS 2018 R2 (All versions < V12.2a),... |
| CVE-2019-6584 | 2019-06-12 | A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version < V1.82.02). The integrated webserver... |
| CVE-2019-10157 | 2019-06-12 | It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local... |
| CVE-2019-0620 | 2019-06-12 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2019-0709 | 2019-06-12 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2019-0710 | 2019-06-12 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2019-0711 | 2019-06-12 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2019-0713 | 2019-06-12 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2019-0722 | 2019-06-12 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2019-0888 | 2019-06-12 | ActiveX Data Objects (ADO) Remote Code Execution Vulnerability |
| CVE-2019-0904 | 2019-06-12 | Jet Database Engine Remote Code Execution Vulnerability |
| CVE-2019-0905 | 2019-06-12 | Jet Database Engine Remote Code Execution Vulnerability |
| CVE-2019-0906 | 2019-06-12 | Jet Database Engine Remote Code Execution Vulnerability |
| CVE-2019-0907 | 2019-06-12 | Jet Database Engine Remote Code Execution Vulnerability |
| CVE-2019-0908 | 2019-06-12 | Jet Database Engine Remote Code Execution Vulnerability |
| CVE-2019-0909 | 2019-06-12 | Jet Database Engine Remote Code Execution Vulnerability |
| CVE-2019-0920 | 2019-06-12 | Scripting Engine Memory Corruption Vulnerability |
| CVE-2019-0941 | 2019-06-12 | Microsoft IIS Server Denial of Service Vulnerability |
| CVE-2019-0943 | 2019-06-12 | Windows ALPC Elevation of Privilege Vulnerability |
| CVE-2019-0948 | 2019-06-12 | Windows Event Viewer Information Disclosure Vulnerability |