CVE List - 2019 / July
Showing 301 - 400 of 1618 CVEs for July 2019 (Page 4 of 17)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-5969 | 2019-07-05 | Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackersto redirect users to arbitrary web sites and conduct phishing attacks via the process of login. |
| CVE-2019-5970 | 2019-07-05 | Cross-site scripting vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-5971 | 2019-07-05 | Cross-site request forgery (CSRF) vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2019-5972 | 2019-07-05 | Cross-site scripting vulnerability in Online Lesson Booking 0.8.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-5973 | 2019-07-05 | Cross-site request forgery (CSRF) vulnerability in Online Lesson Booking 0.8.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2019-5974 | 2019-07-05 | Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2019-5979 | 2019-07-05 | Cross-site request forgery (CSRF) vulnerability in Personalized WooCommerce Cart Page 2.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2019-5980 | 2019-07-05 | Cross-site request forgery (CSRF) vulnerability in Related YouTube Videos versions prior to 1.9.9 allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2019-5981 | 2019-07-05 | Improper authorization vulnerability in VAIO Update 7.3.0.03150 and earlier allows an attackers to execute arbitrary executable file with administrative privilege via unspecified vectors. |
| CVE-2019-5982 | 2019-07-05 | Improper download file verification vulnerability in VAIO Update 7.3.0.03150 and earlier allows remote attackers to conduct a man-in-the-middle attack via a malicous wireless LAN access point. A successful exploitation may... |
| CVE-2019-5983 | 2019-07-05 | Cross-site request forgery (CSRF) vulnerability in HTML5 Maps 1.6.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2019-5984 | 2019-07-05 | Cross-site request forgery (CSRF) vulnerability in Custom CSS Pro 1.0.3 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2019-13313 | 2019-07-05 | libosinfo 1.5.0 allows local users to discover credentials by listing a process, because credentials are passed to osinfo-install-script via the command line. |
| CVE-2019-13314 | 2019-07-05 | virt-bootstrap 1.1.0 allows local users to discover a root password by listing a process, because this password may be present in the --root-password option to virt_bootstrap.py. |
| CVE-2019-13339 | 2019-07-05 | In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie. |
| CVE-2019-13340 | 2019-07-05 | In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520,... |
| CVE-2019-13341 | 2019-07-05 | In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie. |
| CVE-2019-13344 | 2019-07-05 | An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if... |
| CVE-2018-14027 | 2019-07-05 | Digisol Wireless Wifi Home Router HR-3300 allows XSS via the userid or password parameter to the admin login page. |
| CVE-2019-13345 | 2019-07-05 | The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter. |
| CVE-2018-12621 | 2019-07-05 | An issue was discovered in Eventum 3.5.0. /htdocs/switch.php has an Open Redirect via the current_page parameter. |
| CVE-2019-13351 | 2019-07-05 | posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is... |
| CVE-2019-13352 | 2019-07-05 | WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic secret for generating support PINs for the 'forgot password' feature. By knowing this static secret and the corresponding algorithm for calculating... |
| CVE-2019-12971 | 2019-07-05 | BKS EBK Ethernet-Buskoppler Pro before 3.01 allows Unrestricted Upload of a File with a Dangerous Type. |
| CVE-2018-14528 | 2019-07-05 | Invoxia NVX220 devices allow TELNET access as admin with a default password. |
| CVE-2018-14529 | 2019-07-05 | Invoxia NVX220 devices allow access to /bin/sh via escape from a restricted CLI, leading to disclosure of password hashes. |
| CVE-2018-14733 | 2019-07-05 | The Odoo Community Association (OCA) dbfilter_from_header module makes Odoo 8.x, 9.x, 10.x, and 11.x vulnerable to ReDoS (regular expression denial of service) under certain circumstances. |
| CVE-2018-16386 | 2019-07-05 | An issue was discovered in SWIFT Alliance Web Platform 7.1.23. A log injection (and an arbitrary log filename) can be achieved via the PATH_INFO to swp/login/EJBRemoteService/, related to com.swift.ejbgwt.j2ee.client.EjBlnvocationException error... |
| CVE-2019-13358 | 2019-07-05 | lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt... |
| CVE-2019-10638 | 2019-07-05 | In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When... |
| CVE-2019-10639 | 2019-07-05 | The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the... |
| CVE-2019-1892 | 2019-07-06 | Cisco Small Business Series Switches Memory Corruption Vulnerability |
| CVE-2019-1891 | 2019-07-06 | Cisco Small Business Series Switches HTTP Denial of Service Vulnerability |
| CVE-2019-1887 | 2019-07-06 | Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability |
| CVE-2019-1911 | 2019-07-06 | Cisco Unified Communications Domain Manager Restricted Shell Escape Vulnerability |
| CVE-2019-1909 | 2019-07-06 | Cisco IOS XR Software Border Gateway Protocol Denial of Service Vulnerability |
| CVE-2019-1894 | 2019-07-06 | Cisco Enterprise NFV Infrastructure Software Arbitrary File Read and Write Vulnerability |
| CVE-2019-1893 | 2019-07-06 | Cisco Enterprise NFV Infrastructure Software Command Injection Vulnerability |
| CVE-2019-1922 | 2019-07-06 | Cisco IP Phone 7800 and 8800 Series Session Initiation Protocol Denial of Service Vulnerability |
| CVE-2019-1921 | 2019-07-06 | Cisco Email Security Appliance Content Filter Bypass Vulnerability |
| CVE-2019-1933 | 2019-07-06 | Cisco Email Security Appliance Content Filter Bypass Vulnerability |
| CVE-2019-1932 | 2019-07-06 | Cisco Advanced Malware Protection for Endpoints Windows Command Injection Vulnerability |
| CVE-2019-1931 | 2019-07-06 | Cisco Firepower Management Center RSS Cross-Site Scripting Vulnerabilities |
| CVE-2019-1930 | 2019-07-06 | Cisco Firepower Management Center RSS Cross-Site Scripting Vulnerabilities |
| CVE-2019-13362 | 2019-07-06 | Codedoc v3.2 has a stack-based buffer overflow in add_variable in codedoc.c, related to codedoc_strlcpy. |
| CVE-2019-13370 | 2019-07-06 | index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator. |
| CVE-2019-13372 | 2019-07-06 | /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an... |
| CVE-2019-13373 | 2019-07-06 | An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. Input does not get validated and arbitrary SQL statements can be executed in the database via the... |
| CVE-2019-13374 | 2019-07-06 | A cross-site scripting (XSS) vulnerability in resource view in PayAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to inject arbitrary web script or HTML via the... |
| CVE-2019-13375 | 2019-07-06 | A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 in PayAction.class.php with the index.php/Pay/passcodeAuth parameter passcode. The vulnerability does not need any authentication. |
| CVE-2019-13183 | 2019-07-07 | Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings. |
| CVE-2019-13379 | 2019-07-07 | On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device's web interface may escalate privileges from an unauthenticated user to administrator by performing a cmd.cgi?action=ResetDefaults&src=RA... |
| CVE-2019-13390 | 2019-07-07 | In FFmpeg 4.1.3, there is a division by zero at adx_write_trailer in libavformat/rawenc.c. |
| CVE-2019-13391 | 2019-07-07 | In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier.c has a heap-based buffer over-read because of incorrect calls to GetCacheViewVirtualPixels. |
| CVE-2019-13398 | 2019-07-08 | Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrl_save_profile.cgi (save parameter) and cgi-bin/ddns.cgi. |
| CVE-2019-13399 | 2019-07-08 | Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation. |
| CVE-2019-13400 | 2019-07-08 | Dynacolor FCM-MB40 v1.2.0.0 use /etc/appWeb/appweb.pass to store administrative web-interface credentials in cleartext. These credentials can be retrieved via cgi-bin/getuserinfo.cgi?mode=info. |
| CVE-2019-13401 | 2019-07-08 | Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/. |
| CVE-2019-13402 | 2019-07-08 | /usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactorydefault.cgi on Dynacolor FCM-MB40 v1.2.0.0 devices implement an incomplete factory-reset process. A backdoor can persist because neither system accounts nor the set of services is reset. |
| CVE-2019-13404 | 2019-07-08 | The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old... |
| CVE-2018-11563 | 2019-07-08 | An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary stylesheet or JavaScript code in... |
| CVE-2019-12171 | 2019-07-08 | Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed... |
| CVE-2019-12174 | 2019-07-08 | hide.me before 2.4.4 on macOS suffers from a privilege escalation vulnerability in the connectWithExecutablePath:configFilePath:configFileName method of the me_hide_vpnhelper.Helper class in the me.hide.vpnhelper macOS privilege helper tool. This method takes user-supplied... |
| CVE-2019-13413 | 2019-07-08 | The Rencontre plugin before 3.1.3 for WordPress allows SQL Injection via inc/rencontre_widget.php. |
| CVE-2019-13414 | 2019-07-08 | The Rencontre plugin before 3.1.3 for WordPress allows XSS via inc/rencontre_widget.php. |
| CVE-2019-13354 | 2019-07-08 | The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6. |
| CVE-2019-10973 | 2019-07-08 | Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface. |
| CVE-2019-2104 | 2019-07-08 | In HIDL, safe_union, and other C++ structs/unions being sent to application processes, there are uninitialized fields. This could lead to local information disclosure with no additional execution privileges needed. User... |
| CVE-2019-2105 | 2019-07-08 | In FileInputStream::Read of file_input_stream.cc, there is a possible memory corruption due to uninitialized data. This could lead to remote code execution in an unprivileged process with no additional execution privileges... |
| CVE-2019-2106 | 2019-07-08 | In ihevcd_sao_shift_ctb of ihevcd_sao.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges... |
| CVE-2019-2107 | 2019-07-08 | In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges... |
| CVE-2019-2109 | 2019-07-08 | In MakeMPEG4VideoCodecSpecificData of AVIExtractor.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges... |
| CVE-2019-2111 | 2019-07-08 | In loop of DnsTlsSocket.cpp, there is a possible heap memory corruption due to a use after free. This could lead to remote code execution in the netd server with no... |
| CVE-2019-2112 | 2019-07-08 | In several functions of alarm.cc, there is possible memory corruption due to a use after free. This could lead to local code execution with no additional execution privileges needed. User... |
| CVE-2019-2113 | 2019-07-08 | In setup wizard there is a bypass of some checks when wifi connection is skipped. This could lead to factory reset protection bypass with no additional privileges needed. User interaction... |
| CVE-2019-2116 | 2019-07-08 | In save_attr_seq of sdp_discovery.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User... |
| CVE-2019-2117 | 2019-07-08 | In checkQueryPermission of TelephonyProvider.java, there is a possible disclosure of secure data due to a missing permission check. This could lead to local information disclosure about carrier systems with no... |
| CVE-2019-2118 | 2019-07-08 | In various functions of Parcel.cpp, there are uninitialized or partially initialized stack variables. These could lead to local information disclosure with no additional execution privileges needed. User interaction is not... |
| CVE-2019-2119 | 2019-07-08 | In multiple functions of key_store_service.cpp, there is a possible Information Disclosure due to improper locking. This could lead to local information disclosure of protected data with no additional execution privileges... |
| CVE-2019-9629 | 2019-07-08 | Sonatype Nexus Repository Manager before 3.17.0 establishes a default administrator user with weak defaults (fixed credentials). |
| CVE-2019-9630 | 2019-07-08 | Sonatype Nexus Repository Manager before 3.17.0 has a weak default of giving any unauthenticated user read permissions on the repository files and images. |
| CVE-2019-12930 | 2019-07-08 | A cross-site scripting (XSS) vulnerability in noMenu() and noSubMenu() in core/navigation/MENU.php in WIKINDX prior to version 5.8.1 allows remote attackers to inject arbitrary web script or HTML via the method... |
| CVE-2019-12923 | 2019-07-08 | In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter... |
| CVE-2019-12924 | 2019-07-08 | MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a... |
| CVE-2019-12925 | 2019-07-08 | MailEnable Enterprise Premium 10.23 was vulnerable to multiple directory traversal issues, with which authenticated users could add, remove, or potentially read files in arbitrary folders accessible by the IIS user.... |
| CVE-2019-12926 | 2019-07-08 | MailEnable Enterprise Premium 10.23 did not use appropriate access control checks in a number of areas. As a result, it was possible to perform a number of actions, when logged... |
| CVE-2019-12927 | 2019-07-08 | MailEnable Enterprise Premium 10.23 was vulnerable to stored and reflected cross-site scripting (XSS) attacks. Because the session cookie did not use the HttpOnly flag, it was possible to hijack the... |
| CVE-2019-13449 | 2019-07-09 | In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421. |
| CVE-2019-13450 | 2019-07-09 | In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because... |
| CVE-2018-15738 | 2019-07-09 | An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver file szkg64.sys contains an Arbitrary Write vulnerability due to not validating the output buffer address value from IOCtl 0x8000205F. |
| CVE-2018-14833 | 2019-07-09 | Intuit Lacerte 2017 has Incorrect Access Control. |
| CVE-2019-11889 | 2019-07-09 | Sony BRAVIA Smart TV devices allow remote attackers to cause a denial of service (device hang) via a crafted web page over HbbTV. |
| CVE-2019-11890 | 2019-07-09 | Sony Bravia Smart TV devices allow remote attackers to cause a denial of service (device hang or reboot) via a SYN flood attack over a wired or Wi-Fi LAN. |
| CVE-2019-12747 | 2019-07-09 | TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. |
| CVE-2019-12748 | 2019-07-09 | TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. |
| CVE-2019-12782 | 2019-07-09 | An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards of... |
| CVE-2018-11307 | 2019-07-09 | An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2,... |
| CVE-2019-11019 | 2019-07-09 | Lack of authentication in case-exporting components in DDRT Dashcom Live through 2019-05-08 allows anyone to remotely access all claim details by visiting easily guessable exportpdf/all_claim_detail.php?claim_id= URLs. |
| CVE-2019-13454 | 2019-07-09 | ImageMagick 7.0.1-0 to 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c. |
| CVE-2019-13397 | 2019-07-09 | Unauthenticated Stored XSS in osTicket 1.10.1 allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via arbitrary file extension while creating a support ticket. |