CVE List - 2019 / July
Showing 801 - 900 of 1618 CVEs for July 2019 (Page 9 of 17)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-3971 | 2019-07-17 | Comodo Antivirus versions up to 12.0.0.6810 are vulnerable to a local Denial of Service affecting CmdVirth.exe via its LPC port "cmdvrtLPCServerPort". A low privileged local process can connect to this... |
| CVE-2019-3972 | 2019-07-17 | Comodo Antivirus versions 12.0.0.6810 and below are vulnerable to Denial of Service affecting CmdAgent.exe via an unprotected section object "<GUID>_CisSharedMemBuff". This section object is exposed by CmdAgent and contains a... |
| CVE-2019-3973 | 2019-07-17 | Comodo Antivirus versions 11.0.0.6582 and below are vulnerable to Denial of Service affecting CmdGuard.sys via its filter port "cmdServicePort". A low privileged process can crash CmdVirth.exe to decrease the port's... |
| CVE-2019-13640 | 2019-07-17 | In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command... |
| CVE-2019-5222 | 2019-07-17 | There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An... |
| CVE-2019-13643 | 2019-07-18 | Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The attack begins by storing a new stream... |
| CVE-2019-13644 | 2019-07-18 | Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and... |
| CVE-2019-13645 | 2019-07-18 | Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing.... |
| CVE-2019-13646 | 2019-07-18 | Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query. NOTE: It is asserted that an attacker must have... |
| CVE-2019-13647 | 2019-07-18 | Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing.... |
| CVE-2016-10763 | 2019-07-18 | The CampTix Event Ticketing plugin before 1.5 for WordPress allows XSS in the admin section via a ticket title or body. |
| CVE-2016-10762 | 2019-07-18 | The CampTix Event Ticketing plugin before 1.5 for WordPress allows CSV injection when the export tool is used. |
| CVE-2019-1010094 | 2019-07-18 | domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change admin password. The component is: http://127.0.0.1/settings/password/ http://127.0.0.1/admin/users/add.php http://127.0.0.1/admin/users/edit.php?uid=2. The... |
| CVE-2019-1010095 | 2019-07-18 | DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can add the administrator account. The component is: admin/users/add.php. The attack... |
| CVE-2019-1010096 | 2019-07-18 | DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change the read-only user to admin. The component is: admin/users/edit.php?uid=2.... |
| CVE-2019-1010054 | 2019-07-18 | Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malitious html to change user password, disable users and disable password encryptation. The component is: Function... |
| CVE-2019-1010066 | 2019-07-18 | Lawrence Livermore National Laboratory msr-safe v1.1.0 is affected by: Incorrect Access Control. The impact is: An attacker could modify model specific registers. The component is: ioctl handling. The attack vector... |
| CVE-2019-1010069 | 2019-07-18 | moinejf abcm2ps 8.13.20 is affected by: Incorrect Access Control. The impact is: Allows attackers to cause a denial of service attack via a crafted file. The component is: front.c, function... |
| CVE-2019-13915 | 2019-07-18 | b3log Wide before 1.6.0 allows three types of attacks to access arbitrary files. First, the attacker can write code in the editor, and compile and run it approximately three times... |
| CVE-2019-13607 | 2019-07-18 | The Opera Mini application through 16.0.14 for iOS has a UXSS vulnerability that can be triggered by performing navigation to a javascript: URL. |
| CVE-2019-9230 | 2019-07-18 | An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.253. A cross-site scripting (XSS) vulnerability in the search function of the... |
| CVE-2019-13575 | 2019-07-18 | A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on... |
| CVE-2019-9231 | 2019-07-18 | An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions before 7.20A.202.307. A Cross-Site Request Forgery (CSRF) vulnerability in the management web interface allows... |
| CVE-2019-13509 | 2019-07-18 | In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug... |
| CVE-2019-3570 | 2019-07-18 | Call to the scrypt_enc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p). This happens if the parameters are configurable by an... |
| CVE-2019-3734 | 2019-07-18 | Dell EMC Unity and UnityVSA versions prior to 5.0.0.0.5.116 contain an improper authorization vulnerability in NAS Server quotas configuration. A remote authenticated Unisphere Operator could potentially exploit this vulnerability to... |
| CVE-2019-3741 | 2019-07-18 | Dell EMC Unity and UnityVSA versions prior to 5.0.0.0.5.116 contain a plain-text password storage vulnerability. A Unisphere user’s (including the admin privilege user) password is stored in a plain text... |
| CVE-2019-3794 | 2019-07-18 | UAA - Login app subject to clickjacking attack |
| CVE-2019-1010104 | 2019-07-18 | TechyTalk Quick Chat WordPress Plugin All up to the latest is affected by: SQL Injection. The impact is: Access to the database. The component is: like_escape is used in Quick-chat.php... |
| CVE-2019-13948 | 2019-07-18 | SyGuestBook A5 Version 1.2 allows stored XSS because the isValidData function in include/functions.php does not properly block XSS payloads, as demonstrated by a crafted use of the onerror attribute of... |
| CVE-2019-13949 | 2019-07-18 | SyGuestBook A5 Version 1.2 has no CSRF protection mechanism, as demonstrated by CSRF for an index.php?c=Administrator&a=update admin password change. |
| CVE-2019-13950 | 2019-07-18 | index.php?c=admin&a=index in SyGuestBook A5 Version 1.2 has stored XSS via a reply to a comment. |
| CVE-2019-1010268 | 2019-07-18 | Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers.... |
| CVE-2019-1010065 | 2019-07-18 | The Sleuth Kit 4.6.0 and earlier is affected by: Integer Overflow. The impact is: Opening crafted disk image triggers crash in tsk/fs/hfs_dent.c:237. The component is: Overflow in fls tool used... |
| CVE-2019-13951 | 2019-07-18 | The set_ipv4() function in zscan_rfc1035.rl in gdnsd 3.x before 3.2.1 has a stack-based buffer overflow via a long and malformed IPv4 address in zone data. |
| CVE-2019-13952 | 2019-07-18 | The set_ipv6() function in zscan_rfc1035.rl in gdnsd before 2.4.3 and 3.x before 3.2.1 has a stack-based buffer overflow via a long and malformed IPv6 address in zone data. |
| CVE-2019-1010261 | 2019-07-18 | Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL... |
| CVE-2019-1010259 | 2019-07-18 | SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component... |
| CVE-2019-11230 | 2019-07-18 | In Avast Antivirus before 19.4, a local administrator can trick the product into renaming arbitrary files by replacing the Logs\Update.log file with a symlink. The next time the product attempts... |
| CVE-2019-13956 | 2019-07-18 | Discuz!ML 3.2 through 3.4 allows remote attackers to execute arbitrary PHP code via a modified language cookie, as demonstrated by changing 4gH4_0df5_language=en to 4gH4_0df5_language=en'.phpinfo().'; (if the random prefix 4gH4_0df5_ were... |
| CVE-2019-1010252 | 2019-07-18 | The Linux Foundation ONOS 2.0.0 and earlier is affected by: Poor Input-validation. The impact is: A network administrator (or attacker) can install unintended flow rules in the switch by mistake.... |
| CVE-2019-1010251 | 2019-07-18 | Open Information Security Foundation Suricata prior to version 4.1.2 is affected by: Denial of Service - DNS detection bypass. The impact is: An attacker can evade a signature detection with... |
| CVE-2019-1010250 | 2019-07-18 | The Linux Foundation ONOS 2.0.0 and earlier is affected by: Poor Input-validation. The impact is: A network administrator (or attacker) can install unintended flow rules in the switch by mistake.... |
| CVE-2019-1010249 | 2019-07-18 | The Linux Foundation ONOS 2.0.0 and earlier is affected by: Integer Overflow. The impact is: A network administrator (or attacker) can install unintended flow rules in the switch by mistake.... |
| CVE-2019-1010248 | 2019-07-18 | Synetics GmbH I-doit 1.12 and earlier is affected by: SQL Injection. The impact is: Unauthenticated mysql database access. The component is: Web login form. The attack vector is: An attacker... |
| CVE-2019-3592 | 2019-07-18 | MA for Windows update addresses weak directory permissions |
| CVE-2019-1010246 | 2019-07-18 | MailCleaner before c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 is affected by: Unauthenticated MySQL database password information disclosure. The impact is: MySQL database content disclosure (e.g. username, password). The component is: The API call in the... |
| CVE-2019-1010279 | 2019-07-18 | Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with... |
| CVE-2019-1010112 | 2019-07-18 | OECMS v4.3.R60321 and v4.3 later is affected by: Cross Site Request Forgery (CSRF). The impact is: The victim clicks on adding an administrator account. The component is: admincp.php. The attack... |
| CVE-2019-8286 | 2019-07-18 | Information Disclosure in Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security versions up to 2019 could potentially disclose unique Product ID by forcing victim to visit a specially crafted webpage... |
| CVE-2019-13959 | 2019-07-18 | In Bento4 1.5.1-627, AP4_DataBuffer::SetDataSize does not handle reallocation failures, leading to a memory copy into a NULL pointer. This is different from CVE-2018-20186. |
| CVE-2019-13960 | 2019-07-18 | In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE:... |
| CVE-2019-13961 | 2019-07-18 | A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php. |
| CVE-2019-13962 | 2019-07-18 | lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer over-read because it does not properly validate the width and height. |
| CVE-2019-7850 | 2019-07-18 | Adobe Campaign Classic version 18.10.5-8984 and earlier versions have a Command injection vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of the current user. |
| CVE-2019-7848 | 2019-07-18 | Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Inadequate access control vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user. |
| CVE-2019-7847 | 2019-07-18 | Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file... |
| CVE-2019-7846 | 2019-07-18 | Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper error handling vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user. |
| CVE-2019-7941 | 2019-07-18 | Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Information Exposure Through an Error Message vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current... |
| CVE-2019-7843 | 2019-07-18 | Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Insufficient input validation vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user. |
| CVE-2019-7956 | 2019-07-18 | Adobe Dreamweaver direct download installer versions 19.0 and below, 18.0 and below have an Insecure Library Loading (DLL hijacking) vulnerability. Successful exploitation could lead to Privilege Escalation in the context... |
| CVE-2019-7955 | 2019-07-18 | Adobe Experience Manager version 6.4 and ealier have a Reflected Cross-site Scripting vulnerability. Successful exploitation could lead to Sensitive Information disclosure in the context of the current user. |
| CVE-2019-7954 | 2019-07-18 | Adobe Experience Manager version 6.4 and ealier have a Stored Cross-site Scripting vulnerability. Successful exploitation could lead to Sensitive Information disclosure in the context of the current user. |
| CVE-2019-7953 | 2019-07-18 | Adobe Experience Manager version 6.4 and ealier have a Cross-Site Request Forgery vulnerability. Successful exploitation could lead to Sensitive Information disclosure in the context of the current user. |
| CVE-2019-7963 | 2019-07-18 | Adobe Bridge CC version 9.0.2 and earlier versions have an out of bound read vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user. |
| CVE-2019-13969 | 2019-07-19 | Metinfo 6.x allows SQL Injection via the id parameter in an admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1 request. |
| CVE-2019-13970 | 2019-07-19 | In antSword before 2.1.0, self-XSS in the database configuration leads to code execution via modules/database/asp/index.js, modules/database/custom/index.js, modules/database/index.js, or modules/database/php/index.js. |
| CVE-2019-13971 | 2019-07-19 | OTCMS 3.81 allows XSS via the mode parameter in an apiRun.php?mudi=autoRun request. |
| CVE-2019-13972 | 2019-07-19 | LayerBB 1.1.3 allows XSS via the application/commands/new.php pm_title variable, a related issue to CVE-2019-17997. |
| CVE-2019-13973 | 2019-07-19 | LayerBB 1.1.3 allows admin/general.php arbitrary file upload because the custom_logo filename suffix is not restricted, and .php may be used. |
| CVE-2019-13974 | 2019-07-19 | LayerBB 1.1.3 allows conversations.php/cmd/new CSRF. |
| CVE-2019-13977 | 2019-07-19 | index.php in Ovidentia 8.4.3 has XSS via tg=groups, tg=maildoms&idx=create&userid=0&bgrp=y, tg=delegat, tg=site&idx=create, tg=site&item=4, tg=admdir&idx=mdb&id=1, tg=notes&idx=Create, tg=admfaqs&idx=Add, or tg=admoc&idx=addoc&item=. |
| CVE-2019-13978 | 2019-07-19 | Ovidentia 8.4.3 has SQL Injection via the id parameter in an index.php?tg=delegat&idx=mem request. |
| CVE-2019-13648 | 2019-07-19 | In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and... |
| CVE-2019-11552 | 2019-07-19 | Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allows eval injection. A proxy auto-configuration file, crafted by a lesser... |
| CVE-2019-1010151 | 2019-07-19 | zzcms zzmcms 8.3 and earlier is affected by: File Delete to getshell. The impact is: getshell. The component is: /user/ppsave.php. |
| CVE-2019-12946 | 2019-07-19 | Elcom CMS before 10.7 has SQL Injection via EventSearchByState.aspx and EventSearchAdv.aspx. |
| CVE-2019-1010247 | 2019-07-19 | ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf... |
| CVE-2019-13984 | 2019-07-19 | Directus 7 API before 2.3.0 does not validate uploaded files. Regardless of the file extension or MIME type, there is a direct link to each uploaded file, accessible by unauthenticated... |
| CVE-2019-13983 | 2019-07-19 | Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php. |
| CVE-2019-13982 | 2019-07-19 | interfaces/markdown/input.vue in Directus 7 Application before 7.7.0 does not sanitize Markdown text before rendering a preview. |
| CVE-2019-13981 | 2019-07-19 | In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option... |
| CVE-2019-13980 | 2019-07-19 | In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx. |
| CVE-2019-13979 | 2019-07-19 | In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution. |
| CVE-2019-1010245 | 2019-07-19 | The Linux Foundation ONOS SDN Controller 1.15 and earlier versions is affected by: Improper Input Validation. The impact is: A remote attacker can execute arbitrary commands on the controller. The... |
| CVE-2019-1167 | 2019-07-19 | A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement, aka 'Windows Defender Application Control Security Feature Bypass Vulnerability'. |
| CVE-2019-1010113 | 2019-07-19 | Premium Software CLEditor 1.4.5 and earlier is affected by: Cross Site Scripting (XSS). The impact is: An attacker might be able to inject arbitrary html and script code into the... |
| CVE-2019-1010100 | 2019-07-19 | Akeo Consulting Rufus 3.0 and earlier is affected by: DLL search order hijacking. The impact is: Arbitrary code execution WITH escalation of privilege. The component is: Executable installers, portable executables... |
| CVE-2019-1010101 | 2019-07-19 | Akeo Consulting Rufus 3.0 and earlier is affected by: Insecure Permissions. The impact is: arbitrary code execution with escalation of privilege. The component is: Executable installer, portable executable (ALL executables... |
| CVE-2019-1010136 | 2019-07-19 | ChinaMobile GPN2.4P21-C-CN W2001EN-00 is affected by: Incorrect Access Control - Unauthenticated Remote Reboot. The impact is: PLC Wireless Router's are vulnerable to an unauthenticated remote reboot due. The component is:... |
| CVE-2015-7882 | 2019-07-19 | Authentication bypass when using LDAP authentication in MongoDB Enterprise Server |
| CVE-2019-1010142 | 2019-07-19 | scapy 2.4.0 is affected by: Denial of Service. The impact is: infinite loop, resource consumption and program unresponsive. The component is: _RADIUSAttrPacketListField.getfield(self..). The attack vector is: over the network or... |
| CVE-2019-12193 | 2019-07-19 | H3C H3Cloud OS all versions allows SQL injection via the ear/grid_event sidx parameter. |
| CVE-2019-1010241 | 2019-07-19 | Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30... |
| CVE-2019-1010239 | 2019-07-19 | DaveGamble/cJSON cJSON 1.7.8 is affected by: Improper Check for Unusual or Exceptional Conditions. The impact is: Null dereference, so attack can cause denial of service. The component is: cJSON_GetObjectItemCaseSensitive() function.... |
| CVE-2019-1010238 | 2019-07-19 | Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name:... |
| CVE-2019-11553 | 2019-07-19 | In Code42 for Enterprise through 6.8.4, an administrator without web restore permission but with the ability to manage users in an organization can impersonate a user with web restore permission.... |
| CVE-2018-17792 | 2019-07-19 | MDaemon Webmail (formerly WorldClient) has CSRF. |
| CVE-2019-12453 | 2019-07-19 | In MicroStrategy Web before 10.1 patch 10, stored XSS is possible in the FLTB parameter due to missing input validation. |
| CVE-2019-12820 | 2019-07-19 | A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner. Actions performed on the app such as changing a password, and personal information it... |