CVE List - 2019 / August
Showing 1401 - 1500 of 2001 CVEs for August 2019 (Page 15 of 21)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-15074 | 2019-08-21 | The Timeline feature in my_view_page.php in MantisBT through 2.21.1 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment... |
| CVE-2019-1937 | 2019-08-21 | Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Authentication Bypass Vulnerability |
| CVE-2019-1936 | 2019-08-21 | Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Command Injection Vulnerability |
| CVE-2019-1935 | 2019-08-21 | Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data SCP User Default Credentials Vulnerability |
| CVE-2019-1908 | 2019-08-21 | Cisco Integrated Management Controller Information Disclosure Vulnerability |
| CVE-2019-1907 | 2019-08-21 | Cisco Integrated Management Controller Substring Comparison Privilege Escalation Vulnerability |
| CVE-2019-15045 | 2019-08-21 | AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality |
| CVE-2019-1984 | 2019-08-21 | Cisco Enterprise Network Functions Virtualization Infrastructure Software Arbitrary File Write Vulnerability |
| CVE-2019-1974 | 2019-08-21 | Cisco IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Authentication Bypass Vulnerability |
| CVE-2019-1948 | 2019-08-21 | Cisco Webex Meetings Mobile (iOS) SSL Certificate Validation Vulnerability |
| CVE-2019-1938 | 2019-08-21 | Cisco UCS Director and Cisco UCS Director Express for Big Data API Authentication Bypass Vulnerability |
| CVE-2019-14258 | 2019-08-21 | The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988. |
| CVE-2019-14257 | 2019-08-21 | pyraw in Zenoss 2.5.3 allows local privilege escalation by modifying environment variables to redirect execution before privileges are dropped, aka ZEN-31765. |
| CVE-2019-14246 | 2019-08-21 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account. |
| CVE-2019-14245 | 2019-08-21 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account. |
| CVE-2019-13599 | 2019-08-21 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times. |
| CVE-2019-13477 | 2019-08-21 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account. |
| CVE-2019-13476 | 2019-08-21 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter allows a low-privilege user to achieve root access via the email list page. |
| CVE-2019-11601 | 2019-08-21 | Path traversal in the backup & restore functionality of ProSyst mBS SDK and Bosch IoT Gateway Software |
| CVE-2019-10687 | 2019-08-21 | KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request. |
| CVE-2019-11602 | 2019-08-21 | Leakage of stack traces in the backup & restore functionality of ProSyst mBS SDK and Bosch IoT Gateway Software |
| CVE-2018-17791 | 2019-08-21 | Newgen OmniFlow Intelligent Business Process Suite (iBPS) 7.0 has an "improper server side validation" vulnerability where client-side validations are tampered, and inappropriate information is stored on the server side and... |
| CVE-2019-11603 | 2019-08-21 | Path traversal in ProSyst mBS SDK and Bosch IoT Gateway Software |
| CVE-2019-15315 | 2019-08-21 | Valve Steam Client for Windows through 2019-08-16 allows privilege escalation (to NT AUTHORITY\SYSTEM) because local users can replace the current versions of SteamService.exe and SteamService.dll with older versions that lack... |
| CVE-2019-15316 | 2019-08-21 | Valve Steam Client for Windows through 2019-08-20 has weak folder permissions, leading to privilege escalation (to NT AUTHORITY\SYSTEM) via crafted use of CreateMountPoint.exe and SetOpLock.exe to leverage a TOCTOU race... |
| CVE-2019-5638 | 2019-08-21 | Rapid7 Nexpose Insufficient Session Management |
| CVE-2019-14685 | 2019-08-21 | A local privilege escalation vulnerability exists in Trend Micro Security 2019 (v15.0) in which, if exploited, would allow an attacker to manipulate a specific product feature to load a malicious... |
| CVE-2019-14686 | 2019-08-21 | A DLL hijacking vulnerability exists in the Trend Micro Security's 2019 consumer family of products (v15) Folder Shield component and the standalone Trend Micro Ransom Buster (1.0) tool in which,... |
| CVE-2019-6177 | 2019-08-21 | A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo... |
| CVE-2016-10916 | 2019-08-22 | The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than CVE-2015-7319. |
| CVE-2017-18570 | 2019-08-22 | The cforms2 plugin before 14.13 for WordPress has SQL injection in the tracking DB GUI via Delete Entries or Download Entries. |
| CVE-2015-9333 | 2019-08-22 | The cforms2 plugin before 14.6.10 for WordPress has SQL injection. |
| CVE-2019-15314 | 2019-08-22 | tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI. |
| CVE-2015-9335 | 2019-08-22 | The limit-attempts plugin before 1.1.1 for WordPress has SQL injection during IP address handling. |
| CVE-2016-10917 | 2019-08-22 | The search-everything plugin before 8.1.6 for WordPress has SQL injection related to empty search strings, a different vulnerability than CVE-2014-2316. |
| CVE-2017-18571 | 2019-08-22 | The search-everything plugin before 8.1.7 for WordPress has SQL injection related to WordPress 4.7.x, a different vulnerability than CVE-2014-2316. |
| CVE-2015-9336 | 2019-08-22 | The clean-login plugin before 1.5.1 for WordPress has reflected XSS. |
| CVE-2019-15317 | 2019-08-22 | The give plugin before 2.4.7 for WordPress has XSS via a donor name. |
| CVE-2016-10918 | 2019-08-22 | The gallery-by-supsystic plugin before 1.8.6 for WordPress has CSRF. |
| CVE-2016-10919 | 2019-08-22 | The wassup plugin before 1.9.1 for WordPress has XSS via the Top stats widget or the wassupURI::add_siteurl method, a different vulnerability than CVE-2012-2633. |
| CVE-2013-7477 | 2019-08-22 | The events-manager plugin before 5.5.2 for WordPress has XSS in the booking form. |
| CVE-2019-14511 | 2019-08-22 | Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1... |
| CVE-2013-7478 | 2019-08-22 | The events-manager plugin before 5.5 for WordPress has XSS via EM_Ticket::get_post. |
| CVE-2013-7479 | 2019-08-22 | The events-manager plugin before 5.3.9 for WordPress has XSS in the search form field. |
| CVE-2013-7480 | 2019-08-22 | The events-manager plugin before 5.3.6.1 for WordPress has XSS via the booking form and admin areas. |
| CVE-2012-6716 | 2019-08-22 | The events-manager plugin before 5.1.7 for WordPress has XSS via JSON call links. |
| CVE-2017-18572 | 2019-08-22 | The gnucommerce plugin before 1.4.2 for WordPress has XSS. |
| CVE-2016-10920 | 2019-08-22 | The gnucommerce plugin before 0.5.7-BETA for WordPress has XSS. |
| CVE-2016-10921 | 2019-08-22 | The gallery-photo-gallery plugin before 1.0.1 for WordPress has SQL injection. |
| CVE-2017-18573 | 2019-08-22 | The simple-login-log plugin before 1.1.2 for WordPress has SQL injection. |
| CVE-2018-20979 | 2019-08-22 | The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type. |
| CVE-2018-20980 | 2019-08-22 | The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering. |
| CVE-2009-5158 | 2019-08-22 | The google-analyticator plugin before 5.2.1 for WordPress has insufficient HTML sanitization for Google Analytics API text. |
| CVE-2018-20981 | 2019-08-22 | The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests. |
| CVE-2017-18574 | 2019-08-22 | The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder. |
| CVE-2019-15318 | 2019-08-22 | The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPress has code injection via the admin input field. |
| CVE-2013-7481 | 2019-08-22 | The contact-form-plugin plugin before 3.3.5 for WordPress has XSS. |
| CVE-2018-20982 | 2019-08-22 | The media-library-assistant plugin before 2.74 for WordPress has XSS via the Media/Assistant or Settings/Media Library assistant admin submenu screens. |
| CVE-2017-18575 | 2019-08-22 | The newstatpress plugin before 1.2.5 for WordPress has multiple stored XSS issues. |
| CVE-2016-10922 | 2019-08-22 | The woocommerce-store-toolkit plugin before 1.5.7 for WordPress has privilege escalation. |
| CVE-2016-10923 | 2019-08-22 | The woocommerce-store-toolkit plugin before 1.5.8 for WordPress has privilege escalation. |
| CVE-2017-18576 | 2019-08-22 | The event-notifier plugin before 1.2.1 for WordPress has XSS via the loading animation. |
| CVE-2016-10924 | 2019-08-22 | The ebook-download plugin before 1.2 for WordPress has directory traversal. |
| CVE-2017-18577 | 2019-08-22 | The mailchimp-for-wp plugin before 4.1.8 for WordPress has XSS via the return value of add_query_arg. |
| CVE-2016-10925 | 2019-08-22 | The peters-login-redirect plugin before 2.9.1 for WordPress has XSS during the editing of redirect URLs. |
| CVE-2013-7482 | 2019-08-22 | The reflex-gallery plugin before 1.4.3 for WordPress has XSS. |
| CVE-2008-7321 | 2019-08-22 | The tubepress plugin before 1.6.5 for WordPress has XSS. |
| CVE-2018-20983 | 2019-08-22 | The wp-retina-2x plugin before 5.2.3 for WordPress has XSS. |
| CVE-2014-10383 | 2019-08-22 | The memphis-documents-library plugin before 3.0 for WordPress has Remote File Inclusion. |
| CVE-2014-10384 | 2019-08-22 | The memphis-documents-library plugin before 3.0 for WordPress has Local File Inclusion. |
| CVE-2014-10385 | 2019-08-22 | The memphis-documents-library plugin before 3.0 for WordPress has XSS via $_REQUEST. |
| CVE-2016-10926 | 2019-08-22 | The nelio-ab-testing plugin before 4.5.9 for WordPress has SSRF in ajax/iesupport.php. |
| CVE-2016-10927 | 2019-08-22 | The nelio-ab-testing plugin before 4.5.11 for WordPress has SSRF in ajax/iesupport.php. |
| CVE-2019-15319 | 2019-08-22 | The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce. |
| CVE-2019-15320 | 2019-08-22 | The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled. |
| CVE-2019-15321 | 2019-08-22 | The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled. |
| CVE-2018-20984 | 2019-08-22 | The patreon-connect plugin before 1.2.2 for WordPress has Object Injection. |
| CVE-2019-15322 | 2019-08-22 | The shortcode-factory plugin before 2.8 for WordPress has Local File Inclusion. |
| CVE-2017-18580 | 2019-08-22 | The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode. |
| CVE-2018-20985 | 2019-08-22 | The wp-payeezy-pay plugin before 2.98 for WordPress has local file inclusion in pay.php, donate.php, donate-rec, and pay-rec. |
| CVE-2017-18581 | 2019-08-22 | The time-sheets plugin before 1.5.0 for WordPress has XSS via the old timesheet list. |
| CVE-2017-18582 | 2019-08-22 | The time-sheets plugin before 1.5.2 for WordPress has multiple XSS issues. |
| CVE-2019-15323 | 2019-08-22 | The ad-inserter plugin before 2.4.20 for WordPress has path traversal. |
| CVE-2019-15324 | 2019-08-22 | The ad-inserter plugin before 2.4.22 for WordPress has remote code execution. |
| CVE-2015-9337 | 2019-08-22 | The profile-builder plugin before 2.1.4 for WordPress has no access control for activating or deactivating addons via AJAX. |
| CVE-2017-18583 | 2019-08-22 | The post-pay-counter plugin before 2.731 for WordPress has PHP Object Injection. |
| CVE-2017-18584 | 2019-08-22 | The post-pay-counter plugin before 2.731 for WordPress has no permissions check for an update-settinga action. |
| CVE-2019-5632 | 2019-08-22 | Hickory Smart Lock Insecure Storage on Android |
| CVE-2019-5633 | 2019-08-22 | Hickory Smart Lock Insecure Storage on iOS |
| CVE-2019-5634 | 2019-08-22 | Hickory Smart Lock Insecure Logging on Android |
| CVE-2019-5635 | 2019-08-22 | Hickory Smart Lock Cleartext Password |
| CVE-2018-18572 | 2019-08-22 | osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didn't execute... |
| CVE-2018-18573 | 2019-08-22 | osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code... |
| CVE-2019-11013 | 2019-08-22 | Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside... |
| CVE-2019-11029 | 2019-08-22 | Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Download() method of AutoUpdateService in SMServer.exe, leading to Directory Traversal. An attacker could use ..\ with this method to iterate... |
| CVE-2019-11030 | 2019-08-22 | Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserialization within the .NET garbage collector, in which... |
| CVE-2019-11031 | 2019-08-22 | Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the auto-update feature of IDVRUpdateService2 in DVRServer.exe. An attacker can upload files with a Setup-Files action, and then execute these files... |
| CVE-2019-9153 | 2019-08-22 | Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature. |
| CVE-2019-9154 | 2019-08-22 | Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to pass off unsigned data as signed. |
| CVE-2019-9155 | 2019-08-22 | A cryptographic issue in OpenPGP.js <=4.2.0 allows an attacker who is able to provide forged messages and gain feedback about whether decryption of these messages succeeded to conduct an invalid curve... |