CVE List - 2019 / September
Showing 1001 - 1100 of 1531 CVEs for September 2019 (Page 11 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-10413 | 2019-09-25 | Jenkins Data Theorem: CI/CD Plugin 1.3 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission,... |
| CVE-2019-10414 | 2019-09-25 | Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or... |
| CVE-2019-10415 | 2019-09-25 | Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access... |
| CVE-2019-10416 | 2019-09-25 | Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read... |
| CVE-2019-10417 | 2019-09-25 | Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. |
| CVE-2019-10418 | 2019-09-25 | Jenkins Kubernetes :: Pipeline :: Arquillian Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. |
| CVE-2019-10419 | 2019-09-25 | Jenkins vFabric Application Director Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file... |
| CVE-2019-10420 | 2019-09-25 | Jenkins Assembla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| CVE-2019-10421 | 2019-09-25 | Jenkins Azure Event Grid Build Notifier Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or... |
| CVE-2019-10422 | 2019-09-25 | Jenkins Call Remote Job Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to... |
| CVE-2019-10423 | 2019-09-25 | Jenkins CodeScan Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| CVE-2019-10424 | 2019-09-25 | Jenkins elOyente Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| CVE-2019-10425 | 2019-09-25 | Jenkins Google Calendar Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the... |
| CVE-2019-10426 | 2019-09-25 | Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| CVE-2019-10427 | 2019-09-25 | Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. |
| CVE-2019-10428 | 2019-09-25 | Jenkins Aqua Security Scanner Plugin 3.0.17 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. |
| CVE-2019-10429 | 2019-09-25 | Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| CVE-2019-10430 | 2019-09-25 | Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to... |
| CVE-2019-16194 | 2019-09-25 | SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php. |
| CVE-2019-16701 | 2019-09-25 | pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value. |
| CVE-2019-16188 | 2019-09-25 | HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted... |
| CVE-2019-16880 | 2019-09-25 | An issue was discovered in the linea crate through 0.9.4 for Rust. There is double free in the Matrix::zip_elements method. |
| CVE-2019-10098 | 2019-09-25 | In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL... |
| CVE-2019-16881 | 2019-09-25 | An issue was discovered in the portaudio-rs crate through 0.3.1 for Rust. There is a use-after-free with resultant arbitrary code execution because of a lack of unwind safety in stream_callback... |
| CVE-2019-16882 | 2019-09-25 | An issue was discovered in the string-interner crate before 0.7.1 for Rust. It allows attackers to read from memory locations associated with dangling pointers, because of a cloning flaw. |
| CVE-2015-9409 | 2019-09-25 | The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resultant XSS in pages/alo-easymail-admin-options.php. |
| CVE-2019-6651 | 2019-09-25 | In BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.5.1-11.6.4, BIG-IQ 7.0.0, 6.0.0-6.1.0, 5.2.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, the Configuration utility login page may not follow best security practices when handling... |
| CVE-2019-16887 | 2019-09-25 | In IrfanView 4.53, Data from a Faulting Address controls a subsequent Write Address starting at image00400000+0x000000000001dcfc. |
| CVE-2019-6652 | 2019-09-25 | In BIG-IQ 6.0.0-6.1.0, services for stats do not require authentication nor do they implement any form of Transport Layer Security (TLS). |
| CVE-2019-6653 | 2019-09-25 | There is a Stored Cross Site Scripting vulnerability in the undisclosed page of a BIG-IQ 6.0.0-6.1.0 or 5.2.0-5.4.0 system. The attack can be stored by users granted the Device Manager... |
| CVE-2019-15067 | 2019-09-25 | An authentication bypass vulnerability discovered in Smart Battery A2-25DE. |
| CVE-2019-15068 | 2019-09-25 | A broken access control vulnerability discovered in Smart Battery A4. |
| CVE-2019-15069 | 2019-09-25 | An unsafe authentication interface was discovered in Smart Battery A4. |
| CVE-2019-12204 | 2019-09-25 | In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access. |
| CVE-2019-12245 | 2019-09-25 | SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension. |
| CVE-2019-12203 | 2019-09-25 | SilverStripe through 4.3.3 allows session fixation in the "change password" form. |
| CVE-2019-12205 | 2019-09-25 | SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS. |
| CVE-2019-6654 | 2019-09-25 | On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface). This... |
| CVE-2019-6655 | 2019-09-25 | On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4, and 11.5.1-11.5.9, BIG-IP platforms where AVR, ASM, APM, PEM, AFM, and/or AAM is provisioned may leak sensitive data. |
| CVE-2019-6656 | 2019-09-25 | BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full apm session ID in the log files. Vulnerable versions of the client are bundled with BIG-IP APM versions 15.0.0-15.0.1,... |
| CVE-2019-14666 | 2019-09-25 | GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset... |
| CVE-2019-15941 | 2019-09-25 | OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist... |
| CVE-2019-16889 | 2019-09-25 | Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of... |
| CVE-2019-12646 | 2019-09-25 | Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability |
| CVE-2019-12650 | 2019-09-25 | Cisco IOS XE Software Web UI Command Injection Vulnerabilities |
| CVE-2019-12649 | 2019-09-25 | Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability |
| CVE-2019-12648 | 2019-09-25 | Cisco IOx for IOS Software Guest Operating System Unauthorized Access Vulnerability |
| CVE-2019-4571 | 2019-09-25 | IBM Content Navigator 3.0CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to... |
| CVE-2019-12647 | 2019-09-25 | Cisco IOS and IOS XE Software IP Ident Denial of Service Vulnerability |
| CVE-2019-12651 | 2019-09-25 | Cisco IOS XE Software Web UI Command Injection Vulnerabilities |
| CVE-2019-12653 | 2019-09-25 | Cisco IOS XE Software Raw Socket Transport Denial of Service Vulnerability |
| CVE-2019-12655 | 2019-09-25 | Cisco IOS XE Software FTP Application Layer Gateway for NAT, NAT64, and ZBFW Denial of Service Vulnerability |
| CVE-2019-12657 | 2019-09-25 | Cisco IOS XE Software Unified Threat Defense Denial of Service Vulnerability |
| CVE-2019-12659 | 2019-09-25 | Cisco IOS XE Software HTTP Server Denial of Service Vulnerability |
| CVE-2019-12661 | 2019-09-25 | Cisco IOS XE Software Virtualization Manager CLI Command Injection Vulnerability |
| CVE-2019-12663 | 2019-09-25 | Cisco IOS XE Software TrustSec Protected Access Credential Provisioning Denial of Service Vulnerability |
| CVE-2019-12665 | 2019-09-25 | Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability |
| CVE-2019-12667 | 2019-09-25 | Cisco IOS XE Software Stored Cross-Site Scripting Vulnerability |
| CVE-2019-12669 | 2019-09-25 | Cisco IOS and IOS XE Software Change of Authorization Denial of Service Vulnerability |
| CVE-2019-12671 | 2019-09-25 | Cisco IOS XE Software Consent Token Bypass Vulnerability |
| CVE-2019-12709 | 2019-09-25 | Cisco IOS XR Software for Cisco ASR 9000 VMAN CLI Privilege Escalation Vulnerability |
| CVE-2019-12652 | 2019-09-25 | Cisco Catalyst 4000 Series Switches TCP Denial of Service Vulnerability |
| CVE-2019-12654 | 2019-09-25 | Cisco IOS and IOS XE Software Session Initiation Protocol Denial of Service Vulnerability |
| CVE-2019-12656 | 2019-09-25 | Cisco IOx Application Environment Denial of Service Vulnerability |
| CVE-2019-12658 | 2019-09-25 | Cisco IOS XE Software Filesystem Exhaustion Denial of Service Vulnerability |
| CVE-2019-12660 | 2019-09-25 | Cisco IOS XE Software ASIC Register Write Vulnerability |
| CVE-2019-12662 | 2019-09-25 | Cisco NX-OS and IOS XE Software Virtual Service Image Signature Bypass Vulnerability |
| CVE-2019-12664 | 2019-09-25 | Cisco IOS XE Software ISDN Data Leak Vulnerability |
| CVE-2019-12666 | 2019-09-25 | Cisco IOS XE Software Path Traversal Vulnerability |
| CVE-2019-12668 | 2019-09-25 | Cisco IOS and IOS XE Software Stored Banner Cross-Site Scripting Vulnerability |
| CVE-2019-12670 | 2019-09-25 | Cisco IOS XE Software IOx Guest Shell Namespace Protection Vulnerability |
| CVE-2019-12672 | 2019-09-25 | Cisco IOS XE Software Arbitrary Code Execution Vulnerability |
| CVE-2019-12717 | 2019-09-25 | Cisco NX-OS Software Virtualization Manager Command Injection Vulnerability |
| CVE-2019-16890 | 2019-09-25 | Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments. |
| CVE-2019-16253 | 2019-09-25 | The Text-to-speech Engine (aka SamsungTTS) application before 3.0.02.7 and 3.0.00.101 for Android allows a local attacker to escalate privileges, e.g., to system privileges. The Samsung case ID is 101755. |
| CVE-2017-18635 | 2019-09-25 | An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the... |
| CVE-2015-9410 | 2019-09-25 | The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter. |
| CVE-2015-9411 | 2019-09-25 | The Postmatic plugin before 1.4.6 for WordPress has XSS. |
| CVE-2015-9412 | 2019-09-25 | The Royal-Slider plugin before 3.2.7 for WordPress has XSS via the rstype parameter. |
| CVE-2015-9413 | 2019-09-25 | The eshop plugin through 6.3.13 for WordPress has CSRF with resultant XSS via the wp-admin/admin.php?page=eshop-downloads.php title parameter. |
| CVE-2015-9414 | 2019-09-25 | The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter. |
| CVE-2015-9415 | 2019-09-25 | The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion. |
| CVE-2015-9416 | 2019-09-25 | The sitepress-multilingual-cms (WPML) plugin 2.9.3 to 3.2.6 for WordPress has XSS via the Accept-Language HTTP header. |
| CVE-2015-9417 | 2019-09-25 | The testimonial-slider plugin through 1.2.1 for WordPress has CSRF with resultant XSS. |
| CVE-2015-9418 | 2019-09-25 | The Watu Pro plugin before 4.9.0.8 for WordPress has CSRF that allows an attacker to delete quizzes. |
| CVE-2019-16910 | 2019-09-26 | Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to... |
| CVE-2015-9419 | 2019-09-26 | The captain-slider plugin 1.0.6 for WordPress has XSS via a Title or Caption section. |
| CVE-2015-9420 | 2019-09-26 | The soundcloud-is-gold plugin before 2.3.2 for WordPress has XSS via the wp-admin/admin-ajax.php?action=get_soundcloud_player id parameter. |
| CVE-2015-9421 | 2019-09-26 | The olevmedia-shortcodes plugin before 1.1.9 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=omsc_popup id parameter. |
| CVE-2015-9422 | 2019-09-26 | The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has CSRF with resultant XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load plugnedit_width, pnemedcount, PlugneditBGColor, PlugneditEditorMargin, or plugneditcontent parameters. |
| CVE-2015-9423 | 2019-09-26 | The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load PlugneditBGColor, PlugneditEditorMargin, plugnedit_width, pnemedcount, or plugneditcontent parameters. |
| CVE-2015-9424 | 2019-09-26 | The multicons plugin before 3.0 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=multicons%2Fmulticons.php global_url or admin_url parameter. |
| CVE-2015-9425 | 2019-09-26 | The social-locker plugin before 4.2.5 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=opanda-item&page=license-manager-sociallocker-next licensekey parameter. |
| CVE-2015-9426 | 2019-09-26 | The manual-image-crop plugin before 1.11 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=mic_editor_window postId parameter. |
| CVE-2015-9427 | 2019-09-26 | The googmonify plugin through 0.5.1 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=googmonify.php PID or AID parameter. |
| CVE-2015-9428 | 2019-09-26 | The wplegalpages plugin before 1.1 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=legal-pages lp-domain-name, lp-business-name, lp-phone, lp-street, lp-city-state, lp-country, lp-email, lp-address, or lp-niche parameters. |
| CVE-2015-9429 | 2019-09-26 | The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=yith-maintenance-mode panel_page parameter. |
| CVE-2015-9430 | 2019-09-26 | The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header. |
| CVE-2015-9449 | 2019-09-26 | The microblog-poster plugin before 1.6.2 for WordPress has SQL Injection via the wp-admin/options-general.php?page=microblogposter.php account_id parameter. |
| CVE-2019-16901 | 2019-09-26 | Advantech WebAccess/HMI Designer 2.1.9.31 has Exception Handler Chain corruption starting at Unknown Symbol @ 0x0000000000000000 called from ntdll!RtlRaiseStatus+0x00000000000000b4. |
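Eighteen of the Jenkins entries above (CVE-2019-10413 through CVE-2019-10430, excluding the two whitelist bypasses and the two form-transmission issues) describe the same storage flaw: a plugin keeps a password or token in a plain Java `String` field, so Jenkins serialises it verbatim into a job `config.xml` or the plugin's global `*.xml` under `JENKINS_HOME`, where anyone with Extended Read permission or file-system access can read it. Fields declared as `hudson.util.Secret` are written instead as `{<base64>}` (AES-encrypted, braces included). The scanner below is an added example, not code from the advisories or from the Jenkins project; it walks a `JENKINS_HOME` and flags secret-looking elements whose value is not in that encrypted form. The tag-name heuristic, the `credentialsId` exclusion and the sample `config.xml` are assumptions and constructed input, not taken from any of the listed plugins.

```python
"""Heuristic scan for plaintext credentials in Jenkins config.xml files.

Added example. The accepted "encrypted" form is how hudson.util.Secret is
serialised on disk ("{" + base64 + "}"); the list of secret-like element
names is a guess and will miss plugins that use other field names.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

# On-disk form of hudson.util.Secret: braces around base64 of the AES blob.
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Assumption: element names that usually carry a credential value.
SECRET_TAG_RE = re.compile(
    r"(password|passwd|passphrase|secret|token|api[_-]?key|privatekey|credential)",
    re.IGNORECASE,
)

# A credentialsId is a reference into the Credentials plugin store, not a
# secret itself, so it is not a finding even though it matches above.
ID_TAG_RE = re.compile(r"credentialsid$", re.IGNORECASE)


def is_encrypted_secret(value: str) -> bool:
    """True if value has the hudson.util.Secret on-disk form."""
    return ENCRYPTED_SECRET_RE.match(value.strip()) is not None


def find_plaintext_secrets(xml_text: str) -> list[tuple[str, str]]:
    """Return (element path, value) for secret-looking elements stored in clear."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        here = f"{path}/{tag}"
        text = (elem.text or "").strip()
        if (text and SECRET_TAG_RE.search(tag) and not ID_TAG_RE.search(tag)
                and not is_encrypted_secret(text)):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_jenkins_home(jenkins_home: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan job config.xml files and the top-level global/plugin *.xml files."""
    candidates = list(jenkins_home.glob("jobs/*/config.xml")) + list(jenkins_home.glob("*.xml"))
    report: dict[str, list[tuple[str, str]]] = {}
    for cfg in candidates:
        try:
            hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            hits = [("<parse error>", str(exc))]
        if hits:
            report[str(cfg.relative_to(jenkins_home))] = hits
    return report


# Constructed sample job config (not from a real plugin): one String field
# stored in clear, one Secret field stored encrypted, one credentials-ID
# reference, and one non-secret setting.
SAMPLE_JOB_CONFIG = """<project>
  <publishers>
    <com.example.NotifierPlugin>
      <serverUrl>https://notify.example.invalid</serverUrl>
      <password>hunter2</password>
      <apiToken>{AQAAABAAAAAwZm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg==}</apiToken>
      <credentialsId>deploy-key-prod</credentialsId>
    </com.example.NotifierPlugin>
  </publishers>
</project>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_jenkins_secrets.py /var/lib/jenkins
        for cfg, hits in scan_jenkins_home(Path(sys.argv[1])).items():
            for path, value in hits:
                print(f"{cfg}: {path} = {value[:4]}***")
    else:
        for path, value in find_plaintext_secrets(SAMPLE_JOB_CONFIG):
            print(f"plaintext secret at {path}: {value[:4]}***")
```

Run it against the sample and only `/project/publishers/com.example.NotifierPlugin/password` is reported; the `{...}` token and the `credentialsId` reference are skipped. A hit on a real master means the plugin (or its version) still declares the field as `String`; the fix on the plugin side is to change the field to `hudson.util.Secret` or, better, to reference a Credentials-plugin entry by ID, and on the operator side to rotate the exposed secret, since anyone with Extended Read on the job has already been able to read it.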