CVE List - 2019 / September
Showing 501 - 600 of 1531 CVEs for September 2019 (Page 6 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-16257 | 2019-09-12 | Some Motorola devices include the SIMalliance Toolbox Browser (aka S@T Browser) on the UICC, which might allow remote attackers to retrieve location and IMEI information, or retrieve other data or... |
| CVE-2019-16256 | 2019-09-12 | Some Samsung devices include the SIMalliance Toolbox Browser (aka S@T Browser) on the UICC, which might allow remote attackers to retrieve location and IMEI information, or retrieve other data or... |
| CVE-2019-10392 | 2019-09-12 | Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection. |
| CVE-2019-10393 | 2019-09-12 | A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in... |
| CVE-2019-10394 | 2019-09-12 | A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed... |
| CVE-2019-10395 | 2019-09-12 | Jenkins Build Environment Plugin 1.6 and earlier did not escape variables shown on its views, resulting in a cross-site scripting vulnerability in Jenkins 2.145, 2.138.1, or older, exploitable by users... |
| CVE-2019-10396 | 2019-09-12 | Jenkins Dashboard View Plugin 2.11 and earlier did not escape build descriptions, resulting in a cross-site scripting vulnerability exploitable by users able to change build descriptions. |
| CVE-2019-10397 | 2019-09-12 | Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure. |
| CVE-2019-10398 | 2019-09-12 | Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the... |
| CVE-2019-10399 | 2019-09-12 | A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions in increment and decrement expressions allowed attackers to... |
| CVE-2019-10400 | 2019-09-12 | A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to... |
| CVE-2019-16261 | 2019-09-12 | Tripp Lite PDUMH15AT 12.04.0053 and SU750XL 12.04.0052 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to... |
| CVE-2019-3638 | 2019-09-12 | Web Gateway (MWG) - Reflected Cross Site Scripting vulnerability |
| CVE-2019-16238 | 2019-09-12 | Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged for session hijacking by retrieving the session cookie from the administrator login. |
| CVE-2019-5956 | 2019-09-12 | Directory traversal vulnerability in WonderCMS 2.6.0 and earlier allows remote attackers to delete arbitrary files via unspecified vectors. |
| CVE-2019-5975 | 2019-09-12 | DOM-based cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 4.10.2 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-5976 | 2019-09-12 | Cybozu Garoon 4.0.0 to 4.10.2 allows an attacker with administrative rights to cause a denial of service condition via unspecified vectors. |
| CVE-2019-5977 | 2019-09-12 | Mail header injection vulnerability in Cybozu Garoon 4.0.0 to 4.10.2 may allow a remote authenticated attackers to alter mail header via the application 'E-Mail'. |
| CVE-2019-5978 | 2019-09-12 | Open redirect vulnerability in Cybozu Garoon 4.0.0 to 4.10.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the application 'Scheduler'. |
| CVE-2019-5985 | 2019-09-12 | Cross-site scripting vulnerability in Hikari Denwa router/Home GateWay (Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION PR-S300NE/RT-S300NE/RV-S340NE firmware version Ver. 19.41 and earlier, PR-S300HI/RT-S300HI/RV-S340HI firmware version... |
| CVE-2019-5986 | 2019-09-12 | Cross-site request forgery (CSRF) vulnerability in Hikari Denwa router/Home GateWay (Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION PR-S300NE/RT-S300NE/RV-S340NE firmware version Ver. 19.41 and earlier, PR-S300HI/RT-S300HI/RV-S340HI... |
| CVE-2019-5991 | 2019-09-12 | SQL injection vulnerability in the Cybozu Garoon 4.0.0 to 4.10.3 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2019-5992 | 2019-09-12 | Cross-site request forgery (CSRF) vulnerability in WordPress Ultra Simple Paypal Shopping Cart v4.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2019-5993 | 2019-09-12 | Cross-site request forgery (CSRF) vulnerability in Category Specific RSS feed Subscription version v2.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2019-5996 | 2019-09-12 | SQL injection vulnerability in the Video Insight VMS 7.3.2.5 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2019-6003 | 2019-09-12 | Cross-site scripting vulnerability in EC-CUBE plugin 'Amazon Pay Plugin 2.12,2.13' version 2.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-6004 | 2019-09-12 | Open redirect vulnerability in ApeosWare Management Suite Ver.1.4.0.18 and earlier, and ApeosWare Management Suite 2 Ver.2.1.2.4 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct... |
| CVE-2019-6005 | 2019-09-12 | Smart TV Box firmware version prior to 1300 allows remote attackers to bypass access restriction to conduct arbitrary operations on the device without user's intent, such as installing arbitrary software... |
| CVE-2019-6007 | 2019-09-12 | Integer overflow vulnerability in apng-drawable 1.0.0 to 1.6.0 allows an attacker to cause a denial of service (DoS) condition or execute arbitrary code via unspecified vectors. |
| CVE-2019-6009 | 2019-09-12 | Open redirect vulnerability in SHIRASAGI v1.7.0 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| CVE-2019-11773 | 2019-09-12 | Prior to 0.1, AIX builds of Eclipse OMR contain unused RPATHs which may facilitate code injection and privilege elevation by local users. |
| CVE-2019-11774 | 2019-09-12 | Prior to 0.1, all builds of Eclipse OMR contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning... |
| CVE-2019-14236 | 2019-09-12 | On STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and STM32H7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated by observing CPU registers and the... |
| CVE-2019-14237 | 2019-09-12 | On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Access Controls (FAC) (a software IP protection method for execute-only access) can be defeated by observing CPU registers and... |
| CVE-2019-8069 | 2019-09-12 | Adobe Flash Player 32.0.0.238 and earlier versions, 32.0.0.207 and earlier versions have a Same Origin Method Execution vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of... |
| CVE-2019-8076 | 2019-09-12 | Adobe application manager installer version 10.0 have an Insecure Library Loading (DLL hijacking) vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of the current user. |
| CVE-2019-8070 | 2019-09-12 | Adobe Flash Player 32.0.0.238 and earlier versions, 32.0.0.207 and earlier versions have a Use after free vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of the... |
| CVE-2019-11898 | 2019-09-12 | Unauthorized APE administration privileges can be achieved by reverse engineering one of the APE service tools. The service tool is discontinued with Bosch Access Professional Edition (APE) 3.8. |
| CVE-2019-11899 | 2019-09-12 | An unauthenticated attacker can achieve unauthorized access to sensitive data by exploiting Windows SMB protocol on a client installation. With Bosch Access Professional Edition (APE) 3.8, client installations need to... |
| CVE-2019-13534 | 2019-09-12 | Philips IntelliVue WLAN, portable patient monitors, WLAN Version A, Firmware A.03.09, WLAN Version A, Firmware A.03.09, Part #: M8096-67501, WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version... |
| CVE-2019-13530 | 2019-09-12 | Philips IntelliVue WLAN, portable patient monitors, WLAN Version A, Firmware A.03.09, WLAN Version A, Firmware A.03.09, Part #: M8096-67501, WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version... |
| CVE-2019-16275 | 2019-09-12 | hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should... |
| CVE-2019-16277 | 2019-09-13 | PicoC 2.1 has a heap-based buffer overflow in StringStrcpy in cstdlib/string.c when called from ExpressionParseFunctionCall in expression.c. |
| CVE-2017-18612 | 2019-09-13 | The wp-whois-domain plugin 1.0.0 for WordPress has XSS via the pages/func-whois.php domain parameter. |
| CVE-2017-18613 | 2019-09-13 | The trust-form plugin 2.0 for WordPress has XSS via the wp-admin/admin.php?page=trust-form-edit page parameter. |
| CVE-2017-18614 | 2019-09-13 | The kama-clic-counter plugin 3.4.9 for WordPress has SQL injection via the admin.php order parameter. |
| CVE-2017-18615 | 2019-09-13 | The kama-clic-counter plugin before 3.5.0 for WordPress has XSS. |
| CVE-2016-10938 | 2019-09-13 | The copy-me plugin 1.0.0 for WordPress has CSRF for copying non-public posts to a public location. |
| CVE-2016-10939 | 2019-09-13 | The xtremelocator plugin 1.5 for WordPress has SQL injection via the id parameter. |
| CVE-2016-10940 | 2019-09-13 | The zm-gallery plugin 1.0 for WordPress has SQL injection via the order parameter. |
| CVE-2016-10941 | 2019-09-13 | The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF. |
| CVE-2016-10942 | 2019-09-13 | The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has SQL injection via the insert_id parameter exploitable via CSRF. |
| CVE-2016-10943 | 2019-09-13 | The zx-csv-upload plugin 1 for WordPress has SQL injection via the id parameter. |
| CVE-2016-10944 | 2019-09-13 | The multisite-post-duplicator plugin before 1.1.3 for WordPress has wp-admin/tools.php?page=mpd CSRF. |
| CVE-2016-10945 | 2019-09-13 | The PageLines theme 1.1.4 for WordPress has wp-admin/admin-post.php?page=pagelines CSRF. |
| CVE-2016-10946 | 2019-09-13 | The wp-d3 plugin before 2.4.1 for WordPress has CSRF. |
| CVE-2016-10947 | 2019-09-13 | The Post Indexer plugin before 3.0.6.2 for WordPress has SQL injection via the period parameter by a super admin. |
| CVE-2016-10948 | 2019-09-13 | The Post Indexer plugin before 3.0.6.2 for WordPress has incorrect handling of data passed to the unserialize function. |
| CVE-2016-10949 | 2019-09-13 | The Relevanssi Premium plugin before 1.14.6.1 for WordPress has SQL injection with resultant unsafe unserialization. |
| CVE-2016-10950 | 2019-09-13 | The sirv plugin before 1.3.2 for WordPress has SQL injection via the id parameter. |
| CVE-2016-10951 | 2019-09-13 | The fs-shopping-cart plugin 2.07.02 for WordPress has SQL injection via the pid parameter. |
| CVE-2016-10952 | 2019-09-13 | The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter. |
| CVE-2016-10953 | 2019-09-13 | The Headway theme before 3.8.9 for WordPress has XSS via the license key field. |
| CVE-2016-10954 | 2019-09-13 | The Neosense theme before 1.8 for WordPress has qquploader unrestricted file upload. |
| CVE-2016-10955 | 2019-09-13 | The cysteme-finder plugin before 1.4 for WordPress has unrestricted file upload because of incorrect session tracking. |
| CVE-2019-12516 | 2019-09-13 | The slickquiz plugin through 1.3.7.1 for WordPress allows SQL Injection by Subscriber users, as demonstrated by a /wp-admin/admin.php?page=slickquiz-scores&id= or /wp-admin/admin.php?page=slickquiz-edit&id= or /wp-admin/admin.php?page=slickquiz-preview&id= URI. |
| CVE-2019-12517 | 2019-09-13 | An XSS issue was discovered in the slickquiz plugin through 1.3.7.1 for WordPress. The save_quiz_score functionality available via the /wp-admin/admin-ajax.php endpoint allows unauthenticated users to submit quiz solutions/answers, which are... |
| CVE-2019-13363 | 2019-09-13 | admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF. |
| CVE-2019-13364 | 2019-09-13 | admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF. |
| CVE-2019-12922 | 2019-09-13 | A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page. |
| CVE-2019-15030 | 2019-09-13 | In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability,... |
| CVE-2019-15031 | 2019-09-13 | In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the venerability, a local... |
| CVE-2019-3646 | 2019-09-13 | McAfee Total Protection - Free Antivirus Trial: DLL Search Order Hijacking vulnerability |
| CVE-2019-16289 | 2019-09-13 | The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter. |
| CVE-2019-16288 | 2019-09-13 | On Tenda N301 wireless routers, a long string in the wifiSSID parameter of a goform/setWifi POST request causes the device to crash. |
| CVE-2010-5333 | 2019-09-13 | The web server in Integard Pro and Home before 2.0.0.9037 and 2.2.x before 2.2.0.9037 has a buffer overflow via a long password in an administration login POST request, leading to... |
| CVE-2019-16293 | 2019-09-13 | The Create Discoveries feature of Open-AudIT before 3.2.0 allows an authenticated attacker to execute arbitrary OS commands via a crafted value for a URL field. |
| CVE-2019-10937 | 2019-09-13 | A vulnerability has been identified in SIMATIC TDC CP51M1 (All versions < V1.1.7). An attacker with network access to the device could cause a Denial-of-Service condition by sending a specially... |
| CVE-2019-13918 | 2019-09-13 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). The web interface has no means to prevent password guessing attacks. The vulnerability could be... |
| CVE-2019-13919 | 2019-09-13 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some pages that should only be accessible by a privileged user can also be accessed... |
| CVE-2019-13920 | 2019-09-13 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some parts of the web application are not protected against Cross Site Request Forgery (CSRF)... |
| CVE-2019-13922 | 2019-09-13 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). An attacker with administrative privileges can obtain the hash of a connected device's password. The... |
| CVE-2019-13923 | 2019-09-13 | A vulnerability has been identified in IE/WSN-PA Link WirelessHART Gateway (All versions). The integrated configuration web server of the affected device could allow Cross-Site Scripting (XSS) attacks if unsuspecting users... |
| CVE-2018-7081 | 2019-09-13 | A remote code execution vulnerability is present in network-listening components in some versions of ArubaOS. An attacker with the ability to transmit specially-crafted IP traffic to a mobility controller could... |
| CVE-2019-5314 | 2019-09-13 | Some web components in the ArubaOS software are vulnerable to HTTP Response splitting (CRLF injection) and Reflected XSS. An attacker would be able to accomplish this by sending certain URL... |
| CVE-2019-5315 | 2019-09-13 | A command injection vulnerability is present in the web management interface of ArubaOS that permits an authenticated user to execute arbitrary commands on the underlying operating system. A malicious administrator... |
| CVE-2019-13532 | 2019-09-13 | CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which may allow access to files outside the restricted working... |
| CVE-2019-13548 | 2019-09-13 | CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which could cause a stack overflow and create a denial-of-service... |
| CVE-2019-11660 | 2019-09-13 | Privileges manipulation in Micro Focus Data Protector, versions 10.00, 10.01, 10.02, 10.03, 10.04, 10.10, 10.20, 10.30, 10.40. This vulnerability could be exploited by a low-privileged user to execute a custom... |
| CVE-2019-5484 | 2019-09-13 | Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted. |
| CVE-2019-5485 | 2019-09-13 | NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name. |
| CVE-2019-16303 | 2019-09-13 | A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker... |
| CVE-2019-16305 | 2019-09-14 | In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to command injection. A crafted link can trigger a popup asking whether the user wants to run MobaXterm to handle... |
| CVE-2019-16314 | 2019-09-14 | Indexhibit 2.1.5 allows a product reinstallation, with resultant remote code execution, via /ndxzstudio/install.php?p=2. |
| CVE-2019-16313 | 2019-09-14 | ifw8 Router ROM v4.31 allows credential disclosure by reading the action/usermanager.htm HTML source code. |
| CVE-2019-16312 | 2019-09-14 | s-cms V3.0 has XSS in index.php?type=text via the S_id parameter. |
| CVE-2019-16311 | 2019-09-14 | NIUSHOP V1.11 has CSRF via search_info to index.php. |
| CVE-2019-16310 | 2019-09-14 | NIUSHOP V1.11 has XSS via the index.php?s=/admin URI. |
| CVE-2019-16309 | 2019-09-14 | FlameCMS 3.3.5 has SQL injection in account/login.php via accountName. |
| CVE-2019-16294 | 2019-09-14 | SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file. |