CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2013-4658 22 Dir. Trav. 2019-10-25 2019-10-29
10.0
None Remote Low Not required Complete Complete Complete
Linksys EA6500 has SMB Symlink Traversal allowing symbolic links to be created to locations outside of the Samba share.
2 CVE-2018-4031 94 2019-10-31 2019-11-06
10.0
None Remote Low Not required Complete Complete Complete
An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. The flaw lies in the way the safe browsing function parses HTTP requests. The server hostname is extracted from captured HTTP/HTTPS requests and inserted as part of a Lua statement without prior sanitization, which results in arbitrary Lua script execution in the kernel. An attacker could send an HTTP request to exploit this vulnerability.
3 CVE-2018-21025 269 2019-10-08 2019-10-11
10.0
None Remote Low Not required Complete Complete Complete
In Centreon VM through 19.04.3, centreon-backup.pl allows attackers to become root via a crafted script, due to incorrect rights of sourced configuration files.
4 CVE-2019-1372 Exec Code 2019-10-10 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
An remote code execution vulnerability exists when Azure App Service/ Antares on Azure Stack fails to check the length of a buffer prior to copying memory to it.An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system thereby escaping the Sandbox.The security update addresses the vulnerability by ensuring that Azure App Service sanitizes user inputs., aka 'Azure App Service Remote Code Execution Vulnerability'.
5 CVE-2019-3980 20 2019-10-08 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable run under the Local System account.
6 CVE-2019-8186 787 Exec Code 2019-10-17 2021-09-08
10.0
None Remote Low Not required Complete Complete Complete
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution .
7 CVE-2019-8195 119 Exec Code Overflow 2019-10-17 2021-11-22
10.0
None Remote Low Not required Complete Complete Complete
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution .
8 CVE-2019-8196 119 Exec Code Overflow 2019-10-17 2021-11-22
10.0
None Remote Low Not required Complete Complete Complete
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution .
9 CVE-2019-8237 327 Bypass 2019-10-23 2021-11-22
10.0
None Remote Low Not required Complete Complete Complete
Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an insufficiently robust encryption vulnerability. Successful exploitation could lead to security feature bypass.
10 CVE-2019-9531 287 Exec Code 2019-10-10 2019-10-17
10.0
None Remote Low Not required Complete Complete Complete
The web application portal of the Cobham EXPLORER 710, firmware version 1.07, allows unauthenticated access to port 5454. This could allow an unauthenticated, remote attacker to connect to this port via Telnet and execute 86 Attention (AT) commands, including some that provide unauthenticated, shell-like access to the device.
11 CVE-2019-9533 798 2019-10-10 2020-10-16
10.0
None Remote Low Not required Complete Complete Complete
The root password of the Cobham EXPLORER 710 is the same for all versions of firmware up to and including v1.08. This could allow an attacker to reverse-engineer the password from available versions to gain authenticated access to the device.
12 CVE-2019-9535 74 Exec Code 2019-10-09 2021-10-26
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability exists in the way that iTerm2 integrates with tmux's control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5. This vulnerability may allow an attacker to execute arbitrary commands on their victim's computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content.
13 CVE-2019-11526 94 2019-10-10 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in Softing uaGate SI 1.60.01. A maintenance script, that is executable via sudo, is vulnerable to file path injection. This enables the Attacker to write files with superuser privileges in specific locations.
14 CVE-2019-12157 20 2019-10-02 2021-01-26
10.0
None Remote Low Not required Complete Complete Complete
In JetBrains UpSource versions before 2018.2 build 1293, there is credential disclosure via RPC commands.
15 CVE-2019-12941 307 2019-10-14 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
AutoPi Wi-Fi/NB and 4G/LTE devices before 2019-10-15 allows an attacker to perform a brute-force attack or dictionary attack to gain access to the WiFi network, which provides root access to the device. The default WiFi password and WiFi SSID are derived from the same hash function output (input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID.
16 CVE-2019-13547 306 2019-10-31 2021-05-13
10.0
None Remote Low Not required Complete Complete Complete
Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. There is an unsecured function that allows anyone who can access the IP address to use the function without authentication.
17 CVE-2019-13551 22 Exec Code Dir. Trav. 2019-10-31 2021-05-13
10.0
None Remote Low Not required Complete Complete Complete
Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Path traversal vulnerabilities are caused by a lack of proper validation of a user-supplied path prior to use in file operations. An attacker can leverage these vulnerabilities to remotely execute code while posing as an administrator.
18 CVE-2019-13553 798 2019-10-25 2020-02-10
10.0
None Remote Low Not required Complete Complete Complete
Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point.
19 CVE-2019-13649 78 2019-10-24 2019-10-28
10.0
None Remote Low Not required Complete Complete Complete
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow externalPort OS Command Injection (issue 1 of 5).
20 CVE-2019-13650 78 2019-10-24 2019-10-28
10.0
None Remote Low Not required Complete Complete Complete
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow internalPort OS Command Injection (issue 2 of 5).
21 CVE-2019-13651 78 2019-10-24 2019-10-28
10.0
None Remote Low Not required Complete Complete Complete
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow portMappingProtocol OS Command Injection (issue 3 of 5).
22 CVE-2019-13652 78 2019-10-24 2019-10-28
10.0
None Remote Low Not required Complete Complete Complete
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow serviceName OS Command Injection (issue 4 of 5).
23 CVE-2019-13653 78 2019-10-24 2019-10-28
10.0
None Remote Low Not required Complete Complete Complete
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow triggerPort OS Command Injection (issue 5 of 5).
24 CVE-2019-14450 22 Exec Code Dir. Trav. 2019-10-28 2019-10-31
10.0
None Remote Low Not required Complete Complete Complete
A directory traversal vulnerability was discovered in RepetierServer.exe in Repetier-Server 0.8 through 0.91 that allows for the creation of a user controlled XML file at an unintended location. When this is combined with CVE-2019-14451, an attacker can upload an "external command" configuration as a printer configuration, and achieve remote code execution. After exploitation, loading of the external command configuration is dependent on a system reboot or service restart.
25 CVE-2019-14451 434 Exec Code 2019-10-25 2019-10-28
10.0
None Remote Low Not required Complete Complete Complete
RepetierServer.exe in Repetier-Server 0.8 through 0.91 does not properly validate the XML data structure provided when uploading a new printer configuration. When this is combined with CVE-2019-14450, an attacker can upload an "external command" configuration as a printer configuration, and achieve remote code execution. After exploitation, loading of the external command configuration is dependent on a system reboot or service restart.
26 CVE-2019-14930 798 +Priv 2019-10-28 2019-10-30
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Undocumented hard-coded user passwords for root, ineaadmin, mitsadmin, and maint could allow an attacker to gain unauthorised access to the RTU. (Also, the accounts ineaadmin and mitsadmin are able to escalate privileges to root without supplying a password due to insecure entries in /etc/sudoers on the RTU.)
27 CVE-2019-14931 78 Exec Code 2019-10-28 2019-10-30
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data.
28 CVE-2019-15066 Exec Code 2019-10-17 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
An “invalid command” handler issue was discovered in HiNet GPON firmware < I040GWR190731. It allows an attacker to execute arbitrary command through port 6998. CVSS 3.0 Base score 10.0. CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
29 CVE-2019-15260 DoS +Priv 2019-10-16 2021-11-02
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability in Cisco Aironet Access Points (APs) Software could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device with elevated privileges. The vulnerability is due to insufficient access control for certain URLs on an affected device. An attacker could exploit this vulnerability by requesting specific URLs from an affected AP. An exploit could allow the attacker to gain access to the device with elevated privileges. While the attacker would not be granted access to all possible configuration options, it could allow the attacker to view sensitive information and replace some options with values of their choosing, including wireless network configuration. It would also allow the attacker to disable the AP, creating a denial of service (DoS) condition for clients associated with the AP.
30 CVE-2019-15746 94 Exec Code 2019-10-07 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
SITOS six Build v6.2.1 allows an attacker to inject arbitrary PHP commands. As a result, an attacker can compromise the running server and execute system commands in the context of the web user.
31 CVE-2019-15751 434 Exec Code 2019-10-07 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
An unrestricted file upload vulnerability in SITOS six Build v6.2.1 allows remote attackers to execute arbitrary code by uploading a SCORM file with an executable extension. This allows an unauthenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to the web root of the application.
32 CVE-2019-15859 200 +Info 2019-10-09 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
Password disclosure in the web interface on socomec DIRIS A-40 devices before 48250501 allows a remote attacker to get full access to a device via the /password.jsn URI.
33 CVE-2019-15900 1187 Exec Code 2019-10-18 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in slicer69 doas before 6.2 on certain platforms other than OpenBSD. On platforms without strtonum(3), sscanf was used without checking for error cases. Instead, the uninitialized variable errstr was checked and in some cases returned success even if sscanf failed. The result was that, instead of reporting that the supplied username or group name did not exist, it would execute the command as root.
34 CVE-2019-15940 306 2019-10-01 2019-10-04
10.0
None Remote Low Not required Complete Complete Complete
Victure PC530 devices allow unauthenticated TELNET access as root.
35 CVE-2019-16662 78 Exec Code 2019-10-28 2019-10-29
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.
36 CVE-2019-17059 78 Exec Code 2019-10-11 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
A shell injection vulnerability on the Sophos Cyberoam firewall appliance with CyberoamOS before 10.6.6 MR-6 allows remote attackers to execute arbitrary commands via the Web Admin and SSL VPN consoles.
37 CVE-2019-17124 276 2019-10-09 2019-10-15
10.0
None Remote Low Not required Complete Complete Complete
Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.
38 CVE-2019-17181 120 Overflow 2019-10-28 2019-11-01
10.0
None Remote Low Not required Complete Complete Complete
A remote SEH buffer overflow has been discovered in IntraSrv 1.0 (2007-06-03). An attacker may send a crafted HTTP GET or HEAD request that can result in a compromise of the hosting system.
39 CVE-2019-17269 78 Exec Code 2019-10-07 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
Intellian Remote Access 3.18 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the Ping Test field.
40 CVE-2019-17506 306 2019-10-11 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.
41 CVE-2019-17508 78 2019-10-11 2019-10-16
10.0
None Remote Low Not required Complete Complete Complete
On D-Link DIR-859 A3-1.06 and DIR-850 A1.13 devices, /etc/services/DEVICE.TIME.php allows command injection via the $SERVER variable.
42 CVE-2019-17509 78 Exec Code 2019-10-11 2019-10-15
10.0
None Remote Low Not required Complete Complete Complete
D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetMasterWLanSettings with shell metacharacters to /squashfs-root/www/HNAP1/control/SetMasterWLanSettings.php.
43 CVE-2019-17510 78 Exec Code 2019-10-11 2019-10-15
10.0
None Remote Low Not required Complete Complete Complete
D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetWizardConfig with shell metacharacters to /squashfs-root/www/HNAP1/control/SetWizardConfig.php.
44 CVE-2019-17526 94 Exec Code 2019-10-18 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an __import__('os').popen('whoami').read() line. NOTE: the vendor's position is that the product is "vulnerable by design" and the current behavior will be retained.
45 CVE-2019-17600 352 2019-10-15 2019-11-16
10.0
None Remote Low Not required Complete Complete Complete
Intelbras IWR 1000N 1.6.4 devices allow disclosure of the administrator login name and password because v1/system/user is mishandled.
46 CVE-2019-18189 22 Dir. Trav. Bypass 2019-10-28 2019-11-05
10.0
None Remote Low Not required Complete Complete Complete
A directory traversal vulnerability in Trend Micro Apex One, OfficeScan (11.0, XG) and Worry-Free Business Security (9.5, 10.0) may allow an attacker to bypass authentication and log on to an affected product's management console as a root user. The vulnerability does not require authentication.
47 CVE-2019-18200 2019-10-24 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, they are prone to keystroke injection attacks.
48 CVE-2013-4848 352 CSRF 2019-10-25 2019-10-28
9.3
None Remote Medium Not required Complete Complete Complete
TP-Link TL-WDR4300 version 3.13.31 has multiple CSRF vulnerabilities.
49 CVE-2019-1060 611 Exec Code 2019-10-10 2019-10-11
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'.
50 CVE-2019-1311 Exec Code 2019-10-10 2020-08-24
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists when the Windows Imaging API improperly handles objects in memory, aka 'Windows Imaging API Remote Code Execution Vulnerability'.
Total number of vulnerabilities : 1567   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.