Security Vulnerabilities Published In August 2019 (CVSS score >= 9)

Columns: # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | CVSS Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. (The "# of Exploits" column is empty for every entry on this page and is omitted; "-" marks an empty cell, and "???" is shown where the page gives no authentication value.)
1 | CVE-2019-15752 | CWE-732 | +Priv | 2019-08-28 | 2020-08-31 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
  Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.
2 | CVE-2019-15530 | CWE-78 | - | 2019-08-23 | 2020-08-24 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
  An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the LoginPassword field to Login.
3 | CVE-2019-15529 | CWE-78 | - | 2019-08-23 | 2020-08-24 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
  An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Username field to Login.
4 | CVE-2019-15528 | CWE-78 | - | 2019-08-23 | 2020-08-24 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
  An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Interface field to SetStaticRouteSettings.
5 | CVE-2019-15527 | CWE-78 | - | 2019-08-23 | 2020-08-24 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
  An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the MaxIdTime field to SetWanSettings.
6 | CVE-2019-15526 | CWE-78 | - | 2019-08-23 | 2020-08-24 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
  An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Type field to SetWanSettings, a related issue to CVE-2019-13482.
7 | CVE-2019-15519 | CWE-22 | Dir. Trav. | 2019-08-23 | 2019-08-30 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Power-Response before 2019-02-02 allows directory traversal (up to the application's main directory) via a plugin.
8 | CVE-2019-15505 | CWE-125 | - | 2019-08-23 | 2019-09-04 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via crafted USB device traffic (which may be remote via usbip or usbredir).
9 | CVE-2019-15504 | CWE-415 | - | 2019-08-23 | 2019-09-04 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2.9 has a Double Free via crafted USB device traffic (which may be remote via usbip or usbredir).
10 | CVE-2019-15503 | CWE-78 | Exec Code | 2019-08-26 | 2019-08-30 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  cgi-cpn/xcoding/prontus_videocut.cgi in AltaVoz Prontus (aka ProntusCMS) through 12.0.3.0 has "Improper Neutralization of Special Elements used in an OS Command," allowing attackers to execute OS commands via an HTTP GET parameter.
11 | CVE-2019-15498 | CWE-88 | Exec Code | 2019-08-23 | 2020-08-24 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
  cgi-bin/cmh/webcam.sh in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via --output argument injection in the username parameter to /cgi-bin/cmh/webcam.sh.
12 | CVE-2019-15497 | CWE-798 | - | 2019-08-26 | 2019-09-04 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Black Box iCOMPEL 9.2.3 through 11.1.4, as used in ONELAN Net-Top-Box 9.2.3 through 11.1.4 and other products, has default credentials that allow remote attackers to access devices remotely via SSH, HTTP, HTTPS, and FTP.
13 | CVE-2019-15295 | CWE-426 | - | 2019-08-21 | 2019-08-28 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
  An Untrusted Search Path vulnerability in the ServiceInstance.dll library versions 1.0.15.119 and lower, as used in Bitdefender Antivirus Free 2020 versions prior to 1.0.15.138, allows an attacker to load an arbitrary DLL file from the search path.
14 | CVE-2019-15292 | CWE-416 | - | 2019-08-21 | 2019-09-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.
15 | CVE-2019-15130 | CWE-434 | - | 2019-08-18 | 2021-07-21 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to upload any file type to a candidate's profile picture folder via a crafted recruitment_online/personalData/act_personaltab.cfm multiple-part POST request with a predictable WRC01_USERID parameter. Moreover, the attacker can upload executable content (e.g., asp or aspx) for executing OS commands on the server.
16 | CVE-2019-15107 | CWE-78 | - | 2019-08-16 | 2020-08-24 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
17 | CVE-2019-15105 | CWE-89 | Sql | 2019-08-16 | 2019-08-26 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
  An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.
18 | CVE-2019-15104 | CWE-89 | Sql | 2019-08-16 | 2019-08-26 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
  An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.
19 | CVE-2019-15027 | CWE-78 | Exec Code | 2019-08-14 | 2020-08-24 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows attackers to execute arbitrary commands as root via shell metacharacters in a filename under /data, because clear_emmc_nomedia_entry in platform/mt6577/external/meta/emmc/meta_clr_emmc.c invokes 'system("/system/bin/rm -r /data/' followed by this filename upon an eMMC clearance from a Meta Mode boot. NOTE: compromise of Fire OS on the Amazon Echo Dot would require a second hypothetical vulnerability that allows creation of the required file under /data.
20 | CVE-2019-14986 | - | - | 2019-08-13 | 2020-08-24 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
  eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn before 2.3.0 installed allow administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as "Set root password") are exposed.
21 | CVE-2019-14771 | CWE-20 | Exec Code | 2019-08-08 | 2019-08-19 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
  Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, potentially allowing non-configuration scripts to be uploaded to the server. (This attack is mitigated by the attacker needing the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given. Other preventative measures in Backdrop CMS prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.)
22 | CVE-2019-14699 | CWE-78 | Exec Code | 2019-08-06 | 2019-08-13 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker can exploit OS Command Injection in the filename parameter for remote code execution as root. This occurs in the Mainproc executable file, which can be run from the HTTPD web server.
23 | CVE-2019-14684 | CWE-426 | - | 2019-08-20 | 2021-07-21 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
  A DLL hijacking vulnerability exists in Trend Micro Password Manager 5.0 which, if exploited, would allow an attacker to load an arbitrary unsigned DLL into the signed service's process. This issue is very similar, yet not identical, to CVE-2019-14687.
24 | CVE-2019-14527 | CWE-78 | Exec Code | 2019-08-14 | 2019-08-27 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. System commands can be executed, via the web interface, after authentication.
25 | CVE-2019-13405 | CWE-306 | - | 2019-08-29 | 2020-08-24 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  A broken access control vulnerability found in Advan VD-1 firmware version 230 leads to an insecure ADB service. An attacker can send a POST request to cgibin/AdbSetting.cgi to enable ADB without any authentication, then use the compromised device as a relay or install mining software on it.
26 | CVE-2019-13143 | CWE-20 | - | 2019-08-06 | 2020-08-24 | 9.0 | None | Remote | Low | Not required | Partial | Partial | Complete
  An HTTP parameter pollution issue was discovered on Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 2.3. With the user ID, user name, and the lock's MAC address, anyone can unbind the existing owner of the lock, and bind themselves instead. This leads to complete takeover of the lock. The user ID, name, and MAC address are trivially obtained from APIs found within the Android or iOS application. With only the MAC address of the lock, any attacker can transfer ownership of the lock from the current user over to the attacker's account, thus rendering the lock completely inaccessible to the current user.
27 | CVE-2019-12792 | CWE-78 | - | 2019-08-15 | 2020-08-24 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
  A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root.
28 | CVE-2019-12791 | CWE-22 | Dir. Trav. | 2019-08-15 | 2019-08-28 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
  A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form.
29 | CVE-2019-12643 | CWE-287 | Exec Code Bypass +Info | 2019-08-28 | 2019-10-09 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device. The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service. An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device. The REST API interface is not enabled by default and must be installed and activated separately on IOS XE devices. See the Details section for more information.
30 | CVE-2019-12618 | CWE-269 | - | 2019-08-12 | 2020-08-24 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver.
31 | CVE-2019-12104 | CWE-77 | - | 2019-08-14 | 2019-08-19 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
  The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by several post-authentication command injection vulnerabilities.
32 | CVE-2019-12103 | CWE-78 | - | 2019-08-14 | 2020-08-24 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by a pre-authentication command injection vulnerability.
33 | CVE-2019-11581 | CWE-94 | Exec Code | 2019-08-09 | 2021-07-21 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
  There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
34 | CVE-2019-11364 | CWE-78 | - | 2019-08-29 | 2019-09-03 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
  An OS Command Injection vulnerability in Snare Central before 7.4.5 allows remote authenticated attackers to inject arbitrary OS commands via the ServerConf/DataManagement/DiskManager.php FORMNAS_share parameter.
35 | CVE-2019-11031 | CWE-434 | - | 2019-08-22 | 2019-08-30 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the auto-update feature of IDVRUpdateService2 in DVRServer.exe. An attacker can upload files with a Setup-Files action, and then execute these files with SYSTEM privileges.
36 | CVE-2019-11030 | CWE-798 | Exec Code | 2019-08-22 | 2020-08-24 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserialization within the .NET garbage collector, in which a gadget (contained in a serialized object) may be executed with SYSTEM privileges. The attacker must properly encrypt the object; however, the hardcoded keys are available.
37 | CVE-2019-9933 | CWE-119 | Overflow | 2019-08-28 | 2019-09-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Various Lexmark products have a Buffer Overflow (issue 3 of 3).
38 | CVE-2019-9932 | CWE-119 | Overflow | 2019-08-28 | 2019-09-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Various Lexmark products have a Buffer Overflow (issue 2 of 3).
39 | CVE-2019-9930 | CWE-190 | Overflow | 2019-08-28 | 2019-08-29 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Various Lexmark products have an Integer Overflow.
40 | CVE-2019-8060 | CWE-77 | Exec Code | 2019-08-20 | 2021-11-21 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
41 | CVE-2019-8049 | CWE-787 | Exec Code Overflow | 2019-08-20 | 2021-11-19 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution.
42 | CVE-2019-8001 | CWE-787 | Exec Code | 2019-08-26 | 2021-09-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution.
43 | CVE-2019-7998 | CWE-787 | Exec Code | 2019-08-26 | 2021-09-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution.
44 | CVE-2019-7997 | CWE-787 | Exec Code | 2019-08-26 | 2021-09-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution.
45 | CVE-2019-7994 | CWE-787 | Exec Code | 2019-08-26 | 2021-09-08 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
  Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution.
46 | CVE-2019-7993 | CWE-787 | Exec Code Overflow | 2019-08-26 | 2021-09-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution.
47 | CVE-2019-7992 | CWE-787 | Exec Code | 2019-08-26 | 2021-09-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution.
48 | CVE-2019-7990 | CWE-787 | Exec Code Overflow | 2019-08-26 | 2021-09-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution.
49 | CVE-2019-7976 | CWE-787 | Exec Code | 2019-08-26 | 2021-09-08 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
  Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution.
50 | CVE-2019-7975 | CWE-843 | Exec Code | 2019-08-26 | 2021-09-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution.
Total number of vulnerabilities: 147 (this is page 1 of 3).