CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
501 CVE-2019-14245 639 2019-08-21 2020-08-24
5.5
None Remote Low ??? None Partial Partial
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account.
502 CVE-2019-14235 674 2019-08-02 2020-08-24
5.0
None Remote Low Not required None None Partial
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
503 CVE-2019-14234 89 Sql 2019-08-09 2019-08-28
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.
504 CVE-2019-14233 400 2019-08-02 2020-08-24
5.0
None Remote Low Not required None None Partial
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.
505 CVE-2019-14232 400 2019-08-02 2020-08-24
5.0
None Remote Low Not required None None Partial
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
506 CVE-2019-14221 79 XSS 2019-08-08 2019-08-27
3.5
None Remote Medium ??? None Partial None
1CRM On-Premise Software 8.5.7 allows XSS via a payload that is mishandled during a Run Report operation.
507 CVE-2019-14216 352 CSRF 2019-08-14 2019-08-23
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress. wp-admin/admin.php?page=wp-svg-icons-custom-set mishandles Custom Icon uploads. CSRF leads to upload of a ZIP archive containing a .php file.
508 CVE-2019-13608 611 2019-08-29 2019-09-04
5.0
None Remote Low Not required Partial None None
Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
509 CVE-2019-13599 200 +Info 2019-08-21 2021-07-21
5.0
None Remote Low Not required Partial None None
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times.
510 CVE-2019-13578 89 Exec Code Sql 2019-08-15 2019-08-22
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/payments/class-payments-query.php.
511 CVE-2019-13572 89 Sql 2019-08-01 2019-08-13
7.5
None Remote Low Not required Partial Partial Partial
The Adenion Blog2Social plugin through 5.5.0 for WordPress allows SQL Injection.
512 CVE-2019-13526 287 Exec Code Bypass 2019-08-30 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
Datalogic AV7000 Linear barcode scanner all versions prior to 4.6.0.0 is vulnerable to authentication bypass, which may allow an attacker to remotely execute arbitrary code.
513 CVE-2019-13520 787 Exec Code Overflow 2019-08-20 2020-10-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple buffer overflow issues have been identified in Alpha5 Smart Loader: All versions prior to 4.2. An attacker could use specially crafted project files to overflow the buffer and execute code under the privileges of the application.
514 CVE-2019-13516 352 CSRF 2019-08-15 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect.
515 CVE-2019-13515 532 2019-08-15 2019-10-09
4.0
None Remote Low ??? Partial None None
OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information.
516 CVE-2019-13514 416 Exec Code 2019-08-15 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger a use-after-free vulnerability, which may allow information disclosure, remote code execution, or crash of the application.
517 CVE-2019-13513 125 Exec Code 2019-08-15 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger multiple out-of-bounds read vulnerabilities, which may allow information disclosure, remote code execution, or crash of the application.
518 CVE-2019-13512 125 2019-08-15 2019-10-09
4.3
None Remote Medium Not required Partial None None
Fuji Electric FRENIC Loader 3.5.0.0 and prior is vulnerable to an out-of-bounds read vulnerability, which may allow an attacker to read limited information from the device.
519 CVE-2019-13511 416 2019-08-15 2021-10-28
4.3
None Remote Medium Not required Partial None None
Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain an INFORMATION EXPOSURE CWE-200. A maliciously crafted Arena file opened by an unsuspecting user may result in the limited exposure of information related to the targeted workstation.
520 CVE-2019-13510 416 Exec Code 2019-08-15 2020-08-04
6.8
None Remote Medium Not required Partial Partial Partial
Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain a USE AFTER FREE CWE-416. A maliciously crafted Arena file opened by an unsuspecting user may result in the application crashing or the execution of arbitrary code.
521 CVE-2019-13486 787 Overflow 2019-08-27 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
In Xymon through 4.3.28, a stack-based buffer overflow exists in the status-log viewer component because of   expansion in svcstatus.c.
522 CVE-2019-13485 787 Overflow 2019-08-27 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
In Xymon through 4.3.28, a stack-based buffer overflow vulnerability exists in the history viewer component via a long hostname or service parameter to history.c.
523 CVE-2019-13484 119 Overflow 2019-08-27 2019-08-28
7.5
None Remote Low Not required Partial Partial Partial
In Xymon through 4.3.28, a buffer overflow exists in the status-log viewer CGI because of   expansion in appfeed.c.
524 CVE-2019-13477 352 CSRF 2019-08-21 2019-08-27
4.3
None Remote Medium Not required None Partial None
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.
525 CVE-2019-13476 79 XSS 2019-08-21 2019-08-27
3.5
None Remote Medium ??? None Partial None
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter allows a low-privilege user to achieve root access via the email list page.
526 CVE-2019-13462 89 Sql 2019-08-12 2019-08-15
6.4
None Remote Low Not required Partial Partial None
Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.
527 CVE-2019-13458 2019-08-21 2020-09-23
4.0
None Remote Low ??? Partial None None
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to disclose hashed user passwords.
528 CVE-2019-13455 787 Overflow 2019-08-27 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
In Xymon through 4.3.28, a stack-based buffer overflow vulnerability exists in the alert acknowledgment CGI tool because of   expansion in acknowledge.c.
529 CVE-2019-13452 119 Overflow 2019-08-27 2019-08-28
7.5
None Remote Low Not required Partial Partial Partial
In Xymon through 4.3.28, a buffer overflow vulnerability exists in reportlog.c.
530 CVE-2019-13451 119 Overflow 2019-08-27 2019-08-28
7.5
None Remote Low Not required Partial Partial Partial
In Xymon through 4.3.28, a buffer overflow vulnerability exists in history.c.
531 CVE-2019-13423 2019-08-23 2020-10-08
6.5
None Remote Low ??? Partial Partial Partial
Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 had an issue that an authenticated Kibana user could impersonate as kibanaserver user when providing wrong credentials when all of the following conditions a-c are true: a) Kibana is configured to use Single-Sign-On as authentication method, one of Kerberos, JWT, Proxy, Client certificate. b) The kibanaserver user is configured to use HTTP Basic as the authentication method. c) Search Guard is configured to use an SSO authentication domain and HTTP Basic at the same time
532 CVE-2019-13422 601 2019-08-23 2019-10-09
5.8
None Remote Medium Not required Partial Partial None
Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 had an issue that an attacker can redirect the user to a potentially malicious site upon Kibana login.
533 CVE-2019-13421 200 +Info 2019-08-23 2019-10-09
4.0
None Remote Low ??? Partial None None
Search Guard versions before 23.1 had an issue that an administrative user is able to retrieve bcrypt password hashes of other users configured in the internal user database.
534 CVE-2019-13420 203 2019-08-13 2021-09-14
4.3
None Remote Medium Not required Partial None None
Search Guard versions before 21.0 had an timing side channel issue when using the internal user database.
535 CVE-2019-13419 200 +Info 2019-08-13 2019-10-09
5.0
None Remote Low Not required Partial None None
Search Guard versions before 23.1 had an issue that for aggregations clear text values of anonymised fields were leaked.
536 CVE-2019-13418 129 2019-08-12 2019-10-09
5.0
None Remote Low Not required Partial None None
Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized.
537 CVE-2019-13417 200 +Info 2019-08-12 2019-10-09
5.0
None Remote Low Not required Partial None None
Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated.
538 CVE-2019-13416 2019-08-13 2020-10-08
3.5
None Remote Medium ??? Partial None None
Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s).
539 CVE-2019-13415 2019-08-13 2020-10-08
3.5
None Remote Medium ??? Partial None None
Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users can gain read access to data they are not authorized to see.
540 CVE-2019-13408 22 Dir. Trav. 2019-08-29 2020-10-08
5.0
None Remote Low Not required Partial None None
A relative path traversal vulnerability found in Advan VD-1 firmware versions up to 230. It allows attackers to download arbitrary files via url cgibin/ExportSettings.cgi?Download=filepath, without any authentication.
541 CVE-2019-13407 79 XSS 2019-08-29 2019-10-09
4.3
None Remote Medium Not required None Partial None
A XSS found in Advan VD-1 firmware versions up to 230. VD-1 responses a path error message when a requested resource was not found in page cgibin/ssi.cgi. It leads to a reflected XSS because the error message does not escape properly.
542 CVE-2019-13406 306 2019-08-29 2020-08-24
5.0
None Remote Low Not required None Partial None
A broken access control vulnerability found in Advan VD-1 firmware versions up to 230. An attacker can send a POST request to cgibin/ApkUpload.cgi to install arbitrary APK without any authentication.
543 CVE-2019-13405 306 2019-08-29 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
A broken access control vulnerability found in Advan VD-1 firmware version 230 leads to insecure ADB service. An attacker can send a POST request to cgibin/AdbSetting.cgi to enable ADB without any authentication then take the compromised device as a relay or to install mining software.
544 CVE-2019-13377 200 +Info 2019-08-15 2021-07-21
4.3
None Remote Medium Not required Partial None None
The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information from a side-channel attack that can be used for full password recovery.
545 CVE-2019-13348 522 2019-08-28 2020-08-24
4.0
None Remote Low ??? Partial None None
In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases.
546 CVE-2019-13274 79 XSS 2019-08-27 2019-08-28
4.3
None Remote Medium Not required None Partial None
In Xymon through 4.3.28, an XSS vulnerability exists in the csvinfo CGI script due to insufficient filtering of the db parameter.
547 CVE-2019-13273 787 Overflow 2019-08-27 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
In Xymon through 4.3.28, a buffer overflow vulnerability exists in the csvinfo CGI script. The overflow may be exploited by sending a crafted GET request that triggers an sprintf of the srcdb parameter.
548 CVE-2019-13271 2019-08-27 2020-08-24
5.8
None Local Network Low Not required Partial Partial Partial
Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. They forward ARP requests, which are sent as broadcast packets, between the host and the guest networks. To use this leakage as a direct covert channel, the sender can trivially issue an ARP request to an arbitrary computer on the network. (In general, some routers restrict ARP forwarding only to requests destined for the network's subnet mask, but these routers did not restrict this traffic in any way. Depending on this factor, one must use either the lower 8 bits of the IP address, or the entire 32 bits, as the data payload.)
549 CVE-2019-13270 20 2019-08-27 2019-09-04
5.8
None Local Network Low Not required Partial Partial Partial
Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. In order to transfer data from the host network to the guest network, the sender joins and then leaves an IGMP group. After it leaves, the router (following the IGMP protocol) creates an IGMP Membership Query packet with the Group IP and sends it to both the Host and the Guest networks. The data is transferred within the Group IP field, which is completely controlled by the sender.
550 CVE-2019-13269 20 2019-08-27 2019-09-04
5.8
None Local Network Low Not required Partial Partial Partial
Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field.
Total number of vulnerabilities : 2004   Page : 1 2 3 4 5 6 7 8 9 10 11 (This Page)12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.