Security Vulnerabilities Published In December 2019

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
551 | CVE-2019-16769 | 79 | | XSS | 2019-12-05 | 2020-01-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability does not affect Node.js environments, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized regular expression objects are used in an environment other than Node.js, that environment is affected by this vulnerability.
552 | CVE-2019-16768 | 209 | | +Info | 2019-12-05 | 2019-12-17 | 4.0 | None | Remote | Low | ??? | Partial | None | None
    In affected versions of Sylius, exception messages from internal exceptions (such as database exceptions) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to the UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details is presented to the user when someone tries to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.
553 | CVE-2019-16753 | 347 | | | 2019-12-04 | 2019-12-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None
    An issue was discovered in Decentralized Anonymous Payment System (DAPS) through 2019-08-26. The content to be signed is composed of a representation of strings, rather than being composed of their binary representations. This is a weak signature scheme design that would allow the reuse of signatures in some cases (or even the reuse of signatures, intended for one type of message, for another type). This also affects Private Instant Verified Transactions (PIVX) through 3.4.0.
554 | CVE-2019-16752 | 352 | | | 2019-12-04 | 2020-01-15 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
    An issue was discovered in Decentralized Anonymous Payment System (DAPS) through 2019-08-26. It is possible to force wallets to send HTTP requests to arbitrary locations, both on the local network and on the internet. This is a serious threat to user privacy, since it can possibly leak their IP address and the fact that they are using the product. This also affects Dash Core through 0.14.0.3 and Private Instant Verified Transactions (PIVX) through 3.4.0.
555 | CVE-2019-16737 | 78 | | Exec Code | 2019-12-13 | 2019-12-18 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    The processCommandSetMac() function of libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user.
556 | CVE-2019-16736 | 787 | | DoS Overflow | 2019-12-13 | 2019-12-18 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    A stack-based buffer overflow in processCommandUploadSnapshot in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to cause denial of service or run arbitrary code as the root user.
557 | CVE-2019-16735 | 787 | | DoS Overflow | 2019-12-13 | 2019-12-18 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    A stack-based buffer overflow in processCommandUploadLog in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to cause denial of service or run arbitrary code as the root user.
558 | CVE-2019-16734 | 798 | | Exec Code | 2019-12-13 | 2019-12-18 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    Use of default credentials for the TELNET server in Petwant PF-103 firmware 4.3.2.50 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user.
559 | CVE-2019-16733 | 78 | | Exec Code | 2019-12-13 | 2019-12-18 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    processCommandSetUid() in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user.
560 | CVE-2019-16732 | 347 | | | 2019-12-13 | 2021-07-21 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
    Unencrypted HTTP communications for firmware upgrades in Petalk AI and PF-103 allow man-in-the-middle attackers to run arbitrary code as the root user.
561 | CVE-2019-16731 | 306 | | | 2019-12-13 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | None | Partial | None
    The udpServerSys service in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to initiate firmware upgrades and alter device settings.
562 | CVE-2019-16730 | 20 | | Exec Code | 2019-12-13 | 2021-07-21 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    processCommandUpgrade() in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user.
563 | CVE-2019-16674 | 319 | | | 2019-12-06 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None
    An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Authentication information used in a cookie is predictable and can lead to admin password compromise when captured on the network.
564 | CVE-2019-16673 | 522 | | | 2019-12-06 | 2019-12-10 | 4.0 | None | Remote | Low | ??? | Partial | None | None
    An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Passwords are stored in cleartext and can be read by anyone with access to the device.
565 | CVE-2019-16672 | 311 | | | 2019-12-06 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None
    An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Sensitive credential data is transmitted in cleartext.
566 | CVE-2019-16671 | 400 | | | 2019-12-06 | 2019-12-12 | 6.8 | None | Remote | Low | ??? | None | None | Complete
    An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Remote authenticated users can crash a device with a special packet because of Uncontrolled Resource Consumption.
567 | CVE-2019-16670 | 307 | | | 2019-12-06 | 2019-12-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. The authentication mechanism has no brute-force prevention.
568 | CVE-2019-16576 | 862 | | | 2019-12-17 | 2020-10-05 | 4.0 | None | Remote | Low | ??? | Partial | None | None
    A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes service account token or credentials stored in Jenkins.
569 | CVE-2019-16575 | 352 | | CSRF | 2019-12-17 | 2019-12-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes service account token or credentials stored in Jenkins.
570 | CVE-2019-16574 | 862 | | | 2019-12-17 | 2020-10-05 | 4.0 | None | Remote | Low | ??? | Partial | None | None
    A missing permission check in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
571 | CVE-2019-16573 | 352 | | CSRF | 2019-12-17 | 2019-12-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
572 | CVE-2019-16572 | 522 | | | 2019-12-17 | 2019-12-18 | 2.1 | None | Local | Low | Not required | Partial | None | None
    Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
573 | CVE-2019-16571 | 862 | | | 2019-12-17 | 2020-10-05 | 4.0 | None | Remote | Low | ??? | None | Partial | None
    A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.
574 | CVE-2019-16570 | 352 | | CSRF | 2019-12-17 | 2019-12-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers to connect to an attacker-specified web server.
575 | CVE-2019-16569 | 352 | | CSRF | 2019-12-17 | 2019-12-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.
576 | CVE-2019-16568 | 319 | | | 2019-12-17 | 2019-12-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None
    Jenkins SCTMExecutor Plugin 2.2 and earlier transmits previously configured service credentials in plain text as part of the global configuration, as well as individual jobs' configurations.
577 | CVE-2019-16567 | 862 | | | 2019-12-17 | 2020-10-05 | 4.0 | None | Remote | Low | ??? | Partial | None | None
    A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate the IDs of credentials stored in Jenkins.
578 | CVE-2019-16566 | 862 | | | 2019-12-17 | 2020-10-05 | 4.0 | None | Remote | Low | ??? | Partial | None | None
    A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
579 | CVE-2019-16565 | 352 | | CSRF | 2019-12-17 | 2019-12-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
580 | CVE-2019-16564 | 79 | | XSS | 2019-12-17 | 2019-12-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affect view content such as job display names or pipeline stage names.
581 | CVE-2019-16563 | 79 | | XSS | 2019-12-17 | 2019-12-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.
582 | CVE-2019-16562 | 79 | | XSS | 2019-12-17 | 2021-09-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions.
583 | CVE-2019-16561 | 295 | | | 2019-12-17 | 2019-12-18 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None
    Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM.
584 | CVE-2019-16560 | 352 | | CSRF | 2019-12-17 | 2020-01-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.
585 | CVE-2019-16559 | 276 | | | 2019-12-17 | 2020-01-03 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None
    A missing permission check in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers with Overall/Read permission to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.
586 | CVE-2019-16558 | 295 | | | 2019-12-17 | 2020-01-03 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None
    Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM.
587 | CVE-2019-16557 | 522 | | | 2019-12-17 | 2020-01-03 | 4.0 | None | Remote | Low | ??? | Partial | None | None
    Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
588 | CVE-2019-16556 | 522 | | | 2019-12-17 | 2020-01-03 | 4.0 | None | Remote | Low | ??? | Partial | None | None
    Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
589 | CVE-2019-16555 | 400 | | | 2019-12-17 | 2020-01-03 | 4.0 | None | Remote | Low | ??? | None | None | Partial
    A user-supplied regular expression in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier was processed in a way that was not interruptible, allowing attackers to have Jenkins evaluate a regular expression without the ability to interrupt this process.
590 | CVE-2019-16554 | 276 | | | 2019-12-17 | 2020-01-03 | 4.0 | None | Remote | Low | ??? | None | None | Partial
    A missing permission check in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers with Overall/Read permission to have Jenkins evaluate a computationally expensive regular expression.
591 | CVE-2019-16553 | 352 | | CSRF | 2019-12-17 | 2020-01-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers to have Jenkins evaluate a computationally expensive regular expression.
592 | CVE-2019-16552 | 276 | | | 2019-12-17 | 2020-01-03 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None
    A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials, or determine the existence of a file with a given path on the Jenkins master.
593 | CVE-2019-16551 | 352 | | CSRF | 2019-12-17 | 2020-01-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials.
594 | CVE-2019-16550 | 352 | | CSRF | 2019-12-17 | 2020-01-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker-specified web server and parse XML documents.
595 | CVE-2019-16549 | 611 | | | 2019-12-17 | 2020-01-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents.
596 | CVE-2019-16535 | 125 | | | 2019-12-30 | 2020-01-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    In all versions of ClickHouse before 19.14, an OOB read, OOB write and integer underflow in decompression algorithms can be used to achieve RCE or DoS via the native protocol.
597 | CVE-2019-16465 | 125 | | | 2019-12-19 | 2021-09-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None
    Adobe Acrobat and Reader versions 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier, and 2015.006.30505 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
598 | CVE-2019-16464 | 416 | | Exec Code | 2019-12-19 | 2021-09-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    Adobe Acrobat and Reader versions 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier, and 2015.006.30505 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution.
599 | CVE-2019-16463 | 119 | | Exec Code Overflow | 2019-12-19 | 2021-09-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    Adobe Acrobat and Reader versions 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier, and 2015.006.30505 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution.
600 | CVE-2019-16462 | | | Exec Code | 2019-12-19 | 2021-09-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    Adobe Acrobat and Reader versions 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier, and 2015.006.30505 and earlier have a buffer error vulnerability. Successful exploitation could lead to arbitrary code execution.
Total number of vulnerabilities: 1577 (page 12 of 32)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.