CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
601 CVE-2019-15014 78 Exec Code 2019-10-09 2020-08-24
9.0
None Remote Low ??? Complete Complete Complete
A command injection vulnerability exists in the Zingbox Inspector versions 1.286 and earlier, that allows for an authenticated user to execute arbitrary system commands in the CLI.
602 CVE-2019-14961 79 XSS 2019-10-01 2019-10-02
4.3
None Remote Medium Not required None Partial None
JetBrains Upsource before 2019.1.1412 was not properly escaping HTML tags in a code block comments, leading to XSS.
603 CVE-2019-14960 426 2019-10-01 2019-10-08
4.6
None Local Low Not required Partial Partial Partial
JetBrains Rider before 2019.1.2 was using an unsigned JetBrains.Rider.Unity.Editor.Plugin.Repacked.dll file.
604 CVE-2019-14959 311 2019-10-02 2021-07-21
4.3
None Remote Medium Not required Partial None None
JetBrains Toolbox before 1.15.5605 was resolving an internal URL via a cleartext http connection.
605 CVE-2019-14958 770 2019-10-02 2020-08-24
5.0
None Remote Low Not required None None Partial
JetBrains PyCharm before 2019.2 was allocating a buffer of unknown size for one of the connection processes. In a very specific situation, it could lead to a remote invocation of an OOM error message because of Uncontrolled Memory Allocation.
606 CVE-2019-14957 922 2019-10-01 2019-10-08
5.0
None Remote Low Not required Partial None None
The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository.
607 CVE-2019-14956 281 2019-10-02 2019-10-03
4.0
None Remote Low ??? Partial None None
JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names.
608 CVE-2019-14955 640 2019-10-01 2019-10-08
5.0
None Remote Low Not required None Partial None
In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented.
609 CVE-2019-14954 311 2019-10-01 2021-07-21
4.3
None Remote Medium Not required Partial None None
JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection.
610 CVE-2019-14953 79 XSS 2019-10-01 2019-10-02
4.3
None Remote Medium Not required None Partial None
JetBrains YouTrack versions before 2019.2.53938 had a possible XSS through issue attachments when using the Firefox browser.
611 CVE-2019-14952 79 XSS 2019-10-01 2019-10-02
4.3
None Remote Medium Not required None Partial None
JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in the issue titles.
612 CVE-2019-14931 78 Exec Code 2019-10-28 2019-10-30
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data.
613 CVE-2019-14930 798 +Priv 2019-10-28 2019-10-30
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Undocumented hard-coded user passwords for root, ineaadmin, mitsadmin, and maint could allow an attacker to gain unauthorised access to the RTU. (Also, the accounts ineaadmin and mitsadmin are able to escalate privileges to root without supplying a password due to insecure entries in /etc/sudoers on the RTU.)
614 CVE-2019-14929 522 2019-10-28 2019-10-30
5.0
None Remote Low Not required Partial None None
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service.
615 CVE-2019-14928 79 XSS 2019-10-28 2019-10-30
3.5
None Remote Medium ??? None Partial None
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A number of stored cross-site script (XSS) vulnerabilities allow an attacker to inject malicious code directly into the application. An example input variable vulnerable to stored XSS is SerialInitialModemString in the index.php page.
616 CVE-2019-14927 200 +Info 2019-10-28 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote configuration download vulnerability allows an attacker to download the smartRTU's configuration file (which contains data such as usernames, passwords, and other sensitive RTU data).
617 CVE-2019-14926 798 2019-10-28 2019-10-30
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Hard-coded SSH keys allow an attacker to gain unauthorised access or disclose encrypted data on the RTU due to the keys not being regenerated on initial installation or with firmware updates. In other words, these devices use private-key values in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_dsa_key files that are publicly available from the vendor web sites.
618 CVE-2019-14925 276 2019-10-28 2019-10-30
4.0
None Remote Low ??? Partial None None
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A world-readable /usr/smartrtu/init/settings.xml configuration file on the file system allows an attacker to read sensitive configuration settings such as usernames, passwords, and other sensitive RTU data due to insecure permission assignment.
619 CVE-2019-14858 532 2019-10-14 2019-10-24
2.1
None Local Low Not required Partial None None
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
620 CVE-2019-14846 532 2019-10-08 2021-08-07
2.1
None Local Low Not required Partial None None
In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
621 CVE-2019-14845 494 Bypass 2019-10-08 2019-12-11
2.9
None Local Network Medium Not required None Partial None
A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. Builds that extract source from a container image, bypass the TLS hostname verification. An attacker can take advantage of this flaw by launching a man-in-the-middle attack and injecting malicious content.
622 CVE-2019-14838 269 2019-10-14 2020-10-13
4.0
None Remote Low ??? None Partial None
A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server
623 CVE-2019-14832 863 2019-10-15 2019-12-11
6.0
None Remote Medium ??? Partial Partial Partial
A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.
624 CVE-2019-14823 295 2019-10-14 2019-10-25
5.8
None Remote Medium Not required Partial Partial None
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.
625 CVE-2019-14810 362 DoS 2019-10-10 2019-10-21
4.3
None Remote Medium Not required None None Partial
A vulnerability has been found in the implementation of the Label Distribution Protocol (LDP) protocol in EOS. Under race conditions, the LDP agent can establish an LDP session with a malicious peer potentially allowing the possibility of a Denial of Service (DoS) attack on route updates and in turn potentially leading to an Out of Memory (OOM) condition that is disruptive to traffic forwarding. Affected EOS versions include: 4.22 release train: 4.22.1F and earlier releases 4.21 release train: 4.21.0F - 4.21.2.3F, 4.21.3F - 4.21.7.1M 4.20 release train: 4.20.14M and earlier releases 4.19 release train: 4.19.12M and earlier releases End of support release trains (4.18 and 4.17)
626 CVE-2019-14808 924 2019-10-09 2021-07-21
4.0
None Remote High Not required Partial Partial None
An issue was discovered in the RENPHO application 3.0.0 for iOS. It transmits JSON data unencrypted to a server without an integrity check, if a user changes personal data in his profile tab (e.g., exposure of his birthday) or logs into his account (i.e., exposure of credentials).
627 CVE-2019-14737 276 2019-10-14 2020-08-24
4.6
None Local Low Not required Partial Partial Partial
Ubisoft Uplay 92.0.0.6280 has Insecure Permissions.
628 CVE-2019-14657 22 Exec Code Dir. Trav. 2019-10-08 2019-10-18
9.0
None Remote Low ??? Complete Complete Complete
Yealink phones through 2019-08-04 have an issue with OpenVPN file upload. They execute tar as root to extract files, but do not validate the extraction directory. Creating a tar file with ../../../../ allows replacement of almost any file on a phone. This leads to password replacement and arbitrary code execution as root.
629 CVE-2019-14656 434 2019-10-08 2019-10-17
9.0
None Remote Low ??? Complete Complete Complete
Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (with a password of user) can make admin requests via HTTP.
630 CVE-2019-14570 787 DoS Mem. Corr. 2019-10-11 2020-08-24
4.6
None Local Low Not required Partial Partial Partial
Memory corruption in system firmware for Intel(R) NUC may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
631 CVE-2019-14569 119 DoS Overflow 2019-10-11 2019-10-17
4.6
None Local Low Not required Partial Partial Partial
Pointer corruption in system firmware for Intel(R) NUC may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
632 CVE-2019-14510 276 2019-10-11 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)
633 CVE-2019-14454 2019-10-02 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
SuiteCRM 7.11.x and 7.10.x before 7.11.8 and 7.10.20 is vulnerable to vertical privilege escalation.
634 CVE-2019-14451 434 Exec Code 2019-10-25 2019-10-28
10.0
None Remote Low Not required Complete Complete Complete
RepetierServer.exe in Repetier-Server 0.8 through 0.91 does not properly validate the XML data structure provided when uploading a new printer configuration. When this is combined with CVE-2019-14450, an attacker can upload an "external command" configuration as a printer configuration, and achieve remote code execution. After exploitation, loading of the external command configuration is dependent on a system reboot or service restart.
635 CVE-2019-14450 22 Exec Code Dir. Trav. 2019-10-28 2019-10-31
10.0
None Remote Low Not required Complete Complete Complete
A directory traversal vulnerability was discovered in RepetierServer.exe in Repetier-Server 0.8 through 0.91 that allows for the creation of a user controlled XML file at an unintended location. When this is combined with CVE-2019-14451, an attacker can upload an "external command" configuration as a printer configuration, and achieve remote code execution. After exploitation, loading of the external command configuration is dependent on a system reboot or service restart.
636 CVE-2019-14424 200 +Info File Inclusion 2019-10-17 2021-07-21
4.0
None Remote Low ??? Partial None None
A Local File Inclusion (LFI) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to read sensitive files via a simple HTTP Request.
637 CVE-2019-14423 94 Exec Code 2019-10-17 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
A Remote Code Execution (RCE) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to execute system commands as root remotely via a simple HTTP request.
638 CVE-2019-14356 200 +Info 2019-10-31 2021-07-21
5.0
None Remote Low Not required Partial None None
** DISPUTED ** On Coldcard MK1 and MK2 devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. On Coldcard MK1 and MK2 devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: At Coinkite, we’ve already mitigated it, even though we feel strongly that it is not a legitimate issue. In our opinion, it is both unproven (might not even work) and also completely impractical—even if it could be made to work perfectly.
639 CVE-2019-14287 755 Bypass 2019-10-17 2021-09-15
9.0
None Remote Low ??? Complete Complete Complete
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
640 CVE-2019-14276 611 2019-10-23 2019-10-30
4.0
None Remote Low ??? Partial None None
WUSTL XNAT 1.7.5.3 allows XXE attacks via a POST request body.
641 CVE-2019-14227 79 XSS 2019-10-14 2019-10-16
4.3
None Remote Medium Not required None Partial None
OX App Suite 7.10.1 and 7.10.2 allows XSS.
642 CVE-2019-14226 281 2019-10-14 2019-10-17
5.5
None Remote Low ??? Partial Partial None
OX App Suite through 7.10.2 has Insecure Permissions.
643 CVE-2019-14225 918 2019-10-14 2019-10-16
5.5
None Remote Low ??? Partial Partial None
OX App Suite 7.10.1 and 7.10.2 allows SSRF.
644 CVE-2019-13957 89 Sql 2019-10-02 2019-10-04
7.5
None Remote Low Not required Partial Partial Partial
In Umbraco 7.3.8, there is SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName parameter.
645 CVE-2019-13929 330 2019-10-10 2020-10-16
4.0
None Remote Low ??? Partial None None
A vulnerability has been identified in SIMATIC IT UADM (All versions < V1.3). An authenticated remote attacker with network access to port 1434/tcp of SIMATIC IT UADM could potentially recover a password that can be used to gain read and write access to the related TeamCenter station. The security vulnerability could be exploited only if the attacker is authenticated. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises the confidentiality of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.
646 CVE-2019-13921 400 2019-10-10 2020-10-16
5.0
None Remote Low Not required None None Partial
A vulnerability has been identified in SIMATIC WinAC RTX (F) 2010 (All versions < SP3 Update 1). Affected versions of the software contain a vulnerability that could allow an unauthenticated attacker to trigger a denial-of-service condition. The vulnerability can be triggered if a large HTTP request is sent to the executing service. The security vulnerability could be exploited by an attacker with network access to the affected systems. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise availability of the service provided by the software.
647 CVE-2019-13658 798 Exec Code 2019-10-02 2021-04-09
7.5
None Remote Low Not required Partial Partial Partial
CA Network Flow Analysis 9.x and 10.0.x have a default credential vulnerability that can allow a remote attacker to execute arbitrary commands and compromise system security.
648 CVE-2019-13657 798 Exec Code 2019-10-17 2019-10-24
6.5
None Remote Low ??? Partial Partial Partial
CA Performance Management 3.5.x, 3.6.x before 3.6.9, and 3.7.x before 3.7.4 have a default credential vulnerability that can allow a remote attacker to execute arbitrary commands and compromise system security.
649 CVE-2019-13653 78 2019-10-24 2019-10-28
10.0
None Remote Low Not required Complete Complete Complete
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow triggerPort OS Command Injection (issue 5 of 5).
650 CVE-2019-13652 78 2019-10-24 2019-10-28
10.0
None Remote Low Not required Complete Complete Complete
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow serviceName OS Command Injection (issue 4 of 5).
Total number of vulnerabilities : 1567   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 (This Page)14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.