CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
801 CVE-2018-1947 79 XSS 2019-02-21 2019-10-09
4.3
None Remote Medium Not required None Partial None
IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 153427.
802 CVE-2018-1946 326 2019-02-21 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. IBM X-Force ID: 153388.
803 CVE-2018-1945 20 2019-02-21 2019-10-09
5.8
None Remote Medium Not required Partial Partial None
IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 153387.
804 CVE-2018-1944 798 2019-02-21 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 153386.
805 CVE-2018-1895 79 XSS 2019-02-15 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152159.
806 CVE-2018-1801 611 2019-02-04 2019-10-09
5.0
None Remote Low Not required None None Partial
IBM App Connect V11.0.0.0 through V11.0.0.1, IBM Integration Bus V10.0.0.0 through V10.0.0.13, IBM Integration Bus V9.0.0.0 through V9.0.0.10, and WebSphere Message Broker V8.0.0.0 through V8.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to consume memory resources. IBM X-Force ID: 149639.
807 CVE-2018-1775 200 +Info 2019-02-27 2019-10-09
4.0
None Remote Low ??? Partial None None
IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products versions 7.5 through 8.2 could allow an authenticated user to download arbitrary files from the operating system. IBM X-Force ID: 148757.
808 CVE-2018-1727 611 2019-02-15 2019-10-09
6.4
None Remote Low Not required Partial None Partial
IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147630.
809 CVE-2018-1701 Exec Code 2019-02-15 2019-10-09
6.0
None Remote Medium ??? Partial Partial Partial
IBM InfoSphere Information Server 11.7 could allow an authenciated user under specialized conditions to inject commands into the installation process that would execute on the WebSphere Application Server. IBM X-Force ID: 145970.
810 CVE-2018-1675 200 +Info 2019-02-04 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 could expose password hashes in stored in system memory on target systems that are configured to use TADDM. IBM X-Force ID: 145110.
811 CVE-2018-1666 2019-02-07 2020-08-24
4.0
None Remote Low ??? None Partial None
IBM DataPower Gateway 2018.4.1.0, 7.6.0.0 through 7.6.0.11, 7.5.2.0 through 7.5.2.18, 7.5.1.0 through 7.5.1.18, 7.5.0.0 through 7.5.0.19, and 7.7.0.0 through 7.7.1.3 could allow an authenticated user to inject arbitrary messages that would be displayed on the UI. IBM X-Force ID: 144892.
812 CVE-2018-1352 134 Exec Code 2019-02-08 2019-02-08
7.5
None Remote Low Not required Partial Partial Partial
A format string vulnerability in Fortinet FortiOS 5.6.0 allows attacker to execute unauthorized code or commands via the SSH username variable.
813 CVE-2018-1340 311 2019-02-07 2019-10-03
5.0
None Remote Low Not required Partial None None
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain.
814 CVE-2018-1296 200 +Info 2019-02-07 2019-02-21
5.0
None Remote Low Not required Partial None None
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
815 CVE-2018-0722 22 Dir. Trav. 2019-02-01 2019-02-12
5.0
None Remote Low Not required Partial None None
Path Traversal vulnerability in Photo Station versions: 5.7.2 and earlier in QTS 4.3.4, 5.4.4 and earlier in QTS 4.3.3, 5.2.8 and earlier in QTS 4.2.6 could allow remote attackers to access sensitive information on the device.
816 CVE-2018-0696 640 2019-02-13 2019-02-22
3.5
None Remote Medium ??? Partial None None
OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors.
817 CVE-2017-18362 89 Exec Code Sql 2019-02-05 2019-02-22
7.5
None Remote Low Not required Partial Partial Partial
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.
818 CVE-2017-18361 835 DoS 2019-02-01 2019-10-03
5.0
None Remote Low Not required None None Partial
In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.
819 CVE-2017-1695 326 2019-02-15 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134177.
820 CVE-2017-1202 74 Exec Code 2019-02-05 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 123677.
821 CVE-2017-1200 295 2019-02-05 2019-10-09
4.3
None Remote Medium Not required Partial None None
IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) does not validate, or incorrectly validates, a certificate.This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. IBM X-Force ID: 123675.
822 CVE-2017-1198 532 2019-02-05 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 123673.
823 CVE-2017-1177 200 +Info 2019-02-05 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM BigFix Compliance 1.7 through 1.9.91 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 123429.
824 CVE-2017-0938 20 DoS 2019-02-12 2020-02-13
5.0
None Remote Low Not required None None Partial
Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and EdgeMAX < 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks.
825 CVE-2016-1000282 77 2019-02-05 2019-02-06
7.5
None Remote Low Not required Partial Partial Partial
Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection.
826 CVE-2016-1000271 89 Sql 2019-02-04 2019-02-22
7.5
None Remote Low Not required Partial Partial Partial
Joomla extension DT Register version before 3.1.12 (Joomla 3.x) / 2.8.18 (Joomla 2.5) contains an SQL injection in "/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events". This attack appears to be exploitable if the attacker can reach the web server.
827 CVE-2016-10742 601 2019-02-17 2020-11-21
5.8
None Remote Medium Not required Partial Partial None
Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter.
828 CVE-2016-10741 362 DoS 2019-02-01 2019-04-18
4.7
None Local Medium Not required None None Complete
In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure.
829 CVE-2015-9282 79 XSS 2019-02-06 2019-06-11
4.3
None Remote Medium Not required None Partial None
The Pie Chart Panel plugin through 2019-01-02 for Grafana is vulnerable to XSS via legend data or tooltip data. When a chart is included in a Grafana dashboard, this vulnerability could allow an attacker to gain remote unauthenticated access to the dashboard.
830 CVE-2015-4617 22 Dir. Trav. 2019-02-15 2019-02-19
5.0
None Remote Low Not required None Partial None
Vulnerability in Easy2map-photos WordPress Plugin v1.09 MapPinImageUpload.php and MapPinIconSave.php allows path traversal when specifying file names creating files outside of the upload directory.
831 CVE-2015-4615 89 Sql 2019-02-15 2019-02-19
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in Easy2map-photos WordPress Plugin v1.09 allows SQL Injection via unsanitized mapTemplateName, mapName, mapSettingsXML, parentCSSXML, photoCSSXML, mapCSSXML, mapHTML,mapID variables
832 CVE-2014-10079 200 +Info 2019-02-23 2019-03-18
5.0
None Remote Low Not required Partial None None
In Vembu StoreGrid 4.4.x, the front page of the server web interface leaks the private IP address in the "ipaddress" hidden form value of the HTML source code, which is disclosed because of incorrect processing of an index.php/ trailing slash.
833 CVE-2014-10078 79 XSS 2019-02-23 2019-03-18
4.3
None Remote Medium Not required None Partial None
Vembu StoreGrid 4.4.x has XSS in interface/registercustomer/onlineregsuccess.php, interface/registerreseller/onlineregfailure.php, interface/registerclient/onlineregfailure.php, and interface/registercustomer/onlineregfailure.php.
834 CVE-2013-7469 326 2019-02-21 2019-02-21
5.0
None Remote Low Not required Partial None None
Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
835 CVE-2013-5654 284 2019-02-15 2019-02-21
9.4
None Remote Low Not required Complete Complete None
Vulnerability in YingZhi Python Programming Language v1.9 allows arbitrary anonymous uploads to the phone's storage
836 CVE-2013-2565 22 Dir. Trav. 2019-02-15 2019-04-15
5.0
None Remote Low Not required Partial None None
A vulnerability in Mambo CMS v4.6.5 where the scripts thumbs.php, editorFrame.php, editor.php, images.php, manager.php discloses the root path of the webserver.
837 CVE-2013-2516 77 2019-02-15 2019-02-19
9.3
None Remote Medium Not required Complete Complete Complete
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.
838 CVE-2009-5155 19 DoS 2019-02-26 2021-06-29
5.0
None Remote Low Not required None None Partial
In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
839 CVE-2009-5154 798 2019-02-09 2019-02-13
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. There is a default password of meinsm for the admin account.
Total number of vulnerabilities : 839   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.