CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In December 2019

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1401 CVE-2018-11751 295 2019-12-16 2020-04-07
4.8
None Local Network Low Not required None Partial Partial
Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0.
1402 CVE-2018-10389 134 DoS Exec Code 2019-12-23 2020-01-03
7.5
None Remote Low Not required Partial Partial Partial
Format string vulnerability in the logMess function in TFTP Server MT 1.65 and earlier allows remote attackers to perform a denial of service or execute arbitrary code via format string sequences in a TFTP error packet.
1403 CVE-2018-10388 134 DoS Exec Code 2019-12-23 2020-01-03
7.5
None Remote Low Not required Partial Partial Partial
Format string vulnerability in the logMess function in TFTP Server SP 1.66 and earlier allows remote attackers to perform a denial of service or execute arbitrary code via format string sequences in a TFTP error packet.
1404 CVE-2018-10387 787 DoS Exec Code Overflow 2019-12-23 2020-01-03
7.5
None Remote Low Not required Partial Partial Partial
Heap-based overflow vulnerability in TFTP Server SP 1.66 and earlier allows remote attackers to perform a denial of service or possibly execute arbitrary code via a long TFTP error packet, a different vulnerability than CVE-2008-2161.
1405 CVE-2018-7859 79 Exec Code XSS 2019-12-30 2020-01-06
4.3
None Remote Medium Not required None Partial None
A security vulnerability in D-Link DGS-1510-series switches with firmware 1.20.011, 1.30.007, 1.31.B003 and older may allow a remote attacker to inject malicious scripts into the device and execute commands via the browser that is configuring the unit.
1406 CVE-2018-7282 89 Sql 2019-12-06 2019-12-18
7.5
None Remote Low Not required Partial Partial Partial
The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
1407 CVE-2018-1934 352 CSRF 2019-12-20 2019-12-27
6.8
None Remote Medium Not required Partial Partial Partial
IBM Cognos Business Intelligence 10.2.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 153179.
1408 CVE-2018-1682 200 +Info 2019-12-30 2020-01-03
5.0
None Remote Low Not required Partial None None
IBM Watson Studio Local 1.2.3 could disclose sensitive information over the network that an attacker could use in further attacks against the system. IBM X-Force ID: 145238.
1409 CVE-2018-1311 416 2019-12-18 2021-05-28
6.8
None Remote Medium Not required Partial Partial Partial
The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.
1410 CVE-2018-0730 77 Exec Code 2019-12-04 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
This command injection vulnerability in File Station allows attackers to execute commands on the affected device. To fix the vulnerability, QNAP recommend updating QTS to their latest versions.
1411 CVE-2018-0729 77 Exec Code 2019-12-04 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
This command injection vulnerability in Music Station allows attackers to execute commands on the affected device. To fix the vulnerability, QNAP recommend updating Music Station to their latest versions.
1412 CVE-2018-0728 269 2019-12-04 2019-12-09
5.0
None Remote Low Not required Partial None None
This improper access control vulnerability in Helpdesk allows attackers to access the system logs. To fix the vulnerability, QNAP recommend updating QTS and Helpdesk to their latest versions.
1413 CVE-2017-18640 776 2019-12-12 2021-10-08
5.0
None Remote Low Not required None None Partial
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
1414 CVE-2017-18107 352 CSRF 2019-12-17 2019-12-27
4.0
None Remote High Not required None Partial Partial
Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability. Please be aware that the Demo application is not enabled by default.
1415 CVE-2017-16778 863 2019-12-24 2020-01-08
2.1
None Local Low Not required None Partial None
An access control weakness in the DTMF tone receiver of Fermax Outdoor Panel allows physical attackers to inject a Dual-Tone-Multi-Frequency (DTMF) tone to invoke an access grant that would allow physical access to a restricted floor/level. By design, only a residential unit owner may allow such an access grant. However, due to incorrect access control, an attacker could inject it via the speaker unit to perform an access grant to gain unauthorized access, as demonstrated by a loud DTMF tone representing '1' and a long '#' (697 Hz and 1209 Hz, followed by 941 Hz and 1477 Hz).
1416 CVE-2016-1000229 79 XSS 2019-12-20 2019-12-31
4.3
None Remote Medium Not required None Partial None
swagger-ui has XSS in key names
1417 CVE-2016-1000108 601 2019-12-10 2019-12-16
5.8
None Remote Medium Not required Partial Partial None
yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
1418 CVE-2016-1000107 601 2019-12-10 2019-12-19
5.8
None Remote Medium Not required Partial Partial None
inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
1419 CVE-2016-1000104 20 Bypass 2019-12-03 2020-02-03
6.5
None Remote Low ??? Partial Partial Partial
A security Bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07.
1420 CVE-2016-1000029 79 XSS 2019-12-27 2019-12-31
3.5
None Remote Medium ??? None Partial None
Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would potentially impact other admins (Tenable IDs 5218 and 5269).
1421 CVE-2016-1000028 79 XSS 2019-12-27 2019-12-31
3.5
None Remote Medium ??? None Partial None
Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would only potentially impact other admins. (Tenable ID 5198).
1422 CVE-2015-8313 203 2019-12-20 2020-01-09
4.3
None Remote Medium Not required Partial None None
GnuTLS incorrectly validates the first byte of padding in CBC modes
1423 CVE-2015-7892 787 Overflow 2019-12-09 2019-12-10
4.6
None Local Low Not required Partial Partial Partial
Stack-based buffer overflow in the m2m1shot_compat_ioctl32 function in the Samsung m2m1shot driver framework, as used in Samsung S6 Edge, allows local users to have unspecified impact via a large data.buf_out.num_planes value in an ioctl call.
1424 CVE-2015-7542 319 2019-12-03 2020-02-03
5.0
None Remote Low Not required Partial None None
A vulnerability exists in libgwenhywfar through 4.12.0 due to the usage of outdated bundled CA certificates.
1425 CVE-2015-5595 352 DoS CSRF 2019-12-31 2020-01-07
4.3
None Remote Medium Not required None None Partial
Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption).
1426 CVE-2015-5593 79 XSS 2019-12-31 2020-01-07
4.3
None Remote Medium Not required None Partial None
The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags, which allows remote attackers to perform a cross-site scripting (XSS) attack by wrapping a payload in "<<script></script>script>payload<script></script></script>", or in an image tag, with the payload as the onerror event.
1427 CVE-2015-5592 79 XSS 2019-12-31 2020-01-07
4.3
None Remote Medium Not required None Partial None
Incomplete blacklist in sanitize_string in Zenphoto before 1.4.9 allows remote attackers to conduct cross-site scripting (XSS) attacks.
1428 CVE-2015-5591 89 Exec Code Sql 2019-12-31 2020-01-06
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in Zenphoto before 1.4.9 allows remote administrators to execute arbitrary SQL commands.
1429 CVE-2015-5290 119 DoS Overflow 2019-12-26 2020-02-03
5.0
None Remote Low Not required None None Partial
A Denial of Service vulnerability exists in ircd-ratbox 3.0.9 in the MONITOR Command Handler.
1430 CVE-2015-3425 79 XSS 2019-12-09 2019-12-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Accentis Content Resource Management System before October 2015 patch allows remote attackers to inject arbitrary web script or HTML via the ctl00$cph_content$_uig_formState parameter.
1431 CVE-2015-3424 89 Exec Code Sql 2019-12-09 2019-12-11
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in Accentis Content Resource Management System before the October 2015 patch allows remote attackers to execute arbitrary SQL commands via the SIDX parameter.
1432 CVE-2015-1853 DoS 2019-12-09 2019-12-17
4.0
None Remote Low ??? None None Partial
chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets.
1433 CVE-2015-0841 193 DoS 2019-12-09 2019-12-11
5.0
None Remote Low Not required None None Partial
Off-by-one error in the readBuf function in listener.cpp in libcapsinetwork and monopd before 0.9.8, allows remote attackers to cause a denial of service (crash) via a long line.
1434 CVE-2014-9356 22 Dir. Trav. Bypass 2019-12-02 2019-12-11
8.5
None Remote Low Not required None Complete Partial
Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile.
1435 CVE-2014-8650 287 2019-12-15 2019-12-19
7.5
None Remote Low Not required Partial Partial Partial
python-requests-Kerberos through 0.5 does not handle mutual authentication
1436 CVE-2014-8561 835 2019-12-15 2019-12-19
4.3
None Remote Medium Not required None None Partial
ImageMagick 6.8.9.6 has a remote DoS via an infinite loop.
1437 CVE-2014-8179 20 Bypass 2019-12-17 2019-12-21
5.0
None Remote Low Not required None Partial None
Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation.
1438 CVE-2014-8178 20 2019-12-17 2019-12-30
1.9
None Local Medium Not required None Partial None
Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands.
1439 CVE-2014-7257 89 Sql 2019-12-11 2019-12-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
1440 CVE-2014-6420 79 XSS 2019-12-27 2020-01-03
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Livefyre LiveComments 3.0 allows remote attackers to inject arbitrary web script or HTML via the name of an uploaded picture.
1441 CVE-2014-5289 20 Exec Code Overflow 2019-12-27 2019-12-31
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in Senkas Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a POST request.
1442 CVE-2014-4913 79 XSS 2019-12-15 2019-12-19
4.3
None Remote Medium Not required None Partial None
ZF2014-03 has a potential cross site scripting vector in multiple view helpers
1443 CVE-2014-4592 79 XSS 2019-12-27 2019-12-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter.
1444 CVE-2014-4567 79 XSS 2019-12-27 2020-01-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in comments/videowhisper2/r_logout.php in the Video Comments Webcam Recorder plugin 1.55, as downloaded before 20140116 for WordPress allows remote attackers to inject arbitrary web script or HTML via the message parameter.
1445 CVE-2014-4559 79 XSS 2019-12-27 2020-01-06
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) api_key, (2) payment_page_url, (3) merchant_id, (4) api_url, or (5) currency parameter.
1446 CVE-2014-4558 79 XSS 2019-12-27 2020-01-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter.
1447 CVE-2014-4550 79 XSS 2019-12-27 2019-12-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter.
1448 CVE-2014-4548 79 XSS 2019-12-27 2020-01-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in tinymce/popup.php in the Ruven Toolkit plugin 1.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the popup parameter.
1449 CVE-2014-4544 79 XSS 2019-12-27 2020-01-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Podcast Channels plugin 0.20 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the Filename parameter to getid3/demos/demo.write.php.
1450 CVE-2014-4539 79 XSS 2019-12-27 2020-01-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php.
Total number of vulnerabilities: 1577 (page 29 of 32)