CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
101 CVE-2019-17674 79 XSS 2019-10-17 2020-01-08
3.5
None Remote Medium ??? None Partial None
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.
102 CVE-2019-17673 20 2019-10-17 2021-07-21
5.0
None Remote Low Not required None Partial None
WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.
103 CVE-2019-17672 79 XSS 2019-10-17 2020-01-08
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.
104 CVE-2019-17671 200 +Info 2019-10-17 2019-11-05
5.0
None Remote Low Not required Partial None None
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.
105 CVE-2019-17670 918 2019-10-17 2020-09-11
7.5
None Remote Low Not required Partial Partial Partial
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.
106 CVE-2019-17669 918 2019-10-17 2019-11-05
7.5
None Remote Low Not required Partial Partial Partial
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.
107 CVE-2019-17668 20 2019-10-17 2021-07-21
4.4
None Local Medium Not required Partial Partial Partial
Samsung Galaxy S10 and Note10 devices allow unlock operations via unregistered fingerprints in certain situations involving a third-party screen protector.
108 CVE-2019-17667 79 XSS 2019-10-17 2020-01-10
3.5
None Remote Medium ??? None Partial None
Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML injection via the Site Name (aka SiteName) field.
109 CVE-2019-17666 120 Overflow 2019-10-17 2019-10-24
8.3
None Local Network Low Not required Complete Complete Complete
rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.
110 CVE-2019-17665 426 2019-10-16 2021-07-21
4.4
None Local Medium Not required Partial Partial Partial
NSA Ghidra before 9.0.2 is vulnerable to DLL hijacking because it loads jansi.dll from the current working directory.
111 CVE-2019-17664 426 Exec Code 2019-10-16 2019-10-21
4.4
None Local Medium Not required Partial Partial Partial
NSA Ghidra through 9.0.4 uses a potentially untrusted search path. When executing Ghidra from a given path, the Java process working directory is set to this path. Then, when launching the Python interpreter via the "Ghidra Codebrowser > Window > Python" option, Ghidra will try to execute the cmd.exe program from this working directory.
112 CVE-2019-17663 79 XSS 2019-10-16 2021-04-22
4.3
None Remote Medium Not required None Partial None
D-Link DIR-866L 1.03B04 devices allow XSS via HtmlResponseMessage in the device common gateway interface, leading to common injection.
113 CVE-2019-17662 22 Dir. Trav. 2019-10-16 2020-08-24
5.0
None Remote Low Not required Partial None None
ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.
114 CVE-2019-17660 79 XSS 2019-10-16 2019-10-17
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO.
115 CVE-2019-17631 269 2019-10-17 2020-10-16
6.4
None Remote Low Not required None Partial Partial
From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted without any privilege checks.
116 CVE-2019-17630 79 XSS 2019-10-16 2019-10-16
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen.
117 CVE-2019-17629 79 XSS 2019-10-16 2019-10-16
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen.
118 CVE-2019-17627 287 2019-10-16 2019-10-18
3.3
None Local Network Low Not required Partial None None
The Yale Bluetooth Key application for mobile devices allows unauthorized unlock actions by sniffing Bluetooth Low Energy (BLE) traffic during one authorized unlock action, and then calculating the authentication key via simple computations on the hex digits of a valid authentication request. This affects the Yale ZEN-R lock and unspecified other locks.
119 CVE-2019-17626 91 Exec Code 2019-10-16 2020-07-27
7.5
None Remote Low Not required Partial Partial Partial
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
120 CVE-2019-17625 79 Exec Code XSS 2019-10-16 2019-10-16
8.5
None Remote Medium ??? Complete Complete Complete
There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such as an exec of OS commands within the onerror attribute of an IMG element.
121 CVE-2019-17624 787 DoS Overflow 2019-10-16 2020-08-24
4.6
None Local Low Not required Partial Partial Partial
"" In X.Org X Server 1.20.4, there is a stack-based buffer overflow in the function XQueryKeymap. For example, by sending ct.c_char 1000 times, an attacker can cause a denial of service (application crash) or possibly have unspecified other impact. Note: It is disputed if the X.Org X Server is involved or if there is a stack overflow.
122 CVE-2019-17613 94 Exec Code CSRF 2019-10-15 2019-10-18
7.5
None Remote Low Not required Partial Partial Partial
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in the content parameter.
123 CVE-2019-17612 89 Sql 2019-10-15 2019-10-17
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
124 CVE-2019-17611 79 XSS 2019-10-16 2019-10-18
4.3
None Remote Medium Not required None Partial None
HongCMS 3.0.0 has XSS via the install/index.php tableprefix parameter.
125 CVE-2019-17610 79 XSS 2019-10-16 2019-10-18
4.3
None Remote Medium Not required None Partial None
HongCMS 3.0.0 has XSS via the install/index.php dbpassword parameter.
126 CVE-2019-17609 79 XSS 2019-10-16 2019-10-18
4.3
None Remote Medium Not required None Partial None
HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter.
127 CVE-2019-17608 79 XSS 2019-10-16 2019-10-18
4.3
None Remote Medium Not required None Partial None
HongCMS 3.0.0 has XSS via the install/index.php dbname parameter.
128 CVE-2019-17607 79 XSS 2019-10-16 2019-10-18
4.3
None Remote Medium Not required None Partial None
HongCMS 3.0.0 has XSS via the install/index.php servername parameter.
129 CVE-2019-17606 79 XSS 2019-10-23 2019-10-28
4.3
None Remote Medium Not required None Partial None
The Post editor functionality in the hexo-admin plugin versions 2.3.0 and earlier for Node.js is vulnerable to stored XSS via the content of a post.
130 CVE-2019-17602 89 Sql 2019-10-15 2021-05-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
131 CVE-2019-17601 787 Exec Code Overflow 2019-10-15 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
In MiniShare 1.4.1, there is a stack-based buffer overflow via an HTTP CONNECT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19862 and CVE-2018-19861. NOTE: this product is discontinued.
132 CVE-2019-17600 352 2019-10-15 2019-11-16
10.0
None Remote Low Not required Complete Complete Complete
Intelbras IWR 1000N 1.6.4 devices allow disclosure of the administrator login name and password because v1/system/user is mishandled.
133 CVE-2019-17596 436 2019-10-24 2021-11-30
5.0
None Remote Low Not required None None Partial
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
134 CVE-2019-17595 125 2019-10-14 2021-02-08
5.8
None Remote Medium Not required Partial None Partial
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
135 CVE-2019-17594 125 2019-10-14 2021-02-10
4.6
None Local Low Not required Partial Partial Partial
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
136 CVE-2019-17593 352 CSRF 2019-10-14 2019-10-16
6.8
None Remote Medium Not required Partial Partial Partial
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
137 CVE-2019-17592 400 DoS 2019-10-14 2022-01-01
5.0
None Remote Low Not required None None Partial
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.
138 CVE-2019-17583 770 DoS 2019-10-14 2020-08-24
5.0
None Remote Low Not required None None Partial
idreamsoft iCMS 7.0.15 allows remote attackers to cause a denial of service (resource consumption) via a query for many comments, as demonstrated by the admincp.php?app=comment&perpage= substring followed by a large positive integer.
139 CVE-2019-17581 79 XSS 2019-10-24 2019-10-28
4.3
None Remote Medium Not required None Partial None
tonyy dormsystem through 1.3 allows DOM XSS.
140 CVE-2019-17580 89 Sql 2019-10-14 2019-10-16
7.5
None Remote Low Not required Partial Partial Partial
tonyy dormsystem through 1.3 allows SQL Injection in admin.php.
141 CVE-2019-17579 79 XSS 2019-10-14 2019-10-17
4.3
None Remote Medium Not required None Partial None
SonarSource SonarQube before 7.8 has XSS in project links on account/projects.
142 CVE-2019-17578 79 XSS 2019-10-16 2019-10-18
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field.
143 CVE-2019-17577 79 XSS 2019-10-16 2019-10-18
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field.
144 CVE-2019-17576 79 XSS 2019-10-16 2019-10-18
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field.
145 CVE-2019-17575 94 Exec Code Bypass 2019-10-14 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
A file-rename filter bypass exists in admin/media/rename.php in WBCE CMS 1.4.0 and earlier. This can be exploited by an authenticated user with admin privileges to rename a media filename and extension. (For example: place PHP code in a .jpg file, and then change the file's base name to filename.ph and change the file's extension to p. Because of concatenation, the name is then treated as filename.php.) At the result, remote attackers can execute arbitrary PHP code.
146 CVE-2019-17574 639 2019-10-14 2019-10-18
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").
147 CVE-2019-17553 89 Sql 2019-10-14 2019-10-17
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI.
148 CVE-2019-17552 89 Sql 2019-10-14 2019-10-16
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload.
149 CVE-2019-17551 79 XSS 2019-10-31 2019-11-07
4.3
None Remote Medium Not required None Partial None
In Apak Wholesale Floorplanning Finance 6.31.8.3 and 6.31.8.5, an attacker can send an authenticated POST request with a malicious payload to /WFS/agreementView.faces allowing a stored XSS via the mainForm:loanNotesnotes:0:rich_text_editor_note_text parameter in the Notes section. Although versions 6.31.8.3 and 6.31.8.5 are confirmed to be affected, all versions with the vulnerable WYSIWYG editor in the Notes section are likely affected.
150 CVE-2019-17547 416 2019-10-14 2019-10-18
6.8
None Remote Medium Not required Partial Partial Partial
In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a use-after-free.
Total number of vulnerabilities : 1567   Page : 1 2 3 (This Page)4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.