CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2019-8954 20 Exec Code 2019-02-20 2019-02-21
6.5
None Remote Low ??? Partial Partial Partial
In Indexhibit 2.1.5, remote attackers can execute arbitrary code via the v parameter (in conjunction with the id parameter) in a upd_jxcode=true action to the ndxzstudio/?a=system URI.
152 CVE-2019-8953 79 XSS 2019-02-20 2019-03-14
4.3
None Remote Medium Not required None Partial None
The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php.
153 CVE-2019-8950 798 2019-02-20 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.
154 CVE-2019-8948 74 2019-02-20 2019-02-21
7.5
None Remote Low Not required Partial Partial Partial
PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163.
155 CVE-2019-8944 200 +Info 2019-02-20 2021-07-21
4.0
None Remote Low ??? Partial None None
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.
156 CVE-2019-8943 22 Dir. Trav. 2019-02-20 2021-02-23
4.0
None Remote Low ??? None Partial None
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
157 CVE-2019-8942 94 Exec Code 2019-02-20 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
158 CVE-2019-8939 79 XSS 2019-02-19 2019-02-27
4.3
None Remote Medium Not required None Partial None
data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page.
159 CVE-2019-8935 79 XSS 2019-02-19 2019-02-19
3.5
None Remote Medium ??? None Partial None
Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter.
160 CVE-2019-8933 434 2019-02-19 2019-02-20
6.5
None Remote Low ??? Partial Partial Partial
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php.
161 CVE-2019-8919 326 2019-02-18 2021-07-21
5.0
None Remote Low Not required Partial None None
The seadroid (aka Seafile Android Client) application through 2.2.13 for Android always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
162 CVE-2019-8917 Exec Code 2019-02-18 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user.
163 CVE-2019-8912 416 2019-02-18 2021-06-02
7.2
None Local Low Not required Complete Complete Complete
In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.
164 CVE-2019-8911 79 XSS 2019-02-18 2019-02-19
4.3
None Remote Medium Not required None Partial None
An issue was discovered in WTCMS 1.0. It has stored XSS via the third text box (for the website statistics code).
165 CVE-2019-8910 352 CSRF 2019-02-18 2019-02-19
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in WTCMS 1.0. It allows index.php?g=admin&m=setting&a=site_post CSRF.
166 CVE-2019-8909 400 DoS 2019-02-18 2019-02-19
5.0
None Remote Low Not required None None Partial
An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service (resource consumption) via crafted dimensions for the verification code image.
167 CVE-2019-8908 94 Exec Code 2019-02-18 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header.
168 CVE-2019-8907 787 DoS 2019-02-18 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.
169 CVE-2019-8906 125 2019-02-18 2021-12-09
3.6
None Local Low Not required Partial None Partial
do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.
170 CVE-2019-8905 125 2019-02-18 2021-12-09
3.6
None Local Low Not required Partial None Partial
do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.
171 CVE-2019-8904 125 2019-02-18 2019-03-26
6.8
None Remote Medium Not required Partial Partial Partial
do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.
172 CVE-2019-8903 22 Dir. Trav. 2019-02-18 2020-03-18
5.0
None Remote Low Not required Partial None None
index.js in Total.js Platform before 3.2.3 allows path traversal.
173 CVE-2019-8902 352 CSRF 2019-02-18 2019-02-19
4.9
None Remote Medium ??? None Partial Partial
An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI.
174 CVE-2019-8436 79 XSS 2019-02-18 2019-02-19
3.5
None Remote Medium ??? None Partial None
imcat 4.5 has Stored XSS via the root/run/adm.php fm[instop][note] parameter.
175 CVE-2019-8435 79 XSS 2019-02-18 2019-02-20
3.5
None Remote Medium ??? None Partial None
admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header.
176 CVE-2019-8434 79 XSS 2019-02-18 2019-02-19
4.3
None Remote Medium Not required None Partial None
In CmsEasy 7.0, there is XSS via the ckplayer.php autoplay parameter.
177 CVE-2019-8433 434 2019-02-18 2019-02-20
5.0
None Remote Low Not required None Partial None
JTBC(PHP) 3.0.1.8 allows Arbitrary File Upload via the console/#/console/file/manage.php?type=list URI, as demonstrated by a .php file.
178 CVE-2019-8432 79 XSS 2019-02-18 2019-02-19
4.3
None Remote Medium Not required None Partial None
In CmsEasy 7.0, there is XSS via the ckplayer.php url parameter.
179 CVE-2019-8429 89 Sql 2019-02-18 2019-02-19
7.5
None Remote Low Not required Partial Partial Partial
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter.
180 CVE-2019-8428 89 Sql 2019-02-18 2019-02-19
7.5
None Remote Low Not required Partial Partial Partial
ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value.
181 CVE-2019-8427 78 2019-02-18 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.
182 CVE-2019-8426 79 XSS 2019-02-18 2019-02-19
4.3
None Remote Medium Not required None Partial None
skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.
183 CVE-2019-8425 79 XSS 2019-02-18 2019-02-19
4.3
None Remote Medium Not required None Partial None
includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.
184 CVE-2019-8424 89 Sql 2019-02-18 2019-02-19
7.5
None Remote Low Not required Partial Partial Partial
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
185 CVE-2019-8423 89 Sql 2019-02-18 2019-02-19
7.5
None Remote Low Not required Partial Partial Partial
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.
186 CVE-2019-8422 89 Sql 2019-02-17 2019-02-19
6.5
None Remote Low ??? Partial Partial Partial
A SQL Injection vulnerability exists in PbootCMS v1.3.2 via the description parameter in apps\admin\controller\content\ContentController.php.
187 CVE-2019-8421 89 Sql 2019-02-17 2019-02-20
6.5
None Remote Low ??? Partial Partial Partial
upload/protected/modules/admini/views/post/index.php in BageCMS through 3.1.4 allows SQL Injection via the title or titleAlias parameter.
188 CVE-2019-8419 79 XSS 2019-02-17 2019-02-19
4.3
None Remote Medium Not required None Partial None
VNote 2.2 has XSS via a new text note.
189 CVE-2019-8418 2019-02-17 2020-08-24
4.0
None Remote Low ??? Partial None None
SeaCMS 7.2 mishandles member.php?mod=repsw4 requests.
190 CVE-2019-8413 476 2019-02-17 2019-02-20
4.9
None Local Low Not required None None Complete
On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer dereference in the ioctl interface of the device file /dev/elliptic1 or /dev/elliptic0 causes a system crash via IOCTL 0x4008c575 (aka decimal 1074316661).
191 CVE-2019-8412 22 Dir. Trav. 2019-02-17 2019-02-20
6.5
None Remote Low ??? Partial Partial Partial
FeiFeiCms 4.0.181010 on Windows allows remote attackers to read or delete arbitrary files via index.php?s=Admin-Data-Down-id-..\ or index.php?s=Admin-Data-Del-id-..\ directory traversal.
192 CVE-2019-8411 22 Dir. Trav. 2019-02-17 2019-02-19
6.4
None Remote Low Not required None Partial Partial
admin/dl_data.php in zzcms 2018 (2018-10-19) allows remote attackers to delete arbitrary files via action=del&filename=../ directory traversal.
193 CVE-2019-8410 79 XSS 2019-02-27 2019-02-27
4.3
None Remote Medium Not required None Partial None
Maccms 8.0 allows XSS via the inc/config/cache.php t_key parameter because template/paody/html/vod_type.html mishandles the keywords parameter, and a/tpl/module/db.php only filters the t_name parameter (not t_key).
194 CVE-2019-8408 2019-02-17 2020-08-24
4.0
None Remote Low ??? None Partial None
OneFileCMS 3.6.13 allows remote attackers to modify onefilecms.php by clicking the Copy button twice.
195 CVE-2019-8407 22 Dir. Trav. 2019-02-17 2019-02-19
5.5
None Remote Low ??? Partial Partial None
HongCMS 3.0.0 allows arbitrary file read and write operations via a ../ in the filename parameter to the admin/index.php/language/edit URI.
196 CVE-2019-8400 79 XSS 2019-02-17 2019-02-20
4.3
None Remote Medium Not required None Partial None
ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter.
197 CVE-2019-8398 125 2019-02-17 2019-02-19
4.3
None Remote Medium Not required None None Partial
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_get_size in H5T.c.
198 CVE-2019-8397 125 2019-02-17 2019-02-19
4.3
None Remote Medium Not required None None Partial
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_close_real in H5T.c.
199 CVE-2019-8396 119 DoS Overflow 2019-02-17 2019-02-19
4.3
None Remote Medium Not required None None Partial
A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka "Invalid write of size 2."
200 CVE-2019-8395 22 Dir. Trav. 2019-02-17 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.
Total number of vulnerabilities : 839   Page : 1 2 3 4 (This Page)5 6 7 8 9 10 11 12 13 14 15 16 17
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.