CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In October 2019

Each entry lists: index, CVE ID, CWE ID (with the vulnerability type(s) where assigned), publish date, update date, then the CVSS v2 base score with its vector fields (gained access level, access vector, access complexity, authentication, and confidentiality/integrity/availability impact), followed by the description. The exploit-count column is empty for every entry on this page.
201 | CVE-2019-17452 | CWE-476 | published 2019-10-10, updated 2019-10-11 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/None/Partial
Bento4 1.5.1.0 has a NULL pointer dereference in AP4_DescriptorListInspector::Action in Core/Ap4Descriptor.h, related to AP4_IodsAtom::InspectFields in Core/Ap4IodsAtom.cpp, as demonstrated by mp4dump.
202 | CVE-2019-17451 | CWE-190, Overflow | published 2019-10-10, updated 2020-11-02 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/None/Partial
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c, as demonstrated by nm.
203 | CVE-2019-17450 | CWE-674, DoS | published 2019-10-10, updated 2020-11-02 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/None/Partial
find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.
204 | CVE-2019-17449 | CWE-426, +Priv | published 2019-10-10, updated 2019-10-24 | CVSS v2 4.6: gained access None; vector Local; complexity Low; auth Not required; C/I/A Partial/Partial/Partial
** DISPUTED ** Avira Software Updater before 2.0.6.21094 allows a DLL side-loading attack. NOTE: The vendor thinks that this vulnerability is invalid because exploiting it would require at least administrator privileges and would gain only SYSTEM privileges.
205 | CVE-2019-17436 | CWE n/a | published 2019-10-16, updated 2020-08-24 | CVSS v2 6.6: gained access None; vector Local; complexity Low; auth Not required; C/I/A None/Complete/Complete
A Local Privilege Escalation vulnerability exists in GlobalProtect Agent for Linux and Mac OS X version 5.0.4 and earlier and version 4.1.12 and earlier, that can allow non-root users to overwrite root files on the file system.
206 | CVE-2019-17435 | CWE n/a | published 2019-10-16, updated 2020-08-24 | CVSS v2 2.1: gained access None; vector Local; complexity Low; auth Not required; C/I/A None/Partial/None
A Local Privilege Escalation vulnerability exists in the GlobalProtect Agent for Windows 5.0.3 and earlier, and GlobalProtect Agent for Windows 4.1.12 and earlier, in which the auto-update feature can allow for modification of a GlobalProtect Agent MSI installer package on disk before installation.
207 | CVE-2019-17434 | CWE-79, XSS | published 2019-10-10, updated 2019-10-10 | CVSS v2 3.5: gained access None; vector Remote; complexity Medium; auth ???; C/I/A None/Partial/None
LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen.
208 | CVE-2019-17433 | CWE-79, XSS | published 2019-10-10, updated 2019-10-10 | CVSS v2 3.5: gained access None; vector Remote; complexity Medium; auth ???; C/I/A None/Partial/None
z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the "Operation log" screen.
209 | CVE-2019-17432 | CWE-352, XSS CSRF | published 2019-10-10, updated 2020-08-24 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/admin/general.config/edit CSRF vulnerability, as demonstrated by resultant XSS via the row[name] parameter.
210 | CVE-2019-17431 | CWE-352, CSRF | published 2019-10-10, updated 2019-10-11 | CVSS v2 6.8: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A Partial/Partial/Partial
An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/index.php/admin/auth/admin/add CSRF vulnerability.
211 | CVE-2019-17430 | CWE-79, XSS | published 2019-10-10, updated 2019-11-14 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
EyouCms through 2019-07-11 has XSS related to the login.php web_recordnum parameter.
212 | CVE-2019-17429 | CWE-89, Sql | published 2019-10-10, updated 2019-10-11 | CVSS v2 7.5: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/Partial/Partial
Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter.
213 | CVE-2019-17427 | CWE-79, XSS | published 2019-10-10, updated 2019-11-19 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.
214 | CVE-2019-17426 | CWE-20, Bypass | published 2019-10-10, updated 2021-07-21 | CVSS v2 6.4: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/Partial/None
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
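The Mongoose entry above comes down to an attacker smuggling a `_bsontype` key into a filter object that the application builds from user-supplied JSON; the bson serializer special-cases such objects, so the clause silently disappears from the query. The following is an added example, not Mongoose's or js-bson's own code: an input-side guard that walks the parsed filter and rejects a `_bsontype` key at any nesting depth, so the special case is never reached whichever bson version is installed. The function names `assertNoBsonTypeKeys` and `safeFilter` and the sample filters are assumptions for illustration.

```javascript
'use strict';

// Added example (not Mongoose/js-bson code). Rejects query filters that carry
// a `_bsontype` key anywhere, because the bson serializer treats an object
// with that key as a BSON type rather than as a plain filter clause and the
// clause is dropped, which is the access-control bypass of CVE-2019-17426.
const FORBIDDEN_KEYS = new Set(['_bsontype']);

// Throws on the first forbidden key; returns the value unchanged otherwise.
// `path` is only used to make the error message point at the offending key.
function assertNoBsonTypeKeys(value, path = '$') {
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertNoBsonTypeKeys(item, `${path}[${i}]`));
    return value;
  }
  if (value !== null && typeof value === 'object') {
    // Own enumerable keys are what gets serialized and sent to the server.
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) {
        throw new Error(`forbidden key ${JSON.stringify(key)} at ${path}`);
      }
      assertNoBsonTypeKeys(value[key], `${path}.${key}`);
    }
  }
  return value;
}

// Parse untrusted JSON into a filter, or return null if it is malformed or
// carries a forbidden key. Callers pass only non-null results to the driver.
function safeFilter(untrustedJson) {
  try {
    return assertNoBsonTypeKeys(JSON.parse(untrustedJson));
  } catch (e) {
    return null;
  }
}

// Constructed sample inputs (not taken from the advisory).
const benign   = '{"owner":"alice","deleted":false}';
const smuggled = '{"owner":"alice","_bsontype":"a"}';            // top level
const nested   = '{"$or":[{"owner":"alice"},{"_bsontype":"a"}]}'; // inside $or

console.log(safeFilter(benign) !== null);   // true, accepted
console.log(safeFilter(smuggled) === null); // true, rejected
console.log(safeFilter(nested) === null);   // true, rejected
```

The guard is deliberately an allow-or-reject step on the parsed object rather than a string filter on the JSON text, so encoding tricks in the raw input do not matter: whatever `JSON.parse` produced is exactly what gets walked.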
215 | CVE-2019-17424 | CWE-787, DoS Exec Code Overflow | published 2019-10-22, updated 2019-11-18 | CVSS v2 6.8: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A Partial/Partial/Partial
A stack-based buffer overflow in the processPrivilage() function in IOS/process-general.c in nipper-ng 0.11.10 allows remote attackers (serving firewall configuration files) to achieve Remote Code Execution or Denial Of Service via a crafted file.
216 | CVE-2019-17420 | CWE-20 | published 2019-10-10, updated 2021-07-21 | CVSS v2 5.0: gained access None; vector Remote; complexity Low; auth Not required; C/I/A None/Partial/None
In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other products, an HTTP protocol parsing error causes the http_header signature to not alert on a response with a single \r\n ending.
217 | CVE-2019-17419 | CWE-89, Sql | published 2019-10-10, updated 2019-10-10 | CVSS v2 6.5: gained access None; vector Remote; complexity Low; auth ???; C/I/A Partial/Partial/Partial
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter.
218 | CVE-2019-17418 | CWE-89, Sql | published 2019-10-10, updated 2019-10-10 | CVSS v2 6.5: gained access None; vector Remote; complexity Low; auth ???; C/I/A Partial/Partial/Partial
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997.
219 | CVE-2019-17417 | CWE-79, XSS | published 2019-10-10, updated 2019-10-11 | CVSS v2 3.5: gained access None; vector Remote; complexity Medium; auth ???; C/I/A None/Partial/None
PbootCMS 2.0.2 allows XSS via vectors involving the Pboot/admin.php?p=/Single/index/mcode/1 and Pboot/?contact/ URIs.
220 | CVE-2019-17415 | CWE-120, Exec Code Overflow | published 2019-10-09, updated 2019-11-18 | CVSS v2 7.5: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/Partial/Partial
A Structured Exception Handler (SEH) based buffer overflow in File Sharing Wizard 1.5.0 26-8-2008 allows remote unauthenticated attackers to execute arbitrary code via the HTTP DELETE method, a similar issue to CVE-2019-16724 and CVE-2010-2331.
221 | CVE-2019-17414 | CWE-20, DoS | published 2019-10-09, updated 2021-07-21 | CVSS v2 5.0: gained access None; vector Remote; complexity Low; auth Not required; C/I/A None/None/Partial
tinylcy Vino through 2017-12-15 allows remote attackers to cause a denial of service ("vn_get_string error: Resource temporarily unavailable" error and daemon crash) via a long URL.
222 | CVE-2019-17409 | CWE-79, XSS | published 2019-10-21, updated 2019-10-21 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 via the id parameter.
223 | CVE-2019-17408 | CWE-20, Exec Code Bypass | published 2019-10-14, updated 2021-07-21 | CVSS v2 7.5: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/Partial/Partial
parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows remote attackers to execute arbitrary code because the danger_key function can be bypassed via manipulations such as strtr.
224 | CVE-2019-17402 | CWE-120 | published 2019-10-09, updated 2019-10-21 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/None/Partial
Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.
225 | CVE-2019-17401 | CWE-125 | published 2019-10-09, updated 2019-10-11 | CVSS v2 2.1: gained access None; vector Local; complexity Low; auth Not required; C/I/A None/None/Partial
** DISPUTED ** libyal liblnk 20191006 has a heap-based buffer over-read in the network_share_name_offset>20 code block of liblnk_location_information_read_data in liblnk_location_information.c, a different issue than CVE-2019-17264. NOTE: the vendor has disputed this as described in the GitHub issue.
226 | CVE-2019-17400 | CWE-918, File Inclusion | published 2019-10-21, updated 2019-10-23 | CVSS v2 5.0: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/None/None
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
227 | CVE-2019-17399 | CWE-22, Dir. Trav. | published 2019-10-09, updated 2019-10-11 | CVSS v2 7.5: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/Partial/Partial
The Shack Forms Pro extension before 4.0.32 for Joomla! allows path traversal via a file attachment.
228 | CVE-2019-17398 | CWE-532 | published 2019-10-15, updated 2019-10-17 | CVSS v2 5.0: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/None/None
In the Dark Horse Comics application 1.3.21 for Android, token information (equivalent to the username and password) is stored in the log during authentication, and may be available to attackers via logcat.
229 | CVE-2019-17397 | CWE-532 | published 2019-10-15, updated 2019-10-15 | CVSS v2 5.0: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/None/None
In the DoorDash application through 11.5.2 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
230 | CVE-2019-17396 | CWE-532 | published 2019-10-15, updated 2019-10-18 | CVSS v2 5.0: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/None/None
In the PowerSchool Mobile application 1.1.8 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
231 | CVE-2019-17395 | CWE-532 | published 2019-10-15, updated 2019-10-17 | CVSS v2 5.0: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/None/None
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
232 | CVE-2019-17394 | CWE-532 | published 2019-10-15, updated 2019-10-18 | CVSS v2 5.0: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/None/None
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
233 | CVE-2019-17393 | CWE-522 | published 2019-10-18, updated 2021-07-21 | CVSS v2 5.0: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/None/None
The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and password.
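Because the Tomedo exchange above runs over plain HTTP with Basic authentication, anyone on the path recovers the credentials with one base64 decode. The following added example (not Tomedo or any vendor code) is the check a passive network-monitoring rule applies to confirm such a finding: it splits captured request text from a non-TLS port into individual HTTP requests, extracts `Authorization: Basic` headers, decodes them and reports the user name and password length per request. The capture text is constructed and the helper names are assumptions.

```javascript
'use strict';

// Added example (not vendor code): find Basic credentials in cleartext HTTP.
// Basic auth is just base64("user:password"), so on a non-TLS connection a
// passive observer recovers the password directly; nothing here is "cracking".

// Split one captured request stream on the blank line that ends each header
// block. Bodies, if any, are left attached to the following request text and
// are ignored by the header scan below.
function splitRequests(capture) {
  return capture.split(/\r?\n\r?\n/).map(s => s.trim()).filter(Boolean);
}

// Decode "Basic <b64>" into { user, password }, or null if malformed.
function decodeBasic(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(headerValue.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// One finding per request that carried Basic credentials. The capture is
// assumed to come from a plain-HTTP port, which is what makes it cleartext.
function findCleartextBasicAuth(capture) {
  const findings = [];
  for (const req of splitRequests(capture)) {
    const lines = req.split(/\r?\n/);
    const [method, target] = lines[0].split(' ');
    let host = null;
    let creds = null;
    for (const line of lines.slice(1)) {
      const idx = line.indexOf(':');
      if (idx < 0) continue; // not a header line
      const name = line.slice(0, idx).trim().toLowerCase();
      const value = line.slice(idx + 1).trim();
      if (name === 'host') host = value;
      if (name === 'authorization') creds = decodeBasic(value);
    }
    if (creds) {
      // Report the user but only the password length, so the finding can be
      // logged without copying the secret into yet another cleartext store.
      findings.push({ method, target, host, user: creds.user,
                      passwordLength: creds.password.length });
    }
  }
  return findings;
}

// Constructed capture (not real traffic): two requests to the same host.
const CAPTURE = [
  'GET /api/status HTTP/1.1',
  'Host: vendor.example:80',
  'Authorization: Basic ' + Buffer.from('praxis:hunter2').toString('base64'),
  '',
  'GET /robots.txt HTTP/1.1',
  'Host: vendor.example:80',
  '',
].join('\r\n');

console.log(findCleartextBasicAuth(CAPTURE));
// [ { method: 'GET', target: '/api/status', host: 'vendor.example:80',
//     user: 'praxis', passwordLength: 7 } ]
```

The same scan over traffic on port 443 would find nothing, which is the point of the advisory: the weakness is not Basic authentication as such but sending it without TLS.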
234 | CVE-2019-17389 | CWE n/a | published 2019-10-09, updated 2020-08-24 | CVSS v2 7.8: gained access None; vector Remote; complexity Low; auth Not required; C/I/A None/None/Complete
In RIOT 2019.07, the MQTT-SN implementation (asymcute) mishandles errors occurring during a read operation on a UDP socket. The receive loop ends. This allows an attacker (via a large packet) to prevent a RIOT MQTT-SN client from working until the device is restarted.
235 | CVE-2019-17386 | CWE-352, CSRF | published 2019-10-10, updated 2019-10-15 | CVSS v2 6.8: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A Partial/Partial/Partial
The animate-it plugin before 2.3.6 for WordPress has CSRF in edsanimate.php.
236 | CVE-2019-17385 | CWE-79, XSS | published 2019-10-09, updated 2019-10-09 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
The animate-it plugin before 2.3.5 for WordPress has XSS.
237 | CVE-2019-17384 | CWE-79, XSS | published 2019-10-09, updated 2019-10-09 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
The animate-it plugin before 2.3.4 for WordPress has XSS.
238 | CVE-2019-17383 | CWE-276 | published 2019-10-09, updated 2019-10-15 | CVSS v2 7.5: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/Partial/Partial
The netaddr gem before 2.0.4 for Ruby has misconfigured file permissions, such that a gem install may result in 0777 permissions in the target filesystem.
239 | CVE-2019-17382 | CWE-639, Bypass | published 2019-10-09, updated 2020-08-24 | CVSS v2 6.4: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/Partial/None
An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
240 | CVE-2019-17380 | CWE-79, XSS | published 2019-10-09, updated 2019-10-09 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528).
241 | CVE-2019-17379 | CWE-79, XSS | published 2019-10-09, updated 2019-10-09 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527).
242 | CVE-2019-17378 | CWE-79, XSS | published 2019-10-09, updated 2019-10-09 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526).
243 | CVE-2019-17377 | CWE-79, XSS | published 2019-10-09, updated 2019-10-09 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524).
244 | CVE-2019-17376 | CWE-79, XSS | published 2019-10-09, updated 2019-10-09 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521).
245 | CVE-2019-17375 | CWE-613 | published 2019-10-09, updated 2019-10-11 | CVSS v2 6.5: gained access None; vector Remote; complexity Low; auth ???; C/I/A Partial/Partial/Partial
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
246 | CVE-2019-17373 | CWE n/a | published 2019-10-09, updated 2020-08-24 | CVSS v2 7.5: gained access None; vector Remote; complexity Low; auth Not required; C/I/A Partial/Partial/Partial
Certain NETGEAR devices allow unauthenticated access to critical .cgi and .htm pages via a substring ending with .jpg, such as by appending ?x=1.jpg to a URL. This affects MBR1515, MBR1516, DGN2200, DGN2200M, DGND3700, WNR2000v2, WNDR3300, WNDR3400, WNR3500, and WNR834Bv2.
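The NETGEAR bypass above is a recurring mistake in embedded web servers: the login check decides whether a request is for a public static asset by searching for an image extension anywhere in the raw request-target, so `?x=1.jpg` in the query string makes a protected .cgi page look like a picture. The following added example (not NETGEAR firmware code) contrasts that pattern with a check that classifies the request by the parsed, decoded and normalised path only, and requires the extension to end the final path segment. `isPublicAssetNaive`, `isPublicAssetFixed`, `requiresAuth` and the sample request-targets are assumptions for illustration.

```javascript
'use strict';

// Added example (not vendor code): the "is this a public static asset?"
// decision a small embedded HTTP server makes before enforcing login.

const PUBLIC_EXTENSIONS = ['.jpg', '.png', '.gif', '.css', '.js'];

// Vulnerable pattern: substring search over the raw request-target, so any
// ".jpg" in the query string (or in an earlier path segment) passes.
function isPublicAssetNaive(rawTarget) {
  const lower = rawTarget.toLowerCase();
  return PUBLIC_EXTENSIONS.some(ext => lower.includes(ext));
}

// Fixed pattern: look only at the decoded, normalised path; the auth decision
// must be made on the same canonical name the dispatcher will use.
function isPublicAssetFixed(rawTarget) {
  let url;
  try {
    url = new URL(rawTarget, 'http://router.invalid/'); // base is only for parsing
  } catch (e) {
    return false; // an unparsable request-target is never treated as public
  }
  let path;
  try {
    path = decodeURIComponent(url.pathname); // query string is not consulted
  } catch (e) {
    return false; // malformed percent-encoding
  }
  // Collapse "." and ".." again after decoding, so "%2e%2e" cannot re-introduce
  // traversal that the URL parser only resolved in its encoded form.
  const segments = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg);
  }
  const last = segments.length ? segments[segments.length - 1] : '';
  // A real asset name is plain; a decoded "setup.cgi?x=1.jpg" is not.
  if (!/^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(last)) return false;
  const lower = last.toLowerCase();
  return PUBLIC_EXTENSIONS.some(ext => lower.endsWith(ext));
}

// A request needs a session unless the chosen check says it is a public asset.
function requiresAuth(rawTarget, check) {
  return !check(rawTarget);
}

// Constructed request-targets (not taken from any device).
const samples = [
  '/images/logo.jpg',        // genuinely public
  '/setup.cgi?x=1.jpg',      // the advisory's trick
  '/setup.cgi?next=/a.jpg',  // same trick, different parameter
  '/x.jpg/../setup.cgi',     // extension in an earlier segment
  '/setup.cgi%3Fx=1.jpg',    // encoded "?" smuggled into the path
];
for (const s of samples) {
  console.log(s, 'naive needs auth:', requiresAuth(s, isPublicAssetNaive),
              'fixed needs auth:', requiresAuth(s, isPublicAssetFixed));
}
```

The design point is that the authorization decision and the handler dispatch must both operate on one canonical path; once they look at different strings, an attacker only has to find an input that the two interpret differently.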
247 | CVE-2019-17372 | CWE-287 | published 2019-10-09, updated 2019-10-18 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A Partial/None/None
Certain NETGEAR devices allow remote attackers to disable all authentication requirements by visiting genieDisableLanChanged.cgi. The attacker can then, for example, visit MNU_accessPassword_recovered.html to obtain a valid new admin password. This affects AC1450, D8500, DC112A, JNDR3000, LG2200D, R4500, R6200, R6200V2, R6250, R6300, R6300v2, R6400, R6700, R6900P, R6900, R7000P, R7000, R7100LG, R7300, R7900, R8000, R8300, R8500, WGR614v10, WN2500RPv2, WNDR3400v2, WNDR3700v3, WNDR4000, WNDR4500, WNDR4500v2, WNR1000, WNR1000v3, WNR3500L, and WNR3500L.
248 | CVE-2019-17371 | CWE-772 | published 2019-10-09, updated 2021-07-21 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/None/Partial
gif2png 2.5.13 has a memory leak in the writefile function.
249 | CVE-2019-17370 | CWE-20, Exec Code | published 2019-10-09, updated 2021-07-21 | CVSS v2 6.5: gained access None; vector Remote; complexity Low; auth ???; C/I/A Partial/Partial/Partial
OTCMS v3.85 allows arbitrary PHP Code Execution because admin/sysCheckFile_deal.php blocks "into outfile" in a SELECT statement, but does not block the "into/**/outfile" manipulation. Therefore, the attacker can create a .php file.
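The OTCMS `into outfile` filter above and the zzzphp `danger_key` bypass via strtr (CVE-2019-17408, earlier on this page) are the same failure: a denylist string match on attacker-controlled code, which the attacker rewrites into an equivalent form the match does not recognise. The following added example (not OTCMS or zzzphp code) reproduces the OTCMS case in JavaScript: the naive literal check that `into/**/outfile` slips past, beside a check that first drops SQL comments and string-literal contents and folds whitespace, then matches `INTO OUTFILE` and `INTO DUMPFILE` as tokens. Function names and sample statements are assumptions. Normalising before matching closes this particular hole, but a denylist remains the wrong control: the fix that removes the risk is not executing user-supplied SELECT text at all under a database account that holds the FILE privilege.

```javascript
'use strict';

// Added example (not OTCMS/zzzphp code): why a literal denylist on SQL text
// fails, and what normalisation it takes to catch comment splicing.

// Naive: refuse the exact substring the application looks for.
function naiveBlocksOutfile(sql) {
  return sql.toLowerCase().includes('into outfile');
}

// Normalise for matching: blank out string-literal contents (so quoted text
// neither hides nor fakes keywords), replace /* */ and line comments with a
// space (MySQL treats an empty block comment as a token separator, which is
// exactly why "into/**/outfile" still parses as INTO OUTFILE), then fold
// whitespace runs.
function normaliseSql(sql) {
  let out = '';
  let i = 0;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "'" || c === '"' || c === '`') {
      let j = i + 1;
      while (j < sql.length && sql[j] !== c) {
        if (sql[j] === '\\') j += 1; // skip the escaped character
        j += 1;
      }
      out += c + c; // keep an empty literal so token boundaries survive
      i = j + 1;
      continue;
    }
    if (c === '/' && sql[i + 1] === '*') {
      const end = sql.indexOf('*/', i + 2);
      out += ' ';
      i = end < 0 ? sql.length : end + 2;
      continue;
    }
    if (c === '#' || (c === '-' && sql[i + 1] === '-')) {
      const end = sql.indexOf('\n', i);
      out += ' ';
      i = end < 0 ? sql.length : end + 1;
      continue;
    }
    out += c;
    i += 1;
  }
  return out.replace(/\s+/g, ' ').trim();
}

// Hardened: token match on the normalised text, covering DUMPFILE as well.
function hardenedBlocksOutfile(sql) {
  return /\binto\s+(outfile|dumpfile)\b/i.test(normaliseSql(sql));
}

// Constructed statements (not from the advisory). The second is the bypass
// the advisory describes; the third varies the whitespace; the fourth shows
// the naive check also misfires on a harmless string literal.
const probes = [
  "SELECT '<?php system($_GET[c]); ?>' INTO OUTFILE '/var/www/x.php'",
  "SELECT '<?php system($_GET[c]); ?>' into/**/outfile '/var/www/x.php'",
  "SELECT 1 INTO\n\tDUMPFILE '/var/www/y.php'",
  "SELECT 'into outfile' AS label FROM t",
];
for (const p of probes) {
  console.log(JSON.stringify(p), 'naive:', naiveBlocksOutfile(p),
              'hardened:', hardenedBlocksOutfile(p));
}
```

Even the hardened version only covers the spellings the normaliser understands; the strtr trick in zzzphp assembles the dangerous token at runtime from harmless pieces, which no textual check on the input can see. That is the general argument for removing the capability rather than filtering for its name.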
250 | CVE-2019-17369 | CWE-352, CSRF | published 2019-10-09, updated 2019-10-16 | CVSS v2 4.3: gained access None; vector Remote; complexity Medium; auth Not required; C/I/A None/Partial/None
OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel page, leading to creation of a new management group account, as demonstrated by superadmin.
Total number of vulnerabilities: 1567 (this is page 5 of 32)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.