CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
251 CVE-2019-17368 79 XSS 2019-10-09 2019-10-09
4.3
None Remote Medium Not required None Partial None
S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from parameter.
252 CVE-2019-17367 352 CSRF 2019-10-18 2019-10-22
6.8
None Remote Medium Not required Partial Partial Partial
OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/.
253 CVE-2019-17366 2019-10-09 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
Citrix Application Delivery Management (ADM) 12.1 before build 54.13 has Incorrect Access Control.
254 CVE-2019-17365 276 2019-10-09 2019-10-23
4.6
None Local Low Not required Partial Partial Partial
Nix through 2.3 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable.
255 CVE-2019-17362 125 DoS 2019-10-09 2019-11-09
6.4
None Remote Low Not required Partial None Partial
In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.
256 CVE-2019-17359 770 2019-10-08 2021-01-20
5.0
None Remote Low Not required None None Partial
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
257 CVE-2019-17356 326 2019-10-15 2021-07-21
3.3
None Local Network Low Not required Partial None None
The Infinite Design application 3.4.12 for Android sends a username and password via TCP without any encryption during login, as demonstrated by sniffing of a public Wi-Fi network.
258 CVE-2019-17355 532 2019-10-15 2019-10-18
5.0
None Remote Low Not required Partial None None
In the Orbitz application 19.31.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
259 CVE-2019-17354 306 2019-10-09 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
wan.htm page on Zyxel NBG-418N v2 with firmware version V1.00(AARP.9)C0 can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify data fields of the page.
260 CVE-2019-17353 306 2019-10-09 2021-04-23
6.4
None Remote Low Not required Partial Partial None
An issue discovered on D-Link DIR-615 devices with firmware version 20.05 and 20.07. wan.htm can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify the data fields of the page.
261 CVE-2019-17352 434 Bypass 2019-10-08 2019-10-15
5.0
None Remote Low Not required None Partial None
In JFinal cos before 2019-08-13, as used in JFinal 4.4, there is a vulnerability that can bypass the isSafeFile() function: one can upload any type of file. For example, a .jsp file may be stored and almost immediately deleted, but this deletion step does not occur for certain exceptions.
262 CVE-2019-17351 770 DoS 2019-10-08 2020-08-24
4.9
None Local Low Not required None None Complete
An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7.
263 CVE-2019-17350 835 DoS 2019-10-08 2019-10-26
4.9
None Local Low Not required None None Complete
An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a compare-and-exchange operation.
264 CVE-2019-17349 835 DoS 2019-10-08 2019-10-26
4.9
None Local Low Not required None None Complete
An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a LoadExcl or StoreExcl operation.
265 CVE-2019-17348 20 DoS 2019-10-08 2019-10-25
4.9
None Local Low Not required None None Complete
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service because of an incompatibility between Process Context Identifiers (PCID) and shadow-pagetable switching.
266 CVE-2019-17347 20 DoS +Priv 2019-10-08 2019-10-25
4.6
None Local Low Not required Partial Partial Partial
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels).
267 CVE-2019-17346 20 DoS +Priv 2019-10-08 2019-10-25
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because of an incompatibility between Process Context Identifiers (PCID) and TLB flushes.
268 CVE-2019-17345 20 DoS 2019-10-08 2021-07-21
4.9
None Local Low Not required None None Complete
An issue was discovered in Xen 4.8.x through 4.11.x allowing x86 PV guest OS users to cause a denial of service because mishandling of failed IOMMU operations causes a bug check during the cleanup of a crashed guest.
269 CVE-2019-17344 20 DoS 2019-10-08 2021-07-21
4.9
None Local Low Not required None None Complete
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service by leveraging a long-running operation that exists to support restartability of PTE updates.
270 CVE-2019-17343 20 DoS +Priv 2019-10-08 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging incorrect use of the HVM physmap concept for PV domains.
271 CVE-2019-17342 362 DoS +Priv 2019-10-08 2019-10-25
4.4
None Local Medium Not required Partial Partial Partial
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a race condition that arose when XENMEM_exchange was introduced.
272 CVE-2019-17341 362 DoS +Priv 2019-10-08 2019-10-25
6.9
None Local Medium Not required Complete Complete Complete
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a page-writability race condition during addition of a passed-through PCI device.
273 CVE-2019-17340 20 DoS +Priv 2019-10-08 2021-07-21
6.1
None Local Low Not required Partial Partial Complete
An issue was discovered in Xen through 4.11.x allowing x86 guest OS users to cause a denial of service or gain privileges because grant-table transfer requests are mishandled.
274 CVE-2019-17326 2019-10-30 2021-11-03
4.3
None Remote Medium Not required None Partial None
ClipSoft REXPERT 1.0.0.527 and earlier version allows remote attacker to arbitrary file deletion by issuing a HTTP GET request with a specially crafted parameter. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.
275 CVE-2019-17325 434 2019-10-30 2019-11-01
4.3
None Remote Medium Not required Partial None None
ClipSoft REXPERT 1.0.0.527 and earlier version allows remote attacker to upload arbitrary local file via the ActiveX method in RexViewerCtrl30.ocx. That could lead to disclosure of sensitive information. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.
276 CVE-2019-17324 22 Dir. Trav. 2019-10-30 2019-11-01
4.3
None Remote Medium Not required None Partial None
ClipSoft REXPERT 1.0.0.527 and earlier version allows directory traversal by issuing a special HTTP POST request with ../ characters. This could lead to create malicious HTML file, because they can inject a content with crafted template. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.
277 CVE-2019-17323 91 2019-10-30 2019-11-01
6.8
None Remote Medium Not required Partial Partial Partial
ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file creation and execution via report print function of rexpert viewer with modified XML document. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.
278 CVE-2019-17322 22 Dir. Trav. 2019-10-30 2021-11-03
4.3
None Remote Medium Not required None Partial None
ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file creation via a POST request with the parameter set to the file path to be written. This can be an executable file that is written to in the arbitrary directory. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.
279 CVE-2019-17321 200 +Info 2019-10-30 2019-11-01
5.0
None Remote Low Not required Partial None None
ClipSoft REXPERT 1.0.0.527 and earlier version have an information disclosure issue. When requesting web page associated with session, could leak username via session file path of HTTP response data. No authentication is required.
280 CVE-2019-17320 120 Exec Code Overflow 2019-10-10 2019-10-16
7.5
None Remote Low Not required Partial Partial Partial
NetSarang XFTP Client 6.0149 and earlier version contains a buffer overflow vulnerability caused by improper boundary checks when copying file name from an attacker controlled FTP server. That leads attacker to execute arbitrary code by sending a crafted filename.
281 CVE-2019-17319 89 Sql 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user.
282 CVE-2019-17318 89 Sql 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user.
283 CVE-2019-17317 915 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user.
284 CVE-2019-17316 915 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.
285 CVE-2019-17315 915 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.
286 CVE-2019-17314 22 Dir. Trav. 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user.
287 CVE-2019-17313 22 Dir. Trav. 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user.
288 CVE-2019-17312 22 Dir. Trav. 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user.
289 CVE-2019-17311 22 Dir. Trav. 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user.
290 CVE-2019-17310 94 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user.
291 CVE-2019-17309 94 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user.
292 CVE-2019-17308 94 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user.
293 CVE-2019-17307 94 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user.
294 CVE-2019-17306 94 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user.
295 CVE-2019-17305 94 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user.
296 CVE-2019-17304 94 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user.
297 CVE-2019-17303 94 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user.
298 CVE-2019-17302 94 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user.
299 CVE-2019-17301 94 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user.
300 CVE-2019-17300 94 2019-10-07 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user.
Total number of vulnerabilities : 1567   Page : 1 2 3 4 5 6 (This Page)7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.