CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
251 CVE-2019-7737 352 CSRF 2019-02-11 2019-02-12
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF vulnerability was found in Verydows v2.0 that can add an admin account via index.php?m=backend&c=admin&a=add&step=submit.
252 CVE-2019-7736 425 Bypass 2019-02-11 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
D-Link DIR-600M C1 3.04 devices allow authentication bypass via a direct request to the wan.htm page. NOTE: this may overlap CVE-2019-13101.
253 CVE-2019-7733 190 Overflow 2019-02-11 2020-05-15
5.0
None Remote Low Not required None None Partial
In Live555 0.95, there is a buffer overflow via a large integer in a Content-Length HTTP header because handleRequestBytes has an unrestricted memmove.
254 CVE-2019-7732 401 2019-02-11 2020-08-24
5.0
None Remote Low Not required None None Partial
In Live555 0.95, a setup packet can cause a memory leak leading to DoS because, when there are multiple instances of a single field (username, realm, nonce, uri, or response), only the last instance can ever be freed.
255 CVE-2019-7731 94 Exec Code 2019-02-11 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
MyWebSQL 3.7 has a remote code execution (RCE) vulnerability after an attacker writes shell code into the database, and executes the Backup Database function with a .php filename for the backup's archive file.
256 CVE-2019-7730 352 CSRF 2019-02-11 2019-02-12
4.9
None Remote Medium ??? None Partial Partial
MyWebSQL 3.7 has a Cross-site request forgery (CSRF) vulnerability for deleting a database via the /?q=wrkfrm&type=databases URI.
257 CVE-2019-7729 732 2019-02-22 2020-08-24
2.1
None Local Low Not required Partial None None
An issue was discovered in the Bosch Smart Camera App before 1.3.1 for Android. Due to setting of insecure permissions, a malicious app could potentially succeed in retrieving video clips or still images that have been cached for clip sharing. (The Bosch Smart Home App is not affected. iOS Apps are not affected.)
258 CVE-2019-7728 295 2019-02-22 2019-02-22
5.1
None Remote High Not required Partial Partial Partial
An issue was discovered in the Bosch Smart Camera App before 1.3.1 for Android. Due to improperly implemented TLS certificate checks, a malicious actor could potentially succeed in executing a man-in-the-middle attack for some connections. (The Bosch Smart Home App is not affected. iOS Apps are not affected.)
259 CVE-2019-7722 611 DoS 2019-02-11 2019-02-21
6.8
None Remote Medium Not required Partial Partial Partial
PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)
260 CVE-2019-7721 434 2019-02-11 2019-02-11
5.0
None Remote Low Not required None Partial None
lib/NCCms.class.php in nc-cms 3.5 allows upload of .php files via the index.php?action=save name and editordata parameters.
261 CVE-2019-7720 94 2019-02-11 2019-02-13
7.5
None Remote Low Not required Partial Partial Partial
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request.
262 CVE-2019-7719 94 2019-02-11 2019-02-11
7.5
None Remote Low Not required Partial Partial Partial
Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request.
263 CVE-2019-7718 362 Exec Code 2019-02-11 2019-02-11
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=<?php and admin/databack/bakup_tables.php?2=file_put_contents URIs because app/system/databack/admin/index.class.php creates bakup_tables.php temporarily.
264 CVE-2019-7704 770 2019-02-10 2020-08-24
4.3
None Remote Medium Not required None None Partial
wasm::WasmBinaryBuilder::readUserSection in wasm-binary.cpp in Binaryen 1.38.22 triggers an attempt at excessive memory allocation, as demonstrated by wasm-merge and wasm-opt.
265 CVE-2019-7703 416 2019-02-10 2020-06-08
4.3
None Remote Medium Not required None None Partial
In Binaryen 1.38.22, there is a use-after-free problem in wasm::WasmBinaryBuilder::visitCall in wasm-binary.cpp. Remote attackers could leverage this vulnerability to cause a denial-of-service via a wasm file, as demonstrated by wasm-merge.
266 CVE-2019-7702 476 2019-02-10 2020-06-08
4.3
None Remote Medium Not required None None Partial
A NULL pointer dereference was discovered in wasm::SExpressionWasmBuilder::parseExpression in wasm-s-parser.cpp in Binaryen 1.38.22. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-as.
267 CVE-2019-7701 125 2019-02-10 2020-06-08
4.3
None Remote Medium Not required None None Partial
A heap-based buffer over-read was discovered in wasm::SExpressionParser::skipWhitespace() in wasm-s-parser.cpp in Binaryen 1.38.22. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm2js.
268 CVE-2019-7700 125 2019-02-10 2020-06-08
4.3
None Remote Medium Not required None None Partial
A heap-based buffer over-read was discovered in wasm::WasmBinaryBuilder::visitCall in wasm-binary.cpp in Binaryen 1.38.22. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-merge.
269 CVE-2019-7699 125 DoS 2019-02-10 2020-08-24
4.3
None Remote Medium Not required None None Partial
A heap-based buffer over-read occurs in AP4_BitStream::WriteBytes in Codecs/Ap4BitStream.cpp in Bento4 v1.5.1-627. Remote attackers could leverage this vulnerability to cause an exception via crafted mp4 input, which leads to a denial of service.
270 CVE-2019-7698 770 2019-02-10 2020-08-24
4.3
None Remote Medium Not required None None Partial
An issue was discovered in AP4_Array<AP4_CttsTableEntry>::EnsureCapacity in Core/Ap4Array.h in Bento4 1.5.1-627. Crafted MP4 input triggers an attempt at excessive memory allocation, as demonstrated by mp42hls, a related issue to CVE-2018-20095.
271 CVE-2019-7697 617 DoS 2019-02-10 2020-08-24
4.3
None Remote Medium Not required None None Partial
An issue was discovered in Bento4 v1.5.1-627. There is an assertion failure in AP4_AtomListWriter::Action in Core/Ap4Atom.cpp, leading to a denial of service (program crash), as demonstrated by mp42hls.
272 CVE-2019-7693 79 XSS 2019-02-10 2019-02-12
4.3
None Remote Medium Not required None Partial None
Axios Italia Axios RE 1.7.0/7.0.0 devices have XSS via the RELogOff.aspx Error_Parameters parameter. In some situations, the XSS would be on the family.axioscloud.it cloud service; however, the vendor also supports "Sissi in Rete (con server)" for offline operation.
273 CVE-2019-7692 94 Exec Code 2019-02-10 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
install/install.php in CIM 0.9.3 allows remote attackers to execute arbitrary PHP code via a crafted prefix value because of configuration file mishandling in the N=83 case, as demonstrated by a call to the PHP fputs function that creates a .php file in the public folder.
274 CVE-2019-7684 434 2019-02-09 2019-02-22
10.0
None Remote Low Not required Complete Complete Complete
inxedu through 2018-12-24 has a vulnerability that can lead to the upload of a malicious JSP file. The vulnerable code location is com.inxedu.os.common.controller.VideoUploadController#gok4 (com/inxedu/os/common/controller/VideoUploadController.java). The attacker uses the /video/uploadvideo fileType parameter to change the list of acceptable extensions from jpg,gif,png,jpeg to jpg,gif,png,jsp,jpeg.
275 CVE-2019-7678 22 Dir. Trav. 2019-02-09 2019-02-12
7.5
None Remote Low Not required Partial Partial Partial
A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888.
276 CVE-2019-7677 79 XSS 2019-02-09 2019-02-11
4.3
None Remote Medium Not required None Partial None
XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888.
277 CVE-2019-7676 521 2019-02-09 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account.
278 CVE-2019-7675 319 2019-02-09 2020-08-24
5.0
None Remote Low Not required Partial None None
An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. The default management application is delivered over cleartext HTTP with Basic Authentication, as demonstrated by the /admin/index.html URI.
279 CVE-2019-7674 521 2019-02-09 2020-08-24
5.0
None Remote Low Not required None Partial None
An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. /admin/access accepts a request to set the "aaaaa" password, considered insecure for some use cases, from a user.
280 CVE-2019-7673 200 +Info 2019-02-09 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. Administrator Credentials are stored in the 13-character DES hash format.
281 CVE-2019-7665 125 DoS 2019-02-09 2021-11-30
4.3
None Remote Medium Not required None None Partial
In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.
282 CVE-2019-7664 787 DoS Overflow 2019-02-09 2020-08-24
4.3
None Remote Medium Not required None None Partial
In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).
283 CVE-2019-7663 2019-02-09 2020-08-24
4.3
None Remote Medium Not required None None Partial
An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900.
284 CVE-2019-7662 617 DoS 2019-02-09 2020-06-08
7.1
None Remote Medium Not required None None Complete
An assertion failure was discovered in wasm::WasmBinaryBuilder::getType() in wasm-binary.cpp in Binaryen 1.38.22. This allows remote attackers to cause a denial of service (failed assertion and crash) via a crafted wasm file.
285 CVE-2019-7659 787 DoS 2019-02-09 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a denial of service (application abort) or possibly have unspecified other impact if a server application is built with the -DWITH_COOKIES flag. This affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ libraries, as these are built with that flag.
286 CVE-2019-7653 427 2019-02-09 2021-12-28
7.5
None Remote Low Not required Partial Partial Partial
The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CLI tools that can load Python modules from the current working directory, allowing code injection, because "python -m" looks in this directory, as demonstrated by rdf2dot. This issue is specific to use of the debian/scripts directory.
287 CVE-2019-7651 Bypass 2019-02-08 2020-08-24
5.0
None Remote Low Not required None Partial None
EPP.sys in Emsisoft Anti-Malware prior to version 2018.12 allows an attacker to bypass ACLs because Interpreted Device Characteristics lacks FILE_DEVICE_SECURE_OPEN and therefore files and directories "inside" the \\.\EPP device are not properly protected, leading to unintended impersonation or object creation. This vulnerability has been fixed in version 2018.12 and later.
288 CVE-2019-7649 326 2019-02-17 2021-07-21
5.0
None Remote Low Not required Partial None None
global.encryptPassword in bootstrap/global.js in CMSWing 1.3.7 relies on multiple MD5 operations for password hashing.
289 CVE-2019-7648 326 2019-02-08 2020-08-24
5.0
None Remote Low Not required Partial None None
controller/fetchpwd.php and controller/doAction.php in Hotels_Server through 2018-11-05 rely on base64 in an attempt to protect password storage.
290 CVE-2019-7639 863 2019-02-08 2020-08-24
4.3
None Remote Medium Not required Partial None None
An issue was discovered in gsi-openssh-server 7.9p1 on Fedora 29. If PermitPAMUserChange is set to yes in the /etc/gsissh/sshd_config file, logins succeed with a valid username and an incorrect password, even though a failure entry is recorded in the /var/log/messages file.
291 CVE-2019-7638 125 2019-02-08 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Map1toN in video/SDL_pixels.c.
292 CVE-2019-7637 787 Overflow 2019-02-08 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c.
293 CVE-2019-7636 125 2019-02-08 2021-11-30
5.8
None Remote Medium Not required Partial None Partial
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c.
294 CVE-2019-7635 125 2019-02-08 2021-11-30
5.8
None Remote Medium Not required Partial None Partial
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c.
295 CVE-2019-7632 78 2019-02-08 2019-02-08
9.0
None Remote Low ??? Complete Complete Complete
LifeSize Team, Room, Passport, and Networker 220 devices allow Authenticated Remote OS Command Injection, as demonstrated by shell metacharacters in the support/mtusize.php mtu_size parameter. The lifesize default password for the cli account may sometimes be used for authentication.
296 CVE-2019-7629 787 Exec Code Overflow 2019-02-18 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.
297 CVE-2019-7628 200 +Info 2019-02-08 2019-02-21
4.3
None Remote Medium Not required Partial None None
Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)
298 CVE-2019-7587 89 Sql 2019-02-07 2019-02-08
7.5
None Remote Low Not required Partial Partial Partial
Bo-blog Wind through 1.6.0-r allows SQL Injection via the admin.php/comments/batchdel/ comID parameter because this parameter is mishandled in the mode/admin.mode.php delBlockedBatch function.
299 CVE-2019-7585 89 Sql 2019-02-07 2019-02-08
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Waimai Super Cms 20150505. web/Lib/Action/PublicAction.class.php allows time-based SQL Injection via the param array parameter to the /index.php?m=public&a=checkemail URI.
300 CVE-2019-7582 770 2019-02-07 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
The readBytes function in util/read.c in libming through 0.4.8 allows remote attackers to have unspecified impact via a crafted swf file that triggers a memory allocation failure.
Total number of vulnerabilities : 839   Page : 1 2 3 4 5 6 (This Page)7 8 9 10 11 12 13 14 15 16 17
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.