CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In August 2019

Each entry below lists, in order: row number, CVE ID, CWE ID, vulnerability type(s), publish date, update date, CVSS score, then the vector fields (gained access level, access, complexity, authentication, confidentiality, integrity, availability impact), followed by the description. A "-" marks a column the page leaves empty; the "# of Exploits" column is empty for every entry on this page.
251 CVE-2019-15120 | CWE 79 | XSS | Published 2019-08-16 | Updated 2019-09-26 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
    The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode.

252 CVE-2019-15119 | CWE 732 | - | Published 2019-08-16 | Updated 2020-08-24 | Score 5.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: Partial
    lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user.

253 CVE-2019-15118 | CWE 674 | - | Published 2019-08-16 | Updated 2020-08-24 | Score 4.9
    Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf: None | Integ: None | Avail: Complete
    check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.

254 CVE-2019-15117 | CWE 119 | Overflow | Published 2019-08-16 | Updated 2019-09-06 | Score 4.6
    Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access.

255 CVE-2019-15116 | CWE 79 | XSS | Published 2019-08-16 | Updated 2021-11-02 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
    The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging.

256 CVE-2019-15115 | CWE 352 | CSRF | Published 2019-08-16 | Updated 2021-12-06 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF.

257 CVE-2019-15114 | CWE 352 | CSRF | Published 2019-08-16 | Updated 2019-08-21 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.

258 CVE-2019-15113 | CWE 352 | CSRF | Published 2019-08-16 | Updated 2019-08-21 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF.

259 CVE-2019-15112 | CWE 79 | XSS | Published 2019-08-21 | Updated 2019-08-23 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
    The wp-slimstat plugin before 4.8.1 for WordPress has XSS.

260 CVE-2019-15111 | CWE - | - | Published 2019-08-21 | Updated 2020-08-24 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    The wp-front-end-profile plugin before 0.2.2 for WordPress has a privilege escalation issue.

261 CVE-2019-15110 | CWE 79 | XSS | Published 2019-08-21 | Updated 2019-08-21 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
    The wp-front-end-profile plugin before 0.2.2 for WordPress has XSS.

262 CVE-2019-15109 | CWE 79 | XSS | Published 2019-08-21 | Updated 2019-09-04 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
    The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter.

263 CVE-2019-15108 | CWE 79 | XSS | Published 2019-08-16 | Updated 2019-10-09 | Score 3.5
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
    An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component.

264 CVE-2019-15107 | CWE 78 | - | Published 2019-08-16 | Updated 2020-08-24 | Score 10.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Complete | Integ: Complete | Avail: Complete
    An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

265 CVE-2019-15106 | CWE 306 | Exec Code Bypass | Published 2019-08-16 | Updated 2020-08-24 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The string username + '@opm' is used for the password. For example, if the username is admin, the password is admin@opm.

266 CVE-2019-15105 | CWE 89 | Sql | Published 2019-08-16 | Updated 2019-08-26 | Score 9.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Complete | Integ: Complete | Avail: Complete
    An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.

267 CVE-2019-15104 | CWE 89 | Sql | Published 2019-08-16 | Updated 2019-08-26 | Score 9.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Complete | Integ: Complete | Avail: Complete
    An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.

268 CVE-2019-15099 | CWE 476 | - | Published 2019-08-16 | Updated 2019-09-06 | Score 7.8
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: None | Integ: None | Avail: Complete
    drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.

269 CVE-2019-15098 | CWE 476 | - | Published 2019-08-16 | Updated 2019-11-25 | Score 4.9
    Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf: None | Integ: None | Avail: Complete
    drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.

270 CVE-2019-15095 | CWE 79 | XSS | Published 2019-08-16 | Updated 2019-08-26 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
    DWSurvey through 2019-07-22 has reflected XSS via the design/qu-multi-fillblank!answers.action surveyId parameter.

271 CVE-2019-15092 | CWE 1236 | - | Published 2019-08-23 | Updated 2020-08-24 | Score 6.0
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: Partial
    The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.

272 CVE-2019-15091 | CWE 434 | - | Published 2019-08-16 | Updated 2019-08-27 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    filemgr.php in Artica Integria IMS 5.0.86 allows arbitrary file upload via index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload.

273 CVE-2019-15090 | CWE 125 | - | Published 2019-08-16 | Updated 2020-05-05 | Score 4.6
    Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read.

274 CVE-2019-15084 | CWE 732 | - | Published 2019-08-16 | Updated 2020-08-24 | Score 7.2
    Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf: Complete | Integ: Complete | Avail: Complete
    Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, installs with incorrect file permissions. As a result, a local attacker can escalate to SYSTEM.

275 CVE-2019-15082 | CWE 79 | XSS | Published 2019-08-20 | Updated 2019-08-21 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
    The 360-product-rotation plugin before 1.4.8 for WordPress has reflected XSS.

276 CVE-2019-15081 | CWE 79 | XSS | Published 2019-08-15 | Updated 2019-09-02 | Score 3.5
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
    OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.

277 CVE-2019-15074 | CWE 79 | Exec Code XSS | Published 2019-08-21 | Updated 2019-09-04 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    The Timeline feature in my_view_page.php in MantisBT through 2.21.1 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed.

278 CVE-2019-15062 | CWE 352 | Bypass CSRF | Published 2019-08-14 | Updated 2019-08-28 | Score 6.0
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: Partial
    An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

279 CVE-2019-15060 | CWE 78 | Exec Code | Published 2019-08-22 | Updated 2020-08-24 | Score 6.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: Partial
    The traceroute function on the TP-Link TL-WR840N v4 router with firmware through 0.9.1 3.16 is vulnerable to remote code execution via a crafted payload in an IP address input field.

280 CVE-2019-15058 | CWE 125 | DoS | Published 2019-08-14 | Updated 2020-08-24 | Score 6.4
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: Partial
    stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer over-read in stbi__tga_load, leading to Information Disclosure or Denial of Service.

281 CVE-2019-15055 | CWE 22 | Dir. Trav. | Published 2019-08-26 | Updated 2020-10-06 | Score 5.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: Partial
    MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files. Attackers can exploit this vulnerability to reset credential storage, which allows them access to the management interface as an administrator without authentication.

282 CVE-2019-15053 | CWE 79 | XSS Bypass | Published 2019-08-14 | Updated 2019-08-21 | Score 6.0
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: Partial
    The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element.

283 CVE-2019-15052 | CWE 522 | - | Published 2019-08-14 | Updated 2020-08-24 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
    The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.

284 CVE-2019-15050 | CWE 125 | - | Published 2019-08-14 | Updated 2019-08-19 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffer over-read in the AP4_AvccAtom class at Core/Ap4AvccAtom.cpp.

285 CVE-2019-15049 | CWE 125 | - | Published 2019-08-14 | Updated 2019-08-16 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffer over-read in the AP4_Dec3Atom class at Core/Ap4Dec3Atom.cpp.

286 CVE-2019-15048 | CWE 787 | Overflow | Published 2019-08-14 | Updated 2020-08-24 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffer overflow in the AP4_RtpAtom class at Core/Ap4RtpAtom.cpp.

287 CVE-2019-15047 | CWE 125 | - | Published 2019-08-14 | Updated 2019-08-16 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffer over-read in the function AP4_BitReader::SkipBits at Core/Ap4Utils.cpp.

288 CVE-2019-15046 | CWE 200 | +Info | Published 2019-08-14 | Updated 2021-07-21 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
    Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.

289 CVE-2019-15045 | CWE 200 | +Info | Published 2019-08-21 | Updated 2019-08-30 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
    ** DISPUTED ** AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality.

290 CVE-2019-15028 | CWE - | - | Published 2019-08-14 | Updated 2020-08-24 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
    In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms.

291 CVE-2019-15027 | CWE 78 | Exec Code | Published 2019-08-14 | Updated 2020-08-24 | Score 10.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Complete | Integ: Complete | Avail: Complete
    The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows attackers to execute arbitrary commands as root via shell metacharacters in a filename under /data, because clear_emmc_nomedia_entry in platform/mt6577/external/meta/emmc/meta_clr_emmc.c invokes 'system("/system/bin/rm -r /data/' followed by this filename upon an eMMC clearance from a Meta Mode boot. NOTE: compromise of Fire OS on the Amazon Echo Dot would require a second hypothetical vulnerability that allows creation of the required file under /data.

292 CVE-2019-15026 | CWE 125 | - | Published 2019-08-30 | Updated 2020-05-26 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
    memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.

293 CVE-2019-15025 | CWE 89 | Sql | Published 2019-08-14 | Updated 2019-08-20 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page.

294 CVE-2019-14999 | CWE 352 | CSRF | Published 2019-08-23 | Updated 2019-08-30 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
    The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on an authenticated administrator.

295 CVE-2019-14993 | CWE 185 | DoS | Published 2019-08-13 | Updated 2019-08-16 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
    Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.

296 CVE-2019-14987 | CWE 79 | XSS | Published 2019-08-13 | Updated 2019-08-15 | Score 3.5
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
    Adive Framework through 2.0.7 is affected by XSS in the Create New Table and Create New Navigation Link functions.

297 CVE-2019-14986 | CWE - | - | Published 2019-08-13 | Updated 2020-08-24 | Score 9.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Complete | Integ: Complete | Avail: Complete
    eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn before 2.3.0 installed allow administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as "Set root password") are exposed.

298 CVE-2019-14985 | CWE 287 | Exec Code | Published 2019-08-13 | Updated 2020-08-24 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because this interface can access the CMD_EXEC virtual device type 28.

299 CVE-2019-14984 | CWE 306 | Exec Code | Published 2019-08-13 | Updated 2020-08-24 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
    eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request.

300 CVE-2019-14982 | CWE 190 | Overflow | Published 2019-08-12 | Updated 2019-08-16 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
    In Exiv2 before v0.27.2, there is an integer overflow vulnerability in the WebPImage::getHeaderOffset function in webpimage.cpp. It can lead to a buffer overflow vulnerability and a crash.
Total number of vulnerabilities: 2004 (this is page 6 of 41).

CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of the user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.