CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
301 CVE-2019-7581 770 2019-02-07 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
The parseSWF_ACTIONRECORD function in util/parser.c in libming through 0.4.8 allows remote attackers to have unspecified impact via a crafted swf file that triggers a memory allocation failure, a different vulnerability than CVE-2018-7876.
302 CVE-2019-7580 94 Exec Code 2019-02-07 2019-02-08
6.5
None Remote Low ??? Partial Partial Partial
ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code via the portal/admin_category/addpost.html alias parameter because the mishandling of a single quote character allows data/conf/route.php injection.
303 CVE-2019-7578 125 2019-02-07 2021-11-30
5.8
None Remote Medium Not required Partial None Partial
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c.
304 CVE-2019-7577 125 2019-02-07 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.
305 CVE-2019-7576 125 2019-02-07 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (outside the wNumCoef loop).
306 CVE-2019-7575 787 Overflow 2019-02-07 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c.
307 CVE-2019-7574 125 2019-02-07 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.
308 CVE-2019-7573 125 2019-02-07 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the wNumCoef loop).
309 CVE-2019-7572 125 2019-02-07 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.
310 CVE-2019-7570 352 CSRF 2019-02-07 2019-02-07
5.8
None Remote Medium Not required None Partial Partial
A CSRF vulnerability was found in PbootCMS v1.3.6 that can delete users via an admin.php/User/del/ucode/ URI.
311 CVE-2019-7569 352 CSRF 2019-02-07 2019-02-07
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in DOYO (aka doyocms) 2.3(20140425 update). There is a CSRF vulnerability that can add a super administrator account via admin.php?c=a_adminuser&a=add&run=1.
312 CVE-2019-7568 89 Sql 2019-02-07 2019-02-07
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in baijiacms V4 that can result in time-based blind SQL injection to get data via the cate parameter in an index.php?act=index request.
313 CVE-2019-7567 79 XSS 2019-02-07 2019-02-07
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Waimai Super Cms 20150505. admin.php?m=Member&a=adminaddsave has XSS via the username or password parameter.
314 CVE-2019-7566 352 CSRF 2019-02-07 2019-02-07
6.8
None Remote Medium Not required Partial Partial Partial
CSZ CMS 1.1.8 has CSRF via admin/users/new/add.
315 CVE-2019-7560 416 2019-02-07 2019-02-07
4.3
None Remote Medium Not required None None Partial
In parser/btorsmt2.c in Boolector 3.0.0, opening a specially crafted input file leads to a use after free in get_failed_assumptions or btor_delete.
316 CVE-2019-7559 787 2019-02-07 2019-02-08
4.3
None Remote Medium Not required None None Partial
In btor2parser/btor2parser.c in Boolector Btor2Tools before 2019-01-15, opening a specially crafted input file leads to an out of bounds write in pusht_bfr.
317 CVE-2019-7550 209 2019-02-12 2020-08-24
5.0
None Remote Low Not required Partial None None
In JForum 2.1.8, an unauthenticated, remote attacker can enumerate whether a user exists by using the "create user" function. If a register/check/username?username= request corresponds to a username that exists, then an "is already in use" error is produced. NOTE: this product is discontinued.
318 CVE-2019-7548 89 Sql 2019-02-06 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
319 CVE-2019-7547 79 XSS 2019-02-06 2019-02-07
3.5
None Remote Medium ??? None Partial None
An issue was discovered in SIDU 6.0. Because the database name is not strictly filtered, the attacker can insert a name containing an XSS Payload, leading to stored XSS.
320 CVE-2019-7546 79 XSS 2019-02-06 2019-02-07
4.3
None Remote Medium Not required None Partial None
An issue was discovered in SIDU 6.0. The dbs parameter of the conn.php page has a reflected Cross-site Scripting (XSS) vulnerability.
321 CVE-2019-7545 79 XSS 2019-02-06 2019-02-08
3.5
None Remote Medium ??? None Partial None
In DbNinja 3.2.7, the Add Host function of the Manage Hosts pages has a Stored Cross-site Scripting (XSS) vulnerability in the User Name field.
322 CVE-2019-7544 79 XSS 2019-02-06 2019-02-07
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MyWebSQL 3.7. The Add User function of the User Manager pages has a Stored Cross-site Scripting (XSS) vulnerability in the User Name Field.
323 CVE-2019-7543 79 XSS 2019-02-06 2019-02-07
4.3
None Remote Medium Not required None Partial None
In KindEditor 4.1.11, the php/demo.php content1 parameter has a reflected Cross-site Scripting (XSS) vulnerability.
324 CVE-2019-7535 200 +Info 2019-02-07 2019-02-08
5.0
None Remote Low Not required Partial None None
index.php in Gurock TestRail 5.3.0.3603 returns potentially sensitive information for an invalid request, as demonstrated by full path disclosure and the identification of PHP as the backend technology.
325 CVE-2019-7413 79 XSS 2019-02-05 2019-05-13
4.3
None Remote Medium Not required None Partial None
In the Parallax Scroll (aka adamrob-parallax-scroll) plugin before 2.1 for WordPress, includes/adamrob-parralax-shortcode.php allows XSS via the title text. ("parallax" has a spelling change within the PHP filename.)
326 CVE-2019-7412 20 2019-02-05 2019-04-12
7.5
None Remote Low Not required Partial Partial Partial
The PS PHPCaptcha WP plugin before v1.2.0 for WordPress mishandles sanitization of input values.
327 CVE-2019-7403 22 Dir. Trav. 2019-02-05 2020-08-24
5.5
None Remote Low ??? None Partial Partial
An issue was discovered in PHPMyWind 5.5. It allows remote attackers to delete arbitrary folders via an admin/database_backup.php?action=import&dopost=deldir&tbname=../ URI.
328 CVE-2019-7402 352 XSS CSRF 2019-02-05 2020-08-24
4.3
None Remote Medium Not required None Partial None
An issue was discovered in PHPMyWind 5.5. The GetQQ function in include/func.class.php allows XSS via the cfg_qqcode parameter. This can be exploited via CSRF.
329 CVE-2019-7401 787 DoS Overflow 2019-02-08 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
NGINX Unit before 1.7.1 might allow an attacker to cause a heap-based buffer overflow in the router process with a specially crafted request. This may result in a denial of service (router process crash) or possibly have unspecified other impact.
330 CVE-2019-7400 79 XSS 2019-02-05 2019-04-01
4.3
None Remote Medium Not required None Partial None
Rukovoditel before 2.4.1 allows XSS.
331 CVE-2019-7399 346 2019-02-17 2020-08-24
5.8
None Remote Medium Not required Partial Partial None
Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack against HTTP requests for "Terms of Use" and Privacy pages.
332 CVE-2019-7398 401 2019-02-05 2021-04-28
5.0
None Remote Low Not required None None Partial
In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c.
333 CVE-2019-7397 401 2019-02-05 2021-04-28
5.0
None Remote Low Not required None None Partial
In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c.
334 CVE-2019-7396 401 2019-02-05 2021-04-28
5.0
None Remote Low Not required None None Partial
In ImageMagick before 7.0.8-25, a memory leak exists in ReadSIXELImage in coders/sixel.c.
335 CVE-2019-7395 401 2019-02-05 2021-04-28
5.0
None Remote Low Not required None None Partial
In ImageMagick before 7.0.8-25, a memory leak exists in WritePSDChannel in coders/psd.c.
336 CVE-2019-7392 287 +Priv 2019-02-26 2021-04-12
6.4
None Remote Low Not required Partial Partial None
An improper authentication vulnerability in CA Privileged Access Manager 3.x Web-UI jk-manager and jk-status allows a remote attacker to gain sensitive information or alter configuration.
337 CVE-2019-7390 306 2019-02-05 2020-08-24
5.0
None Remote Low Not required None Partial None
An issue was discovered in /bin/goahead on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to hijack the DNS service configuration of all clients in the WLAN, without authentication, via the SetWanSettings HNAP API.
338 CVE-2019-7389 306 2019-02-05 2020-08-24
7.8
None Remote Low Not required None None Complete
An issue was discovered in /bin/goahead on D-Link DIR-823G devices with the firmware 1.02B03. There is incorrect access control allowing remote attackers to reset the router without authentication via the SetFactoryDefault HNAP API. Consequently, an attacker can achieve a denial-of-service attack without authentication.
339 CVE-2019-7388 200 +Info 2019-02-05 2020-08-24
5.0
None Remote Low Not required Partial None None
An issue was discovered in /bin/goahead on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to get sensitive information (such as MAC address) about all clients in the WLAN via the GetClientInfo HNAP API. Consequently, an attacker can achieve information disclosure without authentication.
340 CVE-2019-7387 22 Dir. Trav. File Inclusion 2019-02-04 2019-05-08
4.0
None Remote Low ??? Partial None None
A local file inclusion vulnerability exists in the web interface of Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. When the export function is called from system/maintenance/export.php, it accepts the path provided by the user, leading to path traversal via the name parameter.
341 CVE-2019-7352 79 Exec Code XSS 2019-02-04 2019-02-04
4.3
None Remote Medium Not required None Partial None
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'state' (aka Run State) (state.php) does no input validation to the value supplied to the 'New State' (aka newState) field, allowing an attacker to execute HTML or JavaScript code.
342 CVE-2019-7351 74 2019-02-04 2019-02-04
4.3
None Remote Medium Not required None Partial None
Log Injection exists in ZoneMinder through 1.32.3, as an attacker can entice the victim to visit a specially crafted link, which in turn will inject a custom Log message provided by the attacker in the 'log' view page, as demonstrated by the message=User%20'admin'%20Logged%20in value.
343 CVE-2019-7350 384 2019-02-04 2019-02-05
4.9
None Remote Medium ??? Partial Partial None
Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account. This occurs because a set of multiple cookies (between 3 and 5) is being generated when a user successfully logs in, and these sets overlap for successive logins.
344 CVE-2019-7349 79 Exec Code XSS 2019-02-04 2019-02-05
4.3
None Remote Medium Not required None Partial None
Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[V4LCapturesPerFrame]' parameter value in the view monitor (monitor.php) because proper filtration is omitted.
345 CVE-2019-7348 79 Exec Code XSS 2019-02-04 2019-02-05
4.3
None Remote Medium Not required None Partial None
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'username' parameter value in the view user (user.php) because proper filtration is omitted.
346 CVE-2019-7347 367 2019-02-04 2020-08-24
6.0
None Remote Medium ??? Partial Partial Partial
A Time-of-check Time-of-use (TOCTOU) Race Condition exists in ZoneMinder through 1.32.3 as a session remains active for an authenticated user even after deletion from the users table. This allows a nonexistent user to access and modify records (add/delete Monitors, Users, etc.).
347 CVE-2019-7346 352 CSRF 2019-02-04 2019-02-05
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF check issue exists in ZoneMinder through 1.32.3 as whenever a CSRF check fails, a callback function is called displaying a "Try again" button, which allows resending the failed request, making the CSRF attack successful.
348 CVE-2019-7345 79 Exec Code XSS 2019-02-04 2019-02-05
3.5
None Remote Medium ??? None Partial None
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'options' (options.php) does no input validation for the WEB_TITLE, HOME_URL, HOME_CONTENT, or WEB_CONSOLE_BANNER value, allowing an attacker to execute HTML or JavaScript code. This relates to functions.php.
349 CVE-2019-7344 79 Exec Code XSS 2019-02-04 2019-02-05
4.3
None Remote Medium Not required None Partial None
Reflected XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'filter' as it insecurely prints the 'filter[Name]' (aka Filter name) value on the web page without applying any proper filtration.
350 CVE-2019-7343 79 Exec Code XSS 2019-02-04 2019-02-05
4.3
None Remote Medium Not required None Partial None
Reflected - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[Method]' parameter value in the view monitor (monitor.php) because proper filtration is omitted.
Total number of vulnerabilities : 839   Page : 1 2 3 4 5 6 7 (This Page)8 9 10 11 12 13 14 15 16 17
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.