CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
351 CVE-2019-17214 79 XSS Bypass 2019-10-06 2020-08-24
5.0
None Remote Low Not required None Partial None
The WebARX plugin 1.3.0 for WordPress allows firewall bypass by appending &cc=1 to a URI.
352 CVE-2019-17213 79 XSS 2019-10-06 2019-10-08
4.3
None Remote Medium Not required None Partial None
The WebARX plugin 1.3.0 for WordPress has unauthenticated stored XSS via the URI or the X-Forwarded-For HTTP header.
353 CVE-2019-17207 79 XSS 2019-10-18 2019-10-21
3.5
None Remote Medium ??? None Partial None
A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker (aka Broken Link Checker) plugin 1.11.8 for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the wp-admin/tools.php?page=view-broken-links s_filter parameter in a search action.
354 CVE-2019-17206 502 2019-10-05 2019-12-09
7.5
None Remote Low Not required Partial Partial Partial
Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts.
355 CVE-2019-17205 79 XSS 2019-10-05 2019-10-08
4.3
None Remote Medium Not required None Partial None
TeamPass 2.1.27.36 allows Stored XSS by placing a payload in the username field during a login attempt. When an administrator looks at the log of failed logins, the XSS payload will be executed.
356 CVE-2019-17204 79 XSS 2019-10-05 2019-10-08
3.5
None Remote Medium ??? None Partial None
TeamPass 2.1.27.36 allows Stored XSS by setting a crafted Knowledge Base label and adding any available item.
357 CVE-2019-17203 79 XSS 2019-10-05 2019-10-08
3.5
None Remote Medium ??? None Partial None
TeamPass 2.1.27.36 allows Stored XSS at the Search page by setting a crafted password for an item in any folder.
358 CVE-2019-17199 22 Dir. Trav. 2019-10-05 2019-10-10
5.0
None Remote Low Not required Partial None None
www/getfile.php in WPO WebPageTest 19.04 on Windows allows Directory Traversal (for reading arbitrary files) because of an unanchored regular expression, as demonstrated by the a.jpg\.. substring.
359 CVE-2019-17197 89 Sql 2019-10-05 2019-10-08
7.5
None Remote Low Not required Partial Partial Partial
OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects library/patient.inc.
360 CVE-2019-17195 755 Bypass 2019-10-15 2021-11-18
6.8
None Remote Medium Not required Partial Partial Partial
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.
361 CVE-2019-17192 20 DoS 2019-10-05 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** The WebRTC component in the Signal Private Messenger application through 4.47.7 for Android processes videoconferencing RTP packets before a callee chooses to answer a call, which might make it easier for remote attackers to cause a denial of service or possibly have unspecified other impact via malformed packets. NOTE: the vendor plans to continue this behavior for performance reasons unless a WebRTC design change occurs.
362 CVE-2019-17191 20 2019-10-05 2021-07-21
5.0
None Remote Low Not required Partial None None
The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answered, without callee user interaction, via a connect message. The existence of the call is noticeable to the callee; however, the audio channel may be open before the callee can block eavesdropping.
363 CVE-2019-17189 79 XSS 2019-10-22 2019-10-22
3.5
None Remote Medium ??? None Partial None
totemodata 3.0.0_b936 has XSS via a folder name.
364 CVE-2019-17188 434 Bypass 2019-10-04 2019-10-10
6.5
None Remote Low ??? Partial Partial Partial
An unrestricted file upload vulnerability was discovered in catalog/productinfo/imageupload in Fecshop FecMall 2.3.4. An attacker can bypass a front-end restriction and upload PHP code to the webserver, by providing image data and the image/jpeg content type, with a .php extension. This occurs because the code relies on the getimagesize function.
365 CVE-2019-17187 22 Dir. Trav. 2019-10-08 2019-10-11
5.0
None Remote Low Not required Partial None None
/var/WEB-GUI/cgi-bin/downloadfile.cgi on FiberHome HG2201T 1.00.M5007_JS_201804 devices allows pre-authentication Directory Traversal for reading arbitrary files.
366 CVE-2019-17186 20 Exec Code 2019-10-08 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
/var/WEB-GUI/cgi-bin/telnet.cgi on FiberHome HG2201T 1.00.M5007_JS_201804 devices allows pre-authentication remote code execution.
367 CVE-2019-17184 +Priv 2019-10-04 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
Xerox AtlaLink B8045/B8055/B8065/B8075/B8090 C8030/C8035/C8045/C8055/C8070 printers with software before 101.00x.089.22600 allow an attacker to gain privileges.
368 CVE-2019-17183 772 2019-10-04 2019-10-09
5.0
None Remote Low Not required None None Partial
Foxit Reader before 9.7 allows an Access Violation and crash if insufficient memory exists.
369 CVE-2019-17181 120 Overflow 2019-10-28 2019-11-01
10.0
None Remote Low Not required Complete Complete Complete
A remote SEH buffer overflow has been discovered in IntraSrv 1.0 (2007-06-03). An attacker may send a crafted HTTP GET or HEAD request that can result in a compromise of the hosting system.
370 CVE-2019-17180 22 DoS Dir. Trav. 2019-10-04 2020-01-16
7.2
None Local Low Not required Complete Complete Complete
Valve Steam Client before 2019-09-12 allows placing or appending partially controlled filesystem content, as demonstrated by file modifications on Windows in the context of NT AUTHORITY\SYSTEM. This could lead to denial of service, elevation of privilege, or unspecified other impact.
371 CVE-2019-17179 79 XSS 2019-10-04 2019-10-21
4.3
None Remote Medium Not required None Partial None
4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, fixed in version 5.0.2.1
372 CVE-2019-17178 772 2019-10-04 2021-07-21
5.0
None Remote Low Not required None None Partial
HuffmanTree_makeFromFrequencies in lodepng.c in LodePNG through 2019-09-28, as used in WinPR in FreeRDP and other products, has a memory leak because a supplied realloc pointer (i.e., the first argument to realloc) is also used for a realloc return value.
373 CVE-2019-17177 772 2019-10-04 2021-07-21
5.0
None Remote Low Not required None None Partial
libfreerdp/codec/region.c in FreeRDP through 1.1.x and 2.x through 2.0.0-rc4 has memory leaks because a supplied realloc pointer (i.e., the first argument to realloc) is also used for a realloc return value.
374 CVE-2019-17176 79 XSS 2019-10-11 2019-10-16
4.3
None Remote Medium Not required None Partial None
Genesys PureEngage Digital (eServices) 8.1.x allows XSS via HtmlChatPanel.jsp or HtmlChatFrameSet.jsp (ActionColor, ClientNickNameColor, Email, email, or email_address parameter).
375 CVE-2019-17175 22 Dir. Trav. 2019-10-04 2019-10-08
5.0
None Remote Low Not required Partial None None
joyplus-cms 1.6.0 allows manager/admin_pic.php?rootpath= absolute path traversal.
376 CVE-2019-17145 787 Exec Code 2019-10-25 2019-10-28
6.8
None Remote Medium Not required Partial Partial Partial
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9276.
377 CVE-2019-17144 787 Exec Code 2019-10-25 2019-10-28
6.8
None Remote Medium Not required Partial Partial Partial
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DWG files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9274.
378 CVE-2019-17143 416 Exec Code 2019-10-25 2019-10-28
4.3
None Remote Medium Not required Partial None None
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9273.
379 CVE-2019-17142 416 Exec Code 2019-10-25 2019-10-28
6.8
None Remote Medium Not required Partial Partial Partial
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of script within a Keystroke action of a listbox field. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9081.
380 CVE-2019-17141 416 Exec Code 2019-10-25 2019-10-28
6.8
None Remote Medium Not required Partial Partial Partial
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of script within a Calculate action of a text field. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9044.
381 CVE-2019-17140 416 Exec Code 2019-10-25 2019-10-28
6.8
None Remote Medium Not required Partial Partial Partial
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the OnFocus event. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9091.
382 CVE-2019-17139 787 Exec Code 2019-10-25 2019-10-28
6.8
None Remote Medium Not required Partial Partial Partial
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of Javascript in the HTML2PDF plugin. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8692.
383 CVE-2019-17138 125 Exec Code 2019-10-25 2019-10-28
4.3
None Remote Medium Not required Partial None None
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.909. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion from JPEG to EPS. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-8809.
384 CVE-2019-17134 287 Bypass 2019-10-08 2019-11-06
6.4
None Remote Low Not required Partial Partial None
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
385 CVE-2019-17133 120 Overflow 2019-10-04 2021-06-14
7.5
None Remote Low Not required Partial Partial Partial
In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow.
386 CVE-2019-17132 20 2019-10-04 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
vBulletin through 5.5.4 mishandles custom avatars.
387 CVE-2019-17131 1021 2019-10-04 2019-10-11
4.3
None Remote Medium Not required None Partial None
vBulletin before 5.5.4 allows clickjacking.
388 CVE-2019-17130 552 2019-10-04 2019-10-10
6.4
None Remote Low Not required Partial Partial None
vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.
389 CVE-2019-17128 89 Sql 2019-10-09 2019-10-11
5.0
None Remote Low Not required Partial None None
Netreo OmniCenter through 12.1.1 allows unauthenticated SQL Injection (Boolean Based Blind) in the redirect parameters and parameter name of the login page through a GET request. The injection allows an attacker to read sensitive information from the database used by the application.
390 CVE-2019-17124 276 2019-10-09 2019-10-15
10.0
None Remote Low Not required Complete Complete Complete
Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.
391 CVE-2019-17121 79 XSS 2019-10-04 2019-10-08
3.5
None Remote Medium ??? None Partial None
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.
392 CVE-2019-17120 79 XSS 2019-10-17 2019-10-31
4.3
None Remote Medium Not required None Partial None
A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/adm_usrs.jsp. The usr parameter is vulnerable: the reflected cross-site scripting occurs immediately after the user is created. The malicious script is stored and will be executed whenever /WiKIDAdmin/adm_usrs.jsp is visited.
393 CVE-2019-17119 89 Exec Code Sql 2019-10-17 2019-10-22
6.5
None Remote Low ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in Logs.jsp in WiKID 2FA Enterprise Server through 4.2.0-b2053 allow authenticated users to execute arbitrary SQL commands via the source or subString parameter.
394 CVE-2019-17118 352 CSRF 2019-10-17 2019-10-22
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF issue in WiKID 2FA Enterprise Server through 4.2.0-b2053 allows a remote attacker to trick an authenticated user into performing unintended actions such as (1) create or delete admin users; (2) create or delete groups; or (3) create, delete, enable, or disable normal users or devices.
395 CVE-2019-17117 89 Exec Code Sql 2019-10-17 2019-10-22
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability in processPref.jsp in WiKID 2FA Enterprise Server through 4.2.0-b2053 allows an authenticated user to execute arbitrary SQL commands via the processPref.jsp key parameter.
396 CVE-2019-17116 79 XSS 2019-10-17 2019-10-22
4.3
None Remote Medium Not required None Partial None
A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/groups.jsp. The groupName parameter is vulnerable: the reflected cross-site scripting occurs immediately after the group is created. The malicious script is stored and will be executed again whenever /WiKIDAdmin/groups.jsp is visited.
397 CVE-2019-17115 79 XSS 2019-10-17 2019-10-22
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML that is triggered when Logs.jsp is visited. The rendered_message column is retrieved and displayed, unsanitized, on Logs.jsp. A remote attack can populate the rendered_message column with malicious values via: (1) H parameter to /wikid/servlet/com.wikidsystems.server.GetDomainHash (2) S parameter to: - /wikid/DomainData - /wikid/PreRegisterLookup - /wikid/PreRegister - /wikid/InitDevice - /wikid/servlet/InitDevice2S - /wikid/servlet/InitDevice3S - /servlet/com.wikidsystems.server.InitDevice2S - /servlet/com.wikidsystems.server.InitDevice3S - /servlet/com.wikidsystems.server.InitDevice4S - /wikid/servlet/com.wikidsystems.server.InitDevice4AES - /wikid/servlet/com.wikidsystems.server.InitDevice5AES (3) a parameter to: - /wikid/PreRegisterLookup - /wikid/InitDevice - /wikid/servlet/InitDevice2S - /wikid/servlet/InitDevice3S - /servlet/com.wikidsystems.server.InitDevice2S - /servlet/com.wikidsystems.server.InitDevice3S - /servlet/com.wikidsystems.server.InitDevice4S - /wikid/servlet/com.wikidsystems.server.InitDevice4AES - /wikid/servlet/com.wikidsystems.server.InitDevice5AES.
398 CVE-2019-17114 79 XSS 2019-10-17 2019-10-22
4.3
None Remote Medium Not required None Partial None
A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allows remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/userPreregistration.jsp. The preRegistrationData parameter is vulnerable: a reflected cross-site scripting occurs immediately after a .csv file is uploaded. The malicious script is stored and can be executed again when the List Pre-Registration functionality is used.
399 CVE-2019-17113 120 Overflow 2019-10-04 2020-08-02
7.5
None Remote Low Not required Partial Partial Partial
In libopenmpt before 0.3.19 and 0.4.x before 0.4.9, ModPlug_InstrumentName and ModPlug_SampleName in libopenmpt_modplug.c do not restrict the lengths of libmodplug output-buffer strings in the C API, leading to a buffer overflow.
400 CVE-2019-17112 552 2019-10-09 2019-11-20
4.0
None Remote Low ??? Partial None None
An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user ("Operator" access level) to access the configuration file of the mail server (except for the password).
Total number of vulnerabilities : 1567   Page : 1 2 3 4 5 6 7 8 (This Page)9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.