CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
351 CVE-2019-14788 22 Exec Code Dir. Trav. 2019-08-15 2019-08-22
6.5
None Remote Low ??? Partial Partial Partial
wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value.
352 CVE-2019-14787 79 XSS 2019-08-09 2019-08-22
3.5
None Remote Medium ??? None Partial None
The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter.
353 CVE-2019-14786 94 2019-08-15 2021-07-21
4.0
None Remote Low ??? None Partial None
The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users to reset the settings via the wp-admin/admin-post.php reset-cmb parameter.
354 CVE-2019-14785 79 XSS 2019-08-09 2019-08-15
3.5
None Remote Medium ??? None Partial None
The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1 cp_contactformpp_id parameter.
355 CVE-2019-14784 79 XSS 2019-08-15 2019-08-20
4.3
None Remote Medium Not required None Partial None
The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition.
356 CVE-2019-14783 2019-08-08 2020-08-24
2.1
None Local Low Not required None Partial None
On Samsung mobile devices with N(7.x), and O(8.x), P(9.0) software, FotaAgent allows a malicious application to create privileged files. The Samsung ID is SVE-2019-14764.
357 CVE-2019-14778 416 2019-08-29 2020-08-18
6.8
None Remote Medium Not required Partial Partial Partial
The mkv::virtual_segment_c::seek method of demux/mkv/virtual_segment.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free.
358 CVE-2019-14777 416 2019-08-29 2020-08-18
6.8
None Remote Medium Not required Partial Partial Partial
The Control function of demux/mkv/mkv.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free.
359 CVE-2019-14776 125 2019-08-29 2020-08-18
6.8
None Remote Medium Not required Partial Partial Partial
A heap-based buffer over-read exists in DemuxInit() in demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 via a crafted .mkv file.
360 CVE-2019-14774 79 XSS 2019-08-08 2019-08-30
4.3
None Remote Medium Not required None Partial None
The woo-variation-swatches (aka Variation Swatches for WooCommerce) plugin 1.0.61 for WordPress allows XSS via the wp-admin/admin.php?page=woo-variation-swatches-settings tab parameter.
361 CVE-2019-14773 2019-08-08 2020-08-24
6.4
None Remote Low Not required None Partial Partial
admin/includes/class.actions.snippet.php in the "Woody ad snippets" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close&post= deletion.
362 CVE-2019-14772 79 XSS 2019-08-08 2019-08-13
4.3
None Remote Medium Not required None Partial None
verdaccio before 3.12.0 allows XSS.
363 CVE-2019-14771 20 Exec Code 2019-08-08 2019-08-19
9.3
None Remote Medium Not required Complete Complete Complete
Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, potentially allowing non-configuration scripts to be uploaded to the server. (This attack is mitigated by the attacker needing the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given. Other preventative measures in Backdrop CMS prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.)
364 CVE-2019-14770 79 XSS 2019-08-08 2019-08-16
4.3
None Remote Medium Not required None Partial None
In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. (This issue is mitigated by the attacker needing permissions to create administrative menu links, such as by creating a content type or layout. Such permissions are usually restricted to trusted or administrative users.)
365 CVE-2019-14769 79 XSS 2019-08-08 2019-08-15
4.3
None Remote Medium Not required None Partial None
Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This issue is mitigated by the attacker needing permission to create custom blocks on the site, which is typically an administrative permission.)
366 CVE-2019-14763 189 2019-08-07 2021-07-21
4.9
None Local Low Not required None None Complete
In the Linux kernel before 4.16.4, a double-locking error in drivers/usb/dwc3/gadget.c may potentially cause a deadlock with f_hid.
367 CVE-2019-14755 434 2019-08-15 2019-08-20
6.5
None Remote Low ??? Partial Partial Partial
The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type.
368 CVE-2019-14754 89 Sql 2019-08-08 2019-08-14
7.5
None Remote Low Not required Partial Partial Partial
Open-School 3.0, and Community Edition 2.3, allows SQL Injection via the index.php?r=students/students/document id parameter.
369 CVE-2019-14751 22 Dir. Trav. 2019-08-22 2020-03-27
5.0
None Remote Low Not required None Partial None
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
370 CVE-2019-14750 79 XSS 2019-08-07 2019-08-14
4.3
None Remote Medium Not required None Partial None
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions.
371 CVE-2019-14749 1236 2019-08-07 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected.
372 CVE-2019-14748 79 XSS 2019-08-07 2019-08-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.
373 CVE-2019-14747 79 XSS 2019-08-07 2019-08-12
4.3
None Remote Medium Not required None Partial None
DWSurvey through 2019-07-22 has stored XSS via the design/my-survey-design!copySurvey.action surveyName parameter.
374 CVE-2019-14746 94 2019-08-07 2019-08-14
7.5
None Remote Low Not required Partial Partial Partial
A issue was discovered in KuaiFanCMS 5.0. It allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request.
375 CVE-2019-14745 77 Exec Code 2019-08-07 2019-10-08
6.8
None Remote Medium Not required Partial Partial Partial
In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.
376 CVE-2019-14744 78 Exec Code 2019-08-07 2020-08-24
5.1
None Remote High Not required Partial Partial Partial
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
377 CVE-2019-14743 732 2019-08-07 2020-08-24
7.2
None Local Low Not required Complete Complete Complete
In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit "Full control" for the Users group, which allows local users to gain NT AUTHORITY\SYSTEM access.
378 CVE-2019-14734 787 Overflow 2019-08-07 2021-01-14
6.8
None Remote Medium Not required Partial Partial Partial
AdPlug 2.3.1 has multiple heap-based buffer overflows in CmtkLoader::load() in mtk.cpp.
379 CVE-2019-14733 787 Overflow 2019-08-07 2021-02-22
6.8
None Remote Medium Not required Partial Partial Partial
AdPlug 2.3.1 has multiple heap-based buffer overflows in CradLoader::load() in rad.cpp.
380 CVE-2019-14732 787 Overflow 2019-08-07 2021-02-26
6.8
None Remote Medium Not required Partial Partial Partial
AdPlug 2.3.1 has multiple heap-based buffer overflows in Ca2mLoader::load() in a2m.cpp.
381 CVE-2019-14731 79 XSS 2019-08-07 2019-08-15
3.5
None Remote Medium ??? None Partial None
An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vulnerability that leads to the capture of other people's cookies via the Rich Text Box.
382 CVE-2019-14709 522 2019-08-06 2020-08-24
5.0
None Remote Low Not required Partial None None
A cleartext password storage issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. The file in question is /usr/local/ipsca/mipsca.db. If a camera is compromised, the attacker can gain access to passwords and abuse them to compromise further systems.
383 CVE-2019-14708 119 Exec Code Overflow 2019-08-06 2019-08-14
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. A buffer overflow in the action parameter leads to remote code execution in the context of the nobody account.
384 CVE-2019-14707 Exec Code 2019-08-06 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. The firmware update process is insecure, leading to remote code execution. The attacker can provide arbitrary firmware in a .dat file via a webparam?system&action=set&upgrade URI.
385 CVE-2019-14706 119 DoS Overflow 2019-08-06 2019-08-14
5.0
None Remote Low Not required None None Partial
A denial of service issue in HTTPD was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker without authorization can upload a file to upload.php with a filename longer than 256 bytes. This will be placed in the updownload area. It will not be deleted, because of a buffer overflow in a Bash command string.
386 CVE-2019-14705 287 2019-08-06 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
An Incorrect Access Control issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5 because any valid cookie can be used to make requests as an admin.
387 CVE-2019-14704 918 2019-08-06 2019-08-14
7.5
None Remote Low Not required Partial Partial Partial
An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 via FTP commands following a newline character in the uploadfile field.
388 CVE-2019-14703 352 CSRF 2019-08-06 2019-08-13
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF issue was discovered in webparam?user&action=set&param=add in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 to create an admin account.
389 CVE-2019-14702 89 Sql 2019-08-06 2019-08-13
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. SQL injection vulnerabilities exist in 13 forms that are reachable through HTTPD. An attacker can, for example, create an admin account.
390 CVE-2019-14701 22 DoS Dir. Trav. 2019-08-06 2019-08-13
5.0
None Remote Low Not required None None Partial
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker can trigger read operations on an arbitrary file via Path Traversal in the TZ parameter, but cannot retrieve the data that is read. This causes a denial of service if the filename is, for example, /dev/random.
391 CVE-2019-14700 22 Dir. Trav. 2019-08-06 2019-08-13
5.0
None Remote Low Not required Partial None None
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. There is disclosure of the existence of arbitrary files via Path Traversal in HTTPD. This occurs because the filename specified in the TZ parameter is accessed with a substantial delay if that file exists.
392 CVE-2019-14699 78 Exec Code 2019-08-06 2019-08-13
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker can exploit OS Command Injection in the filename parameter for remote code execution as root. This occurs in the Mainproc executable file, which can be run from the HTTPD web server.
393 CVE-2019-14698 119 Exec Code Overflow 2019-08-06 2019-08-13
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. In a CGI program running under the HTTPD web server, a buffer overflow in the param parameter leads to remote code execution in the context of the nobody account.
394 CVE-2019-14697 787 2019-08-06 2020-03-14
7.5
None Remote Low Not required Partial Partial Partial
musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.
395 CVE-2019-14696 79 XSS 2019-08-06 2019-08-13
4.3
None Remote Medium Not required None Partial None
Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/index.php?r=students/guardians/create id parameter.
396 CVE-2019-14695 89 Exec Code Sql 2019-08-06 2019-08-13
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability exists in the Sygnoos Popup Builder plugin before 3.45 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via com/libs/Table.php because Subscribers Table ordering is mishandled.
397 CVE-2019-14694 416 DoS 2019-08-28 2021-07-21
4.7
None Local Medium Not required None None Complete
A use-after-free flaw in the sandbox container implemented in cmdguard.sys in Comodo Antivirus 12.0.0.6870 can be triggered due to a race condition when handling IRP_MJ_CLEANUP requests in the minifilter for directory change notifications. This allows an attacker to cause a denial of service (BSOD) when an executable is run inside the container.
398 CVE-2019-14693 611 2019-08-08 2019-10-09
5.5
None Remote Low ??? Partial None Partial
Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
399 CVE-2019-14692 787 Overflow 2019-08-06 2021-02-22
6.8
None Remote Medium Not required Partial Partial Partial
AdPlug 2.3.1 has a heap-based buffer overflow in CmkjPlayer::load() in mkj.cpp.
400 CVE-2019-14691 787 Overflow 2019-08-06 2021-01-14
6.8
None Remote Medium Not required Partial Partial Partial
AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in dtm.cpp.
Total number of vulnerabilities : 2004   Page : 1 2 3 4 5 6 7 8 (This Page)9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.