CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
401 CVE-2019-14690 787 Overflow 2019-08-06 2021-01-14
6.8
None Remote Medium Not required Partial Partial Partial
AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream() in bmf.cpp.
402 CVE-2019-14687 426 2019-08-20 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
A DLL hijacking vulnerability exists in Trend Micro Password Manager 5.0 in which, if exploited, would allow an attacker to load an arbitrary unsigned DLL into the signed service's process. This process is very similar, yet not identical to CVE-2019-14684.
403 CVE-2019-14686 426 2019-08-21 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
A DLL hijacking vulnerability exists in the Trend Micro Security's 2019 consumer family of products (v15) Folder Shield component and the standalone Trend Micro Ransom Buster (1.0) tool in which, if exploited, would allow an attacker to load a malicious DLL, leading to elevated privileges.
404 CVE-2019-14685 428 2019-08-21 2020-08-24
7.2
None Local Low Not required Complete Complete Complete
A local privilege escalation vulnerability exists in Trend Micro Security 2019 (v15.0) in which, if exploited, would allow an attacker to manipulate a specific product feature to load a malicious service.
405 CVE-2019-14684 426 2019-08-20 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
A DLL hijacking vulnerability exists in Trend Micro Password Manager 5.0 in which, if exploited, would allow an attacker to load an arbitrary unsigned DLL into the signed service's process. This process is very similar, yet not identical to CVE-2019-14687.
406 CVE-2019-14683 352 CSRF 2019-08-08 2019-08-22
4.9
None Remote Medium ??? None Partial Partial
The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.
407 CVE-2019-14682 352 CSRF 2019-08-08 2019-08-22
4.3
None Remote Medium Not required None Partial None
The acf-better-search (aka ACF: Better Search) plugin before 3.3.1 for WordPress allows wp-admin/options-general.php?page=acfbs_admin_page CSRF.
408 CVE-2019-14681 352 CSRF 2019-08-08 2019-08-20
6.8
None Remote Medium Not required Partial Partial Partial
The Deny All Firewall plugin before 1.1.7 for WordPress allows wp-admin/options-general.php?page=daf_settings&daf_remove=true CSRF.
409 CVE-2019-14680 352 CSRF 2019-08-08 2019-08-21
3.5
None Remote Medium ??? None Partial None
The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF.
410 CVE-2019-14679 352 CSRF 2019-08-08 2019-08-19
4.3
None Remote Medium Not required None Partial None
core/views/arprice_import_export.php in the ARPrice Lite plugin 2.2 for WordPress allows wp-admin/admin.php?page=arplite_import_export CSRF.
411 CVE-2019-14672 79 Exec Code XSS 2019-08-05 2020-12-16
3.5
None Remote Medium ??? None Partial None
Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the liability name field. The JavaScript code is executed upon an error condition during a visit to the account show page.
412 CVE-2019-14671 200 +Info 2019-08-05 2021-07-21
2.1
None Local Low Not required Partial None None
Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attacker can enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints_url to import/job/configuration, and import/create/fints.
413 CVE-2019-14670 79 Exec Code XSS 2019-08-05 2020-12-16
3.5
None Remote Medium ??? None Partial None
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field. The JavaScript code is executed during rule-from-bill creation.
414 CVE-2019-14669 79 Exec Code XSS 2019-08-05 2020-12-16
3.5
None Remote Medium ??? None Partial None
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the asset account name. The JavaScript code is executed during a visit to the audit account statistics page.
415 CVE-2019-14668 79 Exec Code XSS 2019-08-05 2020-12-16
3.5
None Remote Medium ??? None Partial None
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the transaction description field. The JavaScript code is executed during deletion of a transaction link.
416 CVE-2019-14667 79 Exec Code XSS 2019-08-05 2020-12-16
4.3
None Remote Medium Not required None Partial None
Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name. The JavaScript code is executed during a convert transaction action.
417 CVE-2019-14665 787 Overflow 2019-08-05 2020-08-24
4.3
None Remote Medium Not required None None Partial
Brandy 1.20.1 has a heap-based buffer overflow in define_array in variables.c via crafted BASIC source code.
418 CVE-2019-14664 319 Bypass 2019-08-05 2022-01-01
4.3
None Remote Medium Not required Partial None None
In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, he unknowingly leaks the plaintext of the encrypted message part(s) back to the attacker. This attack variant bypasses protection mechanisms implemented after the "EFAIL" attacks.
419 CVE-2019-14663 787 Overflow 2019-08-05 2020-08-24
4.3
None Remote Medium Not required None None Partial
Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fileio.c via crafted BASIC source code.
420 CVE-2019-14662 787 Overflow 2019-08-05 2020-08-24
4.3
None Remote Medium Not required None None Partial
Brandy 1.20.1 has a stack-based buffer overflow in fileio_openout in fileio.c via crafted BASIC source code.
421 CVE-2019-14654 Exec Code 2019-08-05 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. In other words, the filter attribute in subform fields allows remote code execution. This is fixed in 3.9.9.
422 CVE-2019-14653 79 XSS 2019-08-03 2019-08-05
4.3
None Remote Medium Not required None Partial None
pandao Editor.md 1.5.0 allows XSS via an attribute of an ABBR or SUP element.
423 CVE-2019-14551 352 Exec Code 2019-08-03 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
Das Q before 2019-08-02 allows web sites to execute arbitrary code on client machines, as demonstrated by a cross-origin /install request with an attacker-controlled releaseUrl, which triggers download and execution of code within a ZIP archive.
424 CVE-2019-14550 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature present on the Homepage. An attacker can load malicious JavaScript inside the add tab list feature, which would fire when a user clicks on the Edit Dashboard button, thus helping him steal victims' cookies (hence compromising their accounts).
425 CVE-2019-14549 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the publicly accessible link.
426 CVE-2019-14548 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles received through mail. This Article can be formed by an attacker using the Knowledge Base feature in the tab list. The attacker could inject malicious JavaScript inside the body of the article, thus helping him steal victims' cookies (hence compromising their accounts).
427 CVE-2019-14547 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a attacker sends an attachment to admin with malicious JavaScript in the filename. This JavaScript executed when an admin selects the particular file from the list of all attachments. The attacker could inject the JavaScript inside the filename and send it to users, thus helping him steal victims' cookies (hence compromising their accounts).
428 CVE-2019-14546 79 XSS 2019-08-05 2019-08-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his email signature, which fires when the victim replies or forwards the mail, thus helping him steal victims' cookies (hence compromising their accounts).
429 CVE-2019-14544 862 2019-08-02 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks.
430 CVE-2019-14541 787 Overflow 2019-08-02 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
GnuCOBOL 2.2 has a stack-based buffer overflow in cb_encode_program_id in cobc/typeck.c via crafted COBOL source code.
431 CVE-2019-14537 843 Bypass 2019-08-07 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass.
432 CVE-2019-14535 369 2019-08-29 2020-08-18
6.8
None Remote Medium Not required Partial Partial Partial
A divide-by-zero error exists in the SeekIndex function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1. As a result, an FPE can be triggered via a crafted WMV file.
433 CVE-2019-14534 476 DoS 2019-08-29 2020-08-18
4.3
None Remote Medium Not required None None Partial
In VideoLAN VLC media player 3.0.7.1, there is a NULL pointer dereference at the function SeekPercent of demux/asf/asf.c that will lead to a denial of service attack.
434 CVE-2019-14533 416 2019-08-29 2020-08-18
6.8
None Remote Medium Not required Partial Partial Partial
The Control function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 has a use-after-free.
435 CVE-2019-14532 191 2019-08-02 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an off-by-one overwrite due to an underflow on tools/hashtools/hfind.cpp while using a bogus hash table.
436 CVE-2019-14531 125 2019-08-02 2019-08-12
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an out of bounds read on iso9660 while parsing System Use Sharing Protocol data in fs/iso9660.c.
437 CVE-2019-14530 22 Dir. Trav. 2019-08-13 2021-07-05
4.0
None Remote Low ??? Partial None None
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
438 CVE-2019-14529 89 Sql 2019-08-02 2019-08-13
7.5
None Remote Low Not required Partial Partial Partial
OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php.
439 CVE-2019-14528 787 Overflow 2019-08-02 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
GnuCOBOL 2.2 has a heap-based buffer overflow in read_literal in cobc/scanner.l via crafted COBOL source code.
440 CVE-2019-14527 78 Exec Code 2019-08-14 2019-08-27
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. System commands can be executed, via the web interface, after authentication.
441 CVE-2019-14526 352 Bypass CSRF 2019-08-14 2019-08-27
5.8
None Remote Medium Not required Partial Partial None
An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. The web-interface Cross-Site Request Forgery token is stored in a dynamically generated JavaScript file, and therefore can be embedded in third party pages, and re-used against the Nighthawk web interface. This entirely bypasses the intended security benefits of the use of a CSRF-protection token.
442 CVE-2019-14525 200 +Info 2019-08-05 2021-07-21
4.0
None Remote Low ??? Partial None None
In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call.
443 CVE-2019-14524 787 Overflow 2019-08-02 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Schism Tracker through 20190722. There is a heap-based buffer overflow via a large number of song patterns in fmt_mtm_load_song in fmt/mtm.c, a different vulnerability than CVE-2019-14465.
444 CVE-2019-14523 191 2019-08-02 2021-07-07
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Schism Tracker through 20190722. There is an integer underflow via a large plen in fmt_okt_load_song in the Amiga Oktalyzer parser in fmt/okt.c.
445 CVE-2019-14521 22 Dir. Trav. 2019-08-05 2019-08-13
5.0
None Remote Low Not required None Partial None
The api/admin/logoupload Logo File upload feature in EMCA Energy Logserver 6.1.2 allows attackers to send any kind of file to any location on the server via path traversal in the filename parameter.
446 CVE-2019-14518 79 XSS 2019-08-15 2019-08-21
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Evolution CMS 2.0.x allows XSS via a description and new category location in a template. NOTE: the vendor states that the behavior is consistent with the "access policy in the administration panel."
447 CVE-2019-14517 79 XSS 2019-08-01 2019-08-05
4.3
None Remote Medium Not required None Partial None
pandao Editor.md 1.5.0 allows XSS via the Javascript: string.
448 CVE-2019-14516 295 2019-08-13 2019-08-19
5.8
None Remote Medium Not required Partial Partial None
The mAadhaar application 1.2.7 for Android lacks SSL Certificate Validation, leading to man-in-the-middle attacks against requests for FAQs or Help.
449 CVE-2019-14513 125 2019-08-01 2020-08-24
5.0
None Remote Low Not required None None Partial
Improper bounds checking in Dnsmasq before 2.76 allows an attacker controlled DNS server to send large DNS packets that result in a read operation beyond the buffer allocated for the packet, a different vulnerability than CVE-2017-14491.
450 CVE-2019-14511 306 2019-08-22 2019-09-14
5.0
None Remote Low Not required Partial None None
Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1 only).
Total number of vulnerabilities : 2004   Page : 1 2 3 4 5 6 7 8 9 (This Page)10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.