CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In December 2019

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 CVE-2019-20202 763 2019-12-31 2020-01-06
4.3
None Remote Medium Not required None None Partial
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_char_content() tries to use realloc on a block that was not allocated, leading to an invalid free and segmentation fault.
2 CVE-2019-20201 91 2019-12-31 2021-07-21
4.3
None Remote Medium Not required None None Partial
An issue was discovered in ezXML 0.8.3 through 0.8.6. The ezxml_parse_* functions mishandle XML entities, leading to an infinite loop in which memory allocations occur.
3 CVE-2019-20200 125 2019-12-31 2020-01-06
4.3
None Remote Medium Not required None None Partial
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_decode, while parsing a crafted XML file, performs incorrect memory handling, leading to a heap-based buffer over-read in the "normalize line endings" feature.
4 CVE-2019-20199 125 2019-12-31 2020-08-24
4.3
None Remote Medium Not required None None Partial
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_decode, while parsing a crafted XML file, performs incorrect memory handling, leading to NULL pointer dereference while running strlen() on a NULL pointer.
5 CVE-2019-20198 674 2019-12-31 2020-08-24
4.3
None Remote Medium Not required None None Partial
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_ent_ok() mishandles recursion, leading to stack consumption for a crafted XML file.
6 CVE-2019-20197 78 Exec Code 2019-12-31 2020-01-07
9.0
None Remote Low ??? Complete Complete Complete
In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.
7 CVE-2019-20176 400 2019-12-31 2020-02-08
5.0
None Remote Low Not required None None Partial
In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the listdir function in ls.c.
8 CVE-2019-20175 754 2019-12-31 2020-01-15
5.0
None Remote Low Not required None None Partial
** DISPUTED ** An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert."
9 CVE-2019-20172 119 Overflow +Priv 2019-12-31 2020-08-24
4.6
None Local Low Not required Partial Partial Partial
Kernel/VM/MemoryManager.cpp in SerenityOS before 2019-12-30 does not reject syscalls with pointers into the kernel-only virtual address space, which allows local users to gain privileges by overwriting a return address that was found on the kernel stack.
10 CVE-2019-20171 772 2019-12-31 2021-07-21
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There are memory leaks in metx_New in isomedia/box_code_base.c and abst_Read in isomedia/box_code_adobe.c.
11 CVE-2019-20170 763 2019-12-31 2020-01-20
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is an invalid pointer dereference in the function GF_IPMPX_AUTH_Delete() in odf/ipmpx_code.c.
12 CVE-2019-20169 416 2019-12-31 2020-01-02
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a use-after-free in the function trak_Read() in isomedia/box_code_base.c.
13 CVE-2019-20168 416 2019-12-31 2020-01-02
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a use-after-free in the function gf_isom_box_dump_ex() in isomedia/box_funcs.c.
14 CVE-2019-20167 476 2019-12-31 2020-01-02
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function senc_Parse() in isomedia/box_code_drm.c.
15 CVE-2019-20166 476 2019-12-31 2020-01-02
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function gf_isom_dump() in isomedia/box_dump.c.
16 CVE-2019-20165 476 2019-12-31 2020-01-20
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function ilst_item_Read() in isomedia/box_code_apple.c.
17 CVE-2019-20164 476 2019-12-31 2020-01-02
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function gf_isom_box_del() in isomedia/box_funcs.c.
18 CVE-2019-20163 476 2019-12-31 2020-01-20
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function gf_odf_avc_cfg_write_bs() in odf/descriptors.c.
19 CVE-2019-20162 787 Overflow 2019-12-31 2020-01-20
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a heap-based buffer overflow in the function gf_isom_box_parse_ex() in isomedia/box_funcs.c.
20 CVE-2019-20161 787 Overflow 2019-12-31 2020-01-20
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a heap-based buffer overflow in the function ReadGF_IPMPX_WatermarkingInit() in odf/ipmpx_code.c.
21 CVE-2019-20160 787 Overflow 2019-12-31 2020-01-02
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a stack-based buffer overflow in the function av1_parse_tile_group() in media_tools/av_parsers.c.
22 CVE-2019-20159 772 2019-12-31 2021-07-21
4.3
None Remote Medium Not required None None Partial
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a memory leak in dinf_New() in isomedia/box_code_base.c.
23 CVE-2019-20149 668 2019-12-30 2020-08-24
5.0
None Remote Low Not required None Partial None
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
24 CVE-2019-20141 79 XSS 2019-12-30 2020-02-05
4.3
None Remote Medium Not required None Partial None
An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter.
25 CVE-2019-20140 787 Overflow 2019-12-30 2020-01-07
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in libsixel 1.8.4. There is a heap-based buffer overflow in the function gif_out_code at fromgif.c.
26 CVE-2019-20139 79 XSS 2019-12-30 2020-01-03
3.5
None Remote Medium ??? None Partial None
In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user.
27 CVE-2019-20138 326 2019-12-30 2021-07-21
5.0
None Remote Low Not required Partial None None
The HTTP Authentication library before 2019-12-27 for Nim has weak password hashing because the default algorithm for libsodium's crypto_pwhash_str is not used.
28 CVE-2019-20096 401 DoS 2019-12-30 2020-08-24
4.9
None Local Low Not required None None Complete
In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ff0950e2b.
29 CVE-2019-20095 772 DoS 2019-12-30 2021-07-21
4.9
None Local Low Not required None None Complete
mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service.
30 CVE-2019-20094 787 Overflow 2019-12-30 2020-01-03
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in libsixel 1.8.4. There is a heap-based buffer overflow in the function gif_init_frame at fromgif.c.
31 CVE-2019-20093 476 DoS 2019-12-30 2020-01-26
4.3
None Remote Medium Not required None None Partial
The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.6 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file, because of ImageExtractor.cpp.
32 CVE-2019-20092 476 2019-12-30 2020-01-07
4.3
None Remote Medium Not required None None Partial
An issue was discovered in Bento4 1.5.1.0. There is a NULL pointer dereference in AP4_Descriptor::GetTag in mp42ts when called from AP4_EsDescriptor::GetDecoderConfigDescriptor in Ap4EsDescriptor.cpp.
33 CVE-2019-20091 476 2019-12-30 2020-01-07
4.3
None Remote Medium Not required None None Partial
An issue was discovered in Bento4 1.5.1.0. There is a NULL pointer dereference in AP4_Descriptor::GetTag in mp42ts when called from AP4_DecoderConfigDescriptor::GetDecoderSpecificInfoDescriptor in Ap4DecoderConfigDescriptor.cpp.
34 CVE-2019-20090 416 2019-12-30 2020-01-07
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Bento4 1.5.1.0. There is a use-after-free in AP4_Sample::GetOffset in Core/Ap4Sample.h when called from Ap4LinearReader.cpp.
35 CVE-2019-20089 125 2019-12-30 2020-01-07
6.8
None Remote Medium Not required Partial Partial Partial
GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GPMF_SeekToSamples in GPMF_parse.c for the size calculation.
36 CVE-2019-20088 125 2019-12-30 2020-01-07
6.8
None Remote Medium Not required Partial Partial Partial
GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GetPayload in GPMF_mp4reader.c.
37 CVE-2019-20087 125 2019-12-30 2020-01-08
6.8
None Remote Medium Not required Partial Partial Partial
GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GPMF_seekToSamples in GPMF-parse.c for the "matching tags" feature.
38 CVE-2019-20086 125 2019-12-30 2020-01-08
6.8
None Remote Medium Not required Partial Partial Partial
GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GPMF_Next in GPMF_parser.c.
39 CVE-2019-20085 22 Dir. Trav. 2019-12-30 2020-04-14
5.0
None Remote Low Not required Partial None None
TVT NVMS-1000 devices allow GET /.. Directory Traversal
40 CVE-2019-20079 416 2019-12-30 2020-10-20
6.8
None Remote Medium Not required Partial Partial Partial
The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.
41 CVE-2019-20076 79 XSS 2019-12-30 2020-01-02
4.3
None Remote Medium Not required None Partial None
On Netis DL4323 devices, XSS exists via the form2Ddns.cgi username parameter (DynDns settings of the Dynamic DNS Configuration).
42 CVE-2019-20075 79 XSS 2019-12-30 2020-01-02
4.3
None Remote Medium Not required None Partial None
On Netis DL4323 devices, pingrtt_v6.html has XSS (Ping6 Diagnostic).
43 CVE-2019-20074 269 2019-12-30 2020-08-24
4.0
None Remote Low ??? Partial None None
On Netis DL4323 devices, any user role can view sensitive information, such as a user password or the FTP password, via the form2saveConf.cgi page.
44 CVE-2019-20073 79 XSS 2019-12-30 2020-01-02
4.3
None Remote Medium Not required None Partial None
On Netis DL4323 devices, XSS exists via the form2userconfig.cgi username parameter (User Account Configuration).
45 CVE-2019-20072 79 XSS 2019-12-30 2020-01-02
4.3
None Remote Medium Not required None Partial None
On Netis DL4323 devices, XSS exists via the form2Ddns.cgi hostname parameter (Dynamic DNS Configuration).
46 CVE-2019-20071 352 CSRF 2019-12-30 2020-01-02
5.8
None Remote Medium Not required None Partial Partial
On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete all logs.
47 CVE-2019-20070 79 XSS 2019-12-30 2020-01-02
4.3
None Remote Medium Not required None Partial None
On Netis DL4323 devices, XSS exists via the urlFQDN parameter to form2url.cgi (aka the Keyword field of the URL Blocking Configuration).
48 CVE-2019-20063 665 2019-12-29 2020-01-08
6.8
None Remote Medium Not required Partial Partial Partial
hdf/dataobject.c in libmysofa before 0.8 has an uninitialized use of memory, as demonstrated by mysofa2json.
49 CVE-2019-20058 79 XSS 2019-12-29 2020-01-08
4.3
None Remote Medium Not required None Partial None
** DISPUTED ** Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS because unsanitized search?search= input is shown on the _profiler page. NOTE: this is disputed because profiling was never intended for use in production. This is related to CVE-2018-12040.
50 CVE-2019-20057 345 2019-12-29 2020-01-02
4.3
None Remote Medium Not required None Partial None
com.proxyman.NSProxy.HelperTool in Privileged Helper Tool in Proxyman for macOS 1.11.0 and earlier allows an attacker to change the System Proxy and redirect all traffic to an attacker-controlled computer, enabling MITM attacks.
Total number of vulnerabilities: 1577 (this is page 1 of 32)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.