CVE List - 2019 / July
Showing 401 - 500 of 1618 CVEs for July 2019 (Page 5 of 17)
| CVE ID | Date | Description |
|---|---|---|
| CVE-2019-11020 | 2019-07-09 | Lack of authentication in file-viewing components in DDRT Dashcom Live 2019-05-09 allows anyone to remotely access all claim details by visiting easily guessable dashboard/uploads/claim_files/claim_id_ URLs. |
| CVE-2019-8920 | 2019-07-09 | iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569. |
| CVE-2019-3949 | 2019-07-09 | Arlo Basestation firmware 1.12.0.1_27940 and prior firmware contain a networking misconfiguration that allows access to restricted network interfaces. This could allow an attacker to upload or download arbitrary files and... |
| CVE-2019-3950 | 2019-07-09 | Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded username and password combination that allows root access to the device when a connection is made to an onboard serial interface. |
| CVE-2019-13461 | 2019-07-09 | In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during... |
| CVE-2019-13142 | 2019-07-09 | The RzSurroundVADStreamingService (RzSurroundVADStreamingService.exe) in Razer Surround 1.1.63.0 runs as the SYSTEM user using an executable located in %PROGRAMDATA%\Razer\Synapse\Devices\Razer Surround\Driver\. The DACL on this folder allows any user to overwrite contents... |
| CVE-2019-13146 | 2019-07-09 | The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return... |
| CVE-2019-13070 | 2019-07-09 | A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting... |
| CVE-2019-13464 | 2019-07-09 | An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots... |
| CVE-2019-11991 | 2019-07-09 | HPE has identified a vulnerability in HPE 3PAR Service Processor (SP) version 4.1 through 4.4. HPE 3PAR Service Processor (SP) version 4.1 through 4.4 has a remote information disclosure vulnerability... |
| CVE-2019-13280 | 2019-07-09 | TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains a stack-based buffer overflow while returning an error message to the user about failure to resolve a hostname during a... |
| CVE-2019-13338 | 2019-07-09 | In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata.... |
| CVE-2019-13337 | 2019-07-09 | In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is... |
| CVE-2019-9147 | 2019-07-09 | Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation... |
| CVE-2019-13277 | 2019-07-09 | TRENDnet TEW-827DRU with firmware up to and including 2.04B03 allows an unauthenticated attacker to execute setup wizard functionality, giving this attacker the ability to change configuration values, potentially leading to... |
| CVE-2019-11512 | 2019-07-09 | Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7.5. |
| CVE-2019-13380 | 2019-07-09 | KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from websites is mishandled in the online vault. |
| CVE-2019-9148 | 2019-07-09 | Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification. Keys that are obviously invalid are not... |
| CVE-2019-9149 | 2019-07-09 | Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. By modifying an URL parameter in Mailvelope, an attacker is able to sign (and encrypt) arbitrary... |
| CVE-2019-9150 | 2019-07-09 | Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on web page. This functionality can be tricked to either hide a key import from the... |
| CVE-2019-13470 | 2019-07-09 | MatrixSSL before 4.2.1 has an out-of-bounds read during ASN.1 handling. |
| CVE-2019-13472 | 2019-07-09 | PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file. |
| CVE-2019-13475 | 2019-07-09 | In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL. Based on... |
| CVE-2019-13478 | 2019-07-09 | The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions. |
| CVE-2018-14550 | 2019-07-10 | An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png. |
| CVE-2019-13132 | 2019-07-10 | In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled,... |
| CVE-2018-12622 | 2019-07-10 | An issue was discovered in Eventum 3.5.0. htdocs/ajax/update.php has XSS via the field_name parameter. |
| CVE-2018-12623 | 2019-07-10 | An issue was discovered in Eventum 3.5.0. htdocs/switch.php has XSS via the current_page parameter. |
| CVE-2018-12625 | 2019-07-10 | An issue was discovered in Eventum 3.5.0. /htdocs/validate.php has XSS via the values parameter. |
| CVE-2018-12626 | 2019-07-10 | An issue was discovered in Eventum 3.5.0. /htdocs/popup.php has XSS via the cat parameter. |
| CVE-2018-12627 | 2019-07-10 | An issue was discovered in Eventum 3.5.0. /htdocs/list.php has XSS via the show_notification_list_issues or show_authorized_issues parameter. |
| CVE-2018-12628 | 2019-07-10 | An issue was discovered in Eventum 3.5.0. CSRF in htdocs/manage/users.php allows creating another user with admin privileges. |
| CVE-2019-10120 | 2019-07-10 | On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout,... |
| CVE-2019-10119 | 2019-07-10 | eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via an invalid... |
| CVE-2019-10121 | 2019-07-10 | eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.15 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via the user... |
| CVE-2019-10122 | 2019-07-10 | eQ-3 HomeMatic CCU2 devices before 2.41.9 and CCU3 devices before 3.43.16 have buffer overflows in the ReGa ise GmbH HTTP-Server 2.0 component, aka HMCCU-179. This may lead to remote code... |
| CVE-2019-12723 | 2019-07-10 | An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. It allows SQL Injection via the container_id and old_order parameters to ajax/reorder.php by an unauthenticated user. |
| CVE-2018-14494 | 2019-07-10 | Vivotek FD8136 devices allow Remote Command Injection, related to BusyBox and wget. NOTE: the vendor sent a clarification on 2019-09-17 explaining that, although this CVE was first populated in July... |
| CVE-2018-14495 | 2019-07-10 | Vivotek FD8136 devices allow Remote Command Injection, aka "another command injection vulnerability in our target device," a different issue than CVE-2018-14494. NOTE: The vendor has disputed this as a vulnerability... |
| CVE-2018-14496 | 2019-07-10 | Vivotek FD8136 devices allow remote memory corruption and remote code execution because of a stack-based buffer overflow, related to sprintf, vlocal_buff_4326, and set_getparam.cgi. NOTE: The vendor has disputed this as... |
| CVE-2018-20851 | 2019-07-10 | Helpy before 2.2.0 allows agents to edit admins. |
| CVE-2019-13396 | 2019-07-10 | FlightPath 4.x and 5.0-x allows directory traversal and Local File Inclusion through the form_include parameter in an index.php?q=system-handle-form-submit POST request because of an include_once in system_handle_form_submit in modules/system/system.module. |
| CVE-2019-13071 | 2019-07-10 | CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. This can be exploited by... |
| CVE-2019-13240 | 2019-07-10 | An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours... |
| CVE-2019-13225 | 2019-07-10 | A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby,... |
| CVE-2019-13224 | 2019-07-10 | A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The... |
| CVE-2019-12724 | 2019-07-10 | An issue was discovered in the Teclib News plugin through 1.5.2 for GLPI. It allows a stored XSS attack via the $_POST['name'] parameter. |
| CVE-2018-17147 | 2019-07-10 | Nagios XI before 5.5.4 has XSS in the auto login admin management page. |
| CVE-2019-10653 | 2019-07-10 | An issue was discovered in Hsycms V1.1. There is a SQL injection vulnerability via a /news/*.html page. |
| CVE-2017-12652 | 2019-07-10 | libpng before 1.6.32 does not properly check the length of chunks against the user limit. |
| CVE-2017-6217 | 2019-07-10 | paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XSS in SetPaymentOptions.php, resulting in script execution in the victim's browser. |
| CVE-2018-14831 | 2019-07-10 | An arbitrary file read vulnerability in DamiCMS v6.0.0 allows remote authenticated administrators to read any files in the server via a crafted /admin.php?s=Tpl/Add/id/ URI. |
| CVE-2017-7189 | 2019-07-10 | main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has... |
| CVE-2018-19493 | 2019-07-10 | An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is a persistent XSS vulnerability in the environment pages... |
| CVE-2019-12467 | 2019-07-10 | MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed... |
| CVE-2018-19494 | 2019-07-10 | An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an incorrect access vulnerability that allows an unauthorized... |
| CVE-2018-19495 | 2019-07-10 | An issue was discovered in GitLab Community and Enterprise Edition before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an SSRF vulnerability in the Prometheus integration. |
| CVE-2018-19496 | 2019-07-10 | An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an incorrect access control vulnerability that... |
| CVE-2019-12468 | 2019-07-10 | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover. |
| CVE-2018-19577 | 2019-07-10 | Gitlab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an incorrect access control vulnerability that displays to an unauthorized user... |
| CVE-2018-19573 | 2019-07-10 | GitLab CE/EE, versions 10.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via Mermaid. |
| CVE-2018-19570 | 2019-07-10 | GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags. |
| CVE-2019-12466 | 2019-07-10 | Wikimedia MediaWiki through 1.32.1 allows CSRF. |
| CVE-2018-19572 | 2019-07-10 | GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This... |
| CVE-2018-10531 | 2019-07-10 | An issue was discovered in the America's Army Proving Grounds platform for the Unreal Engine. With a forged packet sent via UDP, the application server responds with several bytes, giving... |
| CVE-2018-19576 | 2019-07-10 | GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make... |
| CVE-2019-12473 | 2019-07-10 | Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and... |
| CVE-2019-12471 | 2019-07-10 | Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in... |
| CVE-2018-19575 | 2019-07-10 | GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an insecure direct object reference issue that allows a user to... |
| CVE-2019-12472 | 2019-07-10 | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed... |
| CVE-2018-19569 | 2019-07-10 | GitLab CE/EE, versions 8.8 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an authorization vulnerability that allows access to the web-UI as a... |
| CVE-2019-12474 | 2019-07-10 | Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2... |
| CVE-2018-19574 | 2019-07-10 | GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page. |
| CVE-2018-19571 | 2019-07-10 | GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks. |
| CVE-2019-12469 | 2019-07-10 | MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
| CVE-2018-19580 | 2019-07-10 | All versions of GitLab prior to 11.5.1, 11.4.8, and 11.3.11 do not send an email to the old email address when an email address change is made. |
| CVE-2019-12470 | 2019-07-10 | Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
| CVE-2019-13276 | 2019-07-10 | TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains a stack-based buffer overflow in the ssi binary. The overflow allows an unauthenticated user to execute arbitrary code by providing... |
| CVE-2019-13278 | 2019-07-10 | TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains multiple command injections when processing user input for the setup wizard, allowing an unauthenticated user to run arbitrary commands on... |
| CVE-2019-13279 | 2019-07-10 | TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains multiple stack-based buffer overflows when processing user input for the setup wizard, allowing an unauthenticated user to execute arbitrary code.... |
| CVE-2019-13122 | 2019-07-10 | A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML... |
| CVE-2018-19583 | 2019-07-10 | GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the... |
| CVE-2018-19582 | 2019-07-10 | GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request... |
| CVE-2018-19581 | 2019-07-10 | GitLab EE, versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure object reference vulnerability that allows a Guest user to... |
| CVE-2018-19584 | 2019-07-10 | GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view... |
| CVE-2018-19579 | 2019-07-10 | GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. This is fixed in 11.5.1. |
| CVE-2018-19578 | 2019-07-10 | GitLab EE, version 11.5 before 11.5.1, is vulnerable to an insecure object reference issue that permits a user with Reporter privileges to view the Jaeger Tracing Operations page. |
| CVE-2018-11734 | 2019-07-10 | In e107 v2.1.7, output without filtering results in XSS. |
| CVE-2019-1873 | 2019-07-10 | Cisco ASA and FTD Software Cryptographic TLS and SSL Driver Denial of Service Vulnerability |
| CVE-2019-5220 | 2019-07-10 | There is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones. The system does not sufficiently verify permissions, so an attacker could perform a certain operation at a certain step... |
| CVE-2019-5221 | 2019-07-10 | There is a path traversal vulnerability in Huawei Share. The software does not properly validate the path, so an attacker could craft a file path when transferring a file through Huawei Share,... |
| CVE-2019-10966 | 2019-07-10 | In GE Aestiva and Aespire versions 7100 and 7900, a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could... |
| CVE-2019-11650 | 2019-07-10 | A potential Man in the Middle attack (MITM) was found in NetIQ Advanced Authentication Framework versions prior to 6.0. |
| CVE-2019-0281 | 2019-07-10 | SAPUI5 and OpenUI5, before versions 1.38.39, 1.44.39, 1.52.25, 1.60.6 and 1.63.0, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. |
| CVE-2019-0318 | 2019-07-10 | Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted. |
| CVE-2019-0319 | 2019-07-10 | The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. An attacker could thus mislead... |
| CVE-2019-0321 | 2019-07-10 | ABAP Server and ABAP Platform (SAP Basis), versions 7.31, 7.4, and 7.5, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. |
| CVE-2019-0322 | 2019-07-10 | SAP Commerce Cloud (previously known as SAP Hybris Commerce), (HY_COM, versions 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811), allows an attacker to prevent legitimate users from accessing a service, either... |
| CVE-2019-0325 | 2019-07-10 | SAP ERP HCM (SAP_HRCES), version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this under... |
| CVE-2019-0326 | 2019-07-10 | SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), versions 4.1, 4.2, 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |
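The CVE-2019-13464 row above (OWASP ModSecurity CRS 3.0.2) describes a rule bypass that hinges on a PHP quirk: PHP rewrites dots and spaces in incoming variable names to underscores, so a parameter sent as `X.Filename` reaches the script as `$_POST['X_Filename']`, while a rule that selects the parameter by its literal name `X_Filename` never looks at it. The following is an added example, not code from the CRS project or from this page; it models a minimal filename-inspection rule in its literal and normalised forms. The parameter name `X_Filename`, the PHP extension list and the request bodies are assumptions constructed for the demonstration, and only PHP's documented dot/space rewriting is modelled.

```python
"""Added example (not OWASP CRS code): literal vs. backend-normalised
parameter-name matching for an upload-filename rule."""
import re
from urllib.parse import parse_qsl

# Parameter names the hypothetical upload rule keys on (assumed).
FILENAME_PARAMS = {"X_Filename"}
# Simplified PHP-executable extension list (assumed; real rule sets are longer).
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar|phps)$", re.IGNORECASE)


def php_normalize_name(name: str) -> str:
    """Model PHP's documented handling of external variable names:
    dots and spaces in the name become underscores."""
    return re.sub(r"[. ]", "_", name)


def _find_php_upload(body: str, normalize: bool):
    """Return the offending filename if a filename parameter carries a PHP
    extension, else None. `normalize` selects the hardened behaviour."""
    for name, value in parse_qsl(body, keep_blank_values=True):
        key = php_normalize_name(name) if normalize else name
        if key in FILENAME_PARAMS and PHP_EXT.search(value):
            return value
    return None


def literal_rule(body: str):
    """Vulnerable: matches the raw parameter name only, so 'X.Filename'
    (which PHP will read as X_Filename) slips past."""
    return _find_php_upload(body, normalize=False)


def normalized_rule(body: str):
    """Hardened: normalise the name the way the backend will, then match."""
    return _find_php_upload(body, normalize=True)


if __name__ == "__main__":
    # Constructed request bodies: the underscore form, the dot form, and the
    # space form ('+' decodes to a space in a query string).
    for body in ("X_Filename=shell.php", "X.Filename=shell.php", "X+Filename=shell.php"):
        print(f"{body!r:26} literal={literal_rule(body)!r:12} normalized={normalized_rule(body)!r}")
```

The general lesson is that a WAF must canonicalise input the same way the protected application does; any transformation the backend applies after the WAF has inspected the request is a bypass surface.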
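The CVE-2019-13337 row above (WESEEK GROWI before 3.5.0) describes site-wide basic authentication being bypassed by adding an `access_token` URL parameter, the parameter the API uses for token authentication. The following is an added example, not GROWI's code, showing the shape of that bug and its fix: the vulnerable handler treats the presence of the parameter as "API client, skip basic auth" without resolving the token, while the hardened handler resolves the token to a user and denies the request when it does not resolve. The user names, password and token values are constructed for the demonstration.

```python
"""Added example (not GROWI code): basic auth with an API-token alternative,
in a vulnerable form (token presence skips auth) and a hardened form."""
import base64
import hmac
from urllib.parse import parse_qs, urlsplit

USERS = {"admin": "correct horse battery staple"}   # constructed credentials
API_TOKENS = {"tok_live_2f9a7c": "admin"}            # constructed token table


def basic_header(user: str, password: str) -> dict:
    """Build an Authorization header the way a browser would."""
    raw = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {raw}"}


def _user_from_basic_auth(headers: dict):
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return user


def _user_from_token(token: str):
    # Constant-time comparison against each issued token (small table).
    for issued, user in API_TOKENS.items():
        if hmac.compare_digest(issued.encode(), token.encode()):
            return user
    return None


def _token_in_url(url: str):
    """The raw access_token value if the parameter is present (even empty), else None."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("access_token", [None])[0]


def authenticate_vulnerable(url: str, headers: dict):
    """Returns the principal granted access, or None.
    Bug: a present access_token parameter disables basic auth and is never checked."""
    if _token_in_url(url) is not None:
        return "api-client"
    return _user_from_basic_auth(headers)


def authenticate_fixed(url: str, headers: dict):
    """Hardened: a present token must resolve to a user; otherwise deny.
    There is no fall-through to an 'allowed' state."""
    token = _token_in_url(url)
    if token is not None:
        return _user_from_token(token)
    return _user_from_basic_auth(headers)
```

Usage: `authenticate_fixed("/Secret/Page?access_token=bogus", {})` returns `None`, whereas the vulnerable variant returns a principal for the same request. The design point is that an alternative authentication path must be a second *verifier*, never a switch that turns the first one off.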
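The CVE-2019-13240 row above (GLPI before 9.4.1) describes a password-reset token that remains usable for the rest of its 24-hour window after a successful reset. A reset token has two independent lifetimes, the expiry window and "has it already been redeemed", and only enforcing the first means a leaked link (mail forwarding, browser history, link previews) still changes the password later. The following is an added example, not GLPI's code, with a token store in a vulnerable form (expiry only) and a hardened form (single use, and a new request revokes the user's earlier token). The user name, the deterministic clock values and the 24 h TTL are assumptions for the demonstration.

```python
"""Added example (not GLPI code): expiry-only vs. single-use password-reset tokens."""
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 24 * 3600   # assumed to match the 24 hours in the row


class FakeClock:
    """Deterministic clock so the demonstration is reproducible."""
    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class ResetTokenStore:
    def __init__(self, single_use: bool, clock=time.time):
        self.single_use = single_use
        self._clock = clock
        # sha256(token) -> [user, expires_at, consumed]. Only digests are kept,
        # so a database leak does not hand out usable reset links.
        self._entries = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        if self.single_use:
            # Hardened: a fresh request invalidates any outstanding token for the user.
            self._entries = {d: e for d, e in self._entries.items() if e[0] != user}
        token = secrets.token_urlsafe(32)
        self._entries[self._digest(token)] = [user, self._clock() + RESET_TTL_SECONDS, False]
        return token

    def redeem(self, token: str):
        """Return the user whose password may now be changed, or None."""
        entry = self._entries.get(self._digest(token))
        if entry is None:
            return None
        user, expires_at, consumed = entry
        if self._clock() > expires_at:
            return None
        if self.single_use and consumed:
            return None          # replay of an already-used link
        entry[2] = True          # mark consumed (only enforced when single_use)
        return user


def simulate(single_use: bool, replay_after_seconds: float = 3600):
    """Issue one token, redeem it legitimately, then replay it later.
    Returns (first_result, replay_result)."""
    clock = FakeClock(1_700_000_000)
    store = ResetTokenStore(single_use=single_use, clock=clock)
    token = store.issue("alice")
    first = store.redeem(token)
    clock.advance(replay_after_seconds)
    return first, store.redeem(token)


if __name__ == "__main__":
    print("expiry only:", simulate(single_use=False))   # ('alice', 'alice')
    print("single use :", simulate(single_use=True))    # ('alice', None)
```

Marking the token consumed is cheap and closes the replay window entirely; combining it with revocation on re-issue also prevents an attacker from racing the legitimate user with an older, still-valid link.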
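The CVE-2019-12472 row above (MediaWiki 1.18.0 through 1.32.1) is the classic "limit enforced in one entry point but not the other": the web form honoured `$wgBlockCIDRLimit`, the API path did not, so an overly wide IP-range block could be placed via the API. The following is an added example, not MediaWiki code, showing the check placed once in a shared service so both entry points pass through it, next to the vulnerable pattern of an API path that only parses the range. The per-family minimum prefix lengths below are assumed values chosen for the demonstration and mirror only the shape of that setting.

```python
"""Added example (not MediaWiki code): enforce a CIDR-width limit for IP blocks
in one shared place so no entry point can skip it."""
import ipaddress

# Minimum prefix length permitted per address family (assumed demo values).
BLOCK_CIDR_LIMIT = {4: 16, 6: 19}


class RangeTooWide(ValueError):
    pass


def validate_block_target(target: str, limits=BLOCK_CIDR_LIMIT):
    """Parse a single IP or CIDR range and reject ranges wider than the
    configured limit for that address family. Returns the normalised network.
    Malformed input raises ValueError from the ipaddress module."""
    net = ipaddress.ip_network(target, strict=False)
    minimum = limits[net.version]
    if net.prefixlen < minimum:
        raise RangeTooWide(
            f"{target}: /{net.prefixlen} is wider than the allowed /{minimum} for IPv{net.version}")
    return net


class BlockService:
    """Hardened: both the web form and the API funnel into _apply(), so the
    limit check cannot be bypassed by choosing a different entry point."""
    def __init__(self):
        self.blocks = []

    def _apply(self, target: str) -> str:
        net = validate_block_target(target)
        self.blocks.append(net)
        return str(net)

    def block_via_web_form(self, target: str) -> str:
        return self._apply(target)

    def block_via_api(self, target: str) -> str:
        return self._apply(target)


def api_block_vulnerable(target: str) -> str:
    """Vulnerable pattern: the API parses the range but never checks the limit."""
    return str(ipaddress.ip_network(target, strict=False))


def is_allowed(target: str) -> bool:
    """Convenience predicate: True if the target would be accepted as a block."""
    try:
        validate_block_target(target)
        return True
    except ValueError:          # RangeTooWide is a ValueError, as is a parse failure
        return False


if __name__ == "__main__":
    svc = BlockService()
    print(svc.block_via_api("203.0.113.0/24"))        # accepted
    print(api_block_vulnerable("203.0.0.0/8"))        # vulnerable API accepts a /8
    print(is_allowed("203.0.0.0/8"), is_allowed("2001:db8::/16"))   # False False
```

`strict=False` normalises host bits away (a `/32` or `/128` for a single address), so the same function serves single-IP and range blocks; the width check is applied after normalisation, on the prefix the block would actually cover.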