Security Vulnerabilities Published In September 2019 (Bypass)

Each entry lists: # CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Score, then Gained Access Level, Access (vector), Access Complexity, Authentication and the Conf./Integ./Avail. impact, then the description. The "# of Exploits" column is empty for every entry on this page.

1. CVE-2019-16892 | CWE-400 | DoS, Bypass | Published 2019-09-25 | Updated 2019-10-01 | Score 7.1
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Impact: Conf. None, Integ. None, Avail. Complete
   In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).

2. CVE-2019-16884 | CWE-863 | Bypass | Published 2019-09-25 | Updated 2019-10-07 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. None, Integ. Partial, Avail. None
   runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

3. CVE-2019-16723 | CWE-639 | Bypass | Published 2019-09-23 | Updated 2019-09-23 | Score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Impact: Conf. Partial, Integ. None, Avail. None
   In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.

4. CVE-2019-16722 | CWE-20 | Exec Code, Bypass | Published 2019-09-23 | Updated 2019-09-23 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses an str_ireplace operation.

5. CVE-2019-16378 | CWE-290 | Bypass | Published 2019-09-17 | Updated 2019-09-17 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a signature-bypass vulnerability with multiple From: addresses, which might affect applications that consider a domain name to be relevant to the origin of an e-mail message.

6. CVE-2019-16371 | CWE-522 | Bypass | Published 2019-09-16 | Updated 2019-09-17 | Score 5.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. None
   LogMeIn LastPass before 4.33.0 allows attackers to construct a crafted web site that captures the credentials for a victim's account on a previously visited web site, because do_popupregister can be bypassed via clickjacking.

7. CVE-2019-16318 | CWE-434 | Bypass | Published 2019-09-14 | Updated 2019-09-17 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.

8. CVE-2019-16190 | CWE-287 | Bypass | Published 2019-09-09 | Updated 2019-09-11 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   SharePort Web Access on D-Link DIR-868L REVB through 2.03, DIR-885L REVA through 1.20, and DIR-895L REVA through 1.21 devices allows Authentication Bypass, as demonstrated by a direct request to folder_view.php or category_view.php.

9. CVE-2019-16098 | CWE-269 | Exec Code, Bypass | Published 2019-09-11 | Updated 2019-09-13 | Score 7.2
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Impact: Conf. Complete, Integ. Complete, Avail. Complete
   The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.

10. CVE-2019-15941 | CWE-863 | Bypass | Published 2019-09-25 | Updated 2019-10-01 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relying Party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.

11. CVE-2019-15813 | CWE-94 | Exec Code, Bypass | Published 2019-09-04 | Updated 2019-09-04 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   Multiple file upload restriction bypass vulnerabilities in Sentrifugo 3.2 could allow authenticated users to execute arbitrary code via a webshell.

12. CVE-2019-15732 | CWE-200 | Bypass, +Info | Published 2019-09-16 | Updated 2019-09-18 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. None, Avail. None
   An issue was discovered in GitLab Community and Enterprise Edition 12.2 through 12.2.1. The project import API could be used to bypass project visibility restrictions.

13. CVE-2019-15730 | CWE-918 | Bypass | Published 2019-09-16 | Updated 2019-09-18 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. None, Integ. Partial, Avail. None
   An issue was discovered in GitLab Community and Enterprise Edition 8.14 through 12.2.1. The Jira integration contains an SSRF vulnerability as a result of a bypass of the current protection mechanisms against this type of attack, which would allow sending requests to any resources accessible in the local network by the GitLab server.

14. CVE-2019-15723 | CWE-732 | Bypass | Published 2019-09-16 | Updated 2019-09-18 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. None, Integ. Partial, Avail. None
   An issue was discovered in GitLab Community and Enterprise Edition 11.9.x and 11.10.x before 11.10.1. Merge requests created by email could be used to bypass push rules in certain situations.

15. CVE-2019-15088 | CWE-704 | Bypass | Published 2019-09-20 | Updated 2019-09-20 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   An issue was discovered in PRiSE adAS 1.7.0. Password hashes are compared using the equality operator. Thus, under specific circumstances, it is possible to bypass login authentication.

16. CVE-2019-15069 | CWE-287 | +Priv, Bypass | Published 2019-09-25 | Updated 2019-09-26 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   An unsafe authentication interface was discovered in Smart Battery A4, a multifunctional portable charger, firmware version <= r1.7.9. An attacker can bypass authentication without modifying any device file and gain web page management privilege.

17. CVE-2019-15067 | CWE-287 | +Priv, Bypass | Published 2019-09-25 | Updated 2019-10-01 | Score 10.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Complete, Integ. Complete, Avail. Complete
   An authentication bypass vulnerability was discovered in Smart Battery A2-25DE, a multifunctional portable charger, firmware version <= SECFS-2013-10-16-13:42:58-629c30ee-60c68be6. An attacker can bypass authentication and gain privilege by modifying the login page.

18. CVE-2019-14998 | CWE-352 | Bypass, CSRF | Published 2019-09-11 | Updated 2019-09-16 | Score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Impact: Conf. None, Integ. Partial, Avail. None
   The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance.

19. CVE-2019-14817 | CWE-264 | Exec Code, Bypass | Published 2019-09-03 | Updated 2019-09-09 | Score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   A flaw was found in ghostscript versions prior to 9.28, in the .pdfexectoken and other procedures, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

20. CVE-2019-14813 | CWE-264 | Exec Code, Bypass | Published 2019-09-06 | Updated 2019-09-09 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   A flaw was found in ghostscript, versions 9.x before 9.28, in the setsystemparams procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

21. CVE-2019-14811 | CWE-264 | Exec Code, Bypass | Published 2019-09-03 | Updated 2019-09-09 | Score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   A flaw was found in ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

22. CVE-2019-14253 | CWE-863 | Bypass | Published 2019-09-18 | Updated 2019-09-18 | Score 6.4
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. None
   An issue was discovered in servletcontroller in the secure portal in Publisure 2.1.2. One can bypass authentication and perform a query on PHP forms within the /AdminDir folder that should be restricted.

23. CVE-2019-13953 | CWE-287 | Bypass | Published 2019-09-06 | Updated 2019-09-06 | Score 8.3
   Gained access: None | Access: Local Network | Complexity: Low | Authentication: Not required | Impact: Conf. Complete, Integ. Complete, Avail. Complete
   An exploitable authentication bypass vulnerability exists in the Bluetooth Low Energy (BLE) authentication module of YI M1 Mirrorless Camera V3.2-cn. An attacker can send a set of BLE commands to trigger this vulnerability, resulting in sensitive data leakage (e.g., personal photos). An attacker can also control the camera to record or take a picture after bypassing authentication.

24. CVE-2019-13190 | CWE-287 | Bypass | Published 2019-09-05 | Updated 2019-09-06 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. None, Integ. None, Avail. Partial
   In Knowage through 6.1.1, the sign up page does not invalidate a valid CAPTCHA token. This allows for CAPTCHA bypass in the signup page.

25. CVE-2019-13188 | CWE-284 | Bypass | Published 2019-09-05 | Updated 2019-09-05 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. None, Avail. None
   In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application.

26. CVE-2019-12662 | CWE-347 | Exec Code, Bypass | Published 2019-09-25 | Updated 2019-10-09 | Score 7.2
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Impact: Conf. Complete, Integ. Complete, Avail. Complete
   A vulnerability in Cisco NX-OS Software and Cisco IOS XE Software could allow an authenticated, local attacker with valid administrator or privilege level 15 credentials to load a virtual service image and bypass signature verification on an affected device. The vulnerability is due to improper signature verification during the installation of an Open Virtual Appliance (OVA) image. An authenticated, local attacker could exploit this vulnerability and load a malicious, unsigned OVA image on an affected device. A successful exploit could allow an attacker to perform code execution on a crafted software OVA image.

27. CVE-2019-12633 | CWE-20 | Bypass | Published 2019-09-04 | Updated 2019-10-09 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. None, Integ. Partial, Avail. None
   A vulnerability in Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on a targeted system. The vulnerability is due to improper validation of user-supplied input on the affected system. An attacker could exploit this vulnerability by sending the user of the web application a crafted request. If the request is processed, the attacker could access the system and perform unauthorized actions.

28. CVE-2019-12632 | CWE-20 | Bypass | Published 2019-09-04 | Updated 2019-10-09 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. None, Integ. Partial, Avail. None
   A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on an affected system. The vulnerability exists because the affected system does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a user of the web application. A successful exploit could allow the attacker to access the system and perform unauthorized actions.

29. CVE-2019-11738 | CWE-276 | Bypass | Published 2019-09-27 | Updated 2019-10-05 | Score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.

30. CVE-2019-11380 | CWE-284 | Bypass | Published 2019-09-05 | Updated 2019-09-06 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. None, Avail. None
   The master-password feature in the ES File Explorer File Manager application 4.2.0.1.3 for Android can be bypassed via a com.estrongs.android.pop.ftp.ESFtpShortcut intent, leading to remote FTP access to the entirety of local storage.

31. CVE-2019-11210 | CWE-20 | Exec Code, Bypass | Published 2019-09-18 | Updated 2019-10-09 | Score 10.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Complete, Integ. Complete, Avail. Complete
   The server component of TIBCO Software Inc.'s TIBCO Enterprise Runtime for R - Server Edition, and TIBCO Spotfire Analytics Platform for AWS Marketplace contains a vulnerability that theoretically allows an unauthenticated user to bypass access controls and remotely execute code using the operating system account hosting the affected component. This issue affects: TIBCO Enterprise Runtime for R - Server Edition versions 1.2.0 and below, and TIBCO Spotfire Analytics Platform for AWS Marketplace versions 10.4.0 and 10.5.0.

32. CVE-2019-10418 | CWE-269 | Bypass | Published 2019-09-25 | Updated 2019-10-09 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   Jenkins Kubernetes :: Pipeline :: Arquillian Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.

33. CVE-2019-10417 | CWE-269 | Bypass | Published 2019-09-25 | Updated 2019-10-09 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.

34. CVE-2019-10400 | CWE-20 | Exec Code, Bypass | Published 2019-09-12 | Updated 2019-10-09 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts.

35. CVE-2019-10399 | CWE-20 | Exec Code, Bypass | Published 2019-09-12 | Updated 2019-10-09 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions in increment and decrement expressions allowed attackers to execute arbitrary code in sandboxed scripts.

36. CVE-2019-10394 | CWE-20 | Exec Code, Bypass | Published 2019-09-12 | Updated 2019-10-09 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts.

37. CVE-2019-10393 | CWE-20 | Exec Code, Bypass | Published 2019-09-12 | Updated 2019-10-09 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts.

38. CVE-2019-10256 | CWE-287 | Bypass | Published 2019-09-10 | Updated 2019-09-16 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   An authentication bypass vulnerability in VIVOTEK IPCam versions prior to 0x13a was found.

39. CVE-2019-9854 | CWE-284 | Dir. Trav., Bypass | Published 2019-09-06 | Updated 2019-09-09 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However, this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed-in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.

40. CVE-2019-9853 | CWE-116 | Bypass | Published 2019-09-27 | Updated 2019-10-06 | Score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings; typically, execution of macros is blocked by default. A URL decoding flaw existed in how the URLs to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and the user was prompted about their existence within the documents, but macros within the document were subsequently not controlled by the security settings, allowing arbitrary macro execution. This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1.

41. CVE-2019-9463 | CWE-269 | Bypass | Published 2019-09-27 | Updated 2019-10-03 | Score 4.4
   Gained access: None | Access: Local | Complexity: Medium | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   In Platform, there is a possible bypass of user interaction requirements due to background app interception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-113584607

42. CVE-2019-9443 | CWE-264 | Bypass | Published 2019-09-06 | Updated 2019-09-09 | Score 4.6
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   In the Android kernel in the vl53L0 driver there is a possible out of bounds write due to a permissions bypass. This could lead to local escalation of privilege due to a set_fs() call without restoring the previous limit, with System execution privileges needed. User interaction is not needed for exploitation.

43. CVE-2019-9436 | CWE-264 | Bypass | Published 2019-09-06 | Updated 2019-09-09 | Score 4.6
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   In the Android kernel in the bootloader there is a possible secure boot bypass. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation.

44. CVE-2019-9407 | CWE-732 | Bypass | Published 2019-09-27 | Updated 2019-10-03 | Score 4.6
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   In notification management of the service manager, there is a possible permissions bypass. This could lead to local escalation of privilege by preventing user notification, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-112434609

45. CVE-2019-9384 | CWE-732 | Bypass | Published 2019-09-27 | Updated 2019-10-03 | Score 7.2
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Impact: Conf. Complete, Integ. Complete, Avail. Complete
   In LockPatternUtils, there is a possible escalation of privilege due to an improper permissions check. This could lead to local bypass of the Lockguard with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-120568007

46. CVE-2019-9378 | CWE-732 | Bypass | Published 2019-09-27 | Updated 2019-10-03 | Score 4.6
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   In the Activity Manager service, there is a possible permission bypass due to an incorrect permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-124539196

47. CVE-2019-9377 | CWE-862 | Bypass | Published 2019-09-27 | Updated 2019-10-07 | Score 2.1
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. None, Avail. None
   In FingerprintService, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check. This could lead to a local information disclosure of metadata about the biometrics of another user on the device with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-128599663

48. CVE-2019-9374 | CWE-732 | Bypass | Published 2019-09-27 | Updated 2019-10-04 | Score 4.6
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. Partial, Avail. Partial
   In CompanionDeviceManager, there is a possible bypass of user interaction requirements due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-129476618

49. CVE-2019-9364 | CWE-732 | Bypass | Published 2019-09-27 | Updated 2019-10-02 | Score 2.1
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. None, Avail. None
   In AudioService, there is a possible trigger of background user audio due to a permissions bypass. This could lead to local information disclosure by playing the background user's audio with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-73364631

50. CVE-2019-9351 | CWE-862 | Bypass | Published 2019-09-27 | Updated 2019-10-02 | Score 2.1
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Impact: Conf. Partial, Integ. None, Avail. None
   In SyncStatusObserver, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check. This could lead to local limited information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-128599864
Total number of vulnerabilities: 72 (page 1 of 2)