CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
8301 CVE-2019-9868 522 2019-03-21 2020-08-24
4.0
None Remote Low ??? Partial None None
An issue was discovered in the Web Console in Veritas NetBackup Appliance through 3.1.2. The SMTP password is displayed to an administrator.
8302 CVE-2019-9867 522 2019-03-21 2020-08-24
4.0
None Remote Low ??? Partial None None
An issue was discovered in the Web Console in Veritas NetBackup Appliance through 3.1.2. The proxy server password is displayed to an administrator.
8303 CVE-2019-9866 200 +Info 2019-05-29 2019-09-09
4.0
None Remote Low ??? Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.7.7 and 11.8.x before 11.8.3. It allows Information Disclosure.
8304 CVE-2019-9864 20 2019-03-28 2019-03-28
4.0
None Remote Low ??? None Partial None
PHP Scripts Mall Amazon Affiliate Store 2.1.6 allows Parameter Tampering of the payment amount.
8305 CVE-2019-9861 310 2019-05-14 2019-05-17
4.8
None Local Network Low Not required Partial Partial None
Due to the use of an insecure RFID technology (MIFARE Classic), ABUS proximity chip keys (RFID tokens) of the ABUS Secvest FUAA50000 wireless alarm system can easily be cloned and used to deactivate the alarm system in an unauthorized way.
8306 CVE-2019-9857 401 DoS 2019-03-21 2020-08-24
4.9
None Local Low Not required None None Complete
In the Linux kernel through 5.0.2, the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark(), which will cause a memory leak (aka refcount leak). Finally, this will cause a denial of service.
8307 CVE-2019-9849 200 +Info 2019-07-17 2019-08-15
4.0
None Remote Low ??? Partial None None
LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.
8308 CVE-2019-9846 89 Sql +Info 2019-06-28 2019-07-05
4.0
None Remote Low ??? Partial None None
RockOA 1.8.7 allows remote attackers to obtain sensitive information because the webmain/webmainAction.php publictreestore method constructs a SQL WHERE clause unsafely by using the pidfields and idfields parameters, aka background SQL injection.
8309 CVE-2019-9844 79 XSS 2019-04-09 2019-04-15
4.3
None Remote Medium Not required None Partial None
simple-markdown.js in Khan Academy simple-markdown before 0.4.4 allows XSS via a data: or vbscript: URI.
8310 CVE-2019-9841 79 XSS 2019-04-19 2019-04-22
4.3
None Remote Medium Not required None Partial None
Vesta Control Panel 0.9.8-23 allows XSS via a crafted URL.
8311 CVE-2019-9839 79 XSS 2019-06-03 2019-06-04
4.3
None Remote Medium Not required None Partial None
VFront 0.99.5 has Reflected XSS via the admin/menu_registri.php descrizione_g parameter or the admin/sync_reg_tab.php azzera parameter.
8312 CVE-2019-9838 79 XSS 2019-06-03 2019-06-04
4.3
None Remote Medium Not required None Partial None
VFront 0.99.5 has stored XSS via the admin/sync_reg_tab.php azzera parameter, which is mishandled during admin/error_log.php rendering.
8313 CVE-2019-9834 79 XSS 2019-03-15 2019-08-14
4.3
None Remote Medium Not required None Partial None
** DISPUTED ** The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. NOTE: the vendor disputes the risk because there is a clear warning next to the button for importing a snapshot.
8314 CVE-2019-9816 843 Bypass 2019-07-23 2020-08-24
4.3
None Remote Medium Not required None Partial None
A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supported releases.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.
8315 CVE-2019-9807 20 2019-04-26 2019-04-29
4.3
None Remote Medium Not required None Partial None
When arbitrary text is sent over an FTP connection and a page reload is initiated, it is possible to create a modal alert message with this text as the content. This could potentially be used for social engineering attacks. This vulnerability affects Firefox < 66.
8316 CVE-2019-9793 119 Overflow 2019-04-26 2019-05-13
4.3
None Remote Medium Not required None Partial None
A mechanism was discovered that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have been disabled. This vulnerability could allow an attacker to create an arbitrary value in compiled JavaScript, for which the range analysis will infer a fully controlled, incorrect range in circumstances where users have explicitly disabled Spectre mitigations. *Note: Spectre mitigations are currently enabled for all users by default settings.*. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.
8317 CVE-2019-9765 79 XSS 2019-03-14 2019-03-14
4.3
None Remote Medium Not required None Partial None
In Blog_mini 1.0, XSS exists via the author name of a comment reply in the app/main/views.py articleDetails() function, related to app/templates/_article_comments.html.
8318 CVE-2019-9763 79 XSS 2019-06-19 2019-10-29
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Openfind Mail2000 6.0 and 7.0 Webmail. XSS can occur via an '<object data="data:text/html' substring in an e-mail message (The vendor subsequently patched this).
8319 CVE-2019-9755 191 Exec Code Overflow 2019-06-05 2020-07-27
4.4
None Local Medium Not required Partial Partial Partial
An integer underflow issue exists in ntfs-3g 2017.3.23. A local attacker could potentially exploit this by running /bin/ntfs-3g with specially crafted arguments from a specially crafted directory to cause a heap buffer overflow, resulting in a crash or the ability to execute arbitrary code. In installations where /bin/ntfs-3g is a setuid-root binary, this could lead to a local escalation of privileges.
8320 CVE-2019-9754 787 2019-03-13 2019-03-14
4.3
None Remote Medium Not required None None Partial
An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 1 byte out of bounds write in the end_macro function in tccpp.c.
8321 CVE-2019-9753 200 +Info 2019-06-03 2019-10-09
4.0
None Remote Low ??? Partial None None
An issue was discovered in Open Ticket Request System (OTRS) 7.x before 7.0.5. An attacker who is logged into OTRS as an agent or a customer user can use the search result screens to disclose information from invalid system entities. Following is the list of affected entities: Custom Pages, FAQ Articles, Service Catalogue Items, ITSM Configuration Items.
8322 CVE-2019-9741 93 2019-03-13 2021-03-22
4.3
None Remote Medium Not required None Partial None
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
8323 CVE-2019-9740 93 2019-03-13 2021-02-04
4.3
None Remote Medium Not required None Partial None
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
8324 CVE-2019-9738 79 XSS 2019-03-13 2019-03-13
4.3
None Remote Medium Not required None Partial None
jimmykuu Gopher 2.0 has DOM-based XSS via vectors involving the '<EMBED SRC="data:image/svg+xml' substring.
8325 CVE-2019-9737 79 XSS 2019-03-13 2020-01-06
4.3
None Remote Medium Not required None Partial None
Editor.md 1.5.0 has DOM-based XSS via vectors involving the '<EMBED SRC="data:image/svg+xml' substring.
8326 CVE-2019-9736 79 XSS 2019-03-13 2019-03-13
4.3
None Remote Medium Not required None Partial None
DOM-based XSS exists in 1024Tools Markdown 1.0 via vectors involving the '<EMBED SRC="data:image/svg+xml' substring.
8327 CVE-2019-9735 755 2019-03-13 2020-08-24
4.0
None Remote Low ??? None None Partial
An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.)
8328 CVE-2019-9725 79 XSS 2019-03-12 2019-03-13
4.3
None Remote Medium Not required None Partial None
The Web manager (aka Commander) on Korenix JetPort 5601 and 5601f devices has Persistent XSS via the Port Alias field under Serial Setting.
8329 CVE-2019-9721 125 DoS 2019-03-12 2021-01-04
4.3
None Remote Medium Not required None None Partial
A denial of service in the subtitle decoder in FFmpeg 3.2 and 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format, because handle_open_brace in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.
8330 CVE-2019-9718 125 DoS 2019-03-12 2021-01-04
4.3
None Remote Medium Not required None None Partial
In FFmpeg 3.2 and 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.
8331 CVE-2019-9714 79 XSS 2019-03-12 2019-03-15
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Joomla! before 3.9.4. The media form field lacks escaping, leading to XSS.
8332 CVE-2019-9712 79 XSS 2019-03-12 2019-03-15
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Joomla! before 3.9.4. The JSON handler in com_config lacks input validation, leading to XSS.
8333 CVE-2019-9711 79 XSS 2019-03-12 2019-03-15
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Joomla! before 3.9.4. The item_title layout in edit views lacks escaping, leading to XSS.
8334 CVE-2019-9708 2019-05-07 2020-08-24
4.0
None Remote Low ??? None None Partial
An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. A site administrator can suspend the system user (root), causing all users to be locked out from the system.
8335 CVE-2019-9703 +Priv 2019-07-01 2020-08-24
4.6
None Local Low Not required Partial Partial Partial
Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels.
8336 CVE-2019-9702 +Priv 2019-07-01 2020-08-24
4.6
None Local Low Not required Partial Partial Partial
Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels.
8337 CVE-2019-9697 200 +Info 2019-08-30 2019-09-05
4.0
None Remote Low ??? Partial None None
An information disclosure vulnerability in the Management Center (MC) REST API 2.0, 2.1, and 2.2 prior to 2.2.2.1 allows a malicious authenticated user to obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access.
8338 CVE-2019-9696 79 XSS Bypass 2019-04-09 2019-04-10
4.3
None Remote Medium Not required None Partial None
Symantec VIP Enterprise Gateway (all versions) may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy.
8339 CVE-2019-9694 +Priv 2019-04-10 2020-08-24
4.6
None Local Low Not required Partial Partial Partial
Symantec Endpoint Encryption prior to SEE 11.2.1 MP1 may be susceptible to a Privilege Escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.
8340 CVE-2019-9692 434 2019-03-11 2019-04-02
4.0
None Remote Low ??? None Partial None
class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).
8341 CVE-2019-9669 79 XSS 2019-04-25 2019-04-26
4.3
None Remote Medium Not required None Partial None
The Wordfence plugin 7.2.3 for WordPress allows XSS via a unique attack vector.
8342 CVE-2019-9657 522 2019-07-11 2020-08-24
4.6
None Local Low Not required Partial Partial Partial
Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control, a different issue than CVE-2018-19588. This occurs because of incorrect protection of VPN certificates (used for initiating a VPN session to the Alarm.com infrastructure) on the local camera device.
8343 CVE-2019-9650 79 XSS 2019-03-11 2019-03-26
4.3
None Remote Medium Not required None Partial None
An XSS issue was discovered in upcoming_events.php in the Upcoming Events plugin before 1.33 for MyBB via a crafted name for an event.
8344 CVE-2019-9647 79 XSS 2019-06-05 2019-06-06
4.3
None Remote Medium Not required None Partial None
Gila CMS 1.9.1 has XSS.
8345 CVE-2019-9646 79 XSS 2019-03-10 2019-03-12
4.3
None Remote Medium Not required None Partial None
The Contact Form Email plugin before 1.2.66 for WordPress allows wp-admin/admin.php item XSS, related to cp_admin_int_edition.inc.php in the "custom edition area."
8346 CVE-2019-9644 79 XSS 2019-03-12 2019-04-12
4.3
None Remote Medium Not required None Partial None
An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of error messages, though not reproduced with other browsers. This occurs because Internet Explorer's error messages can include the content of any invalid JavaScript that was encountered.
8347 CVE-2019-9635 476 DoS 2019-04-24 2019-04-26
4.3
None Remote Medium Not required None None Partial
NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file.
8348 CVE-2019-9633 20 DoS 2019-03-08 2019-03-14
4.3
None Remote Medium Not required None None Partial
gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).
8349 CVE-2019-9622 22 Dir. Trav. 2019-03-07 2019-03-08
4.0
None Remote Low ??? Partial None None
eBrigade through 4.5 allows Arbitrary File Download via ../ directory traversal in the showfile.php file parameter, as demonstrated by reading the user-data/save/backup.sql file.
8350 CVE-2019-9611 22 Dir. Trav. 2019-03-06 2019-03-07
4.0
None Remote Low ??? None Partial None
An issue was discovered in OFCMS before 1.1.3. It allows admin/cms/template/getTemplates.html?res_path=res directory traversal, with ../ in the dir parameter, to write arbitrary content (in the file_content parameter) into an arbitrary file (specified by the file_name parameter). This is related to the save function in TemplateController.java.
Total number of vulnerabilities : 36084   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 (This Page)168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.