CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2201 CVE-2019-14319 319 2019-09-04 2020-08-24
3.3
None Local Network Low Not required Partial None None
The TikTok (formerly Musical.ly) application 12.2.0 for Android and iOS performs unencrypted transmission of images, videos, and likes. This allows an attacker to extract private sensitive information by sniffing network traffic.
2202 CVE-2019-14298 79 XSS 2019-07-27 2019-07-29
3.5
None Remote Medium ??? None Partial None
Veeam ONE Reporter 9.5.0.3201 allows XSS via a crafted Description(config) field to addDashboard or editDashboard in CommonDataHandlerReadOnly.ashx.
2203 CVE-2019-14297 79 XSS 2019-07-27 2019-07-29
3.5
None Remote Medium ??? None Partial None
Veeam ONE Reporter 9.5.0.3201 allows XSS via the Add/Edit Widget with a crafted Caption field to setDashboardWidget in CommonDataHandlerReadOnly.ashx.
2204 CVE-2019-14272 79 XSS 2019-09-26 2019-09-26
3.5
None Remote Medium ??? None Partial None
In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS.
2205 CVE-2019-14221 79 XSS 2019-08-08 2019-08-27
3.5
None Remote Medium ??? None Partial None
1CRM On-Premise Software 8.5.7 allows XSS via a payload that is mishandled during a Run Report operation.
2206 CVE-2019-14101 125 2020-07-30 2020-07-31
3.6
None Local Low Not required Partial None Partial
Out of bounds read can happen in diag event set mask command handler when user provided length in the command request is less than expected length in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8096, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCN7605, QCS404, QCS405, QCS605, QM215, Rennell, SA415M, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130
2207 CVE-2019-14053 125 2020-06-02 2020-06-03
3.6
None Local Low Not required Partial None Partial
When attempting to create a new XFRM policy, a stack out-of-bounds read will occur if the user provides a template where the mode is set to a value that does not resolve to a valid XFRM mode in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, QCA4531, QCN7605, QCS605, QM215, SA415M, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
2208 CVE-2019-14043 125 2020-06-02 2020-06-03
3.6
None Local Low Not required Partial None Partial
Out of bound read in Fingerprint application due to requested data is being used without length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in Kamorta, MDM9150, MDM9205, MDM9650, MSM8998, Nicobar, QCS404, QCS405, QCS605, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDA660, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
2209 CVE-2019-14042 125 2020-06-02 2020-06-03
3.6
None Local Low Not required Partial None Partial
Out of bound read in in fingerprint application due to requested data assigned to a local buffer without length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in Kamorta, MDM9205, Nicobar, QCS404, QCS405, QCS605, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
2210 CVE-2019-14039 125 2020-06-02 2020-06-04
3.6
None Local Low Not required Partial None Partial
Out of bound read in adm call back function due to incorrect boundary check for payload in command response in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8053, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, QCS605, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM670, SDM710, SDM845, SDX20, SDX24
2211 CVE-2019-14038 125 2020-06-02 2020-06-04
3.6
None Local Low Not required Partial None Partial
Buffer over-read in ADSP parse function due to lack of check for availability of sufficient data payload received in command response in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8053, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, QCS605, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM670, SDM710, SDM845, SDX20, SDX24
2212 CVE-2019-13991 2019-07-19 2020-08-24
3.3
None Local Network Low Not required None Partial None
Embedded systems based on Arduino before Rev3 allow remote attackers to send data to LEDs (directly connected to GPIO pins) via a laser, because of LED photosensitivity.
2213 CVE-2019-13977 79 XSS 2019-07-19 2019-07-27
3.5
None Remote Medium ??? None Partial None
index.php in Ovidentia 8.4.3 has XSS via tg=groups, tg=maildoms&idx=create&userid=0&bgrp=y, tg=delegat, tg=site&idx=create, tg=site&item=4, tg=admdir&idx=mdb&id=1, tg=notes&idx=Create, tg=admfaqs&idx=Add, or tg=admoc&idx=addoc&item=.
2214 CVE-2019-13950 79 XSS 2019-07-18 2019-07-19
3.5
None Remote Medium ??? None Partial None
index.php?c=admin&a=index in SyGuestBook A5 Version 1.2 has stored XSS via a reply to a comment.
2215 CVE-2019-13948 79 XSS 2019-07-18 2019-07-19
3.5
None Remote Medium ??? None Partial None
SyGuestBook A5 Version 1.2 allows stored XSS because the isValidData function in include/functions.php does not properly block XSS payloads, as demonstrated by a crafted use of the onerror attribute of an IMG element.
2216 CVE-2019-13936 79 XSS 2019-11-27 2019-12-05
3.5
None Remote Medium ??? None Partial None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webclient of Siemens AG Polarion could allow an attacker to exploit a persistent XSS vulnerability. This issue affects: Siemens AG Polarion All versions < 19.2.
2217 CVE-2019-13935 79 XSS 2019-11-27 2019-12-05
3.5
None Remote Medium ??? None Partial None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webclient of Siemens AG Polarion could allow an attacker to exploit a reflected XSS vulnerability. This issue affects: Siemens AG Polarion All versions < 19.2.
2218 CVE-2019-13934 79 XSS 2019-11-27 2019-12-05
3.5
None Remote Medium ??? None Partial None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webclient of Siemens AG Polarion could allow an attacker to exploit a reflected XSS vulnerability. This issue affects: Siemens AG Polarion All versions < 19.2.
2219 CVE-2019-13931 79 XSS 2019-12-12 2019-12-19
3.5
None Remote Medium ??? None Partial None
A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow for an an attacker to craft the input in a form that is not expected, causing the application to behave in unexpected ways for legitimate users. Successful exploitation requires for an attacker to be authenticated to the web interface. A successful attack could cause the application to have unexpected behavior. This could allow the attacker to modify contents of the web application. At the time of advisory publication no public exploitation of this security vulnerability was known.
2220 CVE-2019-13647 79 Exec Code XSS 2019-07-18 2020-12-01
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability.
2221 CVE-2019-13646 79 XSS 2019-07-18 2020-12-01
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability.
2222 CVE-2019-13645 79 Exec Code XSS 2019-07-18 2020-12-01
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability.
2223 CVE-2019-13644 79 Exec Code XSS 2019-07-18 2020-12-01
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tag_number$ tag summary page. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability.
2224 CVE-2019-13495 79 XSS 2020-03-31 2020-04-01
3.5
None Remote Medium ??? None Partial None
In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allows remote authenticated users to inject arbitrary web script via an rpSys.html Name or Location field.
2225 CVE-2019-13493 79 XSS 2019-07-17 2019-07-18
3.5
None Remote Medium ??? None Partial None
In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager. An authenticated unprivileged user can modify the uploaded file extension parameter to inject arbitrary JavaScript.
2226 CVE-2019-13476 79 XSS 2019-08-21 2019-08-27
3.5
None Remote Medium ??? None Partial None
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter allows a low-privilege user to achieve root access via the email list page.
2227 CVE-2019-13416 2019-08-13 2020-10-08
3.5
None Remote Medium ??? Partial None None
Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s).
2228 CVE-2019-13415 2019-08-13 2020-10-08
3.5
None Remote Medium ??? Partial None None
Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users can gain read access to data they are not authorized to see.
2229 CVE-2019-13361 287 2019-09-05 2020-09-17
3.3
None Local Network Low Not required None Partial None
Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an attacker on the same Wi-Fi network.
2230 CVE-2019-13341 79 XSS 2019-07-05 2019-07-07
3.5
None Remote Medium ??? None Partial None
In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie.
2231 CVE-2019-13340 79 XSS 2019-07-05 2019-07-07
3.5
None Remote Medium ??? None Partial None
In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186.
2232 CVE-2019-13339 79 XSS 2019-07-05 2019-07-07
3.5
None Remote Medium ??? None Partial None
In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie.
2233 CVE-2019-13182 79 XSS 2019-12-16 2019-12-18
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in the web UI of SolarWinds Serv-U FTP Server 15.1.7.
2234 CVE-2019-13161 476 2019-07-12 2019-11-30
3.5
None Remote Medium ??? None None Partial
An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration).
2235 CVE-2019-13103 674 2019-07-29 2020-08-24
3.6
None Local Low Not required None Partial Partial
A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.
2236 CVE-2019-13081 79 XSS 2019-11-06 2019-11-07
3.5
None Remote Medium ??? None Partial None
Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the title field in the /common/ticket_associated_tickets.php service desk ticket functionality) that allows an authenticated user to execute arbitrary JavaScript in a service desk user's browser.
2237 CVE-2019-13080 79 XSS 2019-11-06 2019-11-07
3.5
None Remote Medium ??? None Partial None
Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via an SVG image and HTML file) that allows an authenticated user to execute arbitrary JavaScript in an administrator's browser.
2238 CVE-2019-13070 79 Exec Code XSS 2019-07-09 2019-07-10
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/action_recipient Event Action/Recipient page, the embedded code will be executed in the browser of the victim.
2239 CVE-2019-13057 2019-07-26 2020-08-24
3.5
None Remote Medium ??? Partial None None
An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)
2240 CVE-2019-13055 200 +Info 2019-06-29 2019-07-08
3.3
None Local Network Low Not required Partial None None
Certain Logitech Unifying devices allow attackers to dump AES keys and addresses, leading to the capability of live decryption of Radio Frequency transmissions, as demonstrated by an attack against a Logitech K360 keyboard.
2241 CVE-2019-13054 522 Bypass 2019-06-29 2020-08-24
3.3
None Local Network Low Not required None Partial None
The Logitech R500 presentation clicker allows attackers to determine the AES key, leading to keystroke injection. On Windows, any text may be injected by using ALT+NUMPAD input to bypass the restriction on the characters A through Z.
2242 CVE-2019-13053 Bypass 2019-06-29 2020-08-24
3.3
None Local Network Low Not required None Partial None
Logitech Unifying devices allow keystroke injection, bypassing encryption. The attacker must press a "magic" key combination while sniffing cryptographic data from a Radio Frequency transmission. NOTE: this issue exists because of an incomplete fix for CVE-2016-10761.
2243 CVE-2019-13052 327 2019-06-29 2020-08-24
3.3
None Local Network Low Not required Partial None None
Logitech Unifying devices allow live decryption if the pairing of a keyboard to a receiver is sniffed.
2244 CVE-2019-13029 79 XSS 2019-07-11 2019-07-24
3.5
None Remote Medium ??? None Partial None
Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.
2245 CVE-2019-12954 79 XSS 2020-02-17 2020-02-28
3.5
None Remote Medium ??? None Partial None
SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, NetPath 1.1.3) allows XSS by authenticated users via a crafted onerror attribute of a VIDEO element in an action for an ALERT.
2246 CVE-2019-12950 79 XSS 2019-08-06 2019-08-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in TeamPass 2.1.27.35. From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload.
2247 CVE-2019-12942 862 2019-09-10 2020-08-24
3.3
None Local Network Low Not required None Partial None
TTLock devices do not properly block guest access in certain situations where the network connection to the cloud is unavailable.
2248 CVE-2019-12863 79 XSS 2020-02-25 2020-08-24
3.5
None Remote Medium ??? None Partial None
SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) allows Stored HTML Injection by administrators via the Web Console Settings screen.
2249 CVE-2019-12830 79 XSS 2019-06-15 2019-06-20
3.5
None Remote Medium ??? None Partial None
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.
2250 CVE-2019-12754 79 XSS Bypass 2019-08-30 2019-09-03
3.5
None Remote Medium ??? None Partial None
Symantec My VIP portal, previous version which has already been auto updated, was susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users or potentially bypass access controls such as the same-origin policy.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.