| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
251 |
CVE-2019-17431 |
352 |
|
CSRF |
2019-10-10 |
2019-10-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/index.php/admin/auth/admin/add CSRF vulnerability. |
|
252 |
CVE-2019-17430 |
79 |
|
XSS |
2019-10-10 |
2019-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
EyouCms through 2019-07-11 has XSS related to the login.php web_recordnum parameter. |
|
253 |
CVE-2019-17429 |
89 |
|
Sql |
2019-10-10 |
2019-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter. |
|
254 |
CVE-2019-17427 |
79 |
|
XSS |
2019-10-09 |
2019-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors. |
|
255 |
CVE-2019-17419 |
89 |
|
Sql |
2019-10-09 |
2019-10-10 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter. |
|
256 |
CVE-2019-17418 |
89 |
|
Sql |
2019-10-09 |
2019-10-10 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997. |
|
257 |
CVE-2019-17402 |
120 |
|
|
2019-10-09 |
2019-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size. |
|
258 |
CVE-2019-17399 |
22 |
|
Dir. Trav. |
2019-10-09 |
2019-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Shack Forms Pro extension before 4.0.32 for Joomla! allows path traversal via a file attachment. |
|
259 |
CVE-2019-17385 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The animate-it plugin before 2.3.5 for WordPress has XSS. |
|
260 |
CVE-2019-17384 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The animate-it plugin before 2.3.4 for WordPress has XSS. |
|
261 |
CVE-2019-17380 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528). |
|
262 |
CVE-2019-17379 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527). |
|
263 |
CVE-2019-17378 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526). |
|
264 |
CVE-2019-17377 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524). |
|
265 |
CVE-2019-17376 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521). |
|
266 |
CVE-2019-17375 |
613 |
|
|
2019-10-09 |
2019-10-11 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517). |
|
267 |
CVE-2019-17371 |
772 |
|
|
2019-10-09 |
2019-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
libpng 1.6.37 has memory leaks in png_malloc_warn and png_create_info_struct. |
|
268 |
CVE-2019-17370 |
20 |
|
Exec Code |
2019-10-09 |
2019-10-11 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
OTCMS v3.85 allows arbitrary PHP Code Execution because admin/sysCheckFile_deal.php blocks "into outfile" in a SELECT statement, but does not block the "into/**/outfile" manipulation. Therefore, the attacker can create a .php file. |
|
269 |
CVE-2019-17368 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from parameter. |
|
270 |
CVE-2019-17365 |
276 |
|
|
2019-10-09 |
2019-10-11 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Nix through 2.3 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable. |
|
271 |
CVE-2019-17351 |
400 |
|
DoS |
2019-10-07 |
2019-10-11 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7. |
|
272 |
CVE-2019-17350 |
835 |
|
DoS |
2019-10-07 |
2019-10-11 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a compare-and-exchange operation. |
|
273 |
CVE-2019-17349 |
835 |
|
DoS |
2019-10-07 |
2019-10-11 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a LoadExcl or StoreExcl operation. |
|
274 |
CVE-2019-17348 |
20 |
|
DoS |
2019-10-07 |
2019-10-11 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service because of an incompatibility between Process Context Identifiers (PCID) and shadow-pagetable switching. |
|
275 |
CVE-2019-17347 |
20 |
|
DoS +Priv |
2019-10-07 |
2019-10-10 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels). |
|
276 |
CVE-2019-17346 |
20 |
|
DoS +Priv |
2019-10-07 |
2019-10-10 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because of an incompatibility between Process Context Identifiers (PCID) and TLB flushes. |
|
277 |
CVE-2019-17345 |
20 |
|
DoS |
2019-10-07 |
2019-10-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
An issue was discovered in Xen 4.8.x through 4.11.x allowing x86 PV guest OS users to cause a denial of service because mishandling of failed IOMMU operations causes a bug check during the cleanup of a crashed guest. |
|
278 |
CVE-2019-17344 |
20 |
|
DoS |
2019-10-07 |
2019-10-11 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service by leveraging a long-running operation that exists to support restartability of PTE updates. |
|
279 |
CVE-2019-17343 |
20 |
|
DoS +Priv |
2019-10-07 |
2019-10-10 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging incorrect use of the HVM physmap concept for PV domains. |
|
280 |
CVE-2019-17342 |
362 |
|
DoS +Priv |
2019-10-07 |
2019-10-10 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a race condition that arose when XENMEM_exchange was introduced. |
|
281 |
CVE-2019-17341 |
362 |
|
DoS +Priv |
2019-10-07 |
2019-10-11 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a page-writability race condition during addition of a passed-through PCI device. |
|
282 |
CVE-2019-17340 |
20 |
|
DoS +Priv |
2019-10-07 |
2019-10-10 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
|
An issue was discovered in Xen through 4.11.x allowing x86 guest OS users to cause a denial of service or gain privileges because grant-table transfer requests are mishandled. |
|
283 |
CVE-2019-17319 |
89 |
|
Sql |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user. |
|
284 |
CVE-2019-17318 |
89 |
|
Sql |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user. |
|
285 |
CVE-2019-17317 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user. |
|
286 |
CVE-2019-17316 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user. |
|
287 |
CVE-2019-17315 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user. |
|
288 |
CVE-2019-17314 |
22 |
|
Dir. Trav. |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user. |
|
289 |
CVE-2019-17313 |
22 |
|
Dir. Trav. |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user. |
|
290 |
CVE-2019-17312 |
22 |
|
Dir. Trav. |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user. |
|
291 |
CVE-2019-17311 |
22 |
|
Dir. Trav. |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user. |
|
292 |
CVE-2019-17310 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user. |
|
293 |
CVE-2019-17309 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user. |
|
294 |
CVE-2019-17308 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user. |
|
295 |
CVE-2019-17307 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user. |
|
296 |
CVE-2019-17306 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user. |
|
297 |
CVE-2019-17305 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user. |
|
298 |
CVE-2019-17304 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user. |
|
299 |
CVE-2019-17303 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user. |
|
300 |
CVE-2019-17302 |
20 |
|
|
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user. |
