# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
251 |
CVE-2019-17493 |
79 |
|
XSS |
2019-10-10 |
2019-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[sample_input] parameter to web/admin/problem/create or web/polygon/problem/update. |
252 |
CVE-2019-17491 |
79 |
|
XSS |
2019-10-10 |
2019-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[description] parameter to web/admin/problem/create or web/polygon/problem/update. |
253 |
CVE-2019-17489 |
79 |
|
XSS |
2019-10-10 |
2019-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[title] parameter to web/polygon/problem/create or web/polygon/problem/update or web/admin/problem/create. |
254 |
CVE-2019-17488 |
79 |
|
XSS |
2019-10-10 |
2019-10-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header. |
255 |
CVE-2019-17454 |
476 |
|
|
2019-10-10 |
2019-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Bento4 1.5.1.0 has a NULL pointer dereference in AP4_Descriptor::GetTag in Core/Ap4Descriptor.h, related to AP4_StsdAtom::GetSampleDescription in Core/Ap4StsdAtom.cpp, as demonstrated by mp4info. |
256 |
CVE-2019-17453 |
476 |
|
|
2019-10-10 |
2019-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Bento4 1.5.1.0 has a NULL pointer dereference in AP4_DescriptorListWriter::Action in Core/Ap4Descriptor.h, related to AP4_IodsAtom::WriteFields in Core/Ap4IodsAtom.cpp, as demonstrated by mp4encrypt or mp4compact. |
257 |
CVE-2019-17452 |
476 |
|
|
2019-10-10 |
2019-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Bento4 1.5.1.0 has a NULL pointer dereference in AP4_DescriptorListInspector::Action in Core/Ap4Descriptor.h, related to AP4_IodsAtom::InspectFields in Core/Ap4IodsAtom.cpp, as demonstrated by mp4dump. |
258 |
CVE-2019-17451 |
190 |
|
Overflow |
2019-10-10 |
2019-10-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c, as demonstrated by nm. |
259 |
CVE-2019-17450 |
674 |
|
DoS |
2019-10-10 |
2019-10-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file. |
260 |
CVE-2019-17432 |
352 |
|
XSS CSRF |
2019-10-10 |
2019-10-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/admin/general.config/edit CSRF vulnerability, as demonstrated by resultant XSS via the row[name] parameter. |
261 |
CVE-2019-17431 |
352 |
|
CSRF |
2019-10-10 |
2019-10-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/index.php/admin/auth/admin/add CSRF vulnerability. |
262 |
CVE-2019-17430 |
79 |
|
XSS |
2019-10-10 |
2019-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
EyouCms through 2019-07-11 has XSS related to the login.php web_recordnum parameter. |
263 |
CVE-2019-17429 |
89 |
|
Sql |
2019-10-10 |
2019-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter. |
264 |
CVE-2019-17427 |
79 |
|
XSS |
2019-10-09 |
2019-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors. |
265 |
CVE-2019-17419 |
89 |
|
Sql |
2019-10-09 |
2019-10-10 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter. |
266 |
CVE-2019-17418 |
89 |
|
Sql |
2019-10-09 |
2019-10-10 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997. |
267 |
CVE-2019-17402 |
120 |
|
|
2019-10-09 |
2019-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size. |
268 |
CVE-2019-17399 |
22 |
|
Dir. Trav. |
2019-10-09 |
2019-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
The Shack Forms Pro extension before 4.0.32 for Joomla! allows path traversal via a file attachment. |
269 |
CVE-2019-17397 |
532 |
|
|
2019-10-15 |
2019-10-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
In the DoorDash application through 11.5.2 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat. |
270 |
CVE-2019-17386 |
352 |
|
CSRF |
2019-10-10 |
2019-10-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
The animate-it plugin before 2.3.6 for WordPress has CSRF in edsanimate.php. |
271 |
CVE-2019-17385 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The animate-it plugin before 2.3.5 for WordPress has XSS. |
272 |
CVE-2019-17384 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The animate-it plugin before 2.3.4 for WordPress has XSS. |
273 |
CVE-2019-17383 |
276 |
|
|
2019-10-09 |
2019-10-15 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
The netaddr gem before 2.0.4 for Ruby has misconfigured file permissions, such that a gem install may result in 0777 permissions in the target filesystem. |
274 |
CVE-2019-17380 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528). |
275 |
CVE-2019-17379 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527). |
276 |
CVE-2019-17378 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526). |
277 |
CVE-2019-17377 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524). |
278 |
CVE-2019-17376 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521). |
279 |
CVE-2019-17375 |
613 |
|
|
2019-10-09 |
2019-10-11 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517). |
280 |
CVE-2019-17371 |
772 |
|
|
2019-10-09 |
2019-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
libpng 1.6.37 has memory leaks in png_malloc_warn and png_create_info_struct. |
281 |
CVE-2019-17370 |
20 |
|
Exec Code |
2019-10-09 |
2019-10-11 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
OTCMS v3.85 allows arbitrary PHP Code Execution because admin/sysCheckFile_deal.php blocks "into outfile" in a SELECT statement, but does not block the "into/**/outfile" manipulation. Therefore, the attacker can create a .php file. |
282 |
CVE-2019-17368 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from parameter. |
283 |
CVE-2019-17365 |
276 |
|
|
2019-10-09 |
2019-10-11 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
Nix through 2.3 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable. |
284 |
CVE-2019-17362 |
125 |
|
DoS |
2019-10-08 |
2019-10-15 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data. |
285 |
CVE-2019-17359 |
770 |
|
|
2019-10-08 |
2019-10-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64. |
286 |
CVE-2019-17354 |
287 |
|
|
2019-10-09 |
2019-10-15 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
wan.htm page on Zyxel NBG-418N v2 with firmware version V1.00(AARP.9)C0 can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify data fields of the page. |
287 |
CVE-2019-17353 |
287 |
|
|
2019-10-09 |
2019-10-15 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
An issue discovered on D-Link DIR-615 devices with firmware version 20.05 and 20.07. wan.htm can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify the data fields of the page. |
288 |
CVE-2019-17352 |
434 |
|
Bypass |
2019-10-08 |
2019-10-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
In JFinal cos before 2019-08-13, as used in JFinal 4.4, there is a vulnerability that can bypass the isSafeFile() function: one can upload any type of file. For example, a .jsp file may be stored and almost immediately deleted, but this deletion step does not occur for certain exceptions. |
289 |
CVE-2019-17351 |
400 |
|
DoS |
2019-10-07 |
2019-10-11 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7. |
290 |
CVE-2019-17350 |
835 |
|
DoS |
2019-10-07 |
2019-10-11 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a compare-and-exchange operation. |
291 |
CVE-2019-17349 |
835 |
|
DoS |
2019-10-07 |
2019-10-11 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a LoadExcl or StoreExcl operation. |
292 |
CVE-2019-17348 |
20 |
|
DoS |
2019-10-07 |
2019-10-11 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service because of an incompatibility between Process Context Identifiers (PCID) and shadow-pagetable switching. |
293 |
CVE-2019-17347 |
20 |
|
DoS +Priv |
2019-10-07 |
2019-10-10 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels). |
294 |
CVE-2019-17346 |
20 |
|
DoS +Priv |
2019-10-07 |
2019-10-10 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because of an incompatibility between Process Context Identifiers (PCID) and TLB flushes. |
295 |
CVE-2019-17345 |
20 |
|
DoS |
2019-10-07 |
2019-10-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
An issue was discovered in Xen 4.8.x through 4.11.x allowing x86 PV guest OS users to cause a denial of service because mishandling of failed IOMMU operations causes a bug check during the cleanup of a crashed guest. |
296 |
CVE-2019-17344 |
20 |
|
DoS |
2019-10-07 |
2019-10-11 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service by leveraging a long-running operation that exists to support restartability of PTE updates. |
297 |
CVE-2019-17343 |
20 |
|
DoS +Priv |
2019-10-07 |
2019-10-10 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging incorrect use of the HVM physmap concept for PV domains. |
298 |
CVE-2019-17342 |
362 |
|
DoS +Priv |
2019-10-07 |
2019-10-10 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a race condition that arose when XENMEM_exchange was introduced. |
299 |
CVE-2019-17341 |
362 |
|
DoS +Priv |
2019-10-07 |
2019-10-11 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a page-writability race condition during addition of a passed-through PCI device. |
300 |
CVE-2019-17340 |
20 |
|
DoS +Priv |
2019-10-07 |
2019-10-10 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
An issue was discovered in Xen through 4.11.x allowing x86 guest OS users to cause a denial of service or gain privileges because grant-table transfer requests are mishandled. |