CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
4401 CVE-2019-14347 425 2019-08-06 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
Internal/Views/addUsers.php in Schben Adive 2.0.7 allows remote unprivileged users (editor or developer) to create an administrator account via admin/user/add, as demonstrated by a Python PoC script.
4402 CVE-2019-14328 352 CSRF 2019-07-28 2019-08-05
6.8
None Remote Medium Not required Partial Partial Partial
The Simple Membership plugin before 3.8.5 for WordPress has CSRF affecting the Bulk Operation section.
4403 CVE-2019-14304 352 CSRF 2020-01-10 2020-02-25
6.8
None Remote Medium Not required Partial Partial Partial
Ricoh SP C250DN 1.06 devices allow CSRF.
4404 CVE-2019-14296 119 DoS Overflow 2019-07-27 2019-08-11
6.8
None Remote Medium Not required Partial Partial Partial
canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause a denial of service (SEGV or buffer overflow, and application crash) or possibly have unspecified other impact via a crafted UPX packed file.
4405 CVE-2019-14267 787 Overflow 2019-07-29 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
PDFResurrect 0.15 has a buffer overflow via a crafted PDF file because data associated with startxref and %%EOF is mishandled.
4406 CVE-2019-14266 89 Sql 2019-07-25 2019-07-29
6.5
None Remote Low ??? Partial Partial Partial
OpenSNS v6.1.0 allows SQL Injection via the index.php?s=/ucenter/Config/ uid parameter because of the getNeedQueryData function in Application/Common/Model/UserModel.class.php.
4407 CVE-2019-14253 306 Bypass 2019-09-18 2020-08-24
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in servletcontroller in the secure portal in Publisure 2.1.2. One can bypass authentication and perform a query on PHP forms within the /AdminDir folder that should be restricted.
4408 CVE-2019-14252 434 2019-09-18 2019-09-18
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in the secure portal in Publisure 2.1.2. Once successfully authenticated as an administrator, one is able to inject arbitrary PHP code by using the adminCons.php form. The code is then stored in the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if removed from the adminCons.php view (i.e., the rogue PHP file can be hidden).
4409 CVE-2019-14216 352 CSRF 2019-08-14 2019-08-23
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress. wp-admin/admin.php?page=wp-svg-icons-custom-set mishandles Custom Icon uploads. CSRF leads to upload of a ZIP archive containing a .php file.
4410 CVE-2019-14206 22 Dir. Trav. 2019-07-21 2020-08-24
6.4
None Remote Low Not required None Partial Partial
An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via the $REQUEST['adaptive-images-settings'] parameter in adaptive-images-script.php.
4411 CVE-2019-14197 125 2019-07-31 2019-08-02
6.4
None Remote Low Not required Partial None Partial
An issue was discovered in Das U-Boot through 2019.07. There is a read of out-of-bounds data at nfs_read_reply.
4412 CVE-2019-14119 367 Mem. Corr. 2020-09-08 2020-09-11
6.9
None Local Medium Not required Complete Complete Complete
u'While processing SMCInvoke asynchronous message header, message count is modified leading to a TOCTOU race condition and lead to memory corruption' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in IPQ6018, Kamorta, MDM9205, MDM9607, Nicobar, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDM670, SDM710, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
4413 CVE-2019-14104 125 2020-04-16 2020-04-21
6.6
None Local Low Not required Complete None Complete
Slab-out-of-bounds access can occur if the context pointer is invalid due to lack of null check on pointer before accessing it in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Mobile in APQ8053, SC8180X, SDX55, SM8150
4414 CVE-2019-14081 125 2020-03-05 2020-03-06
6.6
None Local Low Not required Complete None Complete
Buffer Over-read when WLAN module gets a WMI message for SAR limits with invalid number of limits to be enforced in Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in APQ8098, IPQ8074, MSM8998, QCA8081, QCN7605, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM8150, SXR1130
4415 CVE-2019-14072 416 2020-03-05 2020-03-06
6.9
None Local Medium Not required Complete Complete Complete
Unhandled paging request is observed due to dereferencing an already freed object because of race condition between sparse free and sparse bind ioctls which access the same physical entry in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8096AU, APQ8098, MDM9607, MSM8909W, MSM8939, MSM8953, MSM8996AU, Nicobar, QCS405, QCS605, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
4416 CVE-2019-14071 Bypass 2020-03-05 2020-08-24
6.9
None Local Medium Not required Complete Complete Complete
Compromised reset handler may bypass access control due to AC config is being reset if debug path is enabled to collect secure or non-secure ram dumps in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8017, APQ8053, APQ8096, APQ8096AU, IPQ6018, MDM9205, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS404, QCS405, QCS605, QM215, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130
4417 CVE-2019-14070 416 2020-04-16 2020-04-22
6.9
None Local Medium Not required Complete Complete Complete
Possible use after free issue in pcm volume controls due to race condition exist in private data used in mixer controls in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
4418 CVE-2019-13989 787 Overflow 2019-07-19 2020-09-14
6.8
None Remote Medium Not required Partial Partial Partial
dpic 2019.06.20 has a Stack-based Buffer Overflow in the wfloat() function in main.c.
4419 CVE-2019-13984 434 2019-07-19 2019-07-22
6.8
None Remote Medium Not required Partial Partial Partial
Directus 7 API before 2.3.0 does not validate uploaded files. Regardless of the file extension or MIME type, there is a direct link to each uploaded file, accessible by unauthenticated users, as demonstrated by the EICAR Anti-Virus Test File.
4420 CVE-2019-13980 434 Exec Code 2019-07-19 2019-07-22
6.8
None Remote Medium Not required Partial Partial Partial
In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx.
4421 CVE-2019-13979 434 Exec Code 2019-07-19 2019-07-22
6.8
None Remote Medium Not required Partial Partial Partial
In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution.
4422 CVE-2019-13978 89 Sql 2019-07-19 2019-07-27
6.5
None Remote Low ??? Partial Partial Partial
Ovidentia 8.4.3 has SQL Injection via the id parameter in an index.php?tg=delegat&idx=mem request.
4423 CVE-2019-13974 352 CSRF 2019-07-19 2019-07-19
6.8
None Remote Medium Not required Partial Partial Partial
LayerBB 1.1.3 allows conversations.php/cmd/new CSRF.
4424 CVE-2019-13969 89 Sql 2019-07-19 2019-07-19
6.5
None Remote Low ??? Partial Partial Partial
Metinfo 6.x allows SQL Injection via the id parameter in an admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1 request.
4425 CVE-2019-13961 352 CSRF 2019-07-18 2019-07-19
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php.
4426 CVE-2019-13954 770 2019-07-26 2020-08-24
6.8
None Remote Low ??? None None Complete
Mikrotik RouterOS before 6.44.5 (long-term release tree) is vulnerable to memory exhaustion. By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system. Malicious code cannot be injected.
4427 CVE-2019-13949 352 CSRF 2019-07-18 2019-07-19
6.8
None Remote Medium Not required Partial Partial Partial
SyGuestBook A5 Version 1.2 has no CSRF protection mechanism, as demonstrated by CSRF for an index.php?c=Administrator&a=update admin password change.
4428 CVE-2019-13932 20 2019-12-12 2019-12-19
6.4
None Remote Low Not required Partial Partial None
A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web application requests could be manipulated, causing the the application to behave in unexpected ways for legitimate users. Successful exploitation does not require for an attacker to be authenticated. A successful attack could allow the import of scripts or generation of malicious links. This could allow the attacker to read or modify contents of the web application. At the time of advisory publication no public exploitation of this security vulnerability was known.
4429 CVE-2019-13767 787 2020-01-10 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in media picker in Google Chrome prior to 79.0.3945.88 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
4430 CVE-2019-13764 843 2019-12-10 2019-12-16
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
4431 CVE-2019-13747 787 2019-12-10 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Uninitialized data in rendering in Google Chrome on Android prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
4432 CVE-2019-13741 79 XSS Bypass 2019-12-10 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient validation of untrusted input in Blink in Google Chrome prior to 79.0.3945.79 allowed a local attacker to bypass same origin policy via crafted clipboard content.
4433 CVE-2019-13736 787 Overflow 2019-12-10 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in PDFium in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
4434 CVE-2019-13735 787 Exec Code 2019-12-10 2019-12-16
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds write in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
4435 CVE-2019-13734 787 2019-12-10 2020-08-06
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
4436 CVE-2019-13732 787 2019-12-10 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free in WebAudio in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
4437 CVE-2019-13730 843 2019-12-10 2019-12-16
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
4438 CVE-2019-13729 787 2019-12-10 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free in WebSockets in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
4439 CVE-2019-13728 787 2019-12-10 2019-12-16
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds write in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
4440 CVE-2019-13727 281 Bypass 2019-12-10 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient policy enforcement in WebSockets in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass same origin policy via a crafted HTML page.
4441 CVE-2019-13726 119 Exec Code Overflow 2019-12-10 2019-12-16
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in password manager in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
4442 CVE-2019-13725 416 Exec Code 2019-12-10 2019-12-16
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free in Bluetooth in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
4443 CVE-2019-13724 787 Mem. Corr. 2019-11-25 2019-11-30
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds memory access in WebBluetooth in Google Chrome prior to 78.0.3904.108 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
4444 CVE-2019-13723 787 2019-11-25 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in WebBluetooth in Google Chrome prior to 78.0.3904.108 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
4445 CVE-2019-13721 787 2019-11-25 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in PDFium in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
4446 CVE-2019-13720 787 2019-11-25 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
4447 CVE-2019-13706 787 Mem. Corr. 2019-11-25 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds memory access in PDFium in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
4448 CVE-2019-13702 269 2019-11-25 2020-01-13
6.8
None Remote Medium Not required Partial Partial Partial
Inappropriate implementation in installer in Google Chrome on Windows prior to 78.0.3904.70 allowed a local attacker to perform privilege escalation via a crafted executable.
4449 CVE-2019-13700 787 Mem. Corr. 2019-11-25 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds memory access in the gamepad API in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
4450 CVE-2019-13699 416 2019-11-25 2020-01-13
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in media in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.