CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In July 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-1020019 79 XSS 2019-07-29 2019-07-31
4.3
None Remote Medium Not required None Partial None
invenio-previewer before 1.0.0a12 allows XSS.
2 CVE-2019-1020018 20 2019-07-29 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via an email link.
3 CVE-2019-1020017 284 2019-07-29 2019-10-09
5.0
None Remote Low Not required None Partial None
Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP.
4 CVE-2019-1020016 601 2019-07-29 2019-08-01
5.8
None Remote Medium Not required Partial Partial None
ASH-AIO before 2.0.0.3 allows an open redirect.
5 CVE-2019-1020015 20 2019-07-29 2019-08-05
5.0
None Remote Low Not required None Partial None
graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT.
6 CVE-2019-1020014 415 2019-07-29 2019-08-19
2.1
None Local Low Not required Partial None None
docker-credential-helpers before 0.6.3 has a double free in the List functions.
7 CVE-2019-1020013 287 2019-07-29 2019-08-01
5.0
None Remote Low Not required Partial None None
parse-server before 3.6.0 allows account enumeration.
8 CVE-2019-1020012 444 2019-07-29 2019-08-02
5.0
None Remote Low Not required None None Partial
parse-server before 3.4.1 allows DoS after any POST to a volatile class.
9 CVE-2019-1020011 20 2019-07-29 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
SmokeDetector intentionally does automatic deployments of updated copies of SmokeDetector without server operator authority.
10 CVE-2019-1020010 79 XSS 2019-07-29 2019-09-05
4.3
None Remote Medium Not required None Partial None
Misskey before 10.102.4 allows hijacking a user's token.
11 CVE-2019-1020009 255 2019-07-29 2019-07-31
5.0
None Remote Low Not required Partial None None
Fleet before 2.1.2 allows exposure of SMTP credentials.
12 CVE-2019-1020008 79 XSS 2019-07-29 2019-07-31
4.3
None Remote Medium Not required None Partial None
stacktable.js before 1.0.4 allows XSS.
13 CVE-2019-1020007 79 XSS 2019-07-29 2019-07-30
3.5
None Remote Medium Single system None Partial None
Dependency-Track before 3.5.1 allows XSS.
14 CVE-2019-1020006 74 2019-07-29 2019-08-01
5.8
None Remote Medium Not required Partial Partial None
invenio-app before 1.1.1 allows host header injection.
15 CVE-2019-1020005 79 XSS 2019-07-29 2019-08-01
3.5
None Remote Medium Single system None Partial None
invenio-communities before 1.0.0a20 allows XSS.
16 CVE-2019-1020004 320 2019-07-29 2019-08-01
5.0
None Remote Low Not required None Partial None
Tridactyl before 1.16.0 allows fake key events.
17 CVE-2019-1020003 79 XSS 2019-07-29 2019-08-01
3.5
None Remote Medium Single system None Partial None
invenio-records before 1.2.2 allows XSS.
18 CVE-2019-1020002 200 +Info 2019-07-29 2019-07-31
5.0
None Remote Low Not required Partial None None
Pterodactyl before 0.7.14 with 2FA allows credential sniffing.
19 CVE-2019-1020001 21 2019-07-29 2019-08-01
5.0
None Remote Low Not required Partial None None
yard before 0.9.20 allows path traversal.
20 CVE-2019-1010319 665 2019-07-11 2019-07-16
4.3
None Remote Medium Not required None None Partial
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseWave64HeaderConfig (wave64.c:211). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe.
21 CVE-2019-1010318 2019-07-11 2019-07-11
0.0
None ??? ??? ??? ??? ??? ???
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: WavpackSetConfiguration64 (pack_utils.c:198). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4.
22 CVE-2019-1010317 665 2019-07-11 2019-07-16
4.3
None Remote Medium Not required None None Partial
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.
23 CVE-2019-1010316 284 2019-07-11 2019-07-14
4.6
None Local Low Not required Partial Partial Partial
pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. The impact is: False locking impression when run in a non-X11 session. The fixed version is: 0.4.
24 CVE-2019-1010315 369 2019-07-11 2019-07-16
4.3
None Remote Medium Not required None None Partial
WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc.
25 CVE-2019-1010314 79 XSS 2019-07-11 2019-07-12
4.3
None Remote Medium Not required None Partial None
Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim's browser, when the vulnerable repo page is loaded. The component is: repository's description. The attack vector is: victim must navigate to public and affected repo page.
26 CVE-2019-1010312 DoS 2019-07-12 2019-07-12
0.0
None ??? ??? ??? ??? ??? ???
Tildeslash Monit Version 5.25.2 and earlier is affected by: Buffer Over-read. The impact is: Disclosure of memory contents in an HTTP response, and Denial of Service. The component is: In function Util_urlDecode() on lines 1553 -1563 in Monit/src/util.c, a crafted POST parameter can cause the buffer index to increment to a value greater than the length of the buffer. The attack vector is: An authenticated remote attacker can exploit the vulnerability by sending a HTTP POST request that contains a maliciously crafted body parameter. The fixed version is: Version 5.25.3 and later.
27 CVE-2019-1010311 XSS 2019-07-12 2019-07-12
0.0
None ??? ??? ??? ??? ??? ???
Tildeslash Monit Version 5.25.2 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Execute javascript in a victim s browser; disable all monitoring for a particular host or service. The component is: In function do_viewlog() on line 910 in Monit/src/http/cervlet.c, an attacker controlled log file is copied into an HTTP response without any HTML escaping. The attack vector is: An authenticated remote attacker can exploit the vulnerability over a network. The fixed version is: Version 5.25.3 and later.
28 CVE-2019-1010310 255 2019-07-12 2019-07-18
3.5
None Remote Medium Single system None Partial None
GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description .. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1.
29 CVE-2019-1010309 Exec Code Dir. Trav. 2019-07-12 2019-07-12
0.0
None ??? ??? ??? ??? ??? ???
pacman prior to version 5.1.3 is affected by: Directory Traversal. The impact is: arbitrary file placement potentially leading to arbitrary root code execution. The component is: installing a remote package via a specified URL "pacman -U <url>". The problem was located in function curl_download_internal in lib/libalpm/dload.c line 535. The attack vector is: the victim must install a remote package via a specified URL from a malicious server (or a network MitM if downloading over HTTP). The fixed version is: 5.1.3 via commit 9702703633bec2c007730006de2aeec8587dfc84.
30 CVE-2019-1010308 284 2019-07-15 2019-07-22
5.0
None Remote Low Not required Partial None None
Aquaverde GmbH Aquarius CMS prior to version 4.1.1 is affected by: Incorrect Access Control. The impact is: The access to the log file is not restricted. It contains sensitive information like passwords etc. The component is: log file. The attack vector is: open the file.
31 CVE-2019-1010307 79 XSS 2019-07-15 2019-07-18
3.5
None Remote Medium Single system None Partial None
GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (XSS). The impact is: All dropdown values are vulnerable to XSS leading to privilege escalation and executing js on admin. The component is: /glpi/ajax/getDropDownValue.php. The attack vector is: 1- User Create a ticket , 2- Admin opens another ticket and click on the "Link Tickets" feature, 3- a request to the endpoint fetches js and executes it.
32 CVE-2019-1010306 77 Exec Code 2019-07-15 2019-07-30
7.5
None Remote Low Not required Partial Partial Partial
Slanger 0.6.0 is affected by: Remote Code Execution (RCE). The impact is: A remote attacker can execute arbitrary commands by sending a crafted request to the server. The component is: Message handler & request validator. The attack vector is: Remote unauthenticated. The fixed version is: after commit 5267b455caeb2e055cccf0d2b6a22727c111f5c3.
33 CVE-2019-1010305 119 Overflow 2019-07-15 2019-08-23
4.3
None Remote Medium Not required Partial None None
libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d.
34 CVE-2019-1010304 284 2019-07-15 2019-07-30
5.0
None Remote Low Not required Partial None None
Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop's revenue data. The fixed version is: 2.3.1.
35 CVE-2019-1010302 284 DoS 2019-07-15 2019-08-13
4.3
None Remote Medium Not required None None Partial
jhead 3.03 is affected by: Incorrect Access Control. The impact is: Denial of service. The component is: iptc.c Line 122 show_IPTC(). The attack vector is: the victim must open a specially crafted JPEG file.
36 CVE-2019-1010301 119 DoS Overflow 2019-07-15 2019-08-12
4.3
None Remote Medium Not required None None Partial
jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of service. The component is: gpsinfo.c Line 151 ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file.
37 CVE-2019-1010300 119 Overflow 2019-07-15 2019-07-22
5.0
None Remote Low Not required None None Partial
mz-automation libiec61850 1.3.2 1.3.1 1.3.0 is affected by: Buffer Overflow. The impact is: Software crash. The component is: server_example_complex_array. The attack vector is: Send a specific MMS protocol packet.
38 CVE-2019-1010299 200 +Info 2019-07-15 2019-10-09
5.0
None Remote Low Not required Partial None None
The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to string or to log file. The component is: Debug trait implementation for std::collections::vec_deque::Iter. The attack vector is: The program needs to invoke debug printing for iterator over an empty VecDeque. The fixed version is: 1.30.0, nightly versions after commit b85e4cc8fadaabd41da5b9645c08c68b8f89908d.
39 CVE-2019-1010298 119 Exec Code Overflow 2019-07-15 2019-07-16
10.0
None Remote Low Not required Complete Complete Complete
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Code execution in the context of TEE core (kernel). The component is: optee_os. The fixed version is: 3.4.0 and later.
40 CVE-2019-1010297 119 Exec Code Overflow 2019-07-15 2019-07-16
10.0
None Remote Low Not required Complete Complete Complete
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Execution of code in TEE core (kernel) context. The component is: optee_os. The fixed version is: 3.4.0 and later.
41 CVE-2019-1010296 119 Exec Code Overflow 2019-07-15 2019-07-16
10.0
None Remote Low Not required Complete Complete Complete
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Code execution in context of TEE core (kernel). The component is: optee_os. The fixed version is: 3.4.0 and later.
42 CVE-2019-1010295 119 Overflow Mem. Corr. 2019-07-15 2019-07-16
7.5
None Remote Low Not required Partial Partial Partial
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Memory corruption and disclosure of memory content. The component is: optee_os. The fixed version is: 3.4.0 and later.
43 CVE-2019-1010294 189 2019-07-15 2019-07-16
5.0
None Remote Low Not required Partial None None
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Rounding error. The impact is: Potentially leaking code and/or data from previous Trusted Application. The component is: optee_os. The fixed version is: 3.4.0 and later.
44 CVE-2019-1010293 20 Mem. Corr. 2019-07-15 2019-07-16
7.5
None Remote Low Not required Partial Partial Partial
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Boundary crossing. The impact is: Memory corruption of the TEE itself. The component is: optee_os. The fixed version is: 3.4.0 and later.
45 CVE-2019-1010292 119 Overflow Mem. Corr. 2019-07-16 2019-07-22
7.5
None Remote Low Not required Partial Partial Partial
Linaro/OP-TEE OP-TEE Prior to version v3.4.0 is affected by: Boundary checks. The impact is: This could lead to corruption of any memory which the TA can access. The component is: optee_os. The fixed version is: v3.4.0.
46 CVE-2019-1010290 601 2019-07-16 2019-07-19
5.8
None Remote Medium Not required Partial Partial None
Babel: Multilingual site Babel All is affected by: Open Redirection. The impact is: Redirection to any URL, which is supplied to redirect.php in a "newurl" parameter. The component is: redirect.php. The attack vector is: The victim must open a link created by an attacker. Attacker may use any legitimate site using Babel to redirect user to a URL of his/her choosing.
47 CVE-2019-1010287 79 Exec Code XSS 2019-07-17 2019-07-22
4.3
None Remote Medium Not required None Partial None
Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via a "redirect" parameter. The component is: Web login form: login.php, lines 40 and 54. The attack vector is: reflected XSS, victim may click the malicious url.
48 CVE-2019-1010283 200 +Info 2019-07-17 2019-10-09
5.0
None Remote Low Not required Partial None None
Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure. The impact is: Loss of Confidentiality. The component is: function data_on_connection() in src/callback.c. The attack vector is: network connectivity. The fixed version is: 12.0.1-4 and later.
49 CVE-2019-1010279 347 DoS Bypass 2019-07-18 2019-08-01
5.0
None Remote Low Not required None None Partial
Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suricata/pull/3625/commits/d8634daf74c882356659addb65fb142b738a186b). The attack vector is: An attacker can trigger the vulnerability by a specifically crafted network TCP session. The fixed version is: 4.1.3.
50 CVE-2019-1010275 295 2019-07-17 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2.
Total number of vulnerabilities : 1630   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.