Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Showing entries (of 219869 total)
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-14787 | The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter. | LOW | Aug 22, 2019 |
| CVE-2019-14786 | The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users to reset the settings via the wp-admin/admin-post.php reset-cmb parameter. | MEDIUM | Aug 23, 2019 |
| CVE-2019-14785 | The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1 cp_contactformpp_id parameter. | LOW | Aug 15, 2019 |
| CVE-2019-14784 | The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition. | MEDIUM | Aug 20, 2019 |
| CVE-2019-14783 | On Samsung mobile devices with N(7.x), and O(8.x), P(9.0) software, FotaAgent allows a malicious application to create privileged files. The Samsung ID is SVE-2019-14764. | LOW | Aug 16, 2019 |
| CVE-2019-14782 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.856 through 0.9.8.864 allows an attacker to get a victim's session file name from the /tmp directory, and the victim's token value from /usr/local/cwpsrv/logs/access_log, then use them to make a request to extract the victim's password (for the OS and phpMyAdmin) via an attacker account. | MEDIUM | Dec 19, 2019 |
| CVE-2019-14778 | The mkv::virtual_segment_c::seek method of demux/mkv/virtual_segment.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free. | MEDIUM | Aug 29, 2019 |
| CVE-2019-14777 | The Control function of demux/mkv/mkv.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free. | MEDIUM | Aug 29, 2019 |
| CVE-2019-14776 | A heap-based buffer over-read exists in DemuxInit() in demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 via a crafted .mkv file. | MEDIUM | Aug 29, 2019 |
| CVE-2019-14774 | The woo-variation-swatches (aka Variation Swatches for WooCommerce) plugin 1.0.61 for WordPress allows XSS via the wp-admin/admin.php?page=woo-variation-swatches-settings tab parameter. | MEDIUM | Aug 30, 2019 |
| CVE-2019-14773 | admin/includes/class.actions.snippet.php in the "Woody ad snippets" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close&post= deletion. | MEDIUM | Aug 14, 2019 |
| CVE-2019-14772 | verdaccio before 3.12.0 allows XSS. | MEDIUM | Aug 13, 2019 |
| CVE-2019-14771 | Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, potentially allowing non-configuration scripts to be uploaded to the server. (This attack is mitigated by the attacker needing the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given. Other preventative measures in Backdrop CMS prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.) | HIGH | Aug 19, 2019 |
| CVE-2019-14770 | In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. (This issue is mitigated by the attacker needing permissions to create administrative menu links, such as by creating a content type or layout. Such permissions are usually restricted to trusted or administrative users.) | MEDIUM | Aug 16, 2019 |
| CVE-2019-14769 | Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This issue is mitigated by the attacker needing permission to create custom blocks on the site, which is typically an administrative permission.) | MEDIUM | Aug 15, 2019 |
| CVE-2019-14768 | An Arbitrary File Upload issue in the file browser of DIMO YellowBox CRM before 6.3.4 allows a standard authenticated user to deploy a new WebApp WAR file to the Tomcat server via Path Traversal, allowing remote code execution with SYSTEM privileges. | HIGH | Jan 29, 2020 |
| CVE-2019-14767 | In DIMO YellowBox CRM before 6.3.4, Path Traversal in images/Apparence (dossier=../) and servletrecuperefichier (document=../) allows an unauthenticated user to download arbitrary files from the server. | MEDIUM | Jan 28, 2020 |
| CVE-2019-14766 | Path Traversal in the file browser of DIMO YellowBox CRM before 6.3.4 allows a standard authenticated user to browse the server filesystem. | MEDIUM | Jan 28, 2020 |
| CVE-2019-14765 | Incorrect Access Control in AfficheExplorateurParam() in DIMO YellowBox CRM before 6.3.4 allows a standard authenticated user to use administrative controllers. | MEDIUM | Jan 29, 2020 |
| CVE-2019-14763 | In the Linux kernel before 4.16.4, a double-locking error in drivers/usb/dwc3/gadget.c may potentially cause a deadlock with f_hid. | MEDIUM | Aug 8, 2019 |
| CVE-2019-14761 | An issue was discovered in KaiOS 2.5. The pre-installed Note application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Note application. At a bare minimum, this allows an attacker to take control over the Note application's UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application. | LOW | Sep 17, 2020 |
| CVE-2019-14760 | An issue was discovered in KaiOS 2.5. The pre-installed Recorder application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Recorder application. At a bare minimum, this allows an attacker to take control over the Recorder application's UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application. | LOW | Sep 17, 2020 |
| CVE-2019-14759 | An issue was discovered in KaiOS 1.0, 2.5, and 2.5.1. The pre-installed Radio application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Radio application. At a bare minimum, this allows an attacker to take control over the Radio application's UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application. | LOW | Sep 17, 2020 |
| CVE-2019-14758 | An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed File Manager application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a file via email to the victim that will inject HTML into the File Manager application (assuming the victim chooses to download the email attachment). At a bare minimum, this allows an attacker to take control over the File Manager application's UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application. | MEDIUM | Sep 17, 2020 |
| CVE-2019-14757 | An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed Contacts application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a vCard file to the victim that will inject HTML into the Contacts application (assuming the victim chooses to import the file). At a bare minimum, this allows an attacker to take control over the Contacts application's UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application. | MEDIUM | Sep 17, 2020 |
| CVE-2019-14756 | An issue was discovered in KaiOS 1.0, 2.5, and 2.5.12.5. The pre-installed Email application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a specially crafted email to the victim that will inject HTML into the email application's UI as soon as the email is opened. At a bare minimum, this allows an attacker to take control over the Email application's UI (e.g., display a malicious prompt to the user asking them to re-enter their email credentials) and also allows an attacker to abuse any of the privileges available to the mobile application. | MEDIUM | Sep 17, 2020 |
| CVE-2019-14755 | The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type. | MEDIUM | Aug 20, 2019 |
| CVE-2019-14754 | Open-School 3.0, and Community Edition 2.3, allows SQL Injection via the index.php?r=students/students/document id parameter. | HIGH | Aug 14, 2019 |
| CVE-2019-14753 | SICK FX0-GPNT00000 and FX0-GENT00000 devices through 3.4.0 have a Buffer Overflow. | MEDIUM | Sep 24, 2019 |
| CVE-2019-14752 | SuiteCRM 7.10.x and 7.11.x before 7.10.20 and 7.11.8 has XSS. | -- | Oct 2, 2019 |
| CVE-2019-14751 | NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction. | MEDIUM | Aug 29, 2019 |
| CVE-2019-14750 | An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions. | MEDIUM | Aug 14, 2019 |
| CVE-2019-14749 | An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected. | MEDIUM | Aug 14, 2019 |
| CVE-2019-14748 | An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment. | LOW | Aug 14, 2019 |
| CVE-2019-14745 | DWSurvey through 2019-07-22 has stored XSS via the design/my-survey-design!copySurvey.action surveyName parameter. | MEDIUM | Aug 12, 2019 |
| CVE-2019-14746 | An issue was discovered in KuaiFanCMS 5.0. It allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request. | HIGH | Aug 14, 2019 |
| CVE-2019-14745 | In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables. | MEDIUM | Aug 14, 2019 |
| CVE-2019-14744 | In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file. | MEDIUM | Aug 15, 2019 |
| CVE-2019-14743 | In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit "Full control" for the Users group, which allows local users to gain NT AUTHORITY\SYSTEM access. | HIGH | Aug 28, 2019 |
| CVE-2019-14737 | Ubisoft Uplay 92.0.0.6280 has Insecure Permissions. | MEDIUM | Oct 17, 2019 |
| CVE-2019-14734 | AdPlug 2.3.1 has multiple heap-based buffer overflows in CmtkLoader::load() in mtk.cpp. | MEDIUM | Aug 13, 2019 |
| CVE-2019-14733 | AdPlug 2.3.1 has multiple heap-based buffer overflows in CradLoader::load() in rad.cpp. | MEDIUM | Aug 13, 2019 |
| CVE-2019-14732 | AdPlug 2.3.1 has multiple heap-based buffer overflows in Ca2mLoader::load() in a2m.cpp. | MEDIUM | Aug 13, 2019 |
| CVE-2019-14731 | An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vulnerability that leads to the capture of other people's cookies via the Rich Text Box. | LOW | Aug 15, 2019 |
| CVE-2019-14730 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete a domain from a victim's account via an attacker account. | MEDIUM | Sep 13, 2019 |
| CVE-2019-14729 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete a sub-domain from a victim's account via an attacker account. | MEDIUM | Sep 13, 2019 |
| CVE-2019-14728 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to add an e-mail forwarding destination to a victim's account via an attacker account. | MEDIUM | Sep 13, 2019 |
| CVE-2019-14727 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to change the e-mail password of a victim account via an attacker account. | MEDIUM | Sep 13, 2019 |
| CVE-2019-14726 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to access and delete DNS records of a victim's account via an attacker account. | MEDIUM | Sep 13, 2019 |
| CVE-2019-14725 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to change the e-mail usage value of a victim account via an attacker account. | MEDIUM | Sep 12, 2019 |
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release applies when the CVE has been addressed and fixed for that product version. Requires LTSS: customers must have active LTSS (Long Term Security Shield) support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.