The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2019-13381 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2019-13380 | KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from websites is mishandled in the online vault. | MEDIUM | Jul 10, 2019 | n/a |
CVE-2019-13379 | On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device's web interface may escalate privileges from an unauthenticated user to administrator by performing a cmd.cgi?action=ResetDefaults&src=RA reset and using the default credentials to get in. | HIGH | Jul 15, 2019 | n/a |
CVE-2019-13377 | The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information from a side-channel attack that can be used for full password recovery. | MEDIUM | Aug 28, 2019 | n/a |
CVE-2019-13376 | phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS. | MEDIUM | Sep 27, 2019 | n/a |
CVE-2019-13375 | A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 in PayAction.class.php with the index.php/Pay/passcodeAuth parameter passcode. The vulnerability does not need any authentication. | HIGH | Jul 9, 2019 | n/a |
CVE-2019-13374 | A cross-site scripting (XSS) vulnerability in resource view in PayAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to inject arbitrary web script or HTML via the index.php/Pay/passcodeAuth passcode parameter. | MEDIUM | Jul 9, 2019 | n/a |
CVE-2019-13373 | An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. Input does not get validated and arbitrary SQL statements can be executed in the database via the /web/Public/Conn.php parameter dbSQL. | HIGH | Jul 9, 2019 | n/a |
CVE-2019-13372 | /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication. | HIGH | Jul 12, 2019 | n/a |
CVE-2019-13370 | index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator. | MEDIUM | Jul 9, 2019 | n/a |
CVE-2019-13369 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2019-13368 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2019-13367 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2019-13364 | admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF. | MEDIUM | Sep 13, 2019 | n/a |
CVE-2019-13363 | admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF. | MEDIUM | Sep 13, 2019 | n/a |
CVE-2019-13362 | Codedoc v3.2 has a stack-based buffer overflow in add_variable in codedoc.c, related to codedoc_strlcpy. | MEDIUM | Jul 9, 2019 | n/a |
CVE-2019-13361 | Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an attacker on the same Wi-Fi network. | LOW | Sep 6, 2019 | n/a |
CVE-2019-13360 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username. | HIGH | Jul 18, 2019 | n/a |
CVE-2019-13359 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user. | HIGH | Jul 18, 2019 | n/a |
CVE-2019-13358 | lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format. | MEDIUM | Jul 11, 2019 | n/a |
CVE-2019-13357 | In Total Defense Anti-virus 9.0.0.773, resource acquisition from the untrusted search path C:\ used by caschelp.exe allows local attackers to hijack ccGUIFrm.dll, which leads to code execution. SYSTEM-level code execution can be achieved when the ccSchedulerSVC service runs the affected executable. | MEDIUM | Sep 24, 2019 | n/a |
CVE-2019-13356 | In Total Defense Anti-virus 9.0.0.773, insecure access control for the directory %PROGRAMDATA%\TotalDefense\Consumer\ISS\9\bd\TDUpdate2\ used by AMRT.exe allows local attackers to hijack bdcore.dll, which leads to privilege escalation when the AMRT service loads the DLL. | MEDIUM | Sep 24, 2019 | n/a |
CVE-2019-13355 | In Total Defense Anti-virus 9.0.0.773, insecure access control for the directory %PROGRAMDATA%\TotalDefense\Consumer\ISS\9\ used by ccschedulersvc.exe allows local attackers to hijack dotnetproxy.exe, which leads to privilege escalation when the ccSchedulerSVC service runs the executable. | MEDIUM | Sep 24, 2019 | n/a |
CVE-2019-13354 | The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6. | HIGH | Jul 10, 2019 | n/a |
CVE-2019-13352 | WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic secret for generating support PINs for the 'forgot password' feature. By knowing this static secret and the corresponding algorithm for calculating support PINs, an attacker can reset the ADMIN password and thus gain remote access. | HIGH | Jul 15, 2019 | n/a |
CVE-2019-13351 | posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor. | MEDIUM | Jul 11, 2019 | n/a |
CVE-2019-13349 | In Knowage through 6.1.1, an authenticated user that accesses the users page will obtain all user password hashes. | MEDIUM | Sep 6, 2019 | n/a |
CVE-2019-13348 | In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases. | MEDIUM | Aug 29, 2019 | n/a |
CVE-2019-13347 | An issue was discovered in the SAML Single Sign On (SSO) plugin for several Atlassian products affecting versions 3.1.0 through 3.2.2 for Jira and Confluence, versions 2.4.0 through 3.0.3 for Bitbucket, and versions 2.4.0 through 2.5.2 for Bamboo. It allows locally disabled users to reactivate their accounts just by browsing the affected Jira/Confluence/Bitbucket/Bamboo instance, even when the applicable configuration option of the plugin has been disabled (Reactivate inactive users). Exploiting this vulnerability requires an attacker to be authorized by the identity provider and requires that the plugin's configuration option User Update Method have the Update from SAML Attributes value. | MEDIUM | Dec 13, 2019 | n/a |
CVE-2019-13346 | In MyT 1.5.1, the User[username] parameter has XSS. | MEDIUM | Jul 18, 2019 | n/a |
CVE-2019-13345 | The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter. | MEDIUM | Jul 15, 2019 | n/a |
CVE-2019-13344 | An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter. | MEDIUM | Jul 8, 2019 | n/a |
CVE-2019-13343 | Butor Portal before 1.0.27 is affected by a Path Traversal vulnerability leading to a pre-authentication arbitrary file download. Effectively, a remote anonymous user can download any file on servers running Butor Portal. WhiteLabelingServlet is responsible for this vulnerability. It does not properly sanitize user input on the theme t parameter before reusing it in a path. This path is then used without validation to fetch a file and return its raw content to the user via the /wl?t=../../...&h= substring followed by a filename. | MEDIUM | Oct 9, 2019 | n/a |
CVE-2019-13341 | In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie. | LOW | Jul 7, 2019 | n/a |
CVE-2019-13340 | In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186. | LOW | Jul 7, 2019 | n/a |
CVE-2019-13339 | In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie. | LOW | Jul 7, 2019 | n/a |
CVE-2019-13338 | In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. In other words, the password hash can be retrieved even though it is not a publicly available field. | MEDIUM | Jul 16, 2019 | n/a |
CVE-2019-13337 | In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required. | MEDIUM | Jul 16, 2019 | n/a |
CVE-2019-13336 | The dbell Wi-Fi Smart Video Doorbell DB01-S Gen 1 allows remote attackers to launch commands with no authentication verification via TCP port 81, because the loginuse and loginpass parameters to openlock.cgi can have arbitrary values. NOTE: the vendor's position is that this product reached end of life in 2016. | HIGH | Oct 18, 2019 | n/a |
CVE-2019-13335 | SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has SSRF. | HIGH | Oct 8, 2019 | n/a |
CVE-2019-13334 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8774. | MEDIUM | Feb 11, 2020 | n/a |
CVE-2019-13333 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8773. | MEDIUM | Feb 11, 2020 | n/a |
CVE-2019-13332 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of templates in XFA forms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9149. | MEDIUM | Oct 9, 2019 | n/a |
CVE-2019-13331 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8838. | MEDIUM | Oct 9, 2019 | n/a |
CVE-2019-13330 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPG files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8742. | MEDIUM | Oct 9, 2019 | n/a |
CVE-2019-13329 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of TIF files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8695. | MEDIUM | Oct 9, 2019 | n/a |
CVE-2019-13328 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of fields within Acroform objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8913. | MEDIUM | Oct 9, 2019 | n/a |
CVE-2019-13327 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of fields within Acroform objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8888. | MEDIUM | Oct 9, 2019 | n/a |
CVE-2019-13326 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of fields within Acroform objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8864. | MEDIUM | Oct 9, 2019 | n/a |
CVE-2019-13325 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.909. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of EPS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8922. | MEDIUM | Oct 9, 2019 | n/a |