The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-13100 | The Send Anywhere application 9.4.18 for Android stores confidential information insecurely on the system (i.e., in cleartext), which allows a non-root user to find out the username/password of a valid user via /data/data/com.estmob.android.sendanywhere/shared_prefs/sendanywhere_device.xml. | MEDIUM | Jul 29, 2019 | n/a |
| CVE-2019-13099 | The Momo application 2.1.9 for Android stores confidential information insecurely on the system (i.e., in cleartext), which allows a non-root user to find out the username/password of a valid user and a user\'s access token via Logcat. | MEDIUM | Jul 26, 2019 | n/a |
| CVE-2019-13098 | The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications. | MEDIUM | Jul 24, 2019 | n/a |
| CVE-2019-13097 | The application API of Cat Runner Decorate Home version 2.8.0 for Android does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. Attackers can manipulate users\' score parameters exchanged between client and server. | MEDIUM | Jul 26, 2019 | n/a |
| CVE-2019-13096 | TronLink Wallet 2.2.0 stores user wallet keystore in plaintext and places them in insecure storage. An attacker can read and reuse the user keystore of a valid user via /data/data/com.tronlink.wallet/shared_prefs/<wallet-name>.xml to gain unauthorized access. | MEDIUM | Jul 26, 2019 | n/a |
| CVE-2019-13086 | core/MY_Security.php in CSZ CMS 1.2.2 before2019-06-20 has member/login/check SQL injection by sending a crafted HTTP User-Agent header and omitting the csrf_csz parameter. | HIGH | Jul 3, 2019 | n/a |
| CVE-2019-13085 | XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000030ecfa. | MEDIUM | Jul 3, 2019 | n/a |
| CVE-2019-13084 | XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000026b739. | MEDIUM | Jul 3, 2019 | n/a |
| CVE-2019-13083 | XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000384e2a. | MEDIUM | Jul 3, 2019 | n/a |
| CVE-2019-13082 | Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its content, and once it has been extracted, does not check files in a recursive way. This means that by putting a .php file in a folder and then this folder in a ZIP archive, the server will accept this file without any checks. Because one can access this file from the website, it is remote code execution. This is related to a scorm imsmanifest.xml file, the import_package function, and extraction in $courseSysDir.$newDir. | HIGH | Jul 3, 2019 | n/a |
| CVE-2019-13081 | Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the title field in the /common/ticket_associated_tickets.php service desk ticket functionality) that allows an authenticated user to execute arbitrary JavaScript in a service desk user\'s browser. | LOW | Nov 7, 2019 | n/a |
| CVE-2019-13080 | Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via an SVG image and HTML file) that allows an authenticated user to execute arbitrary JavaScript in an administrator\'s browser. | LOW | Nov 7, 2019 | n/a |
| CVE-2019-13079 | Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /adminui/history_log.php. The affected parameter is TYPE_NAME. | MEDIUM | Nov 7, 2019 | n/a |
| CVE-2019-13078 | Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /common/user_profile.php. The affected parameter is sort_column. | MEDIUM | Nov 7, 2019 | n/a |
| CVE-2019-13077 | Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the sam_detail_titled.php SAM_TYPE parameter) that allows an attacker to create a malicious link in order to attack authenticated users. | MEDIUM | Nov 7, 2019 | n/a |
| CVE-2019-13076 | Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /userui/ticket_list.php, and affected parameters are order[0][column] and order[0][dir]. | MEDIUM | Nov 7, 2019 | n/a |
| CVE-2019-13075 | Tor Browser through 8.5.3 has an information exposure vulnerability. It allows remote attackers to detect the browser\'s language via vectors involving an IFRAME element, because text in that language is included in the title attribute of a LINK element for a non-HTML page. This is related to a behavior of Firefox before 68. | MEDIUM | Jul 8, 2019 | n/a |
| CVE-2019-13074 | A vulnerability in the FTP daemon on MikroTik routers through 6.44.3 could allow remote attackers to exhaust all available memory, causing the device to reboot because of uncontrolled resource management. | HIGH | Jul 10, 2019 | n/a |
| CVE-2019-13072 | Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page. | MEDIUM | Jul 1, 2019 | n/a |
| CVE-2019-13071 | CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. This can be exploited by tricking an authenticated user into visiting an attacker controlled web page. | MEDIUM | Jul 17, 2019 | n/a |
| CVE-2019-13070 | A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/action_recipient Event Action/Recipient page, the embedded code will be executed in the browser of the victim. | LOW | Jul 10, 2019 | n/a |
| CVE-2019-13069 | extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. The attacker must replace SilverShield.config.sqlite with a version containing an additional user account, and then use SSH and port forwarding to reach a 127.0.0.1 service. | HIGH | Aug 26, 2019 | n/a |
| CVE-2019-13068 | public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field). | MEDIUM | Jul 3, 2019 | n/a |
| CVE-2019-13067 | njs through 0.3.3, used in NGINX, has a buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c. This issue occurs after the fix for CVE-2019-12207 is in place. | HIGH | Jun 29, 2019 | n/a |
| CVE-2019-13066 | Sahi Pro 8.0.0 has a script manager arena located at _s_/dyn/pro/DBReports with many different areas that are vulnerable to reflected XSS, by updating a script\'s Script Name, Suite Name, Base URL, Android, iOS, Scripts Run, Origin Machine, or Comment field. The sql parameter can be used to trigger reflected XSS. | MEDIUM | Oct 29, 2019 | n/a |
| CVE-2019-13063 | Within Sahi Pro 8.0.0, an attacker can send a specially crafted URL to include any victim files on the system via the script parameter on the Script_view page. This will result in file disclosure (i.e., being able to pull any file from the remote victim application). This can be used to steal and obtain sensitive config and other files. This can result in complete compromise of the application. The script parameter is vulnerable to directory traversal and both local and remote file inclusion. | MEDIUM | Sep 23, 2019 | n/a |
| CVE-2019-13057 | An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.) | LOW | Jul 26, 2019 | n/a |
| CVE-2019-13056 | An issue was discovered in CyberPanel through 1.8.4. On the user edit page, an attacker can edit the administrator\'s e-mail and password because of the lack of CSRF protection. | MEDIUM | Jul 3, 2019 | n/a |
| CVE-2019-13055 | Certain Logitech Unifying devices allow attackers to dump AES keys and addresses, leading to the capability of live decryption of Radio Frequency transmissions, as demonstrated by an attack against a Logitech K360 keyboard. | LOW | Jul 8, 2019 | n/a |
| CVE-2019-13054 | The Logitech R500 presentation clicker allows attackers to determine the AES key, leading to keystroke injection. On Windows, any text may be injected by using ALT+NUMPAD input to bypass the restriction on the characters A through Z. | LOW | Jul 8, 2019 | n/a |
| CVE-2019-13053 | Logitech Unifying devices allow keystroke injection, bypassing encryption. The attacker must press a \"magic\" key combination while sniffing cryptographic data from a Radio Frequency transmission. NOTE: this issue exists because of an incomplete fix for CVE-2016-10761. | LOW | Jul 8, 2019 | n/a |
| CVE-2019-13052 | Logitech Unifying devices allow live decryption if the pairing of a keyboard to a receiver is sniffed. | LOW | Jul 8, 2019 | n/a |
| CVE-2019-13051 | Pi-Hole 4.3 allows Command Injection. | MEDIUM | Oct 11, 2019 | n/a |
| CVE-2019-13050 | Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack. | MEDIUM | Jun 29, 2019 | n/a |
| CVE-2019-13049 | An integer wrap in kernel/sys/syscall.c in ToaruOS 1.10.10 allows users to map arbitrary kernel pages into userland process space via TOARU_SYS_FUNC_MMAP, leading to escalation of privileges. | HIGH | Jul 1, 2019 | n/a |
| CVE-2019-13048 | kernel/sys/syscall.c in ToaruOS through 1.10.9 allows a denial of service upon a critical error in certain sys_sbrk allocation patterns (involving PAGE_SIZE, and a value less than PAGE_SIZE). | MEDIUM | Jul 1, 2019 | n/a |
| CVE-2019-13047 | kernel/sys/syscall.c in ToaruOS through 1.10.9 has incorrect access control in sys_sysfunc case 9 for TOARU_SYS_FUNC_SETHEAP, allowing arbitrary kernel pages to be mapped into user land, leading to root access. | HIGH | Jul 1, 2019 | n/a |
| CVE-2019-13046 | linker/linker.c in ToaruOS through 1.10.9 has insecure LD_LIBRARY_PATH handling in setuid applications. | HIGH | Jul 1, 2019 | n/a |
| CVE-2019-13045 | Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free when sending SASL login to the server. | MEDIUM | Jun 29, 2019 | n/a |
| CVE-2019-13044 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | HIGH | Jun 29, 2019 | n/a |
| CVE-2019-13038 | mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL. | MEDIUM | Jul 3, 2019 | n/a |
| CVE-2019-13035 | Artica Pandora FMS 7.0 NG before 735 suffers from local privilege escalation due to improper permissions on C:\\PandoraFMS and its sub-folders, allowing standard users to create new files. Moreover, the Apache service httpd.exe will try to execute cmd.exe from C:\\PandoraFMS (the current directory) as NT AUTHORITY\\SYSTEM upon web requests to the portal. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\\SYSTEM. | HIGH | Jul 3, 2019 | n/a |
| CVE-2019-13033 | In CISOfy Lynis 2.x through 2.7.5, the license key can be obtained by looking at the process list when a data upload is being performed. This license can be used to upload data to a central Lynis server. Although no data can be extracted by knowing the license key, it may be possible to upload the data of additional scans. | LOW | Jun 18, 2020 | n/a |
| CVE-2019-13032 | An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL pointer dereference occurs in GetRelativePathToNcx() or GetRelativePathsToXhtmlDocuments() when a NULL pointer is passed to xc::XMLUri::isValidURI(). This affects third-party software (not Sigil) that uses FlightCrew as a library. | MEDIUM | Jul 5, 2019 | n/a |
| CVE-2019-13031 | LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a \"deny all\" rule. | MEDIUM | Jul 5, 2019 | n/a |
| CVE-2019-13030 | eQ-3 Homematic CCU3 AddOn \'Mediola NEO Server for Homematic CCU3\' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details. This is related to improper access control for addons configuration pages and a missing check in rc.d/97NeoServer. | MEDIUM | Aug 28, 2019 | n/a |
| CVE-2019-13029 | Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user\'s web browser. | LOW | Jul 24, 2019 | n/a |
| CVE-2019-13028 | An incorrect implementation of a local web server in eID client (Windows version before 3.1.2, Linux version before 3.0.3) allows remote attackers to execute arbitrary code (.cgi, .pl, or .php) or delete arbitrary files via a crafted HTML page. This is a product from the Ministry of Interior of the Slovak Republic. | MEDIUM | Jul 5, 2019 | n/a |
| CVE-2019-13027 | Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has SQL Injection in at least in the taskupdt/taskdetails.aspx webpage via the projectname parameter. | HIGH | Jul 15, 2019 | n/a |
| CVE-2019-13026 | OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary. | HIGH | Aug 7, 2019 | n/a |
