The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2019-14973 | _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards. This can, for example, lead to an application crash. | MEDIUM | Aug 25, 2019 | n/a |
CVE-2019-14970 | A vulnerability in mkv::event_thread_t in VideoLAN VLC media player 3.0.7.1 allows remote attackers to trigger a heap-based buffer overflow via a crafted .mkv file. | MEDIUM | Aug 29, 2019 | n/a |
CVE-2019-14969 | Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation, and thus the target file will have the same permissions as the invoking process (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by a low-privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links. | MEDIUM | Aug 21, 2019 | n/a |
CVE-2019-14968 | An issue was discovered in imcat 4.9. There is SQL Injection via the index.php order parameter in a mod=faqs action. | HIGH | Aug 15, 2019 | n/a |
CVE-2019-14967 | An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability. | MEDIUM | Aug 15, 2019 | n/a |
CVE-2019-14966 | An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection. | MEDIUM | Aug 16, 2019 | n/a |
CVE-2019-14965 | An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists. | HIGH | Aug 16, 2019 | n/a |
CVE-2019-14961 | JetBrains Upsource before 2019.1.1412 was not properly escaping HTML tags in code block comments, leading to XSS. | MEDIUM | Oct 2, 2019 | n/a |
CVE-2019-14960 | JetBrains Rider before 2019.1.2 was using an unsigned JetBrains.Rider.Unity.Editor.Plugin.Repacked.dll file. | MEDIUM | Oct 8, 2019 | n/a |
CVE-2019-14959 | JetBrains Toolbox before 1.15.5605 was resolving an internal URL via a cleartext http connection. | MEDIUM | Oct 4, 2019 | n/a |
CVE-2019-14958 | JetBrains PyCharm before 2019.2 was allocating a buffer of unknown size for one of the connection processes. In a very specific situation, it could lead to a remote invocation of an OOM error message because of Uncontrolled Memory Allocation. | MEDIUM | Oct 8, 2019 | n/a |
CVE-2019-14957 | The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository. | MEDIUM | Oct 8, 2019 | n/a |
CVE-2019-14956 | JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names. | MEDIUM | Oct 3, 2019 | n/a |
CVE-2019-14955 | In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented. | MEDIUM | Oct 8, 2019 | n/a |
CVE-2019-14954 | JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection. | MEDIUM | Oct 8, 2019 | n/a |
CVE-2019-14953 | JetBrains YouTrack versions before 2019.2.53938 had a possible XSS through issue attachments when using the Firefox browser. | MEDIUM | Oct 2, 2019 | n/a |
CVE-2019-14952 | JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in the issue titles. | MEDIUM | Oct 2, 2019 | n/a |
CVE-2019-14951 | The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Lexus vehicles, has an incorrect protection mechanism against brute-force attacks on the authentication process, which makes it easier for attackers to obtain multimedia-screen access via port 7050 on the cellular network, as demonstrated by a DrivingRestriction method call to uma/jsonrpc/mobile. | MEDIUM | Aug 21, 2019 | n/a |
CVE-2019-14950 | The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page. | MEDIUM | Aug 15, 2019 | n/a |
CVE-2019-14949 | The wp-database-backup plugin before 5.1.2 for WordPress has XSS. | MEDIUM | Aug 21, 2019 | n/a |
CVE-2019-14948 | The woocommerce-product-addon plugin before 18.4 for WordPress has XSS via an import of a new meta data structure. | LOW | Aug 21, 2019 | n/a |
CVE-2019-14947 | The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade. | LOW | Aug 14, 2019 | n/a |
CVE-2019-14946 | The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations. | LOW | Aug 14, 2019 | n/a |
CVE-2019-14945 | The ultimate-member plugin before 2.0.54 for WordPress has XSS. | LOW | Aug 14, 2019 | n/a |
CVE-2019-14944 | An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Gitaly allows injection of command-line flags. This sometimes leads to privilege escalation or remote code execution. | -- | Apr 17, 2023 | n/a |
CVE-2019-14943 | An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4. It uses Hard-coded Credentials. | HIGH | Sep 4, 2019 | n/a |
CVE-2019-14942 | An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Cookies for GitLab Pages (which have access control) could be sent over cleartext HTTP. | -- | Apr 17, 2023 | n/a |
CVE-2019-14941 | SHAREit through 4.0.6.177 does not check the body length from the received packet header (which is used to allocate memory for the next set of data). This could lead to a system denial of service due to uncontrolled memory allocation. | HIGH | Apr 30, 2020 | n/a |
CVE-2019-14940 | In Storage Performance Development Kit (SPDK) before 19.07, a user of a vhost can cause a crash if the target is sent invalid input. | MEDIUM | Aug 21, 2019 | n/a |
CVE-2019-14939 | An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default. | LOW | Aug 22, 2019 | n/a |
CVE-2019-14937 | REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data. | MEDIUM | Aug 27, 2019 | n/a |
CVE-2019-14936 | Easy!Appointments 1.3.2 plugin for WordPress allows Sensitive Information Disclosure (Username and Password Hash). | MEDIUM | Sep 25, 2019 | n/a |
CVE-2019-14935 | 3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link. | MEDIUM | Aug 27, 2019 | n/a |
CVE-2019-14934 | An issue was discovered in PDFResurrect before 0.18. pdf_load_pages_kids in pdf.c doesn't validate a certain size value, which leads to a malloc failure and out-of-bounds write. | MEDIUM | Aug 20, 2019 | n/a |
CVE-2019-14933 | Bagisto 0.1.5 allows CSRF under /admin URIs. | MEDIUM | Aug 14, 2019 | n/a |
CVE-2019-14932 | The Recruitment module in Humanica Humatrix 7 1.0.0.681 and 1.0.0.203 allows remote attackers to access all candidates' information on the website via a modified selApp variable to personalData/resumeDetail.cfm. This includes personal information and other sensitive data. | MEDIUM | Aug 21, 2019 | n/a |
CVE-2019-14931 | An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data. | HIGH | Oct 30, 2019 | n/a |
CVE-2019-14930 | An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Undocumented hard-coded user passwords for root, ineaadmin, mitsadmin, and maint could allow an attacker to gain unauthorised access to the RTU. (Also, the accounts ineaadmin and mitsadmin are able to escalate privileges to root without supplying a password due to insecure entries in /etc/sudoers on the RTU.) | HIGH | Oct 30, 2019 | n/a |
CVE-2019-14929 | An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service. | MEDIUM | Oct 30, 2019 | n/a |
CVE-2019-14928 | An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A number of stored cross-site script (XSS) vulnerabilities allow an attacker to inject malicious code directly into the application. An example input variable vulnerable to stored XSS is SerialInitialModemString in the index.php page. | LOW | Oct 30, 2019 | n/a |
CVE-2019-14927 | An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote configuration download vulnerability allows an attacker to download the smartRTU's configuration file (which contains data such as usernames, passwords, and other sensitive RTU data). | MEDIUM | Oct 30, 2019 | n/a |
CVE-2019-14926 | An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Hard-coded SSH keys allow an attacker to gain unauthorised access or disclose encrypted data on the RTU due to the keys not being regenerated on initial installation or with firmware updates. In other words, these devices use private-key values in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_dsa_key files that are publicly available from the vendor web sites. | HIGH | Oct 30, 2019 | n/a |
CVE-2019-14925 | An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A world-readable /usr/smartrtu/init/settings.xml configuration file on the file system allows an attacker to read sensitive configuration settings such as usernames, passwords, and other sensitive RTU data due to insecure permission assignment. | MEDIUM | Oct 30, 2019 | n/a |
CVE-2019-14924 | An issue was discovered in GCDWebServer before 3.5.3. The method moveItem in the GCDWebUploader class checks the FileExtension of newAbsolutePath but not oldAbsolutePath. By leveraging this vulnerability, an adversary can make an inaccessible file be available (the credential of the app, for instance). | MEDIUM | Aug 19, 2019 | n/a |
CVE-2019-14923 | EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field. | MEDIUM | Aug 27, 2019 | n/a |
CVE-2019-14920 | Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows an authenticated attacker to gain root execution privileges over the device via a hidden etc_ro/web/adm/system_command.asp shell feature. | HIGH | Jan 9, 2020 | n/a |
CVE-2019-14919 | An exposed Telnet Service on the Billion Smart Energy Router SG600R2 with firmware v3.02.rc6 allows a local network attacker to authenticate via hardcoded credentials into a shell, gaining root execution privileges over the device. | HIGH | Jan 9, 2020 | n/a |
CVE-2019-14918 | XSS in the DHCP lease-status table in Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows an attacker to inject arbitrary HTML/JavaScript code to achieve client-side code execution via crafted DHCP request packets to etc_ro/web/internet/dhcpcliinfo.asp. | LOW | Jan 9, 2020 | n/a |
CVE-2019-14916 | An issue was discovered in PRiSE adAS 1.7.0. A file's format is not properly checked, leading to an unrestricted file upload. | MEDIUM | Sep 27, 2019 | n/a |
CVE-2019-14915 | An issue was discovered in PRiSE adAS 1.7.0. Certificate data are not properly escaped. This leads to XSS when submitting a rogue certificate. | MEDIUM | Sep 23, 2019 | n/a |