The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-13377 | The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information from a side-channel attack that can be used for full password recovery. | MEDIUM | Aug 28, 2019 | -- (VxWorks 7) |
| CVE-2019-15149 | ** DISPUTED ** core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected. NOTE: the vendor disputes this issue because it is exploitable only in conjunction with hypothetical other factors, i.e., an affected use case within a library caller, and a bug in the message receiver policy code that led to reliance on this extra protection mechanism. | MEDIUM | Aug 30, 2019 | -- (VxWorks 7) |
| CVE-2019-15148 | GoPro GPMF-parser 1.2.2 has an out-of-bounds write in OpenMP4Source in demo/GPMF_mp4reader.c. | MEDIUM | Aug 22, 2019 | -- (VxWorks 7) |
| CVE-2019-15147 | GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Next in GPMF_parser.c. | MEDIUM | Aug 22, 2019 | -- (VxWorks 7) |
| CVE-2019-15146 | GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in GPMF_Next in GPMF_parser.c. | MEDIUM | Aug 22, 2019 | -- (VxWorks 7) |
| CVE-2019-15145 | DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h. | MEDIUM | Aug 30, 2019 | -- (VxWorks 7) |
| CVE-2019-15144 | In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h. | MEDIUM | Aug 30, 2019 | -- (VxWorks 7) |
| CVE-2019-15143 | In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp. | MEDIUM | Aug 30, 2019 | -- (VxWorks 7) |
| CVE-2019-15142 | In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file. | MEDIUM | Aug 30, 2019 | -- (VxWorks 7) |
| CVE-2019-15141 | WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597. | MEDIUM | Aug 23, 2019 | -- (VxWorks 7) |
| CVE-2019-15140 | coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c. | MEDIUM | Aug 28, 2019 | -- (VxWorks 7) |
| CVE-2019-15139 | The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472. | MEDIUM | Aug 28, 2019 | -- (VxWorks 7) |
| CVE-2019-15137 | The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows fnmatch pattern matches with topic name strings (instead of the permission expressions themselves), which can lead to unintended connections between participants in a Data Distribution Service (DDS) network. | MEDIUM | Aug 29, 2019 | -- (VxWorks 7) |
| CVE-2019-15136 | The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition. | MEDIUM | Aug 29, 2019 | -- (VxWorks 7) |
| CVE-2019-15135 | The handshake protocol in Object Management Group (OMG) DDS Security 1.1 sends cleartext information about all of the capabilities of a participant (including capabilities inapplicable to the current session), which makes it easier for attackers to discover potentially sensitive reachability information on a Data Distribution Service (DDS) network. | MEDIUM | Aug 29, 2019 | -- (VxWorks 7) |
| CVE-2019-15129 | The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates\' files in the photo folder on the website by specifying a \"user id\" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_name] URI. | MEDIUM | Aug 30, 2019 | -- (VxWorks 7) |
| CVE-2019-15133 | In GIFLIB before2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero. | MEDIUM | Aug 29, 2019 | -- (VxWorks 7) |
| CVE-2019-15132 | Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the \"Login name or password is incorrect\" and \"No permissions for system access\" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php. | MEDIUM | Aug 29, 2019 | -- (VxWorks 7) |
| CVE-2019-14937 | REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user\'s login sessionid from the database, and then re-login into REDCap to compromise all data. | MEDIUM | Aug 27, 2019 | -- (VxWorks 7) |
| CVE-2019-8063 | Creative Cloud Desktop Application 4.6.1 and earlier versions have an insecure transmission of sensitive data vulnerability. Successful exploitation could lead to information leakage. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2019-7957 | Creative Cloud Desktop Application versions 4.6.1 and earlier have a security bypass vulnerability. Successful exploitation could lead to denial of service. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2019-15120 | The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode. | MEDIUM | Aug 16, 2019 | -- (VxWorks 7) |
| CVE-2019-15119 | lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user. | MEDIUM | Aug 23, 2019 | -- (VxWorks 7) |
| CVE-2019-15118 | check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion. | MEDIUM | Aug 28, 2019 | -- (VxWorks 7) |
| CVE-2019-15117 | parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access. | MEDIUM | Aug 28, 2019 | -- (VxWorks 7) |
| CVE-2019-15116 | The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging. | MEDIUM | Aug 23, 2019 | -- (VxWorks 7) |
| CVE-2019-15115 | The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF. | MEDIUM | Aug 22, 2019 | -- (VxWorks 7) |
| CVE-2019-15114 | The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2019-15113 | The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2019-15095 | DWSurvey through2019-07-22 has reflected XSS via the design/qu-multi-fillblank!answers.action surveyId parameter. | MEDIUM | Aug 26, 2019 | -- (VxWorks 7) |
| CVE-2019-15090 | An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read. | MEDIUM | Aug 29, 2019 | -- (VxWorks 7) |
| CVE-2019-14923 | EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field. | MEDIUM | Aug 27, 2019 | -- (VxWorks 7) |
| CVE-2019-10081 | HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with \"H2PushResource\", could lead to an overwrite of memory in the pushing request\'s pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. | MEDIUM | Aug 30, 2019 | -- (VxWorks 7) |
| CVE-2018-20974 | The js-jobs plugin before 1.0.7 for WordPress has CSRF. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2018-20972 | The companion-auto-update plugin before 3.2.1 for WordPress has CSRF. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2018-20971 | The church-admin plugin before 1.2550 for WordPress has CSRF affecting the upload of a bible reading plan. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2017-18547 | The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in experiment forms. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2017-18546 | The jayj-quicktag plugin before 1.3.2 for WordPress has CSRF. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2017-18545 | The invite-anyone plugin before 1.3.16 for WordPress has incorrect escaping of untrusted Dashboard and front-end input. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2017-18544 | The invite-anyone plugin before 1.3.16 for WordPress has admin-panel CSRF. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2017-18542 | The zendesk-help-center plugin before 1.0.5 for WordPress has multiple XSS issues. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2017-18541 | The xo-security plugin before 1.5.3 for WordPress has XSS. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2015-9322 | The erident-custom-login-and-dashboard plugin before 3.5 for WordPress has CSRF. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2019-9013 | An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3. | MEDIUM | Aug 30, 2019 | -- (VxWorks 7) |
| CVE-2019-15062 | An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application\'s own settings pages, this mechanism is bypassed.) | MEDIUM | Aug 28, 2019 | -- (VxWorks 7) |
| CVE-2019-14800 | The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplayer&fv-email-export=1 URI. | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2019-14790 | The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS via the wp-admin/admin-ajax.php?action=grsGalleryAjax&grsAction=shortcode task parameter, | MEDIUM | Aug 21, 2019 | -- (VxWorks 7) |
| CVE-2019-14789 | The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin/admin.php?page=c4p-main page parameter. | MEDIUM | Aug 20, 2019 | -- (VxWorks 7) |
| CVE-2019-14788 | wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value. | MEDIUM | Aug 22, 2019 | -- (VxWorks 7) |
| CVE-2019-14786 | The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users to reset the settings via the wp-admin/admin-post.php reset-cmb parameter. | MEDIUM | Aug 23, 2019 | -- (VxWorks 7) |
