CVE Details

Security vulnerability feeds by http://www.cvedetails.com

CVE-2019-1020018

29 July 2019, 12:00 am

Discourse before v2.4.0.beta2 lacks a confirmation screen when logging in via an email link. (CVSS:7.5) (Last Update:2019-08-01)

CVE-2019-1020006

29 July 2019, 12:00 am

invenio-app before 1.1.1 allows host header injection. (CVSS:5.8) (Last Update:2019-08-01)

CVE-2019-1020005

29 July 2019, 12:00 am

invenio-communities before 1.0.0a20 allows XSS. (CVSS:3.5) (Last Update:2019-08-01)

CVE-2019-1020008

29 July 2019, 12:00 am

stacktable.js before 1.0.4 allows XSS. (CVSS:4.3) (Last Update:2019-07-31)

CVE-2019-1020007

29 July 2019, 12:00 am

Dependency-Track before 3.5.1 allows XSS. (CVSS:3.5) (Last Update:2019-07-30)

CVE-2019-1020001

29 July 2019, 12:00 am

yard before 0.9.20 allows path traversal. (CVSS:5.0) (Last Update:2019-08-01)

CVE-2019-1020009

29 July 2019, 12:00 am

Fleet before 2.1.2 allows exposure of SMTP credentials. (CVSS:5.0) (Last Update:2019-07-31)

CVE-2019-1020012

29 July 2019, 12:00 am

parse-server before 3.4.1 allows DoS after any POST to a volatile class. (CVSS:5.0) (Last Update:2019-08-02)

CVE-2019-1020011

29 July 2019, 12:00 am

SmokeDetector intentionally does automatic deployments of updated copies of SmokeDetector without server operator authority. (CVSS:6.5) (Last Update:2019-08-05)

CVE-2019-1020014

29 July 2019, 12:00 am

docker-credential-helpers before 0.6.3 has a double free in the List functions. (CVSS:2.1) (Last Update:2019-08-19)

CVE-2019-1020013

29 July 2019, 12:00 am

parse-server before 3.6.0 allows account enumeration. (CVSS:5.0) (Last Update:2019-08-01)

CVE-2019-1020015

29 July 2019, 12:00 am

graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT. (CVSS:5.0) (Last Update:2019-08-05)

CVE-2019-1020016

29 July 2019, 12:00 am

ASH-AIO before 2.0.0.3 allows an open redirect. (CVSS:5.8) (Last Update:2019-08-01)

CVE-2019-1020017

29 July 2019, 12:00 am

Discourse before v2.4.0.beta2 lacks a confirmation screen when logging in via a user-api OTP. (CVSS:5.0) (Last Update:2019-08-01)

CVE-2019-1020003

29 July 2019, 12:00 am

invenio-records before 1.2.2 allows XSS. (CVSS:3.5) (Last Update:2019-08-01)

CVE-2019-1020010

29 July 2019, 12:00 am

Misskey before 10.102.4 allows hijacking a user’s token. (CVSS:4.3) (Last Update:2019-08-05)

CVE-2019-1020002

29 July 2019, 12:00 am

Pterodactyl before 0.7.14 with 2FA allows credential sniffing. (CVSS:5.0) (Last Update:2019-07-31)

CVE-2019-1020004

29 July 2019, 12:00 am

Tridactyl before 1.16.0 allows fake key events. (CVSS:5.0) (Last Update:2019-08-01)

CVE-2019-1020019

29 July 2019, 12:00 am

invenio-previewer before 1.0.0a12 allows XSS. (CVSS:4.3) (Last Update:2019-07-31)

CVE-2019-1010308

15 July 2019, 12:00 am

Aquaverde GmbH Aquarius CMS prior to version 4.1.1 is affected by: Incorrect Access Control. The impact is: The access to the log file is not restricted. It contains sensitive information like passwords etc. The component is: log file. The attack vector is: open the file. (CVSS:5.0) (Last Update:2019-07-22)

CVE-2019-1010309

12 July 2019, 12:00 am

pacman prior to version 5.1.3 is affected by: Directory Traversal. The impact is: arbitrary file placement potentially leading to arbitrary root code execution. The component is: installing a remote package via a specified URL "pacman -U". The problem was located in function curl_download_internal in lib/libalpm/dload.c line 535. The attack vector is: the victim must install a remote package via a specified URL from a malicious server (or a network MitM if downloading over HTTP). The fixed version is: 5.1.3 via commit 9702703633bec2c007730006de2aeec8587dfc84. (CVSS:0.0) (Last Update:2019-07-12)

CVE-2019-1010311

12 July 2019, 12:00 am

Tildeslash Monit Version 5.25.2 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Execute javascript in a victim's browser; disable all monitoring for a particular host or service. The component is: In function do_viewlog() on line 910 in Monit/src/http/cervlet.c, an attacker controlled log file is copied into an HTTP response without any HTML escaping. The attack vector is: An authenticated remote attacker can exploit the vulnerability over a network. The fixed version is: Version 5.25.3 and later. (CVSS:0.0) (Last Update:2019-07-12)

CVE-2019-1010310

12 July 2019, 12:00 am

GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description .. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1. (CVSS:3.5) (Last Update:2019-07-18)

CVE-2019-1010312

12 July 2019, 12:00 am

Tildeslash Monit Version 5.25.2 and earlier is affected by: Buffer Over-read. The impact is: Disclosure of memory contents in an HTTP response, and Denial of Service. The component is: In function Util_urlDecode() on lines 1553-1563 in Monit/src/util.c, a crafted POST parameter can cause the buffer index to increment to a value greater than the length of the buffer. The attack vector is: An authenticated remote attacker can exploit the vulnerability by sending a HTTP POST request that contains a maliciously crafted body parameter. The fixed version is: Version 5.25.3 and later. (CVSS:0.0) (Last Update:2019-07-12)

CVE-2019-1010314

11 July 2019, 12:00 am

Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim’s browser, when the vulnerable repo page is loaded. The component is: repository’s description. The attack vector is: victim must navigate to public and affected repo page. (CVSS:4.3) (Last Update:2019-07-12)

CVE-2019-1010315

11 July 2019, 12:00 am

WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc. (CVSS:4.3) (Last Update:2019-07-16)

CVE-2019-1010316

11 July 2019, 12:00 am

pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. The impact is: False locking impression when run in a non-X11 session. The fixed version is: 0.4. (CVSS:4.6) (Last Update:2019-07-14)

CVE-2019-1010317

11 July 2019, 12:00 am

WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b. (CVSS:4.3) (Last Update:2019-07-16)

CVE-2019-1010318

11 July 2019, 12:00 am

WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: WavpackSetConfiguration64 (pack_utils.c:198). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4. (CVSS:0.0) (Last Update:2019-07-11)

CVE-2019-1010319

11 July 2019, 12:00 am

WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseWave64HeaderConfig (wave64.c:211). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe. (CVSS:4.3) (Last Update:2019-07-16)