Upload
others
View
15
Download
0
Embed Size (px)
Citation preview
BULLETIN (SB19-280)
VULNERABILITY SUMMARY FOR THE WEEK OF
SEPTEMBER 30, 2019
Bulletin (SB19-280)
Vulnerability Summary for the Week of
September 30, 2019
Cybernetic GI Security Bulletin provides a summary of new vulnerabilities that have been recorded by the
National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past
week. The Department of Homeland Security (DHS) National Cybersecurity and Communications
Integration Center (NCCIC) / United States Computer Emergency Readiness Team, is sponsored by The NVD.
For modified or updated entries, please visit the NVD, which contains historical vulnerability information .
The vulnerabilities are based on the CVE vulnerability naming standard and determined by the Common
Vulnerability Scoring System (CVSS) standard. They are organized according to severity, by the division of
high, medium and low severities correspond to the following scores :
High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 .
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9 .
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9 .
Entries may include additional information provided by organizations and efforts sponsored by Cybernetic
GI. This data may include identifying information, values, definitions, and related links. The patch
information is provided to users when available. Please note that some of the information in the bulletin is
compiled from external, open source reports and is not a direct result of Cybernetic GI analysis .
The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute
of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the
vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated
vulnerability entries, which include CVSS scores once they are available .
High Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
adobe -- coldfusion
ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Command Injection via Vulnerable component vulnerability. Successful exploitation could lead to Arbitrary code execution in the context of the current user.
2019-09-27
10.0
CVE-2019-8073 CONFIRM
adobe -- coldfusion
ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Path Traversal vulnerability. Successful exploitation could lead to Access Control Bypass in the context of the current user.
2019-09-27
10.0
CVE-2019-8074 CONFIRM
corsair -- link
The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecure permissions by default. This allows unprivileged users to take control of the service and execute commands in the context of NT AUTHORITY\SYSTEM, leading to total system takeover, a similar issue to CVE-2018-12441.
2019-09-27
7.2
CVE-2018-19592 MISC MISC
dlink -- dhp-1565_firmware
Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise.
2019-09-27
10.0
CVE-2019-16920 MISC
exim -- exim
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
2019-09-27
7.5
CVE-2019-16928 FEDORA FEDORA BUGTRAQ UBUNTU DEBIAN
google -- android
In the Bluetooth stack, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113575306
2019-09-27
7.2
CVE-2019-9259 MISC
google -- android
In sensorservice, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-119501435
2019-09-27
7.2
CVE-2019-9266 MISC
google -- android
In libAACdec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112663384
2019-09-27
7.5
CVE-2019-9301 MISC
High Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android
In libstagefright, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-128431761
2019-09-27
7.1
CVE-2019-9348 MISC
google -- android
In libstagefright, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-124330204
2019-09-27
7.1
CVE-2019-9349 MISC
google -- android
In Bluetooth, there is a possible deserialization error due to missing string validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-109838537
2019-09-27
7.5
CVE-2019-9365 MISC
google -- android
In libvpx, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-132783254
2019-09-27
7.1
CVE-2019-9371 MISC
google -- android
In libskia, there is a possible crash due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-132782448
2019-09-27
7.1
CVE-2019-9372 MISC
google -- android
In libstagefright, there is a possible resource exhaustion due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-124329638
2019-09-27
7.1
CVE-2019-9379 MISC
google -- android
In LockPatternUtils, there is a possible escalation of privilege due to an improper permissions check. This could lead to local bypass of the Lockguard with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120568007
2019-09-27
7.2
CVE-2019-9384 MISC
google -- android
In libstagefright, there is a possible resource exhaustion due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111450210
2019-09-27
7.1
CVE-2019-9418 MISC
High Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android
In libttspico, there is a possible OOB write due to a heap buffer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-79593569
2019-09-27
7.5
CVE-2019-9459 MISC
govicture -- pc530_firmware
Victure PC530 devices allow unauthenticated TELNET access as root.
2019-10-01
10.0
CVE-2019-15940 MISC MISC
idcos -- cloudboot
CloudBoot through 2019-03-08 allows SQL Injection via a crafted Status field in JSON data to the api/osinstall/v1/device/getNumByStatus URI.
2019-09-30
7.5
CVE-2019-16999 MISC
ilch -- ilch_cms
Ilch 2.1.22 allows remote code execution because php is listed under "Allowed files" on the index.php/admin/media/settings/index page.
2019-09-30
9.0
CVE-2019-17046 MISC
jetbrains -- ktor
JetBrains Ktor framework before 1.2.0-rc does not sanitize the username provided by the user for the LDAP protocol, leading to command injection.
2019-10-02
7.5
CVE-2019-12736 CONFIRM
jetbrains -- teamcity
An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Project administrator could execute any command on the server machine. The issue was fixed in TeamCity 2018.2.5 and 2019.1.
2019-10-02
9.0
CVE-2019-15036 CONFIRM
linux -- linux_kernel
In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.
2019-09-30
7.8
CVE-2019-16994 MISC MISC
linux -- linux_kernel
In the Linux kernel before 5.0.3, a memory leak exits in hsr_dev_finalize() in net/hsr/hsr_device.c if hsr_add_port fails to add a port, which may cause denial of service, aka CID-6caabe7f197d.
2019-09-30
7.8
CVE-2019-16995 MISC MISC MISC
mozilla -- firefox
Mozilla developers and community members reported memory safety bugs present in Firefox 68. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69.
2019-09-27
7.5
CVE-2019-11734 MISC CONFIRM
mozilla -- firefox
Mozilla developers and community members reported memory safety bugs present in Firefox 68 and Firefox ESR 68. Some of these bugs showed evidence of memory corruption and we
2019-09-27
7.5
CVE-2019-11735 SUSE
High Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
SUSE MISC CONFIRM CONFIRM
mozilla -- firefox
Mozilla developers and community members reported memory safety bugs present in Firefox 68, Firefox ESR 68, and Firefox 60.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
2019-09-27
7.5
CVE-2019-11740 SUSE SUSE SUSE SUSE MISC CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM
mozilla -- firefox
It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This results in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
2019-09-27
9.3
CVE-2019-11752 SUSE SUSE SUSE SUSE MISC CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM
plataformatec -- simple_form
Plataformatec Simple Form has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call.
2019-09-30
7.5
CVE-2019-16676 CONFIRM MISC MISC
qualcomm -- ipq4019_firmware
Improper validation of read and write index of tx and rx fifo`s before using for data copy from fifo can lead to out-of-bound access. in Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ8064, IPQ8074, QCS405, SD 665, SD 675, SD 730, SD 855
2019-09-30
7.2
CVE-2019-10499 CONFIRM
qualcomm -- ipq8074_firmware
Possible buffer overflow issue due to lack of length check when parsing the extended cap IE header length in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD
2019-09-30
10.0
CVE-2019-10539 CONFIRM
High Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130
qualcomm -- ipq8074_firmware
Buffer overflow in WLAN NAN function due to lack of check of count value received in NAN availability attribute in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SXR1130
2019-09-30
10.0
CVE-2019-10540 CONFIRM
qualcomm -- mdm9205_firmware
Usage of hard-coded magic number for calculating heap guard bytes can allow users to corrupt heap blocks without heap algorithm knowledge in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9655, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130
2019-09-30
10.0
CVE-2019-2294 CONFIRM
qualcomm -- mdm9206_firmware
Possible null-pointer dereference can occur while parsing avi clip during copy in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20
2019-09-30
7.8
CVE-2019-10489 CONFIRM
qualcomm -- mdm9607_firmware
Boot image not getting verified by AVB in Snapdragon Auto, Snapdragon Mobile, Snapdragon Wearables in MDM9607, MSM8909W, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 820, SD 820A, SDM439
2019-09-30
7.2
CVE-2019-10492 CONFIRM
High Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
qualcomm -- mdm9650_firmware
Classic buffer overflow vulnerability while playing the specific video whose Decode picture buffer size is more than 16 in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130
2019-09-30
10.0
CVE-2019-2252 CONFIRM
qualcomm -- msm8909w_firmware
Device record of the pairing device used after free during ACL disconnection in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016
2019-09-30
10.0
CVE-2019-10509 CONFIRM
qualcomm -- msm8909w_firmware
Lack of check of address range received from firmware response allows modem to respond arbitrary pages into its address range which can compromise HLOS in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM660, SDX20, SDX24
2019-09-30
10.0
CVE-2019-10538 CONFIRM
qualcomm -- qcs405_firmware
BT process died and BT toggled due to null pointer dereference when invalid vendor pass through command sent from remote in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Mobile, Snapdragon Voice & Music in QCS405, QCS605, SD 636, SD 675, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660
2019-09-30
8.5
CVE-2019-10510 CONFIRM
rsyslog -- rsyslog
contrib/pmdb2diag/pmdb2diag.c in Rsyslog v8.1908.0 allows out-of-bounds access because the level length is mishandled.
2019-09-30
7.5
CVE-2019-17040 MISC
salesagility -- suitecrm
SuiteCRM 7.11.x and 7.10.x before 7.11.8 and 7.10.20 is vulnerable to vertical privilege escalation.
2019-10-02
7.5
CVE-2019-14454 CONFIRM CONFIRM
High Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
tcpdump -- tcpdump
The FRF.16 parser in tcpdump before 4.9.3 has a buffer over-read in print-fr.c:mfr_print().
2019-10-03
7.5
CVE-2018-14468 MISC CONFIRM
tcpdump -- tcpdump
The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file().
2019-10-03
7.5
CVE-2018-14879 MISC CONFIRM
tcpdump -- tcpdump
The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in print-ospf6.c:ospf6_print_lshdr().
2019-10-03
7.5
CVE-2018-14880 MISC CONFIRM
tcpdump -- tcpdump
The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_capabilities_print() (BGP_CAPCODE_RESTART).
2019-10-03
7.5
CVE-2018-14881 MISC CONFIRM
tcpdump -- tcpdump
The ICMPv6 parser in tcpdump before 4.9.3 has a buffer over-read in print-icmp6.c.
2019-10-03
7.5
CVE-2018-14882 MISC CONFIRM
tcpdump -- tcpdump
The IEEE 802.11 parser in tcpdump before 4.9.3 has a buffer over-read in print-802_11.c for the Mesh Flags subfield.
2019-10-03
7.5
CVE-2018-16227 MISC CONFIRM
tcpdump -- tcpdump
The HNCP parser in tcpdump before 4.9.3 has a buffer over-read in print-hncp.c:print_prefix().
2019-10-03
7.5
CVE-2018-16228 MISC CONFIRM
tcpdump -- tcpdump
The DCCP parser in tcpdump before 4.9.3 has a buffer over-read in print-dccp.c:dccp_print_option().
2019-10-03
7.5
CVE-2018-16229 MISC CONFIRM
tcpdump -- tcpdump
The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_attr_print() (MP_REACH_NLRI).
2019-10-03
7.5
CVE-2018-16230 MISC CONFIRM
tcpdump -- tcpdump
The SMB parser in tcpdump before 4.9.3 has buffer over-reads in print-smb.c:print_trans() for \MAILSLOT\BROWSE and \PIPE\LANMAN.
2019-10-03
7.5
CVE-2018-16451
High Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
MISC CONFIRM
tcpdump -- tcpdump
lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4.9.3 lacks certain bounds checks.
2019-10-03
7.5
CVE-2019-15166 MISC CONFIRM
umbraco -- umbraco
In Umbraco 7.3.8, there is SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName parameter.
2019-10-02
7.5
CVE-2019-13957 MISC MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
adobe -- coldfusion ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Security bypass vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
2019-09-27 5.0 CVE-2019-8072 CONFIRM
adobe -- flash_player Adobe Flash Player version 32.0.0.192 and earlier versions have a Same Origin Policy Bypass vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
2019-09-27 5.0 CVE-2019-8075 CONFIRM
dell -- emc_integrated_data_protection_appliance_firmware
Dell EMC Integrated Data Protection Appliance versions prior to 2.3 contain a password storage vulnerability in the ACM component. A remote authenticated malicious user with root privileges may potentially use a support tool to decrypt encrypted passwords stored locally on the system to use it to access other components using the privileges of the compromised user.
2019-09-27 4.0 CVE-2019-3736 CONFIRM
dell -- emc_integrated_data_protection_appliance_firmware
Dell EMC Integrated Data Protection Appliance versions prior to 2.3 do not limit the number of authentication attempts to the ACM API. An authenticated remote user may exploit this vulnerability to launch a brute-force authentication attack in order to gain access to the system.
2019-09-27 6.5 CVE-2019-3746 CONFIRM
ebrigade -- ebrigade eBrigade before 5.0 has evenement_ical.php evenement SQL Injection.
2019-09-30 6.5 CVE-2019-16743 MISC MISC
ebrigade -- ebrigade eBrigade before 5.0 has evenements.php cid SQL Injection. 2019-09-30 6.5 CVE-2019-16744 MISC MISC
ebrigade -- ebrigade eBrigade before 5.0 has evenement_choice.php chxCal SQL Injection.
2019-09-30 6.5 CVE-2019-16745 MISC MISC
emlog -- emlog emlog through 6.0.0beta allows remote authenticated users to delete arbitrary files via admin/template.php?action=del&tpl=../ directory traversal.
2019-10-01 5.5 CVE-2019-17073 MISC
esafenet -- cdg CDG through 2017-01-01 allows downloadDocument.jsp?command=download&pathAndName= directory traversal.
2019-09-30 5.0 CVE-2017-18636 MISC
evernote -- evernote Evernote before 7.13 GA on macOS allows code execution because the com.apple.quarantine attribute is not used for
2019-09-30 6.8 CVE-2019-17051
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
attachment files, as demonstrated by a one-click attack involving a drag-and-drop operation on a crafted Terminal file.
MISC MISC
flower_project -- flower Flower 0.9.3 has XSS via the name parameter in an @app.task call.
2019-09-27 4.3 CVE-2019-16925 MISC
flower_project -- flower Flower 0.9.3 has XSS via a crafted worker name. 2019-09-27 4.3 CVE-2019-16926 MISC
foxitsoftware -- foxit_reader
Foxit Reader 9.6.0.25114 and earlier has two unique RecursiveCall bugs involving 3 functions exhausting available stack memory because of Uncontrolled Recursion in the V8 JavaScript engine (issue 1 of 2).
2019-09-30 5.0 CVE-2019-13123 CONFIRM
foxitsoftware -- foxit_reader
Foxit Reader 9.6.0.25114 and earlier has two unique RecursiveCall bugs involving 3 functions exhausting available stack memory because of Uncontrolled Recursion in the V8 JavaScript engine (issue 2 of 2).
2019-09-30 5.0 CVE-2019-13124 CONFIRM
gfi -- kerio_control A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI.
2019-09-30 4.3 CVE-2019-16414 MISC MISC MISC MISC
glyphandcog -- xpdf Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the TextPage::findGaps function in TextOutputDev.cc, a different vulnerability than CVE-2019-9877.
2019-09-27 4.3 CVE-2019-16927 MISC
golang -- go Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
2019-09-30 5.0 CVE-2019-16276 CONFIRM MISC
google -- android In Platform, there is a possible bypass of user interaction requirements due to missing permission checks. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-73884967
2019-09-27 4.6 CVE-2018-9425 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113164693
2019-09-27 6.8 CVE-2019-2055 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118386824
2019-09-27 6.8 CVE-2019-2059 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112709994
2019-09-27 4.3 CVE-2019-2060 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112610994
2019-09-27 6.8 CVE-2019-2061 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117660045
2019-09-27 6.8 CVE-2019-2062 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in the media server with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116019594
2019-09-27 6.8 CVE-2019-2063 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116469592
2019-09-27 6.8 CVE-2019-2064 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118143575
2019-09-27 6.8 CVE-2019-2065 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117100617
2019-09-27 6.8 CVE-2019-2066 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116114402
2019-09-27 6.8 CVE-2019-2067 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117099943
2019-09-27 6.8 CVE-2019-2068 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117832864
2019-09-27 6.8 CVE-2019-2069 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117883804
2019-09-27 6.8 CVE-2019-2070 MISC
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117216549
2019-09-27 6.8 CVE-2019-2071 MISC
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116117112
2019-09-27 6.8 CVE-2019-2072 MISC
google -- android In libxaac there is a possible out of bounds write to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117100484
2019-09-27 6.8 CVE-2019-2073 MISC
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116617847
2019-09-27 6.8 CVE-2019-2074 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115908308
2019-09-27 6.8 CVE-2019-2075 MISC
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115907334
2019-09-27 6.8 CVE-2019-2076 MISC
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-114745929
2019-09-27 6.8 CVE-2019-2077 MISC
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-114749542
2019-09-27 6.8 CVE-2019-2078 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115509210
2019-09-27 4.3 CVE-2019-2079 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118619159
2019-09-27 6.8 CVE-2019-2080 MISC
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116473261
2019-09-27 6.8 CVE-2019-2081 MISC
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117495103
2019-09-27 6.8 CVE-2019-2082 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117495362
2019-09-27 6.8 CVE-2019-2083 MISC
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117494734
2019-09-27 6.8 CVE-2019-2084 MISC
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117496180
2019-09-27 6.8 CVE-2019-2085 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-114735603
2019-09-27 6.8 CVE-2019-2086 MISC
google -- android In libxaac, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118149009
2019-09-27 6.8 CVE-2019-2087 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118494320
2019-09-27 4.3 CVE-2019-2138 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117610049
2019-09-27 4.3 CVE-2019-2139 MISC
google -- android In libxaac, there is a possible information disclosure due to uninitialized data. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112705708
2019-09-27 4.3 CVE-2019-2140 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112705155
2019-09-27 6.8 CVE-2019-2141 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112768568
2019-09-27 4.3 CVE-2019-2142 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-114746174
2019-09-27 4.3 CVE-2019-2143 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112856493
2019-09-27 4.3 CVE-2019-2144 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112858430
2019-09-27 4.3 CVE-2019-2145 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112859714
2019-09-27 4.3 CVE-2019-2146 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116474108
2019-09-27 4.3 CVE-2019-2147 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113508105
2019-09-27 4.3 CVE-2019-2148 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113262406
2019-09-27 4.3 CVE-2019-2149 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117935831
2019-09-27 4.3 CVE-2019-2150 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117495174
2019-09-27 4.3 CVE-2019-2151 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118145923
2019-09-27 4.3 CVE-2019-2152 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112611181
2019-09-27 4.3 CVE-2019-2153 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117610057
2019-09-27 4.3 CVE-2019-2154 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117655547
2019-09-27 4.3 CVE-2019-2155 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112552816
2019-09-27 4.3 CVE-2019-2156 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112611363
2019-09-27 4.3 CVE-2019-2157 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118766492
2019-09-27 4.3 CVE-2019-2158 MISC
google -- android In libxaac there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112707186
2019-09-27 6.8 CVE-2019-2159 MISC
google -- android In libxaac there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112715795
2019-09-27 4.3 CVE-2019-2160 MISC
google -- android In libxaac there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112553431
2019-09-27 4.3 CVE-2019-2161 MISC
google -- android In libxaac there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112713720
2019-09-27 4.3 CVE-2019-2162 MISC
google -- android In libxaac there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118138797
2019-09-27 4.3 CVE-2019-2163 MISC
google -- android In libxaac there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113263695
2019-09-27 4.3 CVE-2019-2164 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libxaac there is a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112712154
2019-09-27 4.3 CVE-2019-2165 MISC
google -- android In libxaac there is a possible information disclosure due to uninitialized data. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117661478
2019-09-27 4.3 CVE-2019-2166 MISC
google -- android In libxaac there is a possible information disclosure due to uninitialized data. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118615501
2019-09-27 4.3 CVE-2019-2167 MISC
google -- android In libxaac there is a possible information disclosure due to uninitialized data. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118492594
2019-09-27 4.3 CVE-2019-2168 MISC
google -- android In libxaac there is a possible information disclosure due to uninitialized data. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118492282
2019-09-27 4.3 CVE-2019-2169 MISC
google -- android In libxaac there is a possible information disclosure due to uninitialized data. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118615735
2019-09-27 4.3 CVE-2019-2170 MISC
google -- android In libxaac there is a possible information disclosure due to uninitialized data. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113035224
2019-09-27 4.3 CVE-2019-2172 MISC
google -- android In the Easel driver, there is possible memory corruption due to race conditions. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-112309571
2019-09-27 6.9 CVE-2019-2188 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In the Easel driver, there is possible memory corruption due to race conditions. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-112312381
2019-09-27 6.9 CVE-2019-2189 MISC
google -- android In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-122675483
2019-09-27 5.0 CVE-2019-9232 MISC
google -- android In wpa_supplicant_8, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-122529021
2019-09-27 5.0 CVE-2019-9233 MISC
google -- android In wpa_supplicant_8, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-122465453
2019-09-27 5.0 CVE-2019-9234 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-121325979
2019-09-27 4.3 CVE-2019-9237 MISC
google -- android In the NFC stack, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-121267042
2019-09-27 6.9 CVE-2019-9238 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-121036603
2019-09-27 5.0 CVE-2019-9241 MISC
google -- android In AAC Codec, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120426166
2019-09-27 4.3 CVE-2019-9247 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120276962
2019-09-27 5.0 CVE-2019-9250 MISC
google -- android In libavc there is a possible out of bounds read due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-73339042
2019-09-27 4.3 CVE-2019-9252 MISC
google -- android In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-109769728
2019-09-27 4.9 CVE-2019-9253 MISC
google -- android In libmediaextractor there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111921829
2019-09-27 6.8 CVE-2019-9256 MISC
google -- android In Bluetooth, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113572342
2019-09-27 4.6 CVE-2019-9257 MISC
google -- android In wifilogd, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113655028
2019-09-27 4.6 CVE-2019-9258 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113495295
2019-09-27 5.0 CVE-2019-9260 MISC
google -- android In libxaac there is a possible out of bounds read due to missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116774214
2019-09-27 4.3 CVE-2019-9261 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In MPEG4Extractor, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution in the media extractor with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111792351
2019-09-27 6.8 CVE-2019-9262 MISC
google -- android In libxaac there is a possible out of bounds read due to missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116774502
2019-09-27 4.3 CVE-2019-9264 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-37994606
2019-09-27 5.0 CVE-2019-9265 MISC
google -- android In System Settings, there is a possible permissions bypass due to a cached Linux user ID. This could lead to a local permissions bypass with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-36899497
2019-09-27 4.4 CVE-2019-9269 MISC
google -- android In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774
2019-09-27 6.8 CVE-2019-9278 MISC
google -- android In the wifi hotspot service, there is a possible denial of service due to a null pointer dereference. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-110476382
2019-09-27 5.0 CVE-2019-9279 MISC
google -- android In GoogleContactsSyncAdapter, there is a possible path traversal due to improper input sanitization. This could lead to a bypass of user interaction requirements with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-32748076
2019-09-27 5.0 CVE-2019-9281 MISC
google -- android In skia, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113211371
2019-09-27 4.3 CVE-2019-9282 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In AAC Codec, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112663564
2019-09-27 4.3 CVE-2019-9283 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure, with no additional privileges required. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111850706
2019-09-27 5.0 CVE-2019-9284 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111215315
2019-09-27 5.0 CVE-2019-9285 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111213909
2019-09-27 5.0 CVE-2019-9286 MISC
google -- android In libhidcommand_jni, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege in the USB service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111363077
2019-09-27 4.6 CVE-2019-9288 MISC
google -- android In tzdata there is possible memory corruption due to a mismatch between allocation and deallocation functions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113039724
2019-09-27 4.6 CVE-2019-9290 MISC
google -- android In Bluetooth, there is a possible remote code execution due to an improper memory allocation. This could lead to remote code execution in Bluetooth with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112159179
2019-09-27 6.8 CVE-2019-9291 MISC
google -- android In libstagefright, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117661116
2019-09-27 4.3 CVE-2019-9293 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libstagefright, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111764444
2019-09-27 4.3 CVE-2019-9294 MISC
google -- android In com.android.apps.tag, there is a possible bypass of user interaction requirements due to a missing permission check. This could lead to a to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-36885811
2019-09-27 4.6 CVE-2019-9295 MISC
google -- android In libAACdec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112890242
2019-09-27 6.8 CVE-2019-9297 MISC
google -- android In libAACdec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112892194
2019-09-27 6.8 CVE-2019-9298 MISC
google -- android In libAACdec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112663886
2019-09-27 6.8 CVE-2019-9299 MISC
google -- android In libAACdec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112661610
2019-09-27 6.8 CVE-2019-9300 MISC
google -- android In libAACdec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112661356
2019-09-27 6.8 CVE-2019-9302 MISC
google -- android In libFDK, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112661057
2019-09-27 6.8 CVE-2019-9303 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libMpegTPDec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112662270
2019-09-27 6.8 CVE-2019-9304 MISC
google -- android In libAACdec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112661835
2019-09-27 6.8 CVE-2019-9305 MISC
google -- android In libMpegTPDec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112661348
2019-09-27 6.8 CVE-2019-9306 MISC
google -- android In libAACdec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112661893
2019-09-27 6.8 CVE-2019-9307 MISC
google -- android In libAACdec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112661742
2019-09-27 6.8 CVE-2019-9308 MISC
google -- android In NFC, there is a possible out of bounds write due to a missing bounds check. This could lead to a to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117985575
2019-09-27 4.4 CVE-2019-9309 MISC
google -- android In libFDK, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112891546
2019-09-27 6.8 CVE-2019-9310 MISC
google -- android In Bluetooth, there is a possible crash due to an integer overflow. This could lead to remote denial of service on incoming calls with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-79431031
2019-09-27 5.0 CVE-2019-9311 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libstagefright, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112005441
2019-09-27 4.3 CVE-2019-9313 MISC
google -- android In libavc, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112329563
2019-09-27 4.3 CVE-2019-9314 MISC
google -- android In libhevc, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112326216
2019-09-27 4.3 CVE-2019-9315 MISC
google -- android In libstagefright, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112052432
2019-09-27 4.3 CVE-2019-9316 MISC
google -- android In libstagefright, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112052258
2019-09-27 4.3 CVE-2019-9317 MISC
google -- android In libhevc, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111764725
2019-09-27 4.3 CVE-2019-9318 MISC
google -- android In libavc, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111762100
2019-09-27 4.3 CVE-2019-9319 MISC
google -- android In libavc, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111761624
2019-09-27 4.3 CVE-2019-9320 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libavc, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111208713
2019-09-27 4.3 CVE-2019-9321 MISC
google -- android In libavc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111128067
2019-09-27 4.3 CVE-2019-9322 MISC
google -- android In the Wallpaper Manager service, there is a possible information disclosure due to a missing permission check. Any application can access wallpaper image with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-30770233
2019-09-27 5.0 CVE-2019-9323 MISC
google -- android In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112001302
2019-09-27 4.3 CVE-2019-9325 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111215173
2019-09-27 5.0 CVE-2019-9326 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112050583
2019-09-27 5.0 CVE-2019-9327 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure, with no additional privileges required. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111895000
2019-09-27 5.0 CVE-2019-9328 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to uninitialized data. This could lead to remote information disclosure, with no additional privileges required. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112917952
2019-09-27 5.0 CVE-2019-9329 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111214739
2019-09-27 5.0 CVE-2019-9330 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112272279
2019-09-27 5.0 CVE-2019-9331 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-78286500
2019-09-27 5.0 CVE-2019-9332 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-109753657
2019-09-27 5.0 CVE-2019-9333 MISC
google -- android In libhevc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112859934
2019-09-27 4.3 CVE-2019-9334 MISC
google -- android In libavc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112328051
2019-09-27 4.3 CVE-2019-9335 MISC
google -- android In libavc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112326322
2019-09-27 4.3 CVE-2019-9336 MISC
google -- android In libavc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112204376
2019-09-27 4.3 CVE-2019-9337 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libavc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111762686
2019-09-27 4.3 CVE-2019-9338 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111214770
2019-09-27 5.0 CVE-2019-9341 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111214470
2019-09-27 5.0 CVE-2019-9342 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112050983
2019-09-27 5.0 CVE-2019-9343 MISC
google -- android In libstagefright, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-128433933
2019-09-27 6.8 CVE-2019-9346 MISC
google -- android In Keymaster, there is a possible EoP due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-129562815
2019-09-27 4.6 CVE-2019-9350 MISC
google -- android In libstagefright, there is a possible resource exhaustion due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-124253062
2019-09-27 4.3 CVE-2019-9352 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-123024201
2019-09-27 4.3 CVE-2019-9353 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In NFC server, there's a possible out of bounds read due to a missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-118148142
2019-09-27 4.3 CVE-2019-9354 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115903122
2019-09-27 5.0 CVE-2019-9355 MISC
google -- android In libAACdec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112662995
2019-09-27 6.8 CVE-2019-9357 MISC
google -- android In NFC, there is a possible out of bounds write due to a missing bounds check. This could lead to a to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120156401
2019-09-27 4.4 CVE-2019-9358 MISC
google -- android In libavc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111407302
2019-09-27 4.3 CVE-2019-9359 MISC
google -- android In the TEE, there's a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120610663
2019-09-27 4.9 CVE-2019-9360 MISC
google -- android In libavc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111762807
2019-09-27 4.3 CVE-2019-9361 MISC
google -- android In libSACdec, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120426980
2019-09-27 4.3 CVE-2019-9362 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In Bluetooth, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-123584306
2019-09-27 6.8 CVE-2019-9363 MISC
google -- android In libSBRdec there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112052062
2019-09-27 4.3 CVE-2019-9366 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112106425
2019-09-27 5.0 CVE-2019-9367 MISC
google -- android In sonivox, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-133880046
2019-09-27 4.3 CVE-2019-9370 MISC
google -- android In CompanionDeviceManager, there is a possible bypass of user interaction requirements due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-129476618
2019-09-27 4.6 CVE-2019-9374 MISC
google -- android In hostapd, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-129344244
2019-09-27 6.9 CVE-2019-9375 MISC
google -- android In the Accounts package, there is a possible crash due to improper input validation. This could lead to permanent local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-129287265
2019-09-27 4.9 CVE-2019-9376 MISC
google -- android In the Activity Manager service, there is a possible permission bypass due to incorrect permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-124539196
2019-09-27 4.6 CVE-2019-9378 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In the settings UI, there is a possible spoofing vulnerability due to a missing permission check. This could lead to a user mistakenly changing permission settings with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-123700098
2019-09-27 4.3 CVE-2019-9380 MISC
google -- android In netd, there is a possible out of bounds read due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-122677612
2019-09-27 5.0 CVE-2019-9381 MISC
google -- android In libeffects, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120874654
2019-09-27 6.8 CVE-2019-9382 MISC
google -- android In libxaac, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120452956
2019-09-27 4.3 CVE-2019-9385 MISC
google -- android In NFC server, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege in the system server with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-122361874
2019-09-27 6.9 CVE-2019-9386 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117569833
2019-09-27 5.0 CVE-2019-9387 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure in the Bluetooth service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117567437
2019-09-27 5.0 CVE-2019-9388 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117567058
2019-09-27 5.0 CVE-2019-9389 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-117551475
2019-09-27 5.0 CVE-2019-9390 MISC
google -- android In libxaac, there is a possible out of bounds read due to uninitialized data. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111050781
2019-09-27 4.3 CVE-2019-9391 MISC
google -- android In Bluetooth, there is possible controlled termination due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116357965
2019-09-27 5.0 CVE-2019-9393 MISC
google -- android In Bluetooth, there is possible controlled termination due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116351796
2019-09-27 5.0 CVE-2019-9394 MISC
google -- android In Bluetooth, there is possible controlled termination due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-116267405
2019-09-27 5.0 CVE-2019-9395 MISC
google -- android In Bluetooth, there is possible controlled termination due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115747155
2019-09-27 5.0 CVE-2019-9396 MISC
google -- android In Bluetooth, there is possible controlled termination due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115747410
2019-09-27 5.0 CVE-2019-9397 MISC
google -- android In Bluetooth, there is possible controlled termination due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115745406
2019-09-27 5.0 CVE-2019-9398 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android The Print Service is susceptible to man in the middle attacks due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115635664
2019-09-27 4.3 CVE-2019-9399 MISC
google -- android In Bluetooth, there is a possible null pointer dereference due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115509589
2019-09-27 5.0 CVE-2019-9400 MISC
google -- android In Bluetooth, there is possible controlled termination due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115375248
2019-09-27 5.0 CVE-2019-9401 MISC
google -- android In Bluetooth, there is possible controlled termination due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115372550
2019-09-27 5.0 CVE-2019-9402 MISC
google -- android In cn-cbor, there is a possible out of bounds read due to improper casting. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113512324
2019-09-27 4.3 CVE-2019-9403 MISC
google -- android In Bluetooth, there is possible controlled termination due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112923309
2019-09-27 5.0 CVE-2019-9404 MISC
google -- android In libAACdec, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112890225
2019-09-27 6.8 CVE-2019-9405 MISC
google -- android In libhevc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112552517
2019-09-27 4.3 CVE-2019-9406 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In notification management of the service manager, there is a possible permissions bypass. This could lead to local escalation of privilege by preventing user notification, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112434609
2019-09-27 4.6 CVE-2019-9407 MISC
google -- android In libavc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112380157
2019-09-27 4.3 CVE-2019-9408 MISC
google -- android In libhevc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112272091
2019-09-27 4.3 CVE-2019-9409 MISC
google -- android In libavc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112204443
2019-09-27 4.3 CVE-2019-9410 MISC
google -- android In libavc there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112204845
2019-09-27 4.3 CVE-2019-9411 MISC
google -- android In libSBRdec there is a possible out of bounds read due to incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112006096
2019-09-27 4.3 CVE-2019-9412 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111935831
2019-09-27 5.0 CVE-2019-9413 MISC
google -- android In wpa_supplicant, there is a possible man in the middle vulnerability due to improper input validation of the basicConstraints field of intermediary certificates. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111893041
2019-09-27 4.3 CVE-2019-9414 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In libstagefright there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111805098
2019-09-27 4.3 CVE-2019-9415 MISC
google -- android In libstagefright there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111804142
2019-09-27 4.3 CVE-2019-9416 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111407544
2019-09-27 5.0 CVE-2019-9419 MISC
google -- android In libhevc, there is a possible out of bounds read due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111272481
2019-09-27 4.3 CVE-2019-9420 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111214766
2019-09-27 5.0 CVE-2019-9422 MISC
google -- android In opencv calls that use libpng, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges required. User interaction is not required for exploitation. Product: AndroidVersions: Android-10Android ID: A-110986616
2019-09-27 4.6 CVE-2019-9423 MISC
google -- android In the Screen Lock, there is a possible information disclosure due to an unusual root cause. In certain circumstances, the setting to hide the unlock pattern can be ignored. Product: AndroidVersions: Android-10Android ID: A-110941092
2019-09-27 4.3 CVE-2019-9424 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-110846194
2019-09-27 5.0 CVE-2019-9425 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In the Framework, it is possible to set up BROWSEABLE intents to take over certain URLs. This could lead to remote information disclosure of sensitive URLs with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-110150807
2019-09-27 4.3 CVE-2019-9428 MISC
google -- android In profman, there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-110035108
2019-09-27 4.6 CVE-2019-9429 MISC
google -- android In Bluetooth, there is a possible null pointer dereference due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-109838296
2019-09-27 5.0 CVE-2019-9430 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a use after free. This could lead to remote information disclosure with heap information written to the log with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-109755179
2019-09-27 4.0 CVE-2019-9431 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to improper input validation. This could lead to remote information disclosure in the Bluetooth server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-80546108
2019-09-27 5.0 CVE-2019-9432 MISC
google -- android In libvpx, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-80479354
2019-09-27 4.3 CVE-2019-9433 MISC
google -- android In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with heap information written to the log with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-80432895
2019-09-27 4.0 CVE-2019-9434 MISC
google -- android In mediaserver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-62535446
2019-09-27 4.6 CVE-2019-9460 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
google -- android In Bluetooth, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-91544774
2019-09-27 5.0 CVE-2019-9462 MISC
google -- android In Platform, there is a possible bypass of user interaction requirements due to background app interception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113584607
2019-09-27 4.4 CVE-2019-9463 MISC
ibm -- daeja_viewone IBM Daeja ViewONE Virtual 5.0 through 5.0.6 could expose internal parameters to ViewONE clients that could be used in further attacks against the system. IBM X-Force ID: 159521.
2019-10-01 5.0 CVE-2019-4246 XF CONFIRM
ibm -- security_directory_server
IBM Security Directory Server 6.4.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 165178.
2019-10-02 5.0 CVE-2019-4520 XF CONFIRM
ibm -- security_directory_server
IBM Security Directory Server 6.4.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 165660.
2019-10-02 5.8 CVE-2019-4538 XF CONFIRM
ibm -- security_directory_server
IBM Security Directory Server 6.4.0 does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. IBM X-Force ID: 165812.
2019-10-02 5.5 CVE-2019-4539 XF CONFIRM
ibm -- security_directory_server
IBM Security Directory Server 6.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 165815.
2019-10-02 4.3 CVE-2019-4542 XF CONFIRM
ibm -- security_directory_server
IBM Security Directory Server 6.4.0 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 165951.
2019-10-02 5.0 CVE-2019-4549 XF CONFIRM
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
ibm -- security_guardium IBM Security Guardium 9.0, 9.5, and 10.6 are vulnerable to a privilege escalation which could allow an authenticated user to change the accessmgr password. IBM X-Force ID: 162768.
2019-10-03 6.5 CVE-2019-4422 XF CONFIRM
ibm -- sterling_file_gateway
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 displays sensitive information in HTTP requests which could be used in further attacks against the system. IBM X-Force ID: 160503.
2019-09-30 5.0 CVE-2019-4280 XF CONFIRM
ibm -- sterling_file_gateway
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 162769.
2019-09-30 5.0 CVE-2019-4423 XF CONFIRM
ibm -- websphere_application_server
IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. IBM X-Force ID: 160950.
2019-09-30 6.5 CVE-2019-4304 XF CONFIRM
ibm -- websphere_application_server
IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie. IBM X-Force ID: 160951.
2019-09-30 5.0 CVE-2019-4305 XF CONFIRM
ibm -- websphere_application_server
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177.
2019-10-03 5.0 CVE-2019-4441 XF CONFIRM
ibm -- websphere_extreme_scale
IBM WebSphere eXtreme Scale 8.6 Admin Console could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 158102.
2019-09-30 5.8 CVE-2019-4109 XF CONFIRM
jenkins -- ldap_email Jenkins LDAP Email Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
2019-10-01 5.0 CVE-2019-10434 MLIST CONFIRM
jenkins -- sourcegear_vault
Jenkins SourceGear Vault Plugin transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.
2019-10-01 5.0 CVE-2019-10435 MLIST CONFIRM
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
jetbrains -- teamcity An issue was discovered in JetBrains TeamCity 2018.2.4. It had several XSS vulnerabilities on the settings pages. The issues were fixed in TeamCity 2019.1.
2019-10-02 4.3 CVE-2019-15037 CONFIRM
jetbrains -- teamcity An issue was discovered in JetBrains TeamCity 2018.2.4. It had a possible remote code execution issue. This was fixed in TeamCity 2018.2.5 and 2019.1.
2019-10-01 6.8 CVE-2019-15039 CONFIRM
jetbrains -- youtrack JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in the issue titles.
2019-10-01 4.3 CVE-2019-14952 CONFIRM
jetbrains -- youtrack JetBrains YouTrack versions before 2019.2.53938 had a possible XSS through issue attachments when using the Firefox browser.
2019-10-01 4.3 CVE-2019-14953 MISC
jetbrains -- youtrack JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names.
2019-10-02 4.0 CVE-2019-14956 CONFIRM
jetbrains -- youtrack JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on the settings page.
2019-10-02 6.8 CVE-2019-15040 MISC
jetbrains -- youtrack In JetBrains YouTrack through 2019.2.56594, stored XSS was found on the issue page.
2019-10-02 4.3 CVE-2019-16171 MISC
libreoffice -- libreoffice LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1.
2019-09-27 6.8 CVE-2019-9853 MLIST CONFIRM
metinfo -- metinfo In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/product/admin/product_admin.class.php via the admin/?n=product&c=product_admin&a=dopara&app_type=shop id parameter.
2019-09-30 6.5 CVE-2019-16996 MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
metinfo -- metinfo In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/language/admin/language_general.class.php via the admin/?n=language&c=language_general&a=doExportPack appno parameter.
2019-09-30 6.5 CVE-2019-16997 MISC
mozilla -- firefox When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords. This vulnerability affects Firefox < 68.0.2 and Firefox ESR < 68.0.2.
2019-09-27 5.0 CVE-2019-11733 SUSE SUSE MISC CONFIRM
mozilla -- firefox The Mozilla Maintenance Service does not guard against files being hardlinked to another file in the updates directory, allowing for the replacement of local files, including the Maintenance Service executable, which is run with privileged access. Additionally, there was a race condition during checks for junctions and symbolic links by the Maintenance Service, allowing for potential local file and directory manipulation to be undetected in some circumstances. This allows for potential privilege escalation by a user with unprivileged local access. <br>*Note: These attacks requires local system access and only affects Windows. Other operating systems are not affected.*. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
2019-09-27 4.4 CVE-2019-11736 SUSE SUSE MISC MISC CONFIRM CONFIRM
mozilla -- firefox If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content. This vulnerability affects Firefox < 69.
2019-09-27 5.0 CVE-2019-11737 MISC CONFIRM
mozilla -- firefox If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
2019-09-27 6.8 CVE-2019-11738 SUSE SUSE MISC CONFIRM CONFIRM
mozilla -- firefox A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org and accounts.firefox.com have close ties to the Firefox product, malicious manipulation of these sites within the browser can potentially be used to modify a user's Firefox configuration. These two sites will now be isolated into their own process and not allowed to be loaded in a standard content process. This vulnerability affects Firefox < 69.
2019-09-27 4.3 CVE-2019-11741 MISC CONFIRM
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
mozilla -- firefox A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
2019-09-27 4.3 CVE-2019-11742 SUSE SUSE SUSE SUSE MISC CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM
mozilla -- firefox Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through timing side-channel attacks. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
2019-09-27 4.3 CVE-2019-11743 SUSE SUSE SUSE SUSE MISC MISC CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM
mozilla -- firefox Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
2019-09-27 4.3 CVE-2019-11744 SUSE SUSE SUSE SUSE MISC CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM
mozilla -- firefox A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
2019-09-27 6.8 CVE-2019-11746 SUSE SUSE SUSE SUSE MISC CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
mozilla -- firefox The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a site. This includes removing any HTTP Strict Transport Security (HSTS) settings received from sites that use it. Due to a bug, sites on the pre-load list also have their HSTS setting removed. On the next visit to that site if the user specifies an http: URL rather than secure https: they will not be protected by the pre-loaded HSTS setting. After that visit the site's HSTS setting will be restored. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
2019-09-27 4.3 CVE-2019-11747 SUSE SUSE MISC CONFIRM CONFIRM
mozilla -- firefox WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
2019-09-27 4.3 CVE-2019-11748 SUSE SUSE MISC CONFIRM CONFIRM
mozilla -- firefox A vulnerability exists in WebRTC where malicious web content can use probing techniques on the getUserMedia API using constraints to reveal device properties of cameras on the system without triggering a user prompt or notification. This allows for the potential fingerprinting of users. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
2019-09-27 4.3 CVE-2019-11749 SUSE SUSE MISC CONFIRM CONFIRM
mozilla -- firefox A type confusion vulnerability exists in Spidermonkey, which results in a non-exploitable crash. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
2019-09-27 4.3 CVE-2019-11750 SUSE SUSE MISC CONFIRM CONFIRM
mozilla -- firefox Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used to write a log file to an arbitrary location such as the Windows 'Startup' folder. <br>*Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
2019-09-27 6.8 CVE-2019-11751 SUSE SUSE MISC CONFIRM CONFIRM
mozilla -- firefox The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware. If the Mozilla Maintenance Service is manipulated to update this unprotected location and the updated maintenance service in the unprotected location has been altered, the altered maintenance service can run with elevated privileges during the update process due to a lack of integrity checks. This
2019-09-27 4.6 CVE-2019-11753 SUSE SUSE MISC CONFIRM CONFIRM CONFIRM
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
allows for privilege escalation if the executable has been replaced locally. <br>*Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.*. This vulnerability affects Firefox < 69, Firefox ESR < 60.9, and Firefox ESR < 68.1.
mozilla -- firefox When the pointer lock is enabled by a website though requestPointerLock(), no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users. This vulnerability affects Firefox < 69.0.1.
2019-09-27 4.3 CVE-2019-11754 MISC CONFIRM
mozilla -- thunderbird Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward. This vulnerability affects Thunderbird < 68.1 and Thunderbird < 60.9.
2019-09-27 4.3 CVE-2019-11739 SUSE SUSE MISC CONFIRM CONFIRM
mozilla -- thunderbird A crafted S/MIME message consisting of an inner encryption layer and an outer SignedData layer was shown as having a valid digital signature, although the signer might have had no access to the contents of the encrypted message, and might have stripped a different signature from the encrypted message. Previous versions had only suppressed showing a digital signature for messages with an outer multipart/signed layer. This vulnerability affects Thunderbird < 68.1.1.
2019-09-27 5.0 CVE-2019-11755 SUSE SUSE MISC CONFIRM
netdisco -- netdisco Insufficient sanitization during device search in Netdisco 2.042010 allows for reflected XSS via manipulation of a URL parameter.
2019-09-30 4.3 CVE-2019-15810 MISC MISC
netgear -- srx5308_firmware
NETGEAR SRX5308 4.3.5-3 devices allow SQL Injection, as exploited in the wild in September 2019 to add a new user account.
2019-09-30 5.0 CVE-2019-17049 MISC
nsa -- ghidra NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).
2019-09-28 6.8 CVE-2019-16941 MISC MISC MISC MISC MISC MISC
online_store_system_project -- online_store_system
Vulnerability in Online Store v1.0, The registration form requirements for the member email format can be bypassed
2019-10-01 4.3 CVE-2019-8290 MLIST
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
by posting directly to sent_register.php allowing special characters to be included and an XSS payload to be injected.
MISC MISC
phpbb -- phpbb In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them.
2019-09-30 6.8 CVE-2019-16993 MISC MLIST MISC MISC
python -- python The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
2019-09-27 4.3 CVE-2019-16935 MISC MISC MISC MISC
qualcomm -- mdm9150_firmware
Use after free issue occurs If another instance of open for voice_svc node has been called from application without closing the previous one. in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
2019-09-30 4.6 CVE-2019-10497 CONFIRM
qualcomm -- mdm9150_firmware
Buffer overflow scenario if the client sends more than 5 io_vec requests to the server in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
2019-09-30 4.6 CVE-2019-10498 CONFIRM
qualcomm -- mdm9150_firmware
Possible use after free issue due to improper input validation in volume listener library in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD
2019-09-30 4.6 CVE-2019-10501 CONFIRM
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
qualcomm -- mdm9150_firmware
Lack of check of extscan change results received from firmware can lead to an out of buffer read in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS605, SD 210/SD 212/SD 205, SD 425, SD 430, SD 600, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
2019-09-30 4.6 CVE-2019-10507 CONFIRM
qualcomm -- mdm9150_firmware
Lack of input validation for data received from user space can lead to OOB access in WLAN in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 430, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820A, SDX20
2019-09-30 4.6 CVE-2019-10508 CONFIRM
qualcomm -- mdm9150_firmware
Buffer overflow due to improper validation of buffer size while IPA driver processing to perform read operation in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
2019-09-30 4.6 CVE-2019-2333 CONFIRM
qualcomm -- mdm9150_firmware
Buffer overflow when the audio buffer size provided by user is larger than the maximum allowable audio buffer size. in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
2019-09-30 4.6 CVE-2019-2341 CONFIRM
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
qualcomm -- mdm9206_firmware
While processing QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY vendor command, driver does not validate the data obtained from the user space which could be invalid and thus leads to an undesired behaviour in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9206, MDM9607, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS605, SD 600, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX24
2019-09-30 4.6 CVE-2019-10506 CONFIRM
qualcomm -- msm8909w_firmware
Possible use-after-free issue due to a race condition while calling camera ioctl concurrently in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MSM8909W, QCS405, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM439, SDX24
2019-09-30 4.4 CVE-2019-2284 CONFIRM
salesagility -- suitecrm SuiteCRM 7.10.x and 7.11.x before 7.10.20 and 7.11.8 has XSS. 2019-09-30 4.3 CVE-2019-14752 CONFIRM CONFIRM
salesagility -- suitecrm SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files.
2019-09-27 5.0 CVE-2019-16922 MISC
tcpdump -- tcpdump The SMB parser in tcpdump before 4.9.3 has stack exhaustion in smbutil.c:smb_fdata() via recursion.
2019-10-03 5.0 CVE-2018-16452 MISC CONFIRM
thecontrolgroup -- voyager
An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environment.
2019-09-30 6.5 CVE-2019-17050 MISC
themeisle -- visualizer A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data.
2019-09-30 5.8 CVE-2019-16932 MISC MISC MISC
whatsapp -- whatsapp An integer overflow in WhatsApp media parsing libraries allows a remote attacker to perform an out-of-bounds write on the heap via specially-crafted EXIF tags in WEBP images.
2019-09-27 6.8 CVE-2019-11927 CONFIRM
Medium Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
This issue affects WhatsApp for Android before version 2.19.143 and WhatsApp for iOS before version 2.19.100.
z.cash -- zcash Zcashd in Zcash before 2.0.7-3 allows discovery of the IP address of a full node that owns a shielded address, related to mishandling of exceptions during deserialization of note plaintexts. This affects anyone who has disclosed their zaddr to a third party.
2019-09-28 5.0 CVE-2019-16930 MISC MISC MISC MISC
Low Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
dell -- emc_integrated_data_protection_appliance_firmware
Dell EMC Integrated Data Protection Appliance versions prior to 2.3 contain a stored cross-site scripting vulnerability. A remote malicious ACM admin user may potentially exploit this vulnerability to store malicious HTML or JavaScript code in Cloud DR add-on specific field. When victim users access the page through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application.
2019-09-27
3.5
CVE-2019-3747 CONFIRM
dolibarr -- dolibarr
Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
2019-09-27
3.5
CVE-2019-16685 MISC
dolibarr -- dolibarr Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin.
2019-09-27
3.5
CVE-2019-16686 MISC
dolibarr -- dolibarr
Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
2019-09-27
3.5
CVE-2019-16687 MISC
dolibarr -- dolibarr
Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.)
2019-09-27
3.5
CVE-2019-16688 MISC
google -- android
In WiFi, the RSSI value and SSID information is broadcast as part of android.net.wifi.RSSI_CHANGE and android.net.wifi.STATE_CHANGE intents. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111698366
2019-09-27
2.1
CVE-2018-9581 MISC
google -- android
In LG's LAF component, there is a possible leak of information in a protected disk partition due to a missing bounds check. This could lead to local information disclosure via USB with
2019-09-27
2.1
CVE-2019-2190 MISC
Low Vulnerabilities
Primary Vendor -- Product
Description Published CVSS Score
Source & Patch Info
User execution privileges needed. User interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-68771598
google -- android
In LG's LAF component, there is a possible leak of information in a protected disk partition due to a missing bounds check. This could lead to local information disclosure via USB with User execution privileges needed. User interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-68770980
2019-09-27
2.1
CVE-2019-2191 MISC
google -- android
In NFC, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-122323053
2019-09-27
1.9
CVE-2019-9235 MISC
google -- android
In NFC, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-122322613
2019-09-27
1.9
CVE-2019-9236 MISC
google -- android
In NFC, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-121263487
2019-09-27
1.9
CVE-2019-9239 MISC