LiveActive security incident?Get immediate response
CVE archive

November 2019

Browse CVE records published in November 2019, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1281 matching CVEs · Page 3 of 26.

Low · CVSS 3.3

CVE-2019-5640: Rapid7 Nexpose Information Disclosure after logout

Rapid7 Nexpose versions prior to 6.6.114 suffer from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the inspect element browser feature to remove the login panel and view the details available in the last webpage visited by previous user

Published Nov 22, 2021 · Updated Sep 17, 2024

High · CVSS 7.3

CVE-2019-17331: TIBCO EBX Add-on For Data Exchange Cross-Site Scripting Vulnerabilities

The Data Exchange Web Interface component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions up to and including 3.20.13, version 4.1.0.

Published Nov 12, 2019 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2019-15071: Openfind MAIL2000 Webmail Pre-Auth Cross-Site Scripting

The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments, organizations, companies and universities.

Published Nov 20, 2019 · Updated Sep 17, 2024

High · CVSS 7.5

CVE-2019-20925: Denial of service via malformed network packet

An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.

Published Nov 24, 2020 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2019-15004: The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before...

The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.

Published Nov 7, 2019 · Updated Sep 16, 2024

Critical · CVSS 10

CVE-2019-5644: C4G BLIS Improper Access Control

Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.5 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may alter several facets of a user account, including promoting any user to an administrator.

Published Nov 6, 2019 · Updated Sep 16, 2024

Medium · CVSS 6.5

CVE-2019-2393: Crash while joining collections with $lookup

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server v3.6 versions prior to 3.6.15.

Published Nov 23, 2020 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2019-15003: The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before...

The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via authorization bypass. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.

Published Nov 7, 2019 · Updated Sep 16, 2024

Medium · CVSS 4.5

CVE-2019-11287: RabbitMQ Web Management Plugin DoS via heap overflow

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Published Nov 22, 2019 · Updated Sep 16, 2024

High · CVSS 7.3

CVE-2019-17332: TIBCO EBX Add-on For Digital Asset Manager Cross-Site Scripting Vulnerabilities

The Digital Asset Manager Web Interface component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions up to and including 3.20.13, versions 4.1.0, 4.2.0, 4.2.1, and 4.2.2.

Published Nov 12, 2019 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2019-15005: The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user...

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.

Published Nov 8, 2019 · Updated Sep 16, 2024

Medium · CVSS 6.5

CVE-2019-20924: Invariant in IndexBoundsBuilder

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server v4.2 versions prior to 4.2.2.

Published Nov 23, 2020 · Updated Sep 16, 2024

High · CVSS 8.8

CVE-2019-17330: TIBCO EBX Exposes Multiple Cross-Site Scripting Vulnerabilities

The Web server component of TIBCO Software Inc.'s TIBCO EBX contains multiple vulnerabilities that theoretically allow authenticated users to perform stored cross-site scripting (XSS) attacks, and unauthenticated users to perform reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions up to and including 5.8.1.fixR, versions 5.9.3, 5.9.4, 5.9.5, and 5.9.6.

Published Nov 12, 2019 · Updated Sep 16, 2024

High · CVSS 8

CVE-2019-4561: IBM Security Identity Manager 6.0.0 could allow a remote attacker to execute arbitrary code on the system,...

IBM Security Identity Manager 6.0.0 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 166456.

Published Nov 20, 2019 · Updated Sep 16, 2024

Medium · CVSS 6.1

CVE-2019-4215: IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to hijack the clicking action of...

IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 159186.

Published Nov 22, 2019 · Updated Sep 16, 2024

Medium · CVSS 6.1

CVE-2019-4581: IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scripting.

IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 167239.

Published Nov 9, 2019 · Updated Sep 16, 2024

Medium · CVSS 5.3

CVE-2019-5643: C4G BLIS Improper Access Control

Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.5 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may enumerate the user names and facility names in use on a particular installation.

Published Nov 6, 2019 · Updated Sep 16, 2024

Medium · CVSS 6.5

CVE-2019-2392: $mod can result in undefined behavior

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.

Published Nov 23, 2020 · Updated Sep 16, 2024

Medium · CVSS 6.1

CVE-2019-4450: IBM i 7.2, 7.3, and 7.4 for i is vulnerable to cross-site scripting.

IBM i 7.2, 7.3, and 7.4 for i is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163492.

Published Nov 9, 2019 · Updated Sep 16, 2024

Medium · CVSS 6.5

CVE-2019-20923: Crash while handling internal Javascript exception types

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects MongoDB Server v4.0 versions prior to 4.0.7.

Published Nov 23, 2020 · Updated Sep 16, 2024

High · CVSS 7.5

CVE-2019-6477: TCP-pipelined queries can bypass tcp-clients limit

With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).

Published Nov 26, 2019 · Updated Sep 16, 2024

Medium · CVSS 5.4

CVE-2019-4454: IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scripting.

IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163618.

Published Nov 9, 2019 · Updated Sep 16, 2024

Medium · CVSS 4

CVE-2019-25156: dstar2018 Agency search.php cross site scripting

A vulnerability classified as problematic was found in dstar2018 Agency up to 61. Affected by this vulnerability is an unknown functionality of the file search.php. The manipulation of the argument QSType/QuickSearch leads to cross site scripting. The attack can be launched remotely. The patch is named 975b56953efabb434519d9feefcc53685fb8d0ab. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-244495.

Published Nov 7, 2023 · Updated Sep 4, 2024