CVEs from 2019
Total
3,165
critical
critical 231
high
high 484
medium
medium 483
low
low 94
% Critical
7.3%
% with KEV
3.7%
% with exploit
8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-5829 | critical | — | 9.5 | — | Integer overflow in download manager in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | |||
| CVE-2019-5836 | critical | — | 9.5 | — | Heap buffer overflow in ANGLE in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13767 | critical | — | 9.5 | — | Use after free in media picker in Google Chrome prior to 79.0.3945.88 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5840 | critical | — | 9.5 | — | Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75.0.3770.80 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2019-11701 | critical | — | 9.5 | — | The default webcal: protocol handler will load a web site vulnerable to cross-site scripting (XSS) attacks. This default was left in place as a legacy feature and has now been removed. *Note: this is… | |||
| CVE-2019-11714 | critical | — | 9.5 | — | Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances. This vulnerability affects Firefox < 68. | |||
| CVE-2019-17025 | critical | — | 9.5 | — | Mozilla developers reported memory safety bugs present in Firefox 71. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been expl… | |||
| CVE-2019-5837 | critical | — | 9.5 | — | Resource size information leakage in Blink in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-9821 | critical | — | 9.5 | — | A use-after-free vulnerability can occur in AssertWorkerThread due to a race condition with shared workers. This results in a potentially exploitable crash. This vulnerability affects Firefox < 67. | |||
| CVE-2019-13736 | critical | — | 9.5 | — | Integer overflow in PDFium in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-5762 | critical | — | 9.5 | — | Inappropriate memory management when caching in PDFium in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. | |||
| CVE-2019-5757 | critical | — | 9.5 | — | An incorrect object type assumption in SVG in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. | |||
| CVE-2019-13726 | critical | — | 9.5 | — | Buffer overflow in password manager in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | |||
| CVE-2019-11721 | critical | — | 9.5 | — | The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confus… | |||
| CVE-2019-13749 | critical | — | 9.5 | — | Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-9814 | critical | — | 9.5 | — | Mozilla developers and community members reported memory safety bugs present in Firefox 66. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of… | |||
| CVE-2019-5809 | critical | — | 9.5 | — | Use after free in file chooser in Google Chrome prior to 74.0.3729.108 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. | |||
| CVE-2019-11765 | critical | — | 9.5 | — | A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process… | |||
| CVE-2019-5761 | critical | — | 9.5 | — | Incorrect object lifecycle management in SwiftShader in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-3860 | critical | — | 9.5 | — | An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial … | |||
| CVE-2019-7221 | critical | — | 9.5 | — | The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. | |||
| CVE-2019-19880 | critical | — | 9.5 | — | exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled. | |||
| CVE-2019-13917 | critical | — | 9.5 | — | Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $lo… | |||
| CVE-2019-5819 | critical | — | 9.5 | — | Insufficient data validation in developer tools in Google Chrome on OS X prior to 74.0.3729.108 allowed a local attacker to execute arbitrary code via a crafted string copied to clipboard. | |||
| CVE-2019-5835 | critical | — | 9.5 | — | Object lifecycle issue in SwiftShader in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | |||
| CVE-2019-15846 | critical | — | 9.5 | — | Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash. | |||
| CVE-2019-19926 | critical | — | 9.5 | — | multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplet… | |||
| CVE-2019-17000 | critical | — | 9.5 | — | An object tag with a data URI did not correctly inherit the document's Content Security Policy. This allowed a CSP bypass in a cross-origin frame if the document's policy explicitly allowed data: URI… | |||
| CVE-2019-13739 | critical | — | 9.5 | — | Insufficient policy enforcement in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||
| CVE-2019-5763 | critical | — | 9.5 | — | Failure to check error conditions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13756 | critical | — | 9.5 | — | Incorrect security UI in printing in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2019-5756 | critical | — | 9.5 | — | Inappropriate memory management when caching in PDFium in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. | |||
| CVE-2019-5806 | critical | — | 9.5 | — | Integer overflow in ANGLE in Google Chrome on Windows prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5758 | critical | — | 9.5 | — | Incorrect object lifecycle management in Blink in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5808 | critical | — | 9.5 | — | Use after free in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13755 | critical | — | 9.5 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to disable extensions via a crafted HTML page. | |||
| CVE-2019-5811 | critical | — | 9.5 | — | Incorrect handling of CORS in ServiceWorker in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||
| CVE-2019-3862 | critical | — | 9.5 | — | An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a… | |||
| CVE-2019-5822 | critical | — | 9.5 | — | Inappropriate implementation in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||
| CVE-2019-5776 | critical | — | 9.5 | — | Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. | |||
| CVE-2019-5778 | critical | — | 9.5 | — | A missing case for handling special schemes in permission request checks in Extensions in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious extension… | |||
| CVE-2019-9956 | critical | — | 9.5 | — | In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted i… | |||
| CVE-2019-11695 | critical | — | 9.5 | — | A custom cursor defined by scripting on a site can position itself over the addressbar to spoof the actual cursor when it should not be allowed outside of the primary web content area. This could be … | |||
| CVE-2019-3858 | critical | — | 9.5 | — | An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause… | |||
| CVE-2019-13735 | critical | — | 9.5 | — | Out of bounds write in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | |||
| CVE-2019-13758 | critical | — | 9.5 | — | Insufficient policy enforcement in navigation in Google Chrome on Android prior to 79.0.3945.79 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2019-11710 | critical | — | 9.5 | — | Mozilla developers and community members reported memory safety bugs present in Firefox 67. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of… | |||
| CVE-2019-5839 | critical | — | 9.5 | — | Excessive data validation in URL parser in Google Chrome prior to 75.0.3770.80 allowed a remote attacker who convinced a user to input a URL to bypass website URL validation via a crafted URL. | |||
| CVE-2019-5767 | critical | — | 9.5 | — | Insufficient protection of permission UI in WebAPKs in Google Chrome on Android prior to 72.0.3626.81 allowed an attacker who convinced the user to install a malicious application to access privacy/s… | |||
| CVE-2019-5775 | critical | — | 9.5 | — | Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. | |||
| CVE-2019-13737 | critical | — | 9.5 | — | Insufficient policy enforcement in autocomplete in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML pag… | |||
| CVE-2019-11697 | critical | — | 9.5 | — | If the ALT and "a" keys are pressed when users receive an extension installation prompt, the extension will be installed without the install prompt delay that keeps the prompt visible in order for us… | |||
| CVE-2019-18511 | critical | — | 9.5 | — | multiple issues in thunderbird | |||
| CVE-2019-17013 | critical | — | 9.5 | — | Mozilla developers reported memory safety bugs present in Firefox 70. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been expl… | |||
| CVE-2019-9805 | critical | — | 9.5 | — | A latent vulnerability exists in the Prio library where data may be read from uninitialized memory for some functions, leading to potential memory corruption. This vulnerability affects Firefox < 66. | |||
| CVE-2019-17002 | critical | — | 9.5 | — | If upgrade-insecure-requests was specified in the Content Security Policy, and a link was dragged and dropped from that page, the link was not upgraded to https. This vulnerability affects Firefox < … | |||
| CVE-2019-13748 | critical | — | 9.5 | — | Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML p… | |||
| CVE-2019-5838 | critical | — | 9.5 | — | Insufficient policy enforcement in extensions API in Google Chrome prior to 75.0.3770.80 allowed an attacker who convinced a user to install a malicious extension to bypass restrictions on file URIs … | |||
| CVE-2019-13728 | critical | — | 9.5 | — | Out of bounds write in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5814 | critical | — | 9.5 | — | Insufficient policy enforcement in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-5766 | critical | — | 9.5 | — | Incorrect handling of origin taint checking in Canvas in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-5820 | critical | — | 9.5 | — | Integer overflow in PDFium in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-13742 | critical | — | 9.5 | — | Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. | |||
| CVE-2019-5828 | critical | — | 9.5 | — | Object lifecycle issue in ServiceWorker in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | |||
| CVE-2019-5823 | critical | — | 9.5 | — | Insufficient policy enforcement in service workers in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2019-5439 | critical | — | 9.5 | — | arbitrary code execution in vlc | |||
| CVE-2019-5810 | critical | — | 9.5 | — | Information leak in autofill in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2019-17001 | critical | — | 9.5 | — | A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-… | |||
| CVE-2019-5813 | critical | — | 9.5 | — | Use after free in V8 in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-9799 | critical | — | 9.5 | — | Insufficient bounds checking of data during inter-process communication might allow a compromised content process to be able to read memory from the parent process under certain conditions. This vuln… | |||
| CVE-2019-13745 | critical | — | 9.5 | — | Insufficient policy enforcement in audio in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-5777 | critical | — | 9.5 | — | Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. | |||
| CVE-2019-5780 | critical | — | 9.5 | — | Insufficient restrictions on what can be done with Apple Events in Google Chrome on macOS prior to 72.0.3626.81 allowed a local attacker to execute JavaScript via Apple Events. | |||
| CVE-2019-5818 | critical | — | 9.5 | — | Uninitialized data in media in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted video file. | |||
| CVE-2019-5781 | critical | — | 9.5 | — | Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. | |||
| CVE-2019-13743 | critical | — | 9.5 | — | Incorrect security UI in external protocol handling in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||
| CVE-2019-9806 | critical | — | 9.5 | — | A vulnerability exists during authorization prompting for FTP transaction where successive modal prompts are displayed and cannot be immediately dismissed. This allows for a denial of service (DOS) a… | |||
| CVE-2019-17009 | critical | — | 9.5 | — | When running, the updater service wrote status and log files to an unrestricted location; potentially allowing an unprivileged process to locate and exploit a vulnerability in file handling in the up… | |||
| CVE-2019-13732 | critical | — | 9.5 | — | Use-after-free in WebAudio in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5779 | critical | — | 9.5 | — | Insufficient policy validation in ServiceWorker in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2019-13757 | critical | — | 9.5 | — | Incorrect security UI in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||
| CVE-2019-17014 | critical | — | 9.5 | — | If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and dropped cross-domain, resulting in a cross-origin information leak. This vulnerability affects… | |||
| CVE-2019-5815 | critical | — | 9.5 | 4y ago | Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data. | |||
| CVE-2019-17023 | critical | — | 9.5 | 6y ago | After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state,… | |||
| CVE-2019-11756 | critical | — | 9.5 | 6y ago | Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. | |||
| CVE-2019-20503 | critical | — | 9.5 | 6y ago | usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init. | |||
| CVE-2019-17666 | critical | — | 9.5 | 6y ago | rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow. | |||
| CVE-2019-17024 | critical | — | 9.5 | 7y ago | Mozilla developers reported memory safety bugs present in Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these… | |||
| CVE-2019-17016 | critical | — | 9.5 | 7y ago | When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites re… | |||
| CVE-2019-17017 | critical | — | 9.5 | 7y ago | Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. Thi… | |||
| CVE-2019-17022 | critical | — | 9.5 | 7y ago | When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text … | |||
| CVE-2019-11745 | critical | — | 9.5 | 7y ago | multiple issues in firefox | |||
| CVE-2019-17010 | critical | — | 9.5 | 7y ago | Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash.… | |||
| CVE-2019-17008 | critical | — | 9.5 | 7y ago | When using nested workers, a use-after-free could occur during worker destruction. This resulted in a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3,… | |||
| CVE-2019-17012 | critical | — | 9.5 | 7y ago | Mozilla developers reported memory safety bugs present in Firefox 70 and Firefox ESR 68.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these… | |||
| CVE-2019-17005 | critical | — | 9.5 | 7y ago | The plain text serializer used a fixed-size array for the number of <ol> elements it could process; however it was possible to overflow the static-sized array leading to memory corruption and a poten… | |||
| CVE-2019-17011 | critical | — | 9.5 | 7y ago | Under certain conditions, when retrieving a document from a DocShell in the antitracking code, a race condition could cause a use-after-free condition and a potentially exploitable crash. This vulner… | |||
| CVE-2019-11759 | critical | — | 9.5 | 7y ago | An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an attacker to execute arbitrary code or more likely lead to a c… | |||
| CVE-2019-11762 | critical | — | 9.5 | 7y ago | If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulner… | |||
| CVE-2019-11764 | critical | — | 9.5 | 7y ago | Mozilla developers and community members reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory corruption and we presume that with enoug… |