CVEs from 2019
Total
3,161
critical
critical 238
high
high 484
medium
medium 485
low
low 95
% Critical
7.5%
% with KEV
3.7%
% with exploit
8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-19356 | unknown | — | 1.5 | 5y ago | Netis WF2419 devices contains an unspecified vulnerability that allows an attacker to perform remote code execution as root through the router's web management page. | |||
| CVE-2019-0859 | unknown | — | 1.5 | 5y ago | Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel mode. | |||
| CVE-2019-1367 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability in how the scripting engine handles objects in memory. Successful exploitation allows for remote code execution in the context o… | |||
| CVE-2019-0797 | unknown | — | 1.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an attacker to execute code in kern… | |||
| CVE-2019-13608 | unknown | — | 1.5 | 5y ago | Citrix StoreFront Server contains an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information. | |||
| CVE-2019-6223 | unknown | — | 1.5 | 5y ago | Apple iOS and macOS Group FaceTime contains an unspecified vulnerability where the call initiator can cause the recipient's Apple device to answer unknowingly or without user interaction. | |||
| CVE-2019-10758 | unknown | — | 1.5 | 7y ago | mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. | |||
| CVE-2019-0193 | unknown | — | 1.5 | 7y ago | The optional Apache Solr module DataImportHandler contains a code injection vulnerability. | |||
| CVE-2019-12928 | unknown | — | 1.0 | — | The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosu… | |||
| CVE-2019-8375 | unknown | — | 1.0 | — | The UIProcess subsystem in WebKit, as used in WebKitGTK through 2.23.90 and WebKitGTK+ through 2.22.6 and other products, does not prevent the script dialog size from exceeding the web view size, whi… | |||
| CVE-2019-9162 | unknown | — | 1.0 | — | In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and w… | |||
| CVE-2019-7304 | unknown | — | 1.0 | — | Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37… | |||
| CVE-2019-2025 | unknown | — | 1.0 | — | In binder_thread_read of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges n… | |||
| CVE-2019-19241 | unknown | — | 1.0 | — | In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and n… | |||
| CVE-2019-6110 | unknown | — | 1.0 | — | In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI c… | |||
| CVE-2019-1999 | unknown | — | 1.0 | — | In binder_alloc_free_page of binder_alloc.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privi… | |||
| CVE-2019-7303 | unknown | — | 1.0 | — | A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to ma… | |||
| CVE-2019-6215 | unknown | — | 1.0 | — | A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing malic… | |||
| CVE-2019-15793 | unknown | — | 1.0 | — | In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the l… | |||
| CVE-2019-15791 | unknown | — | 1.0 | — | In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem wit… | |||
| CVE-2019-15792 | unknown | — | 1.0 | — | In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks passes the resu… | |||
| CVE-2019-10475 | unknown | — | 1.0 | 4y ago | Jenkins build-metrics Plugin reflected cross-site scripting vulnerability | |||
| CVE-2019-11932 | unknown | — | 1.0 | 4y ago | android-gif-drawable Double Free vulnerability | |||
| CVE-2019-10349 | unknown | — | 1.0 | 4y ago | Jenkins Dependency Graph Viewer Plugin contains Cross-site Scripting | |||
| CVE-2019-6588 | unknown | — | 1.0 | 4y ago | Liferay Portal Allows Cross-Site Scripting (XSS) via the SimpleCaptcha API | |||
| CVE-2019-0186 | unknown | — | 1.0 | 4y ago | Cross-site Scripting in Apache Pluto Chatroom demo | |||
| CVE-2019-1003002 | unknown | — | 1.0 | 4y ago | Jenkins Pipeline Declarative Plugin sandbox bypass vulnerability | |||
| CVE-2019-1003001 | unknown | — | 1.0 | 4y ago | Jenkins Groovy Plugin sandbox bypass vulnerability | |||
| CVE-2019-1003000 | unknown | — | 1.0 | 4y ago | Protection Mechanism Failure in Jenkins Script Security Plugin | |||
| CVE-2019-6804 | unknown | — | 1.0 | 4y ago | Rundeck Community Edition vulnerable to Cross-site Scripting | |||
| CVE-2019-1003005 | unknown | — | 1.0 | 4y ago | Sandbox Bypass in Script Security Plugin | |||
| CVE-2019-0230 | unknown | — | 1.0 | 5y ago | Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts | |||
| CVE-2019-17554 | unknown | — | 1.0 | 6y ago | Improper Restriction of XML External Entity Reference in Apache Olingo | |||
| CVE-2019-13236 | unknown | — | 1.0 | 7y ago | XSS issues in the management interface | |||
| CVE-2019-13235 | unknown | — | 1.0 | 7y ago | XSS in login form | |||
| CVE-2019-13237 | unknown | — | 1.0 | 7y ago | Local file inclusion allows unauthorized access to internal resources in Alkacon OpenCms | |||
| CVE-2019-13234 | unknown | — | 1.0 | 7y ago | XSS in search engine | |||
| CVE-2019-11269 | unknown | — | 1.0 | 7y ago | Open Redirect in Spring Security OAuth | |||
| CVE-2019-0221 | unknown | — | 1.0 | 7y ago | The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by… | |||
| CVE-2019-3799 | unknown | — | 1.0 | 7y ago | Path Traversal in Spring Cloud Config | |||
| CVE-2019-0227 | unknown | — | 1.0 | 7y ago | Server Side Request Forgery in Apache Axis | |||
| CVE-2019-0232 | unknown | — | 1.0 | 7y ago | When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a b… | |||
| CVE-2019-3778 | unknown | — | 1.0 | 7y ago | spring-security-oauth and spring-security-oauth2 Open Redirect vulnerability | |||
| CVE-2019-5873 | unknown | — | — | — | Insufficient policy validation in navigation in Google Chrome on iOS prior to 77.0.3865.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-5875 | unknown | — | — | — | Insufficient data validation in downloads in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-5876 | unknown | — | — | — | Use after free in media in Google Chrome on Android prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5877 | unknown | — | — | — | Out of bounds memory access in JavaScript in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5878 | unknown | — | — | — | Use after free in V8 in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5880 | unknown | — | — | — | Insufficient policy enforcement in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-5881 | unknown | — | — | — | Out of bounds read in SwiftShader in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2019-10649 | unknown | — | — | — | In ImageMagick 7.0.8-36 Q16, there is a memory leak in the function SVGKeyValuePairs of coders/svg.c, which allows an attacker to cause a denial of service via a crafted image file. | |||
| CVE-2019-12589 | unknown | — | — | — | In Firejail before 0.9.60, seccomp filters are writable inside the jail, leading to a lack of intended seccomp restrictions for a process that is joined to the jail after a filter has been modified b… | |||
| CVE-2019-14380 | unknown | — | — | — | libopenmpt before 0.4.5 allows a crash during playback due to an out-of-bounds read in XM and MT2 files. | |||
| CVE-2019-14381 | unknown | — | — | — | libopenmpt before 0.4.3 allows a crash due to a NULL pointer dereference when doing a portamento from an OPL instrument to an empty instrument note map slot. | |||
| CVE-2019-7285 | unknown | — | — | — | A use after free issue was addressed with improved memory management. This issue is fixed in iOS 12.2, tvOS 12.2, Safari 12.1, iTunes 12.9.4 for Windows, iCloud for Windows 7.11. Processing malicious… | |||
| CVE-2019-3462 | unknown | — | — | — | Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code executio… | |||
| CVE-2019-14861 | unknown | — | — | — | All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS reco… | |||
| CVE-2019-6234 | unknown | — | — | — | A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing ma… | |||
| CVE-2019-5020 | unknown | — | — | — | An exploitable denial of service vulnerability exists in the object lookup functionality of Yara 3.8.1. A specially crafted binary file can cause a negative value to be read to satisfy an assert, res… | |||
| CVE-2019-19648 | unknown | — | — | — | In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, re… | |||
| CVE-2019-5841 | unknown | — | — | — | Out of bounds memory access in JavaScript in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-20367 | unknown | — | — | — | nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab). | |||
| CVE-2019-13664 | unknown | — | — | — | Insufficient policy enforcement in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-13663 | unknown | — | — | — | IDN spoofing in Omnibox in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||
| CVE-2019-13668 | unknown | — | — | — | Insufficient policy enforcement in developer tools in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-13671 | unknown | — | — | — | UI spoofing in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||
| CVE-2019-13673 | unknown | — | — | — | Insufficient data validation in developer tools in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-13685 | unknown | — | — | — | Use after free in sharing view in Google Chrome prior to 77.0.3865.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13659 | unknown | — | — | — | IDN spoofing in Omnibox in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||
| CVE-2019-9815 | unknown | — | — | — | If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications … | |||
| CVE-2019-9801 | unknown | — | — | — | Firefox will accept any registered Program ID as an external protocol handler and offer to launch this local application when given a matching URL on Windows operating systems. This should only happe… | |||
| CVE-2019-5784 | unknown | — | — | — | Incorrect handling of deferred code in V8 in Google Chrome prior to 72.0.3626.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5804 | unknown | — | — | — | Incorrect command line processing in Chrome in Google Chrome prior to 73.0.3683.75 allowed a local attacker to perform domain spoofing via a crafted domain name. | |||
| CVE-2019-5812 | unknown | — | — | — | Inadequate security UI in iOS UI in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2019-17021 | unknown | — | — | — | During the initialization of a new content process, a race condition occurs that can allow a content process to disclose heap addresses from the parent process. *Note: this issue only occurs on Windo… | |||
| CVE-2019-17018 | unknown | — | — | — | When in Private Browsing Mode on Windows 10, the Windows keyboard may retain word suggestions to improve the accuracy of the keyboard. This vulnerability affects Firefox < 72. | |||
| CVE-2019-13075 | unknown | — | — | — | Tor Browser through 8.5.3 has an information exposure vulnerability. It allows remote attackers to detect the browser's language via vectors involving an IFRAME element, because text in that language… | |||
| CVE-2019-5844 | unknown | — | — | — | Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-11751 | unknown | — | — | — | Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used t… | |||
| CVE-2019-5843 | unknown | — | — | — | Out of bounds memory access in JavaScript in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13683 | unknown | — | — | — | Insufficient policy enforcement in developer tools in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-3870 | unknown | — | — | — | A vulnerability was found in Samba from version (including) 4.9 to versions before 4.9.6 and 4.10.2. During the creation of a new Samba AD DC, files are created in a private subdirectory of the insta… | |||
| CVE-2019-3824 | unknown | — | — | — | A flaw was found in the way an LDAP search expression could crash the shared LDAP server process of a samba AD DC in samba before version 4.10. An authenticated user, having read permissions on the L… | |||
| CVE-2019-12436 | unknown | — | — | — | Samba 4.10.x before 4.10.5 has a NULL pointer dereference, leading to an AD DC LDAP server Denial of Service. This is related to an attacker using the paged search control. The attacker must have dir… | |||
| CVE-2019-13669 | unknown | — | — | — | Incorrect data validation in navigation in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-13670 | unknown | — | — | — | Insufficient data validation in JavaScript in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-18900 | unknown | — | — | — | : Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store use… | |||
| CVE-2019-17133 | unknown | — | — | — | In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow. | |||
| CVE-2019-14383 | unknown | — | — | — | J2B in libopenmpt before 0.4.2 allows an assertion failure during file parsing with debug STLs. | |||
| CVE-2019-17351 | unknown | — | — | — | An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource… | |||
| CVE-2019-18683 | unknown | — | — | — | An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 ac… | |||
| CVE-2019-18786 | unknown | — | — | — | In the Linux kernel through 5.3.8, f->fmt.sdr.reserved is uninitialized in rcar_drif_g_fmt_sdr_cap in drivers/media/platform/rcar_drif.c, which could cause a memory disclosure problem. | |||
| CVE-2019-18810 | unknown | — | — | — | A memory leak in the komeda_wb_connector_add() function in drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (mem… | |||
| CVE-2019-18813 | unknown | — | — | — | A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering platfo… | |||
| CVE-2019-18885 | unknown | — | — | — | fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, ak… | |||
| CVE-2019-19036 | unknown | — | — | — | btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero. | |||
| CVE-2019-19049 | unknown | — | — | — | A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel before 5.3.10 allows attackers to cause a denial of service (memory consumption) by triggering of_fdt_un… | |||
| CVE-2019-19050 | unknown | — | — | — | A memory leak in the crypto_reportstat() function in crypto/crypto_user_stat.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering cryp… | |||
| CVE-2019-19061 | unknown | — | — | — | A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka C… | |||
| CVE-2019-19070 | unknown | — | — | — | A memory leak in the spi_gpio_probe() function in drivers/spi/spi-gpio.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering devm_add_a… |