CVEs from 2019
- Total: 3,175
- Critical: 231
- High: 484
- Medium: 483
- Low: 94
- % Critical: 7.3%
- % with KEV: 3.7%
- % with exploit: 7.9%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-6444 | unknown | — | 1.0 | | | | — | An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control.c has a stack-based buffer over-read because attacker-controlled data is dereferenced by ntohl() in ntpd. |
| CVE-2019-8937 | unknown | — | 1.0 | | | | — | HotelDruid 2.3.0 has XSS affecting the nsextt, cambia1, mese_fine, origine, and anno parameters in creaprezzi.php, tabella3.php, personalizza.php, and visualizza_tabelle.php. |
| CVE-2019-17671 | unknown | — | 1.0 | | | | — | In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. |
| CVE-2019-9834 | unknown | — | 1.0 | | | | — | The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-s… |
| CVE-2019-6110 | unknown | — | 1.0 | | | | — | In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI c… |
| CVE-2019-15126 | unknown | — | 1.0 | | | | — | |
| CVE-2019-19241 | unknown | — | 1.0 | | | | — | In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and n… |
| CVE-2019-15793 | unknown | — | 1.0 | | | | — | In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the l… |
| CVE-2019-15791 | unknown | — | 1.0 | | | | — | In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem wit… |
| CVE-2019-6442 | unknown | — | 1.0 | | | | — | An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can write one byte out of bounds in ntpd via a malformed config request, related to config_remotely in ntp_config.c, yyparse … |
| CVE-2019-6443 | unknown | — | 1.0 | | | | — | An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd. |
| CVE-2019-16223 | unknown | — | 1.0 | | | | — | WordPress before 5.2.3 allows XSS in post previews by authenticated users. |
| CVE-2019-17624 | unknown | — | 1.0 | | | | — | |
| CVE-2019-9162 | unknown | — | 1.0 | | | | — | In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and w… |
| CVE-2019-7304 | unknown | — | 1.0 | | | | — | Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37… |
| CVE-2019-6215 | unknown | — | 1.0 | | | | — | A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing malic… |
| CVE-2019-9193 | unknown | — | 1.0 | | | | — | |
| CVE-2019-15792 | unknown | — | 1.0 | | | | — | In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks passes the resu… |
| CVE-2019-14267 | unknown | — | 1.0 | | | | — | PDFResurrect 0.15 has a buffer overflow via a crafted PDF file because data associated with startxref and %%EOF is mishandled. |
| CVE-2019-18862 | unknown | — | 1.0 | | | | — | maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode. |
| CVE-2019-9858 | unknown | — | 1.0 | | | | — | Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image m… |
| CVE-2019-12928 | unknown | — | 1.0 | | | | — | The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosu… |
| CVE-2019-6445 | unknown | — | 1.0 | | | | — | An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can cause a NULL pointer dereference and ntpd crash in ntp_control.c, related to ctl_getitem. |
| CVE-2019-8375 | unknown | — | 1.0 | | | | — | The UIProcess subsystem in WebKit, as used in WebKitGTK through 2.23.90 and WebKitGTK+ through 2.22.6 and other products, does not prevent the script dialog size from exceeding the web view size, whi… |
| CVE-2019-1999 | unknown | — | 1.0 | | | | — | In binder_alloc_free_page of binder_alloc.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privi… |
| CVE-2019-2721 | unknown | — | 1.0 | | | | — | Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.28 and prior to 6.0.6. Easily exploitable vuln… |
| CVE-2019-12922 | unknown | — | 1.0 | | | | 4y ago | A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page. |
| CVE-2019-9553 | unknown | — | 1.0 | | | | 4y ago | Bolt Cross-site Scripting via the slug, teaser or title parameters |
| CVE-2019-10475 | unknown | — | 1.0 | | | | 4y ago | Jenkins build-metrics Plugin reflected cross-site scripting vulnerability |
| CVE-2019-15715 | unknown | — | 1.0 | | | | 4y ago | MantisBT Remote Code Execution |
| CVE-2019-11932 | unknown | — | 1.0 | | | | 4y ago | android-gif-drawable Double Free vulnerability |
| CVE-2019-16173 | unknown | — | 1.0 | | | | 4y ago | Cross-site Scripting in LimeSurvey |
| CVE-2019-16172 | unknown | — | 1.0 | | | | 4y ago | Cross-site Scripting in LimeSurvey |
| CVE-2019-15954 | unknown | — | 1.0 | | | | 4y ago | Total.js CMS RCE Vulnerability |
| CVE-2019-14470 | unknown | — | 1.0 | | | | 4y ago | Cosenary Instagram-PHP-API contains reflected XSS vulnerability |
| CVE-2019-14322 | unknown | — | 1.0 | | | | 4y ago | Pallets Werkzeug vulnerable to Path Traversal |
| CVE-2019-10349 | unknown | — | 1.0 | | | | 4y ago | Jenkins Dependency Graph Viewer Plugin contains Cross-site Scripting |
| CVE-2019-13068 | unknown | — | 1.0 | | | | 4y ago | Grafana Cross-site Scripting vulnerability |
| CVE-2019-12799 | unknown | — | 1.0 | | | | 4y ago | Shopware Insecure Deserialization Vulnerability |
| CVE-2019-12616 | unknown | — | 1.0 | | | | 4y ago | phpMyAdmin CSRF Vulnerability |
| CVE-2019-6588 | unknown | — | 1.0 | | | | 4y ago | Liferay Portal Allows Cross-Site Scripting (XSS) via the SimpleCaptcha API |
| CVE-2019-0186 | unknown | — | 1.0 | | | | 4y ago | Cross-site Scripting in Apache Pluto Chatroom demo |
| CVE-2019-10226 | unknown | — | 1.0 | | | | 4y ago | Fat Free CRM Cross-site Scripting vulnerability |
| CVE-2019-9648 | unknown | — | 1.0 | | | | 4y ago | CoreFTP Directory Traversal |
| CVE-2019-10867 | unknown | — | 1.0 | | | | 4y ago | Pimcore Unserialize Remote Code Execution |
| CVE-2019-9194 | unknown | — | 1.0 | | | | 4y ago | elFinder command injection vulnerability in the PHP connector |
| CVE-2019-0568 | unknown | — | 1.0 | | | | 4y ago | ChakraCore RCE Vulnerability |
| CVE-2019-0567 | unknown | — | 1.0 | | | | 4y ago | ChakraCore RCE Vulnerability |
| CVE-2019-0539 | unknown | — | 1.0 | | | | 4y ago | ChakraCore RCE Vulnerability |
| CVE-2019-1003002 | unknown | — | 1.0 | | | | 4y ago | Jenkins Pipeline Declarative Plugin sandbox bypass vulnerability |
| CVE-2019-1003001 | unknown | — | 1.0 | | | | 4y ago | Jenkins Groovy Plugin sandbox bypass vulnerability |
| CVE-2019-1003000 | unknown | — | 1.0 | | | | 4y ago | Protection Mechanism Failure in Jenkins Script Security Plugin |
| CVE-2019-10874 | unknown | — | 1.0 | | | | 4y ago | Bolt Cross Site Request Forgery (CSRF) |
| CVE-2019-6804 | unknown | — | 1.0 | | | | 4y ago | Rundeck Community Edition vulnerable to Cross-site Scripting |
| CVE-2019-3810 | unknown | — | 1.0 | | | | 4y ago | Moodle XSS Vulnerability |
| CVE-2019-1003005 | unknown | — | 1.0 | | | | 4y ago | Sandbox Bypass in Script Security Plugin |
| CVE-2019-11229 | unknown | — | 1.0 | | | | 4y ago | Gitea Remote Code Execution in github.com/go-gitea/gitea |
| CVE-2019-19609 | unknown | — | 1.0 | | | | 5y ago | Command Injection in strapi |
| CVE-2019-0230 | unknown | — | 1.0 | | | | 5y ago | Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts |
| CVE-2019-19208 | unknown | — | 1.0 | | | | 5y ago | Code injection in codiad |
| CVE-2019-16405 | unknown | — | 1.0 | | | | 5y ago | Improper Input Validation in Centreon Web |
| CVE-2019-17554 | unknown | — | 1.0 | | | | 6y ago | Improper Restriction of XML External Entity Reference in Apache Olingo |
| CVE-2019-19576 | unknown | — | 1.0 | | | | 7y ago | Remote code execution in verot/class.upload.php |
| CVE-2019-18818 | unknown | — | 1.0 | | | | 7y ago | Strapi allows unauthenticated attacker to reset admin password without valid reset token |
| CVE-2019-16328 | unknown | — | 1.0 | | | | 7y ago | In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings. |
| CVE-2019-12562 | unknown | — | 1.0 | | | | 7y ago | Stored Cross-Site Scripting vulnerability in admin component of DotNetNuke |
| CVE-2019-13236 | unknown | — | 1.0 | | | | 7y ago | XSS issues in the management interface |
| CVE-2019-13235 | unknown | — | 1.0 | | | | 7y ago | XSS in login form |
| CVE-2019-13237 | unknown | — | 1.0 | | | | 7y ago | Local file inclusion allows unauthorized access to internal resources in Alkacon OpenCms |
| CVE-2019-13234 | unknown | — | 1.0 | | | | 7y ago | XSS in search engine |
| CVE-2019-16197 | unknown | — | 1.0 | | | | 7y ago | Cross-site scripting in Dolibarr |
| CVE-2019-5485 | unknown | — | 1.0 | | | | 7y ago | Command Injection in gitlabhook |
| CVE-2019-11269 | unknown | — | 1.0 | | | | 7y ago | Open Redirect in Spring Security OAuth |
| CVE-2019-0221 | unknown | — | 1.0 | | | | 7y ago | The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by… |
| CVE-2019-3799 | unknown | — | 1.0 | | | | 7y ago | Path Traversal in Spring Cloud Config |
| CVE-2019-0227 | unknown | — | 1.0 | | | | 7y ago | Server Side Request Forgery in Apache Axis |
| CVE-2019-0232 | unknown | — | 1.0 | | | | 7y ago | When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a b… |
| CVE-2019-3778 | unknown | — | 1.0 | | | | 7y ago | spring-security-oauth and spring-security-oauth2 Open Redirect vulnerability |
| CVE-2019-5420 | unknown | — | 1.0 | | | | 7y ago | A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can … |
| CVE-2019-8903 | unknown | — | 1.0 | | | | 7y ago | Path Traversal in total.js |
| CVE-2019-5801 | unknown | — | — | | | | — | Incorrect eliding of URLs in Omnibox in Google Chrome on iOS prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. |
| CVE-2019-11323 | unknown | — | — | | | | — | HAProxy before 1.9.7 mishandles a reload with rotated keys, which triggers use of uninitialized, and very predictable, HMAC keys. This is related to an include/types/ssl_sock.h error. |
| CVE-2019-6462 | unknown | — | — | | | | — | An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized. |
| CVE-2019-18837 | unknown | — | — | | | | — | An issue was discovered in crun before 0.10.5. With a crafted image, it doesn't correctly check whether a target is a symlink, resulting in access to files outside of the container. This occurs in li… |
| CVE-2019-11783 | unknown | — | — | | | | — | Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail cha… |
| CVE-2019-15784 | unknown | — | — | | | | — | Secure Reliable Transport (SRT) through 1.3.4 has a CSndUList array overflow if there are many SRT connections. |
| CVE-2019-9035 | unknown | — | — | | | | — | An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a stack-based buffer over-read in the function ReadNextStructField() in mat5.c. |
| CVE-2019-9087 | unknown | — | — | | | | — | HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter. |
| CVE-2019-5429 | unknown | — | — | | | | — | Untrusted search path in FileZilla before 3.41.0-rc1 allows an attacker to gain privileges via a malicious 'fzsftp' binary in the user's home directory. |
| CVE-2019-11222 | unknown | — | — | | | | — | gf_bin128_parse in utils/os_divers.c in GPAC 0.7.1 has a buffer overflow issue for the crypt feature when encountering a crafted_drm_file.xml file. |
| CVE-2019-12094 | unknown | — | — | | | | — | Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI. |
| CVE-2019-9706 | unknown | — | — | | | | — | Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error. |
| CVE-2019-20017 | unknown | — | — | | | | — | A stack-based buffer over-read was discovered in Mat_VarReadNextInfo5 in mat5.c in matio 1.5.17. |
| CVE-2019-9029 | unknown | — | — | | | | — | An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is an out-of-bounds read with a SEGV in the function Mat_VarReadNextInfo5() in mat5.c. |
| CVE-2019-18388 | unknown | — | — | | | | — | A NULL pointer dereference in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via malformed commands. |
| CVE-2019-20020 | unknown | — | — | | | | — | A stack-based buffer over-read was discovered in ReadNextStructField in mat5.c in matio 1.5.17. |
| CVE-2019-8308 | unknown | — | — | | | | — | Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file. |
| CVE-2019-20018 | unknown | — | — | | | | — | A stack-based buffer over-read was discovered in ReadNextCell in mat5.c in matio 1.5.17. |
| CVE-2019-9027 | unknown | — | — | | | | — | An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a heap-based buffer overflow problem in the function ReadNextCell() in mat5.c. |
| CVE-2019-9031 | unknown | — | — | | | | — | An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a NULL pointer dereference in the function Mat_VarFree() in mat.c. |