CVEs from 2019
Total
3,161
critical
critical 238
high
high 484
medium
medium 485
low
low 95
% Critical
7.5%
% with KEV
3.7%
% with exploit
8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-16391 | unknown | — | — | — | SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrir… | |||
| CVE-2019-17075 | unknown | — | — | — | An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack va… | |||
| CVE-2019-16229 | unknown | — | — | — | drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: The security community disputes thi… | |||
| CVE-2019-15918 | unknown | — | — | — | An issue was discovered in the Linux kernel before 5.0.10. SMB2_negotiate in fs/cifs/smb2pdu.c has an out-of-bounds read because data structures are incompletely updated after a change from smb30 to … | |||
| CVE-2019-15222 | unknown | — | — | — | An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver. | |||
| CVE-2019-15220 | unknown | — | — | — | An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver. | |||
| CVE-2019-15239 | unknown | — | — | — | In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability … | |||
| CVE-2019-16392 | unknown | — | — | — | SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages. | |||
| CVE-2019-15117 | unknown | — | — | — | parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access. | |||
| CVE-2019-15098 | unknown | — | — | — | drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor. | |||
| CVE-2019-15219 | unknown | — | — | — | An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. | |||
| CVE-2019-5817 | unknown | — | — | — | Heap buffer overflow in ANGLE in Google Chrome on Windows prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-19830 | unknown | — | — | — | _core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database. | |||
| CVE-2019-13660 | unknown | — | — | — | UI spoofing in Chromium in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof notifications via a crafted HTML page. | |||
| CVE-2019-13663 | unknown | — | — | — | IDN spoofing in Omnibox in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||
| CVE-2019-13664 | unknown | — | — | — | Insufficient policy enforcement in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-13768 | unknown | — | — | — | Use after free in FileAPI in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chrome security severity: High) | |||
| CVE-2019-5784 | unknown | — | — | — | Incorrect handling of deferred code in V8 in Google Chrome prior to 72.0.3626.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-20079 | unknown | — | — | — | The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory. | |||
| CVE-2019-19307 | unknown | — | — | — | An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infinite loop), or possibly cause an out-of-bounds write, by sending a crafted MQTT … | |||
| CVE-2019-12951 | unknown | — | — | — | An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow. | |||
| CVE-2019-13503 | unknown | — | — | — | mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer over-read. | |||
| CVE-2019-2213 | unknown | — | — | — | In binder_free_transaction of binder.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. Us… | |||
| CVE-2019-5866 | unknown | — | — | — | Out of bounds memory access in JavaScript in Google Chrome prior to 75.0.3770.142 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5873 | unknown | — | — | — | Insufficient policy validation in navigation in Google Chrome on iOS prior to 77.0.3865.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-5879 | unknown | — | — | — | Insufficient policy enforcement in extensions in Google Chrome prior to 77.0.3865.75 allowed an attacker who convinced a user to install a malicious extension to read local files via a crafted Chrome… | |||
| CVE-2019-5881 | unknown | — | — | — | Out of bounds read in SwiftShader in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2019-2182 | unknown | — | — | — | In the Android kernel in the kernel MMU code there is a possible execution path leaving some kernel text and rodata pages writable. This could lead to local escalation of privilege with no additional… | |||
| CVE-2019-2181 | unknown | — | — | — | In binder_transaction of binder.c in the Android kernel, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execut… | |||
| CVE-2019-2054 | unknown | — | — | — | In the seccomp implementation prior to kernel version 4.8, there is a possible seccomp bypass due to seccomp policies that allow the use of ptrace. This could lead to local escalation of privilege wi… | |||
| CVE-2019-25136 | unknown | — | — | — | A compromised child process could have injected XBL Bindings into privileged CSS rules, resulting in arbitrary code execution and a sandbox escape. This vulnerability affects Firefox < 70. | |||
| CVE-2019-25044 | unknown | — | — | — | The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related… | |||
| CVE-2019-13309 | unknown | — | — | — | ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. | |||
| CVE-2019-15680 | unknown | — | — | — | TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results Denial of System (DoS). This attack appear to be exploitable via network connectivity. | |||
| CVE-2019-20808 | unknown | — | — | — | In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callbac… | |||
| CVE-2019-25045 | unknown | — | — | — | An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46. | |||
| CVE-2019-12435 | unknown | — | — | — | Samba 4.9.x before 4.9.9 and 4.10.x before 4.10.5 has a NULL pointer dereference, leading to Denial of Service. This is related to the AD DC DNS management server (dnsserver) RPC server process. | |||
| CVE-2019-12068 | unknown | — | — | — | In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi … | |||
| CVE-2019-17018 | unknown | — | — | — | When in Private Browsing Mode on Windows 10, the Windows keyboard may retain word suggestions to improve the accuracy of the keyboard. This vulnerability affects Firefox < 72. | |||
| CVE-2019-17021 | unknown | — | — | — | During the initialization of a new content process, a race condition occurs that can allow a content process to disclose heap addresses from the parent process. *Note: this issue only occurs on Windo… | |||
| CVE-2019-11754 | unknown | — | — | — | When the pointer lock is enabled by a website though requestPointerLock(), no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users. This vuln… | |||
| CVE-2019-9801 | unknown | — | — | — | Firefox will accept any registered Program ID as an external protocol handler and offer to launch this local application when given a matching URL on Windows operating systems. This should only happe… | |||
| CVE-2019-9815 | unknown | — | — | — | If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications … | |||
| CVE-2019-13659 | unknown | — | — | — | IDN spoofing in Omnibox in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||
| CVE-2019-10650 | unknown | — | — | — | In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure vi… | |||
| CVE-2019-1010299 | unknown | — | — | — | The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to string or to log fil… | |||
| CVE-2019-15237 | unknown | — | — | 1mo ago | Roundcube Webmail vulnerabilities | |||
| CVE-2019-3826 | unknown | — | — | 3y ago | A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prome… | |||
| CVE-2019-19040 | unknown | — | — | 4y ago | Reflected Cross site scripting (XSS) in kairosdb | |||
| CVE-2019-25075 | unknown | — | — | 4y ago | Path Traversal in Gravitee API Management | |||
| CVE-2019-17352 | unknown | — | — | 4y ago | JFinal file validation vulnerability | |||
| CVE-2019-10169 | unknown | — | — | 4y ago | Keycloak code execution via UMA policy abuse | |||
| CVE-2019-17560 | unknown | — | — | 4y ago | Improper Certificate Validation in Apache Netbeans | |||
| CVE-2019-19899 | unknown | — | — | 4y ago | Pebble Templates Improper Input Validation vulnerability | |||
| CVE-2019-20366 | unknown | — | — | 4y ago | XSS in Ignite Realtime Openfire via isTrustStore | |||
| CVE-2019-17598 | unknown | — | — | 4y ago | Play Framework Inadequate Encryption Strength vulnerability | |||
| CVE-2019-10406 | unknown | — | — | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins | |||
| CVE-2019-10428 | unknown | — | — | 4y ago | Jenkins Aqua Security Scanner Plugin showed plain text password in configuration form | |||
| CVE-2019-10430 | unknown | — | — | 4y ago | Jenkins NeuVector Vulnerability Scanner Plugin stored credentials in plain text | |||
| CVE-2019-10407 | unknown | — | — | 4y ago | Project Inheritance Plugin showed secret environment variables defined in Mask Passwords Plugin | |||
| CVE-2019-10426 | unknown | — | — | 4y ago | Jenkins Gem Publisher Plugin stores credentials as plaintext | |||
| CVE-2019-10427 | unknown | — | — | 4y ago | Jenkins Aqua MicroScanner Plugin showed plain text credential in configuration form | |||
| CVE-2019-10402 | unknown | — | — | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins | |||
| CVE-2019-10405 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins | |||
| CVE-2019-10403 | unknown | — | — | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins | |||
| CVE-2019-10401 | unknown | — | — | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins | |||
| CVE-2019-10404 | unknown | — | — | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins | |||
| CVE-2019-0195 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Apache Tapestry | |||
| CVE-2019-12401 | unknown | — | — | 4y ago | Apache Solr vulnerable to XML Bomb | |||
| CVE-2019-1010206 | unknown | — | — | 4y ago | kevinsawicki/http-request Missing certificate validation | |||
| CVE-2019-10330 | unknown | — | — | 4y ago | Improper handling of untrusted branches in Gitea Jenkins Plugin | |||
| CVE-2019-10324 | unknown | — | — | 4y ago | Cross-site request forgery vulnerability in Jenkins Artifactory Plugin | |||
| CVE-2019-10326 | unknown | — | — | 4y ago | Jenkins Warnings NG Plugin cross-site request forgery vulnerability | |||
| CVE-2019-10329 | unknown | — | — | 4y ago | Plaintext password storage in Jenkins InfluxDB Plugin | |||
| CVE-2019-10325 | unknown | — | — | 4y ago | Jenkins Warnings NG Plugin Cross-site scripting vulnerability | |||
| CVE-2019-10328 | unknown | — | — | 4y ago | Unsafe entry in Script Security list of approved signatures in Pipeline Remote Loader Plugin | |||
| CVE-2019-10327 | unknown | — | — | 4y ago | XML External Entity processing vulnerability in Pipeline Maven Integration Jenkins Plugin | |||
| CVE-2019-10321 | unknown | — | — | 4y ago | Jenkins Artifactory Plugin cross-site request forgery vulnerability | |||
| CVE-2019-10323 | unknown | — | — | 4y ago | Jenkins Artifactory Plugin missing permission check | |||
| CVE-2019-10322 | unknown | — | — | 4y ago | Jenkins Artifactory Plugin missing permission check | |||
| CVE-2019-11818 | unknown | — | — | 4y ago | Alkacon OpenCMS XSS via New User module | |||
| CVE-2019-0233 | unknown | — | — | 4y ago | Improper Preservation of Permissions in Apache Struts | |||
| CVE-2019-17564 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Apache Dubbo | |||
| CVE-2019-17561 | unknown | — | — | 4y ago | Improper Verification of Cryptographic Signature in Apache Netbeans | |||
| CVE-2019-20526 | unknown | — | — | 4y ago | Ignite Realtime Openfire allows Cross-site Scripting | |||
| CVE-2019-20525 | unknown | — | — | 4y ago | Ignite Realtime Openfire allows Cross-site Scripting | |||
| CVE-2019-20528 | unknown | — | — | 4y ago | Ignite Realtime Openfire allows Cross-site Scripting | |||
| CVE-2019-14888 | unknown | — | — | 4y ago | Undertow vulnerable to Uncontrolled Resource Consumption | |||
| CVE-2019-14837 | unknown | — | — | 4y ago | keycloak vulnerable to unauthorized login via mail server setup | |||
| CVE-2019-6035 | unknown | — | — | 4y ago | Athenz vulnerable to Open Redirect | |||
| CVE-2019-16576 | unknown | — | — | 4y ago | Improper Authorization in Jenkins Alauda Kubernetes Suport Plugin | |||
| CVE-2019-16575 | unknown | — | — | 4y ago | Cross-Site Request Forgery in Jenkins Alauda Kubernetes Suport Plugin | |||
| CVE-2019-16574 | unknown | — | — | 4y ago | Jenkins Alauda DevOps Pipeline Plugin allows attackers with Overall/Read permission to capture credentials stored in Jenkins | |||
| CVE-2019-16572 | unknown | — | — | 4y ago | Jenkins Weibo Plugin stores credentials unencrypted in its global configuration file | |||
| CVE-2019-16569 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Mantis Plugin | |||
| CVE-2019-16573 | unknown | — | — | 4y ago | Jenkins Alauda DevOps Pipeline Plugin vulnerable to cross-site request forgery | |||
| CVE-2019-16563 | unknown | — | — | 4y ago | Cross site scripting in Jenkins Mission Control Plugin | |||
| CVE-2019-16567 | unknown | — | — | 4y ago | Jenkins Team Concert Plugin missing permission check | |||
| CVE-2019-16564 | unknown | — | — | 4y ago | Jenkins Pipeline Aggregator View Plugin stored XSS vulnerability | |||
| CVE-2019-16571 | unknown | — | — | 4y ago | Jenkins RapidDeploy Plugin missing permission check |