CVEs from 2019
Total
3,165
critical
critical 231
high
high 484
medium
medium 483
low
low 94
% Critical
7.3%
% with KEV
3.7%
% with exploit
8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-11762 | critical | — | 9.5 | 7y ago | If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulner… | |||
| CVE-2019-11729 | critical | — | 9.5 | 7y ago | Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8… | |||
| CVE-2019-11719 | critical | — | 9.5 | 7y ago | When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to inf… | |||
| CVE-2019-11727 | critical | — | 9.5 | 7y ago | A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in Certificat… | |||
| CVE-2019-11715 | critical | — | 9.5 | 7y ago | Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability aff… | |||
| CVE-2019-9811 | critical | — | 9.5 | 7y ago | As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This v… | |||
| CVE-2019-11730 | critical | — | 9.5 | 7y ago | A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. … | |||
| CVE-2019-11717 | critical | — | 9.5 | 7y ago | A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vuln… | |||
| CVE-2019-11713 | critical | — | 9.5 | 7y ago | A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.… | |||
| CVE-2019-11712 | critical | — | 9.5 | 7y ago | POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) a… | |||
| CVE-2019-11711 | critical | — | 9.5 | 7y ago | When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page… | |||
| CVE-2019-11709 | critical | — | 9.5 | 7y ago | Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enoug… | |||
| CVE-2019-9797 | critical | — | 9.5 | 7y ago | Cross-origin images can be read in violation of the same-origin policy by exporting an image after using createImageBitmap to read the image and then rendering the resulting bitmap image within a can… | |||
| CVE-2019-11693 | critical | — | 9.5 | 7y ago | The bufferdata function in WebGL is vulnerable to a buffer overflow with specific graphics drivers on Linux. This could result in malicious content freezing a tab or triggering a potentially exploita… | |||
| CVE-2019-9817 | critical | — | 9.5 | 7y ago | Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerabi… | |||
| CVE-2019-11692 | critical | — | 9.5 | 7y ago | A use-after-free vulnerability can occur when listeners are removed from the event listener manager while still in use, resulting in a potentially exploitable crash. This vulnerability affects Thunde… | |||
| CVE-2019-9820 | critical | — | 9.5 | 7y ago | A use-after-free vulnerability can occur in the chrome event handler when it is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.… | |||
| CVE-2019-9800 | critical | — | 9.5 | 7y ago | Mozilla developers and community members reported memory safety bugs present in Firefox 66, Firefox ESR 60.6, and Thunderbird 60.6. Some of these bugs showed evidence of memory corruption and we pres… | |||
| CVE-2019-11698 | critical | — | 9.5 | 7y ago | If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's b… | |||
| CVE-2019-9819 | critical | — | 9.5 | 7y ago | A vulnerability where a JavaScript compartment mismatch can occur while working with the fetch API, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefo… | |||
| CVE-2019-11691 | critical | — | 9.5 | 7y ago | A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR) in an event loop, causing the XHR main thread to be called after it has been freed. This results in a potentially explo… | |||
| CVE-2019-5798 | critical | — | 9.5 | 7y ago | Lack of correct bounds checking in Skia in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. | |||
| CVE-2019-10245 | critical | — | 9.5 | 7y ago | RHSA-2019:1238: java-1.8.0-ibm security update (Critical) | |||
| CVE-2019-2449 | critical | — | 9.5 | 7y ago | RHSA-2019:1238: java-1.8.0-ibm security update (Critical) | |||
| CVE-2019-2422 | critical | — | 9.5 | 7y ago | RHSA-2019:1238: java-1.8.0-ibm security update (Critical) | |||
| CVE-2019-9795 | critical | — | 9.5 | 7y ago | A vulnerability where type-confusion in the IonMonkey just-in-time (JIT) compiler could potentially be used by malicious JavaScript to trigger a potentially exploitable crash. This vulnerability affe… | |||
| CVE-2019-9796 | critical | — | 9.5 | 7y ago | A use-after-free vulnerability can occur when the SMIL animation controller incorrectly registers with the refresh driver twice when only a single registration is expected. When a registration is lat… | |||
| CVE-2019-9788 | critical | — | 9.5 | 7y ago | Mozilla developers and community members reported memory safety bugs present in Firefox 65, Firefox ESR 60.5, and Thunderbird 60.5. Some of these bugs showed evidence of memory corruption and we pres… | |||
| CVE-2019-9793 | critical | — | 9.5 | 7y ago | A mechanism was discovered that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have been disabled. This vulnerability could allow an attacker to create… | |||
| CVE-2019-9790 | critical | — | 9.5 | 7y ago | A use-after-free vulnerability can occur when a raw pointer to a DOM element on a page is obtained using JavaScript and the element is then removed while still in use. This results in a potentially e… | |||
| CVE-2019-14197 | critical | 9.1 | 9.1 | 7y ago | An issue was discovered in Das U-Boot through 2019.07. There is a read of out-of-bounds data at nfs_read_reply. | |||
| CVE-2019-8506 | low | — | 5.0 | 4y ago | A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution. | |||
| CVE-2019-8690 | low | — | 3.5 | 7y ago | A logic issue existed in the handling of document loads. This issue was addressed with improved state management. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTun… | |||
| CVE-2019-8689 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3, Safari 12.1.2, iTunes for Windows 12.9.6… | |||
| CVE-2019-8623 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1, Safari 12.1.1, iTunes for Windows 12.9… | |||
| CVE-2019-8671 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for … | |||
| CVE-2019-8672 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3, Safari 12.1.2, iTunes for Windows 12.9.6… | |||
| CVE-2019-8611 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, Safari 12.1.1, iTunes for Windows 12.9.5, iCloud for … | |||
| CVE-2019-8622 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1, Safari 12.1.1, iTunes for Windows 12.9… | |||
| CVE-2019-8558 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.2, tvOS 12.2, watchOS 5.2, Safari 12.1, iTunes 12.9.4 for Windows, iCloud for Windows 7.1… | |||
| CVE-2019-8518 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.2, tvOS 12.2, watchOS 5.2, Safari 12.1, iTunes 12.9.4 for Windows, iCloud for Windows 7.1… | |||
| CVE-2019-11358 | low | — | 3.5 | 7y ago | RHSA-2021:4142: pcs security, bug fix, and enhancement update (Low) | |||
| CVE-2019-5882 | low | — | 2.5 | — | Irssi 1.1.x before 1.1.2 has a use after free when hidden lines are expired from the scroll buffer. | |||
| CVE-2019-7653 | low | — | 2.5 | — | The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CLI tools that can load Python modules from the current working directory, allowing code injection, because "python -m" looks in th… | |||
| CVE-2019-9621 | unknown | — | 2.5 | 11mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component. | |||
| CVE-2019-16278 | unknown | — | 2.5 | 2y ago | Nostromo nhttpd contains a directory traversal vulnerability in the http_verify() function in a non-chrooted nhttpd server allowing for remote code execution. | |||
| CVE-2019-7256 | unknown | — | 2.5 | 2y ago | Nice Linear eMerge E3-Series contains an OS command injection vulnerability that allows an attacker to conduct remote code execution. | |||
| CVE-2019-17621 | unknown | — | 2.5 | 3y ago | D-Link DIR-859 router contains a command execution vulnerability in the UPnP endpoint URL, /gena.cgi. Exploitation allows an unauthenticated remote attacker to execute system commands as root by send… | |||
| CVE-2019-20500 | unknown | — | 2.5 | 3y ago | D-Link DWL-2600AP access point contains an authenticated command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?act… | |||
| CVE-2019-8605 | unknown | — | 2.5 | 4y ago | A use-after-free vulnerability in Apple iOS, macOS, tvOS, and watchOS could allow a malicious application to execute code with system privileges. | |||
| CVE-2019-7194 | unknown | — | 2.5 | 4y ago | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. | |||
| CVE-2019-5825 | unknown | — | 2.5 | 4y ago | Google Chromium V8 Engine contains an out-of-bounds write vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect m… | |||
| CVE-2019-7195 | unknown | — | 2.5 | 4y ago | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. | |||
| CVE-2019-7192 | unknown | — | 2.5 | 4y ago | QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. | |||
| CVE-2019-3010 | unknown | — | 2.5 | 4y ago | Oracle Solaris component: XScreenSaver contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2019-18426 | unknown | — | 2.5 | 4y ago | A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. | |||
| CVE-2019-7286 | unknown | — | 2.5 | 4y ago | Apple iOS, macOS, watchOS, and tvOS contain a memory corruption vulnerability that could allow for privilege escalation. | |||
| CVE-2019-1003030 | unknown | — | 2.5 | 4y ago | Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution. | |||
| CVE-2019-1003029 | unknown | — | 2.5 | 4y ago | Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox. | |||
| CVE-2019-3929 | unknown | — | 2.5 | 4y ago | Multiple Crestron products are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system comma… | |||
| CVE-2019-10068 | unknown | — | 2.5 | 4y ago | Kentico contains a failure to validate security headers. This deserialization can led to unauthenticated remote code execution. | |||
| CVE-2019-2616 | unknown | — | 2.5 | 4y ago | Oracle BI Publisher, formerly XML Publisher, contains an unspecified vulnerability that allows for various unauthorized actions. Open-source reporting attributes this vulnerability to allowing for au… | |||
| CVE-2019-12989 | unknown | — | 2.5 | 4y ago | Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection. | |||
| CVE-2019-15107 | unknown | — | 2.5 | 4y ago | An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability. | |||
| CVE-2019-12991 | unknown | — | 2.5 | 4y ago | Authenticated Command Injection in Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance. | |||
| CVE-2019-0841 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. | |||
| CVE-2019-0543 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated conte… | |||
| CVE-2019-1322 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated conte… | |||
| CVE-2019-1253 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. | |||
| CVE-2019-1405 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when the Windows UPnP service improperly allows COM object creation. | |||
| CVE-2019-1132 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. | |||
| CVE-2019-1652 | unknown | — | 2.5 | 4y ago | A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges… | |||
| CVE-2019-0752 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer | |||
| CVE-2019-7609 | unknown | — | 2.5 | 5y ago | Kibana contain an arbitrary code execution flaw in the Timelion visualizer. | |||
| CVE-2019-1458 | unknown | — | 2.5 | 5y ago | A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP. | |||
| CVE-2019-2725 | unknown | — | 2.5 | 5y ago | Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). | |||
| CVE-2019-9670 | unknown | — | 2.5 | 5y ago | Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component. | |||
| CVE-2019-20838 | low | — | 2.5 | 5y ago | RHSA-2021:4373: pcre security update (Low) | |||
| CVE-2019-8394 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization. | |||
| CVE-2019-2215 | unknown | — | 2.5 | 5y ago | Android Kernel contains a use-after-free vulnerability in binder.c that allows for privilege escalation from an application to the Linux Kernel. This vulnerability was observed chained with CVE-2020-… | |||
| CVE-2019-9978 | unknown | — | 2.5 | 5y ago | WordPress Social Warfare plugin contains a cross-site scripting (XSS) vulnerability that allows for remote code execution. This vulnerability affects Social Warfare and Social Warfare Pro. | |||
| CVE-2019-18935 | unknown | — | 2.5 | 5y ago | Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe proce… | |||
| CVE-2019-11539 | unknown | — | 2.5 | 5y ago | Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands. | |||
| CVE-2019-0708 | unknown | — | 2.5 | 5y ago | Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the target system using RDP and send… | |||
| CVE-2019-15949 | unknown | — | 2.5 | 5y ago | Nagios XI contains a remote code execution vulnerability in which a user can modify the check_plugin executable and insert malicious commands to execute as root. | |||
| CVE-2019-20085 | unknown | — | 2.5 | 5y ago | TVT devices utilizing NVMS-1000 software contain a directory traversal vulnerability via GET /.. requests. | |||
| CVE-2019-0541 | unknown | — | 2.5 | 5y ago | Microsoft MSHTML engine contains an improper input validation vulnerability that allows for remote code execution vulnerability. | |||
| CVE-2019-1429 | unknown | — | 2.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user. | |||
| CVE-2019-0604 | unknown | — | 2.5 | 5y ago | Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote code in the context of the SharePoint applica… | |||
| CVE-2019-4716 | unknown | — | 2.5 | 5y ago | IBM Planning Analytics is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. | |||
| CVE-2019-15752 | unknown | — | 2.5 | 5y ago | Docker Desktop Community Edition contains a vulnerability that may allow local users to escalate privileges by placing a trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop… | |||
| CVE-2019-0803 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains an unspecified vulnerability due to it failing to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in k… | |||
| CVE-2019-19781 | unknown | — | 2.5 | 5y ago | Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an unspecified vulnerability that could allow an unauthenticated attacker to perform code execution. | |||
| CVE-2019-1215 | unknown | — | 2.5 | 5y ago | Microsoft Windows contains an unspecified vulnerability due to the way ws2ifsl.sys (Winsock) handles objects in memory, allowing for privilege escalation. Successful exploitation allows an attacker t… | |||
| CVE-2019-0808 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability due to the component failing to properly handle objects in memory. Successful exploitation allows an attacker to run code in kernel mode. | |||
| CVE-2019-3398 | unknown | — | 2.5 | 5y ago | Atlassian Confluence Server and Data Center contain a path traversal vulnerability in the downloadallattachments resource that may allow a privileged, remote attacker to write files. Exploitation can… | |||
| CVE-2019-11580 | unknown | — | 2.5 | 5y ago | Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in release builds. | |||
| CVE-2019-1653 | unknown | — | 2.5 | 5y ago | Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers contain improper access controls for URLs. Exploitation could allow an attacker to download the router configuration or detailed diag… | |||
| CVE-2019-3396 | unknown | — | 2.5 | 5y ago | Atlassian Confluence Server and Data Center contain a server-side template injection vulnerability that may allow an attacker to achieve path traversal and remote code execution. | |||
| CVE-2019-0863 | unknown | — | 2.5 | 5y ago | Microsoft Windows Error Reporting (WER) contains a privilege escalation vulnerability due to the way it handles files, allowing for code execution in kernel mode. |