CVEs from 2019

3,162 normalized CVEs published or assigned in this year.

Total: 3,162
Critical: 238
High: 485
Medium: 485
Low: 94
% Critical: 7.5%
% with KEV: 3.7%
% with exploit: 8.0%

Top products

  • u-boot 20
  • crimson 8
  • active_iq_unified_manager 7
  • weblogic_server 5
  • jdk 5
  • oncommand_workflow_automation 5
  • codeready_linux_builder_eus 4
  • oncommand_insight 4
CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2019-25317 unknown 4mo ago Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions
CVE-2019-25225 unknown 9mo ago `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` op…
CVE-2019-25211 unknown 2y ago parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https:/…
CVE-2019-11245 unknown 2y ago In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. I…
CVE-2019-25210 unknown 2y ago Withdrawn Advisory: Helm shows secrets in clear text
CVE-2019-25158 unknown 3y ago Pedroetb TTS-API OS Command Injection
CVE-2019-3826 unknown 3y ago A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prome…
CVE-2019-25155 unknown 3y ago DOMPurify Open Redirect vulnerability
CVE-2019-12291 unknown 3y ago HashiCorp Consul Incorrect Access Control vulnerability in github.com/hashicorp/consul
CVE-2019-25102 unknown 3y ago Regular Expression Denial of Service in simple-markdown
CVE-2019-25103 unknown 3y ago Regular Expression Denial of Service in simple-markdown
CVE-2019-25101 unknown 3y ago Header injection in TurboGears
CVE-2019-25095 unknown 4y ago A vulnerability, which was classified as problematic, was found in kakwa LdapCherry up to 0.x. Affected is an unknown function of the component URL Handler. The manipulation leads to cross site scrip…
CVE-2019-25094 unknown 4y ago typo3-appointments vulnerable to Cross-site Scripting
CVE-2019-25073 unknown 4y ago Path traversal in github.com/goadesign/goa
CVE-2019-25072 unknown 4y ago Uncontrolled resource consumption in github.com/tendermint/tendermint
CVE-2019-25091 unknown 4y ago nsupdate.info has Sensitive Cookie Without 'HttpOnly' Flag
CVE-2019-25088 unknown 4y ago Oxidized Web vulnerable to Cross-site Scripting
CVE-2019-25078 unknown 4y ago A vulnerability classified as problematic was found in pacparser up to 1.3.x. Affected by this vulnerability is the function pacparser_find_proxy of the file src/pacparser.c. The manipulation of the …
CVE-2019-19040 unknown 4y ago Reflected Cross site scripting (XSS) in kairosdb
CVE-2019-25075 unknown 4y ago Path Traversal in Gravitee API Management
CVE-2019-10761 unknown 4y ago vm2 before 3.6.11 vulnerable to sandbox escape
CVE-2019-10800 unknown 4y ago This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before they are provided to the popen method.
CVE-2019-17352 unknown 4y ago JFinal file validation vulnerability
CVE-2019-9634 unknown 4y ago DLL injection on Windows in runtime and syscall
CVE-2019-18210 unknown 4y ago Moodle Persistent Cross-site Scripting (XSS)
CVE-2019-10169 unknown 4y ago Keycloak code execution via UMA policy abuse
CVE-2019-17560 unknown 4y ago Improper Certificate Validation in Apache Netbeans
CVE-2019-0976 unknown 4y ago NuGet Package Manager Tampering Vulnerability
CVE-2019-20366 unknown 4y ago XSS in Ignite Realtime Openfire via isTrustStore
CVE-2019-19899 unknown 4y ago Pebble Templates Improper Input Validation vulnerability
CVE-2019-19729 unknown 4y ago bson-objectid contains Improper input validation
CVE-2019-18658 unknown 4y ago Helm Unsafe Link Following in helm.sh/helm
CVE-2019-18817 unknown 4y ago Istio vulnerable to denial of service
CVE-2019-18835 unknown 4y ago Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected…
CVE-2019-8154 unknown 4y ago Magento remote code execution vulnerability
CVE-2019-8149 unknown 4y ago Magento Broken authentication and session management
CVE-2019-17598 unknown 4y ago Play Framework Inadequate Encryption Strength vulnerability
CVE-2019-17221 unknown 4y ago PhantomJS Arbitrary File Read
CVE-2019-16904 unknown 4y ago TeamPass Cross-site Scripting (XSS) vulnerability
CVE-2019-10426 unknown 4y ago Jenkins Gem Publisher Plugin stores credentials as plaintext
CVE-2019-10429 unknown 4y ago Jenkins GitLab Logo Plugin stores credentials unencrypted
CVE-2019-10428 unknown 4y ago Jenkins Aqua Security Scanner Plugin showed plain text password in configuration form
CVE-2019-10430 unknown 4y ago Jenkins NeuVector Vulnerability Scanner Plugin stored credentials in plain text
CVE-2019-10406 unknown 4y ago Improper Neutralization of Input During Web Page Generation in Jenkins
CVE-2019-10407 unknown 4y ago Project Inheritance Plugin showed secret environment variables defined in Mask Passwords Plugin
CVE-2019-10427 unknown 4y ago Jenkins Aqua MicroScanner Plugin showed plain text credential in configuration form
CVE-2019-10403 unknown 4y ago Improper Neutralization of Input During Web Page Generation in Jenkins
CVE-2019-10402 unknown 4y ago Improper Neutralization of Input During Web Page Generation in Jenkins
CVE-2019-10405 unknown 4y ago Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
CVE-2019-10401 unknown 4y ago Improper Neutralization of Input During Web Page Generation in Jenkins
CVE-2019-10404 unknown 4y ago Improper Neutralization of Input During Web Page Generation in Jenkins
CVE-2019-7139 unknown 4y ago Magento 2 Community Edition SQLi Vulnerability
CVE-2019-0195 unknown 4y ago Deserialization of Untrusted Data in Apache Tapestry
CVE-2019-1302 unknown 4y ago Elevation of privilege in ASP.NET Core
CVE-2019-16227 unknown 4y ago An issue was discovered in py-lmdb 0.97. For certain values of mn_flags, mdb_cursor_set triggers a memcpy with an invalid write operation within mdb_xcursor_init1. NOTE: this outcome occurs when acce…
CVE-2019-12401 unknown 4y ago Apache Solr vulnerable to XML Bomb
CVE-2019-15484 unknown 4y ago Bolt Cross-site Scripting (XSS) via an image's alt or title field
CVE-2019-15489 unknown 4y ago laracom Cross-site Scripting
CVE-2019-1010206 unknown 4y ago kevinsawicki/http-request Missing certificate validation
CVE-2019-1010199 unknown 4y ago Cross site scripting attack in ServiceStack Framework
CVE-2019-12747 unknown 4y ago TYPO3 Vulnerable to Insecure Deserialization
CVE-2019-12748 unknown 4y ago Typo3 Cross-Site Scripting in Link Handling
CVE-2019-12935 unknown 4y ago Shopware Cross-site Scripting Vulnerability
CVE-2019-1051 unknown 4y ago Chakra Scripting Engine RCE via Out-of-bounds write
CVE-2019-1002 unknown 4y ago ChakraCore RCE via Out-of-bounds write
CVE-2019-1024 unknown 4y ago Chakra Scripting Engine RCE Vulnerability
CVE-2019-1052 unknown 4y ago Chakra Scripting Engine RCE via Out-of-bounds write
CVE-2019-10328 unknown 4y ago Unsafe entry in Script Security list of approved signatures in Pipeline Remote Loader Plugin
CVE-2019-10325 unknown 4y ago Jenkins Warnings NG Plugin Cross-site scripting vulnerability
CVE-2019-10326 unknown 4y ago Jenkins Warnings NG Plugin cross-site request forgery vulnerability
CVE-2019-10329 unknown 4y ago Plaintext password storage in Jenkins InfluxDB Plugin
CVE-2019-10330 unknown 4y ago Improper handling of untrusted branches in Gitea Jenkins Plugin
CVE-2019-10324 unknown 4y ago Cross-site request forgery vulnerability in Jenkins Artifactory Plugin
CVE-2019-10327 unknown 4y ago XML External Entity processing vulnerability in Pipeline Maven Integration Jenkins Plugin
CVE-2019-10323 unknown 4y ago Jenkins Artifactory Plugin missing permission check
CVE-2019-10322 unknown 4y ago Jenkins Artifactory Plugin missing permission check
CVE-2019-10321 unknown 4y ago Jenkins Artifactory Plugin cross-site request forgery vulnerability
CVE-2019-11832 unknown 4y ago TYPO3 Image Processing susceptible to Code Execution
CVE-2019-11818 unknown 4y ago Alkacon OpenCMS XSS via New User module
CVE-2019-7357 unknown 4y ago Subrion CMS CSRF Vulnerability
CVE-2019-0233 unknown 4y ago Improper Preservation of Permissions in Apache Struts
CVE-2019-19326 unknown 4y ago SilverStripe Web Cache Poisoning through HTTPRequestBuilder
CVE-2019-20891 unknown 4y ago WooCommerce Cross-Site Request Forgery (CSRF)
CVE-2019-20390 unknown 4y ago Subrion CMS Cross-Site Request Forgery (CSRF) vulnerability
CVE-2019-20389 unknown 4y ago Subrion CMS XSS
CVE-2019-17564 unknown 4y ago Deserialization of Untrusted Data in Apache Dubbo
CVE-2019-14880 unknown 4y ago Moodle Oauth 2 Insufficiently Protects Against Compromise
CVE-2019-17561 unknown 4y ago Improper Verification of Cryptographic Signature in Apache Netbeans
CVE-2019-15796 unknown 4y ago python-apt Does Not Check Hash Signature
CVE-2019-15795 unknown 4y ago python-apt Flawed Package Integrity Check
CVE-2019-20627 unknown 4y ago AutoUpdater.NET allows XXE
CVE-2019-16108 unknown 4y ago phpBB arbitrary CSS injection
CVE-2019-20527 unknown 4y ago Ignite Realtime Openfire allows Cross-site Scripting
CVE-2019-20526 unknown 4y ago Ignite Realtime Openfire allows Cross-site Scripting
CVE-2019-20525 unknown 4y ago Ignite Realtime Openfire allows Cross-site Scripting
CVE-2019-15539 unknown 4y ago MantisBT XSS when uploading an attachment
CVE-2019-20528 unknown 4y ago Ignite Realtime Openfire allows Cross-site Scripting
CVE-2019-14882 unknown 4y ago Moodle open redirect vulnerability
CVE-2019-14881 unknown 4y ago Moodle XSS Vulnerability