CVEs from 2019
Total 3,161
- critical 238
- high 484
- medium 485
- low 95
% Critical 7.5%
% with KEV 3.7%
% with exploit 8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-19703 | unknown | — | — | 6y ago | URL Redirection to Untrusted Site (Open Redirect) in Ktor | |||
| CVE-2019-10911 | unknown | — | — | 6y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with… | |||
| CVE-2019-10912 | unknown | — | — | 6y ago | In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this coul… | |||
| CVE-2019-11325 | unknown | — | — | 6y ago | An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrar… | |||
| CVE-2019-16194 | unknown | — | — | 6y ago | SQL injection in Centreon | |||
| CVE-2019-10172 | unknown | — | — | 6y ago | Improper Restriction of XML External Entity Reference in jackson-mapper-asl | |||
| CVE-2019-17556 | unknown | — | — | 6y ago | Deserialization of Untrusted Data in Apache Olingo | |||
| CVE-2019-17555 | unknown | — | — | 6y ago | Improper input validation in Apache Olingo | |||
| CVE-2019-12422 | unknown | — | — | 6y ago | Improper input validation in Apache Shiro | |||
| CVE-2019-10782 | unknown | — | — | 6y ago | XML external entity (XXE) processing ('external-parameter-entities' feature was not fully disabled) | |||
| CVE-2019-20174 | unknown | — | — | 6y ago | auth0-lock vulnerable to XSS via unsanitized placeholder property | |||
| CVE-2019-15607 | unknown | — | — | 6y ago | Cross-Site Scripting in node-red | |||
| CVE-2019-12409 | unknown | — | — | 6y ago | The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use… | |||
| CVE-2019-10770 | unknown | — | — | 6y ago | Default development error handler in Ratpack is vulnerable to HTML content injection (XSS) | |||
| CVE-2019-20399 | unknown | — | — | 7y ago | Observable Discrepancy in libsecp256k1-rs | |||
| CVE-2019-10158 | unknown | — | — | 7y ago | Improper implementation of the session fixation protection in Infinispan | |||
| CVE-2019-19588 | unknown | — | — | 7y ago | The validators package 0.12.2 through 0.12.5 for Python enters an infinite loop when validators.domain is called with a crafted domain string. This is fixed in 0.12.6. | |||
| CVE-2019-16784 | unknown | — | — | 7y ago | In PyInstaller before version 3.6, only on Windows, a local privilege escalation vulnerability is present in this particular case: If a software using PyInstaller in "onefile" mode is launched by a p… | |||
| CVE-2019-18622 | unknown | — | — | 7y ago | An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. | |||
| CVE-2019-10070 | unknown | — | — | 7y ago | Stored XSS in Apache Atlas | |||
| CVE-2019-18857 | unknown | — | — | 7y ago | XSS in enshrined/svg-sanitize due to mishandled script and data values in attributes | |||
| CVE-2019-10219 | unknown | — | — | 7y ago | The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks | |||
| CVE-2019-16789 | unknown | — | — | 7y ago | In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress lead… | |||
| CVE-2019-20008 | unknown | — | — | 7y ago | In Archery before 1.3, inserting an XSS payload into a project name (either by creating a new project or editing an existing one) will result in stored XSS on the vulnerability-scan scheduling page. | |||
| CVE-2019-12418 | unknown | — | — | 7y ago | When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration f… | |||
| CVE-2019-17563 | unknown | — | — | 7y ago | When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The wind… | |||
| CVE-2019-19919 | unknown | — | — | 7y ago | Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allo… | |||
| CVE-2019-16792 | unknown | — | — | 7y ago | Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now c… | |||
| CVE-2019-16786 | unknown | — | — | 7y ago | Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header … | |||
| CVE-2019-16785 | unknown | — | — | 7y ago | Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize… | |||
| CVE-2019-16782 | unknown | — | — | 7y ago | There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack session… | |||
| CVE-2019-19714 | unknown | — | — | 7y ago | Insert tag injection in the Contao login module | |||
| CVE-2019-19712 | unknown | — | — | 7y ago | Information disclosure in the Contao backend | |||
| CVE-2019-19745 | unknown | — | — | 7y ago | Unrestricted file uploads in Contao | |||
| CVE-2019-16778 | unknown | — | — | 7y ago | In TensorFlow before 1.15, a heap buffer overflow in UnsortedSegmentSum can be produced when the Index template argument is int32. In this case data_size and num_segments fields are truncated from in… | |||
| CVE-2019-19771 | unknown | — | — | 7y ago | lodahs is malware | |||
| CVE-2019-16779 | unknown | — | — | 7y ago | In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent req… | |||
| CVE-2019-16774 | unknown | — | — | 7y ago | Object injection in cookie driver in phpfastcache | |||
| CVE-2019-10769 | unknown | — | — | 7y ago | Sandbox Breakout / Arbitrary Code Execution in safer-eval | |||
| CVE-2019-16772 | unknown | — | — | 7y ago | Cross-Site Scripting in serialize-to-js | |||
| CVE-2019-16768 | unknown | — | — | 7y ago | Internal exception message exposure for login action in Sylius | |||
| CVE-2019-16769 | unknown | — | — | 7y ago | Cross-Site Scripting in serialize-javascript | |||
| CVE-2019-16771 | unknown | — | — | 7y ago | Low severity vulnerability that affects com.linecorp.armeria:armeria | |||
| CVE-2019-16770 | unknown | — | — | 7y ago | In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Pum… | |||
| CVE-2019-19507 | unknown | — | — | 7y ago | Validation bypass is possible in Json Pattern Validator | |||
| CVE-2019-12421 | unknown | — | — | 7y ago | Apache NiFi user log out issue | |||
| CVE-2019-10083 | unknown | — | — | 7y ago | Apache NiFi process group information disclosure | |||
| CVE-2019-10080 | unknown | — | — | 7y ago | Apache NiFi information disclosure by XXE | |||
| CVE-2019-18954 | unknown | — | — | 7y ago | Pomelo allows external control of critical state data | |||
| CVE-2019-14853 | unknown | — | — | 7y ago | An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could le… | |||
| CVE-2019-10771 | unknown | — | — | 7y ago | Cross-Site Scripting in iobroker.web | |||
| CVE-2019-17632 | unknown | — | — | 7y ago | Unescaped exception messages in error responses in Jetty | |||
| CVE-2019-11458 | unknown | — | — | 7y ago | Unsafe deserialization in SmtpTransport in CakePHP | |||
| CVE-2019-10913 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted inpu… | |||
| CVE-2019-18886 | unknown | — | — | 7y ago | An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthor… | |||
| CVE-2019-18888 | unknown | — | — | 7y ago | An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIM… | |||
| CVE-2019-18889 | unknown | — | — | 7y ago | An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is rel… | |||
| CVE-2019-10767 | unknown | — | — | 7y ago | Arbitrary File Write in iobroker.js-controller | |||
| CVE-2019-10763 | unknown | — | — | 7y ago | Data leakage via SQL Injection in Pimcore | |||
| CVE-2019-19275 | unknown | — | — | 7y ago | typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able t… | |||
| CVE-2019-19274 | unknown | — | — | 7y ago | typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be a… | |||
| CVE-2019-16766 | unknown | — | — | 7y ago | When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new de… | |||
| CVE-2019-16763 | unknown | — | — | 7y ago | Pannellum Cross-Site Scripting due to data not being sanitized for URIs or vbscript | |||
| CVE-2019-12417 | unknown | — | — | 7y ago | A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerabilit… | |||
| CVE-2019-10766 | unknown | — | — | 7y ago | SQL Injection in usmanhalalit/pixie | |||
| CVE-2019-10768 | unknown | — | — | 7y ago | angular Prototype Pollution vulnerability | |||
| CVE-2019-12331 | unknown | — | — | 7y ago | XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue | |||
| CVE-2019-17206 | unknown | — | — | 7y ago | Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts. | |||
| CVE-2019-10764 | unknown | — | — | 7y ago | Timing attacks might allow practical recovery of the long-term private key | |||
| CVE-2019-10212 | unknown | — | — | 7y ago | Potential to access user credentials from the log files when debug logging enabled | |||
| CVE-2019-19010 | unknown | — | — | 7y ago | Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impa… | |||
| CVE-2019-10910 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code exec… | |||
| CVE-2019-0207 | unknown | — | — | 7y ago | Path traversal attack on Windows platforms | |||
| CVE-2019-25009 | unknown | — | — | 7y ago | An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness. | |||
| CVE-2019-25008 | unknown | — | — | 7y ago | Integer Overflow in HeaderMap::reserve() can cause Denial of Service | |||
| CVE-2019-16762 | unknown | — | — | 7y ago | Critical severity vulnerability that affects slpjs | |||
| CVE-2019-16761 | unknown | — | — | 7y ago | Validation Bypass in slp-validate | |||
| CVE-2019-18978 | unknown | — | — | 7y ago | An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure … | |||
| CVE-2019-18848 | unknown | — | — | 7y ago | The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string. | |||
| CVE-2019-25010 | unknown | — | — | 7y ago | An issue was discovered in the failure crate through 2019-11-13 for Rust. Type confusion can occur when __private_get_type_id__ is overridden. | |||
| CVE-2019-12617 | unknown | — | — | 7y ago | SilverStripe Privilege escalation through cache pollution | |||
| CVE-2019-12245 | unknown | — | — | 7y ago | Lack of access control on uploaded files | |||
| CVE-2019-12203 | unknown | — | — | 7y ago | Session fixation in change password form | |||
| CVE-2019-12204 | unknown | — | — | 7y ago | Missing warning can lead to unauthenticated admin access in SilverStripe | |||
| CVE-2019-16409 | unknown | — | — | 7y ago | SilverStripe Versioned Files module Unpublished files are exposed publicly | |||
| CVE-2019-10909 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. Th… | |||
| CVE-2019-8233 | unknown | — | — | 7y ago | Composer JavaScript injection possible via html comments | |||
| CVE-2019-8145 | unknown | — | — | 7y ago | Magento Cross-Site Scripting via Attribute Set Name | |||
| CVE-2019-8133 | unknown | — | — | 7y ago | Bypass of sitemap access restrictions | |||
| CVE-2019-8135 | unknown | — | — | 7y ago | Remote code execution via vulnerable Symfony dependency injection | |||
| CVE-2019-8121 | unknown | — | — | 7y ago | Using JS libraries with known security vulnerabilities | |||
| CVE-2019-8126 | unknown | — | — | 7y ago | Information disclosure through processing of external XML entities | |||
| CVE-2019-18841 | unknown | — | — | 7y ago | Prototype Pollution in chartkick | |||
| CVE-2019-3465 | unknown | — | — | 7y ago | Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated atta… | |||
| CVE-2019-16403 | unknown | — | — | 7y ago | Authorization Bypass Through User-Controlled Key in Bagisto | |||
| CVE-2019-16126 | unknown | — | — | 7y ago | Cross-site Scripting in Grav | |||
| CVE-2019-15537 | unknown | — | — | 7y ago | SQL Injection in SimpleSAMLphp | |||
| CVE-2019-12406 | unknown | — | — | 7y ago | Potential DOS attack due to unrestricted attachment count in messages | |||
| CVE-2019-12419 | unknown | — | — | 7y ago | Potential session hijack in Apache CXF | |||
| CVE-2019-10749 | unknown | — | — | 7y ago | SQL Injection in sequelize |