CVEs from 2019
Total
3,162
critical
critical 238
high
high 485
medium
medium 485
low
low 94
% Critical
7.5%
% with KEV
3.7%
% with exploit
8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-6454 | medium | — | 5.5 | 7y ago | An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming … | |||
| CVE-2019-11324 | medium | — | 5.5 | 7y ago | RHSA-2020:1916: python-pip security update (Moderate) | |||
| CVE-2019-7164 | medium | — | 5.5 | 7y ago | RHSA-2019:0984: python36:3.6 security update (Moderate) | |||
| CVE-2019-7548 | medium | — | 5.5 | 7y ago | RHSA-2019:0984: python36:3.6 security update (Moderate) | |||
| CVE-2019-8320 | medium | — | 5.5 | 7y ago | RHBA-2019:3384: ruby:2.5 bug fix and enhancement update (Moderate) | |||
| CVE-2019-8322 | medium | — | 5.5 | 7y ago | RHBA-2019:3384: ruby:2.5 bug fix and enhancement update (Moderate) | |||
| CVE-2019-8325 | medium | — | 5.5 | 7y ago | RHBA-2019:3384: ruby:2.5 bug fix and enhancement update (Moderate) | |||
| CVE-2019-8321 | medium | — | 5.5 | 7y ago | RHBA-2019:3384: ruby:2.5 bug fix and enhancement update (Moderate) | |||
| CVE-2019-8323 | medium | — | 5.5 | 7y ago | RHBA-2019:3384: ruby:2.5 bug fix and enhancement update (Moderate) | |||
| CVE-2019-8331 | medium | — | 5.5 | 7y ago | Bootstrap Vulnerable to Cross-Site Scripting | |||
| CVE-2019-6975 | medium | — | 5.5 | 7y ago | Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() func… | |||
| CVE-2019-3498 | medium | — | 5.5 | 8y ago | In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defa… | |||
| CVE-2019-3881 | medium | — | 5.5 | 8y ago | RHSA-2021:2588: ruby:2.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2019-13118 | medium | 5.3 | 5.3 | 4y ago | In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, … | |||
| CVE-2019-13117 | medium | 5.3 | 5.3 | 7y ago | In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte o… | |||
| CVE-2019-16910 | medium | 5.3 | 5.3 | 7y ago | Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private… | |||
| CVE-2019-7317 | medium | 5.3 | 5.3 | 7y ago | png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute. | |||
| CVE-2019-8506 | low | — | 5.0 | 4y ago | A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution. | |||
| CVE-2019-16230 | medium | 4.7 | 4.7 | 7y ago | drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer stat… | |||
| CVE-2019-14360 | medium | 4.6 | 4.6 | 7y ago | On Hyundai Pay Kasse HK-1000 devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allow… | |||
| CVE-2019-15213 | medium | 4.6 | 4.6 | 7y ago | An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver. | |||
| CVE-2019-25717 | medium | 4.3 | 4.3 | 4d ago | Dräger Infinity Delta, Delta XL, and Kappa patient monitors contain an information disclosure vulnerability that allows unauthenticated network attackers to access log files over a network connection… | |||
| CVE-2019-25734 | medium | 4.0 | 4.0 | 2d ago | Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanit… | |||
| CVE-2019-25723 | medium | 4.0 | 4.0 | 4d ago | Dräger Perseus A500 software versions 2.00 through 2.02 contains an improper input handling vulnerability that allows external attackers to cause a denial of service by sending specifically crafted n… | |||
| CVE-2019-8622 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1, Safari 12.1.1, iTunes for Windows 12.9… | |||
| CVE-2019-8671 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for … | |||
| CVE-2019-8611 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, Safari 12.1.1, iTunes for Windows 12.9.5, iCloud for … | |||
| CVE-2019-8672 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3, Safari 12.1.2, iTunes for Windows 12.9.6… | |||
| CVE-2019-8623 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1, Safari 12.1.1, iTunes for Windows 12.9… | |||
| CVE-2019-8689 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3, Safari 12.1.2, iTunes for Windows 12.9.6… | |||
| CVE-2019-8518 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.2, tvOS 12.2, watchOS 5.2, Safari 12.1, iTunes 12.9.4 for Windows, iCloud for Windows 7.1… | |||
| CVE-2019-8690 | low | — | 3.5 | 7y ago | A logic issue existed in the handling of document loads. This issue was addressed with improved state management. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTun… | |||
| CVE-2019-8558 | low | — | 3.5 | 7y ago | Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.2, tvOS 12.2, watchOS 5.2, Safari 12.1, iTunes 12.9.4 for Windows, iCloud for Windows 7.1… | |||
| CVE-2019-11358 | low | — | 3.5 | 7y ago | RHSA-2021:4142: pcs security, bug fix, and enhancement update (Low) | |||
| CVE-2019-7653 | low | — | 2.5 | — | The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CLI tools that can load Python modules from the current working directory, allowing code injection, because "python -m" looks in th… | |||
| CVE-2019-5882 | low | — | 2.5 | — | Irssi 1.1.x before 1.1.2 has a use after free when hidden lines are expired from the scroll buffer. | |||
| CVE-2019-9621 | unknown | — | 2.5 | 11mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component. | |||
| CVE-2019-16278 | unknown | — | 2.5 | 2y ago | Nostromo nhttpd contains a directory traversal vulnerability in the http_verify() function in a non-chrooted nhttpd server allowing for remote code execution. | |||
| CVE-2019-7256 | unknown | — | 2.5 | 2y ago | Nice Linear eMerge E3-Series contains an OS command injection vulnerability that allows an attacker to conduct remote code execution. | |||
| CVE-2019-20500 | unknown | — | 2.5 | 3y ago | D-Link DWL-2600AP access point contains an authenticated command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?act… | |||
| CVE-2019-17621 | unknown | — | 2.5 | 3y ago | D-Link DIR-859 router contains a command execution vulnerability in the UPnP endpoint URL, /gena.cgi. Exploitation allows an unauthenticated remote attacker to execute system commands as root by send… | |||
| CVE-2019-8605 | unknown | — | 2.5 | 4y ago | A use-after-free vulnerability in Apple iOS, macOS, tvOS, and watchOS could allow a malicious application to execute code with system privileges. | |||
| CVE-2019-5825 | unknown | — | 2.5 | 4y ago | Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-7192 | unknown | — | 2.5 | 4y ago | QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. | |||
| CVE-2019-7194 | unknown | — | 2.5 | 4y ago | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. | |||
| CVE-2019-7195 | unknown | — | 2.5 | 4y ago | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. | |||
| CVE-2019-3010 | unknown | — | 2.5 | 4y ago | Oracle Solaris component: XScreenSaver contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2019-18426 | unknown | — | 2.5 | 4y ago | A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. | |||
| CVE-2019-7286 | unknown | — | 2.5 | 4y ago | Apple iOS, macOS, watchOS, and tvOS contain a memory corruption vulnerability that could allow for privilege escalation. | |||
| CVE-2019-1003030 | unknown | — | 2.5 | 4y ago | Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution. | |||
| CVE-2019-1003029 | unknown | — | 2.5 | 4y ago | Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox. | |||
| CVE-2019-3929 | unknown | — | 2.5 | 4y ago | Multiple Crestron products are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system comma… | |||
| CVE-2019-12991 | unknown | — | 2.5 | 4y ago | Authenticated Command Injection in Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance. | |||
| CVE-2019-15107 | unknown | — | 2.5 | 4y ago | An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability. | |||
| CVE-2019-10068 | unknown | — | 2.5 | 4y ago | Kentico contains a failure to validate security headers. This deserialization can led to unauthenticated remote code execution. | |||
| CVE-2019-2616 | unknown | — | 2.5 | 4y ago | Oracle BI Publisher, formerly XML Publisher, contains an unspecified vulnerability that allows for various unauthorized actions. Open-source reporting attributes this vulnerability to allowing for au… | |||
| CVE-2019-12989 | unknown | — | 2.5 | 4y ago | Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection. | |||
| CVE-2019-1132 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. | |||
| CVE-2019-1405 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when the Windows UPnP service improperly allows COM object creation. | |||
| CVE-2019-0841 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. | |||
| CVE-2019-1253 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. | |||
| CVE-2019-0543 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated conte… | |||
| CVE-2019-1322 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated conte… | |||
| CVE-2019-1652 | unknown | — | 2.5 | 4y ago | A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges… | |||
| CVE-2019-0752 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer | |||
| CVE-2019-1458 | unknown | — | 2.5 | 5y ago | A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP. | |||
| CVE-2019-2725 | unknown | — | 2.5 | 5y ago | Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). | |||
| CVE-2019-9670 | unknown | — | 2.5 | 5y ago | Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component. | |||
| CVE-2019-7609 | unknown | — | 2.5 | 5y ago | Kibana contain an arbitrary code execution flaw in the Timelion visualizer. | |||
| CVE-2019-20838 | low | — | 2.5 | 5y ago | RHSA-2021:4373: pcre security update (Low) | |||
| CVE-2019-15752 | unknown | — | 2.5 | 5y ago | Docker Desktop Community Edition contains a vulnerability that may allow local users to escalate privileges by placing a trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop… | |||
| CVE-2019-0803 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains an unspecified vulnerability due to it failing to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in k… | |||
| CVE-2019-1215 | unknown | — | 2.5 | 5y ago | Microsoft Windows contains an unspecified vulnerability due to the way ws2ifsl.sys (Winsock) handles objects in memory, allowing for privilege escalation. Successful exploitation allows an attacker t… | |||
| CVE-2019-0541 | unknown | — | 2.5 | 5y ago | Microsoft MSHTML engine contains an improper input validation vulnerability that allows for remote code execution vulnerability. | |||
| CVE-2019-1429 | unknown | — | 2.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user. | |||
| CVE-2019-0604 | unknown | — | 2.5 | 5y ago | Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote code in the context of the SharePoint applica… | |||
| CVE-2019-0808 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability due to the component failing to properly handle objects in memory. Successful exploitation allows an attacker to run code in kernel mode. | |||
| CVE-2019-0863 | unknown | — | 2.5 | 5y ago | Microsoft Windows Error Reporting (WER) contains a privilege escalation vulnerability due to the way it handles files, allowing for code execution in kernel mode. | |||
| CVE-2019-15949 | unknown | — | 2.5 | 5y ago | Nagios XI contains a remote code execution vulnerability in which a user can modify the check_plugin executable and insert malicious commands to execute as root. | |||
| CVE-2019-18935 | unknown | — | 2.5 | 5y ago | Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe proce… | |||
| CVE-2019-11539 | unknown | — | 2.5 | 5y ago | Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands. | |||
| CVE-2019-20085 | unknown | — | 2.5 | 5y ago | TVT devices utilizing NVMS-1000 software contain a directory traversal vulnerability via GET /.. requests. | |||
| CVE-2019-16759 | unknown | — | 2.5 | 5y ago | The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | |||
| CVE-2019-8394 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization. | |||
| CVE-2019-9978 | unknown | — | 2.5 | 5y ago | WordPress Social Warfare plugin contains a cross-site scripting (XSS) vulnerability that allows for remote code execution. This vulnerability affects Social Warfare and Social Warfare Pro. | |||
| CVE-2019-1653 | unknown | — | 2.5 | 5y ago | Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers contain improper access controls for URLs. Exploitation could allow an attacker to download the router configuration or detailed diag… | |||
| CVE-2019-11580 | unknown | — | 2.5 | 5y ago | Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in release builds. | |||
| CVE-2019-3396 | unknown | — | 2.5 | 5y ago | Atlassian Confluence Server and Data Center contain a server-side template injection vulnerability that may allow an attacker to achieve path traversal and remote code execution. | |||
| CVE-2019-19781 | unknown | — | 2.5 | 5y ago | Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an unspecified vulnerability that could allow an unauthenticated attacker to perform code execution. | |||
| CVE-2019-11510 | unknown | — | 2.5 | 5y ago | Ivanti Pulse Connect Secure contains an arbitrary file read vulnerability that allows an unauthenticated remote attacker with network access via HTTPS to send a specially crafted URI. | |||
| CVE-2019-0708 | unknown | — | 2.5 | 5y ago | Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the target system using RDP and send… | |||
| CVE-2019-18988 | unknown | — | 2.5 | 5y ago | TeamViewer Desktop allows for bypass of remote-login access control because the same AES key is used for different customers' installations. If an attacker were to know this key, they could decrypt p… | |||
| CVE-2019-9082 | unknown | — | 2.5 | 5y ago | ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by… | |||
| CVE-2019-2215 | unknown | — | 2.5 | 5y ago | Android Kernel contains a use-after-free vulnerability in binder.c that allows for privilege escalation from an application to the Linux Kernel. This vulnerability was observed chained with CVE-2020-… | |||
| CVE-2019-3398 | unknown | — | 2.5 | 5y ago | Atlassian Confluence Server and Data Center contain a path traversal vulnerability in the downloadallattachments resource that may allow a privileged, remote attacker to write files. Exploitation can… | |||
| CVE-2019-4716 | unknown | — | 2.5 | 5y ago | IBM Planning Analytics is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. | |||
| CVE-2019-17402 | low | — | 2.5 | 5y ago | RHSA-2021:1758: exiv2 security, bug fix, and enhancement update (Low) | |||
| CVE-2019-2708 | low | — | 2.5 | 5y ago | RHSA-2021:1675: libdb security update (Low) | |||
| CVE-2019-18276 | low | — | 2.5 | 5y ago | RHSA-2021:1679: bash security and bug fix update (Low) | |||
| CVE-2019-17450 | low | — | 2.5 | 6y ago | RHSA-2020:4465: binutils security update (Low) |