CVEs from 2019
Total
3,163
critical
critical 238
high
high 485
medium
medium 485
low
low 94
% Critical
7.5%
% with KEV
3.7%
% with exploit
8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-1315 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted fi… | |||
| CVE-2019-1064 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. | |||
| CVE-2019-1129 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. | |||
| CVE-2019-1069 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists in the way the Task Scheduler Service validates certain file operations. | |||
| CVE-2019-11581 | unknown | — | 1.5 | 4y ago | Atlassian Jira Server and Data Center contain a server-side template injection vulnerability which can allow for remote code execution. | |||
| CVE-2019-1297 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists in Microsoft Excel when the software fails to properly handle objects in memory. | |||
| CVE-2019-1579 | unknown | — | 1.5 | 5y ago | Remote Code Execution in PAN-OS with GlobalProtect Portal or GlobalProtect Gateway Interface enabled. | |||
| CVE-2019-7238 | unknown | — | 1.5 | 5y ago | Sonatype Nexus Repository Manager before 3.15.0 has an incorrect access control vulnerability. Exploitation allows for remote code execution. | |||
| CVE-2019-11634 | unknown | — | 1.5 | 5y ago | Citrix Workspace Application and Receiver for Windows contains remote code execution vulnerability resulting from local drive access preferences not being enforced into the clients' local drives. | |||
| CVE-2019-5591 | unknown | — | 1.5 | 5y ago | Fortinet FortiOS contains a default configuration vulnerability that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the Lightweight Direc… | |||
| CVE-2019-13608 | unknown | — | 1.5 | 5y ago | Citrix StoreFront Server contains an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information. | |||
| CVE-2019-0797 | unknown | — | 1.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an attacker to execute code in kern… | |||
| CVE-2019-6223 | unknown | — | 1.5 | 5y ago | Apple iOS and macOS Group FaceTime contains an unspecified vulnerability where the call initiator can cause the recipient's Apple device to answer unknowingly or without user interaction. | |||
| CVE-2019-1367 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability in how the scripting engine handles objects in memory. Successful exploitation allows for remote code execution in the context o… | |||
| CVE-2019-1214 | unknown | — | 1.5 | 5y ago | Microsoft Windows Common Log File System (CLFS) driver improperly handles objects in memory which can allow for privilege escalation. | |||
| CVE-2019-0859 | unknown | — | 1.5 | 5y ago | Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel mode. | |||
| CVE-2019-18187 | unknown | — | 1.5 | 5y ago | Trend Micro OfficeScan contains a directory traversal vulnerability by extracting files from a zip file to a specific folder on the OfficeScan server, leading to remote code execution. | |||
| CVE-2019-19356 | unknown | — | 1.5 | 5y ago | Netis WF2419 devices contains an unspecified vulnerability that allows an attacker to perform remote code execution as root through the router's web management page. | |||
| CVE-2019-5544 | unknown | — | 1.5 | 5y ago | VMware ESXi and Horizon Desktop as a Service (DaaS) OpenSLP contains a heap-based buffer overflow vulnerability that allows an attacker with network access to port 427 to overwrite the heap of the Op… | |||
| CVE-2019-16256 | unknown | — | 1.5 | 5y ago | SIMalliance Toolbox Browser contains an command injection vulnerability that could allow remote attackers to retrieve location and IMEI information or execute a range of other attacks by modifying th… | |||
| CVE-2019-7481 | unknown | — | 1.5 | 5y ago | SonicWall SMA100 contains a SQL injection vulnerability allowing an unauthenticated user to gain read-only access to unauthorized resources. | |||
| CVE-2019-10758 | unknown | — | 1.5 | 7y ago | mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. | |||
| CVE-2019-0193 | unknown | — | 1.5 | 7y ago | The optional Apache Solr module DataImportHandler contains a code injection vulnerability. | |||
| CVE-2019-9162 | unknown | — | 1.0 | — | In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and w… | |||
| CVE-2019-8375 | unknown | — | 1.0 | — | The UIProcess subsystem in WebKit, as used in WebKitGTK through 2.23.90 and WebKitGTK+ through 2.22.6 and other products, does not prevent the script dialog size from exceeding the web view size, whi… | |||
| CVE-2019-2025 | unknown | — | 1.0 | — | In binder_thread_read of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges n… | |||
| CVE-2019-6215 | unknown | — | 1.0 | — | A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing malic… | |||
| CVE-2019-12928 | unknown | — | 1.0 | — | The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosu… | |||
| CVE-2019-19241 | unknown | — | 1.0 | — | In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and n… | |||
| CVE-2019-15791 | unknown | — | 1.0 | — | In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem wit… | |||
| CVE-2019-7304 | unknown | — | 1.0 | — | Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37… | |||
| CVE-2019-6110 | unknown | — | 1.0 | — | In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI c… | |||
| CVE-2019-1999 | unknown | — | 1.0 | — | In binder_alloc_free_page of binder_alloc.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privi… | |||
| CVE-2019-7303 | unknown | — | 1.0 | — | A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to ma… | |||
| CVE-2019-15792 | unknown | — | 1.0 | — | In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks passes the resu… | |||
| CVE-2019-15793 | unknown | — | 1.0 | — | In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the l… | |||
| CVE-2019-10475 | unknown | — | 1.0 | 4y ago | Jenkins build-metrics Plugin reflected cross-site scripting vulnerability | |||
| CVE-2019-11932 | unknown | — | 1.0 | 4y ago | android-gif-drawable Double Free vulnerability | |||
| CVE-2019-10349 | unknown | — | 1.0 | 4y ago | Jenkins Dependency Graph Viewer Plugin contains Cross-site Scripting | |||
| CVE-2019-6588 | unknown | — | 1.0 | 4y ago | Liferay Portal Allows Cross-Site Scripting (XSS) via the SimpleCaptcha API | |||
| CVE-2019-0186 | unknown | — | 1.0 | 4y ago | Cross-site Scripting in Apache Pluto Chatroom demo | |||
| CVE-2019-1003001 | unknown | — | 1.0 | 4y ago | Jenkins Groovy Plugin sandbox bypass vulnerability | |||
| CVE-2019-1003002 | unknown | — | 1.0 | 4y ago | Jenkins Pipeline Declarative Plugin sandbox bypass vulnerability | |||
| CVE-2019-1003000 | unknown | — | 1.0 | 4y ago | Protection Mechanism Failure in Jenkins Script Security Plugin | |||
| CVE-2019-6804 | unknown | — | 1.0 | 4y ago | Rundeck Community Edition vulnerable to Cross-site Scripting | |||
| CVE-2019-1003005 | unknown | — | 1.0 | 4y ago | Sandbox Bypass in Script Security Plugin | |||
| CVE-2019-0230 | unknown | — | 1.0 | 5y ago | Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts | |||
| CVE-2019-17554 | unknown | — | 1.0 | 6y ago | Improper Restriction of XML External Entity Reference in Apache Olingo | |||
| CVE-2019-13236 | unknown | — | 1.0 | 7y ago | XSS issues in the management interface | |||
| CVE-2019-13235 | unknown | — | 1.0 | 7y ago | XSS in login form | |||
| CVE-2019-13237 | unknown | — | 1.0 | 7y ago | Local file inclusion allows unauthorized access to internal resources in Alkacon OpenCms | |||
| CVE-2019-13234 | unknown | — | 1.0 | 7y ago | XSS in search engine | |||
| CVE-2019-11269 | unknown | — | 1.0 | 7y ago | Open Redirect in Spring Security OAuth | |||
| CVE-2019-0221 | unknown | — | 1.0 | 7y ago | The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by… | |||
| CVE-2019-3799 | unknown | — | 1.0 | 7y ago | Path Traversal in Spring Cloud Config | |||
| CVE-2019-0227 | unknown | — | 1.0 | 7y ago | Server Side Request Forgery in Apache Axis | |||
| CVE-2019-0232 | unknown | — | 1.0 | 7y ago | When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a b… | |||
| CVE-2019-3778 | unknown | — | 1.0 | 7y ago | spring-security-oauth and spring-security-oauth2 Open Redirect vulnerability | |||
| CVE-2019-5812 | unknown | — | — | — | Inadequate security UI in iOS UI in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2019-5443 | unknown | — | — | — | A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") … | |||
| CVE-2019-13661 | unknown | — | — | — | UI spoofing in Chromium in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof notifications via a crafted HTML page. | |||
| CVE-2019-13662 | unknown | — | — | — | Insufficient policy enforcement in navigations in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-13664 | unknown | — | — | — | Insufficient policy enforcement in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-13665 | unknown | — | — | — | Insufficient filtering in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass multiple file download protection via a crafted HTML page. | |||
| CVE-2019-13670 | unknown | — | — | — | Insufficient data validation in JavaScript in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13669 | unknown | — | — | — | Incorrect data validation in navigation in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-13668 | unknown | — | — | — | Insufficient policy enforcement in developer tools in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-13671 | unknown | — | — | — | UI spoofing in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||
| CVE-2019-12436 | unknown | — | — | — | Samba 4.10.x before 4.10.5 has a NULL pointer dereference, leading to an AD DC LDAP server Denial of Service. This is related to an attacker using the paged search control. The attacker must have dir… | |||
| CVE-2019-13675 | unknown | — | — | — | Insufficient data validation in extensions in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to disable extensions via a crafted HTML page. | |||
| CVE-2019-13681 | unknown | — | — | — | Insufficient data validation in downloads in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass download restrictions via a crafted HTML page. | |||
| CVE-2019-16708 | unknown | — | — | — | ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage. | |||
| CVE-2019-13680 | unknown | — | — | — | Inappropriate implementation in TLS in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof client IP address to websites via crafted TLS connections. | |||
| CVE-2019-14902 | unknown | — | — | — | There is an issue in all samba 4.11.x versions before 4.11.5, all samba 4.10.x versions before 4.10.12 and all samba 4.9.x versions before 4.9.18, where the removal of the right to create or modify a… | |||
| CVE-2019-3824 | unknown | — | — | — | A flaw was found in the way an LDAP search expression could crash the shared LDAP server process of a samba AD DC in samba before version 4.10. An authenticated user, having read permissions on the L… | |||
| CVE-2019-3870 | unknown | — | — | — | A vulnerability was found in Samba from version (including) 4.9 to versions before 4.9.6 and 4.10.2. During the creation of a new Samba AD DC, files are created in a private subdirectory of the insta… | |||
| CVE-2019-13682 | unknown | — | — | — | Insufficient policy enforcement in external protocol handling in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||
| CVE-2019-13683 | unknown | — | — | — | Insufficient policy enforcement in developer tools in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-13684 | unknown | — | — | — | Inappropriate implementation in JavaScript in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-13685 | unknown | — | — | — | Use after free in sharing view in Google Chrome prior to 77.0.3865.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13686 | unknown | — | — | — | Use after free in offline mode in Google Chrome prior to 77.0.3865.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13698 | unknown | — | — | — | Out of bounds memory access in JavaScript in Google Chrome prior to 73.0.3683.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13723 | unknown | — | — | — | Use after free in WebBluetooth in Google Chrome prior to 78.0.3904.108 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML pag… | |||
| CVE-2019-13768 | unknown | — | — | — | Use after free in FileAPI in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chrome security severity: High) | |||
| CVE-2019-5816 | unknown | — | — | — | Process lifetime issue in Chrome in Google Chrome on Android prior to 74.0.3729.108 allowed a remote attacker to potentially persist an exploited process via a crafted HTML page. | |||
| CVE-2019-5804 | unknown | — | — | — | Incorrect command line processing in Chrome in Google Chrome prior to 73.0.3683.75 allowed a local attacker to perform domain spoofing via a crafted domain name. | |||
| CVE-2019-13309 | unknown | — | — | — | ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. | |||
| CVE-2019-20840 | unknown | — | — | — | An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws_decode.c can lead to a crash because of unaligned accesses in hybiReadAndDecode. | |||
| CVE-2019-13503 | unknown | — | — | — | mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer over-read. | |||
| CVE-2019-12951 | unknown | — | — | — | An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow. | |||
| CVE-2019-20367 | unknown | — | — | — | nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab). | |||
| CVE-2019-19307 | unknown | — | — | — | An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infinite loop), or possibly cause an out-of-bounds write, by sending a crafted MQTT … | |||
| CVE-2019-13640 | unknown | — | — | — | In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current t… | |||
| CVE-2019-3462 | unknown | — | — | — | Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code executio… | |||
| CVE-2019-5020 | unknown | — | — | — | An exploitable denial of service vulnerability exists in the object lookup functionality of Yara 3.8.1. A specially crafted binary file can cause a negative value to be read to satisfy an assert, res… | |||
| CVE-2019-19648 | unknown | — | — | — | In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, re… | |||
| CVE-2019-5068 | unknown | — | — | — | An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library 19.1.2. An attacker can access the shared memory without any specific permissions to… | |||
| CVE-2019-5843 | unknown | — | — | — | Out of bounds memory access in JavaScript in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5844 | unknown | — | — | — | Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5845 | unknown | — | — | — | Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |