CVEs from 2019
Total
3,157
critical
critical 227
high
high 474
medium
medium 476
low
low 94
% Critical
7.2%
% with KEV
3.7%
% with exploit
8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-11708 | high | — | 10.0 | 4y ago | Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution. | |||
| CVE-2019-13272 | high | — | 10.0 | 5y ago | Kernel/ptrace.c in Linux kernel mishandles contains an improper privilege management vulnerability that allows local users to obtain root access. | |||
| CVE-2019-0211 | high | — | 10.0 | 5y ago | In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scrip… | |||
| CVE-2019-5786 | high | — | 10.0 | 6y ago | Google Chrome Blink contains a heap use-after-free vulnerability that allows an attacker to potentially perform out of bounds memory access via a crafted HTML page. | |||
| CVE-2019-5789 | high | — | 9.0 | — | An integer overflow that leads to a use-after-free in WebMIDI in Google Chrome on Windows prior to 73.0.3683.75 allowed a remote attacker who had compromised the renderer process to execute arbitrary… | |||
| CVE-2019-5797 | high | — | 9.0 | — | Double free in DOMStorage in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5796 | high | — | 9.0 | — | Data race in extensions guest view in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-8943 | high | — | 9.0 | — | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two … | |||
| CVE-2019-5788 | high | — | 9.0 | — | An integer overflow that leads to a use-after-free in Blink Storage in Google Chrome on Linux prior to 73.0.3683.75 allowed a remote attacker who had compromised the renderer process to execute arbit… | |||
| CVE-2019-18634 | high | — | 9.0 | 6y ago | In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and ele… | |||
| CVE-2019-19844 | high | — | 9.0 | 7y ago | Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of… | |||
| CVE-2019-14378 | high | — | 9.0 | 7y ago | ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. | |||
| CVE-2019-14287 | high | — | 9.0 | 7y ago | In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a cra… | |||
| CVE-2019-11599 | high | — | 9.0 | 7y ago | The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sen… | |||
| CVE-2019-1125 | high | — | 9.0 | 7y ago | An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged … | |||
| CVE-2019-11703 | high | — | 9.0 | 7y ago | multiple issues in thunderbird | |||
| CVE-2019-11706 | high | — | 9.0 | 7y ago | multiple issues in thunderbird | |||
| CVE-2019-12735 | high | — | 9.0 | 7y ago | RHSA-2019:1619: vim security update (Important) | |||
| CVE-2019-11705 | high | — | 9.0 | 7y ago | multiple issues in thunderbird | |||
| CVE-2019-11704 | high | — | 9.0 | 7y ago | multiple issues in thunderbird | |||
| CVE-2019-9213 | high | — | 9.0 | 7y ago | In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SM… | |||
| CVE-2019-5736 | high | — | 9.0 | 7y ago | RHSA-2019:0975: container-tools:rhel8 security and bug fix update (Important) | |||
| CVE-2019-6116 | high | — | 9.0 | 7y ago | RHSA-2019:0971: ghostscript security update (Important) | |||
| CVE-2019-13721 | high | 8.8 | 8.8 | 7y ago | Use after free in PDFium in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-25719 | high | 8.6 | 8.6 | 2d ago | Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower contain network message handling vulnerabilities that allow netwo… | |||
| CVE-2019-25718 | high | 8.4 | 8.4 | 2d ago | Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode and access the underlying operating system through a specific dialog inter… | |||
| CVE-2019-25650 | high | 8.4 | 8.4 | 2mo ago | River Past CamDo 3.7.6 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the Lame_en… | |||
| CVE-2019-25651 | high | 8.3 | 8.3 | 2mo ago | Ubiquiti UniFi Network Controller prior to 5.10.12 (excluding 5.6.42), UAP FW prior to 4.0.6, UAP-AC, UAP-AC v2, and UAP-AC Outdoor FW prior to 3.8.17, USW FW prior to 4.0.6, USG FW prior to 4.4.34 u… | |||
| CVE-2019-25642 | high | 8.2 | 8.2 | 2mo ago | Bootstrapy CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters. Attackers can… | |||
| CVE-2019-25640 | high | 8.2 | 8.2 | 2mo ago | Inout Article Base CMS contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the 'p' and 'u' parameters. Attackers can inject SQL code usi… | |||
| CVE-2019-6820 | high | 8.2 | 8.2 | 7y ago | A CWE-306: Missing Authentication for Critical Function vulnerability exists which could cause a modification of device IP configuration (IP address, network mask and gateway IP address) when a speci… | |||
| CVE-2019-13533 | high | 8.1 | 8.1 | 7y ago | In Omron PLC CJ series, all versions, and Omron PLC CS series, all versions, an attacker could monitor traffic between the PLC and the controller and replay requests that could result in the opening … | |||
| CVE-2019-13703 | high | — | 8.0 | — | Insufficient policy enforcement in the Omnibox in Google Chrome on Android prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-14318 | high | — | 8.0 | — | Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing opera… | |||
| CVE-2019-5793 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to initiate the extensions installation user interface via a crafted HTML page. | |||
| CVE-2019-5865 | high | — | 8.0 | — | Insufficient policy enforcement in navigations in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML pa… | |||
| CVE-2019-7524 | high | — | 8.0 | — | In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing c… | |||
| CVE-2019-13709 | high | — | 8.0 | — | Insufficient policy enforcement in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page. | |||
| CVE-2019-6472 | high | — | 8.0 | — | A packet containing a malformed DUID can cause the Kea DHCPv6 server process (kea-dhcp6) to exit due to an assertion failure. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0-beta2. | |||
| CVE-2019-13700 | high | — | 8.0 | — | Out of bounds memory access in the gamepad API in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a c… | |||
| CVE-2019-13693 | high | — | 8.0 | — | Use after free in IndexedDB in Google Chrome prior to 77.0.3865.120 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. | |||
| CVE-2019-13697 | high | — | 8.0 | — | Insufficient policy enforcement in performance APIs in Google Chrome prior to 77.0.3865.120 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-5803 | high | — | 8.0 | — | Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-5795 | high | — | 8.0 | — | Integer overflow in PDFium in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially perform out of bounds memory access via a crafted PDF file. | |||
| CVE-2019-6473 | high | — | 8.0 | — | An invalid hostname option can trigger an assertion failure in the Kea DHCPv4 server process (kea-dhcp4), causing the server process to exit. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0… | |||
| CVE-2019-3871 | high | — | 8.0 | — | A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from the user when building a HTTP request from a DNS query in the … | |||
| CVE-2019-13699 | high | — | 8.0 | — | Use after free in media in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5794 | high | — | 8.0 | — | Incorrect handling of cancelled requests in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2019-8337 | high | — | 8.0 | — | In msmtp 1.8.2 and mpop 1.4.3, when tls_trust_file has its default configuration, certificate-verification results are not properly checked. | |||
| CVE-2019-5862 | high | — | 8.0 | — | Insufficient data validation in AppCache in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | |||
| CVE-2019-5802 | high | — | 8.0 | — | Incorrect handling of download origins in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2019-5800 | high | — | 8.0 | — | Insufficient policy enforcement in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-5867 | high | — | 8.0 | — | Out of bounds read in JavaScript in Google Chrome prior to 76.0.3809.100 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5854 | high | — | 8.0 | — | Integer overflow in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-1354 | high | — | 8.0 | — | A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-201… | |||
| CVE-2019-6133 | high | — | 8.0 | — | In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to la… | |||
| CVE-2019-0190 | high | — | 8.0 | — | A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This b… | |||
| CVE-2019-1350 | high | — | 8.0 | — | A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-201… | |||
| CVE-2019-13695 | high | — | 8.0 | — | Use after free in audio in Google Chrome on Android prior to 77.0.3865.120 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5861 | high | — | 8.0 | — | Insufficient data validation in Blink in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to bypass anti-clickjacking policy via a crafted HTML page. | |||
| CVE-2019-6474 | high | — | 8.0 | — | A missing check on incoming client requests can be exploited to cause a situation where the Kea server's lease storage contains leases which are rejected as invalid when the server tries to load leas… | |||
| CVE-2019-5787 | high | — | 8.0 | — | Use-after-garbage-collection in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13719 | high | — | 8.0 | — | Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | |||
| CVE-2019-13701 | high | — | 8.0 | — | Incorrect implementation in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-5858 | high | — | 8.0 | — | Incorrect security UI in MacOS services integration in Google Chrome on OS X prior to 76.0.3809.87 allowed a local attacker to execute arbitrary code via a crafted HTML page. | |||
| CVE-2019-5853 | high | — | 8.0 | — | Inappropriate implementation in JavaScript in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5855 | high | — | 8.0 | — | Integer overflow in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-13694 | high | — | 8.0 | — | Use after free in WebRTC in Google Chrome prior to 77.0.3865.120 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-12881 | high | — | 8.0 | — | i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) o… | |||
| CVE-2019-5857 | high | — | 8.0 | — | Inappropriate implementation in JavaScript in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. | |||
| CVE-2019-11741 | high | — | 8.0 | — | A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org a… | |||
| CVE-2019-5849 | high | — | 8.0 | — | Out of bounds read in Skia in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2019-13715 | high | — | 8.0 | — | Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||
| CVE-2019-5848 | high | — | 8.0 | — | Incorrect font handling in autofill in Google Chrome prior to 75.0.3770.142 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2019-13717 | high | — | 8.0 | — | Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | |||
| CVE-2019-13707 | high | — | 8.0 | — | Insufficient validation of untrusted input in intents in Google Chrome on Android prior to 78.0.3904.70 allowed a local attacker to leak files via a crafted application. | |||
| CVE-2019-9848 | high | — | 8.0 | — | LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLo… | |||
| CVE-2019-13716 | high | — | 8.0 | — | Insufficient policy enforcement in service workers in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2019-5856 | high | — | 8.0 | — | Insufficient policy enforcement in storage in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | |||
| CVE-2019-25016 | high | — | 8.0 | — | In OpenDoas from 6.6 to 6.8 the users PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed t… | |||
| CVE-2019-13711 | high | — | 8.0 | — | Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-5868 | high | — | 8.0 | — | Use after free in PDFium in Google Chrome prior to 76.0.3809.100 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-13708 | high | — | 8.0 | — | Inappropriate implementation in navigation in Google Chrome on iOS prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-9686 | high | — | 8.0 | — | arbitrary code execution in pacman | |||
| CVE-2019-16866 | high | — | 8.0 | — | Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIFY query. The source IP address of the query must match an access-control rule. | |||
| CVE-2019-1353 | high | — | 8.0 | — | An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known… | |||
| CVE-2019-6956 | high | — | 8.0 | — | An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. It is a buffer over-read in ps_mix_phase in libfaad/ps_dec.c. | |||
| CVE-2019-19977 | high | — | 8.0 | — | libESMTP through 1.0.6 mishandles domain copying into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as demonstrated by a stack-based buffer over-read. | |||
| CVE-2019-0053 | high | — | 8.0 | — | Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS… | |||
| CVE-2019-13705 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 78.0.3904.70 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted … | |||
| CVE-2019-5799 | high | — | 8.0 | — | Incorrect inheritance of a new document's policy in Content Security Policy in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-5859 | high | — | 8.0 | — | Insufficient filtering in URI schemes in Google Chrome on Windows prior to 76.0.3809.87 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2019-5852 | high | — | 8.0 | — | Inappropriate implementation in JavaScript in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2019-5860 | high | — | 8.0 | — | Use after free in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-19882 | high | — | 8.0 | — | shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affe… | |||
| CVE-2019-11461 | high | — | 8.0 | — | An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI … | |||
| CVE-2019-5850 | high | — | 8.0 | — | Use after free in offline mode in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML pag… | |||
| CVE-2019-5790 | high | — | 8.0 | — | An integer overflow leading to an incorrect capacity of a buffer in JavaScript in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafte… | |||
| CVE-2019-18222 | high | — | 8.0 | — | The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 does not reduce the blinded scalar before computing the inverse, which allows a local attacker to reco… | |||
| CVE-2019-11683 | high | — | 8.0 | — | udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x before 5.0.13 allows remote attackers to cause a denial of service (slab-out-of-bounds memory corruption) or possibly have un… |