CVEs from 2019
Total
4,212
critical
critical 232
high
high 331
medium
medium 302
low
low 72
% Critical
5.5%
% with KEV
2.8%
% with exploit
2.8%
Top products
- u-boot 20
- nsauditor 1
- crypto 1
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2019-13720 | critical | — | 10.0 | 4y ago | Google Chrome WebAudio contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2019-11707 | critical | — | 10.0 | 4y ago | Mozilla Firefox and Thunderbird contain a type confusion vulnerability that can occur when manipulating JavaScript objects due to issues in Array.pop, allowing for an exploitable crash. | |
| CVE-2019-11043 | critical | — | 10.0 | 4y ago | Critical: php:7.2 security update | |
| CVE-2019-16928 | critical | — | 10.0 | 4y ago | Exim contains an out-of-bounds write vulnerability which can allow for remote code execution. | |
| CVE-2019-10149 | critical | — | 10.0 | 4y ago | Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution. | |
| CVE-2019-0211 | critical | — | 10.0 | 5y ago | Apache HTTP Server, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute c… | |
| CVE-2019-17026 | critical | — | 10.0 | 5y ago | Mozilla Firefox and Thunderbird contain a type confusion vulnerability due to incorrect alias information in the IonMonkey JIT compiler when setting array elements. | |
| CVE-2019-11708 | high | — | 9.5 | 4y ago | Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution. | |
| CVE-2019-5786 | high | — | 9.5 | 6y ago | Google Chrome Blink contains a heap use-after-free vulnerability that allows an attacker to potentially perform out of bounds memory access via a crafted HTML page. | |
| CVE-2019-8720 | medium | — | 7.0 | 4y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2019-8506 | low | — | 4.0 | 4y ago | Low: GNOME security, bug fix, and enhancement update | |
| CVE-2019-5418 | unknown | — | 2.5 | 7y ago | Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server… | |
| CVE-2019-19006 | unknown | — | 1.5 | 4mo ago | Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin. | |
| CVE-2019-9621 | unknown | — | 1.5 | 11mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component. | |
| CVE-2019-6693 | unknown | — | 1.5 | 11mo ago | Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup file via knowledge of the hard-coded key. | |
| CVE-2019-9875 | unknown | — | 1.5 | 1y ago | Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a… | |
| CVE-2019-9874 | unknown | — | 1.5 | 1y ago | Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending… | |
| CVE-2019-11001 | unknown | — | 1.5 | 2y ago | Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W IP cameras contain an authenticated OS command injection vulnerability. This vulnerability allows an authenticated admin to use the "TestEmail… | |
| CVE-2019-16278 | unknown | — | 1.5 | 2y ago | Nostromo nhttpd contains a directory traversal vulnerability in the http_verify() function in a non-chrooted nhttpd server allowing for remote code execution. | |
| CVE-2019-0344 | unknown | — | 1.5 | 2y ago | SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection. | |
| CVE-2019-7256 | unknown | — | 1.5 | 2y ago | Nice Linear eMerge E3-Series contains an OS command injection vulnerability that allows an attacker to conduct remote code execution. | |
| CVE-2019-20500 | unknown | — | 1.5 | 3y ago | D-Link DWL-2600AP access point contains an authenticated command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?act… | |
| CVE-2019-17621 | unknown | — | 1.5 | 3y ago | D-Link DIR-859 router contains a command execution vulnerability in the UPnP endpoint URL, /gena.cgi. Exploitation allows an unauthenticated remote attacker to execute system commands as root by send… | |
| CVE-2019-8526 | unknown | — | 1.5 | 3y ago | Apple macOS contains a use-after-free vulnerability that could allow for privilege escalation. | |
| CVE-2019-1388 | unknown | — | 1.5 | 3y ago | Microsoft Windows Certificate Dialog contains a privilege escalation vulnerability, allowing attackers to run processes in an elevated context. | |
| CVE-2019-8605 | unknown | — | 1.5 | 4y ago | A use-after-free vulnerability in Apple iOS, macOS, tvOS, and watchOS could allow a malicious application to execute code with system privileges. | |
| CVE-2019-7193 | unknown | — | 1.5 | 4y ago | QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system. | |
| CVE-2019-7194 | unknown | — | 1.5 | 4y ago | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. | |
| CVE-2019-5825 | unknown | — | 1.5 | 4y ago | Google Chromium V8 Engine contains an out-of-bounds write vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect m… | |
| CVE-2019-15271 | unknown | — | 1.5 | 4y ago | A deserialization of untrusted data vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an attacker to execute code with root privileges. | |
| CVE-2019-7195 | unknown | — | 1.5 | 4y ago | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. | |
| CVE-2019-7192 | unknown | — | 1.5 | 4y ago | QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. | |
| CVE-2019-3010 | unknown | — | 1.5 | 4y ago | Oracle Solaris component: XScreenSaver contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2019-7286 | unknown | — | 1.5 | 4y ago | Apple iOS, macOS, watchOS, and tvOS contain a memory corruption vulnerability that could allow for privilege escalation. | |
| CVE-2019-0703 | unknown | — | 1.5 | 4y ago | An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests, which could lead to information disclosure from the server. | |
| CVE-2019-0880 | unknown | — | 1.5 | 4y ago | A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system … | |
| CVE-2019-7287 | unknown | — | 1.5 | 4y ago | Apple iOS contains a memory corruption vulnerability which could allow an attacker to perform remote code execution. | |
| CVE-2019-1385 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files. | |
| CVE-2019-18426 | unknown | — | 1.5 | 4y ago | A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. | |
| CVE-2019-1130 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. | |
| CVE-2019-0676 | unknown | — | 1.5 | 4y ago | An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of fi… | |
| CVE-2019-1003030 | unknown | — | 1.5 | 4y ago | Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution. | |
| CVE-2019-1003029 | unknown | — | 1.5 | 4y ago | Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox. | |
| CVE-2019-3568 | unknown | — | 1.5 | 4y ago | A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. | |
| CVE-2019-3929 | unknown | — | 1.5 | 4y ago | Multiple Crestron products are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system comma… | |
| CVE-2019-16057 | unknown | — | 1.5 | 4y ago | The login_mgr.cgi script in D-Link DNS-320 is vulnerable to remote code execution. | |
| CVE-2019-7483 | unknown | — | 1.5 | 4y ago | In SonicWall SMA100, an unauthenticated Directory Traversal vulnerability in the handleWAFRedirect CGI allows the user to test for the presence of a file on the server. | |
| CVE-2019-16920 | unknown | — | 1.5 | 4y ago | Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise. | |
| CVE-2019-15107 | unknown | — | 1.5 | 4y ago | An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability. | |
| CVE-2019-12989 | unknown | — | 1.5 | 4y ago | Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection. | |
| CVE-2019-0903 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could… | |
| CVE-2019-10068 | unknown | — | 1.5 | 4y ago | Kentico contains a failure to validate security headers. This deserialization can led to unauthenticated remote code execution. | |
| CVE-2019-12991 | unknown | — | 1.5 | 4y ago | Authenticated Command Injection in Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance. | |
| CVE-2019-2616 | unknown | — | 1.5 | 4y ago | Oracle BI Publisher, formerly XML Publisher, contains an unspecified vulnerability that allows for various unauthorized actions. Open-source reporting attributes this vulnerability to allowing for au… | |
| CVE-2019-1129 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. | |
| CVE-2019-1315 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted fi… | |
| CVE-2019-0543 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated conte… | |
| CVE-2019-1405 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when the Windows UPnP service improperly allows COM object creation. | |
| CVE-2019-1132 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. | |
| CVE-2019-1064 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. | |
| CVE-2019-1069 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists in the way the Task Scheduler Service validates certain file operations. | |
| CVE-2019-0841 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. | |
| CVE-2019-1322 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated conte… | |
| CVE-2019-1253 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. | |
| CVE-2019-11581 | unknown | — | 1.5 | 4y ago | Atlassian Jira Server and Data Center contain a server-side template injection vulnerability which can allow for remote code execution. | |
| CVE-2019-1652 | unknown | — | 1.5 | 4y ago | A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges… | |
| CVE-2019-1297 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists in Microsoft Excel when the software fails to properly handle objects in memory. | |
| CVE-2019-0752 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer | |
| CVE-2019-1579 | unknown | — | 1.5 | 4y ago | Remote Code Execution in PAN-OS with GlobalProtect Portal or GlobalProtect Gateway Interface enabled. | |
| CVE-2019-1458 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP. | |
| CVE-2019-9670 | unknown | — | 1.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component. | |
| CVE-2019-2725 | unknown | — | 1.5 | 4y ago | Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). | |
| CVE-2019-7609 | unknown | — | 1.5 | 4y ago | Kibana contain an arbitrary code execution flaw in the Timelion visualizer. | |
| CVE-2019-13272 | unknown | — | 1.5 | 5y ago | Kernel/ptrace.c in Linux kernel mishandles contains an improper privilege management vulnerability that allows local users to obtain root access. | |
| CVE-2019-7238 | unknown | — | 1.5 | 5y ago | Sonatype Nexus Repository Manager before 3.15.0 has an incorrect access control vulnerability. Exploitation allows for remote code execution. | |
| CVE-2019-20085 | unknown | — | 1.5 | 5y ago | TVT devices utilizing NVMS-1000 software contain a directory traversal vulnerability via GET /.. requests. | |
| CVE-2019-18935 | unknown | — | 1.5 | 5y ago | Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe proce… | |
| CVE-2019-19356 | unknown | — | 1.5 | 5y ago | Netis WF2419 devices contains an unspecified vulnerability that allows an attacker to perform remote code execution as root through the router's web management page. | |
| CVE-2019-19781 | unknown | — | 1.5 | 5y ago | Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an unspecified vulnerability that could allow an unauthenticated attacker to perform code execution. | |
| CVE-2019-1429 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user. | |
| CVE-2019-0863 | unknown | — | 1.5 | 5y ago | Microsoft Windows Error Reporting (WER) contains a privilege escalation vulnerability due to the way it handles files, allowing for code execution in kernel mode. | |
| CVE-2019-11580 | unknown | — | 1.5 | 5y ago | Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in release builds. | |
| CVE-2019-1214 | unknown | — | 1.5 | 5y ago | Microsoft Windows Common Log File System (CLFS) driver improperly handles objects in memory which can allow for privilege escalation. | |
| CVE-2019-1215 | unknown | — | 1.5 | 5y ago | Microsoft Windows contains an unspecified vulnerability due to the way ws2ifsl.sys (Winsock) handles objects in memory, allowing for privilege escalation. Successful exploitation allows an attacker t… | |
| CVE-2019-0541 | unknown | — | 1.5 | 5y ago | Microsoft MSHTML engine contains an improper input validation vulnerability that allows for remote code execution vulnerability. | |
| CVE-2019-5591 | unknown | — | 1.5 | 5y ago | Fortinet FortiOS contains a default configuration vulnerability that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the Lightweight Direc… | |
| CVE-2019-11510 | unknown | — | 1.5 | 5y ago | Ivanti Pulse Connect Secure contains an arbitrary file read vulnerability that allows an unauthenticated remote attacker with network access via HTTPS to send a specially crafted URI. | |
| CVE-2019-0604 | unknown | — | 1.5 | 5y ago | Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote code in the context of the SharePoint applica… | |
| CVE-2019-3398 | unknown | — | 1.5 | 5y ago | Atlassian Confluence Server and Data Center contain a path traversal vulnerability in the downloadallattachments resource that may allow a privileged, remote attacker to write files. Exploitation can… | |
| CVE-2019-9082 | unknown | — | 1.5 | 5y ago | ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by… | |
| CVE-2019-1653 | unknown | — | 1.5 | 5y ago | Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers contain improper access controls for URLs. Exploitation could allow an attacker to download the router configuration or detailed diag… | |
| CVE-2019-1367 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability in how the scripting engine handles objects in memory. Successful exploitation allows for remote code execution in the context o… | |
| CVE-2019-8394 | unknown | — | 1.5 | 5y ago | Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization. | |
| CVE-2019-18988 | unknown | — | 1.5 | 5y ago | TeamViewer Desktop allows for bypass of remote-login access control because the same AES key is used for different customers' installations. If an attacker were to know this key, they could decrypt p… | |
| CVE-2019-6223 | unknown | — | 1.5 | 5y ago | Apple iOS and macOS Group FaceTime contains an unspecified vulnerability where the call initiator can cause the recipient's Apple device to answer unknowingly or without user interaction. | |
| CVE-2019-0797 | unknown | — | 1.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an attacker to execute code in kern… | |
| CVE-2019-15949 | unknown | — | 1.5 | 5y ago | Nagios XI contains a remote code execution vulnerability in which a user can modify the check_plugin executable and insert malicious commands to execute as root. | |
| CVE-2019-18187 | unknown | — | 1.5 | 5y ago | Trend Micro OfficeScan contains a directory traversal vulnerability by extracting files from a zip file to a specific folder on the OfficeScan server, leading to remote code execution. | |
| CVE-2019-0803 | unknown | — | 1.5 | 5y ago | Microsoft Win32k contains an unspecified vulnerability due to it failing to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in k… | |
| CVE-2019-0808 | unknown | — | 1.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability due to the component failing to properly handle objects in memory. Successful exploitation allows an attacker to run code in kernel mode. |