CVEs from 2019
Total
4,015
critical
critical 232
high
high 332
medium
medium 301
low
low 72
% Critical
5.8%
% with KEV
2.9%
% with exploit
3.0%
Top products
- u-boot 20
- nsauditor 1
- crypto 1
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2019-13759 | critical | — | 9.5 | — | Incorrect security UI in interstitials in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |
| CVE-2019-9795 | critical | — | 9.5 | — | A vulnerability where type-confusion in the IonMonkey just-in-time (JIT) compiler could potentially be used by malicious JavaScript to trigger a potentially exploitable crash. This vulnerability affe… | |
| CVE-2019-13757 | critical | — | 9.5 | — | Incorrect security UI in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |
| CVE-2019-11709 | critical | — | 9.5 | — | Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enoug… | |
| CVE-2019-11727 | critical | — | 9.5 | — | A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in Certificat… | |
| CVE-2019-9956 | critical | — | 9.5 | — | In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted i… | |
| CVE-2019-11724 | critical | — | 9.5 | — | Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnece… | |
| CVE-2019-17000 | critical | — | 9.5 | — | An object tag with a data URI did not correctly inherit the document's Content Security Policy. This allowed a CSP bypass in a cross-origin frame if the document's policy explicitly allowed data: URI… | |
| CVE-2019-5808 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-13745 | critical | — | 9.5 | — | Insufficient policy enforcement in audio in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |
| CVE-2019-13763 | critical | — | 9.5 | — | Insufficient policy enforcement in payments in Google Chrome prior to 79.0.3945.79 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. | |
| CVE-2019-7221 | critical | — | 9.5 | — | The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. | |
| CVE-2019-13767 | critical | — | 9.5 | — | Use after free in media picker in Google Chrome prior to 79.0.3945.88 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2019-13755 | critical | — | 9.5 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to disable extensions via a crafted HTML page. | |
| CVE-2019-13742 | critical | — | 9.5 | — | Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. | |
| CVE-2019-9813 | critical | — | 9.5 | — | Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firef… | |
| CVE-2019-13729 | critical | — | 9.5 | — | Use-after-free in WebSockets in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2019-9802 | critical | — | 9.5 | — | If a Sandbox content process is compromised, it can initiate an FTP download which will then use a child process to render the downloaded data. The downloaded data can then be passed to the Chrome pr… | |
| CVE-2019-13725 | critical | — | 9.5 | — | Use-after-free in Bluetooth in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | |
| CVE-2019-5756 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-11714 | critical | — | 9.5 | — | Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances. This vulnerability affects Firefox < 68. | |
| CVE-2019-17008 | critical | — | 9.5 | — | When using nested workers, a use-after-free could occur during worker destruction. This resulted in a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3,… | |
| CVE-2019-13739 | critical | — | 9.5 | — | Insufficient policy enforcement in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |
| CVE-2019-11763 | critical | — | 9.5 | — | Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could… | |
| CVE-2019-13735 | critical | — | 9.5 | — | Out of bounds write in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | |
| CVE-2019-0220 | critical | — | 9.5 | — | multiple issues in apache | |
| CVE-2019-9814 | critical | — | 9.5 | — | Mozilla developers and community members reported memory safety bugs present in Firefox 66. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of… | |
| CVE-2019-13762 | critical | — | 9.5 | — | Insufficient policy enforcement in downloads in Google Chrome on Windows prior to 79.0.3945.79 allowed a local attacker to spoof downloaded files via local code. | |
| CVE-2019-9799 | critical | — | 9.5 | — | Insufficient bounds checking of data during inter-process communication might allow a compromised content process to be able to read memory from the parent process under certain conditions. This vuln… | |
| CVE-2019-11761 | critical | — | 9.5 | — | By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it … | |
| CVE-2019-13758 | critical | — | 9.5 | — | Insufficient policy enforcement in navigation in Google Chrome on Android prior to 79.0.3945.79 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |
| CVE-2019-13726 | critical | — | 9.5 | — | Buffer overflow in password manager in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | |
| CVE-2019-11698 | critical | — | 9.5 | — | If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's b… | |
| CVE-2019-17022 | critical | — | 9.5 | — | When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text … | |
| CVE-2019-9793 | critical | — | 9.5 | — | A mechanism was discovered that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have been disabled. This vulnerability could allow an attacker to create… | |
| CVE-2019-7733 | critical | — | 9.5 | — | multiple issues in live-media | |
| CVE-2019-5762 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-13753 | critical | — | 9.5 | — | Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |
| CVE-2019-13730 | critical | — | 9.5 | — | Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2019-17012 | critical | — | 9.5 | — | Mozilla developers reported memory safety bugs present in Firefox 70 and Firefox ESR 68.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these… | |
| CVE-2019-13744 | critical | — | 9.5 | — | Insufficient policy enforcement in cookies in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |
| CVE-2019-11729 | critical | — | 9.5 | — | Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8… | |
| CVE-2019-13752 | critical | — | 9.5 | — | Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |
| CVE-2019-11715 | critical | — | 9.5 | — | Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability aff… | |
| CVE-2019-0215 | critical | — | 9.5 | — | multiple issues in apache | |
| CVE-2019-11697 | critical | — | 9.5 | — | If the ALT and "a" keys are pressed when users receive an extension installation prompt, the extension will be installed without the install prompt delay that keeps the prompt visible in order for us… | |
| CVE-2019-11716 | critical | — | 9.5 | — | Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depen… | |
| CVE-2019-5439 | critical | — | 9.5 | — | arbitrary code execution in vlc | |
| CVE-2019-11721 | critical | — | 9.5 | — | The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confus… | |
| CVE-2019-13764 | critical | — | 9.5 | — | Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2019-13747 | critical | — | 9.5 | — | Uninitialized data in rendering in Google Chrome on Android prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2019-13743 | critical | — | 9.5 | — | Incorrect security UI in external protocol handling in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to spoof security UI via a crafted HTML page. | |
| CVE-2019-13749 | critical | — | 9.5 | — | Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |
| CVE-2019-9800 | critical | — | 9.5 | — | Mozilla developers and community members reported memory safety bugs present in Firefox 66, Firefox ESR 60.6, and Thunderbird 60.6. Some of these bugs showed evidence of memory corruption and we pres… | |
| CVE-2019-13746 | critical | — | 9.5 | — | Insufficient policy enforcement in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |
| CVE-2019-11725 | critical | — | 9.5 | — | When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but resources from the same site loaded through websockets are not… | |
| CVE-2019-11723 | critical | — | 9.5 | — | A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. This could leak cookies in private browsing mode or across dif… | |
| CVE-2019-11712 | critical | — | 9.5 | — | POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) a… | |
| CVE-2019-5769 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-17016 | critical | — | 9.5 | — | When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites re… | |
| CVE-2019-11762 | critical | — | 9.5 | — | If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulner… | |
| CVE-2019-13732 | critical | — | 9.5 | — | Use-after-free in WebAudio in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2019-13728 | critical | — | 9.5 | — | Out of bounds write in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2019-9808 | critical | — | 9.5 | — | If WebRTC permission is requested from documents with data: or blob: URLs, the permission notifications do not properly display the originating domain. The notification states "Unknown origin" as the… | |
| CVE-2019-13740 | critical | — | 9.5 | — | Incorrect security UI in sharing in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |
| CVE-2019-11730 | critical | — | 9.5 | — | A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. … | |
| CVE-2019-13741 | critical | — | 9.5 | — | Insufficient validation of untrusted input in Blink in Google Chrome prior to 79.0.3945.79 allowed a local attacker to bypass same origin policy via crafted clipboard content. | |
| CVE-2019-13737 | critical | — | 9.5 | — | Insufficient policy enforcement in autocomplete in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML pag… | |
| CVE-2019-13734 | critical | — | 9.5 | — | Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2019-12874 | critical | — | 9.5 | — | arbitrary code execution in vlc | |
| CVE-2019-5772 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-5811 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-11711 | critical | — | 9.5 | — | When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page… | |
| CVE-2019-7222 | critical | — | 9.5 | — | The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. | |
| CVE-2019-5831 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-5829 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-11760 | critical | — | 9.5 | — | A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a potentially exploitable crash in some instances. This vulnerability affects Firefox < 70, Thunderb… | |
| CVE-2019-9805 | critical | — | 9.5 | — | A latent vulnerability exists in the Prio library where data may be read from uninitialized memory for some functions, leading to potential memory corruption. This vulnerability affects Firefox < 66. | |
| CVE-2019-11728 | critical | — | 9.5 | — | The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible to a user when web content is loaded. This vulnerability affects F… | |
| CVE-2019-11765 | critical | — | 9.5 | — | A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process… | |
| CVE-2019-17024 | critical | — | 9.5 | — | Mozilla developers reported memory safety bugs present in Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these… | |
| CVE-2019-11757 | critical | — | 9.5 | — | When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it. This resulted in a use-after-free and a potentially exploitabl… | |
| CVE-2019-5830 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-5822 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-11759 | critical | — | 9.5 | — | An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an attacker to execute arbitrary code or more likely lead to a c… | |
| CVE-2019-18511 | critical | — | 9.5 | — | multiple issues in thunderbird | |
| CVE-2019-17014 | critical | — | 9.5 | — | If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and dropped cross-domain, resulting in a cross-origin information leak. This vulnerability affects… | |
| CVE-2019-3855 | critical | — | 9.5 | — | An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server … | |
| CVE-2019-5781 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-11717 | critical | — | 9.5 | — | A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vuln… | |
| CVE-2019-15846 | critical | — | 9.5 | — | Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash. | |
| CVE-2019-3829 | critical | — | 9.5 | — | A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifi… | |
| CVE-2019-17017 | critical | — | 9.5 | — | Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. Thi… | |
| CVE-2019-13738 | critical | — | 9.5 | — | Insufficient policy enforcement in navigation in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass site isolation via a crafted HTML page. | |
| CVE-2019-9816 | critical | — | 9.5 | — | A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vu… | |
| CVE-2019-8942 | critical | — | 9.5 | — | WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php su… | |
| CVE-2019-13756 | critical | — | 9.5 | — | Incorrect security UI in printing in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |
| CVE-2019-5823 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2019-13754 | critical | — | 9.5 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |
| CVE-2019-5819 | critical | — | 9.5 | — | multiple issues in chromium |