CVEs from 2019
Total
3,286
critical
critical 204
high
high 479
medium
medium 471
low
low 94
% Critical
6.2%
% with KEV
3.6%
% with exploit
7.7%
Top products
- u-boot 20
- active_iq_unified_manager 7
- jdk 5
- weblogic_server 5
- oncommand_workflow_automation 5
- oncommand_insight 4
- codeready_linux_builder_eus 4
- libxslt 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-10746 | medium | — | 5.5 | 7y ago | RHSA-2021:0549: nodejs:12 security update (Moderate) | |||
| CVE-2019-14234 | medium | — | 5.5 | 7y ago | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.… | |||
| CVE-2019-2805 | medium | — | 5.5 | 7y ago | RHSA-2019:3708: mariadb:10.3 security and bug fix update (Moderate) | |||
| CVE-2019-2740 | medium | — | 5.5 | 7y ago | RHSA-2019:3708: mariadb:10.3 security and bug fix update (Moderate) | |||
| CVE-2019-2739 | medium | — | 5.5 | 7y ago | RHSA-2019:3708: mariadb:10.3 security and bug fix update (Moderate) | |||
| CVE-2019-2758 | medium | — | 5.5 | 7y ago | RHSA-2019:3708: mariadb:10.3 security and bug fix update (Moderate) | |||
| CVE-2019-2614 | medium | — | 5.5 | 7y ago | RHSA-2019:3708: mariadb:10.3 security and bug fix update (Moderate) | |||
| CVE-2019-2628 | medium | — | 5.5 | 7y ago | RHSA-2019:3708: mariadb:10.3 security and bug fix update (Moderate) | |||
| CVE-2019-2627 | medium | — | 5.5 | 7y ago | RHSA-2019:3708: mariadb:10.3 security and bug fix update (Moderate) | |||
| CVE-2019-2537 | medium | — | 5.5 | 7y ago | RHSA-2019:3708: mariadb:10.3 security and bug fix update (Moderate) | |||
| CVE-2019-2737 | medium | — | 5.5 | 7y ago | RHSA-2019:3708: mariadb:10.3 security and bug fix update (Moderate) | |||
| CVE-2019-14233 | medium | — | 5.5 | 7y ago | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremel… | |||
| CVE-2019-14235 | medium | — | 5.5 | 7y ago | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage… | |||
| CVE-2019-14232 | medium | — | 5.5 | 7y ago | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, … | |||
| CVE-2019-17007 | medium | — | 5.5 | 7y ago | In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service. | |||
| CVE-2019-11719 | medium | — | 5.5 | 7y ago | When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to inf… | |||
| CVE-2019-11727 | medium | — | 5.5 | 7y ago | A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in Certificat… | |||
| CVE-2019-11729 | medium | — | 5.5 | 7y ago | Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8… | |||
| CVE-2019-0816 | medium | — | 5.5 | 7y ago | RHBA-2019:1992: cloud-init bug fix and enhancement update (Moderate) | |||
| CVE-2019-2821 | medium | — | 5.5 | 7y ago | RHSA-2019:1817: java-11-openjdk security update (Moderate) | |||
| CVE-2019-2818 | medium | — | 5.5 | 7y ago | RHSA-2019:1817: java-11-openjdk security update (Moderate) | |||
| CVE-2019-2745 | medium | — | 5.5 | 7y ago | RHSA-2019:1817: java-11-openjdk security update (Moderate) | |||
| CVE-2019-2842 | medium | — | 5.5 | 7y ago | RHSA-2019:1816: java-1.8.0-openjdk security update (Moderate) | |||
| CVE-2019-12814 | medium | — | 5.5 | 7y ago | RHBA-2019:3416: pki-core:10.6 and pki-deps:10:6 bug fix and enhancement update (Moderate) | |||
| CVE-2019-13114 | medium | — | 5.5 | 7y ago | RHSA-2020:1577: exiv2 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2019-0804 | medium | — | 5.5 | 7y ago | RHSA-2019:1527: WALinuxAgent security update (Moderate) | |||
| CVE-2019-9741 | medium | — | 5.5 | 7y ago | RHSA-2019:1519: go-toolset:rhel8 security update (Moderate) | |||
| CVE-2019-3827 | medium | — | 5.5 | 7y ago | RHSA-2019:1517: gvfs security update (Moderate) | |||
| CVE-2019-12308 | medium | — | 5.5 | 7y ago | An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without… | |||
| CVE-2019-12086 | medium | — | 5.5 | 7y ago | RHBA-2019:3416: pki-core:10.6 and pki-deps:10:6 bug fix and enhancement update (Moderate) | |||
| CVE-2019-2602 | medium | — | 5.5 | 7y ago | RHSA-2019:1518: java-11-openjdk security update (Moderate) | |||
| CVE-2019-2684 | medium | — | 5.5 | 7y ago | RHSA-2019:1518: java-11-openjdk security update (Moderate) | |||
| CVE-2019-6454 | medium | — | 5.5 | 7y ago | RHSA-2019:0990: systemd security and bug fix update (Moderate) | |||
| CVE-2019-11324 | medium | — | 5.5 | 7y ago | RHSA-2020:1916: python-pip security update (Moderate) | |||
| CVE-2019-7164 | medium | — | 5.5 | 7y ago | RHSA-2019:0984: python36:3.6 security update (Moderate) | |||
| CVE-2019-7548 | medium | — | 5.5 | 7y ago | RHSA-2019:0984: python36:3.6 security update (Moderate) | |||
| CVE-2019-8321 | medium | — | 5.5 | 7y ago | RHBA-2019:3384: ruby:2.5 bug fix and enhancement update (Moderate) | |||
| CVE-2019-8325 | medium | — | 5.5 | 7y ago | RHBA-2019:3384: ruby:2.5 bug fix and enhancement update (Moderate) | |||
| CVE-2019-8323 | medium | — | 5.5 | 7y ago | RHBA-2019:3384: ruby:2.5 bug fix and enhancement update (Moderate) | |||
| CVE-2019-8322 | medium | — | 5.5 | 7y ago | RHBA-2019:3384: ruby:2.5 bug fix and enhancement update (Moderate) | |||
| CVE-2019-8320 | medium | — | 5.5 | 7y ago | RHBA-2019:3384: ruby:2.5 bug fix and enhancement update (Moderate) | |||
| CVE-2019-8331 | medium | — | 5.5 | 7y ago | RHSA-2020:4847: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2019-6975 | medium | — | 5.5 | 7y ago | Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() func… | |||
| CVE-2019-3498 | medium | — | 5.5 | 8y ago | In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defa… | |||
| CVE-2019-3881 | medium | — | 5.5 | 8y ago | RHSA-2021:2588: ruby:2.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2019-13118 | medium | 5.3 | 5.3 | 4y ago | In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, … | |||
| CVE-2019-13117 | medium | 5.3 | 5.3 | 7y ago | In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte o… | |||
| CVE-2019-7317 | medium | 5.3 | 5.3 | 7y ago | multiple issues in thunderbird | |||
| CVE-2019-16230 | medium | 4.7 | 4.7 | 7y ago | drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer stat… | |||
| CVE-2019-15213 | medium | 4.6 | 4.6 | 7y ago | An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver. | |||
| CVE-2019-9621 | unknown | — | 2.5 | 11mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component. | |||
| CVE-2019-16278 | unknown | — | 2.5 | 2y ago | Nostromo nhttpd contains a directory traversal vulnerability in the http_verify() function in a non-chrooted nhttpd server allowing for remote code execution. | |||
| CVE-2019-7256 | unknown | — | 2.5 | 2y ago | Nice Linear eMerge E3-Series contains an OS command injection vulnerability that allows an attacker to conduct remote code execution. | |||
| CVE-2019-20500 | unknown | — | 2.5 | 3y ago | D-Link DWL-2600AP access point contains an authenticated command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?act… | |||
| CVE-2019-17621 | unknown | — | 2.5 | 3y ago | D-Link DIR-859 router contains a command execution vulnerability in the UPnP endpoint URL, /gena.cgi. Exploitation allows an unauthenticated remote attacker to execute system commands as root by send… | |||
| CVE-2019-8605 | unknown | — | 2.5 | 4y ago | A use-after-free vulnerability in Apple iOS, macOS, tvOS, and watchOS could allow a malicious application to execute code with system privileges. | |||
| CVE-2019-7195 | unknown | — | 2.5 | 4y ago | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. | |||
| CVE-2019-7194 | unknown | — | 2.5 | 4y ago | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. | |||
| CVE-2019-7192 | unknown | — | 2.5 | 4y ago | QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. | |||
| CVE-2019-5825 | unknown | — | 2.5 | 4y ago | Google Chromium V8 Engine contains an out-of-bounds write vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect m… | |||
| CVE-2019-3010 | unknown | — | 2.5 | 4y ago | Oracle Solaris component: XScreenSaver contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2019-7286 | unknown | — | 2.5 | 4y ago | Apple iOS, macOS, watchOS, and tvOS contain a memory corruption vulnerability that could allow for privilege escalation. | |||
| CVE-2019-18426 | unknown | — | 2.5 | 4y ago | A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. | |||
| CVE-2019-1003030 | unknown | — | 2.5 | 4y ago | Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution. | |||
| CVE-2019-1003029 | unknown | — | 2.5 | 4y ago | Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox. | |||
| CVE-2019-3929 | unknown | — | 2.5 | 4y ago | Multiple Crestron products are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system comma… | |||
| CVE-2019-12989 | unknown | — | 2.5 | 4y ago | Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection. | |||
| CVE-2019-10068 | unknown | — | 2.5 | 4y ago | Kentico contains a failure to validate security headers. This deserialization can led to unauthenticated remote code execution. | |||
| CVE-2019-12991 | unknown | — | 2.5 | 4y ago | Authenticated Command Injection in Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance. | |||
| CVE-2019-2616 | unknown | — | 2.5 | 4y ago | Oracle BI Publisher, formerly XML Publisher, contains an unspecified vulnerability that allows for various unauthorized actions. Open-source reporting attributes this vulnerability to allowing for au… | |||
| CVE-2019-15107 | unknown | — | 2.5 | 4y ago | An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability. | |||
| CVE-2019-0841 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. | |||
| CVE-2019-0543 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated conte… | |||
| CVE-2019-1253 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. | |||
| CVE-2019-1132 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. | |||
| CVE-2019-1322 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated conte… | |||
| CVE-2019-1405 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when the Windows UPnP service improperly allows COM object creation. | |||
| CVE-2019-1652 | unknown | — | 2.5 | 4y ago | A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges… | |||
| CVE-2019-0752 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer | |||
| CVE-2019-7609 | unknown | — | 2.5 | 4y ago | Kibana contain an arbitrary code execution flaw in the Timelion visualizer. | |||
| CVE-2019-9670 | unknown | — | 2.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component. | |||
| CVE-2019-2725 | unknown | — | 2.5 | 4y ago | Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). | |||
| CVE-2019-1458 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP. | |||
| CVE-2019-9978 | unknown | — | 2.5 | 5y ago | WordPress Social Warfare plugin contains a cross-site scripting (XSS) vulnerability that allows for remote code execution. This vulnerability affects Social Warfare and Social Warfare Pro. | |||
| CVE-2019-2215 | unknown | — | 2.5 | 5y ago | Android Kernel contains a use-after-free vulnerability in binder.c that allows for privilege escalation from an application to the Linux Kernel. This vulnerability was observed chained with CVE-2020-… | |||
| CVE-2019-3398 | unknown | — | 2.5 | 5y ago | Atlassian Confluence Server and Data Center contain a path traversal vulnerability in the downloadallattachments resource that may allow a privileged, remote attacker to write files. Exploitation can… | |||
| CVE-2019-0803 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains an unspecified vulnerability due to it failing to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in k… | |||
| CVE-2019-18935 | unknown | — | 2.5 | 5y ago | Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe proce… | |||
| CVE-2019-16759 | unknown | — | 2.5 | 5y ago | The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | |||
| CVE-2019-0604 | unknown | — | 2.5 | 5y ago | Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote code in the context of the SharePoint applica… | |||
| CVE-2019-11510 | unknown | — | 2.5 | 5y ago | Ivanti Pulse Connect Secure contains an arbitrary file read vulnerability that allows an unauthenticated remote attacker with network access via HTTPS to send a specially crafted URI. | |||
| CVE-2019-4716 | unknown | — | 2.5 | 5y ago | IBM Planning Analytics is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. | |||
| CVE-2019-8394 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization. | |||
| CVE-2019-18988 | unknown | — | 2.5 | 5y ago | TeamViewer Desktop allows for bypass of remote-login access control because the same AES key is used for different customers' installations. If an attacker were to know this key, they could decrypt p… | |||
| CVE-2019-11539 | unknown | — | 2.5 | 5y ago | Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands. | |||
| CVE-2019-15752 | unknown | — | 2.5 | 5y ago | Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low… | |||
| CVE-2019-0808 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability due to the component failing to properly handle objects in memory. Successful exploitation allows an attacker to run code in kernel mode. | |||
| CVE-2019-1215 | unknown | — | 2.5 | 5y ago | Microsoft Windows contains an unspecified vulnerability due to the way ws2ifsl.sys (Winsock) handles objects in memory, allowing for privilege escalation. Successful exploitation allows an attacker t… | |||
| CVE-2019-1653 | unknown | — | 2.5 | 5y ago | Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers contain improper access controls for URLs. Exploitation could allow an attacker to download the router configuration or detailed diag… | |||
| CVE-2019-19781 | unknown | — | 2.5 | 5y ago | Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an unspecified vulnerability that could allow an unauthenticated attacker to perform code execution. |