CVEs from 2019
- Total: 4,212
- Critical: 232
- High: 331
- Medium: 302
- Low: 72
- % Critical: 5.5%
- % with KEV: 2.8%
- % with exploit: 2.8%
Top products
- u-boot 20
- nsauditor 1
- crypto 1
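The figures above (per-severity counts, % critical, % in KEV) are the roll-up a practitioner rebuilds when tracking a vulnerability year against NVD scores and the CISA Known Exploited Vulnerabilities catalog. The following Python is an added example, not code from this page or from any vulnerability database: it buckets CVSS v3.x base scores with the standard qualitative ranges, joins a KEV-shaped catalog (assumed to carry a top-level `vulnerabilities` list whose entries have a `cveID` key, as the public KEV JSON does) on CVE ID, and reports the percentages. The CVE records and catalog below are constructed placeholders with synthetic IDs and scores, not real entries.

```python
"""Roll a year's CVE records up into a dashboard-style summary:
counts per CVSS v3.x severity bucket, % critical, % present in KEV.

Added example. SAMPLE_CVES and SAMPLE_KEV are constructed placeholders
(synthetic IDs and scores), not real CVE data.
"""
from collections import Counter
from typing import Iterable, Mapping, Optional


def cvss_severity(score: Optional[float]) -> str:
    """Map a CVSS v3.x base score to its qualitative rating.
    Ranges: 0.0 none, 0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high, 9.0-10.0 critical."""
    if score is None:
        return "unknown"          # no score recorded, keep it out of the buckets
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def kev_ids(kev_catalog: Mapping) -> set:
    """Set of CVE IDs in a KEV-shaped catalog (assumed layout:
    {"vulnerabilities": [{"cveID": "CVE-YYYY-NNNN", ...}, ...]})."""
    return {entry["cveID"] for entry in kev_catalog.get("vulnerabilities", [])}


def summarize(cves: Iterable[Mapping], kev_catalog: Mapping, year: int) -> dict:
    """Filter `cves` to the given year by ID prefix and compute the summary.
    Each record is {"id": "CVE-YYYY-...", "cvss": float | None}."""
    prefix = f"CVE-{year}-"
    rows = [c for c in cves if c["id"].startswith(prefix)]
    exploited = kev_ids(kev_catalog)
    buckets = Counter(cvss_severity(c.get("cvss")) for c in rows)
    total = len(rows)

    def pct(n: int) -> float:
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "total": total,
        "critical": buckets["critical"],
        "high": buckets["high"],
        "medium": buckets["medium"],
        "low": buckets["low"],
        "unscored": buckets["unknown"],
        "pct_critical": pct(buckets["critical"]),
        "pct_kev": pct(sum(1 for c in rows if c["id"] in exploited)),
    }


# Constructed sample input: synthetic IDs, not real CVEs. One record from
# another year is included to show it is excluded from the 2019 roll-up.
SAMPLE_CVES = [
    {"id": "CVE-2019-TEST-A", "cvss": 9.8},
    {"id": "CVE-2019-TEST-B", "cvss": 7.5},
    {"id": "CVE-2019-TEST-C", "cvss": 5.3},
    {"id": "CVE-2019-TEST-D", "cvss": 3.1},
    {"id": "CVE-2019-TEST-E", "cvss": None},
    {"id": "CVE-2018-TEST-F", "cvss": 9.0},
]
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2019-TEST-A"},
        {"cveID": "CVE-2018-TEST-F"},
    ]
}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CVES, SAMPLE_KEV, 2019).items():
        print(f"{key}: {value}")
```

Records without a score land in `unscored` rather than being silently dropped, which is why the bucket counts on a real dashboard need not add up to the total.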
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2019-5418 | unknown | — | 2.5 | 7y ago | Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server… | |
| CVE-2019-19006 | unknown | — | 1.5 | 4mo ago | Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin. | |
| CVE-2019-9621 | unknown | — | 1.5 | 11mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component. | |
| CVE-2019-6693 | unknown | — | 1.5 | 11mo ago | Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to decipher sensitive data in a FortiOS configuration backup file via knowledge of the hard-coded key. | |
| CVE-2019-9874 | unknown | — | 1.5 | 1y ago | Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending… | |
| CVE-2019-9875 | unknown | — | 1.5 | 1y ago | Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a… | |
| CVE-2019-11001 | unknown | — | 1.5 | 2y ago | Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W IP cameras contain an authenticated OS command injection vulnerability. This vulnerability allows an authenticated admin to use the "TestEmail… | |
| CVE-2019-16278 | unknown | — | 1.5 | 2y ago | Nostromo nhttpd contains a directory traversal vulnerability in the http_verify() function in a non-chrooted nhttpd server allowing for remote code execution. | |
| CVE-2019-0344 | unknown | — | 1.5 | 2y ago | SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection. | |
| CVE-2019-7256 | unknown | — | 1.5 | 2y ago | Nice Linear eMerge E3-Series contains an OS command injection vulnerability that allows an attacker to conduct remote code execution. | |
| CVE-2019-17621 | unknown | — | 1.5 | 3y ago | D-Link DIR-859 router contains a command execution vulnerability in the UPnP endpoint URL, /gena.cgi. Exploitation allows an unauthenticated remote attacker to execute system commands as root by send… | |
| CVE-2019-20500 | unknown | — | 1.5 | 3y ago | D-Link DWL-2600AP access point contains an authenticated command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?act… | |
| CVE-2019-8526 | unknown | — | 1.5 | 3y ago | Apple macOS contains a use-after-free vulnerability that could allow for privilege escalation. | |
| CVE-2019-1388 | unknown | — | 1.5 | 3y ago | Microsoft Windows Certificate Dialog contains a privilege escalation vulnerability, allowing attackers to run processes in an elevated context. | |
| CVE-2019-8605 | unknown | — | 1.5 | 4y ago | A use-after-free vulnerability in Apple iOS, macOS, tvOS, and watchOS could allow a malicious application to execute code with system privileges. | |
| CVE-2019-7192 | unknown | — | 1.5 | 4y ago | QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. | |
| CVE-2019-15271 | unknown | — | 1.5 | 4y ago | A deserialization of untrusted data vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an attacker to execute code with root privileges. | |
| CVE-2019-5825 | unknown | — | 1.5 | 4y ago | Google Chromium V8 Engine contains an out-of-bounds write vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect m… | |
| CVE-2019-7194 | unknown | — | 1.5 | 4y ago | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. | |
| CVE-2019-7193 | unknown | — | 1.5 | 4y ago | QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system. | |
| CVE-2019-7195 | unknown | — | 1.5 | 4y ago | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. | |
| CVE-2019-3010 | unknown | — | 1.5 | 4y ago | Oracle Solaris component: XScreenSaver contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2019-7287 | unknown | — | 1.5 | 4y ago | Apple iOS contains a memory corruption vulnerability which could allow an attacker to perform remote code execution. | |
| CVE-2019-1130 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. | |
| CVE-2019-1385 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files. | |
| CVE-2019-0676 | unknown | — | 1.5 | 4y ago | An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of fi… | |
| CVE-2019-0880 | unknown | — | 1.5 | 4y ago | A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system … | |
| CVE-2019-0703 | unknown | — | 1.5 | 4y ago | An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests, which could lead to information disclosure from the server. | |
| CVE-2019-18426 | unknown | — | 1.5 | 4y ago | A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. | |
| CVE-2019-7286 | unknown | — | 1.5 | 4y ago | Apple iOS, macOS, watchOS, and tvOS contain a memory corruption vulnerability that could allow for privilege escalation. | |
| CVE-2019-1003030 | unknown | — | 1.5 | 4y ago | Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution. | |
| CVE-2019-1003029 | unknown | — | 1.5 | 4y ago | Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox. | |
| CVE-2019-3568 | unknown | — | 1.5 | 4y ago | A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. | |
| CVE-2019-16057 | unknown | — | 1.5 | 4y ago | The login_mgr.cgi script in D-Link DNS-320 is vulnerable to remote code execution. | |
| CVE-2019-3929 | unknown | — | 1.5 | 4y ago | Multiple Crestron products are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system comma… | |
| CVE-2019-7483 | unknown | — | 1.5 | 4y ago | In SonicWall SMA100, an unauthenticated Directory Traversal vulnerability in the handleWAFRedirect CGI allows the user to test for the presence of a file on the server. | |
| CVE-2019-12991 | unknown | — | 1.5 | 4y ago | Authenticated Command Injection in Citrix SD-WAN Appliance and NetScaler SD-WAN Appliance. | |
| CVE-2019-2616 | unknown | — | 1.5 | 4y ago | Oracle BI Publisher, formerly XML Publisher, contains an unspecified vulnerability that allows for various unauthorized actions. Open-source reporting attributes this vulnerability to allowing for au… | |
| CVE-2019-12989 | unknown | — | 1.5 | 4y ago | Citrix SD-WAN and NetScaler SD-WAN allow SQL Injection. | |
| CVE-2019-10068 | unknown | — | 1.5 | 4y ago | Kentico contains a failure to validate security headers. This deserialization flaw can lead to unauthenticated remote code execution. | |
| CVE-2019-0903 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could… | |
| CVE-2019-15107 | unknown | — | 1.5 | 4y ago | An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability. | |
| CVE-2019-16920 | unknown | — | 1.5 | 4y ago | Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise. | |
| CVE-2019-0841 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. | |
| CVE-2019-1069 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists in the way the Task Scheduler Service validates certain file operations. | |
| CVE-2019-1064 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. | |
| CVE-2019-1132 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. | |
| CVE-2019-1405 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when the Windows UPnP service improperly allows COM object creation. | |
| CVE-2019-1129 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. | |
| CVE-2019-0543 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated conte… | |
| CVE-2019-1253 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. | |
| CVE-2019-1322 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated conte… | |
| CVE-2019-1315 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted fi… | |
| CVE-2019-11581 | unknown | — | 1.5 | 4y ago | Atlassian Jira Server and Data Center contain a server-side template injection vulnerability which can allow for remote code execution. | |
| CVE-2019-1652 | unknown | — | 1.5 | 4y ago | A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges… | |
| CVE-2019-1297 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists in Microsoft Excel when the software fails to properly handle objects in memory. | |
| CVE-2019-0752 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer | |
| CVE-2019-1458 | unknown | — | 1.5 | 4y ago | A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP'. | |
| CVE-2019-2725 | unknown | — | 1.5 | 4y ago | Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). | |
| CVE-2019-7609 | unknown | — | 1.5 | 4y ago | Kibana contains an arbitrary code execution flaw in the Timelion visualizer. | |
| CVE-2019-1579 | unknown | — | 1.5 | 4y ago | Remote Code Execution in PAN-OS with GlobalProtect Portal or GlobalProtect Gateway Interface enabled. | |
| CVE-2019-9670 | unknown | — | 1.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component. | |
| CVE-2019-7238 | unknown | — | 1.5 | 5y ago | Sonatype Nexus Repository Manager before 3.15.0 has an incorrect access control vulnerability. Exploitation allows for remote code execution. | |
| CVE-2019-13272 | unknown | — | 1.5 | 5y ago | kernel/ptrace.c in the Linux kernel contains an improper privilege management vulnerability that allows local users to obtain root access. | |
| CVE-2019-8394 | unknown | — | 1.5 | 5y ago | Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization. | |
| CVE-2019-7481 | unknown | — | 1.5 | 5y ago | SonicWall SMA100 contains a SQL injection vulnerability allowing an unauthenticated user to gain read-only access to unauthorized resources. | |
| CVE-2019-0863 | unknown | — | 1.5 | 5y ago | Microsoft Windows Error Reporting (WER) contains a privilege escalation vulnerability due to the way it handles files, allowing for code execution in kernel mode. | |
| CVE-2019-19356 | unknown | — | 1.5 | 5y ago | Netis WF2419 devices contain an unspecified vulnerability that allows an attacker to perform remote code execution as root through the router's web management page. | |
| CVE-2019-18935 | unknown | — | 1.5 | 5y ago | Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe proce… | |
| CVE-2019-0541 | unknown | — | 1.5 | 5y ago | Microsoft MSHTML engine contains an improper input validation vulnerability that allows for remote code execution. | |
| CVE-2019-1214 | unknown | — | 1.5 | 5y ago | Microsoft Windows Common Log File System (CLFS) driver improperly handles objects in memory which can allow for privilege escalation. | |
| CVE-2019-2215 | unknown | — | 1.5 | 5y ago | Android Kernel contains a use-after-free vulnerability in binder.c that allows for privilege escalation from an application to the Linux Kernel. This vulnerability was observed chained with CVE-2020-… | |
| CVE-2019-0808 | unknown | — | 1.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability due to the component failing to properly handle objects in memory. Successful exploitation allows an attacker to run code in kernel mode. | |
| CVE-2019-18187 | unknown | — | 1.5 | 5y ago | Trend Micro OfficeScan contains a directory traversal vulnerability by extracting files from a zip file to a specific folder on the OfficeScan server, leading to remote code execution. | |
| CVE-2019-15949 | unknown | — | 1.5 | 5y ago | Nagios XI contains a remote code execution vulnerability in which a user can modify the check_plugin executable and insert malicious commands to execute as root. | |
| CVE-2019-18988 | unknown | — | 1.5 | 5y ago | TeamViewer Desktop allows for bypass of remote-login access control because the same AES key is used for different customers' installations. If an attacker were to know this key, they could decrypt p… | |
| CVE-2019-1367 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability in how the scripting engine handles objects in memory. Successful exploitation allows for remote code execution in the context o… | |
| CVE-2019-1653 | unknown | — | 1.5 | 5y ago | Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers contain improper access controls for URLs. Exploitation could allow an attacker to download the router configuration or detailed diag… | |
| CVE-2019-9082 | unknown | — | 1.5 | 5y ago | ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by… | |
| CVE-2019-1429 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user. | |
| CVE-2019-0797 | unknown | — | 1.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an attacker to execute code in kern… | |
| CVE-2019-19781 | unknown | — | 1.5 | 5y ago | Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an unspecified vulnerability that could allow an unauthenticated attacker to perform code execution. | |
| CVE-2019-6223 | unknown | — | 1.5 | 5y ago | Apple iOS and macOS Group FaceTime contains an unspecified vulnerability where the call initiator can cause the recipient's Apple device to answer unknowingly or without user interaction. | |
| CVE-2019-3398 | unknown | — | 1.5 | 5y ago | Atlassian Confluence Server and Data Center contain a path traversal vulnerability in the downloadallattachments resource that may allow a privileged, remote attacker to write files. Exploitation can… | |
| CVE-2019-5591 | unknown | — | 1.5 | 5y ago | Fortinet FortiOS contains a default configuration vulnerability that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the Lightweight Direc… | |
| CVE-2019-20085 | unknown | — | 1.5 | 5y ago | TVT devices utilizing NVMS-1000 software contain a directory traversal vulnerability via GET /.. requests. | |
| CVE-2019-16759 | unknown | — | 1.5 | 5y ago | The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | |
| CVE-2019-4716 | unknown | — | 1.5 | 5y ago | IBM Planning Analytics is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. | |
| CVE-2019-11634 | unknown | — | 1.5 | 5y ago | Citrix Workspace Application and Receiver for Windows contain a remote code execution vulnerability resulting from local drive access preferences not being enforced on the clients' local drives. | |
| CVE-2019-15752 | unknown | — | 1.5 | 5y ago | Docker Desktop Community Edition contains a vulnerability that may allow local users to escalate privileges by placing a trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop… | |
| CVE-2019-11539 | unknown | — | 1.5 | 5y ago | Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands. | |
| CVE-2019-0803 | unknown | — | 1.5 | 5y ago | Microsoft Win32k contains an unspecified vulnerability due to failing to properly handle objects in memory, allowing privilege escalation. Successful exploitation allows an attacker to run code in k… | |
| CVE-2019-3396 | unknown | — | 1.5 | 5y ago | Atlassian Confluence Server and Data Center contain a server-side template injection vulnerability that may allow an attacker to achieve path traversal and remote code execution. | |
| CVE-2019-0708 | unknown | — | 1.5 | 5y ago | Microsoft Remote Desktop Services, formerly known as Terminal Services, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the target system using RDP and send… | |
| CVE-2019-5544 | unknown | — | 1.5 | 5y ago | VMware ESXi and Horizon Desktop as a Service (DaaS) OpenSLP contains a heap-based buffer overflow vulnerability that allows an attacker with network access to port 427 to overwrite the heap of the Op… | |
| CVE-2019-0604 | unknown | — | 1.5 | 5y ago | Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote code in the context of the SharePoint applica… | |
| CVE-2019-9978 | unknown | — | 1.5 | 5y ago | WordPress Social Warfare plugin contains a cross-site scripting (XSS) vulnerability that allows for remote code execution. This vulnerability affects Social Warfare and Social Warfare Pro. | |
| CVE-2019-0859 | unknown | — | 1.5 | 5y ago | Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel mode. | |
| CVE-2019-16256 | unknown | — | 1.5 | 5y ago | SIMalliance Toolbox Browser contains a command injection vulnerability that could allow remote attackers to retrieve location and IMEI information or execute a range of other attacks by modifying th… | |
| CVE-2019-13608 | unknown | — | 1.5 | 5y ago | Citrix StoreFront Server contains an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information. |