The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-9207 | PRTG Network Monitor v7.1.3.3378 allows XSS via the /search.htm searchtext parameter. NOTE: This product is discontinued. | MEDIUM | Jan 3, 2020 |
| CVE-2019-9206 | PRTG Network Monitor v7.1.3.3378 allows XSS via the /public/login.htm errormsg or loginurl parameter. NOTE: This product is discontinued. | MEDIUM | Jan 3, 2020 |
| CVE-2019-9204 | SQL injection vulnerability in Nagios IM (component of Nagios XI) before 2.2.7 allows attackers to execute arbitrary SQL commands. | HIGH | Mar 28, 2019 |
| CVE-2019-9204 | SQL injection vulnerability in Nagios IM (component of Nagios XI) before 2.2.7 allows attackers to execute arbitrary SQL commands. | HIGH | Apr 15, 2019 |
| CVE-2019-9203 | Authorization bypass in Nagios IM (component of Nagios XI) before 2.2.7 allows closing incidents in IM via the API. | HIGH | Mar 28, 2019 |
| CVE-2019-9203 | Authorization bypass in Nagios IM (component of Nagios XI) before 2.2.7 allows closing incidents in IM via the API. | HIGH | Apr 15, 2019 |
| CVE-2019-9202 | Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated users to execute arbitrary code via API key issues. | MEDIUM | Mar 28, 2019 |
| CVE-2019-9202 | Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated users to execute arbitrary code via API key issues. | MEDIUM | Apr 15, 2019 |
| CVE-2019-9201 | Multiple Phoenix Contact devices allow remote attackers to establish TCP sessions to port 1962 and obtain sensitive information or make changes, as demonstrated by using the Create Backup feature to traverse all directories. | High | Feb 27, 2019 |
| CVE-2019-9200 | A heap-based buffer underwrite exists in ImageStream::getLine() located at Stream.cc in Poppler 0.74.0 that can (for example) be triggered by sending a crafted PDF file to the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. | Medium | Mar 13, 2019 |
| CVE-2019-9199 | PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo 0.9.6 has a NULL pointer dereference that can (for example) be triggered by sending a crafted PDF file to the podofoimpose binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9197 | The com.unity3d.kharma protocol handler in Unity Editor 2018.3 allows remote attackers to execute arbitrary code. | MEDIUM | Jan 17, 2020 |
| CVE-2019-9196 | The Face authentication component in Aware mobile liveness 2.2.1 sdk 2.2.0 for Knomi allows a Biometrical Liveness authentication bypass via parameter tampering of the /knomi/analyze security_level field. | MEDIUM | May 17, 2019 |
| CVE-2019-9195 | util/src/zip.rs in Grin before 1.0.2 mishandles suspicious files. An attacker can execute arbitrary code via directory traversal in a ZIP archive. | HIGH | Mar 20, 2019 |
| CVE-2019-9194 | elFinder before 2.1.48 has a command injection vulnerability in the PHP connector. | HIGH | Mar 20, 2019 |
| CVE-2019-9193 | In PostgreSQL 9.3 through 11.2, the COPY TO/FROM PROGRAM function allows superusers and users in the \'pg_execute_server_program\' group to execute arbitrary code in the context of the database\'s operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’. | HIGH | Oct 10, 2019 |
| CVE-2019-9192 | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by \'(|)(\\\\1\\\\1)*\' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern | MEDIUM | Nov 5, 2019 |
| CVE-2019-9191 | The ETSI Enterprise Transport Security (ETS, formerly known as eTLS) protocol does not provide per-session forward secrecy. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9189 | Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be immediately executed because of root code execution, not as a web server user, allowing an authenticated attacker to gain full system access. | High | Jun 5, 2019 |
| CVE-2019-9187 | ikiwiki before 3.20170111.1 and 3.2018x and 3.2019x before 3.20190228 allows SSRF via the aggregate plugin. The impact also includes reading local files via file: URIs. | Medium | Jun 6, 2019 |
| CVE-2019-9186 | In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). This issue has been fixed in the following versions: 2019.1, 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7. | HIGH | Jul 10, 2019 |
| CVE-2019-9185 | Controller/Async/FilesystemManager.php in the filemanager in Bolt before 3.6.5 allows remote attackers to execute arbitrary PHP code by renaming a previously uploaded file to have a .php extension. | Medium | Mar 26, 2019 |
| CVE-2019-9184 | SQL injection vulnerability in the J2Store plugin 3.x before 3.3.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the product_option[] parameter. | HIGH | Mar 20, 2019 |
| CVE-2019-9183 | An issue was discovered in Contiki-NG through 4.3 and Contiki through 3.0. A buffer overflow is present due to an integer underflow during 6LoWPAN fragment processing in the face of truncated fragments in os/net/ipv6/sicslowpan.c. This results in accesses of unmapped memory, crashing the application. An attacker can cause a denial-of-service via a crafted 6LoWPAN frame. | MEDIUM | Apr 25, 2020 |
| CVE-2019-9182 | There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the filetext parameter. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9181 | SchoolCMS version 2.3.1 allows file upload via the logo upload feature at admin.php?m=admin&c=site&a=save by using the .jpg extension, changing the Content-Type to image/php, and placing PHP code after the JPEG data. This ultimately allows execution of arbitrary PHP code. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9179 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 5 of 5). | MEDIUM | Apr 17, 2019 |
| CVE-2019-9178 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 4 of 5). | MEDIUM | Apr 17, 2019 |
| CVE-2019-9177 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | High | May 29, 2019 |
| CVE-2019-9176 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows CSRF. | MEDIUM | Apr 17, 2019 |
| CVE-2019-9175 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 3 of 5). | MEDIUM | Apr 17, 2019 |
| CVE-2019-9174 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows SSRF. | HIGH | Apr 17, 2019 |
| CVE-2019-9172 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 2 of 5). | MEDIUM | Apr 17, 2019 |
| CVE-2019-9171 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 1 of 5). | MEDIUM | Apr 17, 2019 |
| CVE-2019-9170 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control. | MEDIUM | Apr 17, 2019 |
| CVE-2019-9169 | In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match. | High | Mar 15, 2019 |
| CVE-2019-9168 | WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9167 | Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter. | MEDIUM | Mar 28, 2019 |
| CVE-2019-9167 | Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter. | MEDIUM | Apr 15, 2019 |
| CVE-2019-9166 | Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php. | HIGH | Mar 28, 2019 |
| CVE-2019-9166 | Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php. | HIGH | Apr 15, 2019 |
| CVE-2019-9165 | SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id. | HIGH | Mar 28, 2019 |
| CVE-2019-9165 | SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id. | HIGH | Apr 15, 2019 |
| CVE-2019-9164 | Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job. | MEDIUM | Mar 28, 2019 |
| CVE-2019-9164 | Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job. | MEDIUM | Apr 15, 2019 |
| CVE-2019-9163 | The connection initiation process in March Networks Command Client before 2.7.2 allows remote attackers to execute arbitrary code via crafted XAML objects. | HIGH | Apr 2, 2020 |
| CVE-2019-9162 | In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper. | Medium | Mar 27, 2019 |
| CVE-2019-9161 | WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header can be used to read an etc/config/wac/wns_cfg_admin_detail.xml file containing the admin password. (The password for root is the WebUI admin password concatenated with a static string.) | HIGH | Apr 19, 2019 |
| CVE-2019-9160 | WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a backdoor account allowing a remote attacker to login to the system via SSH (on TCP port 22345) and escalate to root (because the password for root is the WebUI admin password concatenated with a static string). | HIGH | Apr 19, 2019 |
| CVE-2019-9158 | Gemalto DS3 Authentication Server 2.6.1-SP01 has Broken Access Control. | LOW | Jun 6, 2019 |
