The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-12880 | BCN Quark Quarking Password Manager 3.1.84 suffers from a clickjacking vulnerability caused by allowing * within web_accessible_resources. An attacker can take advantage of this vulnerability and cause significant harm. | MEDIUM | Jun 25, 2019 |
| CVE-2019-10271 | An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. It is possible to modify the profile and cover picture of any user once one is connected. One can also modify the profiles and cover pictures of privileged users. To perform such a modification, one first needs to (for example) intercept an upload-picture request and modify the user_id parameter. | MEDIUM | Jun 25, 2019 |
| CVE-2014-9699 | The MakerBot Replicator 5G printer runs an Apache HTTP Server with directory indexing enabled. Apache logs, system logs, design files (i.e., a history of print files), and more are exposed to unauthenticated attackers through this HTTP server. | MEDIUM | Jun 25, 2019 |
| CVE-2019-12935 | Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI. | MEDIUM | Jun 25, 2019 |
| CVE-2019-10072 | The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. | MEDIUM | Jun 25, 2019 |
| CVE-2019-12836 | The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker to add a URL/Link (to an existing issue) that can cause forgery of a request to an out-of-origin domain. This in turn may allow for a forged request that can be invoked in the context of an authenticated user, leading to stealing of session tokens and account takeover. | MEDIUM | Jun 25, 2019 |
| CVE-2019-12875 | Alpine Linux abuild through 3.4.0 allows an unprivileged member of the abuild group to add an untrusted package via a --keys-dir option that causes acceptance of an untrusted signing key. | MEDIUM | Jun 25, 2019 |
| CVE-2019-12874 | An issue was discovered in zlib_decompress_extra in modules/demux/mkv/util.cpp in VideoLAN VLC media player 3.x through 3.0.7. The Matroska demuxer, while parsing a malformed MKV file type, has a double free. | High | Jun 25, 2019 |
| CVE-2019-1625 | A vulnerability in the CLI of Cisco SD-WAN Solution could allow an authenticated, local attacker to elevate lower-level privileges to the root user on an affected device. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. A successful exploit could allow the attacker to make configuration changes to the system as the root user. | HIGH | Jun 25, 2019 |
| CVE-2018-16118 | A shell escape vulnerability in /webconsole/APIController in the API Configuration component of Sophos XG firewall 17.0.8 MR-8 allows remote attackers to execute arbitrary OS commands via shell metachracters in the \"X-Forwarded-for\" HTTP header. | HIGH | Jun 25, 2019 |
| CVE-2019-0755 | An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka \'Windows Kernel Information Disclosure Vulnerability\'. This CVE ID is unique from CVE-2019-0702, CVE-2019-0767, CVE-2019-0775, CVE-2019-0782. | LOW | Jun 25, 2019 |
| CVE-2016-2203 | The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to discover an encrypted AD password by leveraging certain read privileges. | LOW | Jun 25, 2019 |
| CVE-2019-12828 | An issue was discovered in Electronic Arts Origin before 10.5.39. Due to improper sanitization of the origin:// and origin2:// URI schemes, it is possible to inject additional arguments into the Origin process and ultimately leverage code execution by loading a backdoored Qt plugin remotely via the platformpluginpath argument supplied with a Windows network share. | MEDIUM | Jun 24, 2019 |
| CVE-2019-11128 | Insufficient input validation in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access. | MEDIUM | Jun 24, 2019 |
| CVE-2019-11127 | Buffer overflow in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access. | MEDIUM | Jun 24, 2019 |
| CVE-2019-11126 | Pointer corruption in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access. | MEDIUM | Jun 24, 2019 |
| CVE-2019-11125 | Insufficient input validation in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access. | MEDIUM | Jun 24, 2019 |
| CVE-2019-11124 | Out of bound read/write in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access. | MEDIUM | Jun 24, 2019 |
| CVE-2019-11123 | Insufficient session validation in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access. | MEDIUM | Jun 24, 2019 |
| CVE-2019-11119 | Insufficient session validation in the service API for Intel(R) RWC3 version 4.186 and before may allow an unauthenticated user to potentially enable escalation of privilege via network access. | HIGH | Jun 24, 2019 |
| CVE-2019-0183 | Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access. | LOW | Jun 24, 2019 |
| CVE-2019-0182 | Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access. | LOW | Jun 24, 2019 |
| CVE-2019-0181 | Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access. | MEDIUM | Jun 24, 2019 |
| CVE-2019-0180 | Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access. | LOW | Jun 24, 2019 |
| CVE-2019-0179 | Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access. | LOW | Jun 24, 2019 |
| CVE-2019-0178 | Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access. | LOW | Jun 24, 2019 |
| CVE-2019-0177 | Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access. | LOW | Jun 24, 2019 |
| CVE-2019-0175 | Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access. | LOW | Jun 24, 2019 |
| CVE-2019-0157 | Insufficient input validation in the Intel(R) SGX driver for Linux may allow an authenticated user to potentially enable a denial of service via local access. | LOW | Jun 24, 2019 |
| CVE-2019-12940 | LiveZilla Server before 8.0.1.1 is vulnerable to Denial Of Service (memory consumption) in knowledgebase.php via a large integer value of the depth parameter. | HIGH | Jun 24, 2019 |
| CVE-2019-11648 | An information leakage exists in Micro Focus NetIQ Self Service Password Reset Software all versions prior to version 4.4. The vulnerability could be exploited to expose sensitive information. | MEDIUM | Jun 24, 2019 |
| CVE-2019-11647 | A potential XSS exists in Self Service Password Reset, in Micro Focus NetIQ Software all versions prior to version 4.4. The vulnerability could be exploited to enable an XSS attack. | MEDIUM | Jun 24, 2019 |
| CVE-2019-12937 | apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow allowing local privilege escalation to the root user via the DISPLAY environment variable. | HIGH | Jun 24, 2019 |
| CVE-2019-12929 | The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU\'s -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue | High | Jun 24, 2019 |
| CVE-2019-12928 | The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU\'s -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue | High | Jun 24, 2019 |
| CVE-2019-12933 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-11877. Reason: This candidate is a duplicate of CVE-2019-11877. Notes: All CVE users should reference CVE-2019-11877 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | Medium | Jun 24, 2019 |
| CVE-2019-10270 | An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It is possible (due to lack of verification and correlation between the reset password key sent by mail and the user_id parameter) to reset the password of another user. One only needs to know the user_id, which is publicly available. One just has to intercept the password modification request and modify user_id. It is possible to modify the passwords for any users or admin WordPress Ultimate Members. This could lead to account compromise and privilege escalation. | MEDIUM | Jun 24, 2019 |
| CVE-2019-10028 | Denial of Service (DOS) in Dial Reference Source Code Used before June 18th, 2019. | MEDIUM | Jun 24, 2019 |
| CVE-2019-12745 | out/out.UsrMgr.php in SeedDMS before 5.1.11 allows Stored Cross-Site Scripting (XSS) via the name field. | LOW | Jun 24, 2019 |
| CVE-2019-12744 | SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of unvalidated file upload of PHP scripts, a different vulnerability than CVE-2018-12940. | MEDIUM | Jun 24, 2019 |
| CVE-2019-12904 | In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor\'s position is that the issue report cannot be validated because there is no description of an attack | Medium | Jun 24, 2019 |
| CVE-2019-12902 | Pydio Cells before 1.5.0 does incomplete cleanup of a user\'s data upon deletion. This allows a new user, holding the same User ID as a deleted user, to restore the deleted user\'s data. | MEDIUM | Jun 24, 2019 |
| CVE-2019-12900 | BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. | High | Jun 24, 2019 |
| CVE-2019-12890 | RedwoodHQ 2.5.5 does not require any authentication for database operations, which allows remote attackers to create admin users via a con.automationframework users insert_one call. | HIGH | Jun 24, 2019 |
| CVE-2019-11649 | Cross-Site Scripting vulnerability in Micro Focus Fortify Software Security Center Server, versions 17.2, 18.1, 18.2, has been identified in Micro Focus Software Security Center. The vulnerability could be exploited to execute JavaScript code in user’s browser. The vulnerability could be exploited to execute JavaScript code in user’s browser. | Low | Jun 24, 2019 |
| CVE-2019-12881 | i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact via crafted ioctl calls to /dev/dri/card0. | Medium | Jun 24, 2019 |
| CVE-2019-12801 | out/out.GroupMgr.php in SeedDMS 5.1.11 has Stored XSS by making a new group with a JavaScript payload as the \"GROUP\" Name. | MEDIUM | Jun 24, 2019 |
| CVE-2019-3787 | Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user\'s email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user\'s account. | Medium | Jun 24, 2019 |
| CVE-2019-3737 | Dell EMC Avamar ADMe Web Interface 1.0.50 and 1.0.51 are affected by an LFI vulnerability which may allow a malicious user to download arbitrary files from the affected system by sending a specially crafted request to the Web Interface application. | MEDIUM | Jun 24, 2019 |
| CVE-2019-3735 | Dell SupportAssist for Business PCs version 2.0 and Dell SupportAssist for Home PCs version 2.2, 2.2.1, 2.2.2, 2.2.3, 3.0, 3.0.1, 3.0.2, 3.1, 3.2, and 3.2.1 contain an Improper Privilege Management Vulnerability. A malicious local user can exploit this vulnerability by inheriting a system thread using a leaked thread handle to gain system privileges on the affected machine. | HIGH | Jun 24, 2019 |
