Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

223531 entries
ID Description Priority Modified date
CVE-2019-16959 SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket. MEDIUM Dec 23, 2020
CVE-2019-16960 SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field. LOW Jan 6, 2021
CVE-2019-16961 SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name. LOW Jan 15, 2021
CVE-2019-16962 Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report. LOW Jan 8, 2021
CVE-2019-16964 app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any commands on the host as www-data. HIGH Oct 24, 2019
CVE-2019-16965 resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data. HIGH Oct 23, 2019
CVE-2019-16966 An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested via a GET request to /admin/ajax.php?module=contactmanager. MEDIUM Oct 24, 2019
CVE-2019-16967 An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager. MEDIUM Oct 23, 2019
CVE-2019-16968 An issue was discovered in FusionPBX up to 4.5.7. In the file app\conference_controls\conference_control_details.php, an unsanitized id variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16969 In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16970 In FusionPBX up to 4.5.7, the file app\sip_status\sip_status.php uses an unsanitized "savemsg" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16971 In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16972 In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16973 In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16974 In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16975 In FusionPBX up to 4.5.7, the file app\contacts\contact_notes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 24, 2019
CVE-2019-16976 In FusionPBX up to 4.5.7, the file app\destinations\destination_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. MEDIUM Oct 28, 2019
CVE-2019-16977 In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 28, 2019
CVE-2019-16978 In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16979 In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16980 In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection. MEDIUM Oct 23, 2019
CVE-2019-16981 In FusionPBX up to v4.5.7, the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16982 In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16983 In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16984 In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16985 In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system. HIGH Oct 23, 2019
CVE-2019-16986 In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.) MEDIUM Oct 23, 2019
CVE-2019-16987 In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16988 In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16989 In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16990 In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it. MEDIUM Oct 23, 2019
CVE-2019-16991 In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS. MEDIUM Oct 23, 2019
CVE-2019-16992 The Keybase app 2.13.2 for iOS provides potentially insufficient notice that it is employing a user's private key to sign a certain cryptocurrency attestation (that an address at keybase.io can be used for Stellar payments to the user), which might be incompatible with a user's personal position on the semantics of an attestation. MEDIUM Oct 8, 2019
CVE-2019-16993 In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them. MEDIUM Oct 7, 2019
CVE-2019-16994 In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a. High Oct 4, 2019
CVE-2019-16995 In the Linux kernel before 5.0.3, a memory leak exists in hsr_dev_finalize() in net/hsr/hsr_device.c if hsr_add_port fails to add a port, which may cause denial of service, aka CID-6caabe7f197d. High Oct 4, 2019
CVE-2019-16996 In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/product/admin/product_admin.class.php via the admin/?n=product&c=product_admin&a=dopara&app_type=shop id parameter. MEDIUM Oct 4, 2019
CVE-2019-16997 In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/language/admin/language_general.class.php via the admin/?n=language&c=language_general&a=doExportPack appno parameter. MEDIUM Oct 4, 2019
CVE-2019-16999 CloudBoot through 2019-03-08 allows SQL Injection via a crafted Status field in JSON data to the api/osinstall/v1/device/getNumByStatus URI. HIGH Oct 2, 2019
CVE-2019-17000 An object tag with a data URI did not correctly inherit the document's Content Security Policy. This allowed a CSP bypass in a cross-origin frame if the document's policy explicitly allowed data: URIs. This vulnerability affects Firefox < 70. MEDIUM Jan 13, 2020
CVE-2019-17001 A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-2019-17000. Note: This flaw only affected Firefox 69 and was not present in earlier versions. This vulnerability affects Firefox < 70. MEDIUM Jan 13, 2020
CVE-2019-17002 If upgrade-insecure-requests was specified in the Content Security Policy, and a link was dragged and dropped from that page, the link was not upgraded to https. This vulnerability affects Firefox < 70. MEDIUM Jan 13, 2020
CVE-2019-17003 Scanning a QR code that contained a javascript: URL would have resulted in the Javascript being executed. -- Feb 17, 2023
CVE-2019-17005 The plain text serializer used a fixed-size array for the number of <ol> elements it could process; however it was possible to overflow the static-sized array leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. MEDIUM Jan 16, 2020
CVE-2019-17006 In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. HIGH Aug 31, 2020
CVE-2019-17007 In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service. MEDIUM Sep 9, 2020
CVE-2019-17008 When using nested workers, a use-after-free could occur during worker destruction. This resulted in a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. MEDIUM Jan 16, 2020
CVE-2019-17009 When running, the updater service wrote status and log files to an unrestricted location; potentially allowing an unprivileged process to locate and exploit a vulnerability in file handling in the updater service. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. MEDIUM Jan 13, 2020
CVE-2019-17010 Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. MEDIUM Jan 16, 2020
CVE-2019-17011 Under certain conditions, when retrieving a document from a DocShell in the antitracking code, a race condition could cause a use-after-free condition and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. MEDIUM Jan 16, 2020
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.