The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-9712 | An issue was discovered in Joomla! before 3.9.4. The JSON handler in com_config lacks input validation, leading to XSS. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9711 | An issue was discovered in Joomla! before 3.9.4. The item_title layout in edit views lacks escaping, leading to XSS. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9710 | An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9709 | An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vulnerable to Cross Site Scripting (XSS) due to not escaping it when viewing the collection\'s SmartEvidence overview page (if that feature is turned on). This can be exploited by any logged-in user. | LOW | May 7, 2019 |
| CVE-2019-9708 | An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. A site administrator can suspend the system user (root), causing all users to be locked out from the system. | MEDIUM | May 7, 2019 |
| CVE-2019-9706 | Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error. | LOW | Mar 22, 2019 |
| CVE-2019-9705 | Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted. | LOW | Mar 22, 2019 |
| CVE-2019-9704 | Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked. | LOW | Mar 22, 2019 |
| CVE-2019-9703 | Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels. | MEDIUM | Jul 7, 2019 |
| CVE-2019-9702 | Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels. | MEDIUM | Jul 7, 2019 |
| CVE-2019-9701 | DLP 15.5 MP1 and all prior versions may be susceptible to a cross-site scripting (XSS) vulnerability, a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. | LOW | Jul 3, 2019 |
| CVE-2019-9700 | Norton Password Manager, prior to 6.3.0.2082, may be susceptible to an address spoofing issue. This type of issue may allow an attacker to disguise their origin IP address in order to obfuscate the source of network traffic. | LOW | Jul 18, 2019 |
| CVE-2019-9699 | Symantec Messaging Gateway (prior to 10.7.0), may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data. | LOW | Oct 30, 2019 |
| CVE-2019-9698 | Symantec AV Engine, prior to 13.0.9r17, may be susceptible to an arbitrary file deletion issue, which is a type of vulnerability that could allow an attacker to delete files on the resident system without elevated privileges. | LOW | May 9, 2019 |
| CVE-2019-9697 | An information disclosure vulnerability in the Management Center (MC) REST API 2.0, 2.1, and 2.2 prior to 2.2.2.1 allows a malicious authenticated user to obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access. | MEDIUM | Sep 5, 2019 |
| CVE-2019-9696 | Symantec VIP Enterprise Gateway (all versions) may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy. | MEDIUM | Apr 10, 2019 |
| CVE-2019-9695 | Norton Core prior to v278 may be susceptible to an arbitrary code execution issue, which is a type of vulnerability that has the potential of allowing an individual to execute arbitrary commands or code on a target machine or in a target process. Note that this exploit is only possible with direct physical access to the device. | HIGH | Apr 1, 2019 |
| CVE-2019-9694 | Symantec Endpoint Encryption prior to SEE 11.2.1 MP1 may be susceptible to a Privilege Escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | MEDIUM | Apr 12, 2019 |
| CVE-2019-9693 | In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id), _AdjustNameSeq (parameter shownumber), _Updatepicture (parameter picture_id), and _Deletepicture (parameter picture_id). | MEDIUM | Mar 20, 2019 |
| CVE-2019-9692 | class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). | MEDIUM | Mar 28, 2019 |
| CVE-2019-9689 | process_certificate in tls1.c in Cameron Hamilton-Rich axTLS through 2.1.5 has a Buffer Overflow via a crafted TLS certificate handshake message with zero certificates. | MEDIUM | Dec 4, 2019 |
| CVE-2019-9688 | sftnow through 2018-12-29 allows index.php?g=Admin&m=User&a=add_post CSRF to add an admin account. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9687 | PoDoFo 0.9.6 has a heap-based buffer overflow in PdfString::ConvertUTF16toUTF8 in base/PdfString.cpp. | HIGH | Mar 20, 2019 |
| CVE-2019-9686 | pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL pacman -U <url> due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman\'s package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c. | High | Mar 12, 2019 |
| CVE-2019-9682 | Dahua devices with Build time before December 2019 use strong security login mode by default, but in order to be compatible with the normal login of early devices, some devices retain the weak security login mode that users can control. If the user uses a weak security login method, an attacker can monitor the device network to intercept network packets to attack the device. So it is recommended that the user disable this login method. | MEDIUM | May 13, 2020 |
| CVE-2019-9681 | Online upgrade information in some firmware packages of Dahua products is not encrypted. Attackers can obtain this information by analyzing firmware packages by specific means. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18,2019. | MEDIUM | Sep 19, 2019 |
| CVE-2019-9680 | Some Dahua products have information leakage issues. Attackers can obtain the IP address and device model information of the device by constructing malicious data packets. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18, 2019. | MEDIUM | Sep 19, 2019 |
| CVE-2019-9679 | Some of Dahua\'s Debug functions do not have permission separation. Low-privileged users can use the Debug function after logging in. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18,2019. | MEDIUM | Sep 19, 2019 |
| CVE-2019-9678 | Some Dahua products have the problem of denial of service during the login process. An attacker can cause a device crashed by constructing a malicious packet. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18, 2019. | MEDIUM | Sep 19, 2019 |
| CVE-2019-9677 | The specific fields of CGI interface of some Dahua products are not strictly verified, an attacker can cause a buffer overflow by constructing malicious packets. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18, 2019. | HIGH | Sep 19, 2019 |
| CVE-2019-9676 | Buffer overflow vulnerability found in some Dahua IP Camera devices IPC-HFW1XXX,IPC-HDW1XXX,IPC-HFW2XXX Build before 2018/11. The vulnerability exits in the function of redirection display for serial port printing information, which can not be used by product basic functions. After an attacker logs in locally, this vulnerability can be exploited to cause device restart or arbitrary code execution. Dahua has identified the corresponding security problems in the static code auditing process, so it has gradually deleted this function, which is no longer available in the newer devices and softwares. Dahua has released versions of the affected products to fix the vulnerability. | HIGH | Jun 17, 2019 |
| CVE-2019-9675 | An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: This issue allows theoretical compromise of security, but a practical attack is usually impossible. | MEDIUM | Jun 3, 2019 |
| CVE-2019-9674 | Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb. | HIGH | Feb 6, 2020 |
| CVE-2019-9673 | Freenet 1483 has a MIME type bypass that allows arbitrary JavaScript execution via a crafted Freenet URI. | MEDIUM | Jun 10, 2019 |
| CVE-2019-9670 | mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml. | High | May 30, 2019 |
| CVE-2019-9669 | The Wordfence plugin 7.2.3 for WordPress allows XSS via a unique attack vector. NOTE: It has been asserted that this is not a valid vulnerability in the context of the Wordfence WordPress plugin as the firewall rules are not maintained as part of the Wordfence software but rather it is a set of rules hosted on vendor servers and pushed to the plugin with no versioning associated. Bypassing a WAF rule doesn\'t make a WordPress site vulnerable (speaking in terms of software vulnerabilities) | Medium | Apr 26, 2019 |
| CVE-2019-9668 | An issue was discovered in rovinbhandari FTP through 2012-03-28. receive_file in file_transfer_functions.c allows remote attackers to cause a denial of service (daemon crash) via a 0xffff datalen field value. | MEDIUM | Jan 10, 2020 |
| CVE-2019-9662 | An issue was discovered in JTBC(PHP) 3.0.1.8. Its cache management module is flawed. An arbitrary file ending in \"inc.php\" can be deleted via a console/cache/manage.php?type=action&action=batch&batch=delete&ids=../ substring. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9661 | Stored XSS exists in YzmCMS 5.2 via the admin/system_manage/user_config_edit.html \"value\" parameter, | LOW | Mar 20, 2019 |
| CVE-2019-9660 | Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html \"catname\" parameter. | LOW | Mar 20, 2019 |
| CVE-2019-9659 | The Chuango 433 MHz burglar-alarm product line uses static codes in the RF remote control, allowing an attacker to arm, disarm, or trigger the alarm remotely via replay attacks, as demonstrated by Chuango branded products, and non-Chuango branded products such as the Eminent EM8617 OV2 Wifi Alarm System. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9658 | Checkstyle before 8.18 loads external DTDs by default. | MEDIUM | Mar 22, 2019 |
| CVE-2019-9657 | Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control, a different issue than CVE-2018-19588. This occurs because of incorrect protection of VPN certificates (used for initiating a VPN session to the Alarm.com infrastructure) on the local camera device. | MEDIUM | Jul 18, 2019 |
| CVE-2019-9656 | An issue was discovered in LibOFX 0.9.14. There is a NULL pointer dereference in the function OFXApplication::startElement in the file lib/ofx_sgml.cpp, as demonstrated by ofxdump. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9653 | NUUO Network Video Recorder Firmware 1.7.x through 3.3.x allows unauthenticated attackers to execute arbitrary commands via shell metacharacters to handle_load_config.php. | HIGH | Jun 3, 2019 |
| CVE-2019-9652 | There is a CSRF in SDCMS V1.7 via an m=admin&c=theme&a=edit request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the t2 parameter. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9651 | An issue was discovered in SDCMS V1.7. In the \\app\\admin\\controller\\themecontroller.php file, the check_bad() function\'s filtering is not strict, resulting in PHP code execution. This occurs because some dangerous PHP functions (such as \"eval\") are blocked but others (such as \"system\") are not, and because \".php\" is blocked but \".PHP\" is not blocked. | HIGH | Mar 20, 2019 |
| CVE-2019-9650 | An XSS issue was discovered in upcoming_events.php in the Upcoming Events plugin before 1.33 for MyBB via a crafted name for an event. | MEDIUM | Mar 27, 2019 |
| CVE-2019-9649 | An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. Using the MDTM FTP command, a remote attacker can use a directory traversal technique (..\\..\\) to browse outside the root directory to determine the existence of a file on the operating system, and its last modified date. | MEDIUM | Mar 27, 2019 |
| CVE-2019-9648 | An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists using the SIZE command along with a \\..\\..\\ substring, allowing an attacker to enumerate file existence based on the returned information. | MEDIUM | Mar 27, 2019 |
