The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2018-20796 | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by \'(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+\' in grep. | Medium | Mar 15, 2019 |
| CVE-2019-9169 | In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match. | High | Mar 15, 2019 |
| CVE-2019-9070 | An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls. | Medium | Mar 15, 2019 |
| CVE-2019-9071 | An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls. | Medium | Mar 15, 2019 |
| CVE-2019-9072 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c. | Medium | Mar 15, 2019 |
| CVE-2019-9073 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c. | Medium | Mar 15, 2019 |
| CVE-2019-9074 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c. | Medium | Mar 15, 2019 |
| CVE-2019-9075 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c. | Medium | Mar 15, 2019 |
| CVE-2019-9076 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c. | Medium | Mar 15, 2019 |
| CVE-2019-9077 | An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section. | Medium | Mar 15, 2019 |
| CVE-2019-0135 | Improper permissions in the installer for Intel(R) Accelerated Storage Manager in Intel(R) RSTe before version 5.5.0.2015 may allow an authenticated user to potentially enable escalation of privilege via local access. L-SA-00206 | Medium | Mar 15, 2019 |
| CVE-2018-17937 | gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs. | Medium | Mar 18, 2019 |
| CVE-2019-9834 | The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. NOTE: the vendor disputes the risk because there is a clear warning next to the button for importing a snapshot | Medium | Mar 18, 2019 |
| CVE-2019-0271 | ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31 and Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform. For more recent updates please refer to Security Note 2870067 (which supersedes the solution of Security Note 2736825) in the reference section below. | Medium | Mar 19, 2019 |
| CVE-2018-20806 | Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter). | MEDIUM | Mar 20, 2019 |
| CVE-2019-9829 | Maccms 10 allows remote attackers to execute arbitrary PHP code by entering this code in a template/default_pc/html/art Edit action. This occurs because template rendering uses an include operation on a cache file, which bypasses the prohibition of .php files as templates. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9831 | The AirMore application through 1.6.1 for Android allows remote attackers to cause a denial of service (system hang) via many simultaneous /?Key=PhoneRequestAuthorization requests. | HIGH | Mar 20, 2019 |
| CVE-2019-9832 | The AirDrop application through 2.0 for Android allows remote attackers to cause a denial of service via a client that makes many socket connections through a configured port. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9833 | The Screen Stream application through 3.0.15 for Android allows remote attackers to cause a denial of service via many simultaneous /start-stop requests. | MEDIUM | Mar 20, 2019 |
| CVE-2018-20801 | In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of backtracking regular expressions permitted an attacker to conduct a denial of service attack against the SVGRenderer component, aka ReDoS. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9760 | FTPGetter Standard v.5.97.0.177 allows remote code execution when a user initiates an FTP connection to an attacker-controlled machine that sends crafted responses. Long responses can also crash the FTP client with memory corruption. | HIGH | Mar 20, 2019 |
| CVE-2019-9761 | An XXE issue was discovered in PHPSHE 1.7, which can be used to read any file in the system or scan the internal network without authentication. This occurs because of the call to wechat_getxml in include/plugin/payment/wechat/notify_url.php. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9762 | A SQL Injection was discovered in PHPSHE 1.7 in include/plugin/payment/alipay/pay.php with the parameter id. The vulnerability does not need any authentication. | HIGH | Mar 20, 2019 |
| CVE-2019-9765 | In Blog_mini 1.0, XSS exists via the author name of a comment reply in the app/main/views.py articleDetails() function, related to app/templates/_article_comments.html. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9766 | Stack-based buffer overflow in Free MP3 CD Ripper 2.6, when converting a file, allows user-assisted remote attackers to execute arbitrary code via a crafted .mp3 file. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9767 | Stack-based buffer overflow in Free MP3 CD Ripper 2.6, when converting a file, allows user-assisted remote attackers to execute arbitrary code via a crafted .wma file. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9769 | PilusCart 1.4.1 is vulnerable to index.php?module=users&action=newUser CSRF, leading to the addition of a new user as administrator. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9785 | gitnote 3.1.0 allows remote attackers to execute arbitrary code via a crafted Markdown file, as demonstrated by a javascript:window.parent.top.require(\'child_process\').execFile substring in the onerror attribute of an IMG element. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9825 | FeiFeiCMS 4.1.190209 allows remote attackers to upload and execute arbitrary PHP code by visiting index.php?s=Admin-Index to modify the set of allowable file extensions, as demonstrated by adding php to the default jpg,gif,png,jpeg setting, and then using the \"add article\" feature. | HIGH | Mar 20, 2019 |
| CVE-2018-20800 | An issue was discovered in Open Ticket Request System (OTRS) 5.0.31 and 6.0.13. Users updating to 6.0.13 (also patchlevel updates) or 5.0.31 (only major updates) will experience data loss in their agent preferences table. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9736 | DOM-based XSS exists in 1024Tools Markdown 1.0 via vectors involving the \'<EMBED SRC=\"data:image/svg+xml\' substring. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9737 | Editor.md 1.5.0 has DOM-based XSS via vectors involving the \'<EMBED SRC=\"data:image/svg+xml\' substring. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9738 | jimmykuu Gopher 2.0 has DOM-based XSS via vectors involving the \'<EMBED SRC=\"data:image/svg+xml\' substring. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9742 | gdwfpcd.sys in G Data Total Security before 2019-02-22 allows an attacker to bypass ACLs because Interpreted Device Characteristics lacks FILE_DEVICE_SECURE_OPEN and therefore files and directories \"inside\" the \\\\.\\gdwfpcd device are not properly protected, leading to unintended impersonation or object creation. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9746 | In libwebm before 2019-03-08, a NULL pointer dereference caused by the functions OutputCluster and OutputTracks in webm_info.cc will trigger an abort, which allows a DoS attack, a similar issue to CVE-2018-19212. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9747 | In tinysvcmdns through 2018-01-16, a maliciously crafted mDNS (Multicast DNS) packet triggers an infinite loop while parsing an mDNS query. When mDNS compressed labels point to each other, the function uncompress_nlabel goes into an infinite loop trying to analyze the packet with an mDNS query. As a result, the mDNS server hangs after receiving the malicious mDNS packet. NOTE: the product\'s web site states \"This project is un-maintained, and has been since 2013. ... There are known vulnerabilities ... You are advised to NOT use this library for any new projects / products.\" | MEDIUM | Mar 20, 2019 |
| CVE-2019-9748 | In tinysvcmdns through 2018-01-16, an mDNS server processing a crafted packet can perform arbitrary data read operations up to 16383 bytes from the start of the buffer. This can lead to a segmentation fault in uncompress_nlabel in mdns.c and a crash of the server (depending on the memory protection of the CPU and the operating system), or disclosure of memory content via error messages or a server response. NOTE: the product\'s web site states \"This project is un-maintained, and has been since 2013. ... There are known vulnerabilities ... You are advised to NOT use this library for any new projects / products.\" | HIGH | Mar 20, 2019 |
| CVE-2019-9750 | In IoTivity through 1.3.1, the CoAP server interface can be used for Distributed Denial of Service attacks using source IP address spoofing and UDP-based traffic amplification. The reflected traffic is 6 times bigger than spoofed requests. This occurs because the construction of a \"4.01 Unauthorized\" response is mishandled. NOTE: the vendor states \"While this is an interesting attack, there is no plan for maintainer to fix, as we are migrating to IoTivity Lite.\" | MEDIUM | Mar 20, 2019 |
| CVE-2019-9751 | An issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm. | LOW | Mar 20, 2019 |
| CVE-2019-9754 | An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 1 byte out of bounds write in the end_macro function in tccpp.c. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9557 | Ability Mail Server 4.2.6 has Persistent Cross Site Scripting (XSS) via the body e-mail body. To exploit the vulnerability, the victim must open an email with malicious Javascript inserted into the body of the email as an iframe. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9558 | Mailtraq WebMail version 2.17.7.3550 has Persistent Cross Site Scripting (XSS) via the body of an e-mail message. To exploit the vulnerability, the victim must open an email with malicious Javascript inserted into the body of the email as an iframe. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9644 | An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of error messages, though not reproduced with other browsers. This occurs because Internet Explorer\'s error messages can include the content of any invalid JavaScript that was encountered. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9710 | An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9711 | An issue was discovered in Joomla! before 3.9.4. The item_title layout in edit views lacks escaping, leading to XSS. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9712 | An issue was discovered in Joomla! before 3.9.4. The JSON handler in com_config lacks input validation, leading to XSS. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9713 | An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9714 | An issue was discovered in Joomla! before 3.9.4. The media form field lacks escaping, leading to XSS. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9725 | The Web manager (aka Commander) on Korenix JetPort 5601 and 5601f devices has Persistent XSS via the Port Alias field under Serial Setting. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9729 | In Shanda MapleStory Online V160, the SdoKeyCrypt.sys driver allows privilege escalation to NT AUTHORITY\\SYSTEM because of not validating the IOCtl 0x8000c01c input value, leading to an integer signedness error and a heap-based buffer underflow. | HIGH | Mar 20, 2019 |
