The Common Vulnerabilities and Exposures (CVE) program, maintained by the MITRE Corporation, assigns one standardized identifier to each publicly disclosed vulnerability or security exposure so that tools, advisories and vendors can refer to the same issue unambiguously. The entries below are listed by CVE ID with their description, severity rating and last-modified date.
ID | Description | Severity | Last modified |
---|---|---|---|
CVE-2019-20919 | An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference. | MEDIUM | Sep 18, 2020 |
CVE-2019-20918 | An issue was discovered in InspIRCd 3 before 3.1.0. The silence module contains a use after free vulnerability. This vulnerability can be used for remote crashing of an InspIRCd server by any user able to fully connect to a server. | MEDIUM | Sep 11, 2020 |
CVE-2019-20917 | An issue was discovered in InspIRCd 2 before 2.0.28 and 3 before 3.3.0. The mysql module contains a NULL pointer dereference when built against mariadb-connector-c 3.0.5 or newer. When combined with the sqlauth or sqloper modules, this vulnerability can be used for remote crashing of an InspIRCd server by any user able to connect to a server. | MEDIUM | Sep 11, 2020 |
CVE-2019-20916 | The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. | MEDIUM | Sep 4, 2020 |
CVE-2019-20915 | An issue was discovered in GNU LibreDWG through 0.9.3. Crafted input will lead to a heap-based buffer over-read in bit_write_TF in bits.c. | MEDIUM | Jul 16, 2020 |
CVE-2019-20914 | An issue was discovered in GNU LibreDWG through 0.9.3. There is a NULL pointer dereference in the function dwg_encode_common_entity_handle_data in common_entity_handle_data.spec. | HIGH | Jul 16, 2020 |
CVE-2019-20913 | An issue was discovered in GNU LibreDWG through 0.9.3. Crafted input will lead to a heap-based buffer over-read in dwg_encode_entity in common_entity_data.spec. | MEDIUM | Jul 16, 2020 |
CVE-2019-20912 | An issue was discovered in GNU LibreDWG through 0.9.3. Crafted input will lead to a stack overflow in bits.c, possibly related to bit_read_TF. | MEDIUM | Jul 16, 2020 |
CVE-2019-20911 | An issue was discovered in GNU LibreDWG through 0.9.3. Crafted input will lead to denial of service in bit_calc_CRC in bits.c, related to a for loop. | MEDIUM | Jul 16, 2020 |
CVE-2019-20910 | An issue was discovered in GNU LibreDWG through 0.9.3. Crafted input will lead to a heap-based buffer over-read in decode_R13_R2000 in decode.c, a different vulnerability than CVE-2019-20011. | MEDIUM | Jul 16, 2020 |
CVE-2019-20909 | An issue was discovered in GNU LibreDWG through 0.9.3. There is a NULL pointer dereference in the function dwg_encode_LWPOLYLINE in dwg.spec. | MEDIUM | Jul 16, 2020 |
CVE-2019-20908 | An issue was discovered in drivers/firmware/efi/efi.c in the Linux kernel before 5.4. Incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032. | MEDIUM | Jul 16, 2020 |
CVE-2019-20907 | In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. | MEDIUM | Jul 16, 2020 |
CVE-2019-20903 | The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets. | LOW | Oct 5, 2020 |
CVE-2019-20902 | Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are before version 3.4.6, and from version 3.5.0 before version 3.5.1. | MEDIUM | Oct 1, 2020 |
CVE-2019-20901 | The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter. | MEDIUM | Jul 13, 2020 |
CVE-2019-20900 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0. | LOW | Jul 13, 2020 |
CVE-2019-20899 | The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1. | MEDIUM | Jul 13, 2020 |
CVE-2019-20898 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0. | MEDIUM | Jul 13, 2020 |
CVE-2019-20897 | The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1. | MEDIUM | Jul 13, 2020 |
CVE-2019-20896 | WebChess 1.0 allows SQL injection via the messageFrom, gameID, opponent, messageID, or to parameter. | HIGH | Jul 9, 2020 |
CVE-2019-20894 | Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERR_BAD_SSL_CLIENT_AUTH_CERT should have occurred. | MEDIUM | Jul 2, 2020 |
CVE-2019-20893 | An issue was discovered in Activision Infinity Ward Call of Duty Modern Warfare 2 through 2019-12-11. PartyHost_HandleJoinPartyRequest has a buffer overflow vulnerability and can be exploited by using a crafted joinParty packet. This can be utilized to conduct arbitrary code execution on a victim's machine. | HIGH | Jun 30, 2020 |
CVE-2019-20892 | net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but might not affect an upstream release. | MEDIUM | Jun 25, 2020 |
CVE-2019-20891 | WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php. | MEDIUM | Jun 19, 2020 |
CVE-2019-20890 | An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions. | MEDIUM | Jun 19, 2020 |
CVE-2019-20889 | An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation. | MEDIUM | Jun 19, 2020 |
CVE-2019-20888 | An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration. | MEDIUM | Jun 20, 2020 |
CVE-2019-20887 | An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts. | MEDIUM | Jun 19, 2020 |
CVE-2019-20886 | An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin. | MEDIUM | Jun 19, 2020 |
CVE-2019-20885 | An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file. | MEDIUM | Jun 20, 2020 |
CVE-2019-20884 | An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post. | MEDIUM | Jun 20, 2020 |
CVE-2019-20883 | An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post. | LOW | Jun 20, 2020 |
CVE-2019-20882 | An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team. | MEDIUM | Jun 19, 2020 |
CVE-2019-20881 | An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA. | HIGH | Jun 19, 2020 |
CVE-2019-20880 | An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph. | MEDIUM | Jun 20, 2020 |
CVE-2019-20879 | An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry. | MEDIUM | Jun 19, 2020 |
CVE-2019-20878 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled. | MEDIUM | Jun 19, 2020 |
CVE-2019-20877 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled. | MEDIUM | Jun 20, 2020 |
CVE-2019-20876 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy. | MEDIUM | Jun 19, 2020 |
CVE-2019-20875 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed. | MEDIUM | Jun 19, 2020 |
CVE-2019-20874 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change. | MEDIUM | Jun 19, 2020 |
CVE-2019-20873 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation. | MEDIUM | Jun 19, 2020 |
CVE-2019-20872 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services. | LOW | Jun 19, 2020 |
CVE-2019-20871 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking. | MEDIUM | Jun 19, 2020 |
CVE-2019-20870 | An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post's file ID. | MEDIUM | Jun 19, 2020 |
CVE-2019-20869 | An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel. | MEDIUM | Jun 19, 2020 |
CVE-2019-20868 | An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated. | MEDIUM | Jun 19, 2020 |
CVE-2019-20867 | An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel's post loading via one crafted post. | MEDIUM | Jun 19, 2020 |
CVE-2019-20866 | An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled. | MEDIUM | Jun 19, 2020 |
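CVE-2019-20916 in the table above (pip before 19.2) is the general case of building a local file path from a filename chosen by the remote server. The block below is an added example, not pip's own code: it shows the pre-fix join beside the basename-based sanitization pip adopted, plus a containment check worth running on any path derived from remote input. It uses `email.message.Message` to read the header (the `cgi.parse_header()` pip used at the time is deprecated and removed in Python 3.13); the header strings, directory name and default filename are constructed for the example.

```python
import os
import posixpath
from email.message import Message

# Constructed sample headers of the shape described for CVE-2019-20916: a
# malicious index or mirror names the download with '../' segments.
MALICIOUS_DISPOSITION = 'attachment; filename="../../../root/.ssh/authorized_keys"'
BENIGN_DISPOSITION = 'attachment; filename="requests-2.22.0.tar.gz"'


def filename_from_content_disposition(header_value):
    """Return the filename parameter of a Content-Disposition value, or None.

    email.message.Message does the quoting/RFC 2231 work; it is the stdlib
    replacement for the deprecated cgi.parse_header().
    """
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


def download_path_vulnerable(download_dir, header_value, default_filename):
    """Pre-19.2 behaviour: the server-chosen filename is joined as-is."""
    filename = filename_from_content_disposition(header_value) or default_filename
    return os.path.join(download_dir, filename)


def sanitize_content_filename(filename):
    """Keep only the last path component, so neither '../' segments nor an
    absolute path can leave download_dir (the basename approach pip adopted).
    posixpath handles the '/'-separated form an HTTP header carries and
    os.path.basename additionally strips the host platform's separator."""
    return os.path.basename(posixpath.basename(filename))


def download_path_hardened(download_dir, header_value, default_filename):
    """Fixed behaviour plus one extra caveat: basename('..') is still '..'."""
    filename = filename_from_content_disposition(header_value)
    if filename:
        filename = sanitize_content_filename(filename)
    # '.', '..' and '' survive basename() but are not usable file names:
    # fall back to the name derived from the URL in those cases.
    if filename in (None, "", ".", ".."):
        filename = default_filename
    return os.path.join(download_dir, filename)


def escapes_directory(download_dir, path):
    """True when path, once normalised, does not live under download_dir."""
    base = os.path.realpath(download_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base


if __name__ == "__main__":
    d = "/tmp/pip-dl-example"  # constructed; the directory need not exist
    for label, build in (("vulnerable", download_path_vulnerable),
                         ("hardened", download_path_hardened)):
        p = build(d, MALICIOUS_DISPOSITION, "package.tar.gz")
        print(f"{label:10s} {p}  escapes={escapes_directory(d, p)}")
```

The containment check is deliberately separate from the sanitizer: the sanitizer decides what name to use, while `escapes_directory` is the assertion that catches a regression in whatever sanitizer is in place.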
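CVE-2019-20907 (tarfile) is an infinite loop in a length-prefixed record parser: pax extended headers are a sequence of `LENGTH KEYWORD=VALUE\n` records where LENGTH counts the whole record, and `_proc_pax` advanced its cursor by LENGTH, so a crafted record with length 0 never advanced. The block below is an added example, not CPython's code. It reproduces the loop shape of `_proc_pax`, detects the non-advancing case instead of hanging, and validates lengths more strictly than the upstream fix (which rejects a zero length); the malicious payload is constructed, and the archive-walking helper that pulls a genuine pax header out of a `tarfile`-written archive is also mine.

```python
import io
import re
import tarfile

# Same record pattern tarfile's _proc_pax uses: "<length> <keyword>=<value>\n",
# where <length> counts the whole record including its own digits.
PAX_RECORD = re.compile(rb"(\d+) ([^=]+)=")

# Constructed malicious payload: a zero-length record never moves the cursor.
MALICIOUS_PAX = b"0 path=evil\n"


def pax_record(keyword, value):
    """Encode one well-formed pax record (constructed helper)."""
    body = f" {keyword}={value}\n".encode("utf-8")
    n = len(body)
    # the length field counts its own digits, so grow n until it is self-consistent
    while len(str(n)) + len(body) != n:
        n += 1
    return str(n).encode("ascii") + body


def parse_pax_records(buf, validate=True):
    """Parse the records of a pax extended-header payload into a dict.

    validate=True rejects any record whose length does not move the cursor
    past a complete, newline-terminated record (stricter than the upstream
    fix, which rejects only length 0). validate=False mirrors the unpatched
    loop but raises RuntimeError where it would spin forever.
    """
    records = {}
    pos = 0
    while True:
        m = PAX_RECORD.match(buf, pos)
        if not m:
            break  # end of records (tar pads the block with NULs)
        length = int(m.group(1))
        keyword = m.group(2).decode("utf-8", "surrogateescape")
        end = pos + length
        if validate:
            # must cover at least "<digits> <keyword>=\n", stay inside buf,
            # and end with the newline the format requires
            if length < m.end() - pos + 1 or end > len(buf) or buf[end - 1:end] != b"\n":
                raise ValueError(f"invalid pax record length {length} at offset {pos}")
        elif end <= pos:
            # pos += 0 is exactly the CVE-2019-20907 hang; report it instead
            raise RuntimeError(f"unpatched loop would never advance past offset {pos}")
        records[keyword] = buf[m.end():end - 1].decode("utf-8", "surrogateescape")
        pos = end
    return records


def pax_header_verdict(buf):
    """'accepted' if the validating parser takes the payload, 'hangs-unpatched'
    if only the length check stands between it and an infinite loop, otherwise
    'rejected' (malformed, but the unpatched loop still terminates)."""
    try:
        parse_pax_records(buf, validate=True)
        return "accepted"
    except ValueError:
        pass
    try:
        parse_pax_records(buf, validate=False)
    except RuntimeError:
        return "hangs-unpatched"
    return "rejected"


def first_pax_payload(tar_bytes):
    """Return the payload of the first pax extended header (typeflag 'x') in an
    in-memory tar archive by walking the 512-byte header blocks directly.
    Constructed helper, not part of tarfile's API."""
    off = 0
    while off + 512 <= len(tar_bytes):
        hdr = tar_bytes[off:off + 512]
        if hdr == b"\x00" * 512:
            break  # end-of-archive marker
        size = int(hdr[124:136].split(b"\x00", 1)[0].strip() or b"0", 8)
        if hdr[156:157] == b"x":
            return tar_bytes[off + 512:off + 512 + size]
        off += 512 + ((size + 511) // 512) * 512
    return None


def sample_pax_tar():
    """Build a PAX-format archive whose one member has a >100-character name,
    which forces tarfile to emit a real 'path' extended-header record."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT) as tf:
        data = b"hello\n"
        info = tarfile.TarInfo(name="a" * 120 + ".txt")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return out.getvalue()


if __name__ == "__main__":
    print("tarfile-generated header:", parse_pax_records(first_pax_payload(sample_pax_tar())))
    print("crafted header verdict:", pax_header_verdict(MALICIOUS_PAX))
```

The general lesson is the one a fuzzer finds quickly in any TLV-style parser: a length field supplied by the input must be checked to advance the cursor by at least the bytes already consumed, or a loop keyed on it is a denial of service.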
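CVE-2019-20866 (Mattermost before 5.12.0) describes taking the client address from a proxy-supplied HTTP header rather than from the socket peer, which lets anyone who reaches the server directly choose the identity that rate limits, audit logs or IP allow-lists see. The block below is an added example, not Mattermost's code: a naive extractor beside one that honours the header only when the TCP peer is a proxy the operator runs. It assumes `X-Forwarded-For` as the header and `10.0.0.0/8` as the proxy range, and the request samples are constructed.

```python
import ipaddress


def client_ip_naive(remote_addr, headers):
    """Trusts whatever the request says: the leftmost X-Forwarded-For entry
    wins even when no proxy is in the path. This is the pattern the CVE
    describes."""
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or remote_addr


def client_ip_hardened(remote_addr, headers, trusted_proxies):
    """Only honour X-Forwarded-For when the TCP peer is one of our proxies,
    then walk the chain from the right, discarding our own proxies; the first
    hop we do not own is the client. Anything an attacker prepends sits
    further left and is never reached."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in nets)

    if not is_trusted(remote_addr):
        return remote_addr  # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: key nothing off it, fall back to the peer
    return remote_addr


def attempts_per_identity(requests, extractor, **extractor_kwargs):
    """Count requests per extracted identity, i.e. what a login rate limiter
    keyed on client IP would see (constructed consumer)."""
    counts = {}
    for remote_addr, headers in requests:
        ip = extractor(remote_addr, headers, **extractor_kwargs)
        counts[ip] = counts.get(ip, 0) + 1
    return counts


TRUSTED_PROXIES = ["10.0.0.0/8"]  # assumption: the only reverse proxies we run

# Constructed traffic: one attacker at 203.0.113.7 hitting the server directly
# and rotating a forged header on every request.
DIRECT_FORGED = [("203.0.113.7", {"X-Forwarded-For": f"192.0.2.{i}"}) for i in range(1, 6)]

# Constructed traffic via our proxy at 10.0.0.2: the client is 198.51.100.9;
# on the second request it also tried to prepend a loopback address.
VIA_PROXY = [
    ("10.0.0.2", {"X-Forwarded-For": "198.51.100.9"}),
    ("10.0.0.2", {"X-Forwarded-For": "127.0.0.1, 198.51.100.9"}),
]

if __name__ == "__main__":
    print("naive   :", attempts_per_identity(DIRECT_FORGED, client_ip_naive))
    print("hardened:", attempts_per_identity(DIRECT_FORGED, client_ip_hardened,
                                             trusted_proxies=TRUSTED_PROXIES))
```

With the naive extractor the five direct requests look like five different clients, so a per-IP lockout never triggers; with the hardened one they all collapse onto the socket peer. The proxy list has to be the real set of hops in front of the application, including any CDN range, or legitimate clients behind an unlisted proxy are all attributed to that proxy.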