The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-16734 | Use of default credentials for the TELNET server in Petwant PF-103 firmware 4.3.2.50 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | HIGH | Dec 13, 2019 |
| CVE-2019-16733 | processCommandSetUid() in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | HIGH | Dec 13, 2019 |
| CVE-2019-16732 | Unencrypted HTTP communications for firmware upgrades in Petalk AI and PF-103 allow man-in-the-middle attackers to run arbitrary code as the root user. | HIGH | Dec 13, 2019 |
| CVE-2019-16731 | The udpServerSys service in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to initiate firmware upgrades and alter device settings. | MEDIUM | Dec 13, 2019 |
| CVE-2019-16730 | processCommandUpgrade() in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | HIGH | Dec 13, 2019 |
| CVE-2019-16729 | pam-python before 1.0.7-1 has an issue in regard to the default environment variable handling of Python, which could allow for local root escalation in certain PAM setups. | High | Sep 24, 2019 |
| CVE-2019-16728 | DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari. | MEDIUM | Sep 24, 2019 |
| CVE-2019-16725 | In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates. | MEDIUM | Sep 25, 2019 |
| CVE-2019-16724 | File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow in an HTTP POST parameter, a similar issue to CVE-2010-2330 and CVE-2010-2331. | HIGH | Sep 26, 2019 |
| CVE-2019-16723 | In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. | MEDIUM | Sep 23, 2019 |
| CVE-2019-16722 | ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses an str_ireplace operation. | HIGH | Sep 23, 2019 |
| CVE-2019-16721 | NoneCMS v1.3 has CSRF in public/index.php/admin/admin/dele.html, as demonstrated by deleting the admin user. | MEDIUM | Sep 23, 2019 |
| CVE-2019-16720 | ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins/ueditor/php/controller.php?upfolder=news&action=catchimage, as demonstrated by uploading a .htaccess or .php5 file. | MEDIUM | Sep 23, 2019 |
| CVE-2019-16719 | WTCMS 1.0 allows index.php?g=admin&m=index&a=index CSRF with resultant XSS. | MEDIUM | Sep 23, 2019 |
| CVE-2019-16718 | In radare2 before 3.9.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it\'s possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to an insufficient fix for CVE-2019-14745 and improper handling of symbol names embedded in executables. | MEDIUM | Sep 23, 2019 |
| CVE-2019-16717 | OX App Suite through 7.10.2 has XSS. | MEDIUM | Jan 9, 2020 |
| CVE-2019-16716 | OX App Suite through 7.10.2 has Incorrect Access Control. | HIGH | Jan 15, 2020 |
| CVE-2019-16714 | In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized. | Medium | Sep 24, 2019 |
| CVE-2019-16713 | ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c. | Medium | Sep 23, 2019 |
| CVE-2019-16712 | ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image. | Medium | Sep 23, 2019 |
| CVE-2019-16711 | ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c. | Medium | Sep 23, 2019 |
| CVE-2019-16710 | ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c. | Medium | Sep 23, 2019 |
| CVE-2019-16709 | ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage. | Medium | Sep 23, 2019 |
| CVE-2019-16708 | ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage. | Medium | Sep 23, 2019 |
| CVE-2019-16707 | Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring in suggestmgr.cxx. | Medium | Sep 23, 2019 |
| CVE-2019-16706 | kkcms v1.3 has a CSRF vulnerablity that can add an user account via admin/cms_user_add.php. | MEDIUM | Sep 23, 2019 |
| CVE-2019-16705 | Ming (aka libming) 0.4.8 has an out of bounds read vulnerability in the function OpCode() in the decompile.c file in libutil.a. | MEDIUM | Sep 23, 2019 |
| CVE-2019-16704 | admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS. | -- | Sep 23, 2019 |
| CVE-2019-16703 | admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. | -- | Sep 23, 2019 |
| CVE-2019-16702 | Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary code via a buffer overflow involving a long NoJs parameter to the /LoginAdmin URI. | -- | Sep 23, 2019 |
| CVE-2019-16701 | pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value. | HIGH | Sep 25, 2019 |
| CVE-2019-16700 | The slub_events (aka SLUB: Event Registration) extension through 3.0.2 for TYPO3 allows uploading of arbitrary files to the webserver. For versions 1.2.2 and below, this results in Remote Code Execution. In versions later than 1.2.2, this can result in Denial of Service, since the web space can be filled up with arbitrary files. | HIGH | Oct 31, 2019 |
| CVE-2019-16699 | The sr_freecap (aka freeCap CAPTCHA) extension 2.4.5 and below and 2.5.2 and below for TYPO3 fails to sanitize user input, which allows execution of arbitrary Extbase actions, resulting in Remote Code Execution. | HIGH | Oct 21, 2019 |
| CVE-2019-16698 | The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user (with restricted permissions to the fe_users table) to view and export data of frontend users who are subscribed to a newsletter. | MEDIUM | Oct 21, 2019 |
| CVE-2019-16696 | phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used. | HIGH | Sep 23, 2019 |
| CVE-2019-16695 | phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used. | HIGH | Sep 23, 2019 |
| CVE-2019-16694 | phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used. | HIGH | Sep 23, 2019 |
| CVE-2019-16693 | phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used. | HIGH | Sep 23, 2019 |
| CVE-2019-16692 | phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used. | HIGH | Oct 1, 2019 |
| CVE-2019-16691 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
| CVE-2019-16688 | Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.) | LOW | Sep 30, 2019 |
| CVE-2019-16687 | Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the \"Create/modify other users, groups and permissions\" privilege can inject script and can also achieve privilege escalation. | LOW | Sep 30, 2019 |
| CVE-2019-16686 | Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin. | LOW | Sep 30, 2019 |
| CVE-2019-16685 | Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the \"Create/modify other users, groups and permissions\" privilege can inject script and can also achieve privilege escalation. | LOW | Oct 1, 2019 |
| CVE-2019-16684 | An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes. | LOW | Oct 4, 2019 |
| CVE-2019-16683 | An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes. | LOW | Oct 4, 2019 |
| CVE-2019-16682 | The url_redirect (aka URL redirect) extension through 1.2.1 for TYPO3 fails to properly sanitize user input and is susceptible to SQL Injection. | HIGH | Oct 21, 2019 |
| CVE-2019-16681 | The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to the opening of arbitrary URLs, which can inject deceptive content into the UI. (When in physical possession of the device, opening local files is also possible.) NOTE: As of2019-09-23, the vendor has not agreed that this issue has serious impact. The vendor states that the issue is not critical because it does not allow Elevation of Privilege, Sensitive Data Leakage, or any critical unauthorized activity from a malicious user. The vendor also states that a victim must first install a malicious APK to their application. | LOW | Sep 24, 2019 |
| CVE-2019-16680 | An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction. | MEDIUM | Sep 25, 2019 |
| CVE-2019-16679 | Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion. | MEDIUM | Sep 23, 2019 |
