The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-16384 | Cybele Thinfinity VirtualUI 2.5.17.2 allows ../ path traversal that can be used for data exfiltration. This enables files outside of the web directory to be retrieved if the exact location is known and the user has permissions. | MEDIUM | Jun 5, 2020 |
| CVE-2019-16383 | MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or may be able to alter the database via the REST API, aka SQL Injection. | Medium | Sep 25, 2019 |
| CVE-2019-16382 | An issue was discovered in Ivanti Workspace Control 10.3.110.0. One is able to bypass Ivanti\'s FileGuard folder protection by renaming the WMTemp work folder used by PowerGrid. A malicious PowerGrid XML file can then be created, after which the folder is renamed back to its original value. Also, CVE-2018-15591 exploitation can consequently be achieved by using PowerGrid with the /SEE parameter to execute the arbitrary command specified in the XML file. | HIGH | Mar 19, 2020 |
| CVE-2019-16378 | OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a signature-bypass vulnerability with multiple From: addresses, which might affect applications that consider a domain name to be relevant to the origin of an e-mail message. | HIGH | Sep 17, 2019 |
| CVE-2019-16377 | The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Control. | HIGH | Sep 23, 2019 |
| CVE-2019-16375 | An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article. | LOW | Mar 19, 2020 |
| CVE-2019-16374 | Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control. | HIGH | Aug 13, 2020 |
| CVE-2019-16371 | LogMeIn LastPass before 4.33.0 allows attackers to construct a crafted web site that captures the credentials for a victim\'s account on a previously visited web site, because do_popupregister can be bypassed via clickjacking. | MEDIUM | Sep 17, 2019 |
| CVE-2019-16370 | The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900. | MEDIUM | Sep 19, 2019 |
| CVE-2019-16366 | In XS 9.0.0 in Moddable SDK OS180329, there is a heap-based buffer overflow in fxBeginHost in xsAPI.c when called from fxRunDefine in xsRun.c, as demonstrated by crafted JavaScript code to xst. | HIGH | Sep 17, 2019 |
| CVE-2019-16355 | The File Session Manager in Beego 1.10.0 allows local users to read session files because of weak permissions for individual files. | LOW | Sep 17, 2019 |
| CVE-2019-16354 | The File Session Manager in Beego 1.10.0 allows local users to read session files because there is a race condition involving file creation within a directory with weak permissions. | LOW | Sep 17, 2019 |
| CVE-2019-16353 | Emerson GE Automation Proficy Machine Edition 8.0 allows an access violation and application crash via crafted traffic from a remote device, as demonstrated by an RX7i device. | MEDIUM | Sep 18, 2019 |
| CVE-2019-16352 | ffjpeg before2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c. | MEDIUM | Sep 16, 2019 |
| CVE-2019-16351 | ffjpeg before2019-08-18 has a NULL pointer dereference in huffman_decode_step() at huffman.c. | MEDIUM | Sep 16, 2019 |
| CVE-2019-16350 | ffjpeg before2019-08-18 has a NULL pointer dereference in idct2d8x8() at dct.c. | MEDIUM | Sep 16, 2019 |
| CVE-2019-16349 | Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::ReadUI32 in Core/Ap4ByteStream.cpp when called from the AP4_TrunAtom class. | MEDIUM | Sep 17, 2019 |
| CVE-2019-16348 | marc-q libwav through 2017-04-20 has a NULL pointer dereference in gain_file() at wav_gain.c. | Medium | Sep 16, 2019 |
| CVE-2019-16347 | ngiflib 0.4 has a heap-based buffer overflow in WritePixels() in ngiflib.c when called from DecodeGifImg, because deinterlacing for small pictures is mishandled. | MEDIUM | Sep 16, 2019 |
| CVE-2019-16346 | ngiflib 0.4 has a heap-based buffer overflow in WritePixel() in ngiflib.c when called from DecodeGifImg, because deinterlacing for small pictures is mishandled. | MEDIUM | Sep 16, 2019 |
| CVE-2019-16344 | A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attacker to inject arbitrary web script or HTML via the username or password parameter. | MEDIUM | Oct 17, 2019 |
| CVE-2019-16340 | Belkin Linksys Velop 1.1.8.192419 devices allows remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI. | MEDIUM | Nov 25, 2019 |
| CVE-2019-16338 | The tfo_common component in HwordApp.dll in Hancom Office 9.6.1.7634 allows a use-after-free via a crafted .docx file. | MEDIUM | Mar 19, 2020 |
| CVE-2019-16337 | The hncbd90 component in Hancom Office 9.6.1.9403 allows a use-after-free via an unknown object in a crafted .docx file. | MEDIUM | Mar 19, 2020 |
| CVE-2019-16336 | The Bluetooth Low Energy implementation in Cypress PSoC 4 BLE component 3.61 and earlier processes data channel frames with a payload length larger than the configured link layer maximum RX payload size, which allows attackers (in radio range) to cause a denial of service (crash) via a crafted BLE Link Layer frame. | LOW | Feb 12, 2020 |
| CVE-2019-16335 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. | HIGH | Sep 24, 2019 |
| CVE-2019-16334 | In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap CVE-2017-16636. | LOW | Sep 16, 2019 |
| CVE-2019-16333 | GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php. | LOW | Sep 19, 2019 |
| CVE-2019-16332 | In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS. | MEDIUM | Oct 8, 2019 |
| CVE-2019-16330 | In NCH Express Accounts Accounting v7.02, persistent cross site scripting (XSS) exists in Invoices/Sales Orders/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Sales Orders/Items/Customers/Quotes fields parameter to inject arbitrary JavaScript. | LOW | Oct 21, 2019 |
| CVE-2019-16328 | In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings. | MEDIUM | Oct 10, 2019 |
| CVE-2019-16327 | D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypass. They do not check for authentication at the server side and rely on client-side validation, which is bypassable. NOTE: this is an end-of-life product. | HIGH | Dec 26, 2019 |
| CVE-2019-16326 | D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token is implemented. A remote attacker could exploit this in conjunction with CVE-2019-16327 to enable remote router management and device compromise. NOTE: this is an end-of-life product. | MEDIUM | Dec 26, 2019 |
| CVE-2019-16321 | ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO. | MEDIUM | Sep 18, 2019 |
| CVE-2019-16320 | Cobham Sea Tel v170 224521 through v194 225444 devices allow attackers to obtain potentially sensitive information, such as a vessel\'s latitude and longitude, via the public SNMP community. | MEDIUM | Sep 18, 2019 |
| CVE-2019-16319 | In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector could go into an infinite loop. This was addressed in plugins/epan/gryphon/packet-gryphon.c by checking for a message length of zero. | HIGH | Sep 15, 2019 |
| CVE-2019-16318 | In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317. | MEDIUM | Sep 17, 2019 |
| CVE-2019-16317 | In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318. | MEDIUM | Sep 17, 2019 |
| CVE-2019-16314 | Indexhibit 2.1.5 allows a product reinstallation, with resultant remote code execution, via /ndxzstudio/install.php?p=2. | HIGH | Sep 16, 2019 |
| CVE-2019-16313 | ifw8 Router ROM v4.31 allows credential disclosure by reading the action/usermanager.htm HTML source code. | MEDIUM | Sep 16, 2019 |
| CVE-2019-16312 | s-cms V3.0 has XSS in index.php?type=text via the S_id parameter. | MEDIUM | Sep 16, 2019 |
| CVE-2019-16311 | NIUSHOP V1.11 has CSRF via search_info to index.php. | MEDIUM | Sep 16, 2019 |
| CVE-2019-16310 | NIUSHOP V1.11 has XSS via the index.php?s=/admin URI. | LOW | Sep 16, 2019 |
| CVE-2019-16309 | FlameCMS 3.3.5 has SQL injection in account/login.php via accountName. | HIGH | Sep 16, 2019 |
| CVE-2019-16307 | A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKey parameter (deleteWebExMeetingCheck.jsp). | MEDIUM | Sep 18, 2019 |
| CVE-2019-16305 | In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to command injection. A crafted link can trigger a popup asking whether the user wants to run MobaXterm to handle the link. If accepted, another popup appears asking for further confirmation. If this is also accepted, command execution is achieved, as demonstrated by the MobaXterm://`calc` URI. | MEDIUM | Sep 16, 2019 |
| CVE-2019-16303 | A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover. | HIGH | Sep 16, 2019 |
| CVE-2019-16302 | An issue was discovered in Open Network Operating System (ONOS) 1.14. In the Ethernet VPN application (org.onosproject.evpnopenflow), the host event listener does not handle the following event types: HOST_MOVED, HOST_UPDATED. In combination with other applications, this could lead to the absence of intended code execution. | MEDIUM | Feb 25, 2020 |
| CVE-2019-16301 | An issue was discovered in Open Network Operating System (ONOS) 1.14. In the virtual tenant network application (org.onosproject.vtn), the host event listener does not handle the following event types: HOST_MOVED. In combination with other applications, this could lead to the absence of intended code execution. | MEDIUM | Feb 25, 2020 |
| CVE-2019-16300 | An issue was discovered in Open Network Operating System (ONOS) 1.14. In the access control application (org.onosproject.acl), the host event listener does not handle the following event types: HOST_REMOVED. In combination with other applications, this could lead to the absence of intended code execution. | MEDIUM | Feb 25, 2020 |
