Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID Description Priority Modified date
CVE-2019-15685 Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, Kaspersky Security Cloud up to 2020, the web protection component allowed an attacker to remotely disable such product's security features as private browsing and anti-banner. Bypass. MEDIUM Nov 26, 2019
CVE-2019-15684 Kaspersky Protection extension for web browser Google Chrome prior to 30.112.62.0 was vulnerable to unauthorized access to its features remotely that could lead to removing other installed extensions. MEDIUM Nov 25, 2019
CVE-2019-15683 TurboVNC server code contains stack buffer overflow vulnerability in commit prior to cea98166008301e614e0d36776bf9435a536136e. This could possibly result in remote code execution, since stack frame is not protected with stack canary. This attack appears to be exploitable via network connectivity. To exploit this vulnerability authorization on server is required. These issues have been fixed in commit cea98166008301e614e0d36776bf9435a536136e. HIGH Oct 29, 2019
CVE-2019-15682 RDesktop version 1.8.4 contains multiple out-of-bound access read vulnerabilities in its code, which results in a denial of service (DoS) condition. This attack appears to be exploitable via network connectivity. These issues have been fixed in version 1.8.5. MEDIUM Oct 30, 2019
CVE-2019-15681 LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in commit d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a. MEDIUM Oct 29, 2019
CVE-2019-15680 TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results in Denial of System (DoS). This attack appears to be exploitable via network connectivity. MEDIUM Oct 30, 2019
CVE-2019-15679 TightVNC code version 1.3.10 contains heap buffer overflow in InitialiseRFBConnection function, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. HIGH Oct 30, 2019
CVE-2019-15678 TightVNC code version 1.3.10 contains heap buffer overflow in rfbServerCutText handler, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. HIGH Oct 30, 2019
CVE-2019-15666 An issue was discovered in the Linux kernel before 5.0.19. There is an out-of-bounds array access in __xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandles directory validation. HIGH Aug 27, 2019
CVE-2019-15665 An issue was discovered in Rivet Killer Control Center before 2.1.1352. IOCTL 0x120004 in KfeCo10X64.sys fails to validate an offset passed as a parameter during a memory operation, leading to an arbitrary write primitive that can lead to code execution or escalation of privileges. HIGH Mar 26, 2020
CVE-2019-15664 An issue was discovered in Rivet Killer Control Center before 2.1.1352. IOCTL 0x120404 in KfeCo10X64.sys fails to validate an offset passed as a parameter during a memory operation, leading to an out-of-bounds read that can be used as part of a chain to escalate privileges (issue 2 of 2). MEDIUM Mar 26, 2020
CVE-2019-15663 An issue was discovered in Rivet Killer Control Center before 2.1.1352. IOCTL 0x120404 in KfeCo10X64.sys fails to validate an offset passed as a parameter during a memory operation, leading to an out-of-bounds read that can be used as part of a chain to escalate privileges (issue 1 of 2). MEDIUM Mar 26, 2020
CVE-2019-15662 An issue was discovered in Rivet Killer Control Center before 2.1.1352. IOCTL 0x120444 in KfeCo10X64.sys fails to validate an offset passed as a parameter during a memory operation, leading to an arbitrary read primitive that can be used as part of a chain to escalate privileges. MEDIUM Mar 26, 2020
CVE-2019-15661 An issue was discovered in Rivet Killer Control Center before 2.1.1352. IOCTL 0x120004 in KfeCo10X64.sys fails to validate parameters, leading to a stack-based buffer overflow, which can lead to code execution or escalation of privileges. HIGH Mar 26, 2020
CVE-2019-15660 The wp-members plugin before 3.2.8 for WordPress has CSRF. MEDIUM Aug 28, 2019
CVE-2019-15659 The pie-register plugin before 3.1.2 for WordPress has SQL injection, a different issue than CVE-2018-10969. HIGH Aug 28, 2019
CVE-2019-15658 connect-pg-simple before 6.0.1 allows SQL injection if tableName or schemaName is untrusted data. HIGH Aug 30, 2019
CVE-2019-15657 In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code. HIGH Aug 30, 2019
CVE-2019-15656 D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are prone to information disclosure via a simple crafted request to index.asp on the web management server because of username_v and password_v variables. MEDIUM Mar 19, 2020
CVE-2019-15655 D-Link DSL-2875AL devices through 1.00.05 are prone to password disclosure via a simple crafted /romfile.cfg request to the web management server. This request doesn't require any authentication and will lead to saving the configuration file. The password is stored in cleartext. MEDIUM Mar 19, 2020
CVE-2019-15654 Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. The request doesn't require any authentication and will lead to saving the DBconfig.cfg file. At the end of the file, the login information is stored in cleartext. MEDIUM Mar 19, 2020
CVE-2019-15653 Comba AP2600-I devices through A02,0202N00PD2 are prone to password disclosure via an insecure authentication mechanism. The HTML source code of the login page contains values that allow obtaining the username and password. The username and password values are a double md5 of the plaintext real value, i.e., md5(md5(value)). MEDIUM Mar 19, 2020
CVE-2019-15652 The web interface for NSSLGlobal SatLink VSAT Modem Unit (VMU) devices before 18.1.0 doesn't properly sanitize input for error messages, leading to the ability to inject client-side code. MEDIUM Nov 22, 2019
CVE-2019-15651 wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex. HIGH Aug 27, 2019
CVE-2019-15650 The stops-core-theme-and-plugin-updates plugin before 8.0.5 for WordPress has insufficient restrictions on option changes (such as disabling unattended theme updates) because of a nonce check error. MEDIUM Aug 29, 2019
CVE-2019-15649 The insert-or-embed-articulate-content-into-wordpress plugin before 4.2999 for WordPress has insufficient restrictions on file upload. MEDIUM Aug 30, 2019
CVE-2019-15648 The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber. MEDIUM Aug 29, 2019
CVE-2019-15647 The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution. MEDIUM Aug 29, 2019
CVE-2019-15646 The rsvpmaker plugin before 6.2 for WordPress has SQL injection. HIGH Aug 28, 2019
CVE-2019-15645 The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF. MEDIUM Aug 28, 2019
CVE-2019-15644 The zoho-salesiq plugin before 1.0.9 for WordPress has stored XSS. MEDIUM Aug 28, 2019
CVE-2019-15643 The ultimate-faqs plugin before 1.8.22 for WordPress has XSS. MEDIUM Aug 28, 2019
CVE-2019-15642 rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users. MEDIUM Aug 26, 2019
CVE-2019-15641 xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi. MEDIUM Aug 26, 2019
CVE-2019-15640 Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an image. -- Aug 26, 2019
CVE-2019-15639 main/translate.c in Sangoma Asterisk 13.28.0 and 16.5.0 allows a remote attacker to send a specific RTP packet during a call and cause a crash in a specific scenario. MEDIUM Sep 10, 2019
CVE-2019-15638 COPA-DATA zenone32 zenon Editor through 8.10 has an Uncontrolled Search Path Element. MEDIUM Dec 14, 2019
CVE-2019-15637 Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop. -- Aug 26, 2019
CVE-2019-15635 An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box. MEDIUM Oct 9, 2019
CVE-2019-15631 Remote Code Execution vulnerability in MuleSoft Mule CE/EE 3.x and API Gateway 2.x released before October 31, 2019 allows remote attackers to execute arbitrary code. HIGH Dec 13, 2019
CVE-2019-15630 Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process. MEDIUM Sep 5, 2019
CVE-2019-15629 Trend Micro Password Manager versions 3.x, 5.0, and 5.1 for Android is affected by a FLAG_MISUSE vulnerability that could be exploited to allow the application to share information to third-party applications on the device. MEDIUM Nov 26, 2019
CVE-2019-15628 Trend Micro Security (Consumer) 2020 (v16.0.1221 and below) is affected by a DLL hijacking vulnerability that could allow an attacker to use a specific service as an execution and/or persistence mechanism which could execute a malicious program each time the service is started. MEDIUM Dec 13, 2019
CVE-2019-15627 Versions 10.0, 11.0 and 12.0 of the Trend Micro Deep Security Agent are vulnerable to an arbitrary file delete attack, which may lead to availability impact. Local OS access is required. Please note that only Windows agents are affected. MEDIUM Oct 22, 2019
CVE-2019-15626 The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability. MEDIUM Oct 22, 2019
CVE-2019-15625 A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information. LOW Jan 18, 2020
CVE-2019-15624 Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders. MEDIUM Feb 11, 2020
CVE-2019-15623 Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled. MEDIUM Feb 6, 2020
CVE-2019-15622 Not strictly enough sanitization in the Nextcloud Android app 3.6.0 allowed an attacker to get content information from protected tables when using custom queries. LOW Feb 12, 2020
CVE-2019-15621 Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link. MEDIUM Feb 12, 2020
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.