The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-19724 | Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services. | MEDIUM | Dec 19, 2019 |
| CVE-2019-19722 | In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. | MEDIUM | Dec 13, 2019 |
| CVE-2019-19721 | An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a denial of service (memory corruption) via a crafted image file. NOTE: this may be related to the SDL_Image product. | MEDIUM | May 15, 2020 |
| CVE-2019-19720 | Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file. | MEDIUM | Dec 11, 2019 |
| CVE-2019-19719 | Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page. | MEDIUM | Dec 12, 2019 |
| CVE-2019-19714 | Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered. | MEDIUM | Dec 18, 2019 |
| CVE-2019-19712 | Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. | MEDIUM | Dec 17, 2019 |
| CVE-2019-19709 | MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page. | MEDIUM | Dec 11, 2019 |
| CVE-2019-19708 | The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute. | MEDIUM | Dec 11, 2019 |
| CVE-2019-19707 | On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware through 6.0), denial of service can occur via PROFINET DCE-RPC endpoint discovery packets. | HIGH | Dec 11, 2019 |
| CVE-2019-19705 | Realtek Audio Drivers for Windows, as used on the Lenovo ThinkPad X1 Carbon 20A7, 20A8, 20BS, and 20BT before 6.0.8882.1 and 20KH and 20KG before 6.0.8907.1 (and on many other Lenovo and non-Lenovo products), mishandles DLL preloading. | -- | Dec 27, 2022 |
| CVE-2019-19704 | In JetBrains Upsource before 2020.1, information disclosure is possible because of an incorrect user matching algorithm. | MEDIUM | Aug 9, 2020 |
| CVE-2019-19703 | In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location. | MEDIUM | Dec 13, 2019 |
| CVE-2019-19702 | The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain. | MEDIUM | Dec 11, 2019 |
| CVE-2019-19699 | There is Authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration, This allows the apache user to modify an executable file executed by root at 22:30 every day. To exploit the vulnerability, someone must have Admin access to the Centreon Web Interface and create a custom main.php?p=60803&type=3 command. The user must then set the Pollers Post-Restart Command to this previously created command via the main.php?p=60901&o=c&server_id=1 URI. This is triggered via an export of the Poller Configuration. | HIGH | Apr 6, 2020 |
| CVE-2019-19698 | marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c. | MEDIUM | Dec 11, 2019 |
| CVE-2019-19697 | An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administrator privileges on the target machine in order to exploit the vulnerability. | HIGH | Jan 18, 2020 |
| CVE-2019-19696 | A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishing sites. | LOW | Jan 18, 2020 |
| CVE-2019-19695 | A privilege escalation vulnerability in Trend Micro Antivirus for Mac 2019 (v9.0.1379 and below) could potentially allow an attacker to create a symbolic link to a target file and modify it. | MEDIUM | Dec 26, 2019 |
| CVE-2019-19694 | The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product\'s malware protection functions or the entire product completely.. | LOW | Feb 28, 2020 |
| CVE-2019-19693 | The Trend Micro Security 2020 consumer family of products contains a vulnerability that could allow a local attacker to disclose sensitive information or to create a denial-of-service condition on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | LOW | Dec 20, 2019 |
| CVE-2019-19692 | Trend Micro Apex One (2019) is affected by a cross-site scripting (XSS) vulnerability on the product console. Note that the Japanese version of the product is NOT affected. | MEDIUM | Dec 20, 2019 |
| CVE-2019-19691 | A vulnerability in Trend Micro Apex One and OfficeScan XG could allow an attacker to expose a masked credential key by manipulating page elements using development tools. Note that the attacker must already have admin/root privileges on the product console to exploit this vulnerability. | MEDIUM | Dec 20, 2019 |
| CVE-2019-19690 | Trend Micro Mobile Security for Android (Consumer) versions 10.3.1 and below on Android 8.0+ has an issue in which an attacker could bypass the product\'s App Password Protection feature. | HIGH | Dec 18, 2019 |
| CVE-2019-19689 | Trend Micro HouseCall for Home Networks (versions below 5.3.0.1063) could be exploited via a DLL Hijack related to a vulnerability on the packer that the program uses. | MEDIUM | Dec 27, 2019 |
| CVE-2019-19688 | A privilege escalation vulnerability in Trend Micro HouseCall for Home Networks (versions below 5.3.0.1063) could be exploited allowing an attacker to place a malicious DLL file into the application directory and elevate privileges. | MEDIUM | Dec 18, 2019 |
| CVE-2019-19687 | OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users\' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.) | LOW | Dec 9, 2019 |
| CVE-2019-19685 | RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions. | MEDIUM | Dec 9, 2019 |
| CVE-2019-19684 | nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin. | MEDIUM | Dec 11, 2019 |
| CVE-2019-19683 | RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to ../ path traversal via d or f to Admin/RoxyFileman/ProcessRequest because of Libraries/Nop.Services/Media/RoxyFileman/FileRoxyFilemanService.cs. | HIGH | Dec 9, 2019 |
| CVE-2019-19682 | nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \\Presentation\\Nop.Web\\Areas\\Admin\\Controllers\\NewsController.cs and \\Presentation\\Nop.Web\\Areas\\Admin\\Controllers\\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/[id] Admin/Blog/BlogPostEdit/[id]. NOTE: the vendor reportedly considers this a feature because the affected components are an HTML content editor. | LOW | Dec 10, 2019 |
| CVE-2019-19681 | Pandora FMS 7.x suffers from remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert commands, you need to have admin rights. They also state that the extended ACL system can disable access to specific sections of the configuration, such as defining new alert commands | HIGH | Dec 26, 2019 |
| CVE-2019-19680 | A file-extension filtering vulnerability in Proofpoint Enterprise Protection (PPS / PoD), in the unpatched versions of PPS through 8.9.22 and 8.14.2 respectively, allows attackers to bypass protection mechanisms (related to extensions, MIME types, virus detection, and journal entries for transmitted files) by sending malformed (not RFC compliant) multipart email. | MEDIUM | Jan 16, 2020 |
| CVE-2019-19679 | In Xray Test Management for Jira prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue. | LOW | Dec 11, 2019 |
| CVE-2019-19678 | In Xray Test Management for Jira prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue. | LOW | Dec 11, 2019 |
| CVE-2019-19677 | arxes-tolina 3.0.0 allows User Enumeration. | MEDIUM | Mar 19, 2020 |
| CVE-2019-19676 | A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user\'s PC. | HIGH | Mar 19, 2020 |
| CVE-2019-19675 | In Ivanti Workspace Control before 10.3.180.0. a locally authenticated user with low privileges can bypass Managed Application Security by leveraging an unspecified attack vector in Workspace Preferences, when it is enabled. As a result, the attacker can start applications that should be blocked. | MEDIUM | Dec 17, 2019 |
| CVE-2019-19670 | A HTTP Response Splitting vulnerability was identified in the Web Settings Component of Web File Manager in Rumpus FTP Server 8.2.9.1. A successful exploit can result in stored XSS, website defacement, etc. via ExtraHTTPHeader to RAPR/WebSettingsGeneralSet.html. | MEDIUM | Feb 11, 2020 |
| CVE-2019-19669 | A CSRF vulnerability exists in the Upload Center Forms Component of Web File Manager in Rumpus FTP 8.2.9.1. This could allow an attacker to delete, create, and update the upload forms via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 11, 2020 |
| CVE-2019-19668 | A CSRF vulnerability exists in the File Types component of Web File Manager in Rumpus FTP 8.2.9.1 that allows an attacker to add or delete the file types that are used on the server via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 11, 2020 |
| CVE-2019-19667 | A CSRF vulnerability exists in the Block Clients component of Web File Manager in Rumpus FTP 8.2.9.1 that could allow an attacker to whitelist or block any IP address via RAPR/BlockedClients.html. | MEDIUM | Feb 11, 2020 |
| CVE-2019-19666 | A CSRF vulnerability exists in the Event Notices Settings of Web File Manager in Rumpus FTP 8.2.9.1. An attacker can create/update event notices via RAPR/EventNoticesSet.html. | MEDIUM | Feb 11, 2020 |
| CVE-2019-19665 | A CSRF vulnerability exists in the FTP Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server FTP settings at RAPR/FTPSettingsSet.html. | MEDIUM | Feb 11, 2020 |
| CVE-2019-19664 | A CSRF vulnerability exists in the Web Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server Web settings at RAPR/WebSettingsGeneralSet.html. | MEDIUM | Feb 10, 2020 |
| CVE-2019-19663 | A CSRF vulnerability exists in the Folder Sets Settings of Web File Manager in Rumpus FTP 8.2.9.1. This allows an attacker to Create/Delete Folders after exploiting it at RAPR/FolderSetsSet.html. | MEDIUM | Feb 10, 2020 |
| CVE-2019-19662 | A CSRF vulnerability exists in the Web File Manager\'s Create/Delete Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can Create and Delete accounts via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 10, 2020 |
| CVE-2019-19661 | A Cookie based reflected XSS exists in the Web File Manager of Rumpus FTP Server 8.2.9.1, related to RumpusLoginUserName and snp. | MEDIUM | Feb 11, 2020 |
| CVE-2019-19660 | A CSRF vulnerability exists in the Web File Manager\'s Network Setting functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can manipulate the SMTP setting and other network settings via RAPR/NetworkSettingsSet.html. | MEDIUM | Feb 11, 2020 |
| CVE-2019-19659 | A CSRF vulnerability exists in the Web File Manager\'s Edit Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can take over a user account by changing the password, update users\' details, and escalate privileges via RAPR/DefineUsersSet.html. | MEDIUM | Feb 11, 2020 |
