The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-8449 | The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | MEDIUM | Sep 11, 2019 |
| CVE-2019-8448 | The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | MEDIUM | Aug 19, 2019 |
| CVE-2019-8447 | The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability. | MEDIUM | Aug 29, 2019 |
| CVE-2019-8446 | The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check. | MEDIUM | Aug 28, 2019 |
| CVE-2019-8445 | Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check. | MEDIUM | Aug 29, 2019 |
| CVE-2019-8444 | The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification. | LOW | Aug 30, 2019 |
| CVE-2019-8443 | The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator\'s session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass \"WebSudo\" through an improper access control vulnerability. | MEDIUM | May 27, 2019 |
| CVE-2019-8442 | The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. | MEDIUM | May 27, 2019 |
| CVE-2019-8440 | An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the third textbox (aka site logo) of \"System setting->site setting\" of admin/index.php, aka site_logo. | LOW | Mar 20, 2019 |
| CVE-2019-8439 | An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the second textbox of \"System setting->site setting\" of admin/index.php, aka site_domain. | LOW | Mar 20, 2019 |
| CVE-2019-8438 | An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the first textbox of \"System setting->site setting\" of admin/index.php, aka site_name. | LOW | Mar 20, 2019 |
| CVE-2019-8437 | njiandan-cms through 2013-05-23 has index.php/admin/user_new CSRF to add an administrator. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8436 | imcat 4.5 has Stored XSS via the root/run/adm.php fm[instop][note] parameter. | LOW | Mar 20, 2019 |
| CVE-2019-8435 | admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header. | LOW | Mar 20, 2019 |
| CVE-2019-8434 | In CmsEasy 7.0, there is XSS via the ckplayer.php autoplay parameter. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8433 | JTBC(PHP) 3.0.1.8 allows Arbitrary File Upload via the console/#/console/file/manage.php?type=list URI, as demonstrated by a .php file. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8432 | In CmsEasy 7.0, there is XSS via the ckplayer.php url parameter. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8429 | ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. | HIGH | Mar 20, 2019 |
| CVE-2019-8428 | ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value. | HIGH | Mar 20, 2019 |
| CVE-2019-8427 | daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters. | HIGH | Mar 20, 2019 |
| CVE-2019-8426 | skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8425 | includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8424 | ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter. | HIGH | Mar 20, 2019 |
| CVE-2019-8423 | ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter. | HIGH | Mar 20, 2019 |
| CVE-2019-8422 | A SQL Injection vulnerability exists in PbootCMS v1.3.2 via the description parameter in apps\\admin\\controller\\content\\ContentController.php. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8421 | upload/protected/modules/admini/views/post/index.php in BageCMS through 3.1.4 allows SQL Injection via the title or titleAlias parameter. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8419 | VNote 2.2 has XSS via a new text note. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8418 | SeaCMS 7.2 mishandles member.php?mod=repsw4 requests. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8413 | On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer dereference in the ioctl interface of the device file /dev/elliptic1 or /dev/elliptic0 causes a system crash via IOCTL 0x4008c575 (aka decimal 1074316661). | MEDIUM | Mar 20, 2019 |
| CVE-2019-8412 | FeiFeiCms 4.0.181010 on Windows allows remote attackers to read or delete arbitrary files via index.php?s=Admin-Data-Down-id-..\\ or index.php?s=Admin-Data-Del-id-..\\ directory traversal. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8411 | admin/dl_data.php in zzcms 2018 (2018-10-19) allows remote attackers to delete arbitrary files via action=del&filename=../ directory traversal. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8410 | Maccms 8.0 allows XSS via the inc/config/cache.php t_key parameter because template/paody/html/vod_type.html mishandles the keywords parameter, and a/tpl/module/db.php only filters the t_name parameter (not t_key). | MEDIUM | Mar 20, 2019 |
| CVE-2019-8408 | OneFileCMS 3.6.13 allows remote attackers to modify onefilecms.php by clicking the Copy button twice. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8407 | HongCMS 3.0.0 allows arbitrary file read and write operations via a ../ in the filename parameter to the admin/index.php/language/edit URI. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8404 | An issue was discovered in Webiness Inventory 2.3. The ProductModel component allows Arbitrary File Upload via a crafted product image during the creation of a new product. Consequently, an attacker can steal information from the site with the help of an installed executable file, or change the contents of pages. | MEDIUM | May 22, 2019 |
| CVE-2019-8401 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none | -- | Nov 7, 2023 |
| CVE-2019-8400 | ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8398 | An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_get_size in H5T.c. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8397 | An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_close_real in H5T.c. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8396 | A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka \"Invalid write of size 2.\" | MEDIUM | Mar 20, 2019 |
| CVE-2019-8395 | An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request. | HIGH | Mar 20, 2019 |
| CVE-2019-8394 | Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8393 | Hotels_Server through 2018-11-05 has SQL Injection via the API because the controller/api/login.php telephone parameter is mishandled. | HIGH | Mar 20, 2019 |
| CVE-2019-8392 | An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to enable Guest Wi-Fi via the SetWLanRadioSettings HNAP API to the web service provided by /bin/goahead. | MEDIUM | Mar 20, 2019 |
| CVE-2019-8391 | qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter. | MEDIUM | May 15, 2019 |
| CVE-2019-8390 | qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. | MEDIUM | May 15, 2019 |
| CVE-2019-8389 | A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) to the download.script endpoint. This will create a MusicPlayerArchive.zip archive that is publicly accessible and includes the content of any requested file (such as the /etc/passwd file). | MEDIUM | Sep 17, 2019 |
| CVE-2019-8387 | MASTER IPCAMERA01 3.3.4.2103 devices allow Remote Command Execution, related to the thttpd component. | HIGH | May 8, 2019 |
| CVE-2019-8385 | An issue was discovered in Thomson Reuters Desktop Extensions 1.9.0.358. An unauthenticated directory traversal and local file inclusion vulnerability in the ThomsonReuters.Desktop.Service.exe and ThomsonReuters.Desktop.exe allows a remote attacker to list or enumerate sensitive contents of files via a \\.. to port 6677. Additionally, this could allow for privilege escalation by dumping the affected machine\'s SAM and SYSTEM database files, as well as remote code execution. | HIGH | Jun 6, 2019 |
| CVE-2019-8383 | An issue was discovered in AdvanceCOMP through 2.1. An invalid memory address occurs in the function adv_png_unfilter_8 in lib/png.c. It can be triggered by sending a crafted file to a binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file. | Medium | Feb 27, 2019 |
