The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-15520 | comelz Quark before2019-03-26 allows directory traversal to locations outside of the project directory. | MEDIUM | Aug 27, 2019 | n/a |
| CVE-2019-15519 | Power-Response before2019-02-02 allows directory traversal (up to the application\'s main directory) via a plugin. | HIGH | Aug 30, 2019 | n/a |
| CVE-2019-15518 | Swoole before 4.2.13 allows directory traversal in swPort_http_static_handler. | MEDIUM | Aug 27, 2019 | n/a |
| CVE-2019-15517 | jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal. | MEDIUM | Aug 27, 2019 | n/a |
| CVE-2019-15516 | Cuberite before2019-06-11 allows webadmin directory traversal via ....// because the protection mechanism simply removes one ../ substring. | MEDIUM | Aug 27, 2019 | n/a |
| CVE-2019-15515 | Discourse 2.3.2 sends the CSRF token in the query string. | MEDIUM | Aug 29, 2019 | n/a |
| CVE-2019-15514 | The Privacy > Phone Number feature in the Telegram app 5.10 for Android and iOS provides an incorrect indication that the access level is Nobody, because attackers can find these numbers via the Group Info feature, e.g., by adding a significant fraction of a region\'s assigned phone numbers. | MEDIUM | Aug 30, 2019 | n/a |
| CVE-2019-15513 | An issue was discovered in OpenWrt libuci (aka Library for the Unified Configuration Interface) before 15.05.1 as used on Motorola CX2L MWR04L 1.01 and C1 MWR03 1.01 devices. /tmp/.uci/network locking is mishandled after reception of a long SetWanSettings command, leading to a device hang. | HIGH | Aug 23, 2019 | n/a |
| CVE-2019-15511 | An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges in Windows system where GOG Galaxy software is installed. All GOG Galaxy versions before 1.2.60 and all corresponding versions of GOG Galaxy 2.0 Beta are affected. | HIGH | Nov 21, 2019 | n/a |
| CVE-2019-15510 | ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role. | MEDIUM | Mar 25, 2020 | n/a |
| CVE-2019-15508 | In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7. | LOW | Aug 27, 2019 | n/a |
| CVE-2019-15507 | In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8. | LOW | Aug 27, 2019 | n/a |
| CVE-2019-15506 | An issue was discovered in Kaseya Virtual System Administrator (VSA) through 9.4.0.37. It has a critical information disclosure vulnerability. An unauthenticated attacker can send properly formatted requests to the web application and download sensitive files and information. For example, the /DATAREPORTS directory can be farmed for reports. Because this directory contains the results of reports such as NMAP, Patch Status, and Active Directory domain metadata, an attacker can easily collect this critical information and parse it for information. There are a number of directories affected. | HIGH | Aug 26, 2019 | n/a |
| CVE-2019-15505 | drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via crafted USB device traffic (which may be remote via usbip or usbredir). | High | Aug 26, 2019 | 10.17.41.19 (Wind River Linux LTS 17) |
| CVE-2019-15504 | drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2.9 has a Double Free via crafted USB device traffic (which may be remote via usbip or usbredir). | High | Aug 26, 2019 | n/a |
| CVE-2019-15503 | cgi-cpn/xcoding/prontus_videocut.cgi in AltaVoz Prontus (aka ProntusCMS) through 12.0.3.0 has \"Improper Neutralization of Special Elements used in an OS Command,\" allowing attackers to execute OS commands via an HTTP GET parameter. | HIGH | Aug 30, 2019 | n/a |
| CVE-2019-15502 | The TeamSpeak client before 3.3.2 allows remote servers to trigger a crash via the 0xe2 0x81 0xa8 0xe2 0x81 0xa7 byte sequence, aka Unicode characters U+2068 (FIRST STRONG ISOLATE) and U+2067 (RIGHT-TO-LEFT ISOLATE). | -- | Aug 29, 2019 | n/a |
| CVE-2019-15501 | Reflected cross site scripting (XSS) in L-Soft LISTSERV before 16.5-2018a exists via the /scripts/wa.exe OK parameter. | MEDIUM | Aug 28, 2019 | n/a |
| CVE-2019-15499 | CodiMD 1.3.1, when Safari is used, allows XSS via an IFRAME element with allow-top-navigation in the sandbox attribute, in conjunction with a data: URL. | MEDIUM | Oct 9, 2019 | n/a |
| CVE-2019-15498 | cgi-bin/cmh/webcam.sh in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via --output argument injection in the username parameter to /cgi-bin/cmh/webcam.sh. | HIGH | Aug 27, 2019 | n/a |
| CVE-2019-15497 | Black Box iCOMPEL 9.2.3 through 11.1.4, as used in ONELAN Net-Top-Box 9.2.3 through 11.1.4 and other products, has default credentials that allow remote attackers to access devices remotely via SSH, HTTP, HTTPS, and FTP. | HIGH | Sep 4, 2019 | n/a |
| CVE-2019-15496 | MyT Project Management 1.5.1 lacks CSRF protection and, for example, allows a user/create CSRF attack. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page. | MEDIUM | Aug 30, 2019 | n/a |
| CVE-2019-15494 | openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. | HIGH | Aug 26, 2019 | n/a |
| CVE-2019-15493 | openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15492 | openITCOCKPIT before 3.7.1 has reflected XSS, aka RVID 3-445b21. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15491 | openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15490 | openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. | HIGH | Aug 26, 2019 | n/a |
| CVE-2019-15489 | laracom (aka Laravel FREE E-Commerce Software) 1.4.11 has search?q= XSS. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15488 | Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15487 | DfE School Experience before v16333-GA has XSS via a teacher training URL. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15486 | django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15485 | Bolt before 3.6.10 has XSS via createFolder or createFile in Controller/Async/FilesystemManager.php. | Medium | Aug 26, 2019 | n/a |
| CVE-2019-15484 | Bolt before 3.6.10 has XSS via an image\'s alt or title field. | Medium | Aug 26, 2019 | n/a |
| CVE-2019-15483 | Bolt before 3.6.10 has XSS via a title that is mishandled in the system log. | Medium | Aug 26, 2019 | n/a |
| CVE-2019-15482 | selectize-plugin-a11y before 1.1.0 has XSS via the msg field. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15481 | Kimai v2 before 1.1 has XSS via a timesheet description. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15480 | Domoticz 4.10717 has XSS via item.Name. | LOW | Aug 26, 2019 | n/a |
| CVE-2019-15479 | Status Board 1.1.81 has reflected XSS via dashboard.ts. | MEDIUM | Aug 28, 2019 | n/a |
| CVE-2019-15478 | Status Board 1.1.81 has reflected XSS via logic.ts. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15477 | Jooby before 1.6.4 has XSS via the default error handler. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15476 | Former before 4.2.1 has XSS via a checkbox value. | MEDIUM | Aug 26, 2019 | n/a |
| CVE-2019-15475 | The Xiaomi Mi A3 Android device with a build fingerprint of xiaomi/onc_eea/onc:9/PKQ1.181021.001/V10.2.8.0.PFLEUXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | LOW | Nov 14, 2019 | n/a |
| CVE-2019-15474 | The Xiaomi Cepheus Android device with a build fingerprint of Xiaomi/cepheus/cepheus:9/PKQ1.181121.001/V10.2.6.0.PFAMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | LOW | Nov 14, 2019 | n/a |
| CVE-2019-15473 | The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/jasmine/jasmine_sprout:9/PKQ1.180904.001/V10.0.2.0.PDIMIFJ:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | LOW | Nov 14, 2019 | n/a |
| CVE-2019-15472 | The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | LOW | Nov 14, 2019 | n/a |
| CVE-2019-15471 | The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage. | LOW | Nov 14, 2019 | n/a |
| CVE-2019-15470 | The Xiaomi Redmi Note 6 Pro Android device with a build fingerprint of xiaomi/tulip/tulip:8.1.0/OPM1.171019.011/V10.2.2.0.OEKMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage. | LOW | Nov 14, 2019 | n/a |
| CVE-2019-15469 | The Xiaomi Mi Pad 4 Android device with a build fingerprint of Xiaomi/clover/clover:8.1.0/OPM1.171019.019/V9.6.26.0.ODJCNFD:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage. | LOW | Nov 14, 2019 | n/a |
| CVE-2019-15468 | The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812071953) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | LOW | Nov 14, 2019 | n/a |
| CVE-2019-15467 | The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=A2060_201801032053) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | LOW | Nov 14, 2019 | n/a |
