The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-8932 | Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application. | MEDIUM | Jul 22, 2019 | n/a |
| CVE-2019-8933 | In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-8934 | hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest. | Low | Mar 26, 2019 | n/a |
| CVE-2019-8935 | Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter. | LOW | Mar 20, 2019 | n/a |
| CVE-2019-8936 | NTP through 4.2.8p12 has a NULL Pointer Dereference. | Medium | May 31, 2019 | n/a |
| CVE-2019-8937 | HotelDruid 2.3.0 has XSS affecting the nsextt, cambia1, mese_fine, origine, and anno parameters in creaprezzi.php, tabella3.php, personalizza.php, and visualizza_tabelle.php. | MEDIUM | May 17, 2019 | n/a |
| CVE-2019-8938 | VertrigoServ 2.17 allows XSS via the /inc/extensions.php ext parameter. | MEDIUM | Mar 26, 2019 | n/a |
| CVE-2019-8939 | data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-8942 | WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. | MEDIUM | Mar 21, 2019 | n/a |
| CVE-2019-8943 | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring. | MEDIUM | Mar 21, 2019 | n/a |
| CVE-2019-8944 | An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-8945 | Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS. | MEDIUM | Jan 28, 2020 | n/a |
| CVE-2019-8946 | Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS. | MEDIUM | Jan 28, 2020 | n/a |
| CVE-2019-8947 | Zimbra Collaboration 8.7.x - 8.8.11P2 contains non-persistent XSS. | MEDIUM | Jan 28, 2020 | n/a |
| CVE-2019-8948 | PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-8950 | The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-8951 | An Open Redirect vulnerability located in the webserver affects several Bosch hardware and software products. The vulnerability potentially allows a remote attacker to redirect users to an arbitrary URL. Affected hardware products: Bosch DIVAR IP 2000 (vulnerable versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62; fixed versions: 3.62.0019 and newer), Bosch DIVAR IP 5000 (vulnerable versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62; fixed versions: 3.80.0033 and newer). Affected software products: Video Recording Manager (VRM) (vulnerable versions: 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62; fixed versions: 3.70.0056 and newer; 3.81.0032 and newer), Bosch Video Management System (BVMS) (vulnerable versions: 3.50.00XX; 3.55.00XX; 3.60.00XX; fixed versions: 7.5; 3.70.0056). | MEDIUM | May 16, 2019 | n/a |
| CVE-2019-8952 | A Path Traversal vulnerability located in the webserver affects several Bosch hardware and software products. The vulnerability potentially allows a remote authorized user to access arbitrary files on the system via the network interface. Affected hardware products: Bosch DIVAR IP 2000 (vulnerable versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62; fixed versions: 3.62.0019 and newer), Bosch DIVAR IP 5000 (vulnerable versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62; fixed versions: 3.80.0033 and newer). Affected software products: Video Recording Manager (VRM) (vulnerable versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62; 3.70; 3.71 before 3.71.0032 ; fixed versions: 3.71.0032; 3.81.0032 and newer), Bosch Video Management System (BVMS) (vulnerable versions: 3.50.00XX; 3.55.00XX; 3.60.00XX; 3.70.0056; fixed versions: 7.5; 3.71.0032). | MEDIUM | May 16, 2019 | n/a |
| CVE-2019-8953 | The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-8954 | In Indexhibit 2.1.5, remote attackers can execute arbitrary code via the v parameter (in conjunction with the id parameter) in a upd_jxcode=true action to the ndxzstudio/?a=system URI. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-8955 | In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against Tor clients and relays can occur via memory exhaustion in the KIST cell scheduler. | Medium | Feb 26, 2019 | n/a |
| CVE-2019-8956 | In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the sctp_sendmsg() function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory. | High | Apr 3, 2019 | n/a |
| CVE-2019-8960 | A Denial of Service vulnerability related to command handling has been identified in FlexNet Publisher lmadmin.exe version 11.16.2. The message reading function used in lmadmin.exe can, given a certain message, call itself again and then wait for a further message. With a particular flag set in the original message, but no second message received, the function eventually return an unexpected value which leads to an exception being thrown. The end result can be process termination. | MEDIUM | Apr 21, 2020 | n/a |
| CVE-2019-8961 | A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition. | MEDIUM | Apr 21, 2020 | n/a |
| CVE-2019-8963 | A Denial of Service (DoS) vulnerability was discovered in FlexNet Publisher\'s lmadmin 11.16.5, when doing a crafted POST request on lmadmin using the web-based tool. | -- | Mar 30, 2023 | n/a |
| CVE-2019-8978 | An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim\'s session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim\'s UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim. | MEDIUM | May 16, 2019 | n/a |
| CVE-2019-8979 | Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled. | High | Feb 21, 2019 | n/a |
| CVE-2019-8980 | A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures. | High | Feb 26, 2019 | n/a |
| CVE-2019-8981 | tls1.c in Cameron Hamilton-Rich axTLS before 2.1.5 has a Buffer Overflow via a crafted sequence of TLS packets because the need_bytes value is mismanaged. | HIGH | Mar 28, 2019 | n/a |
| CVE-2019-8982 | com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value, leading to disclosure of local files and SSRF. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-8983 | MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 1 of 2). | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-8984 | MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 2 of 2). | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-8985 | On Netis WF2411 with firmware 2.1.36123 and other Netis WF2xxx devices (possibly WF2411 through WF2880), there is a stack-based buffer overflow that does not require authentication. This can cause denial of service (device restart) or remote code execution. This vulnerability can be triggered by a GET request with a long HTTP Authorization: Basic header that is mishandled by user_auth->user_ok in /bin/boa. | High | Feb 22, 2019 | n/a |
| CVE-2019-8986 | The SOAP API component vulnerability of TIBCO Software Inc.\'s TIBCO JasperReports Server, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that may allow a malicious authenticated user to copy text files from the host operating system. Affected releases are TIBCO Software Inc.\'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3. | Medium | Mar 11, 2019 | n/a |
| CVE-2019-8987 | The application server component of TIBCO Software Inc.\'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a persistent cross-site scripting vulnerability that theoretically allows an authenticated user to gain access to all the capabilities of the web interface available to more privileged users. Affected releases are TIBCO Software Inc.\'s TIBCO Data Science for AWS: versions up to and including 6.4.0, and TIBCO Spotfire Data Science: versions up to and including 6.4.0. | LOW | Mar 29, 2019 | n/a |
| CVE-2019-8988 | The application server component of TIBCO Software Inc.\'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a persistent cross-site contains a vulnerability that theoretically allows a user to escalate their privileges on the affected system, in a way that may allow for data modifications and deletions that should be denied. Affected releases are TIBCO Software Inc.\'s TIBCO Data Science for AWS: versions up to and including 6.4.0, and TIBCO Spotfire Data Science: versions up to and including 6.4.0. | MEDIUM | Mar 28, 2019 | n/a |
| CVE-2019-8989 | The application server component of TIBCO Software Inc.\'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a vulnerability that theoretically enables a user to spoof their account to look like a different user in the affected system. Affected releases are TIBCO Software Inc.\'s TIBCO Data Science for AWS: versions up to and including 6.4.0, and TIBCO Spotfire Data Science: versions up to and including 6.4.0. | MEDIUM | Mar 29, 2019 | n/a |
| CVE-2019-8990 | The HTTP Connector component of TIBCO Software Inc.\'s TIBCO ActiveMatrix BusinessWorks contains a vulnerability that theoretically allows unauthenticated HTTP requests to be processed by the BusinessWorks engine even when authentication is required. This possibility is restricted to circumstances where HTTP \"Basic Authentication\" policy is used in conjunction with an XML Authentication resource. The BusinessWorks engine might instead use credentials from a prior HTTP request for authorization purposes. Affected releases are TIBCO Software Inc. TIBCO ActiveMatrix BusinessWorks: versions up to and including 6.4.2. | MEDIUM | Apr 10, 2019 | n/a |
| CVE-2019-8991 | The administrator web interface of TIBCO Software Inc.\'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid contains multiple vulnerabilities that may allow for cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.\'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, TIBCO ActiveMatrix Policy Director: versions up to and including 1.1.0, TIBCO ActiveMatrix Service Bus: versions up to and including 3.3.0, TIBCO ActiveMatrix Service Grid: versions up to and including 3.3.1, TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid: versions up to and including 1.3.1. | MEDIUM | Apr 29, 2019 | n/a |
| CVE-2019-8992 | The administrative server component of TIBCO Software Inc.\'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid contains a vulnerability wherein a user without privileges to upload distributed application archives (\"Upload DAA\" permission) can theoretically upload arbitrary code, and in some circumstances then execute that code on ActiveMatrix Service Grid nodes. Affected releases are TIBCO Software Inc.\'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, TIBCO ActiveMatrix Policy Director: versions up to and including 1.1.0, TIBCO ActiveMatrix Service Bus: versions up to and including 3.3.0, TIBCO ActiveMatrix Service Grid: versions up to and including 3.3.1, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric: versions up to and including 3.3.0, TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid: versions up to and including 1.3.1. | MEDIUM | Apr 29, 2019 | n/a |
| CVE-2019-8993 | The administrative web server component of TIBCO Software Inc.\'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid contains a vulnerability that could theoretically allow an unauthenticated user to download a file with credentials information. Affected releases are TIBCO Software Inc.\'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, TIBCO ActiveMatrix Policy Director: versions up to and including 1.1.0, TIBCO ActiveMatrix Service Bus: versions up to and including 3.3.0, TIBCO ActiveMatrix Service Grid: versions up to and including 3.3.1, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric: versions up to and including 3.3.0, TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid: versions up to and including 1.3.1. | MEDIUM | Apr 29, 2019 | n/a |
| CVE-2019-8994 | The workspace client of TIBCO Software Inc.\'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contains vulnerabilities where an authenticated user can change settings that can theoretically adversely impact other users. Affected releases are TIBCO Software Inc.\'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1. | MEDIUM | May 2, 2019 | n/a |
| CVE-2019-8995 | The workspace client, openspace client, and app development client of TIBCO Software Inc.\'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contain a vulnerability wherein a malicious URL could trick a user into visiting a website of the attacker\'s choice. Affected releases are TIBCO Software Inc.\'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1. | MEDIUM | Apr 29, 2019 | n/a |
| CVE-2019-8996 | In Signiant Manager+Agents before 13.5, the implementation of the set command has a Buffer Overflow. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-8997 | An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted XML in an existing field. | MEDIUM | Mar 25, 2019 | n/a |
| CVE-2019-8998 | An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space. | MEDIUM | Jul 16, 2019 | n/a |
| CVE-2019-8999 | An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account. | MEDIUM | Apr 19, 2019 | n/a |
| CVE-2019-9002 | An issue was discovered in Tiny Issue 1.3.1 and pixeline Bugs through 1.3.2c. install/config-setup.php allows remote attackers to execute arbitrary PHP code via the database_host parameter if the installer remains present in its original directory after installation is completed. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9003 | In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a service ipmievd restart loop. | High | Mar 27, 2019 | n/a |
| CVE-2019-9004 | In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Processing of a single crafted packet leads to leaking (wasting) 24 bytes of memory. This can lead to termination of the LWM2M server after exhausting all available memory. | MEDIUM | Mar 20, 2019 | n/a |
