The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2019-9124 | An issue was discovered on D-Link DIR-878 1.12B01 devices. At the /HNAP1 URI, an attacker can log in with a blank password. | HIGH | Mar 20, 2019 | n/a |
CVE-2019-9125 | An issue was discovered on D-Link DIR-878 1.12B01 devices. Because strncpy is misused, there is a stack-based buffer overflow vulnerability that does not require authentication via the HNAP_AUTH HTTP header. | HIGH | Mar 20, 2019 | n/a |
CVE-2019-9126 | An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. There is an information disclosure vulnerability via requests for the router_info.xml document. This will reveal the PIN code, MAC address, routing table, firmware version, update time, QOS information, LAN information, and WLAN information of the device. | MEDIUM | Mar 20, 2019 | n/a |
CVE-2019-9132 | Remote code execution vulnerability exists in KaKaoTalk PC messenger when user clicks specially crafted link in the message window. This affects KaKaoTalk windows version 2.7.5.2024 or lower. | MEDIUM | Apr 2, 2019 | n/a |
CVE-2019-9133 | When processing subtitles format media file, KMPlayer version 2018.12.24.14 or lower doesn\'t check object size correctly, which leads to integer underflow then to memory out-of-bound read/write. An attacker can exploit this issue by enticing an unsuspecting user to open a malicious file. | MEDIUM | Apr 10, 2019 | n/a |
CVE-2019-9134 | Architectural Information System 1.0 and earlier versions have a Stack-based buffer overflow, allows remote attackers to execute arbitrary code. | HIGH | Apr 10, 2019 | n/a |
CVE-2019-9135 | DaviewIndy 8.98.7 and earlier versions have a Heap-based overflow vulnerability, triggered when the user opens a malformed DIB format file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution. | MEDIUM | Apr 26, 2019 | n/a |
CVE-2019-9136 | DaviewIndy 8.98.7 and earlier versions have a Heap-based overflow vulnerability, triggered when the user opens a malformed JPEG2000 format file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution. | MEDIUM | Apr 26, 2019 | n/a |
CVE-2019-9137 | DaviewIndy 8.98.7 and earlier versions have a Integer overflow vulnerability, triggered when the user opens a malformed Image file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution. | MEDIUM | May 1, 2019 | n/a |
CVE-2019-9138 | DaviewIndy 8.98.7 and earlier versions have a Integer overflow vulnerability, triggered when the user opens a malformed PhotoShop file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution. | MEDIUM | Apr 26, 2019 | n/a |
CVE-2019-9139 | DaviewIndy 8.98.7 and earlier versions have a Integer overflow vulnerability, triggered when the user opens a malformed PDF file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution. | MEDIUM | Apr 26, 2019 | n/a |
CVE-2019-9140 | When processing Deeplink scheme, Happypoint mobile app 6.3.19 and earlier versions doesn\'t check Deeplink URL correctly. This could lead to javascript code execution, url redirection, sensitive information disclosure. An attacker can exploit this issue by enticing an unsuspecting user to open a specific malicious URL. | MEDIUM | Aug 8, 2019 | n/a |
CVE-2019-9141 | ZInsVX.dll ActiveX Control 2018.02 and earlier in Zoneplayer contains a vulnerability that could allow remote attackers to execute arbitrary files by setting the arguments to the ActiveX method. This can be leveraged for remote code execution. | HIGH | Aug 14, 2019 | n/a |
CVE-2019-9142 | An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java. | MEDIUM | Mar 20, 2019 | n/a |
CVE-2019-9143 | An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure in the file image.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. | MEDIUM | Mar 20, 2019 | n/a |
CVE-2019-9144 | An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD in the file bigtiffimage.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. | MEDIUM | Mar 20, 2019 | n/a |
CVE-2019-9145 | An issue was discovered in Hsycms V1.1. There is an XSS vulnerability via the name field to the /book page. | MEDIUM | Mar 20, 2019 | n/a |
CVE-2019-9146 | Jamf Self Service 10.9.0 allows man-in-the-middle attackers to obtain a root shell by leveraging the \"publish Bash shell scripts\" feature to insert \"/Applications/Utilities/Terminal app/Contents/MacOS/Terminal\" into the TCP data stream. | HIGH | Mar 20, 2019 | n/a |
CVE-2019-9147 | Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser\'s extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements additional measures to prevent web applications from directly embedding the settings page, but this mechanism can be bypassed. | MEDIUM | Jul 11, 2019 | n/a |
CVE-2019-9148 | Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification. Keys that are obviously invalid are not rejected during import. An attacker that is able to get a victim to import a manipulated key could claim to have signed a message that originates from another person. | MEDIUM | Jul 11, 2019 | n/a |
CVE-2019-9149 | Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. By modifying an URL parameter in Mailvelope, an attacker is able to sign (and encrypt) arbitrary messages with Mailvelope, assuming the private key password is cached. A second vulnerability allows an attacker to decrypt an arbitrary message when the GnuPG backend is used in Mailvelope. | MEDIUM | Jul 11, 2019 | n/a |
CVE-2019-9150 | Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on web page. This functionality can be tricked to either hide a key import from the user or obscure which key was imported. | MEDIUM | Jul 11, 2019 | n/a |
CVE-2019-9151 | An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5VM_memcpyvv in H5VM.c when called from H5D__compact_readvv in H5Dcompact.c. | MEDIUM | Mar 20, 2019 | n/a |
CVE-2019-9152 | An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5MM_xstrdup in H5MM.c when called from H5O_dtype_decode_helper in H5Odtype.c. | MEDIUM | Mar 20, 2019 | n/a |
CVE-2019-9153 | Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a \"standalone\" or \"timestamp\" signature. | MEDIUM | Aug 30, 2019 | n/a |
CVE-2019-9154 | Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to pass off unsigned data as signed. | MEDIUM | Aug 30, 2019 | n/a |
CVE-2019-9155 | A cryptographic issue in OpenPGP.js <=4.2.0 allows an attacker who is able provide forged messages and gain feedback about whether decryption of these messages succeeded to conduct an invalid curve attack in order to gain the victim\'s ECDH private key. | MEDIUM | Aug 30, 2019 | n/a |
CVE-2019-9156 | Gemalto DS3 Authentication Server 2.6.1-SP01 allows OS Command Injection. | MEDIUM | Jun 6, 2019 | n/a |
CVE-2019-9157 | Gemalto DS3 Authentication Server 2.6.1-SP01 allows Local File Disclosure. | LOW | Jun 6, 2019 | n/a |
CVE-2019-9158 | Gemalto DS3 Authentication Server 2.6.1-SP01 has Broken Access Control. | LOW | Jun 6, 2019 | n/a |
CVE-2019-9160 | WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a backdoor account allowing a remote attacker to login to the system via SSH (on TCP port 22345) and escalate to root (because the password for root is the WebUI admin password concatenated with a static string). | HIGH | Apr 19, 2019 | n/a |
CVE-2019-9161 | WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header can be used to read an etc/config/wac/wns_cfg_admin_detail.xml file containing the admin password. (The password for root is the WebUI admin password concatenated with a static string.) | HIGH | Apr 19, 2019 | n/a |
CVE-2019-9162 | In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper. | Medium | Mar 27, 2019 | n/a |
CVE-2019-9163 | The connection initiation process in March Networks Command Client before 2.7.2 allows remote attackers to execute arbitrary code via crafted XAML objects. | HIGH | Apr 2, 2020 | n/a |
CVE-2019-9164 | Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job. | MEDIUM | Mar 28, 2019 | n/a |
CVE-2019-9164 | Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job. | MEDIUM | Apr 15, 2019 | n/a |
CVE-2019-9165 | SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id. | HIGH | Mar 28, 2019 | n/a |
CVE-2019-9165 | SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id. | HIGH | Apr 15, 2019 | n/a |
CVE-2019-9166 | Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php. | HIGH | Mar 28, 2019 | n/a |
CVE-2019-9166 | Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php. | HIGH | Apr 15, 2019 | n/a |
CVE-2019-9167 | Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter. | MEDIUM | Mar 28, 2019 | n/a |
CVE-2019-9167 | Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter. | MEDIUM | Apr 15, 2019 | n/a |
CVE-2019-9168 | WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. | MEDIUM | Mar 20, 2019 | n/a |
CVE-2019-9169 | In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match. | High | Mar 15, 2019 | n/a |
CVE-2019-9170 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control. | MEDIUM | Apr 17, 2019 | n/a |
CVE-2019-9171 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 1 of 5). | MEDIUM | Apr 17, 2019 | n/a |
CVE-2019-9172 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 2 of 5). | MEDIUM | Apr 17, 2019 | n/a |
CVE-2019-9174 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows SSRF. | HIGH | Apr 17, 2019 | n/a |
CVE-2019-9175 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 3 of 5). | MEDIUM | Apr 17, 2019 | n/a |
CVE-2019-9176 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows CSRF. | MEDIUM | Apr 17, 2019 | n/a |