The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-9177 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | High | May 29, 2019 | n/a |
| CVE-2019-9178 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 4 of 5). | MEDIUM | Apr 17, 2019 | n/a |
| CVE-2019-9179 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 5 of 5). | MEDIUM | Apr 17, 2019 | n/a |
| CVE-2019-9181 | SchoolCMS version 2.3.1 allows file upload via the logo upload feature at admin.php?m=admin&c=site&a=save by using the .jpg extension, changing the Content-Type to image/php, and placing PHP code after the JPEG data. This ultimately allows execution of arbitrary PHP code. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9182 | There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the filetext parameter. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9183 | An issue was discovered in Contiki-NG through 4.3 and Contiki through 3.0. A buffer overflow is present due to an integer underflow during 6LoWPAN fragment processing in the face of truncated fragments in os/net/ipv6/sicslowpan.c. This results in accesses of unmapped memory, crashing the application. An attacker can cause a denial-of-service via a crafted 6LoWPAN frame. | MEDIUM | Apr 25, 2020 | n/a |
| CVE-2019-9184 | SQL injection vulnerability in the J2Store plugin 3.x before 3.3.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the product_option[] parameter. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9185 | Controller/Async/FilesystemManager.php in the filemanager in Bolt before 3.6.5 allows remote attackers to execute arbitrary PHP code by renaming a previously uploaded file to have a .php extension. | Medium | Mar 26, 2019 | n/a |
| CVE-2019-9186 | In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). This issue has been fixed in the following versions: 2019.1, 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7. | HIGH | Jul 10, 2019 | n/a |
| CVE-2019-9187 | ikiwiki before 3.20170111.1 and 3.2018x and 3.2019x before 3.20190228 allows SSRF via the aggregate plugin. The impact also includes reading local files via file: URIs. | Medium | Jun 6, 2019 | n/a |
| CVE-2019-9189 | Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be immediately executed because of root code execution, not as a web server user, allowing an authenticated attacker to gain full system access. | High | Jun 5, 2019 | n/a |
| CVE-2019-9191 | The ETSI Enterprise Transport Security (ETS, formerly known as eTLS) protocol does not provide per-session forward secrecy. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9192 | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by \'(|)(\\\\1\\\\1)*\' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern | MEDIUM | Nov 5, 2019 | n/a |
| CVE-2019-9193 | In PostgreSQL 9.3 through 11.2, the COPY TO/FROM PROGRAM function allows superusers and users in the \'pg_execute_server_program\' group to execute arbitrary code in the context of the database\'s operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’. | HIGH | Oct 10, 2019 | n/a |
| CVE-2019-9194 | elFinder before 2.1.48 has a command injection vulnerability in the PHP connector. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9195 | util/src/zip.rs in Grin before 1.0.2 mishandles suspicious files. An attacker can execute arbitrary code via directory traversal in a ZIP archive. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9196 | The Face authentication component in Aware mobile liveness 2.2.1 sdk 2.2.0 for Knomi allows a Biometrical Liveness authentication bypass via parameter tampering of the /knomi/analyze security_level field. | MEDIUM | May 17, 2019 | n/a |
| CVE-2019-9197 | The com.unity3d.kharma protocol handler in Unity Editor 2018.3 allows remote attackers to execute arbitrary code. | MEDIUM | Jan 17, 2020 | n/a |
| CVE-2019-9199 | PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo 0.9.6 has a NULL pointer dereference that can (for example) be triggered by sending a crafted PDF file to the podofoimpose binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9200 | A heap-based buffer underwrite exists in ImageStream::getLine() located at Stream.cc in Poppler 0.74.0 that can (for example) be triggered by sending a crafted PDF file to the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. | Medium | Mar 13, 2019 | n/a |
| CVE-2019-9201 | Multiple Phoenix Contact devices allow remote attackers to establish TCP sessions to port 1962 and obtain sensitive information or make changes, as demonstrated by using the Create Backup feature to traverse all directories. | High | Feb 27, 2019 | n/a |
| CVE-2019-9202 | Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated users to execute arbitrary code via API key issues. | MEDIUM | Mar 28, 2019 | n/a |
| CVE-2019-9202 | Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated users to execute arbitrary code via API key issues. | MEDIUM | Apr 15, 2019 | n/a |
| CVE-2019-9203 | Authorization bypass in Nagios IM (component of Nagios XI) before 2.2.7 allows closing incidents in IM via the API. | HIGH | Mar 28, 2019 | n/a |
| CVE-2019-9203 | Authorization bypass in Nagios IM (component of Nagios XI) before 2.2.7 allows closing incidents in IM via the API. | HIGH | Apr 15, 2019 | n/a |
| CVE-2019-9204 | SQL injection vulnerability in Nagios IM (component of Nagios XI) before 2.2.7 allows attackers to execute arbitrary SQL commands. | HIGH | Mar 28, 2019 | n/a |
| CVE-2019-9204 | SQL injection vulnerability in Nagios IM (component of Nagios XI) before 2.2.7 allows attackers to execute arbitrary SQL commands. | HIGH | Apr 15, 2019 | n/a |
| CVE-2019-9206 | PRTG Network Monitor v7.1.3.3378 allows XSS via the /public/login.htm errormsg or loginurl parameter. NOTE: This product is discontinued. | MEDIUM | Jan 3, 2020 | n/a |
| CVE-2019-9207 | PRTG Network Monitor v7.1.3.3378 allows XSS via the /search.htm searchtext parameter. NOTE: This product is discontinued. | MEDIUM | Jan 3, 2020 | n/a |
| CVE-2019-9208 | In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the TCAP dissector could crash. This was addressed in epan/dissectors/asn1/tcap/tcap.cnf by avoiding NULL pointer dereferences. | Medium | Mar 25, 2019 | n/a |
| CVE-2019-9209 | In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and related dissectors could crash. This was addressed in epan/dissectors/packet-ber.c by preventing a buffer overflow associated with excessive digits in time values. | Medium | Mar 27, 2019 | n/a |
| CVE-2019-9210 | In AdvanceCOMP 2.1, png_compress in pngex.cc in advpng has an integer overflow upon encountering an invalid PNG size, which results in an attempted memcpy to write into a buffer that is too small. (There is also a heap-based buffer over-read.) | Medium | Mar 4, 2019 | n/a |
| CVE-2019-9211 | There is a reachable assertion abort in the function write_long_string_missing_values() in data/sys-file-writer.c in libdata.a in GNU PSPP 1.2.0 that will lead to denial of service. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9212 | SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated | High | Feb 28, 2019 | n/a |
| CVE-2019-9213 | In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task. | Medium | Mar 27, 2019 | n/a |
| CVE-2019-9214 | In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the RPCAP dissector could crash. This was addressed in epan/dissectors/packet-rpcap.c by avoiding an attempted dereference of a NULL conversation. | Medium | Mar 25, 2019 | n/a |
| CVE-2019-9215 | In Live555 before 2019.02.27, malformed headers lead to invalid memory access in the parseAuthorizationHeader function. | High | Mar 21, 2019 | n/a |
| CVE-2019-9217 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. Its User Interface has a Misrepresentation of Critical Information. | HIGH | Apr 17, 2019 | n/a |
| CVE-2019-9218 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 1 of 5). | HIGH | May 29, 2019 | n/a |
| CVE-2019-9219 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 2 of 5). | MEDIUM | Apr 17, 2019 | n/a |
| CVE-2019-9220 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Uncontrolled Resource Consumption. | MEDIUM | Apr 17, 2019 | n/a |
| CVE-2019-9221 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 3 of 5). | LOW | May 29, 2019 | n/a |
| CVE-2019-9222 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions. | MEDIUM | Apr 17, 2019 | n/a |
| CVE-2019-9223 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure. | MEDIUM | Apr 18, 2019 | n/a |
| CVE-2019-9224 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 4 of 5). | MEDIUM | Apr 17, 2019 | n/a |
| CVE-2019-9225 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 5 of 5). | MEDIUM | Apr 17, 2019 | n/a |
| CVE-2019-9226 | An issue was discovered in baigo CMS 2.1.1. There is a persistent XSS vulnerability that allows remote attackers to inject arbitrary web script or HTML via the opt[base][BG_SITE_NAME] parameter to the bg_console/index.php?m=opt&c=request URI. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9227 | An issue was discovered in baigo CMS 2.1.1. There is a vulnerability that allows remote attackers to execute arbitrary code. A BG_SITE_NAME parameter with malicious code can be written into the opt_base.inc.php file. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9228 | An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A at least to 7.20A.252.062. The (1) management SSH and (2) management TELNET features allow remote attackers to cause a denial of service (connection slot exhaustion) via 5 unauthenticated connection attempts, because the maximum number of unauthenticated clients that can be configured is 5. NOTE: the vendor\'s position is that this is a design choice. | MEDIUM | Jul 26, 2019 | n/a |
| CVE-2019-9229 | An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can authenticate with the default 1234 password that cannot be changed, and can execute malicious and unauthorized actions. | MEDIUM | Jul 26, 2019 | n/a |
