The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-20529 | In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files. | MEDIUM | Mar 18, 2020 | n/a |
| CVE-2019-20528 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter. | MEDIUM | Mar 18, 2020 | n/a |
| CVE-2019-20527 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20526 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20525 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20524 | ilchCMS 2.1.23 allows XSS via the index.php/partner/index Banner parameter. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20523 | ilchCMS 2.1.23 allows XSS via the index.php/partner/index Name parameter. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20522 | ilchCMS 2.1.23 allows XSS via the index.php/partner/index Link parameter. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20521 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20520 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20519 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20518 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20517 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20516 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20515 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20514 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20513 | Open edX Ironwood.1 allows support/certificates?user= reflected XSS. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20512 | Open edX Ironwood.1 allows support/certificates?course_id= reflected XSS. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20511 | ERPNext 11.1.47 allows blog?blog_category= Frame Injection. | MEDIUM | Mar 18, 2020 | n/a |
| CVE-2019-20510 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-13456. Reason: This candidate is a duplicate of CVE-2019-13456. Notes: All CVE users should reference CVE-2019-13456 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | -- | Nov 7, 2023 | 10.19.45.3 (Wind River Linux LTS 19) |
| CVE-2019-20509 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it only affected a development version. Notes: none | -- | Nov 7, 2023 | n/a |
| CVE-2019-20504 | service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter. | HIGH | Mar 10, 2020 | n/a |
| CVE-2019-20503 | usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init. | MEDIUM | Mar 12, 2020 | n/a |
| CVE-2019-20502 | An issue was discovered in EFS Easy Chat Server 3.1. There is a buffer overflow via a long body2.ghp message parameter. | MEDIUM | Mar 6, 2020 | n/a |
| CVE-2019-20501 | D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Upgrade Firmware functionality in the Web interface, using shell metacharacters in the admin.cgi?action=upgrade firmwareRestore or firmwareServerip parameter. | HIGH | Mar 6, 2020 | n/a |
| CVE-2019-20500 | D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter. | HIGH | Mar 6, 2020 | n/a |
| CVE-2019-20499 | D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Restore Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_restore configRestore or configServerip parameter. | HIGH | Mar 6, 2020 | n/a |
| CVE-2019-20498 | cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534). | HIGH | Mar 19, 2020 | n/a |
| CVE-2019-20497 | cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533). | LOW | Mar 19, 2020 | n/a |
| CVE-2019-20496 | cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532). | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20495 | cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531). | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20494 | In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525). | LOW | Mar 19, 2020 | n/a |
| CVE-2019-20493 | cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520). | MEDIUM | Mar 18, 2020 | n/a |
| CVE-2019-20492 | cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516). | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20491 | cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508). | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20490 | cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499). | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20489 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. The web management interface (setup.cgi) has an authentication bypass and other problems that ultimately allow an attacker to remotely compromise the device from a malicious webpage. The attacker sends an FW_remote.htm&todo=cfg_init request without a cookie, reads the Set-Cookie header in the 401 Unauthorized response, and then repeats the FW_remote.htm&todo=cfg_init request with the specified cookie. | MEDIUM | Mar 4, 2020 | n/a |
| CVE-2019-20488 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the web management interface (setup.cgi) are vulnerable to command injection, allowing remote attackers to execute arbitrary commands, as demonstrated by shell metacharacters in the sysDNSHost parameter. | HIGH | Mar 4, 2020 | n/a |
| CVE-2019-20487 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the WNR1000V4 web management console are vulnerable to an unauthenticated GET request (exploitable directly or through CSRF), as demonstrated by the setup.cgi?todo=save_htp_account URI. | MEDIUM | Mar 4, 2020 | n/a |
| CVE-2019-20486 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple pages (setup.cgi and adv_index.htm) within the web management console are vulnerable to stored XSS, as demonstrated by the configuration of the UI language. | MEDIUM | Mar 4, 2020 | n/a |
| CVE-2019-20485 | qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage). | LOW | Mar 19, 2020 | 10.19.45.6 (Wind River Linux LTS 19) |
| CVE-2019-20484 | An issue was discovered in Viki Vera 4.9.1.26180. A user without access to a project could download or upload project files by opening the Project URL directly in the browser after logging in. | MEDIUM | Jan 8, 2021 | n/a |
| CVE-2019-20483 | An issue was discovered in Viki Vera 4.9.1.26180. An attacker could set a user\'s last name to an XSS Payload, and read another user\'s cookie and use that to login to the application. | LOW | Jan 8, 2021 | n/a |
| CVE-2019-20481 | In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Function does not require knowledge of the old password. This can be exploited in conjunction with CVE-2019-20480. | MEDIUM | Feb 28, 2020 | n/a |
| CVE-2019-20480 | In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website visited by an authenticated admin user or a malicious mail is allowed to make arbitrary changes in the admin panel because there is no CSRF protection. | MEDIUM | Feb 28, 2020 | n/a |
| CVE-2019-20479 | A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning. | MEDIUM | Feb 25, 2020 | n/a |
| CVE-2019-20478 | In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases. | HIGH | Feb 27, 2020 | n/a |
| CVE-2019-20477 | PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342. | HIGH | Feb 26, 2020 | n/a |
| CVE-2019-20474 | An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF. | MEDIUM | Feb 20, 2020 | n/a |
| CVE-2019-20473 | An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a Remove PIN and restart! message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device. | MEDIUM | Feb 5, 2021 | n/a |
