The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-15620 | Improper access control in Nextcloud Talk 6.0.3 leaks the existance and the name of private conversations when linked them to another shared item via the projects feature. | MEDIUM | Feb 6, 2020 | n/a |
| CVE-2019-15619 | Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project. | LOW | Feb 12, 2020 | n/a |
| CVE-2019-15618 | Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location. | LOW | Feb 6, 2020 | n/a |
| CVE-2019-15617 | A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login. | MEDIUM | Feb 12, 2020 | n/a |
| CVE-2019-15616 | Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long. | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-15615 | A wrong check for the system time in the Android App 3.9.0 causes a bypass of the lock protection when changing the time of the system to the past. | LOW | Feb 13, 2020 | n/a |
| CVE-2019-15614 | Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files. | LOW | Feb 12, 2020 | n/a |
| CVE-2019-15613 | A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes. | MEDIUM | Feb 12, 2020 | n/a |
| CVE-2019-15612 | A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset. | LOW | Feb 11, 2020 | n/a |
| CVE-2019-15611 | Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications. | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-15610 | Improper authorization in the Circles app 0.17.7 causes retaining access when an email address was removed from a circle. | MEDIUM | Feb 12, 2020 | n/a |
| CVE-2019-15609 | The kill-port-process package version < 2.2.0 is vulnerable to a Command Injection vulnerability. | HIGH | Feb 28, 2020 | n/a |
| CVE-2019-15608 | The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It\'s not computed again when reading from the cache. This may lead to a cache pollution attack. | MEDIUM | Mar 17, 2020 | n/a |
| CVE-2019-15607 | A stored XSS vulnerability is present within node-red (version: <= 0.20.7) npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc. | LOW | Jan 29, 2020 | n/a |
| CVE-2019-15606 | Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons | HIGH | Feb 11, 2020 | n/a |
| CVE-2019-15605 | HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed | HIGH | Feb 11, 2020 | n/a |
| CVE-2019-15604 | Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-15603 | The seefl package v0.1.1 is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability via a malicious filename rendered in a directory listing. | MEDIUM | Jan 9, 2020 | n/a |
| CVE-2019-15602 | The fileview package v0.1.6 has inadequate output encoding and escaping, which leads to a stored Cross-Site Scripting (XSS) vulnerability in files it serves. | MEDIUM | Jan 10, 2020 | n/a |
| CVE-2019-15601 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | MEDIUM | Jan 15, 2020 | n/a |
| CVE-2019-15600 | A Path traversal exists in http_server which allows an attacker to read arbitrary system files. | MEDIUM | Dec 23, 2019 | n/a |
| CVE-2019-15599 | A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command. | HIGH | Dec 26, 2019 | n/a |
| CVE-2019-15598 | A Code Injection exists in treekill on Windows which allows a remote code execution when an attacker is able to control the input into the command. | HIGH | Dec 26, 2019 | n/a |
| CVE-2019-15597 | A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input. | HIGH | Dec 26, 2019 | n/a |
| CVE-2019-15596 | A path traversal in statics-server exists in all version that allows an attacker to perform a path traversal when a symlink is used within the working directory. | MEDIUM | Dec 19, 2019 | n/a |
| CVE-2019-15595 | A privilege escalation exists in UniFi Video Controller =<3.10.6 that would allow an attacker on the local machine to run arbitrary commands. | HIGH | Nov 26, 2019 | n/a |
| CVE-2019-15594 | GitLab 11.8 and later contains a security vulnerability that allows a user to obtain details of restricted pipelines via the merge request endpoint. | MEDIUM | Feb 14, 2020 | n/a |
| CVE-2019-15593 | GitLab 12.2.3 contains a security vulnerability that allows a user to affect the availability of the service through a Denial of Service attack in Issue Comments. | MEDIUM | Nov 25, 2019 | n/a |
| CVE-2019-15592 | GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated to an issue via the activity timeline. | MEDIUM | Feb 14, 2020 | n/a |
| CVE-2019-15591 | An improper access control vulnerability exists in GitLab <12.3.3 that allows an attacker to obtain container and dependency scanning reports through the merge request widget even though public pipelines were disabled. | MEDIUM | Dec 27, 2019 | n/a |
| CVE-2019-15590 | An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration | MEDIUM | Jan 29, 2020 | n/a |
| CVE-2019-15589 | An improper access control vulnerability exists in Gitlab <v12.3.2, <v12.2.6, <v12.1.12 which would allow a blocked user would be able to use GIT clone and pull if he had obtained a CI/CD token before. | MEDIUM | Dec 27, 2019 | n/a |
| CVE-2019-15588 | There is an OS Command Injection in Nexus Repository Manager <= 2.14.14 (bypass CVE-2019-5475) that could allow an attacker a Remote Code Execution (RCE). All instances using CommandLineExecutor.java with user-supplied data is vulnerable, such as the Yum Configuration Capability. | HIGH | Nov 6, 2019 | n/a |
| CVE-2019-15587 | In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. | LOW | Oct 25, 2019 | n/a |
| CVE-2019-15586 | A XSS exists in Gitlab CE/EE < 12.1.10 in the Mermaid plugin. | MEDIUM | Jan 28, 2020 | n/a |
| CVE-2019-15585 | Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user\'s account. | HIGH | Jan 29, 2020 | n/a |
| CVE-2019-15584 | A denial of service exists in gitlab <v12.3.2, <v12.2.6, and <v12.1.10 that would let an attacker bypass input validation in markdown fields take down the affected page. | MEDIUM | Dec 21, 2019 | n/a |
| CVE-2019-15583 | An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API. | MEDIUM | Jan 29, 2020 | n/a |
| CVE-2019-15582 | An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment. | MEDIUM | Jan 29, 2020 | n/a |
| CVE-2019-15581 | An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules. | MEDIUM | Jan 29, 2020 | n/a |
| CVE-2019-15580 | An information exposure vulnerability exists in gitlab.com <v12.3.2, <v12.2.6, and <v12.1.10 when using the blocking merge request feature, it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was restricted. | MEDIUM | Dec 27, 2019 | n/a |
| CVE-2019-15579 | An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones. | MEDIUM | Jan 29, 2020 | n/a |
| CVE-2019-15578 | An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests. | MEDIUM | Jan 29, 2020 | n/a |
| CVE-2019-15577 | An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing. | MEDIUM | Dec 26, 2019 | n/a |
| CVE-2019-15576 | An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint. | MEDIUM | Dec 26, 2019 | n/a |
| CVE-2019-15575 | A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to inject commands via the API through the blobs scope. | MEDIUM | Dec 27, 2019 | n/a |
| CVE-2019-15574 | Gesior-AAC before2019-05-01 allows serviceID SQL injection in accountmanagement.php. | -- | Aug 26, 2019 | n/a |
| CVE-2019-15573 | Gesior-AAC before2019-05-01 allows SQL injection in tankyou.php. | -- | Aug 26, 2019 | n/a |
| CVE-2019-15572 | Gesior-AAC before2019-05-01 allows ServiceCategoryID SQL injection in shop.php. | -- | Aug 26, 2019 | n/a |
| CVE-2019-15571 | The WEB control panel before2019-04-30 for ClonOS allows SQL injection in clonos.php. | -- | Aug 26, 2019 | n/a |
