The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-20516 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20515 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20514 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20513 | Open edX Ironwood.1 allows support/certificates?user= reflected XSS. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20512 | Open edX Ironwood.1 allows support/certificates?course_id= reflected XSS. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20511 | ERPNext 11.1.47 allows blog?blog_category= Frame Injection. | MEDIUM | Mar 18, 2020 | n/a |
| CVE-2019-20510 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-13456. Reason: This candidate is a duplicate of CVE-2019-13456. Notes: All CVE users should reference CVE-2019-13456 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | -- | Nov 7, 2023 | n/a |
| CVE-2019-20509 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it only affected a development version. Notes: none | -- | Nov 7, 2023 | n/a |
| CVE-2019-20504 | service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter. | HIGH | Mar 10, 2020 | n/a |
| CVE-2019-20503 | usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init. | MEDIUM | Mar 12, 2020 | n/a |
| CVE-2019-20502 | An issue was discovered in EFS Easy Chat Server 3.1. There is a buffer overflow via a long body2.ghp message parameter. | MEDIUM | Mar 6, 2020 | n/a |
| CVE-2019-20501 | D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Upgrade Firmware functionality in the Web interface, using shell metacharacters in the admin.cgi?action=upgrade firmwareRestore or firmwareServerip parameter. | HIGH | Mar 6, 2020 | n/a |
| CVE-2019-20500 | D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter. | HIGH | Mar 6, 2020 | n/a |
| CVE-2019-20499 | D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Restore Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_restore configRestore or configServerip parameter. | HIGH | Mar 6, 2020 | n/a |
| CVE-2019-20498 | cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534). | HIGH | Mar 19, 2020 | n/a |
| CVE-2019-20497 | cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533). | LOW | Mar 19, 2020 | n/a |
| CVE-2019-20496 | cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532). | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20495 | cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531). | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20494 | In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525). | LOW | Mar 19, 2020 | n/a |
| CVE-2019-20493 | cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520). | MEDIUM | Mar 18, 2020 | n/a |
| CVE-2019-20492 | cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516). | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20491 | cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508). | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20490 | cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499). | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-20489 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. The web management interface (setup.cgi) has an authentication bypass and other problems that ultimately allow an attacker to remotely compromise the device from a malicious webpage. The attacker sends an FW_remote.htm&todo=cfg_init request without a cookie, reads the Set-Cookie header in the 401 Unauthorized response, and then repeats the FW_remote.htm&todo=cfg_init request with the specified cookie. | MEDIUM | Mar 4, 2020 | n/a |
| CVE-2019-20488 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the web management interface (setup.cgi) are vulnerable to command injection, allowing remote attackers to execute arbitrary commands, as demonstrated by shell metacharacters in the sysDNSHost parameter. | HIGH | Mar 4, 2020 | n/a |
| CVE-2019-20487 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the WNR1000V4 web management console are vulnerable to an unauthenticated GET request (exploitable directly or through CSRF), as demonstrated by the setup.cgi?todo=save_htp_account URI. | MEDIUM | Mar 4, 2020 | n/a |
| CVE-2019-20486 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple pages (setup.cgi and adv_index.htm) within the web management console are vulnerable to stored XSS, as demonstrated by the configuration of the UI language. | MEDIUM | Mar 4, 2020 | n/a |
| CVE-2019-20485 | qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage). | LOW | Mar 19, 2020 | n/a |
| CVE-2019-20484 | An issue was discovered in Viki Vera 4.9.1.26180. A user without access to a project could download or upload project files by opening the Project URL directly in the browser after logging in. | MEDIUM | Jan 8, 2021 | n/a |
| CVE-2019-20483 | An issue was discovered in Viki Vera 4.9.1.26180. An attacker could set a user\'s last name to an XSS Payload, and read another user\'s cookie and use that to login to the application. | LOW | Jan 8, 2021 | n/a |
| CVE-2019-20481 | In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Function does not require knowledge of the old password. This can be exploited in conjunction with CVE-2019-20480. | MEDIUM | Feb 28, 2020 | n/a |
| CVE-2019-20480 | In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website visited by an authenticated admin user or a malicious mail is allowed to make arbitrary changes in the admin panel because there is no CSRF protection. | MEDIUM | Feb 28, 2020 | n/a |
| CVE-2019-20479 | A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning. | MEDIUM | Feb 25, 2020 | n/a |
| CVE-2019-20478 | In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases. | HIGH | Feb 27, 2020 | n/a |
| CVE-2019-20477 | PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342. | HIGH | Feb 26, 2020 | n/a |
| CVE-2019-20474 | An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF. | MEDIUM | Feb 20, 2020 | n/a |
| CVE-2019-20473 | An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a Remove PIN and restart! message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device. | MEDIUM | Feb 5, 2021 | n/a |
| CVE-2019-20471 | An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. When using the device at initial setup, a default password is used (123456) for administrative purposes. There is no prompt to change this password. Note that this password can be used in combination with CVE-2019-20470. | HIGH | Feb 5, 2021 | n/a |
| CVE-2019-20470 | An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It performs actions based on certain SMS commands. This can be used to set up a voice communication channel from the watch to any telephone number, initiated by sending a specific SMS and using the default password, e.g., pw,<password>,call,<mobile_number> triggers an outbound call from the watch. The password is sometimes available because of CVE-2019-20471. | MEDIUM | Feb 5, 2021 | n/a |
| CVE-2019-20468 | An issue was discovered in SeTracker2 for TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It has unnecessary permissions such as READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, and READ_CONTACTS. | HIGH | Feb 5, 2021 | n/a |
| CVE-2019-20467 | An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. The device by default has a TELNET interface available (which is not advertised or functionally used, but is nevertheless available). Two backdoor accounts (root and default) exist that can be used on this interface. The usernames and passwords of the backdoor accounts are the same on all devices. Attackers can use these backdoor accounts to obtain access and execute code as root within the device. | HIGH | Jul 22, 2021 | n/a |
| CVE-2019-20466 | An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. A local attacker with the default account is capable of reading the /etc/passwd file, which contains a weakly hashed root password. By taking this hash and cracking it, the attacker can obtain root rights on the device. | HIGH | Apr 2, 2021 | n/a |
| CVE-2019-20465 | An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. It is possible (using TELNET without a password) to control the camera\'s pan/zoom/tilt functionality. | MEDIUM | Apr 2, 2021 | n/a |
| CVE-2019-20464 | An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. By default, a mobile application is used to stream over UDP. However, the device offers many more services that also enable streaming. Although the service used by the mobile application requires a password, the other streaming services do not. By initiating communication on the RTSP port, an attacker can obtain access to the video feed without authenticating. | MEDIUM | Apr 2, 2021 | n/a |
| CVE-2019-20463 | An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. A crash and reboot can be triggered by crafted IP traffic, as demonstrated by the Nikto vulnerability scanner. For example, sending the 111111 string to UDP port 20188 causes a reboot. To deny service for a long time period, the crafted IP traffic may be sent periodically. | HIGH | Apr 2, 2021 | n/a |
| CVE-2019-20456 | Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, and Goverlan Client Agent before 9.20.50 have an Untrusted Search Path that leads to Command Injection and Local Privilege Escalation via DLL hijacking. | MEDIUM | Feb 26, 2020 | n/a |
| CVE-2019-20455 | Gateways/Gateway.php in Heartland & Global Payments PHP SDK before 2.0.0 does not enforce SSL certificate validations. | MEDIUM | Feb 14, 2020 | n/a |
| CVE-2019-20454 | An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \\X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. | MEDIUM | Feb 26, 2020 | n/a |
| CVE-2019-20453 | A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. | MEDIUM | Mar 17, 2020 | n/a |
| CVE-2019-20452 | A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/core.access/src/RecycleBinManager.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. | MEDIUM | Mar 17, 2020 | n/a |
