The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-19703 | In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location. | MEDIUM | Dec 13, 2019 | n/a |
| CVE-2019-19702 | The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain. | MEDIUM | Dec 11, 2019 | n/a |
| CVE-2019-19699 | There is Authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration, This allows the apache user to modify an executable file executed by root at 22:30 every day. To exploit the vulnerability, someone must have Admin access to the Centreon Web Interface and create a custom main.php?p=60803&type=3 command. The user must then set the Pollers Post-Restart Command to this previously created command via the main.php?p=60901&o=c&server_id=1 URI. This is triggered via an export of the Poller Configuration. | HIGH | Apr 6, 2020 | n/a |
| CVE-2019-19698 | marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c. | MEDIUM | Dec 11, 2019 | n/a |
| CVE-2019-19697 | An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administrator privileges on the target machine in order to exploit the vulnerability. | HIGH | Jan 18, 2020 | n/a |
| CVE-2019-19696 | A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishing sites. | LOW | Jan 18, 2020 | n/a |
| CVE-2019-19695 | A privilege escalation vulnerability in Trend Micro Antivirus for Mac 2019 (v9.0.1379 and below) could potentially allow an attacker to create a symbolic link to a target file and modify it. | MEDIUM | Dec 26, 2019 | n/a |
| CVE-2019-19694 | The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product\'s malware protection functions or the entire product completely.. | LOW | Feb 28, 2020 | n/a |
| CVE-2019-19693 | The Trend Micro Security 2020 consumer family of products contains a vulnerability that could allow a local attacker to disclose sensitive information or to create a denial-of-service condition on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | LOW | Dec 20, 2019 | n/a |
| CVE-2019-19692 | Trend Micro Apex One (2019) is affected by a cross-site scripting (XSS) vulnerability on the product console. Note that the Japanese version of the product is NOT affected. | MEDIUM | Dec 20, 2019 | n/a |
| CVE-2019-19691 | A vulnerability in Trend Micro Apex One and OfficeScan XG could allow an attacker to expose a masked credential key by manipulating page elements using development tools. Note that the attacker must already have admin/root privileges on the product console to exploit this vulnerability. | MEDIUM | Dec 20, 2019 | n/a |
| CVE-2019-19690 | Trend Micro Mobile Security for Android (Consumer) versions 10.3.1 and below on Android 8.0+ has an issue in which an attacker could bypass the product\'s App Password Protection feature. | HIGH | Dec 18, 2019 | n/a |
| CVE-2019-19689 | Trend Micro HouseCall for Home Networks (versions below 5.3.0.1063) could be exploited via a DLL Hijack related to a vulnerability on the packer that the program uses. | MEDIUM | Dec 27, 2019 | n/a |
| CVE-2019-19688 | A privilege escalation vulnerability in Trend Micro HouseCall for Home Networks (versions below 5.3.0.1063) could be exploited allowing an attacker to place a malicious DLL file into the application directory and elevate privileges. | MEDIUM | Dec 18, 2019 | n/a |
| CVE-2019-19687 | OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users\' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.) | LOW | Dec 9, 2019 | n/a |
| CVE-2019-19685 | RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions. | MEDIUM | Dec 9, 2019 | n/a |
| CVE-2019-19684 | nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin. | MEDIUM | Dec 11, 2019 | n/a |
| CVE-2019-19683 | RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to ../ path traversal via d or f to Admin/RoxyFileman/ProcessRequest because of Libraries/Nop.Services/Media/RoxyFileman/FileRoxyFilemanService.cs. | HIGH | Dec 9, 2019 | n/a |
| CVE-2019-19682 | nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \\Presentation\\Nop.Web\\Areas\\Admin\\Controllers\\NewsController.cs and \\Presentation\\Nop.Web\\Areas\\Admin\\Controllers\\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/[id] Admin/Blog/BlogPostEdit/[id]. NOTE: the vendor reportedly considers this a feature because the affected components are an HTML content editor. | LOW | Dec 10, 2019 | n/a |
| CVE-2019-19681 | Pandora FMS 7.x suffers from remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert commands, you need to have admin rights. They also state that the extended ACL system can disable access to specific sections of the configuration, such as defining new alert commands | HIGH | Dec 26, 2019 | n/a |
| CVE-2019-19680 | A file-extension filtering vulnerability in Proofpoint Enterprise Protection (PPS / PoD), in the unpatched versions of PPS through 8.9.22 and 8.14.2 respectively, allows attackers to bypass protection mechanisms (related to extensions, MIME types, virus detection, and journal entries for transmitted files) by sending malformed (not RFC compliant) multipart email. | MEDIUM | Jan 16, 2020 | n/a |
| CVE-2019-19679 | In Xray Test Management for Jira prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue. | LOW | Dec 11, 2019 | n/a |
| CVE-2019-19678 | In Xray Test Management for Jira prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue. | LOW | Dec 11, 2019 | n/a |
| CVE-2019-19677 | arxes-tolina 3.0.0 allows User Enumeration. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-19676 | A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user\'s PC. | HIGH | Mar 19, 2020 | n/a |
| CVE-2019-19675 | In Ivanti Workspace Control before 10.3.180.0. a locally authenticated user with low privileges can bypass Managed Application Security by leveraging an unspecified attack vector in Workspace Preferences, when it is enabled. As a result, the attacker can start applications that should be blocked. | MEDIUM | Dec 17, 2019 | n/a |
| CVE-2019-19670 | A HTTP Response Splitting vulnerability was identified in the Web Settings Component of Web File Manager in Rumpus FTP Server 8.2.9.1. A successful exploit can result in stored XSS, website defacement, etc. via ExtraHTTPHeader to RAPR/WebSettingsGeneralSet.html. | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-19669 | A CSRF vulnerability exists in the Upload Center Forms Component of Web File Manager in Rumpus FTP 8.2.9.1. This could allow an attacker to delete, create, and update the upload forms via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-19668 | A CSRF vulnerability exists in the File Types component of Web File Manager in Rumpus FTP 8.2.9.1 that allows an attacker to add or delete the file types that are used on the server via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-19667 | A CSRF vulnerability exists in the Block Clients component of Web File Manager in Rumpus FTP 8.2.9.1 that could allow an attacker to whitelist or block any IP address via RAPR/BlockedClients.html. | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-19666 | A CSRF vulnerability exists in the Event Notices Settings of Web File Manager in Rumpus FTP 8.2.9.1. An attacker can create/update event notices via RAPR/EventNoticesSet.html. | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-19665 | A CSRF vulnerability exists in the FTP Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server FTP settings at RAPR/FTPSettingsSet.html. | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-19664 | A CSRF vulnerability exists in the Web Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server Web settings at RAPR/WebSettingsGeneralSet.html. | MEDIUM | Feb 10, 2020 | n/a |
| CVE-2019-19663 | A CSRF vulnerability exists in the Folder Sets Settings of Web File Manager in Rumpus FTP 8.2.9.1. This allows an attacker to Create/Delete Folders after exploiting it at RAPR/FolderSetsSet.html. | MEDIUM | Feb 10, 2020 | n/a |
| CVE-2019-19662 | A CSRF vulnerability exists in the Web File Manager\'s Create/Delete Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can Create and Delete accounts via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 10, 2020 | n/a |
| CVE-2019-19661 | A Cookie based reflected XSS exists in the Web File Manager of Rumpus FTP Server 8.2.9.1, related to RumpusLoginUserName and snp. | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-19660 | A CSRF vulnerability exists in the Web File Manager\'s Network Setting functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can manipulate the SMTP setting and other network settings via RAPR/NetworkSettingsSet.html. | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-19659 | A CSRF vulnerability exists in the Web File Manager\'s Edit Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can take over a user account by changing the password, update users\' details, and escalate privileges via RAPR/DefineUsersSet.html. | MEDIUM | Feb 11, 2020 | n/a |
| CVE-2019-19650 | Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. | MEDIUM | Dec 13, 2019 | n/a |
| CVE-2019-19649 | Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. | HIGH | Dec 13, 2019 | n/a |
| CVE-2019-19648 | In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution. | MEDIUM | Dec 9, 2019 | n/a |
| CVE-2019-19647 | radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input. | MEDIUM | Dec 13, 2019 | n/a |
| CVE-2019-19646 | pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns. | HIGH | Dec 9, 2019 | SR0660 (VxWorks 7) |
| CVE-2019-19645 | alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements. | LOW | Dec 9, 2019 | SR0660 (VxWorks 7) |
| CVE-2019-19643 | ise smart connect KNX Vaillant 1.2.839 contain a Denial of Service. | MEDIUM | Aug 14, 2020 | n/a |
| CVE-2019-19642 | On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareName. The attacker can achieve a persistent backdoor. | HIGH | Dec 9, 2019 | n/a |
| CVE-2019-19638 | An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow. | HIGH | Dec 9, 2019 | n/a |
| CVE-2019-19637 | An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c. | HIGH | Dec 9, 2019 | n/a |
| CVE-2019-19636 | An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c. | HIGH | Dec 9, 2019 | n/a |
| CVE-2019-19635 | An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c. | HIGH | Dec 9, 2019 | n/a |
