The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-9737 | Editor.md 1.5.0 has DOM-based XSS via vectors involving the \'<EMBED SRC=\"data:image/svg+xml\' substring. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9736 | DOM-based XSS exists in 1024Tools Markdown 1.0 via vectors involving the \'<EMBED SRC=\"data:image/svg+xml\' substring. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9735 | An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn\'t support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it\'s applied. (Only deployments using the iptables security group driver are affected.) | MEDIUM | Mar 22, 2019 | n/a |
| CVE-2019-9734 | Aquarius CMS through 4.3.5 writes POST and GET parameters (including passwords) to a log file due to an overwriting of configuration parameters under certain circumstances. | Medium | Apr 30, 2019 | n/a |
| CVE-2019-9733 | An issue was discovered in JFrog Artifactory 6.7.3. By default, the access-admin account is used to reset the password of the admin account in case an administrator gets locked out from the Artifactory console. This is only allowable from a connection directly from localhost, but providing a X-Forwarded-For HTTP header to the request allows an unauthenticated user to login with the default credentials of the access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory\'s API to request authentication tokens for all users including the admin account and, in turn, assume full control of all artifacts and repositories managed by Artifactory. | HIGH | Apr 12, 2019 | n/a |
| CVE-2019-9732 | An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control. | HIGH | May 29, 2019 | n/a |
| CVE-2019-9730 | Incorrect access control in the CxUtilSvc component of the Synaptics Sound Device drivers prior to version 2.29 allows a local attacker to increase access privileges to the Windows Registry via an unpublished API. | HIGH | Jun 7, 2019 | n/a |
| CVE-2019-9729 | In Shanda MapleStory Online V160, the SdoKeyCrypt.sys driver allows privilege escalation to NT AUTHORITY\\SYSTEM because of not validating the IOCtl 0x8000c01c input value, leading to an integer signedness error and a heap-based buffer underflow. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9727 | Unauthenticated password hash disclosure in the User.getUserPWD method in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to retrieve the GUI password hashes of GUI users. This vulnerability can be exploited by unauthenticated attackers with access to the web interface. | MEDIUM | May 14, 2019 | n/a |
| CVE-2019-9726 | Directory Traversal / Arbitrary File Read in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to read arbitrary files of the device\'s filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface. | MEDIUM | May 14, 2019 | n/a |
| CVE-2019-9725 | The Web manager (aka Commander) on Korenix JetPort 5601 and 5601f devices has Persistent XSS via the Port Alias field under Serial Setting. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9724 | aquaverde Aquarius CMS through 4.3.5 allows Information Exposure through Log Files because of an error in the Log-File writer component. | MEDIUM | Apr 29, 2019 | n/a |
| CVE-2019-9723 | LogicalDOC Community Edition 8.x before 8.2.1 has a path traversal vulnerability that allows reading arbitrary files and the creation of directories, in the class PluginRegistry. | MEDIUM | Jun 11, 2019 | n/a |
| CVE-2019-9721 | A denial of service in the subtitle decoder in FFmpeg 3.2 and 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format, because handle_open_brace in libavcodec/htmlsubtitles.c has a complex format argument to sscanf. | Medium | Mar 14, 2019 | n/a |
| CVE-2019-9720 | A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf. | High | Sep 20, 2019 | n/a |
| CVE-2019-9719 | A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf. NOTE: Third parties dispute that this is a vulnerability because “no evidence of a vulnerability is provided” and only “a generic warning from a static code analysis” is provided | Medium | Sep 20, 2019 | n/a |
| CVE-2019-9718 | In FFmpeg 3.2 and 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf. | Medium | Mar 15, 2019 | n/a |
| CVE-2019-9717 | In Libav 12.3, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c has a complex format argument to sscanf. | High | Sep 20, 2019 | n/a |
| CVE-2019-9714 | An issue was discovered in Joomla! before 3.9.4. The media form field lacks escaping, leading to XSS. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9713 | An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9712 | An issue was discovered in Joomla! before 3.9.4. The JSON handler in com_config lacks input validation, leading to XSS. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9711 | An issue was discovered in Joomla! before 3.9.4. The item_title layout in edit views lacks escaping, leading to XSS. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9710 | An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9709 | An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vulnerable to Cross Site Scripting (XSS) due to not escaping it when viewing the collection\'s SmartEvidence overview page (if that feature is turned on). This can be exploited by any logged-in user. | LOW | May 7, 2019 | n/a |
| CVE-2019-9708 | An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. A site administrator can suspend the system user (root), causing all users to be locked out from the system. | MEDIUM | May 7, 2019 | n/a |
| CVE-2019-9706 | Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error. | LOW | Mar 22, 2019 | n/a |
| CVE-2019-9705 | Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted. | LOW | Mar 22, 2019 | n/a |
| CVE-2019-9704 | Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked. | LOW | Mar 22, 2019 | n/a |
| CVE-2019-9703 | Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels. | MEDIUM | Jul 7, 2019 | n/a |
| CVE-2019-9702 | Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels. | MEDIUM | Jul 7, 2019 | n/a |
| CVE-2019-9701 | DLP 15.5 MP1 and all prior versions may be susceptible to a cross-site scripting (XSS) vulnerability, a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. | LOW | Jul 3, 2019 | n/a |
| CVE-2019-9700 | Norton Password Manager, prior to 6.3.0.2082, may be susceptible to an address spoofing issue. This type of issue may allow an attacker to disguise their origin IP address in order to obfuscate the source of network traffic. | LOW | Jul 18, 2019 | n/a |
| CVE-2019-9699 | Symantec Messaging Gateway (prior to 10.7.0), may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data. | LOW | Oct 30, 2019 | n/a |
| CVE-2019-9698 | Symantec AV Engine, prior to 13.0.9r17, may be susceptible to an arbitrary file deletion issue, which is a type of vulnerability that could allow an attacker to delete files on the resident system without elevated privileges. | LOW | May 9, 2019 | n/a |
| CVE-2019-9697 | An information disclosure vulnerability in the Management Center (MC) REST API 2.0, 2.1, and 2.2 prior to 2.2.2.1 allows a malicious authenticated user to obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access. | MEDIUM | Sep 5, 2019 | n/a |
| CVE-2019-9696 | Symantec VIP Enterprise Gateway (all versions) may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy. | MEDIUM | Apr 10, 2019 | n/a |
| CVE-2019-9695 | Norton Core prior to v278 may be susceptible to an arbitrary code execution issue, which is a type of vulnerability that has the potential of allowing an individual to execute arbitrary commands or code on a target machine or in a target process. Note that this exploit is only possible with direct physical access to the device. | HIGH | Apr 1, 2019 | n/a |
| CVE-2019-9694 | Symantec Endpoint Encryption prior to SEE 11.2.1 MP1 may be susceptible to a Privilege Escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | MEDIUM | Apr 12, 2019 | n/a |
| CVE-2019-9693 | In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id), _AdjustNameSeq (parameter shownumber), _Updatepicture (parameter picture_id), and _Deletepicture (parameter picture_id). | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9692 | class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). | MEDIUM | Mar 28, 2019 | n/a |
| CVE-2019-9689 | process_certificate in tls1.c in Cameron Hamilton-Rich axTLS through 2.1.5 has a Buffer Overflow via a crafted TLS certificate handshake message with zero certificates. | MEDIUM | Dec 4, 2019 | n/a |
| CVE-2019-9688 | sftnow through 2018-12-29 allows index.php?g=Admin&m=User&a=add_post CSRF to add an admin account. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9687 | PoDoFo 0.9.6 has a heap-based buffer overflow in PdfString::ConvertUTF16toUTF8 in base/PdfString.cpp. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9686 | pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL pacman -U <url> due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman\'s package signature checking. This occurs in curl_download_internal in lib/libalpm/dload.c. | High | Mar 12, 2019 | n/a |
| CVE-2019-9682 | Dahua devices with Build time before December 2019 use strong security login mode by default, but in order to be compatible with the normal login of early devices, some devices retain the weak security login mode that users can control. If the user uses a weak security login method, an attacker can monitor the device network to intercept network packets to attack the device. So it is recommended that the user disable this login method. | MEDIUM | May 13, 2020 | n/a |
| CVE-2019-9681 | Online upgrade information in some firmware packages of Dahua products is not encrypted. Attackers can obtain this information by analyzing firmware packages by specific means. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18,2019. | MEDIUM | Sep 19, 2019 | n/a |
| CVE-2019-9680 | Some Dahua products have information leakage issues. Attackers can obtain the IP address and device model information of the device by constructing malicious data packets. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18, 2019. | MEDIUM | Sep 19, 2019 | n/a |
| CVE-2019-9679 | Some of Dahua\'s Debug functions do not have permission separation. Low-privileged users can use the Debug function after logging in. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18,2019. | MEDIUM | Sep 19, 2019 | n/a |
| CVE-2019-9678 | Some Dahua products have the problem of denial of service during the login process. An attacker can cause a device crashed by constructing a malicious packet. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18, 2019. | MEDIUM | Sep 19, 2019 | n/a |
| CVE-2019-9677 | The specific fields of CGI interface of some Dahua products are not strictly verified, an attacker can cause a buffer overflow by constructing malicious packets. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18, 2019. | HIGH | Sep 19, 2019 | n/a |
