The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-12182 | Directory Traversal in Safescan Timemoto and TA-8000 series version 1.0 allows unauthenticated remote attackers to execute code via the administrative API. | HIGH | Mar 13, 2020 | n/a |
| CVE-2019-12181 | A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux. | MEDIUM | Jun 18, 2019 | n/a |
| CVE-2019-12180 | An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy Load Script is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the Save Script function, which is executed automatically when saving a project. | HIGH | Feb 7, 2020 | n/a |
| CVE-2019-12177 | Privilege escalation due to insecure directory permissions affecting ViveportDesktopService in HTC VIVEPORT before 1.0.0.36 allows local attackers to escalate privileges via DLL hijacking. | HIGH | Jun 4, 2019 | n/a |
| CVE-2019-12176 | Privilege escalation in the \"HTC Account Service\" and \"ViveportDesktopService\" in HTC VIVEPORT before 1.0.0.36 allows local attackers to escalate privileges to SYSTEM via reconfiguration of either service. | HIGH | Jun 4, 2019 | n/a |
| CVE-2019-12175 | In Zeek Network Security Monitor (formerly known as Bro) before 2.6.2, a NULL pointer dereference in the Kerberos (aka KRB) protocol parser leads to DoS because a case-type index is mishandled. | MEDIUM | Jul 22, 2019 | n/a |
| CVE-2019-12174 | hide.me before 2.4.4 on macOS suffers from a privilege escalation vulnerability in the connectWithExecutablePath:configFilePath:configFileName method of the me_hide_vpnhelper.Helper class in the me.hide.vpnhelper macOS privilege helper tool. This method takes user-supplied input and can be used to escalate privileges, as well as obtain the ability to run any application on the system in the root context. | HIGH | Jul 9, 2019 | n/a |
| CVE-2019-12173 | MacDown 0.7.1 (870) allows remote code execution via a file:\\\\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138. | MEDIUM | May 20, 2019 | n/a |
| CVE-2019-12172 | Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137. | MEDIUM | May 21, 2019 | n/a |
| CVE-2019-12171 | Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process. | MEDIUM | Jul 11, 2019 | n/a |
| CVE-2019-12170 | ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. | HIGH | May 21, 2019 | n/a |
| CVE-2019-12169 | ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a \"..\" pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component. | MEDIUM | Jun 5, 2019 | n/a |
| CVE-2019-12168 | Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen. | HIGH | May 21, 2019 | n/a |
| CVE-2019-12167 | httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1E0.5 devices allows XSS via the statusstr parameter. | MEDIUM | May 27, 2019 | n/a |
| CVE-2019-12165 | MiCollab 7.3 PR2 (7.3.0.204) and earlier, 7.2 (7.2.2.13) and earlier, and 7.1 (7.1.0.57) and earlier and MiCollab AWV 6.3 (6.3.0.103), 6.2 (6.2.2.8), 6.1 (6.1.0.28), 6.0 (6.0.0.61), and 5.0 (5.0.5.7) have a Command Execution Vulnerability. Successful exploit of this vulnerability could allow an attacker to execute arbitrary system commands. | HIGH | Jun 17, 2019 | n/a |
| CVE-2019-12164 | ubuntu-server.js in Status React Native Desktop before v0.57.8_mobile_ui allows Remote Code Execution. | HIGH | Jul 25, 2019 | n/a |
| CVE-2019-12163 | GAT-Ship Web Module through 1.30 allows remote attackers to obtain potentially sensitive information via {} in a ws/gatshipWs.asmx/SqlVersion request. | MEDIUM | May 22, 2019 | n/a |
| CVE-2019-12162 | Upwork Time Tracker 5.2.2.716 doesn\'t verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe. | MEDIUM | Jul 25, 2019 | n/a |
| CVE-2019-12161 | WPO WebPageTest 19.04 allows SSRF because ValidateURL in www/runtest.php does not consider octal encoding of IP addresses (such as 0300.0250 as a replacement for 192.168). | MEDIUM | May 21, 2019 | n/a |
| CVE-2019-12160 | GoHTTP through 2017-07-25 has a sendHeader use-after-free. | HIGH | May 20, 2019 | n/a |
| CVE-2019-12159 | GoHTTP through 2017-07-25 has a stack-based buffer over-read in the scan function (when called from getRequestType) via a long URL. | MEDIUM | May 20, 2019 | n/a |
| CVE-2019-12158 | GoHTTP through 2017-07-25 has a GetExtension heap-based buffer overflow via a long extension. | HIGH | May 20, 2019 | n/a |
| CVE-2019-12157 | In JetBrains UpSource versions before 2018.2 build 1293, there is credential disclosure via RPC commands. | High | Oct 8, 2019 | n/a |
| CVE-2019-12156 | Server metadata could be exposed because one of the error messages reflected the whole response back to the client in JetBrains TeamCity versions before 2018.2.5 and UpSource versions before 2018.2 build 1293. | MEDIUM | Oct 8, 2019 | n/a |
| CVE-2019-12155 | interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference. | Medium | May 31, 2019 | n/a |
| CVE-2019-12154 | XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file contents and/or denial of service conditions. | MEDIUM | Jun 13, 2019 | n/a |
| CVE-2019-12153 | Lack of validation in the HTML parser in RealObjects PDFreactor before 10.1.10722 leads to SSRF, allowing attackers to access network or file resources on behalf of the server by supplying malicious HTML content. | MEDIUM | Jun 17, 2019 | n/a |
| CVE-2019-12150 | Karamasoft UltimateEditor 1 does not ensure that an uploaded file is an image or document (neither file types nor extensions are restricted). The attacker must use the Attach icon to perform an upload. An uploaded file is accessible under the UltimateEditorInclude/UserFiles/ URI. | HIGH | May 30, 2019 | n/a |
| CVE-2019-12149 | SQL injection vulnerability in silverstripe/restfulserver module 1.0.x before 1.0.9, 2.0.x before 2.0.4, and 2.1.x before 2.1.2 and silverstripe/registry module 2.1.x before 2.1.1 and 2.2.x before 2.2.1 allows attackers to execute arbitrary SQL commands. | HIGH | Jun 12, 2019 | n/a |
| CVE-2019-12148 | The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to an authentication bypass via an argument injection vulnerability involving special characters in the username field. Upon successful exploitation, a remote unauthenticated user can login into the device\'s admin web portal without providing any credentials. This affects /var/webconfig/gui/Webconfig.inc.php. | HIGH | Oct 30, 2019 | n/a |
| CVE-2019-12147 | The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to Argument Injection via special characters in the username field. Upon successful exploitation, a remote unauthenticated user can create a local system user with sudo privileges, and use that user to login to the system (either via the web interface or via SSH) to achieve complete compromise of the device. This affects /var/webconfig/gui/Webconfig.inc.php and /usr/local/sng/bin/sng-user-mgmt. | MEDIUM | Oct 30, 2019 | n/a |
| CVE-2019-12146 | A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. Attackers have the ability to abuse a flaw in the SCP listener by crafting strings using specific patterns to write files and create directories outside of their authorized directory. | MEDIUM | Jun 12, 2019 | n/a |
| CVE-2019-12145 | A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. An attacker can supply a string using special patterns via the SCP protocol to disclose path names on the host operating system. | MEDIUM | Jun 12, 2019 | n/a |
| CVE-2019-12144 | An issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. Attackers have the ability to abuse a path traversal vulnerability using the SCP protocol. Attackers who leverage this flaw could also obtain remote code execution by crafting a payload that abuses the SITE command feature. | HIGH | Jun 12, 2019 | n/a |
| CVE-2019-12143 | A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. An attacker can supply a string using special patterns via the SCP protocol to disclose WS_FTP usernames as well as filenames. | MEDIUM | Jun 12, 2019 | n/a |
| CVE-2019-12139 | An XSS issue was discovered in the Admin UI in eZ Platform 2.x. This affects ezplatform-admin-ui 1.3.x before 1.3.5 and 1.4.x before 1.4.4, and ezplatform-page-builder 1.1.x before 1.1.5 and 1.2.x before 1.2.4. | MEDIUM | May 17, 2019 | n/a |
| CVE-2019-12138 | MacDown 0.7.1 allows directory traversal, for execution of arbitrary programs, via a file:/// or ../ substring in a shared note. | MEDIUM | May 16, 2019 | n/a |
| CVE-2019-12137 | Typora 0.9.9.24.6 on macOS allows directory traversal, for execution of arbitrary programs, via a file:/// or ../ substring in a shared note. | MEDIUM | May 28, 2019 | n/a |
| CVE-2019-12136 | There is XSS in BoostIO Boostnote 0.11.15 via a label named mermaid, as demonstrated by a crafted SRC attribute of an IFRAME element. | -- | May 16, 2019 | n/a |
| CVE-2019-12135 | An unspecified vulnerability in the application server in PaperCut MF and NG versions 18.3.8 and earlier and versions 19.0.3 and earlier allows remote attackers to execute arbitrary code via an unspecified vector. | HIGH | Jun 10, 2019 | n/a |
| CVE-2019-12134 | CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export. | MEDIUM | Jun 11, 2019 | n/a |
| CVE-2019-12133 | Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus. | HIGH | Jun 20, 2019 | n/a |
| CVE-2019-12132 | An issue was discovered in ONAP SDNC before Dublin. By executing sla/dgUpload with a crafted filename parameter, an unauthenticated attacker can execute an arbitrary command. All SDC setups that include admportal are affected. | HIGH | Mar 18, 2020 | n/a |
| CVE-2019-12131 | An issue was detected in ONAP APPC through Dublin and SDC through Dublin. By setting a USER_ID parameter in an HTTP header, an attacker may impersonate an arbitrary existing user without any authentication. All APPC and SDC setups are affected. | MEDIUM | Mar 18, 2020 | n/a |
| CVE-2019-12130 | In ONAP CLI through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | HIGH | Mar 19, 2020 | n/a |
| CVE-2019-12129 | In ONAP MSB through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | HIGH | Mar 19, 2020 | n/a |
| CVE-2019-12128 | In ONAP SO through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | HIGH | Mar 19, 2020 | n/a |
| CVE-2019-12127 | In ONAP OOM through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | HIGH | Mar 19, 2020 | n/a |
| CVE-2019-12126 | In ONAP DCAE through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | HIGH | Mar 19, 2020 | n/a |
| CVE-2019-12125 | In ONAP Logging through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | HIGH | Mar 19, 2020 | n/a |
