The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2019-19260 | GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 2 of 2). | MEDIUM | Jan 6, 2020 | n/a |
CVE-2019-19259 | GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference (IDOR). | MEDIUM | Jan 6, 2020 | n/a |
CVE-2019-19258 | GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorrect Access Control. | MEDIUM | Jan 6, 2020 | n/a |
CVE-2019-19257 | GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of 2). | MEDIUM | Jan 6, 2020 | n/a |
CVE-2019-19256 | GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorrect Access Control. | MEDIUM | Jan 6, 2020 | n/a |
CVE-2019-19255 | GitLab Enterprise Edition (EE) 12.3 and later through 12.5 has Incorrect Access Control. | MEDIUM | Jan 7, 2020 | n/a |
CVE-2019-19254 | GitLab Community Edition (CE) and Enterprise Edition (EE) 9.6 and later through 12.5 has Incorrect Access Control. | MEDIUM | Jan 6, 2020 | n/a |
CVE-2019-19252 | vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a. | MEDIUM | Nov 27, 2019 | n/a |
CVE-2019-19251 | The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts. | MEDIUM | Dec 10, 2019 | n/a |
CVE-2019-19250 | OpenTrade before 2019-11-23 allows SQL injection, related to server/modules/api/v1.js and server/utils.js. | HIGH | Nov 25, 2019 | n/a |
CVE-2019-19249 | Controllers/InvitationsController.cs in QueryTree before 3.0.99-beta mishandles invitations. | HIGH | Nov 25, 2019 | n/a |
CVE-2019-19248 | Electronic Arts Origin through 10.5.x allows Elevation of Privilege (issue 2 of 2). | HIGH | Dec 13, 2019 | n/a |
CVE-2019-19247 | Electronic Arts Origin through 10.5.x allows Elevation of Privilege (issue 1 of 2). | HIGH | Dec 13, 2019 | n/a |
CVE-2019-19246 | Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c. | MEDIUM | Nov 25, 2019 | n/a |
CVE-2019-19245 | NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication SQL Injection via the /elegant6/login LoginForm[username] field when double quotes are used. | HIGH | Dec 11, 2019 | n/a |
CVE-2019-19244 | sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage. | MEDIUM | Nov 25, 2019 | n/a |
CVE-2019-19242 | SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c. | MEDIUM | Nov 27, 2019 | n/a |
CVE-2019-19241 | In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context. | MEDIUM | Dec 20, 2019 | n/a |
CVE-2019-19240 | Embedthis GoAhead before 5.0.1 mishandles redirected HTTP requests with a large Host header. The GoAhead WebsRedirect uses a static host buffer that has a limited length and can overflow. This can cause a copy of the Host header to fail, leaving that buffer uninitialized, which may leak uninitialized data in a response. | MEDIUM | Nov 22, 2019 | n/a |
CVE-2019-19235 | AsLdrSrv.exe in ASUS ATK Package before V1.0.0061 (for Windows 10 notebook PCs) could lead to unsigned code execution with no additional execution. The user must put an application at a particular path, with a particular file name. | MEDIUM | Dec 18, 2019 | n/a |
CVE-2019-19234 | In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to log in via other means (ssh key, Kerberos, etc.). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash. | MEDIUM | Dec 19, 2019 | n/a |
CVE-2019-19232 | In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions. | MEDIUM | Dec 19, 2019 | n/a |
CVE-2019-19231 | An insecure file access vulnerability exists in CA Client Automation 14.0, 14.1, 14.2, and 14.3 Agent for Windows that can allow a local attacker to gain escalated privileges. | MEDIUM | Dec 21, 2019 | n/a |
CVE-2019-19230 | An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code. | HIGH | Dec 12, 2019 | n/a |
CVE-2019-19229 | admincgi-bin/service.fcgi on Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allows action=download&filename= Directory Traversal. | MEDIUM | Dec 4, 2019 | n/a |
CVE-2019-19228 | Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allow attackers to bypass authentication because the password for the today account is stored in the /tmp/web_users.conf file. | MEDIUM | Dec 4, 2019 | n/a |
CVE-2019-19227 | In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122. | LOW | Nov 22, 2019 | n/a |
CVE-2019-19226 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to enable or disable MAC address filtering by submitting a crafted Forms/WlanMacFilter_1 POST request without being authenticated on the admin interface. | MEDIUM | Mar 5, 2020 | n/a |
CVE-2019-19225 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to change DNS servers without being authenticated on the admin interface by submitting a crafted Forms/dns_1 POST request. | MEDIUM | Mar 5, 2020 | n/a |
CVE-2019-19224 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to download the configuration (binary file) settings by submitting a rom-0 GET request without being authenticated on the admin interface. | MEDIUM | Mar 5, 2020 | n/a |
CVE-2019-19223 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to reboot the router by submitting a reboot.html GET request without being authenticated on the admin interface. | HIGH | Mar 5, 2020 | n/a |
CVE-2019-19222 | A Stored XSS issue in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an authenticated attacker to inject arbitrary JavaScript code into the info.html administration page by sending a crafted Forms/wireless_autonetwork_1 POST request. | LOW | Mar 5, 2020 | n/a |
CVE-2019-19221 | In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive. | LOW | Nov 22, 2019 | n/a |
CVE-2019-19220 | BMC Control-M/Agent 7.0.00.000 allows OS Command Injection (issue 2 of 2). | HIGH | May 4, 2020 | n/a |
CVE-2019-19219 | BMC Control-M/Agent 7.0.00.000 allows Arbitrary File Download. | MEDIUM | May 5, 2020 | n/a |
CVE-2019-19218 | BMC Control-M/Agent 7.0.00.000 has Insecure Password Storage. | MEDIUM | Apr 30, 2020 | n/a |
CVE-2019-19217 | BMC Control-M/Agent 7.0.00.000 allows OS Command Injection. | HIGH | May 5, 2020 | n/a |
CVE-2019-19216 | BMC Control-M/Agent 7.0.00.000 has an Insecure File Copy. | HIGH | Apr 30, 2020 | n/a |
CVE-2019-19215 | A buffer overflow vulnerability in BMC Control-M/Agent 7.0.00.000 when the On-Do action destination is Mail and the Control-M/Agent is configured to send the email, allows remote attackers to have unspecified impact via vectors related to the configured IP address or SMTP server. | MEDIUM | Apr 30, 2020 | n/a |
CVE-2019-19214 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2019-19213 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2019-19212 | Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen). | HIGH | Mar 19, 2020 | n/a |
CVE-2019-19211 | Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php XSS. | MEDIUM | Mar 18, 2020 | n/a |
CVE-2019-19210 | Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files. | LOW | Mar 18, 2020 | n/a |
CVE-2019-19209 | Dolibarr ERP/CRM before 10.0.3 allows SQL Injection. | MEDIUM | Mar 18, 2020 | n/a |
CVE-2019-19208 | Codiad Web IDE through 2.8.4 allows PHP Code injection. | HIGH | Mar 18, 2020 | n/a |
CVE-2019-19207 | rConfig 3.9.2 allows devices.php?searchColumn= SQL injection. | MEDIUM | Nov 26, 2019 | n/a |
CVE-2019-19206 | Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture. | LOW | Nov 26, 2019 | n/a |
CVE-2019-19204 | An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read. | HIGH | Nov 22, 2019 | n/a |
CVE-2019-19203 | An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read. | HIGH | Nov 22, 2019 | n/a |