The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-1020019 | invenio-previewer before 1.0.0a12 allows XSS. | MEDIUM | Jul 31, 2019 |
| CVE-2019-1020018 | Discourse before v2.4.0.beta2 lacks a confirmation screen when logging in via an email link. | HIGH | Aug 1, 2019 |
| CVE-2019-1020017 | Discourse before v2.4.0.beta2 lacks a confirmation screen when logging in via a user-api OTP. | MEDIUM | Aug 1, 2019 |
| CVE-2019-1020016 | ASH-AIO before 2.0.0.3 allows an open redirect. | MEDIUM | Aug 1, 2019 |
| CVE-2019-1020015 | graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT. | MEDIUM | Aug 5, 2019 |
| CVE-2019-1020014 | docker-credential-helpers before 0.6.3 has a double free in the List functions. | LOW | Aug 5, 2019 |
| CVE-2019-1020013 | parse-server before 3.6.0 allows account enumeration. | MEDIUM | Aug 1, 2019 |
| CVE-2019-1020012 | parse-server before 3.4.1 allows DoS after any POST to a volatile class. | MEDIUM | Aug 2, 2019 |
| CVE-2019-1020011 | SmokeDetector intentionally does automatic deployments of updated copies of SmokeDetector without server operator authority. | MEDIUM | Aug 5, 2019 |
| CVE-2019-1020010 | Misskey before 10.102.4 allows hijacking a user\'s token. | MEDIUM | Aug 5, 2019 |
| CVE-2019-1020009 | Fleet before 2.1.2 allows exposure of SMTP credentials. | MEDIUM | Jul 31, 2019 |
| CVE-2019-1020008 | stacktable.js before 1.0.4 allows XSS. | MEDIUM | Jul 31, 2019 |
| CVE-2019-1020007 | Dependency-Track before 3.5.1 allows XSS. | LOW | Jul 30, 2019 |
| CVE-2019-1020006 | invenio-app before 1.1.1 allows host header injection. | MEDIUM | Aug 1, 2019 |
| CVE-2019-1020005 | invenio-communities before 1.0.0a20 allows XSS. | LOW | Aug 1, 2019 |
| CVE-2019-1020004 | Tridactyl before 1.16.0 allows fake key events. | MEDIUM | Aug 1, 2019 |
| CVE-2019-1020003 | invenio-records before 1.2.2 allows XSS. | LOW | Aug 1, 2019 |
| CVE-2019-1020002 | Pterodactyl before 0.7.14 with 2FA allows credential sniffing. | MEDIUM | Jul 31, 2019 |
| CVE-2019-1020001 | yard before 0.9.20 allows path traversal. | MEDIUM | Jul 29, 2019 |
| CVE-2019-1010319 | WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseWave64HeaderConfig (wave64.c:211). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe. | MEDIUM | Jul 11, 2019 |
| CVE-2019-1010318 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-11498. Reason: This candidate is a reservation duplicate of CVE-2019-11498. Notes: All CVE users should reference CVE-2019-11498 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Jul 14, 2019 |
| CVE-2019-1010317 | WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b. | MEDIUM | Jul 11, 2019 |
| CVE-2019-1010316 | pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. The impact is: False locking impression when run in a non-X11 session. The fixed version is: 0.4. | MEDIUM | Jul 14, 2019 |
| CVE-2019-1010315 | WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc. | MEDIUM | Jul 11, 2019 |
| CVE-2019-1010314 | Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim\'s browser, when the vulnerable repo page is loaded. The component is: repository\'s description. The attack vector is: victim must navigate to public and affected repo page. | MEDIUM | Jul 12, 2019 |
| CVE-2019-1010312 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-11455. Reason: This candidate is a reservation duplicate of CVE-2019-11455. Notes: All CVE users should reference CVE-2019-11455 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Jul 13, 2019 |
| CVE-2019-1010311 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-11454. Reason: This candidate is a reservation duplicate of CVE-2019-11454. Notes: All CVE users should reference CVE-2019-11454 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Jul 13, 2019 |
| CVE-2019-1010310 | GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description .. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1. | LOW | Jul 18, 2019 |
| CVE-2019-1010309 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-9686. Reason: This candidate is a reservation duplicate of CVE-2019-9686. Notes: All CVE users should reference CVE-2019-9686 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Jul 13, 2019 |
| CVE-2019-1010308 | Aquaverde GmbH Aquarius CMS prior to version 4.1.1 is affected by: Incorrect Access Control. The impact is: The access to the log file is not restricted. It contains sensitive information like passwords etc. The component is: log file. The attack vector is: open the file. | MEDIUM | Jul 22, 2019 |
| CVE-2019-1010307 | GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (XSS). The impact is: All dropdown values are vulnerable to XSS leading to privilege escalation and executing js on admin. The component is: /glpi/ajax/getDropDownValue.php. The attack vector is: 1- User Create a ticket , 2- Admin opens another ticket and click on the \"Link Tickets\" feature, 3- a request to the endpoint fetches js and executes it. | LOW | Jul 18, 2019 |
| CVE-2019-1010306 | Slanger 0.6.0 is affected by: Remote Code Execution (RCE). The impact is: A remote attacker can execute arbitrary commands by sending a crafted request to the server. The component is: Message handler & request validator. The attack vector is: Remote unauthenticated. The fixed version is: after commit 5267b455caeb2e055cccf0d2b6a22727c111f5c3. | HIGH | Jul 30, 2019 |
| CVE-2019-1010305 | libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. | MEDIUM | Jul 15, 2019 |
| CVE-2019-1010304 | Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop\'s revenue data. The fixed version is: 2.3.1. | MEDIUM | Jul 30, 2019 |
| CVE-2019-1010302 | jhead 3.03 is affected by: Incorrect Access Control. The impact is: Denial of service. The component is: iptc.c Line 122 show_IPTC(). The attack vector is: the victim must open a specially crafted JPEG file. | MEDIUM | Jul 17, 2019 |
| CVE-2019-1010301 | jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of service. The component is: gpsinfo.c Line 151 ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file. | MEDIUM | Jul 17, 2019 |
| CVE-2019-1010300 | mz-automation libiec61850 1.3.2 1.3.1 1.3.0 is affected by: Buffer Overflow. The impact is: Software crash. The component is: server_example_complex_array. The attack vector is: Send a specific MMS protocol packet. | MEDIUM | Jul 22, 2019 |
| CVE-2019-1010299 | The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to string or to log file. The component is: Debug trait implementation for std::collections::vec_deque::Iter. The attack vector is: The program needs to invoke debug printing for iterator over an empty VecDeque. The fixed version is: 1.30.0, nightly versions after commit b85e4cc8fadaabd41da5b9645c08c68b8f89908d. | MEDIUM | Jul 18, 2019 |
| CVE-2019-1010298 | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Code execution in the context of TEE core (kernel). The component is: optee_os. The fixed version is: 3.4.0 and later. | HIGH | Jul 16, 2019 |
| CVE-2019-1010297 | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Execution of code in TEE core (kernel) context. The component is: optee_os. The fixed version is: 3.4.0 and later. | HIGH | Jul 16, 2019 |
| CVE-2019-1010296 | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Code execution in context of TEE core (kernel). The component is: optee_os. The fixed version is: 3.4.0 and later. | HIGH | Jul 16, 2019 |
| CVE-2019-1010295 | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Memory corruption and disclosure of memory content. The component is: optee_os. The fixed version is: 3.4.0 and later. | HIGH | Jul 16, 2019 |
| CVE-2019-1010294 | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Rounding error. The impact is: Potentially leaking code and/or data from previous Trusted Application. The component is: optee_os. The fixed version is: 3.4.0 and later. | MEDIUM | Jul 16, 2019 |
| CVE-2019-1010293 | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Boundary crossing. The impact is: Memory corruption of the TEE itself. The component is: optee_os. The fixed version is: 3.4.0 and later. | HIGH | Jul 16, 2019 |
| CVE-2019-1010292 | Linaro/OP-TEE OP-TEE Prior to version v3.4.0 is affected by: Boundary checks. The impact is: This could lead to corruption of any memory which the TA can access. The component is: optee_os. The fixed version is: v3.4.0. | HIGH | Jul 22, 2019 |
| CVE-2019-1010290 | Babel: Multilingual site Babel All is affected by: Open Redirection. The impact is: Redirection to any URL, which is supplied to redirect.php in a \"newurl\" parameter. The component is: redirect.php. The attack vector is: The victim must open a link created by an attacker. Attacker may use any legitimate site using Babel to redirect user to a URL of his/her choosing. | MEDIUM | Jul 19, 2019 |
| CVE-2019-1010287 | Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via a \"redirect\" parameter. The component is: Web login form: login.php, lines 40 and 54. The attack vector is: reflected XSS, victim may click the malicious url. | MEDIUM | Jul 22, 2019 |
| CVE-2019-1010283 | Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure. The impact is: Loss of Confidentiality. The component is: function data_on_connection() in src/callback.c. The attack vector is: network connectivity. The fixed version is: 12.0.1-4 and later. | MEDIUM | Jul 22, 2019 |
| CVE-2019-1010279 | Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suricata/pull/3625/commits/d8634daf74c882356659addb65fb142b738a186b). The attack vector is: An attacker can trigger the vulnerability by a specifically crafted network TCP session. The fixed version is: 4.1.3. | MEDIUM | Jul 18, 2019 |
| CVE-2019-1010275 | helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2. | HIGH | Jul 24, 2019 |
