The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-14838 | A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server | MEDIUM | Oct 17, 2019 |
| CVE-2019-14837 | A flaw was found in keycloack before version 8.0.0. The owner of \'placeholder.org\' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name \'test\' the email address will be \'service-account-test@placeholder.org\'. | MEDIUM | Jan 15, 2020 |
| CVE-2019-14836 | A vulnerability was found that the 3scale dev portal does not employ mechanisms for protection against login CSRF. An attacker could use this flaw to access unauthorized information or conduct further attacks. | MEDIUM | May 26, 2021 |
| CVE-2019-14835 | A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel\'s vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host. | High | Sep 19, 2019 |
| CVE-2019-14834 | A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation. | MEDIUM | Jan 8, 2020 |
| CVE-2019-14833 | A flaw was found in Samba, all versions starting samba 4.5.0 before samba 4.9.15, samba 4.10.10, samba 4.11.2, in the way it handles a user password change or a new password for a samba user. The Samba Active Directory Domain Controller can be configured to use a custom script to check for password complexity. This configuration can fail to verify password complexity when non-ASCII characters are used in the password, which could lead to weak passwords being set for samba users, making it vulnerable to dictionary attacks. | MEDIUM | Nov 14, 2019 |
| CVE-2019-14832 | A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks. | MEDIUM | Oct 18, 2019 |
| CVE-2019-14831 | A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum\'s subscription mode was set to forced subscription, the forum\'s subscribe link contained an open redirect. | MEDIUM | Mar 20, 2021 |
| CVE-2019-14830 | A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user\'s mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is via the app). | MEDIUM | Mar 20, 2021 |
| CVE-2019-14829 | A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode. | MEDIUM | Mar 20, 2021 |
| CVE-2019-14828 | A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role. | MEDIUM | Mar 20, 2021 |
| CVE-2019-14827 | A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions. | MEDIUM | May 17, 2021 |
| CVE-2019-14826 | A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session. | LOW | Oct 9, 2019 |
| CVE-2019-14825 | A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users. | MEDIUM | Nov 25, 2019 |
| CVE-2019-14824 | A flaw was found in the \'deref\' plugin of 389-ds-base where it could use the \'search\' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes. | LOW | Nov 13, 2019 |
| CVE-2019-14823 | A flaw was found in the Leaf and Chain OCSP policy implementation in JSS\' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle. | MEDIUM | Oct 25, 2019 |
| CVE-2019-14822 | A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user. | LOW | Nov 25, 2019 |
| CVE-2019-14821 | An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel\'s KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer \'struct kvm_coalesced_mmio\' object, wherein write indices \'ring->first\' and \'ring->last\' value could be supplied by a host user-space process. An unprivileged host user or process with access to \'/dev/kvm\' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system. | High | Sep 23, 2019 |
| CVE-2019-14820 | It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. | MEDIUM | Jan 8, 2020 |
| CVE-2019-14819 | A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints. | MEDIUM | Jan 10, 2020 |
| CVE-2019-14818 | A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x.x before 16.11.10, 18.x.x before 18.11.4 and 19.x.x before 19.08.1 where a malicious master, or a container with access to vhost_user socket, can send specially crafted VRING_SET_NUM messages, resulting in a memory leak including file descriptors. This flaw could lead to a denial of service condition. | MEDIUM | Nov 14, 2019 |
| CVE-2019-14817 | A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. | Medium | Sep 9, 2019 |
| CVE-2019-14816 | There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code. | High | Sep 24, 2019 |
| CVE-2019-14815 | A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params() function of Marvell Wifi Driver. | HIGH | Nov 25, 2019 |
| CVE-2019-14814 | There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code. | High | Sep 24, 2019 |
| CVE-2019-14813 | A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. | High | Sep 9, 2019 |
| CVE-2019-14812 | A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. | MEDIUM | Nov 27, 2019 |
| CVE-2019-14811 | A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. | Medium | Sep 9, 2019 |
| CVE-2019-14810 | A vulnerability has been found in the implementation of the Label Distribution Protocol (LDP) protocol in EOS. Under race conditions, the LDP agent can establish an LDP session with a malicious peer potentially allowing the possibility of a Denial of Service (DoS) attack on route updates and in turn potentially leading to an Out of Memory (OOM) condition that is disruptive to traffic forwarding. Affected EOS versions include: 4.22 release train: 4.22.1F and earlier releases 4.21 release train: 4.21.0F - 4.21.2.3F, 4.21.3F - 4.21.7.1M 4.20 release train: 4.20.14M and earlier releases 4.19 release train: 4.19.12M and earlier releases End of support release trains (4.18 and 4.17) | MEDIUM | Oct 21, 2019 |
| CVE-2019-14809 | net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. | High | Aug 24, 2019 |
| CVE-2019-14808 | An issue was discovered in the RENPHO application 3.0.0 for iOS. It transmits JSON data unencrypted to a server without an integrity check, if a user changes personal data in his profile tab (e.g., exposure of his birthday) or logs into his account (i.e., exposure of credentials). | MEDIUM | Oct 18, 2019 |
| CVE-2019-14807 | In the MobileFrontend extension 1.31 through 1.33 for MediaWiki, XSS exists within the edit summary field in includes/specials/MobileSpecialPageFeed.php. | MEDIUM | Sep 25, 2019 |
| CVE-2019-14806 | Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. | MEDIUM | Aug 14, 2019 |
| CVE-2019-14805 | studio/builder_menu.php?page=sets in UNA 10.0.0-RC1 allows XSS via the System Name field under Sets during set editing. | LOW | Aug 14, 2019 |
| CVE-2019-14804 | studio/polyglot.php?page=etemplates in UNA 10.0.0-RC1 allows XSS via the System Name field under Emails during template editing. | LOW | Aug 14, 2019 |
| CVE-2019-14802 | HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template. | -- | Dec 27, 2022 |
| CVE-2019-14801 | The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection. | HIGH | Aug 14, 2019 |
| CVE-2019-14800 | The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplayer&fv-email-export=1 URI. | MEDIUM | Aug 21, 2019 |
| CVE-2019-14799 | The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS. | MEDIUM | Aug 23, 2019 |
| CVE-2019-14798 | The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter. | MEDIUM | Aug 14, 2019 |
| CVE-2019-14797 | The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS. | LOW | Aug 14, 2019 |
| CVE-2019-14796 | The mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products Price Bulk Edit) plugin 2.0 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=update_options show_products_page_limit parameter. | LOW | Aug 20, 2019 |
| CVE-2019-14795 | The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress has XSS via the wp-admin/admin-ajax.php?action=update_title_options isAutoSaveValveChecked or isDisableAllPagesValveChecked parameter. | LOW | Aug 21, 2019 |
| CVE-2019-14794 | The Meta Box plugin before 4.16.2 for WordPress mishandles the uploading of files to custom folders. | MEDIUM | Aug 14, 2019 |
| CVE-2019-14793 | The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id parameter. | MEDIUM | Aug 14, 2019 |
| CVE-2019-14792 | The WP Google Maps plugin before 7.11.35 for WordPress allows XSS via the wp-admin/ rectangle_name or rectangle_opacity parameter. | LOW | Aug 14, 2019 |
| CVE-2019-14791 | The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter. | MEDIUM | Aug 14, 2019 |
| CVE-2019-14790 | The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS via the wp-admin/admin-ajax.php?action=grsGalleryAjax&grsAction=shortcode task parameter, | MEDIUM | Aug 21, 2019 |
| CVE-2019-14789 | The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin/admin.php?page=c4p-main page parameter. | MEDIUM | Aug 20, 2019 |
| CVE-2019-14788 | wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value. | MEDIUM | Aug 22, 2019 |
