The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-13228 | deepin-clone before 1.1.3 uses a fixed path /tmp/repo.iso in the BootDoctor::fix() function to download an ISO file, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. By winning a race condition to replace the /tmp/repo.iso symlink by an attacker controlled ISO file, further privilege escalation may be possible. | MEDIUM | Jul 11, 2019 | n/a |
| CVE-2019-13227 | In GUI mode, deepin-clone before 1.1.3 creates a log file at the fixed path /tmp/.deepin-clone.log as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. | MEDIUM | Jul 10, 2019 | n/a |
| CVE-2019-13226 | deepin-clone before 1.1.3 uses a predictable path /tmp/.deepin-clone/mount/<block-dev-basename> in the Helper::temporaryMountDevice() function to temporarily mount a file system as root. An unprivileged user can prepare a symlink at this location to have the file system mounted in an arbitrary location. By winning a race condition, the attacker can also enter the mount point, thereby preventing a subsequent unmount of the file system. | MEDIUM | Jul 10, 2019 | n/a |
| CVE-2019-13225 | A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. | Medium | Jul 11, 2019 | n/a |
| CVE-2019-13224 | A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. | High | Jul 11, 2019 | n/a |
| CVE-2019-13223 | A reachable assertion in the lookup1_values function in stb_vorbis through2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file. | MEDIUM | Aug 20, 2019 | n/a |
| CVE-2019-13222 | An out-of-bounds read of a global buffer in the draw_line function in stb_vorbis through2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file. | MEDIUM | Aug 20, 2019 | n/a |
| CVE-2019-13221 | A stack buffer overflow in the compute_codewords function in stb_vorbis through2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file. | MEDIUM | Aug 20, 2019 | n/a |
| CVE-2019-13220 | Use of uninitialized stack variables in the start_decoder function in stb_vorbis through2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file. | MEDIUM | Aug 20, 2019 | n/a |
| CVE-2019-13219 | A NULL pointer dereference in the get_window function in stb_vorbis through2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file. | MEDIUM | Aug 20, 2019 | n/a |
| CVE-2019-13218 | Division by zero in the predict_point function in stb_vorbis through2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file. | MEDIUM | Aug 20, 2019 | n/a |
| CVE-2019-13217 | A heap buffer overflow in the start_decoder function in stb_vorbis through2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file. | MEDIUM | Aug 20, 2019 | n/a |
| CVE-2019-13209 | Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster\'s Kubernetes API with the permissions and identity of the victim. | MEDIUM | Sep 6, 2019 | n/a |
| CVE-2019-13208 | WavesSysSvc in Waves MAXX Audio allows privilege escalation because the General registry key has Full Control access for the Users group, leading to DLL side loading. This affects WavesSysSvc64.exe 1.9.29.0. | MEDIUM | Jul 9, 2019 | n/a |
| CVE-2019-13207 | nsd-checkzone in NLnet Labs NSD 4.2.0 has a Stack-based Buffer Overflow in the dname_concatenate() function in dname.c. | HIGH | Jul 11, 2019 | n/a |
| CVE-2019-13206 | Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were affected by a buffer overflow vulnerability in multiple parameters of the Document Boxes functionality of the web application that would allow an authenticated attacker to perform a Denial of Service attack, crashing the device, or potentially execute arbitrary code on the device. | HIGH | Mar 18, 2020 | n/a |
| CVE-2019-13205 | All configuration parameters of certain Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were accessible by unauthenticated users. This information was only presented in the menus when authenticated, and the pages that loaded this information were also protected. However, all files that contained the configuration parameters were accessible. These files contained sensitive information, such as users, community strings, and other passwords configured in the printer. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-13204 | Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were affected by multiple buffer overflow vulnerabilities in the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS), and potentially execute arbitrary code on the device. | HIGH | Mar 18, 2020 | n/a |
| CVE-2019-13203 | Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were affected by an integer overflow vulnerability in the arg3 parameter of several functionalities of the web application that would allow an authenticated attacker to perform a Denial of Service attack, crashing the device, or potentially execute arbitrary code on the device. | HIGH | Mar 18, 2020 | n/a |
| CVE-2019-13202 | Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were affected by a buffer overflow vulnerability in the okhtmlfile and failhtmlfile parameters of several functionalities of the web application that would allow an unauthenticated attacker to perform a Denial of Service attack, crashing the device, or potentially execute arbitrary code on the device. | HIGH | Mar 18, 2020 | n/a |
| CVE-2019-13201 | Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were affected by a buffer overflow vulnerability in the LPD service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) in the LPD service and potentially execute arbitrary code on the device. | HIGH | Mar 18, 2020 | n/a |
| CVE-2019-13200 | The web application of several Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) was affected by Reflected XSS. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions. | MEDIUM | Mar 18, 2020 | n/a |
| CVE-2019-13199 | Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) did not implement any mechanism to avoid CSRF. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device. | MEDIUM | Mar 18, 2020 | n/a |
| CVE-2019-13198 | The web application of several Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) was affected by Stored XSS. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-13197 | Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were affected by a buffer overflow vulnerability in the URI paths of the web application that would allow an unauthenticated attacker to perform a Denial of Service attack, crashing the device, or potentially execute arbitrary code on the device. | HIGH | Mar 18, 2020 | n/a |
| CVE-2019-13196 | Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were affected by a buffer overflow vulnerability in the arg4 and arg9 parameters of several functionalities of the web application that would allow an authenticated attacker to perform a Denial of Service attack, crashing the device, or potentially execute arbitrary code on the device. | HIGH | Mar 18, 2020 | n/a |
| CVE-2019-13195 | The web application of some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) was vulnerable to path traversal, allowing an unauthenticated user to retrieve arbitrary files, or check if files or folders existed within the file system. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-13194 | Some Brother printers (such as the HL-L8360CDW v1.20) were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user who visits a specific URL. | MEDIUM | Mar 19, 2020 | n/a |
| CVE-2019-13193 | Some Brother printers (such as the HL-L8360CDW v1.20) were affected by a stack buffer overflow vulnerability as the web server did not parse the cookie value properly. This would allow an attacker to execute arbitrary code on the device. | HIGH | Mar 19, 2020 | n/a |
| CVE-2019-13192 | Some Brother printers (such as the HL-L8360CDW v1.20) were affected by a heap buffer overflow vulnerability as the IPP service did not parse attribute names properly. This would allow an attacker to execute arbitrary code on the device. | HIGH | Mar 19, 2020 | n/a |
| CVE-2019-13191 | A SQL injection vulnerability in IntraMaps MapControl 8 allows attackers to execute arbitrary SQL commands via the /ApplicationEngine/Search/Refine/Set page. | MEDIUM | Sep 5, 2019 | n/a |
| CVE-2019-13190 | In Knowage through 6.1.1, the sign up page does not invalidate a valid CAPTCHA token. This allows for CAPTCHA bypass in the signup page. | MEDIUM | Sep 6, 2019 | n/a |
| CVE-2019-13189 | In Knowage through 6.1.1, there is XSS via the start_url or user_id field to the ChangePwdServlet page. | MEDIUM | Aug 29, 2019 | n/a |
| CVE-2019-13188 | In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application. | MEDIUM | Sep 5, 2019 | n/a |
| CVE-2019-13187 | The Rich Text Formatter (Redactor) extension through v1.1.1 for Symphony CMS has an Unauthenticated arbitrary file upload vulnerability in content.fileupload.php and content.imageupload.php. | HIGH | Sep 6, 2019 | n/a |
| CVE-2019-13186 | In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the tags box. An attacker can use it to get a user\'s cookie. This is different from CVE-2018-10296, CVE-2018-16233, and CVE-2018-20520. | MEDIUM | Jul 10, 2019 | n/a |
| CVE-2019-13183 | Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings. | MEDIUM | Jul 9, 2019 | n/a |
| CVE-2019-13182 | A stored cross-site scripting (XSS) vulnerability exists in the web UI of SolarWinds Serv-U FTP Server 15.1.7. | LOW | Dec 18, 2019 | n/a |
| CVE-2019-13181 | A CSV injection vulnerability exists in the web UI of SolarWinds Serv-U FTP Server v15.1.7. | MEDIUM | Dec 19, 2019 | n/a |
| CVE-2019-13179 | Calamares versions 3.1 through 3.2.10 copies a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600 owned by root) to /boot within a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption. | MEDIUM | Jul 15, 2019 | n/a |
| CVE-2019-13178 | modules/luksbootkeyfile/main.py in Calamares versions 3.1 through 3.2.10 has a race condition between the time when the LUKS encryption keyfile is created and when secure permissions are set. | MEDIUM | Jul 12, 2019 | n/a |
| CVE-2019-13177 | verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument. | HIGH | Jul 12, 2019 | n/a |
| CVE-2019-13176 | An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS). | MEDIUM | Aug 28, 2019 | n/a |
| CVE-2019-13175 | Read the Docs before 3.5.1 has an Open Redirect if certain user-defined redirects are used. This affects private instances of Read the Docs (in addition to the public readthedocs.org web sites). | -- | Jul 3, 2019 | n/a |
| CVE-2019-13173 | fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system\'s file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable. | MEDIUM | Aug 13, 2019 | n/a |
| CVE-2019-13172 | Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the Authentication Cookie of the web application that would allow an attacker to execute arbitrary code on the device. | HIGH | Mar 18, 2020 | n/a |
| CVE-2019-13171 | Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by one or more stack-based buffer overflow vulnerabilities in the Google Cloud Print implementation that would allow an unauthenticated attacker to execute arbitrary code on the device. This was caused by an insecure handling of the register parameters, because the size used within a memcpy() function, which copied the action value into a local variable, was not checked properly. | HIGH | Mar 18, 2020 | n/a |
| CVE-2019-13170 | Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement any mechanism to avoid CSRF attacks. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device. | MEDIUM | Mar 17, 2020 | n/a |
| CVE-2019-13169 | Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the Content-Type HTTP Header of the web application that would allow an attacker to execute arbitrary code on the device. | HIGH | Mar 18, 2020 | n/a |
| CVE-2019-13168 | Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the attributes parser of the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device. | HIGH | Mar 18, 2020 | n/a |
