Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2019-16977 In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 | MEDIUM | β | 0 |
| CVE-2019-17093 An issue was discovered in Avast antivirus before 19.8 and AVG antivirus before 19.8. A DLL Preloading vulnerability allows an attacker to implant %WINDIR%\system32\wbemcomn.dll, which is loaded into ... | 7.8 | HIGH | β | 0 |
| CVE-2019-17606 The Post editor functionality in the hexo-admin plugin versions 2.3.0 and earlier for Node.js is vulnerable to stored XSS via the content of a post. | 6.1 | MEDIUM | β | 0 |
| CVE-2019-18348 An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the firs... | 6.1 | MEDIUM | β | 0 |
| CVE-2002-2439 Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts. | 7.8 | HIGH | β | 0 |
| CVE-2014-2304 A vulnerability in version 0.90 of the Open Floodlight SDN controller software could result in a denial of service attack and crashing of the controller service. This effect is the result of a flaw in... | 7.5 | HIGH | β | 0 |
| CVE-2019-18350 In Ant Design Pro 4.0.0, reflected XSS in the user/login redirect GET parameter affects the authorization component, leading to execution of JavaScript code in the login after-action script. | 6.1 | MEDIUM | β | 0 |
| CVE-2019-9596 Darktrace Enterprise Immune System before 3.1 allows CSRF via the /whitelisteddomains endpoint. | 6.5 | MEDIUM | β | 0 |
| CVE-2019-9597 Darktrace Enterprise Immune System before 3.1 allows CSRF via the /config endpoint. | 6.5 | MEDIUM | β | 0 |
| CVE-2019-12415 In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local files... | 5.5 | MEDIUM | β | 0 |
| CVE-2019-18359 A buffer over-read was discovered in ReadMP3APETag in apetag.c in MP3Gain 1.6.2. The vulnerability causes an application crash, which leads to remote denial of service. | 5.5 | MEDIUM | β | 0 |
| CVE-2019-18393 PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability. | 5.3 | MEDIUM | β | 0 |
| CVE-2019-18370 An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. The backup file is in tar.gz format. After uploading, the application uses the tar zxf command to decompress, so one can co... | 9.8 | CRITICAL | β | 0 |
| CVE-2019-18371 An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by ap... | 7.5 | HIGH | β | 0 |
| CVE-2019-18382 An issue was discovered on AVStar PE204 3.10.70 IP camera devices. A denial of service can occur on open TCP port 23456. After a TELNET connection, no TCP ports are open. | 7.5 | HIGH | β | 0 |
| CVE-2019-18383 An issue was discovered on TerraMaster FS-210 4.0.19 devices. One can download backup files remotely from terramaster_TNAS-00E43A_config_backup.bin without permission. | 7.5 | HIGH | β | 0 |
| CVE-2019-18384 An issue was discovered on TerraMaster FS-210 4.0.19 devices. An authenticated remote non-administrative user can read unauthorized shared files, as demonstrated by the filename=*public*%25252Fadmin_O... | 6.5 | MEDIUM | β | 0 |
| CVE-2019-18385 An issue was discovered on TerraMaster FS-210 4.0.19 devices. An unauthenticated attacker can download log files via the include/makecvs.php?Event= substring. | 7.5 | HIGH | β | 0 |
| CVE-2019-8236 Creative Cloud Desktop Application version 4.6.1 and earlier versions have Security Bypass vulnerability. Successful exploitation could lead to Privilege Escalation in the context of the current user. | 9.8 | CRITICAL | β | 0 |
| CVE-2019-8237 Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and ear... | 9.8 | CRITICAL | β | 0 |
| CVE-2019-8238 Adobe Acrobat and Reader versions 2019.010.20100 and earlier; 2019.010.20099 and earlier versions; 2017.011.30140 and earlier version; 2017.011.30138 and earlier version; 2015.006.30495 and earlier ve... | 7.5 | HIGH | β | 0 |
| CVE-2019-18212 XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote a... | 6.5 | MEDIUM | β | 0 |
| CVE-2019-18213 XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with ... | 8.8 | HIGH | β | 0 |
| CVE-2019-18387 Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit pa... | 9.8 | CRITICAL | β | 0 |
| CVE-2019-18394 A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. | 9.8 | CRITICAL | β | 0 |
| CVE-2019-4397 IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.9 and 2.4 through 2.4.0.5 stores sensitive information in URL parameters. This may lead to information disclosure if unau... | 6.5 | MEDIUM | β | 0 |
| CVE-2019-4398 IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.9 and 2.4 through 2.4.0.5 could allow a local user to obtain sensitive information from SessionManagement cookies. IBM X-... | 3.3 | LOW | β | 0 |
| CVE-2019-4459 IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.9 and 2.4 through 2.4.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaS... | 5.4 | MEDIUM | β | 0 |
| CVE-2019-4486 IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potenti... | 5.4 | MEDIUM | β | 0 |
| CVE-2019-15703 An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to th... | 7.5 | HIGH | β | 0 |
| CVE-2019-17581 tonyy dormsystem through 1.3 allows DOM XSS. | 6.1 | MEDIUM | β | 0 |
| CVE-2019-18199 An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, and because of password-based authentication, they are ... | 6.6 | MEDIUM | β | 0 |
| CVE-2019-18408 archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol. | 7.5 | HIGH | β | 0 |
| CVE-2019-18409 The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local privilege escalation because of world-writable files. For example, if the brakeman gem (which has a legacy dependency) 4.5.0 through... | 7.8 | HIGH | β | 0 |
| CVE-2019-6692 A malicious DLL preload vulnerability in Fortinet FortiClient for Windows 6.2.0 and below allows a privileged attacker to perform arbitrary code execution via forging that DLL. | 7.8 | HIGH | β | 0 |
| CVE-2019-18415 Sourcecodester Restaurant Management System 1.0 allows XSS via the "send a message" screen. | 6.1 | MEDIUM | β | 0 |
| CVE-2019-12017 A remote code execution vulnerability exists in MapR CLDB code, specifically in the JSON framework that is used in the CLDB code that handles login and ticket issuance. An attacker can use the 'class'... | 9.8 | CRITICAL | β | 0 |
| CVE-2019-13649 TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow externalPort OS Command Injection (issue 1 of 5). | 9.8 | CRITICAL | β | 0 |
| CVE-2019-13650 TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow internalPort OS Command Injection (issue 2 of 5). | 9.8 | CRITICAL | β | 0 |
| CVE-2019-13651 TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow portMappingProtocol OS Command Injection (issue 3 of 5). | 9.8 | CRITICAL | β | 0 |
| CVE-2019-13652 TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow serviceName OS Command Injection (issue 4 of 5). | 9.8 | CRITICAL | β | 0 |
| CVE-2019-13653 TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow triggerPort OS Command Injection (issue 5 of 5). | 9.8 | CRITICAL | β | 0 |
| CVE-2019-18200 An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, they are prone to keystroke injection attacks. | 9.8 | CRITICAL | β | 0 |
| CVE-2019-18201 An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, an attacker is able to eavesdrop on sensitive data such... | 7.5 | HIGH | β | 0 |
| CVE-2019-11021 admin/app/mediamanager in Schlix CMS 2.1.8-7 allows Authenticated Unrestricted File Upload, leading to remote code execution. NOTE: "While inadvertently allowing a PHP file to be uploaded via Media Ma... | 7.2 | HIGH | β | 0 |
| CVE-2019-15929 In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them. | 9.8 | CRITICAL | β | 0 |
| CVE-2019-18196 A DLL side loading vulnerability in the Windows Service in TeamViewer versions up to 11.0.133222 (fixed in 11.0.214397), 12.0.181268 (fixed in 12.0.214399), 13.2.36215 (fixed in 13.2.36216), and 14.6.... | 6.7 | MEDIUM | β | 0 |
| CVE-2019-5012 An exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the startProcess command. The command takes a user-supplied script argument and... | 7.8 | HIGH | β | 0 |
| CVE-2019-5013 An exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the start/stopLaunchDProcess command. The command takes a user-supplied string ... | 7.8 | HIGH | β | 0 |
| CVE-2019-9282 In skia, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is need... | 6.5 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.