Skip to main content
CVE-2019-11839 CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.push after a resize, related to njs_array_prototype_push in njs/njs_array.c, because of njs_array_expand size. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Memory Corruption Njs
NVD GitHub
CVSS 3.0
9.8
EPSS
1.6%
CVE-2019-11838 CRITICAL POC Act Now

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.splice after a resize, related to njs_array_prototype_splice in njs/njs_array.c, because of njs_array_expand size. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Nginx Memory Corruption Njs
NVD GitHub
CVSS 3.0
9.8
EPSS
1.6%
CVE-2019-11353 CRITICAL POC Act Now

The EnGenius EWS660AP router with firmware 2.0.284 allows an attacker to execute arbitrary commands using the built-in ping and traceroute utilities by using different payloads and injecting multiple. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ews660Ap Firmware
NVD
CVSS 3.0
9.8
EPSS
3.1%
CVE-2019-11835 CRITICAL POC PATCH Act Now

cJSON before 1.7.11 allows out-of-bounds access, related to multiline comments. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Cjson Timesten In Memory Database
NVD GitHub
CVSS 3.1
9.8
EPSS
2.6%
CVE-2019-11834 CRITICAL POC PATCH Act Now

cJSON before 1.7.11 allows out-of-bounds access, related to \x00 in a string literal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Cjson Timesten In Memory Database
NVD GitHub
CVSS 3.1
9.8
EPSS
2.5%
CVE-2019-7652 HIGH POC This Week

TheHive Project UnshortenLink analyzer before 1.1, included in Cortex-Analyzers before 1.15.2, has SSRF. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Cortex Analyzers
NVD Exploit-DB
CVSS 3.0
7.7
EPSS
5.2%
CVE-2019-7181 HIGH POC This Week

Buffer Overflow vulnerability in myQNAPcloud Connect 1.3.3.0925 and earlier could allow remote attackers to crash the program. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Myqnapcloud
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
9.8%
CVE-2019-11837 HIGH POC This Week

njs through 0.3.1, used in NGINX, has a segmentation fault in String.prototype.toBytes for negative arguments, related to nxt_utf8_next in nxt/nxt_utf8.h and njs_string_offset in njs/njs_string.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Njs
NVD GitHub
CVSS 3.0
7.5
EPSS
1.4%
CVE-2019-11869 MEDIUM POC This Month

The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Yuzo
NVD
CVSS 3.0
6.1
EPSS
5.3%
CVE-2019-6548 CRITICAL Act Now

GE Communicator, all versions prior to 4.0.517, contains two backdoor accounts with hardcoded credentials, which may allow control over the database. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Ge Communicator
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2019-11831 CRITICAL PATCH Act Now

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Deserialization Pharstreamwrapper Debian Linux Fedora +2
NVD GitHub
CVSS 3.1
9.8
EPSS
5.6%
CVE-2019-11830 CRITICAL PATCH Act Now

PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Pharstreamwrapper
NVD GitHub
CVSS 3.0
9.8
EPSS
2.7%
CVE-2019-4071 HIGH This Week

IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) could allow a remote attacker to execute arbitrary commands on the system, caused by improper. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Spectrum Control Tivoli Storage Productivity Center
NVD
CVSS 3.1
8.8
EPSS
4.3%
CVE-2019-11836 MEDIUM POC This Month

The Rediffmail (aka com.rediff.mail.and) application 2.2.6 for Android has cleartext mail content in file storage, persisting after a logout. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Information Disclosure Rediffmail
NVD
CVSS 3.0
4.6
EPSS
0.3%
CVE-2019-6566 HIGH This Week

GE Communicator, all versions prior to 4.0.517, allows a non-administrative user to replace the uninstaller with a malicious version, which could allow an attacker to gain administrator privileges to. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Ge Communicator
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2019-6564 HIGH This Week

GE Communicator, all versions prior to 4.0.517, allows a non-administrative user to place malicious files within the installer file directory, which may allow an attacker to gain administrative. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ge Communicator
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2019-6546 HIGH This Week

GE Communicator, all versions prior to 4.0.517, allows an attacker to place malicious files within the working directory of the program, which may allow an attacker to manipulate widgets and UI. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ge Communicator
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2019-9847 HIGH This Week

A vulnerability in LibreOffice hyperlink processing allows an attacker to construct documents containing hyperlinks pointing to the location of an executable on the target users file system. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Apple Information Disclosure Libreoffice
NVD
CVSS 3.0
7.8
EPSS
1.0%
CVE-2019-11842 HIGH PATCH This Week

An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sydent Synapse
NVD
CVSS 3.0
7.5
EPSS
1.8%
CVE-2019-11832 HIGH PATCH This Week

TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Typo3
NVD
CVSS 3.0
7.5
EPSS
3.9%
CVE-2019-11840 MEDIUM PATCH This Month

An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Crypto Debian Linux
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
2.1%
CVE-2019-4072 MEDIUM This Month

IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) allows users to remain idle within the application even when a user has logged out. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Information Disclosure Spectrum Control Tivoli Storage Productivity Center
NVD
CVSS 3.1
6.3
EPSS
0.8%
CVE-2019-11870 MEDIUM This Month

Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/media_choose.tpl Editor Preview feature or the templates/2k11/admin/media_items.tpl Media Library feature. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Serendipity
NVD GitHub
CVSS 3.0
6.1
EPSS
1.3%
CVE-2019-1568 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Palo Alto Networks Demisto 4.5 build 40249 may allow an unauthenticated attacker to run arbitrary JavaScript or HTML. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Paloalto XSS Demisto
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2019-11323 MEDIUM This Month

HAProxy before 1.9.7 mishandles a reload with rotated keys, which triggers use of uninitialized, and very predictable, HMAC keys. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Haproxy
NVD
CVSS 3.1
5.9
EPSS
1.2%
CVE-2019-6544 MEDIUM This Month

GE Communicator, all versions prior to 4.0.517, has a service running with system privileges that may allow an unprivileged user to perform certain administrative actions, which may allow the. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Microsoft Ge Communicator
NVD
CVSS 3.1
5.6
EPSS
1.2%
CVE-2019-11820 MEDIUM This Month

Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Synology Information Disclosure Calendar
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2019-0226 MEDIUM PATCH This Month

Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Apache Karaf
NVD
CVSS 3.0
4.9
EPSS
1.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy