Skip to main content
CVE-2019-13475 HIGH POC This Week

In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Mobaxterm
NVD
CVSS 3.0
8.8
EPSS
4.1%
CVE-2019-13280 HIGH POC This Week

TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains a stack-based buffer overflow while returning an error message to the user about failure to resolve a hostname during a ping or. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Memory Corruption Tew 827Dru Firmware
NVD GitHub
CVSS 3.0
8.8
EPSS
2.1%
CVE-2019-13277 HIGH POC This Week

TRENDnet TEW-827DRU with firmware up to and including 2.04B03 allows an unauthenticated attacker to execute setup wizard functionality, giving this attacker the ability to change configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Tew 827Dru Firmware
NVD GitHub
CVSS 3.0
7.5
EPSS
1.5%
CVE-2019-13464 HIGH POC This Week

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Owasp Modsecurity Core Rule Set
NVD GitHub
CVSS 3.0
7.5
EPSS
1.5%
CVE-2019-13461 HIGH POC This Week

In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Prestashop
NVD
CVSS 3.0
7.5
EPSS
1.7%
CVE-2019-9149 MEDIUM POC This Month

Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Jwt Attack Information Disclosure Mailvelope
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2019-13454 MEDIUM POC PATCH This Month

ImageMagick 7.0.1-0 to 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Imagemagick Debian Linux Ubuntu Linux Leap
NVD GitHub
CVSS 3.1
6.5
EPSS
4.4%
CVE-2019-13450 MEDIUM POC This Month

In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apple Ringcentral Zoom
NVD
CVSS 3.0
6.5
EPSS
3.5%
CVE-2019-13449 MEDIUM POC This Month

In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Apple Zoom
NVD
CVSS 3.0
6.5
EPSS
2.0%
CVE-2019-13472 MEDIUM POC This Month

PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Phpwind
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2019-8920 MEDIUM POC This Month

iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Xampp
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2019-13478 CRITICAL Act Now

The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Yoast Seo
NVD GitHub
CVSS 3.1
9.8
EPSS
3.3%
CVE-2019-13470 CRITICAL Act Now

MatrixSSL before 4.2.1 has an out-of-bounds read during ASN.1 handling. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Matrixssl
NVD GitHub
CVSS 3.0
9.8
EPSS
1.6%
CVE-2019-11512 CRITICAL PATCH Act Now

Contao 4.x allows SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Contao
NVD
CVSS 3.0
9.8
EPSS
1.5%
CVE-2019-11991 CRITICAL Act Now

HPE has identified a vulnerability in HPE 3PAR Service Processor (SP) version 4.1 through 4.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure 3Par Service Processor Firmware
NVD
CVSS 3.0
9.8
EPSS
4.7%
CVE-2019-3950 CRITICAL Act Now

Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded username and password combination that allows root access to the device when an onboard serial interface is connected to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Vmb3010 Firmware Vmb4000 Firmware Vmb3500 Firmware Vmb4500 Firmware +1
NVD
CVSS 3.0
9.8
EPSS
1.7%
CVE-2019-3949 CRITICAL Act Now

Arlo Basestation firmware 1.12.0.1_27940 and prior firmware contain a networking misconfiguration that allows access to restricted network interfaces. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Vmb3010 Firmware Vmb4000 Firmware Vmb3500 Firmware Vmb4500 Firmware +1
NVD
CVSS 3.0
9.8
EPSS
1.2%
CVE-2019-13070 MEDIUM POC This Month

A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Powerpanel
NVD Exploit-DB
CVSS 3.0
5.4
EPSS
0.8%
CVE-2019-13146 MEDIUM POC PATCH This Month

The field_test gem 0.3.0 for Ruby has unvalidated input. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi XSS Field Test
NVD GitHub
CVSS 3.0
5.3
EPSS
1.4%
CVE-2019-12747 HIGH PATCH This Week

TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Typo3
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2019-9148 MEDIUM POC This Month

Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mailvelope
NVD GitHub
CVSS 3.1
4.3
EPSS
1.4%
CVE-2019-12782 HIGH This Week

An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Thoughtspot
NVD
CVSS 3.0
8.1
EPSS
1.1%
CVE-2019-13338 HIGH This Week

In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Growi
NVD GitHub
CVSS 3.0
7.5
EPSS
1.8%
CVE-2019-13337 HIGH This Week

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Growi
NVD GitHub
CVSS 3.0
7.5
EPSS
1.4%
CVE-2019-11020 HIGH This Week

Lack of authentication in file-viewing components in DDRT Dashcom Live 2019-05-09 allows anyone to remotely access all claim details by visiting easily guessable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Dashcom Live Firmware
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2019-11019 HIGH This Week

Lack of authentication in case-exporting components in DDRT Dashcom Live through 2019-05-08 allows anyone to remotely access all claim details by visiting easily guessable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass PHP Dashcom Live Firmware
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2019-11890 HIGH This Week

Sony Bravia Smart TV devices allow remote attackers to cause a denial of service (device hang or reboot) via a SYN flood attack over a wired or Wi-Fi LAN. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Bravia Firmware
NVD
CVSS 3.0
7.5
EPSS
4.4%
CVE-2019-11889 HIGH This Week

Sony BRAVIA Smart TV devices allow remote attackers to cause a denial of service (device hang) via a crafted web page over HbbTV. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Bravia Firmware
NVD
CVSS 3.0
7.5
EPSS
3.5%
CVE-2019-13380 MEDIUM This Month

KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from websites is mishandled in the online vault. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Hashicorp Team Password Manager
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2019-13397 MEDIUM This Month

Unauthenticated Stored XSS in osTicket 1.10.1 allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via arbitrary file extension while creating a support ticket. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Osticket
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2019-12748 MEDIUM PATCH This Month

TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Typo3
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2019-13142 MEDIUM This Month

The RzSurroundVADStreamingService (RzSurroundVADStreamingService.exe) in Razer Surround 1.1.63.0 runs as the SYSTEM user using an executable located in %PROGRAMDATA%\Razer\Synapse\Devices\Razer. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Surround
NVD
CVSS 3.0
5.5
EPSS
0.3%
CVE-2019-9150 MEDIUM This Month

Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on web page. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mailvelope
NVD GitHub
CVSS 3.0
5.3
EPSS
1.4%
CVE-2019-9147 MEDIUM This Month

Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mailvelope
NVD GitHub
CVSS 3.0
4.3
EPSS
1.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy