Skip to main content
CVE-2019-15060 HIGH POC This Week

The traceroute function on the TP-Link TL-WR840N v4 router with firmware through 0.9.1 3.16 is vulnerable to remote code execution via a crafted payload in an IP address input field. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

TP-Link RCE Command Injection Tl Wr840N Firmware
NVD
CVSS 3.0
8.8
EPSS
4.0%
CVE-2019-12385 HIGH POC This Week

An issue was discovered in Ampache through 3.9.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Ampache
NVD
CVSS 3.0
8.8
EPSS
1.6%
CVE-2019-15324 HIGH POC This Week

The ad-inserter plugin before 2.4.22 for WordPress has remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE Ad Inserter
NVD
CVSS 3.0
8.8
EPSS
3.6%
CVE-2019-13139 HIGH POC PATCH This Week

In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Docker Command Injection
NVD GitHub
CVSS 3.0
8.4
EPSS
2.0%
CVE-2019-9154 HIGH POC PATCH This Week

Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to pass off unsigned data as signed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Jwt Attack Information Disclosure Openpgpjs
NVD GitHub
CVSS 3.0
7.5
EPSS
1.6%
CVE-2019-9153 HIGH POC PATCH This Week

Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Jwt Attack Information Disclosure Openpgpjs
NVD GitHub
CVSS 3.0
7.5
EPSS
2.0%
CVE-2019-14751 HIGH POC PATCH This Week

NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Nltk
NVD GitHub
CVSS 3.0
7.5
EPSS
5.8%
CVE-2019-14511 HIGH POC This Week

Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1 only). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Sphinx
NVD
CVSS 3.0
7.5
EPSS
2.0%
CVE-2019-11013 MEDIUM POC THREAT This Month

Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Nimble Streamer
NVD Exploit-DB
CVSS 3.0
6.5
EPSS
24.0%
CVE-2019-9155 MEDIUM POC PATCH This Month

A cryptographic issue in OpenPGP.js <=4.2.0 allows an attacker who is able provide forged messages and gain feedback about whether decryption of these messages succeeded to conduct an invalid curve. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Openpgpjs
NVD GitHub
CVSS 3.0
5.9
EPSS
1.5%
CVE-2019-11031 CRITICAL Act Now

Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the auto-update feature of IDVRUpdateService2 in DVRServer.exe. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Mirasys Vms
NVD
CVSS 3.0
9.8
EPSS
1.9%
CVE-2019-11030 CRITICAL Act Now

Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mirasys Vms
NVD
CVSS 3.0
9.8
EPSS
2.0%
CVE-2019-15322 CRITICAL Act Now

The shortcode-factory plugin before 2.8 for WordPress has Local File Inclusion. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Shortcode Factory
NVD
CVSS 3.0
9.8
EPSS
2.0%
CVE-2019-15321 CRITICAL Act Now

The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization Optiontree
NVD
CVSS 3.0
9.8
EPSS
2.1%
CVE-2019-15320 CRITICAL Act Now

The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization Optiontree
NVD
CVSS 3.0
9.8
EPSS
2.1%
CVE-2019-15319 CRITICAL Act Now

The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization Optiontree
NVD
CVSS 3.0
9.8
EPSS
2.1%
CVE-2019-15318 CRITICAL Act Now

The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPress has code injection via the admin input field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection WordPress RCE Easy Forms For Mailchimp
NVD
CVSS 3.0
9.8
EPSS
2.2%
CVE-2019-12386 MEDIUM POC This Month

An issue was discovered in Ampache through 3.9.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Ampache
NVD
CVSS 3.0
5.4
EPSS
0.8%
CVE-2019-15317 MEDIUM POC This Month

The give plugin before 2.4.7 for WordPress has XSS via a donor name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Givewp
NVD
CVSS 3.0
5.4
EPSS
1.2%
CVE-2019-15314 MEDIUM POC This Month

tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Tikiwiki Cms Groupware
NVD
CVSS 3.0
5.4
EPSS
0.9%
CVE-2019-15329 HIGH This Week

The import-users-from-csv-with-meta plugin before 1.14.0.3 for WordPress has CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Import Users From Csv With Meta
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2019-15326 HIGH This Week

The import-users-from-csv-with-meta plugin before 1.14.2.1 for WordPress has directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal WordPress Import Users From Csv With Meta
NVD
CVSS 3.0
7.5
EPSS
2.3%
CVE-2019-15325 HIGH This Week

In GalliumOS 3.0, CONFIG_SECURITY_YAMA is disabled but /etc/sysctl.d/10-ptrace.conf tries to set /proc/sys/kernel/yama/ptrace_scope to 1, which might increase risk because of the appearance that a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Galliumos
NVD GitHub
CVSS 3.0
7.5
EPSS
1.3%
CVE-2019-15330 HIGH This Week

The webp-express plugin before 0.14.11 for WordPress has insufficient protection against arbitrary file reading. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Webp Express
NVD
CVSS 3.0
7.5
EPSS
1.8%
CVE-2019-11029 HIGH This Week

Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Download() method of AutoUpdateService in SMServer.exe, leading to Directory Traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Mirasys Vms
NVD
CVSS 3.0
7.5
EPSS
2.5%
CVE-2019-5635 HIGH This Week

A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hickory Smart Ethernet Bridge Firmware
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2019-15323 HIGH This Week

The ad-inserter plugin before 2.4.20 for WordPress has path traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal WordPress Ad Inserter
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2019-7617 HIGH PATCH This Week

When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Python Information Disclosure Apm Agent
NVD
CVSS 3.0
7.2
EPSS
1.5%
CVE-2019-15328 MEDIUM This Month

The import-users-from-csv-with-meta plugin before 1.14.0.3 for WordPress has XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Import Users From Csv With Meta
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2019-15327 MEDIUM This Month

The import-users-from-csv-with-meta plugin before 1.14.1.3 for WordPress has XSS via imported data. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Import Users From Csv With Meta
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2019-15331 MEDIUM This Month

The wp-support-plus-responsive-ticket-system plugin before 9.1.2 for WordPress has HTML injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Wp Support Plus Responsive Ticket System
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2019-5633 MEDIUM This Month

An insecure storage of sensitive information vulnerability is present in Hickory Smart for iOS mobile devices from Belwith Products, LLC. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Apple Information Disclosure Hickory Smart
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2019-5632 MEDIUM This Month

An insecure storage of sensitive information vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure Hickory Smart
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2019-14469 MEDIUM This Month

In Nexus Repository Manager before 3.18.0, users with elevated privileges can create stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Nexus Repository Manager
NVD
CVSS 3.0
5.4
EPSS
1.1%
CVE-2019-5634 MEDIUM This Month

An inclusion of sensitive information in log files vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. Rated medium severity (CVSS 4.3), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure Hickory Smart
NVD
CVSS 3.0
4.3
EPSS
0.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy