Skip to main content
CVE-2019-18387 CRITICAL POC Act Now

Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Hotel And Lodge Management System
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2019-18370 CRITICAL POC THREAT Act Now

An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Millet Router 3G Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
40.3%
CVE-2019-18344 CRITICAL POC Act Now

Sourcecodester Online Grading System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the student, instructor, department, room,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Online Grading System
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2019-18213 HIGH POC PATCH This Week

XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE SSRF Red Hat Xml Server Project Wild Web Developer +1
NVD GitHub
CVSS 3.1
8.8
EPSS
2.0%
CVE-2019-18280 HIGH POC This Week

Sourcecodester Online Grading System 1.0 is affected by a Cross Site Request Forgery vulnerability due to a lack of CSRF protection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE CSRF Online Grading System
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2019-17093 HIGH POC This Week

An issue was discovered in Avast antivirus before 19.8 and AVG antivirus before 19.8. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Antivirus Anti Virus
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2019-18278 HIGH POC This Week

When executing VideoLAN VLC media player 3.0.8 with libqt on Windows, Data from a Faulting Address controls Code Flow starting at libqt_plugin!vlc_entry_license__3_0_0f+0x00000000003b9aba. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Vlc Media Player
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2019-18385 HIGH POC This Week

An issue was discovered on TerraMaster FS-210 4.0.19 devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Fs 210 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
1.9%
CVE-2019-18382 HIGH POC This Week

An issue was discovered on AVStar PE204 3.10.70 IP camera devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Pe204 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-18371 HIGH POC THREAT This Week

An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Nginx Millet Router 3G Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
55.9%
CVE-2019-18277 HIGH POC THREAT This Week

A flaw was found in HAProxy before 2.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Information Disclosure Haproxy
NVD
CVSS 3.1
7.5
EPSS
10.0%
CVE-2019-18212 MEDIUM POC PATCH This Month

XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Java Path Traversal Red Hat Xml Server Project Wild Web Developer +1
NVD GitHub
CVSS 3.1
6.5
EPSS
2.8%
CVE-2019-18384 MEDIUM POC This Month

An issue was discovered on TerraMaster FS-210 4.0.19 devices. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Fs 210 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
1.4%
CVE-2019-9597 MEDIUM POC This Month

Darktrace Enterprise Immune System before 3.1 allows CSRF via the /config endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Enterprise Immune System
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2019-9596 MEDIUM POC This Month

Darktrace Enterprise Immune System before 3.1 allows CSRF via the /whitelisteddomains endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Enterprise Immune System
NVD GitHub
CVSS 3.1
6.5
EPSS
1.6%
CVE-2019-18350 MEDIUM POC This Month

In Ant Design Pro 4.0.0, reflected XSS in the user/login redirect GET parameter affects the authorization component, leading to execution of JavaScript code in the login after-action script. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ant Design Pro
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2019-10475 MEDIUM POC THREAT This Month

A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Jenkins Build Metrics
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
57.7%
CVE-2019-8237 CRITICAL PATCH Act Now

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Adobe Acrobat Dc Acrobat Reader Dc
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2019-8236 CRITICAL Act Now

Creative Cloud Desktop Application version 4.6.1 and earlier versions have Security Bypass vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Creative Cloud
NVD
CVSS 3.1
9.8
EPSS
3.4%
CVE-2019-18355 CRITICAL Act Now

An SSRF issue was discovered in the legacy Web launcher in Thycotic Secret Server before 10.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Secret Server
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2019-11933 CRITICAL Act Now

A heap buffer overflow bug in libpl_droidsonroids_gif before 1.2.19, as used in WhatsApp for Android before version 2.19.291 could allow remote attackers to execute arbitrary code or cause a denial. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Buffer Overflow Denial Of Service RCE Libpl Droidsonroids Gif +1
NVD
CVSS 3.1
9.8
EPSS
4.1%
CVE-2019-18359 MEDIUM POC This Month

A buffer over-read was discovered in ReadMP3APETag in apetag.c in MP3Gain 1.6.2. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Information Disclosure Mp3Gain
NVD
CVSS 3.1
5.5
EPSS
1.4%
CVE-2019-11283 HIGH This Week

Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Cf Deployment Cloud Foundry Smb Volume
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2019-18220 HIGH This Week

Sitemagic CMS 4.4.1 is affected by a Cross-Site-Request-Forgery (CSRF) issue as it doesn't implement any method to validate incoming requests, allowing the execution of critical functionalities via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Sitemagic
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.1%
CVE-2019-10471 HIGH PATCH This Week

A cross-site request forgery vulnerability in Jenkins Libvirt Slaves Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Libvirt Slaves
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2019-10468 HIGH This Week

A cross-site request forgery vulnerability in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Kubernetes CSRF Kubernetes Ci
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2019-10464 HIGH This Week

A cross-site request forgery vulnerability in Jenkins Deploy WebLogic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Oracle CSRF Deploy Weblogic
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2019-10466 HIGH This Week

An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SSRF Jenkins 360 Fireline
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2019-10462 HIGH PATCH This Week

A cross-site request forgery vulnerability in Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Dynatrace Application Monitoring
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2019-10476 HIGH PATCH This Week

Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Jenkins Information Disclosure Zulip
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2019-10461 HIGH PATCH This Week

Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Jenkins Information Disclosure Dynatrace Application Monitoring
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2019-10460 HIGH PATCH This Week

Jenkins Bitbucket OAuth Plugin 0.9 and earlier stored credentials unencrypted in the global config.xml configuration file on the Jenkins master where they could be viewed by users with access to the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Jenkins Information Disclosure Bitbucket Oauth
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2019-8238 HIGH PATCH This Week

Adobe Acrobat and Reader versions 2019.010.20100 and earlier; 2019.010.20099 and earlier versions; 2017.011.30140 and earlier version; 2017.011.30138 and earlier version; 2015.006.30495 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Information Disclosure Adobe Acrobat Dc Acrobat Reader Dc
NVD
CVSS 3.1
7.5
EPSS
4.7%
CVE-2019-18383 HIGH This Week

An issue was discovered on TerraMaster FS-210 4.0.19 devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Fs 210 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2019-6144 MEDIUM PATCH This Month

This vulnerability allows a normal (non-admin) user to disable the Forcepoint One Endpoint (versions 19.04 through 19.08) and bypass DLP and Web protection. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass One Endpoint
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2019-3982 MEDIUM This Month

Nessus versions 8.6.0 and earlier were found to contain a Denial of Service vulnerability due to improper validation of specific imported scan types. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Nessus
NVD
CVSS 3.1
6.5
EPSS
1.8%
CVE-2019-10472 MEDIUM PATCH This Month

A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jenkins Libvirt Slaves
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2019-10470 MEDIUM This Month

A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jenkins Kubernetes Kubernetes Ci
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2019-10469 MEDIUM This Month

A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jenkins Kubernetes Kubernetes Ci
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2019-10467 MEDIUM PATCH This Month

Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Sonar Gerrit
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2019-10463 MEDIUM PATCH This Month

A missing permission check in Jenkins Dynatrace Application Monitoring Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jenkins Dynatrace Application Monitoring
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2019-10459 MEDIUM PATCH This Month

Jenkins Mattermost Notification Plugin 2.7.0 and earlier stored webhook URLs containing a secret token unencrypted in its global configuration file and job config.xml files on the Jenkins master. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mattermost Jenkins Information Disclosure Mattermost Notification
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2019-14276 MEDIUM PATCH This Month

WUSTL XNAT 1.7.5.3 allows XXE attacks via a POST request body. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Xnat
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2019-18357 MEDIUM This Month

An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 2 of 2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Secret Server
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2019-18356 MEDIUM This Month

An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 1 of 2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Secret Server
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2019-18348 MEDIUM This Month

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Python
NVD
CVSS 3.1
6.1
EPSS
3.5%
CVE-2019-17606 MEDIUM PATCH This Month

The Post editor functionality in the hexo-admin plugin versions 2.3.0 and earlier for Node.js is vulnerable to stored XSS via the content of a post. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Hexo Admin
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2019-16977 MEDIUM PATCH This Month

In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Fusionpbx
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2019-16975 MEDIUM PATCH This Month

In FusionPBX up to 4.5.7, the file app\contacts\contact_notes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Fusionpbx
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2019-16976 MEDIUM PATCH This Month

In FusionPBX up to 4.5.7, the file app\destinations\destination_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Fusionpbx
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy