Skip to main content
CVE-2019-18418 CRITICAL POC Act Now

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Session Fixation Information Disclosure Clonos
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
4.0%
CVE-2019-18413 CRITICAL POC PATCH Act Now

In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS SQLi Typestack Class Validator
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2019-18200 CRITICAL POC Act Now

An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Lx390 Firmware
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2019-13652 CRITICAL POC Act Now

TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow serviceName OS Command Injection (issue 4 of 5). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

TP-Link Command Injection M7350 Firmware
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2019-13651 CRITICAL POC Act Now

TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow portMappingProtocol OS Command Injection (issue 3 of 5). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

TP-Link Command Injection M7350 Firmware
NVD
CVSS 3.1
9.8
EPSS
3.0%
CVE-2019-13650 CRITICAL POC Act Now

TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow internalPort OS Command Injection (issue 2 of 5). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

TP-Link Command Injection M7350 Firmware
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2019-13649 CRITICAL POC Act Now

TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow externalPort OS Command Injection (issue 1 of 5). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

TP-Link Command Injection M7350 Firmware
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2019-18394 CRITICAL POC PATCH THREAT Act Now

A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Java SSRF Openfire
NVD GitHub
CVSS 3.1
9.8
EPSS
32.3%
CVE-2019-18417 HIGH POC This Week

Sourcecodester Restaurant Management System 1.0 allows an authenticated attacker to upload arbitrary files that can result in code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload RCE Restaurant Management System
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2019-18414 HIGH POC This Week

Sourcecodester Restaurant Management System 1.0 is affected by an admin/staff-exec.php Cross Site Request Forgery vulnerability due to a lack of CSRF protection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE CSRF Restaurant Management System
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2019-12095 HIGH POC This Week

Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF Groupware
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
1.1%
CVE-2019-18409 HIGH POC This Week

The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local privilege escalation because of world-writable files. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Ruby Parser Legacy
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2019-17596 HIGH POC PATCH This Week

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Go Debian Linux Fedora Developer Tools +7
NVD GitHub
CVSS 3.1
7.5
EPSS
4.7%
CVE-2019-18201 HIGH POC This Week

An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Lx390 Firmware
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2019-18199 MEDIUM POC This Month

An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Rated medium severity (CVSS 6.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Lx390 Firmware
NVD
CVSS 3.1
6.6
EPSS
0.4%
CVE-2019-18419 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in index.php in ClonOS WEB control panel 19.09 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Clonos
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2019-18416 MEDIUM POC This Month

Sourcecodester Restaurant Management System 1.0 allows XSS via the Last Name field of a member. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Restaurant Management System
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2019-18415 MEDIUM POC This Month

Sourcecodester Restaurant Management System 1.0 allows XSS via the "send a message" screen. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Restaurant Management System
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2019-12094 MEDIUM POC This Month

Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Groupware
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
1.5%
CVE-2019-15929 CRITICAL PATCH Act Now

In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Craft Cms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2019-13653 CRITICAL Act Now

TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow triggerPort OS Command Injection (issue 5 of 5). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

TP-Link Command Injection M7350 Firmware
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2019-12017 CRITICAL Act Now

A remote code execution vulnerability exists in MapR CLDB code, specifically in the JSON framework that is used in the CLDB code that handles login and ticket issuance. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java RCE Deserialization Mapr
NVD
CVSS 3.1
9.8
EPSS
2.9%
CVE-2019-18393 MEDIUM POC PATCH THREAT This Month

PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Java Path Traversal Openfire
NVD GitHub
CVSS 3.1
5.3
EPSS
13.9%
CVE-2019-5013 HIGH This Week

An exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the start/stopLaunchDProcess command. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Driver
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2019-5012 HIGH This Week

An exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the startProcess command. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Driver
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2019-6692 HIGH This Week

A malicious DLL preload vulnerability in Fortinet FortiClient for Windows 6.2.0 and below allows a privileged attacker to perform arbitrary code execution via forging that DLL. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Fortinet Microsoft RCE Forticlient
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2019-18408 HIGH PATCH This Week

archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Information Disclosure Memory Corruption Libarchive Debian Linux +1
NVD GitHub
CVSS 3.1
7.5
EPSS
4.0%
CVE-2019-15703 HIGH This Week

An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Fortinet Information Disclosure Fortios
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2019-11021 HIGH This Week

admin/app/mediamanager in Schlix CMS 2.1.8-7 allows Authenticated Unrestricted File Upload, leading to remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload RCE Cms
NVD VulDB
CVSS 3.1
7.2
EPSS
2.2%
CVE-2019-18196 MEDIUM This Month

A DLL side loading vulnerability in the Windows Service in TeamViewer versions up to 11.0.133222 (fixed in 11.0.214397), 12.0.181268 (fixed in 12.0.214399), 13.2.36215 (fixed in 13.2.36216), and. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Microsoft RCE Teamviewer
NVD
CVSS 3.1
6.7
EPSS
0.6%
CVE-2019-4397 MEDIUM PATCH This Month

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.9 and 2.4 through 2.4.0.5 stores sensitive information in URL parameters. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Cloud Orchestrator Cloud Orchestrator Enterprise
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2019-8080 MEDIUM This Month

Adobe Experience Manager versions 6.4 and 6.3 have a stored cross site scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Privilege Escalation Adobe Experience Manager
NVD
CVSS 3.1
6.1
EPSS
1.8%
CVE-2019-8079 MEDIUM This Month

Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross site scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Information Disclosure Adobe Experience Manager
NVD
CVSS 3.1
6.1
EPSS
1.5%
CVE-2019-8078 MEDIUM This Month

Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a reflected cross site scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Information Disclosure Adobe Experience Manager
NVD
CVSS 3.1
6.1
EPSS
1.6%
CVE-2019-17581 MEDIUM This Month

tonyy dormsystem through 1.3 allows DOM XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Dormsystem
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2019-4486 MEDIUM PATCH This Month

IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Maximo Asset Management Maximo For Aviation Maximo For Life Sciences +6
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-4459 MEDIUM PATCH This Month

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.9 and 2.4 through 2.4.0.5 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Cloud Orchestrator
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2019-9699 MEDIUM This Month

Symantec Messaging Gateway (prior to 10.7.0), may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data. Rated medium severity (CVSS 4.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Information Disclosure Messaging Gateway
NVD
CVSS 3.1
4.5
EPSS
0.5%
CVE-2019-4398 LOW PATCH Monitor

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.9 and 2.4 through 2.4.0.5 could allow a local user to obtain sensitive information from SessionManagement cookies. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity.

IBM Path Traversal Information Disclosure Cloud Orchestrator Cloud Orchestrator Enterprise
NVD
CVSS 3.1
3.3
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy