Skip to main content
CVE-2019-19033 CRITICAL POC Act Now

Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account, by using any username and the hardcoded dev password. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Jcms
NVD GitHub
CVSS 3.1
9.8
EPSS
3.3%
CVE-2019-19006 CRITICAL POC KEV THREAT Act Now

Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Freepbx
NVD
CVSS 3.1
9.8
EPSS
36.6%
CVE-2019-18349 CRITICAL POC Act Now

HotkeyP through 4.9 r96 allows privilege escalation in the privilege function in Commands.cpp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Hotkeyp
NVD GitHub
CVSS 3.1
9.8
EPSS
2.4%
CVE-2019-16340 CRITICAL POC PATCH THREAT Act Now

Belkin Linksys Velop 1.1.8.192419 devices allows remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Linksys Information Disclosure Velop Whw0303 Firmware Velop Whw0302 Firmware Velop Whw0301 Firmware
NVD
CVSS 3.1
9.8
EPSS
19.3%
CVE-2019-19207 HIGH POC THREAT This Week

rConfig 3.9.2 allows devices.php?searchColumn= SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD
CVSS 3.1
8.8
EPSS
22.7%
CVE-2019-19202 HIGH POC PATCH This Week

In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Vtiger Crm
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2019-5087 HIGH POC This Week

An exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools 1.0.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Xcftools Debian Linux
NVD
CVSS 3.1
8.8
EPSS
3.6%
CVE-2019-5086 HIGH POC This Week

An exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools, version 1.0.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Xcftools Debian Linux
NVD
CVSS 3.1
8.8
EPSS
3.2%
CVE-2019-19197 HIGH POC This Week

IOCTL Handling in the kyrld.sys driver in Kyrol Internet Security 9.0.6.9 allows an attacker to achieve privilege escalation, denial-of-service, and code execution via usermode because 0x9C402401. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation RCE Kyrol Internet Security
NVD GitHub
CVSS 3.1
7.8
EPSS
0.6%
CVE-2019-19191 HIGH POC This Week

Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Service Provider
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2019-16406 HIGH POC This Week

Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

VMware Information Disclosure Centreon Web
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2019-5072 HIGH POC This Week

An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Tenda Command Injection Ac9V1 0 Firmware
NVD
CVSS 3.1
7.8
EPSS
1.8%
CVE-2019-5071 HIGH POC This Week

An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Tenda Command Injection Ac9V1 0 Firmware
NVD
CVSS 3.1
7.8
EPSS
1.7%
CVE-2019-18958 HIGH POC This Week

Nitro Pro before 13.2 creates a debug.log file in the directory where a .pdf file is located, if the .pdf document was produced by an OCR operation on the JPEG output of a scanner. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Nitro Pro
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2019-17421 HIGH POC PATCH This Week

Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Privilege Escalation Zoho Manageengine Firewall Analyzer Manageengine Opmanager
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2019-19204 HIGH POC This Week

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Oniguruma Debian Linux Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
6.9%
CVE-2019-19203 HIGH POC This Week

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Oniguruma Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
4.1%
CVE-2019-5637 HIGH POC This Week

When Beckhoff TwinCAT is configured to use the Profinet driver, a denial of service of the controller could be reached by sending a malformed UDP packet to the device.1 version 4204.0 (and prior). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Twincat
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2019-5636 HIGH POC This Week

When a Beckhoff TwinCAT Runtime receives a malformed UDP packet, the ADS Discovery Service shuts down. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Twincat
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2019-16758 HIGH POC THREAT This Week

In Lexmark Services Monitor 2.27.4.0.39 (running on TCP port 2070), a remote attacker can use a directory traversal technique using /../../../ or ..%2F..%2F..%2F to obtain local files on the host. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Services Monitor Firmware
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
16.8%
CVE-2019-10767 HIGH POC PATCH This Week

An attacker can include file contents from outside the `/adapter/xxx/` directory, where `xxx` is the name of an existent adapter like "admin". Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Iobroker Js Controller
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2019-16405 HIGH POC PATCH THREAT This Week

Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Centreon Web
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
27.0%
CVE-2019-16541 CRITICAL PATCH Act Now

Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Atlassian Jenkins Information Disclosure Jira
NVD
CVSS 3.1
9.9
EPSS
1.6%
CVE-2019-18933 CRITICAL PATCH Act Now

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Google Information Disclosure Zulip Server
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2019-18889 CRITICAL PATCH Act Now

An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Symfony Fedora
NVD GitHub
CVSS 3.1
9.8
EPSS
33.2%
CVE-2019-11325 CRITICAL PATCH Act Now

An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP RCE Symfony
NVD GitHub
CVSS 3.1
9.8
EPSS
3.4%
CVE-2019-5509 CRITICAL Act Now

ONTAP Select Deploy administration utility versions 2.11.2 through 2.12.2 are susceptible to a code injection vulnerability which when successfully exploited could allow an unauthenticated remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Ontap Select Deploy Administration Utility
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2019-2303 CRITICAL Act Now

SNDCP module may access array out side its boundary when it receives malformed XID message. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Qualcomm Information Disclosure Apq8009 Firmware Apq8017 Firmware +53
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2019-2289 CRITICAL Act Now

Lack of integrity check allows MODEM to accept any NAS messages which can result into authentication bypass of NAS in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Qualcomm Apq8009 Firmware Apq8017 Firmware Apq8053 Firmware +52
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2019-2271 CRITICAL Act Now

Buffer over read can happen while parsing downlink session management OTA messages if network sends un-intended values in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Qualcomm Information Disclosure Apq8009 Firmware Apq8017 Firmware +53
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2019-2268 CRITICAL PATCH Act Now

Possible OOB read issue in P2P action frames while handling WLAN management frame in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Qualcomm Information Disclosure Apq8009 Firmware Apq8017 Firmware +24
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2019-10627 CRITICAL Act Now

Integer overflow to buffer overflow vulnerability in PostScript image handling code used by the PostScript- and PDF-compatible interpreters due to incorrect buffer size calculation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Ips D9l63a Firmware D9l64a Firmware T0g70a Firmware +38
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2019-19221 MEDIUM POC PATCH This Month

In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Libarchive Debian Linux Fedora +1
NVD GitHub
CVSS 3.1
5.5
EPSS
0.7%
CVE-2019-19037 MEDIUM POC This Month

ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Linux Linux Kernel
NVD GitHub
CVSS 3.1
5.5
EPSS
1.9%
CVE-2019-19039 MEDIUM POC This Month

__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Linux Information Disclosure Linux Kernel Debian Linux Ubuntu Linux
NVD GitHub
CVSS 3.1
5.5
EPSS
0.7%
CVE-2019-19036 MEDIUM POC This Month

btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Linux Linux Kernel
NVD GitHub
CVSS 3.1
5.5
EPSS
1.8%
CVE-2019-16548 HIGH PATCH This Week

A cross-site request forgery vulnerability in Jenkins Google Compute Engine Plugin 4.1.1 and earlier in ComputeEngineCloud#doProvision could be used to provision new agents. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Jenkins CSRF Google Compute Engine
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2019-16544 HIGH PATCH This Week

Jenkins QMetry for JIRA - Test Management Plugin 1.12 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Atlassian Jenkins Information Disclosure Jenkins Qmetry For Jira
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2019-16538 HIGH PATCH This Week

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins RCE Script Security
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2019-18887 HIGH PATCH This Week

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Symfony Fedora
NVD GitHub
CVSS 3.1
8.1
EPSS
1.3%
CVE-2019-15511 HIGH This Week

An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Privilege Escalation Galaxy
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2019-17650 HIGH This Week

An Improper Neutralization of Special Elements used in a Command vulnerability in one of FortiClient for Mac OS root processes, may allow a local user of the system on which FortiClient is running to. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Fortinet Command Injection Forticlient
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2019-2339 HIGH This Week

Out of bound access due to lack of check of whiltelist array size while reading the image elf segments. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Qualcomm Information Disclosure Mdm9205 Firmware Qcs404 Firmware Qcs605 Firmware +12
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2019-2329 HIGH This Week

Use after free issue in cleanup routine due to missing pointer sanitization for a failed start of a trusted application. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Use After Free Qualcomm Memory Corruption Mdm9205 Firmware +12
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2019-2315 HIGH This Week

While invoking the API to copy from fd or local buffer to the secure buffer, Parameters being populated are from non secure environment. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Qualcomm Information Disclosure Apq8009 Firmware Apq8017 Firmware Apq8053 Firmware +40
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2019-2297 HIGH PATCH This Week

Buffer overflow can occur while processing non-standard NAN message from user space. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Buffer Overflow Qualcomm Apq8009 Firmware Apq8017 Firmware Apq8053 Firmware +27
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2019-2266 HIGH PATCH This Week

Possible double free issue in kernel while handling the camera sensor and its sub modules power sequence in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Qualcomm Information Disclosure Apq8053 Firmware Ipq4019 Firmware Ipq8064 Firmware +13
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2019-2251 HIGH This Week

If a bitmap file is loaded from any un-authenticated source, there is a possibility that the bitmap can potentially cause stack buffer overflow. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Qualcomm Memory Corruption Apq8016 Firmware Apq8096Au Firmware +25
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2019-10617 HIGH This Week

Low privilege users can access service configuration which contains registry data that admins uses to create or delete entries in the registry in QCA6174_9377.WIN.1.0 in QCA6174_9377. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Qca6174 Firmware
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2019-10566 HIGH PATCH This Week

Buffer overflow can occur in wlan module if supported rates or extended rates element length is greater than max rate set length in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.

Buffer Overflow Qualcomm Apq8017 Firmware Apq8053 Firmware Apq8096Au Firmware +23
NVD
CVSS 3.1
7.8
EPSS
0.2%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy