Skip to main content
CVE-2019-19576 CRITICAL POC PATCH THREAT Act Now

class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 26.2%.

File Upload PHP Verot K2
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
26.2%
Threat
4.2
CVE-2019-19228 CRITICAL POC Act Now

Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allow attackers to bypass authentication because the password for the today account is stored in the /tmp/web_users.conf file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Datamanager Box 2 0 Firmware Eco 25 0 3 S Firmware Eco 27 0 3 S Firmware Galvo 1 5 1 Firmware +62
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2019-18346 HIGH POC This Week

A CSRF issue was discovered in DAViCal through 1.1.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Davical
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2019-19364 HIGH POC This Week

A weak malicious user can escalate its privilege whenever CatalystProductionSuite.2019.1.exe (version 1.1.0.21) and CatalystBrowseSuite.2019.1.exe (version 1.1.0.21) installers run. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Catalyst Browse Catalyst Production Suite
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2019-16753 HIGH POC This Week

An issue was discovered in Decentralized Anonymous Payment System (DAPS) through 2019-08-26. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Jwt Attack Information Disclosure Decentralized Anonymous Payment System Private Instant Verified Transactions
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2019-11216 MEDIUM POC This Month

BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE File Upload Remedy Smart Reporting
NVD
CVSS 3.1
6.5
EPSS
1.8%
CVE-2019-19229 MEDIUM POC This Month

admincgi-bin/service.fcgi on Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allows action=download&filename= Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Datamanager Box 2 0 Firmware Eco 25 0 3 S Firmware Eco 27 0 3 S Firmware Galvo 1 5 1 Firmware +62
NVD
CVSS 3.1
6.5
EPSS
2.3%
CVE-2019-19133 MEDIUM POC This Month

The CSS Hero plugin through 4.0.3 for WordPress is prone to reflected XSS via the URI in a csshero_action=edit_page request because it fails to sufficiently sanitize user-supplied input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Csshero
NVD
CVSS 3.1
6.1
EPSS
1.9%
CVE-2019-17556 CRITICAL PATCH Act Now

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Olingo
NVD
CVSS 3.1
9.8
EPSS
3.6%
CVE-2019-11940 CRITICAL PATCH Act Now

In the course of decompressing HPACK inside the HTTP2 protocol, an unexpected sequence of header table resize operations can place the header table into a corrupted state, leading to a use-after-free. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Information Disclosure Memory Corruption Proxygen
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2019-11936 CRITICAL PATCH Act Now

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hhvm
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2019-11935 CRITICAL PATCH Act Now

Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Hhvm
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2019-11934 CRITICAL PATCH Act Now

Improper handling of close_notify alerts can result in an out-of-bounds read in AsyncSSLSocket.11.04.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Information Disclosure Folly
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2019-11930 CRITICAL PATCH Act Now

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Hhvm
NVD GitHub
CVSS 3.1
9.8
EPSS
3.2%
CVE-2019-19555 MEDIUM POC This Month

read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-based buffer overflow because of an incorrect sscanf. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Xfig
NVD
CVSS 3.1
5.5
EPSS
1.1%
CVE-2019-17554 MEDIUM POC PATCH THREAT This Month

The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Apache Deserialization Olingo
NVD Exploit-DB
CVSS 3.1
5.5
EPSS
12.2%
CVE-2019-18347 MEDIUM POC This Month

A stored XSS issue was discovered in DAViCal through 1.1.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Davical
NVD
CVSS 3.1
5.4
EPSS
1.1%
CVE-2019-14909 HIGH This Week

A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak
NVD
CVSS 3.1
8.3
EPSS
1.1%
CVE-2019-7201 HIGH This Week

An unquoted service path vulnerability is reported to affect the service QVssService in QNAP NetBak Replicator. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Qnap RCE Netbak Replicator
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2019-15638 HIGH This Week

COPA-DATA zenone32 zenon Editor through 8.10 has an Uncontrolled Search Path Element. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zenon
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2019-17555 HIGH PATCH This Week

The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Olingo
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2019-11937 HIGH PATCH This Week

In Mcrouter prior to v0.41.0, a large struct input provided to the Carbon protocol reader could result in stack exhaustion and denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Mcrouter
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2019-11923 HIGH PATCH This Week

In Mcrouter prior to v0.41.0, the deprecated ASCII parser would allocate a buffer to a user-specified length with no maximum length enforced, allowing for resource exhaustion or denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Mcrouter
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2019-18850 HIGH This Week

TrevorC2 v1.1/v1.2 fails to prevent fingerprinting primarily via a discrepancy between response headers when responding to different HTTP methods, also via predictible responses when accessing and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Trevorc2
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2019-19579 MEDIUM This Month

An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device (and assignable-add is not. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Xen Fedora
NVD
CVSS 3.1
6.8
EPSS
0.5%
CVE-2019-7197 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability has been reported to affect multiple versions of QTS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Qnap Qts
NVD
CVSS 3.1
4.8
EPSS
1.2%
CVE-2019-16752 MEDIUM This Month

An issue was discovered in Decentralized Anonymous Payment System (DAPS) through 2019-08-26. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Dash Core Decentralized Anonymous Payment System Private Instant Verified Transactions
NVD
CVSS 3.1
4.3
EPSS
0.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy