Skip to main content
CVE-2019-18935 CRITICAL POC KEV PATCH THREAT Act Now

Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability in RadAsyncUpload that allows unauthenticated remote code execution when encryption keys are known, exploited by APT groups and ransomware operators.

NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
93.6%
Threat
9.8
CVE-2019-3989 CRITICAL POC Act Now

Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when retrieving internal network configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Blink Xt2 Sync Module Firmware
NVD
CVSS 3.1
9.8
EPSS
3.7%
CVE-2019-19725 CRITICAL POC Act Now

sysstat through 12.2.0 has a double free in check_file_actlst in sa_common.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Sysstat Debian Linux Ubuntu Linux
NVD GitHub
CVSS 3.1
9.8
EPSS
2.8%
CVE-2019-19374 CRITICAL POC Act Now

An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8,. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Path Traversal Information Disclosure Matrix
NVD
CVSS 3.1
9.1
EPSS
3.4%
CVE-2019-3988 HIGH POC This Week

Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the devices wifi configuration. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Blink Xt2 Sync Module Firmware
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2019-3987 HIGH POC This Week

Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the devices wifi configuration. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Blink Xt2 Sync Module Firmware
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2019-3986 HIGH POC This Week

Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the devices wifi configuration. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Blink Xt2 Sync Module Firmware
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-3985 HIGH POC This Week

Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the devices wifi configuration. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Blink Xt2 Sync Module Firmware
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2019-19720 HIGH POC This Week

Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Yabasic
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-19604 HIGH POC This Week

Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Git Debian Linux Fedora Leap
NVD
CVSS 3.1
7.8
EPSS
3.7%
CVE-2019-19729 HIGH POC This Week

An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Node.js Bson Objectid
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-19373 HIGH POC This Week

An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Deserialization Matrix
NVD
CVSS 3.1
7.5
EPSS
4.8%
CVE-2019-3983 MEDIUM POC This Month

Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary code and commands on the device due to insufficient UART protections. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE Blink Xt2 Sync Module Firmware
NVD
CVSS 3.1
6.8
EPSS
1.0%
CVE-2019-10772 MEDIUM POC PATCH This Month

It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Svg Sanitizer
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2019-19709 MEDIUM POC PATCH This Month

MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Mediawiki Debian Linux
NVD
CVSS 3.1
6.1
EPSS
1.6%
CVE-2019-19708 MEDIUM POC This Month

The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Visual Editor
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2019-0403 CRITICAL Act Now

SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Command Injection Enable Now
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2019-19649 CRITICAL Act Now

Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Java Zoho Manageengine Applications Manager
NVD
CVSS 3.1
9.8
EPSS
9.5%
CVE-2019-18960 CRITICAL Act Now

Firecracker vsock implementation buffer overflow in versions 0.18.0 and 0.19.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Firecracker
NVD GitHub
CVSS 3.1
9.8
EPSS
3.3%
CVE-2019-0398 HIGH This Week

Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, may lead to an authenticated user to send. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP CSRF Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2019-19650 HIGH This Week

Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Java Zoho Manageengine Applications Manager
NVD
CVSS 3.1
8.8
EPSS
5.7%
CVE-2019-19578 HIGH PATCH This Week

An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity.

Privilege Escalation Denial Of Service Xen Fedora
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2019-4715 HIGH This Week

IBM Spectrum Scale 4.2 and 5.0 could allow a remote authenticated attacker to execute arbitrary commands on the system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Command Injection Spectrum Scale
NVD
CVSS 3.1
8.8
EPSS
4.0%
CVE-2019-18245 HIGH This Week

Reliable Controls LicenseManager versions 3.4 and prior may allow an authenticated user to insert malicious code into the system root path, which may allow execution of code with elevated privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Rc Licensemanager
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2019-18232 HIGH This Week

SafeNet Sentinel LDK License Manager, all versions prior to 7.101(only Microsoft Windows versions are affected) is vulnerable when configured as a service. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Microsoft Sentinel Ldk License Manager
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2019-3667 HIGH This Week

DLL Search Order Hijacking vulnerability in the Microsoft Windows client in McAfee Tech Check 3.0.0.17 and earlier allows local users to execute arbitrary code via the local folder placed there by an. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft RCE Techcheck
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2019-17087 HIGH This Week

Unauthorized file download vulnerability in all supported versions of Micro Focus AcuToWeb. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Acutoweb
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-0405 HIGH This Week

SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to construct a list of users, leading to a user enumeration vulnerability and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Enable Now
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-0404 HIGH This Week

SAP Enable Now, before version 1911, leaks information about network configuration in the server error messages, leading to Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure SAP Enable Now
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-19583 HIGH PATCH This Week

An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of service (guest OS crash) because VMX VMEntry checks mishandle a certain case. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Intel Amd Xen Fedora +2
NVD
CVSS 3.1
7.5
EPSS
2.2%
CVE-2019-19707 HIGH This Week

On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware through 6.0), denial of service can occur via PROFINET DCE-RPC endpoint discovery packets. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Eds G508E Firmware Eds G512E Firmware Eds G516E Firmware
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2019-5815 HIGH PATCH This Week

Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Memory Corruption Libxslt Debian Linux
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2019-14899 HIGH This Week

A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make. Rated high severity (CVSS 7.4), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Google Apple Freebsd Linux Kernel +6
NVD
CVSS 3.1
7.4
EPSS
0.8%
CVE-2019-18379 HIGH This Week

Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a server-side request forgery (SSRF) exploit, which is a type of issue that can let an attacker send crafted requests from the. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Messaging Gateway
NVD
CVSS 3.1
7.3
EPSS
1.1%
CVE-2019-19577 HIGH PATCH This Week

An issue was discovered in Xen through 4.12.x allowing x86 AMD HVM guest OS users to cause a denial of service or possibly gain privileges by triggering data-structure access during pagetable-height. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. This Memory Leak vulnerability could allow attackers to exhaust available memory leading to denial of service.

Privilege Escalation Denial Of Service Intel Amd Xen +1
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2019-18377 HIGH This Week

Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Messaging Gateway
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2019-19580 MEDIUM PATCH This Month

An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations, because of an. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable.

Race Condition Privilege Escalation Xen Fedora
NVD
CVSS 3.1
6.6
EPSS
1.2%
CVE-2019-0399 MEDIUM This Month

SAP Portfolio and Project Management, before versions S4CORE 102, 103, EPPM 100 and CPRXRPM 500_702, 600_740, 610_740; unintentionally allows a user to discover accounting information of the Projects. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Portfolio And Project Management
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2019-19582 MEDIUM PATCH This Month

An issue was discovered in Xen through 4.12.x allowing x86 guest OS users to cause a denial of service (infinite loop) because certain bit iteration is mishandled. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity.

Denial Of Service Xen Fedora
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2019-19581 MEDIUM PATCH This Month

An issue was discovered in Xen through 4.12.x allowing 32-bit Arm guest OS users to cause a denial of service (out-of-bounds access) because certain bit iteration is mishandled. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Denial Of Service Buffer Overflow Xen Fedora
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2019-15008 MEDIUM This Month

The /plugins/servlet/branchreview resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Atlassian Crucible Fisheye
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2019-19719 MEDIUM This Month

Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Microsoft Tableau Server
NVD
CVSS 3.1
6.1
EPSS
22.0%
CVE-2019-0395 MEDIUM This Month

SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-4665 MEDIUM This Month

IBM Spectrum Scale 4.2 and 5.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS IBM Spectrum Scale
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2019-14317 MEDIUM PATCH This Month

wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) generate biased DSA nonces. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wolfssl
NVD
CVSS 3.1
5.3
EPSS
1.8%
CVE-2019-18378 MEDIUM This Month

Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Messaging Gateway
NVD
CVSS 3.1
4.8
EPSS
0.7%
CVE-2019-15007 MEDIUM This Month

The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Atlassian Crucible Fisheye
NVD
CVSS 3.1
4.8
EPSS
0.6%
CVE-2019-0402 MEDIUM PATCH This Month

SAP Adaptive Server Enterprise, before versions 15.7 and 16.0, under certain conditions exposes some sensitive information to the admin, leading to Information Disclosure. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Information Disclosure SAP Adaptive Server Enterprise
NVD
CVSS 3.1
4.4
EPSS
0.4%
CVE-2019-15009 MEDIUM This Month

The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Atlassian Information Disclosure Crucible Fisheye
NVD
CVSS 3.1
4.3
EPSS
0.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy