CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 9 and 10)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2019-12735 78 Exec Code 2019-06-05 2019-06-13
9.3
None Remote Medium Not required Complete Complete Complete
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
52 CVE-2019-12725 78 Exec Code 2019-07-19 2019-07-22
10.0
None Remote Low Not required Complete Complete Complete
Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
53 CVE-2019-12618 284 2019-08-12 2019-08-16
10.0
None Remote Low Not required Complete Complete Complete
HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver.
54 CVE-2019-12574 426 Exec Code 2019-07-11 2019-07-16
9.3
None Remote Medium Not required Complete Complete Complete
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v1.0 for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The PIA client is vulnerable to a DLL injection vulnerability during the software update process. The updater loads several libraries from a folder that authenticated users have write access to. A low privileged user can leverage this vulnerability to execute arbitrary code as SYSTEM.
55 CVE-2019-12569 426 Exec Code 2019-06-02 2019-06-03
9.3
None Remote Medium Not required Complete Complete Complete
A vulnerability in Viber before 10.7.0 for Desktop (Windows) could allow an attacker to execute arbitrary commands on a targeted system. This vulnerability is due to unsafe search paths used by the application URI. An attacker could exploit this vulnerability by convincing a targeted user to follow a malicious link. Successful exploitation could cause the application to load libraries from the directory targeted by the URI link. The attacker could use this behavior to execute arbitrary commands on the system with the privileges of the targeted user, if the attacker can place a crafted library in a directory that is accessible to the vulnerable system.
56 CVE-2019-12550 798 2019-06-17 2019-06-19
10.0
None Remote Low Not required Complete Complete Complete
WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded users and passwords that can be used to login via SSH and TELNET.
57 CVE-2019-12549 798 2019-06-17 2019-06-19
10.0
None Remote Low Not required Complete Complete Complete
WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches the embedded private key.
58 CVE-2019-12502 352 CSRF 2019-05-31 2019-05-31
9.3
None Remote Medium Not required Complete Complete Complete
There is a lack of CSRF countermeasures on MOBOTIX S14 MX-V4.2.1.61 cameras, as demonstrated by adding an admin account via the /admin/access URI.
59 CVE-2019-12499 20 2019-05-31 2019-05-31
9.3
None Remote Medium Not required Complete Complete Complete
Firejail before 0.9.60 allows truncation (resizing to length 0) of the firejail binary on the host by running exploit code inside a firejail sandbox and having the sandbox terminated. To succeed, certain conditions need to be fulfilled: The jail (with the exploit code inside) needs to be started as root, and it also needs to be terminated as root from the host (either by stopping it ungracefully (e.g., SIGKILL), or by using the --shutdown control command). This is similar to CVE-2019-5736.
60 CVE-2019-12449 275 2019-05-29 2019-07-07
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable.
61 CVE-2019-12328 77 2019-07-22 2019-07-29
9.0
None Remote Low Single system Complete Complete Complete
A command injection (missing input validation) issue in the remote phonebook configuration URI in the web interface of the Atcom A10W VoIP phone with firmware 2.6.1a2421 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request.
62 CVE-2019-12327 798 2019-07-22 2019-07-29
10.0
None Remote Low Not required Complete Complete Complete
Hardcoded credentials in the Akuvox R50P VoIP phone 50.0.6.156 allow an attacker to get access to the device via telnet. The telnet service is running on port 2323; it cannot be turned off and the credentials cannot be changed.
63 CVE-2019-12326 434 Exec Code 2019-07-22 2019-08-02
10.0
None Remote Low Not required Complete Complete Complete
Missing file and path validation in the ringtone upload function of the Akuvox R50P VoIP phone 50.0.6.156 allows an attacker to upload a manipulated ringtone file, with an executable payload (shell commands within the file) and trigger code execution.
64 CVE-2019-12325 119 Exec Code Overflow 2019-07-22 2019-07-23
9.0
None Remote Low Single system Complete Complete Complete
The Htek UC902 VoIP phone web management interface contains several buffer overflow vulnerabilities in the firmware version 2.0.4.4.46, which allow an attacker to crash the device (DoS) without authentication or execute code (authenticated as a user) to spawn a remote shell as a root user.
65 CVE-2019-12324 77 2019-07-22 2019-08-05
9.0
None Remote Low Single system Complete Complete Complete
A command injection (missing input validation) issue in the IP address field for the logging server in the configuration web interface on the Akuvox R50P VoIP phone with firmware 50.0.6.156 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request.
66 CVE-2019-12301 287 2019-05-23 2019-05-24
10.0
None Remote Low Not required Complete Complete Complete
The Percona Server 5.6.44-85.0-1 packages for Debian and Ubuntu suffered an issue where the server would reset the root password to a blank value upon an upgrade. This was fixed in 5.6.44-85.0-2.
67 CVE-2019-12289 287 Exec Code 2019-05-23 2019-05-28
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in upgrade_firmware.cgi on VStarcam 100T (C7824WIP) CH-sys-48.53.75.119~123 and 200V (C38S) CH-sys-48.53.203.119~123 devices. A remote command can be executed through a system firmware update without authentication. The attacker can modify the files within the internal firmware or even steal account information by executing a command.
68 CVE-2019-12185 77 Exec Code 2019-05-19 2019-05-20
9.0
None Remote Low Single system Complete Complete Complete
eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.
69 CVE-2019-12177 426 2019-06-03 2019-06-04
9.3
None Remote Medium Not required Complete Complete Complete
Privilege escalation due to insecure directory permissions affecting ViveportDesktopService in HTC VIVEPORT before 1.0.0.36 allows local attackers to escalate privileges via DLL hijacking.
70 CVE-2019-12170 434 Exec Code 2019-05-17 2019-08-05
9.0
None Remote Low Single system Complete Complete Complete
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.
71 CVE-2019-12168 77 Exec Code 2019-05-17 2019-05-21
9.0
None Remote Low Single system Complete Complete Complete
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
72 CVE-2019-12104 77 2019-08-14 2019-08-19
9.0
None Remote Low Single system Complete Complete Complete
The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by several post-authentication command injection vulnerabilities.
73 CVE-2019-12103 77 2019-08-14 2019-08-19
10.0
None Remote Low Not required Complete Complete Complete
The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by a pre-authentication command injection vulnerability.
74 CVE-2019-12099 264 Exec Code 2019-05-14 2019-05-16
9.0
None Remote Low Single system Complete Complete Complete
In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.
75 CVE-2019-12042 264 2019-05-23 2019-05-28
10.0
None Remote Low Not required Complete Complete Complete
Insecure permissions of the section object Global\PandaDevicesAgentSharedMemory and the event Global\PandaDevicesAgentSharedMemoryChange in Panda products before 18.07.03 allow attackers to queue an event (as an encrypted JSON string) to the system service AgentSvc.exe, which leads to privilege escalation when the CmdLineExecute event is queued. This affects Panda Antivirus, Panda Antivirus Pro, Panda Dome, Panda Global Protection, Panda Gold Protection, and Panda Internet Security.
76 CVE-2019-11991 200 +Info 2019-07-09 2019-07-16
9.7
None Remote Low Not required Partial Complete Complete
HPE has identified a vulnerability in HPE 3PAR Service Processor (SP) version 4.1 through 4.4. HPE 3PAR Service Processor (SP) version 4.1 through 4.4 has a remote information disclosure vulnerability which can allow for the disruption of the confidentiality, integrity and availability of the Service Processor and any managed 3PAR arrays.
77 CVE-2019-11990 284 2019-07-19 2019-07-24
9.0
None Remote Low Single system Complete Complete Complete
Security vulnerabilities in HPE UIoT versions 1.6, 1.5, 1.4.2, 1.4.1, 1.4.0, and 1.2.4.2 could allow unauthorized remote access and access to sensitive data. HPE has addressed this issue in HPE UIoT: * For customers with release UIoT 1.6, fixes are made available with 1.6 RP603 * For customers with release UIoT 1.5, fixes are made available with 1.5 RP503 HF3 * For customers with release older than 1.5, such as 1.4.0, 1.4.1, 1.4.2 and 1.2.4.2, the resolution will be to upgrade to 1.5 RP503 HF3 or 1.6 RP603 Customers are requested to upgrade to the updated versions or contact HPE support for further assistance.
78 CVE-2019-11986 77 Exec Code 2019-06-05 2019-06-06
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
79 CVE-2019-11985 77 Exec Code 2019-06-05 2019-06-06
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
80 CVE-2019-11984 89 Exec Code Sql 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
81 CVE-2019-11980 20 2019-06-05 2019-06-06
9.0
None Remote Low Single system Complete Complete Complete
A remote code exection vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
82 CVE-2019-11979 89 Exec Code Sql 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
83 CVE-2019-11978 89 Exec Code Sql 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
84 CVE-2019-11977 89 Exec Code Sql 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
85 CVE-2019-11976 89 Exec Code Sql 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
86 CVE-2019-11975 89 Exec Code Sql 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
87 CVE-2019-11974 89 Exec Code Sql 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
88 CVE-2019-11973 89 Exec Code Sql 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
89 CVE-2019-11972 89 Exec Code Sql 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
90 CVE-2019-11971 89 Exec Code Sql 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
91 CVE-2019-11970 89 Exec Code Sql 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
92 CVE-2019-11969 74 Exec Code 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
93 CVE-2019-11968 20 Exec Code 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
94 CVE-2019-11967 20 Exec Code 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
95 CVE-2019-11966 264 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A remote privilege escalation vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
96 CVE-2019-11965 74 Exec Code 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
97 CVE-2019-11964 74 Exec Code 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
98 CVE-2019-11963 74 Exec Code 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
99 CVE-2019-11962 74 Exec Code 2019-06-05 2019-06-06
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
100 CVE-2019-11961 74 Exec Code 2019-06-05 2019-06-06
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.