| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2019-6779 | | | CSRF | 2019-01-24 | 2019-01-24 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete friend links. |
| 2 | CVE-2019-6777 | 79 | | XSS | 2019-01-24 | 2019-01-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in web/skins/classic/views/plugin.php via the zm/index.php?view=plugin pl parameter. |
| 3 | CVE-2019-6708 | 94 | | Sql | 2019-01-23 | 2019-01-24 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter. |
| 4 | CVE-2019-6707 | 94 | | Sql | 2019-01-23 | 2019-01-24 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=state product_id[] parameter. |
| 5 | CVE-2019-6691 | | | Sql | 2019-01-23 | 2019-01-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | phpwind 9.0.2.170426 UTF8 allows SQL Injection via the admin.php?m=backup&c=backup&a=doback tabledb[] parameter, related to the "--backup database" option. |
| 6 | CVE-2019-6510 | 352 | | CSRF | 2019-01-22 | 2019-01-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | An issue was discovered in creditease-sec insight through 2018-09-11. user_delete in srcpm/app/admin/views.py allows CSRF. |
| 7 | CVE-2019-6509 | 352 | | CSRF | 2019-01-22 | 2019-01-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | An issue was discovered in creditease-sec insight through 2018-09-11. depart_delete in srcpm/app/admin/views.py allows CSRF. |
| 8 | CVE-2019-6508 | 352 | | CSRF | 2019-01-22 | 2019-01-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | An issue was discovered in creditease-sec insight through 2018-09-11. role_perm_delete in srcpm/app/admin/views.py allows CSRF. |
| 9 | CVE-2019-6507 | 352 | | CSRF | 2019-01-22 | 2019-01-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | An issue was discovered in creditease-sec insight through 2018-09-11. login_user_delete in srcpm/app/admin/views.py allows CSRF. |
| 10 | CVE-2019-6500 | | | Dir. Trav. | 2019-01-21 | 2019-01-21 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | In Axway File Transfer Direct 2.7.1, an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request with %2e instead of '.' characters, as demonstrated by an initial /h2hdocumentation//%2e%2e/ substring. |
| 11 | CVE-2019-6497 | 89 | | Sql | 2019-01-20 | 2019-01-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter. |
| 12 | CVE-2019-6296 | 89 | | Sql | 2019-01-15 | 2019-01-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Cleanto 5.0 has SQL Injection via the assets/lib/export_ajax.php id parameter. |
| 13 | CVE-2019-6295 | 89 | | Sql | 2019-01-15 | 2019-01-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Cleanto 5.0 has SQL Injection via the assets/lib/service_method_ajax.php service_id parameter. |
| 14 | CVE-2019-6294 | 352 | | CSRF | 2019-01-15 | 2019-01-16 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | An issue was discovered in EasyCMS 1.5. There is CSRF via the index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent URI. |
| 15 | CVE-2019-6278 | 79 | | XSS | 2019-01-14 | 2019-01-18 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | XSS exists in JPress v1.0.4 via Markdown input, or Markdown input with the code input option. |
| 16 | CVE-2019-6267 | 79 | | XSS | 2019-01-14 | 2019-01-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The Premium WP Suite Easy Redirect Manager plugin 28.07-17 for WordPress has XSS via a crafted GET request that is mishandled during log viewing at the templates/admin/redirect-log.php URI. |
| 17 | CVE-2019-6264 | 79 | | XSS | 2019-01-16 | 2019-01-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in mod_banners leads to a stored XSS vulnerability. |
| 18 | CVE-2019-6263 | 79 | | XSS | 2019-01-16 | 2019-01-19 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored XSS. |
| 19 | CVE-2019-6262 | 79 | | XSS | 2019-01-16 | 2019-01-18 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration helpurl settings allowed stored XSS. |
| 20 | CVE-2019-6261 | 79 | | XSS | 2019-01-16 | 2019-01-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in com_contact leads to a stored XSS vulnerability. |
| 21 | CVE-2019-6259 | 89 | | Sql | 2019-01-14 | 2019-01-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in idreamsoft iCMS V7.0.13. There is SQL Injection via the app/article/article.admincp.php _data_id parameter. |
| 22 | CVE-2019-6249 | 352 | | CSRF | 2019-01-13 | 2019-01-16 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerability that can add an admin account via /adminsys/index.php?load=admins&act=edit_info&act_type=add. |
| 23 | CVE-2019-6248 | 79 | | XSS | 2019-01-12 | 2019-01-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 has Reflected XSS via the srch parameter, as demonstrated by restaurants-details.php. |
| 24 | CVE-2019-6244 | 352 | | Exec Code CSRF | 2019-01-11 | 2019-01-24 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | An issue was discovered in UsualToolCMS 8.0. cmsadmin/a_sqlbackx.php?t=sql allows CSRF attacks that can execute SQL statements, and consequently execute arbitrary PHP code by writing that code into a .php file. |
| 25 | CVE-2019-6243 | 79 | | XSS | 2019-01-11 | 2019-01-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Frog CMS 0.9.5 allows XSS via the forgot password page (aka the /admin/?/login/forgot URI). |
| 26 | CVE-2019-6127 | 89 | | Exec Code Sql | 2019-01-11 | 2019-01-23 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | An issue was discovered in XiaoCms 20141229. It allows admin/index.php?c=database table[] SQL injection. This can be used for PHP code execution via "INTO OUTFILE" with a .php filename. |
| 27 | CVE-2019-5893 | 89 | | Sql | 2019-01-10 | 2019-01-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/utils/query/data.xml query parameter. |
| 28 | CVE-2019-5887 | 22 | | Dir. Trav. | 2019-01-10 | 2019-01-18 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | An issue was discovered in ShopXO 1.2.0. In the UnlinkDir method of the FileUtil.php file, the input parameters are not checked, resulting in input mishandling by the rmdir method. Attackers can delete arbitrary files by using "../" directory traversal. |
| 29 | CVE-2019-5720 | | | Sql | 2019-01-08 | 2019-01-08 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field that can allow the attacker to grab the entire database of the application via the void_transaction.php filterType parameter. |
| 30 | CVE-2019-5488 | | | Sql | 2019-01-07 | 2019-01-07 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | EARCLINK ESPCMS-P8 has SQL injection in the install_pack/index.php?ac=Member&at=verifyAccount verify_key parameter. install_pack/espcms_public/espcms_db.php may allow retrieving sensitive information from the ESPCMS database. |
| 31 | CVE-2019-5311 | 79 | | XSS | 2019-01-04 | 2019-01-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in YUNUCMS V1.1.8. app/index/controller/Show.php has an XSS vulnerability via the index.php/index/show/index cw parameter. |
| 32 | CVE-2019-5310 | 79 | | XSS | 2019-01-04 | 2019-01-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | YUNUCMS 1.1.8 has XSS in app/admin/controller/System.php because crafted data can be written to the sys.php file, as demonstrated by site_title in an admin/system/basic POST request. |
| 33 | CVE-2019-3580 | | | Dir. Trav. | 2019-01-02 | 2019-01-02 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | OpenRefine through 3.1 allows arbitrary file write because Directory Traversal can occur during the import of a crafted project file. |
| 34 | CVE-2019-3577 | | | Sql | 2019-01-02 | 2019-01-02 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An issue was discovered in Waimai Super Cms 20150505. web/Lib/Action/ProductAction.class.php allows blind SQL Injection via the id[0] parameter to the /product URI. |
| 35 | CVE-2019-3576 | | | Sql | 2019-01-02 | 2019-01-02 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | inxedu through 2018-12-24 has a SQL Injection vulnerability that can lead to information disclosure via the deleteFaveorite/ PATH_INFO. The vulnerable code location is com.inxedu.os.edu.controller.user.UserController#deleteFavorite (aka deleteFavorite in com/inxedu/os/edu/controller/user/UserController.java), where courseFavoritesService.deleteCourseFavoritesById is mishandled during use of MyBatis. NOTE: UserController.java has a spelling variation in an annotation: a @RequestMapping("/deleteFaveorite/{ids}") line followed by a "public ModelAndView deleteFavorite" line. |
| 36 | CVE-2019-3501 | 79 | | XSS | 2019-01-02 | 2019-01-15 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandled on the awards page or in a user profile. |
| 37 | CVE-2019-3494 | 89 | | Sql | 2019-01-01 | 2019-01-16 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | Simply-Blog through 2019-01-01 has SQL Injection via the admin/deleteCategories.php delete parameter. |
| 38 | CVE-2019-1668 | | | Exec Code XSS | 2019-01-24 | 2019-01-24 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A vulnerability in the chat feed feature of Cisco SocialMiner could allow an unauthenticated, remote attacker to perform cross-site scripting (XSS) attacks against a user of the web-based user interface of an affected system. This vulnerability is due to insufficient sanitization of user-supplied input delivered to the chat feed as part of an HTTP request. An attacker could exploit this vulnerability by persuading a user to follow a link to attacker-controlled content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. |
| 39 | CVE-2019-1658 | | | CSRF | 2019-01-24 | 2019-01-24 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections in the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious, customized link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device via a web browser and with the privileges of the user. |
| 40 | CVE-2019-1655 | | | Exec Code XSS | 2019-01-24 | 2019-01-24 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A vulnerability in the web-based management interface of Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. |
| 41 | CVE-2019-1643 | 79 | | Exec Code XSS | 2019-01-23 | 2019-01-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. |
| 42 | CVE-2019-1642 | 79 | | Exec Code XSS | 2019-01-23 | 2019-01-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. |
| 43 | CVE-2019-0646 | 79 | | XSS | 2019-01-17 | 2019-01-22 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team. |
| 44 | CVE-2019-0558 | 79 | | XSS | 2019-01-08 | 2019-01-15 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint, Microsoft Business Productivity Servers. This CVE ID is unique from CVE-2019-0556, CVE-2019-0557. |
| 45 | CVE-2019-0557 | 79 | | XSS | 2019-01-08 | 2019-01-15 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0556, CVE-2019-0558. |
| 46 | CVE-2019-0556 | 79 | | XSS | 2019-01-08 | 2019-01-15 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0557, CVE-2019-0558. |
| 47 | CVE-2019-0245 | 79 | | XSS | 2019-01-08 | 2019-01-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |
| 48 | CVE-2019-0244 | 79 | | XSS | 2019-01-08 | 2019-01-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |
| 49 | CVE-2019-0238 | 79 | | XSS | 2019-01-08 | 2019-01-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | SAP Commerce (previously known as SAP Hybris Commerce), before version 6.7, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |
| 50 | CVE-2019-0027 | 79 | | XSS | 2019-01-15 | 2019-01-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | A persistent cross-site scripting (XSS) vulnerability in the Snort Rules configuration of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3. |