| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
5601 |
CVE-2019-4058 |
254 |
|
|
2019-05-20 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM BigFix Platform 9.2 and 9.5 could allow a low-privilege user to manipulate the UI into exposing interface elements and information normally restricted to administrators. IBM X-Force ID: 156570. |
|
5602 |
CVE-2019-4057 |
264 |
|
Exec Code |
2019-07-01 |
2019-10-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow malicious user with access to the DB2 instance account to leverage a fenced execution process to execute arbitrary code as root. IBM X-Force ID: 156567. |
|
5603 |
CVE-2019-4056 |
434 |
|
|
2019-06-05 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Maximo Asset Management 7.6 Work Centers' application does not validate file type upon upload, allowing attackers to upload malicious files. IBM X-Force ID: 156565. |
|
5604 |
CVE-2019-4055 |
20 |
|
DoS |
2019-04-19 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM MQ 8.0.0.0 through 8.0.0.10, 9.0.0.0 through 9.0.0.5, and 9.1.0.0 through 9.1.1 is vulnerable to a denial of service attack within the TLS key renegotiation function. IBM X-Force ID: 156564. |
|
5605 |
CVE-2019-4052 |
200 |
|
+Info |
2019-03-22 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM API Connect 2018.1 and 2018.4.1.2 apis can be leveraged by unauthenticated users to discover login ids of registered users. IBM X-Force ID: 156544. |
|
5606 |
CVE-2019-4051 |
200 |
|
+Info |
2019-04-08 |
2019-04-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Some URIs in IBM API Connect 2018.1 and 2018.4.1.3 disclose system specification information like the machine id, system uuid, filesystem paths, network interface names along with their mac addresses. An attacker can use this information in targeted attacks. IBM X-Force ID: 156542. |
|
5607 |
CVE-2019-4047 |
200 |
|
+Info |
2019-04-29 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Jazz Reporting Service (JRS) 6.0.6 could allow an authenticated user to access the execution log files as a guest user, and obtain the information of the server execution. IBM X-Force ID: 156243. |
|
5608 |
CVE-2019-4046 |
400 |
|
DoS |
2019-03-25 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers. A remote attacker could exploit this vulnerability to cause the consumption of Memory. IBM X-Force ID: 156242. |
|
5609 |
CVE-2019-4045 |
20 |
|
|
2019-04-08 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Business Automation Workflow and IBM Business Process Manager 18.0.0.0, 18.0.0.1, and 18.0.0.2 provide embedded document management features. Because of a missing restriction in an API, a client might spoof the last modified by value of a document. IBM X-Force ID: 156241. |
|
5610 |
CVE-2019-4043 |
611 |
|
|
2019-04-02 |
2019-10-09 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 156239. |
|
5611 |
CVE-2019-4040 |
79 |
|
XSS |
2019-01-31 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM I 7.2 and 7.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 156164. |
|
5612 |
CVE-2019-4038 |
264 |
|
Bypass |
2019-02-04 |
2019-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM Security Identity Manager 6.0 and 7.0 could allow an attacker to create unexpected control flow paths through the application, potentially bypassing security checks. Exploitation of this weakness can result in a limited form of code injection. IBM X-Force ID: 156162. |
|
5613 |
CVE-2019-4035 |
20 |
|
|
2019-03-22 |
2019-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
IBM Content Navigator 3.0CD could allow attackers to direct web traffic to a malicious site. If attackers make a fake IBM Content Navigator site, they can send a link to ICN users to send request to their Edit client directly. Then Edit client will download documents from the fake ICN website. IBM X-Force ID: 156001. |
|
5614 |
CVE-2019-4034 |
20 |
|
Exec Code |
2019-03-14 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM Content Navigator 3.0CD is could allow an attacker to execute arbitrary code on a user's workstation. When editing an executable file in ICN with Edit service, it will be executed on the user's workstation. IBM X-Force ID: 156000. |
|
5615 |
CVE-2019-4032 |
89 |
|
Sql |
2019-03-05 |
2019-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-ForceID: 155998. |
|
5616 |
CVE-2019-4016 |
119 |
|
Exec Code Overflow |
2019-03-11 |
2019-10-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. IBM X-ForceID: 155894. |
|
5617 |
CVE-2019-4015 |
119 |
|
Exec Code Overflow |
2019-03-11 |
2019-10-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. IBM X-ForceID: 155893. |
|
5618 |
CVE-2019-4014 |
119 |
|
Exec Code Overflow |
2019-04-03 |
2019-10-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. IBM X-Force ID: 155892. |
|
5619 |
CVE-2019-4013 |
434 |
|
Exec Code |
2019-04-10 |
2019-10-07 |
9.0 |
None |
Remote |
Low |
Single system |
Complete |
Complete |
Complete |
|
IBM BigFix Platform 9.5 could allow any authenticated user to upload any file to any location on the server with root privileges. This results in code execution on underlying system with root privileges. IBM X-Force ID: 155887. |
|
5620 |
CVE-2019-4012 |
89 |
|
Sql |
2019-04-15 |
2019-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM BigFix WebUI Profile Management 6 and Software Distribution 23 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 155886. |
|
5621 |
CVE-2019-4008 |
532 |
|
|
2019-02-07 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
API Connect V2018.1 through 2018.4.1.1 is impacted by access token leak. Authorization tokens in some URLs can result in the tokens being written to log files. IBM X-Force ID: 155626. |
|
5622 |
CVE-2019-3975 |
120 |
|
Exec Code Overflow |
2019-09-10 |
2019-09-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.1 allows a remote, unauthenticated attacker to execute arbitrary code via a crafted IOCTL 70603 RPC message. |
|
5623 |
CVE-2019-3974 |
284 |
|
DoS |
2019-08-15 |
2019-08-27 |
8.5 |
None |
Remote |
Low |
Single system |
None |
Complete |
Complete |
|
Nessus 8.5.2 and earlier on Windows platforms were found to contain an issue where certain system files could be overwritten arbitrarily, potentially creating a denial of service condition. |
|
5624 |
CVE-2019-3973 |
787 |
|
DoS |
2019-07-17 |
2019-07-23 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Comodo Antivirus versions 11.0.0.6582 and below are vulnerable to Denial of Service affecting CmdGuard.sys via its filter port "cmdServicePort". A low privileged process can crash CmdVirth.exe to decrease the port's connection count followed by process hollowing a CmdVirth.exe instance with malicious code to obtain a handle to "cmdServicePort". Once this occurs, a specially crafted message can be sent to "cmdServicePort" using "FilterSendMessage" API. This can trigger an out-of-bounds write if lpOutBuffer parameter in FilterSendMessage API is near the end of specified buffer bounds. The crash occurs when the driver performs a memset operation which uses a size beyond the size of buffer specified, causing kernel crash. |
|
5625 |
CVE-2019-3969 |
264 |
|
Bypass |
2019-07-17 |
2019-07-23 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Comodo Antivirus versions up to 12.0.0.6810 are vulnerable to Local Privilege Escalation due to CmdAgent's handling of COM clients. A local process can bypass the signature check enforced by CmdAgent via process hollowing which can then allow the process to invoke sensitive COM methods in CmdAgent such as writing to the registry with SYSTEM privileges. |
|
5626 |
CVE-2019-3968 |
77 |
|
Exec Code |
2019-08-20 |
2019-08-27 |
9.0 |
None |
Remote |
Low |
Single system |
Complete |
Complete |
Complete |
|
In OpenEMR 5.0.1 and earlier, an authenticated attacker can execute arbitrary commands on the host system via the Scanned Forms interface when creating a new form. |
|
5627 |
CVE-2019-3967 |
22 |
|
Dir. Trav. |
2019-08-20 |
2019-08-27 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
In OpenEMR 5.0.1 and earlier, the patient file download interface contains a directory traversal flaw that allows authenticated attackers to download arbitrary files from the host system. |
|
5628 |
CVE-2019-3966 |
79 |
|
Exec Code XSS |
2019-08-20 |
2019-08-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the foreign_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session. |
|
5629 |
CVE-2019-3965 |
79 |
|
Exec Code XSS |
2019-08-20 |
2019-08-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the document_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session. |
|
5630 |
CVE-2019-3964 |
79 |
|
Exec Code XSS |
2019-08-20 |
2019-08-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the doc_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session. |
|
5631 |
CVE-2019-3963 |
79 |
|
Exec Code XSS |
2019-08-20 |
2019-08-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the patient_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session. |
|
5632 |
CVE-2019-3962 |
74 |
|
|
2019-07-01 |
2019-07-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Content Injection vulnerability in Tenable Nessus prior to 8.5.0 may allow an authenticated, local attacker to exploit this vulnerability by convincing another targeted Nessus user to view a malicious URL and use Nessus to send fraudulent messages. Successful exploitation could allow the authenticated adversary to inject arbitrary text into the feed status, which will remain saved post session expiration. |
|
5633 |
CVE-2019-3961 |
79 |
|
Exec Code XSS |
2019-06-25 |
2019-06-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Nessus versions 8.4.0 and earlier were found to contain a reflected XSS vulnerability due to improper validation of user-supplied input. An unauthenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a users browser session. |
|
5634 |
CVE-2019-3960 |
434 |
|
Exec Code |
2019-07-31 |
2019-08-06 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Unrestricted upload of file with dangerous type in WallacePOS 1.4.3 allows a remote, authenticated attacker to execute arbitrary code by uploading a malicious PHP file. |
|
5635 |
CVE-2019-3959 |
352 |
|
CSRF |
2019-07-31 |
2019-08-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery in WallacePOS 1.4.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. |
|
5636 |
CVE-2019-3957 |
125 |
|
+Info |
2019-06-07 |
2019-06-09 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
Dameware Remote Mini Control version 12.1.0.34 and prior contains an unauthenticated remote buffer over-read due to the server not properly validating RsaSignatureLen during key negotiation, which could crash the application or leak sensitive information. |
|
5637 |
CVE-2019-3956 |
125 |
|
+Info |
2019-06-07 |
2019-06-09 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
Dameware Remote Mini Control version 12.1.0.34 and prior contains an unauthenticated remote buffer over-read due to the server not properly validating CltDHPubKeyLen during key negotiation, which could crash the application or leak sensitive information. |
|
5638 |
CVE-2019-3955 |
119 |
|
DoS Overflow |
2019-06-07 |
2019-06-11 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Dameware Remote Mini Control version 12.1.0.34 and prior contains a unauthenticated remote heap overflow due to the server not properly validating RsaPubKeyLen during key negotiation. An unauthenticated remote attacker can cause a heap buffer overflow by specifying a large RsaPubKeyLen, which could cause a denial of service. |
|
5639 |
CVE-2019-3954 |
119 |
|
Exec Code Overflow |
2019-06-18 |
2019-06-19 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call. |
|
5640 |
CVE-2019-3953 |
119 |
|
Exec Code Overflow |
2019-06-18 |
2019-06-19 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 10012 RPC call. |
|
5641 |
CVE-2019-3950 |
798 |
|
|
2019-07-09 |
2019-07-11 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded username and password combination that allows root access to the device when an onboard serial interface is connected to. |
|
5642 |
CVE-2019-3949 |
16 |
|
Exec Code |
2019-07-09 |
2019-07-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Arlo Basestation firmware 1.12.0.1_27940 and prior firmware contain a networking misconfiguration that allows access to restricted network interfaces. This could allow an attacker to upload or download arbitrary files and possibly execute malicious code on the device. |
|
5643 |
CVE-2019-3948 |
287 |
|
|
2019-07-29 |
2019-08-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000.9.R, Dahua IPC HX5X3X and HX4X3X V2.800.0000008.0.R, Dahua DH-IPC HX883X and DH-IPC-HX863X V2.622.0000000.7.R, Dahua DH-SD4XXXXX V2.623.0000000.7.R, Dahua DH-SD5XXXXX V2.623.0000000.1.R, Dahua DH-SD6XXXXX V2.640.0000000.2.R and V2.623.0000000.1.R, Dahua NVR5XX-4KS2 V3.216.0000006.0.R, Dahua NVR4XXX-4KS2 V3.216.0000006.0.R, and NVR2XXX-4KS2 do not require authentication to access the HTTP endpoint /videotalk. An unauthenticated, remote person can connect to this endpoint and potentionally listen to the audio of the capturing device. |
|
5644 |
CVE-2019-3947 |
255 |
|
|
2019-06-12 |
2019-06-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Fuji Electric V-Server before 6.0.33.0 stores database credentials in project files as plaintext. An attacker that can gain access to the project file can recover the database credentials and gain access to the database server. |
|
5645 |
CVE-2019-3946 |
190 |
|
DoS Overflow |
2019-06-12 |
2019-06-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Fuji Electric V-Server before 6.0.33.0 is vulnerable to denial of service via a crafted UDP message sent to port 8005. An unauthenticated, remote attacker can crash vserver.exe due to an integer overflow in the UDP message handling logic. |
|
5646 |
CVE-2019-3943 |
22 |
|
Dir. Trav. |
2019-04-10 |
2019-10-09 |
7.5 |
None |
Remote |
Low |
Single system |
Complete |
Partial |
None |
|
MikroTik RouterOS versions Stable 6.43.12 and below, Long-term 6.42.12 and below, and Testing 6.44beta75 and below are vulnerable to an authenticated, remote directory traversal via the HTTP or Winbox interfaces. An authenticated, remote attack can use this vulnerability to read and write files outside of the sandbox directory (/rw/disk). |
|
5647 |
CVE-2019-3941 |
284 |
|
|
2019-04-09 |
2019-05-06 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
Advantech WebAccess 8.3.4 allows unauthenticated, remote attackers to delete arbitrary files via IOCTL 10005 RPC. |
|
5648 |
CVE-2019-3940 |
434 |
|
Exec Code |
2019-04-09 |
2019-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Advantech WebAccess 8.3.4 is vulnerable to file upload attacks via unauthenticated RPC call. An unauthenticated, remote attacker can use this vulnerability to execute arbitrary code. |
|
5649 |
CVE-2019-3939 |
798 |
|
+Priv |
2019-04-30 |
2019-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 use default credentials admin/admin and moderator/moderator for the web interface. An unauthenticated, remote attacker can use these credentials to gain privileged access to the device. |
|
5650 |
CVE-2019-3936 |
20 |
|
DoS |
2019-04-30 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 is vulnerable to denial of service via a crafted request to TCP port 389. The request will force the slideshow to transition into a "stopped" state. A remote, unauthenticated attacker can use this vulnerability to stop an active slideshow. |
