| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score (CVSS v2) | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2019-1020019 | 79 | | XSS | 2019-07-29 | 2019-07-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | invenio-previewer before 1.0.0a12 allows XSS. |
| 2 | CVE-2019-1020018 | 287 | | | 2019-07-29 | 2022-04-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via an email link. |
| 3 | CVE-2019-1020017 | | | | 2019-07-29 | 2023-03-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP. |
| 4 | CVE-2019-1020016 | 601 | | | 2019-07-29 | 2019-08-01 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | ASH-AIO before 2.0.0.3 allows an open redirect. |
| 5 | CVE-2019-1020015 | 20 | | | 2019-07-29 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | None | Partial | None | graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT. |
| 6 | CVE-2019-1020014 | 415 | | | 2019-07-29 | 2022-10-06 | 2.1 | None | Local | Low | Not required | Partial | None | None | docker-credential-helpers before 0.6.3 has a double free in the List functions. |
| 7 | CVE-2019-1020013 | 209 | | | 2019-07-29 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | parse-server before 3.6.0 allows account enumeration. |
| 8 | CVE-2019-1020012 | 444 | | | 2019-07-29 | 2019-08-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | parse-server before 3.4.1 allows DoS after any POST to a volatile class. |
| 9 | CVE-2019-1020011 | 669 | | | 2019-07-29 | 2022-04-18 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | SmokeDetector intentionally does automatic deployments of updated copies of SmokeDetector without server operator authority. |
| 10 | CVE-2019-1020010 | 79 | | XSS | 2019-07-29 | 2019-09-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Misskey before 10.102.4 allows hijacking a user's token. |
| 11 | CVE-2019-1020009 | 522 | | | 2019-07-29 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Fleet before 2.1.2 allows exposure of SMTP credentials. |
| 12 | CVE-2019-1020008 | 79 | | XSS | 2019-07-29 | 2019-07-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | stacktable.js before 1.0.4 allows XSS. |
| 13 | CVE-2019-1020007 | 79 | | XSS | 2019-07-29 | 2020-02-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Dependency-Track before 3.5.1 allows XSS. |
| 14 | CVE-2019-1020006 | 74 | | | 2019-07-29 | 2019-08-01 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | invenio-app before 1.1.1 allows host header injection. |
| 15 | CVE-2019-1020005 | 79 | | XSS | 2019-07-29 | 2019-08-01 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | invenio-communities before 1.0.0a20 allows XSS. |
| 16 | CVE-2019-1020004 | 320 | | | 2019-07-29 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Tridactyl before 1.16.0 allows fake key events. |
| 17 | CVE-2019-1020003 | 79 | | XSS | 2019-07-29 | 2019-08-01 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | invenio-records before 1.2.2 allows XSS. |
| 18 | CVE-2019-1020002 | 203 | | | 2019-07-29 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Pterodactyl before 0.7.14 with 2FA allows credential sniffing. |
| 19 | CVE-2019-1020001 | 21 | | | 2019-07-29 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | yard before 0.9.20 allows path traversal. |
| 20 | CVE-2019-1010319 | 908 | | | 2019-07-11 | 2021-02-09 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseWave64HeaderConfig (wave64.c:211). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe. |
| 21 | CVE-2019-1010318 | | | | 2019-07-11 | 2019-07-11 | 0.0 | None | n/a | n/a | n/a | n/a | n/a | n/a | WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: WavpackSetConfiguration64 (pack_utils.c:198). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4. |
| 22 | CVE-2019-1010317 | 908 | | | 2019-07-11 | 2022-10-06 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b. |
| 23 | CVE-2019-1010316 | 284 | | | 2019-07-11 | 2019-07-14 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. The impact is: False locking impression when run in a non-X11 session. The fixed version is: 0.4. |
| 24 | CVE-2019-1010315 | 369 | | | 2019-07-11 | 2022-10-07 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | WavPack 5.1 and earlier is affected by: CWE-369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc. |
| 25 | CVE-2019-1010314 | 79 | | XSS | 2019-07-11 | 2019-07-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in the victim's browser when the vulnerable repo page is loaded. The component is: repository's description. The attack vector is: the victim must navigate to the public and affected repo page. |
| 26 | CVE-2019-1010312 | | | DoS | 2019-07-12 | 2019-07-12 | 0.0 | None | n/a | n/a | n/a | n/a | n/a | n/a | Tildeslash Monit Version 5.25.2 and earlier is affected by: Buffer Over-read. The impact is: Disclosure of memory contents in an HTTP response, and Denial of Service. The component is: In function Util_urlDecode() on lines 1553-1563 in Monit/src/util.c, a crafted POST parameter can cause the buffer index to increment to a value greater than the length of the buffer. The attack vector is: An authenticated remote attacker can exploit the vulnerability by sending an HTTP POST request that contains a maliciously crafted body parameter. The fixed version is: Version 5.25.3 and later. |
| 27 | CVE-2019-1010311 | | | XSS | 2019-07-12 | 2019-07-12 | 0.0 | None | n/a | n/a | n/a | n/a | n/a | n/a | Tildeslash Monit Version 5.25.2 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Execute JavaScript in a victim's browser; disable all monitoring for a particular host or service. The component is: In function do_viewlog() on line 910 in Monit/src/http/cervlet.c, an attacker-controlled log file is copied into an HTTP response without any HTML escaping. The attack vector is: An authenticated remote attacker can exploit the vulnerability over a network. The fixed version is: Version 5.25.3 and later. |
| 28 | CVE-2019-1010310 | 74 | | | 2019-07-12 | 2020-08-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | GLPI GLPI Product 9.3.1 is affected by: Frame and Form tag Injection, allowing admins to phish users by putting code in a reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description: set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form in the description; the user fills it in and clicks submit, and the request is sent to the attacker's domain, saving the data. The fixed version is: 9.4.1. |
| 29 | CVE-2019-1010309 | | | Exec Code Dir. Trav. | 2019-07-12 | 2019-07-12 | 0.0 | None | n/a | n/a | n/a | n/a | n/a | n/a | pacman prior to version 5.1.3 is affected by: Directory Traversal. The impact is: arbitrary file placement potentially leading to arbitrary root code execution. The component is: installing a remote package via a specified URL (`pacman -U <url>`). The problem was located in function curl_download_internal in lib/libalpm/dload.c line 535. The attack vector is: the victim must install a remote package via a specified URL from a malicious server (or a network MitM if downloading over HTTP). The fixed version is: 5.1.3 via commit 9702703633bec2c007730006de2aeec8587dfc84. |
| 30 | CVE-2019-1010308 | 522 | | | 2019-07-15 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Aquaverde GmbH Aquarius CMS prior to version 4.1.1 is affected by: Incorrect Access Control. The impact is: Access to the log file is not restricted. It contains sensitive information like passwords etc. The component is: log file. The attack vector is: open the file. |
| 31 | CVE-2019-1010307 | 79 | | XSS | 2019-07-15 | 2019-07-18 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (XSS). The impact is: All dropdown values are vulnerable to XSS, leading to privilege escalation and executing JS as the admin. The component is: /glpi/ajax/getDropDownValue.php. The attack vector is: (1) a user creates a ticket, (2) an admin opens another ticket and clicks on the "Link Tickets" feature, (3) a request to the endpoint fetches the JS and executes it. |
| 32 | CVE-2019-1010306 | 502 | | Exec Code | 2019-07-15 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Slanger 0.6.0 is affected by: Remote Code Execution (RCE). The impact is: A remote attacker can execute arbitrary commands by sending a crafted request to the server. The component is: Message handler & request validator. The attack vector is: Remote unauthenticated. The fixed version is: after commit 5267b455caeb2e055cccf0d2b6a22727c111f5c3. |
| 33 | CVE-2019-1010305 | 119 | | Overflow | 2019-07-15 | 2021-11-30 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component is: function chmd_read_headers() in libmspack (file libmspack/mspack/chmd.c). The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. |
| 34 | CVE-2019-1010304 | 862 | | | 2019-07-15 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Saleor (issue introduced by merge commit e1b01bad0703afd08d297ed3f1f472248312cc9c, released as part of the 2.0.0 release) is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: An unauthenticated user can access the GraphQL API (which is by default publicly exposed under the `/graphql/` URL) and fetch product data which may include the shop's admin-restricted revenue data. The fixed version is: 2.3.1. |
| 35 | CVE-2019-1010302 | 119 | | DoS Overflow | 2019-07-15 | 2023-02-28 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | jhead 3.03 is affected by: Incorrect Access Control. The impact is: Denial of service. The component is: iptc.c Line 122 show_IPTC(). The attack vector is: the victim must open a specially crafted JPEG file. |
| 36 | CVE-2019-1010301 | 787 | | DoS Overflow | 2019-07-15 | 2022-04-26 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of service. The component is: gpsinfo.c Line 151 ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file. |
| 37 | CVE-2019-1010300 | 119 | | Overflow | 2019-07-15 | 2019-07-22 | 5.0 | None | Remote | Low | Not required | None | None | Partial | mz-automation libiec61850 1.3.0, 1.3.1 and 1.3.2 is affected by: Buffer Overflow. The impact is: Software crash. The component is: server_example_complex_array. The attack vector is: Send a specific MMS protocol packet. |
| 38 | CVE-2019-1010299 | 908 | | | 2019-07-15 | 2020-09-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to a string or to a log file. The component is: Debug trait implementation for std::collections::vec_deque::Iter. The attack vector is: The program needs to invoke debug printing for an iterator over an empty VecDeque. The fixed version is: 1.30.0, nightly versions after commit b85e4cc8fadaabd41da5b9645c08c68b8f89908d. |
| 39 | CVE-2019-1010298 | 119 | | Exec Code Overflow | 2019-07-15 | 2021-07-21 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Code execution in the context of TEE core (kernel). The component is: optee_os. The fixed version is: 3.4.0 and later. |
| 40 | CVE-2019-1010297 | 119 | | Exec Code Overflow | 2019-07-15 | 2021-07-21 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Execution of code in TEE core (kernel) context. The component is: optee_os. The fixed version is: 3.4.0 and later. |
| 41 | CVE-2019-1010296 | 119 | | Exec Code Overflow | 2019-07-15 | 2021-07-21 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Code execution in context of TEE core (kernel). The component is: optee_os. The fixed version is: 3.4.0 and later. |
| 42 | CVE-2019-1010295 | 119 | | Overflow Mem. Corr. | 2019-07-15 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Memory corruption and disclosure of memory content. The component is: optee_os. The fixed version is: 3.4.0 and later. |
| 43 | CVE-2019-1010294 | 189 | | | 2019-07-15 | 2019-07-16 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Rounding error. The impact is: Potentially leaking code and/or data from a previous Trusted Application. The component is: optee_os. The fixed version is: 3.4.0 and later. |
| 44 | CVE-2019-1010293 | 787 | | Mem. Corr. | 2019-07-15 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Boundary crossing. The impact is: Memory corruption of the TEE itself. The component is: optee_os. The fixed version is: 3.4.0 and later. |
| 45 | CVE-2019-1010292 | 119 | | Overflow Mem. Corr. | 2019-07-16 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Linaro/OP-TEE OP-TEE prior to version v3.4.0 is affected by: Missing boundary checks. The impact is: This could lead to corruption of any memory which the TA can access. The component is: optee_os. The fixed version is: v3.4.0. |
| 46 | CVE-2019-1010290 | 601 | | | 2019-07-16 | 2019-07-19 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Babel: Multilingual site Babel (all versions) is affected by: Open Redirection. The impact is: Redirection to any URL which is supplied to redirect.php in a "newurl" parameter. The component is: redirect.php. The attack vector is: The victim must open a link created by an attacker. The attacker may use any legitimate site using Babel to redirect the user to a URL of his/her choosing. |
| 47 | CVE-2019-1010287 | 79 | | Exec Code XSS | 2019-07-17 | 2019-07-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via a "redirect" parameter. The component is: Web login form: login.php, lines 40 and 54. The attack vector is: reflected XSS; the victim must click the malicious URL. |
| 48 | CVE-2019-1010283 | 200 | | +Info | 2019-07-17 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure. The impact is: Loss of Confidentiality. The component is: function data_on_connection() in src/callback.c. The attack vector is: network connectivity. The fixed version is: 12.0.1-4 and later. |
| 49 | CVE-2019-1010279 | 347 | | DoS Bypass | 2019-07-18 | 2019-08-01 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade signature detection with a specially formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suricata/pull/3625/commits/d8634daf74c882356659addb65fb142b738a186b). The attack vector is: An attacker can trigger the vulnerability with a specifically crafted TCP session. The fixed version is: 4.1.3. |
| 50 | CVE-2019-1010275 | 295 | | | 2019-07-17 | 2019-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | helm before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were allowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2. |
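Entry 5 (CVE-2019-1020015) says only that Hasura "mishandles the audience check while verifying JWT". The following is an added example from the editor, not Hasura's verifier and not its fix: a standard-library-only HS256 verifier that checks the signature first, then expiry, then the `aud` claim as RFC 7519 defines it (a string or an array of strings, and the verifier's own identifier must be among them). The key, the audience name `graphql-engine` and the sample tokens are all constructed here for the example.

```python
"""Audience ("aud") validation for HS256 JSON Web Tokens.

Editor's example for CVE-2019-1020015, standard library only. It is not
Hasura's code and makes no claim about how graphql-engine was fixed."""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Create an HS256 JWT; used only to build the constructed inputs below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Return the claims of a valid token, else raise TokenError.

    Order matters: the signature is checked before any claim is trusted,
    then expiry, then the audience. A token issued for another service
    (different "aud") is rejected even though its signature is valid."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError as exc:
        raise TokenError("malformed token") from exc

    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # the token never picks the algorithm

    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")

    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise TokenError("expired")

    # RFC 7519 section 4.1.3: "aud" is a string or an array of strings, and
    # the verifier accepts only if its own identifier is among them. A
    # missing claim is a failure, not a pass; that is the case an audience
    # check is easiest to get wrong.
    aud = claims.get("aud")
    if aud is None:
        raise TokenError("no aud claim")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or not all(isinstance(a, str) for a in audiences):
        raise TokenError("aud has wrong type")
    if expected_aud not in audiences:
        raise TokenError("token issued for a different audience")
    return claims


# Constructed sample inputs (not real keys or tokens).
KEY = b"constructed-shared-secret"
GOOD = mint_token({"sub": "alice", "aud": "graphql-engine", "exp": 4_000_000_000}, KEY)
OTHER_SERVICE = mint_token({"sub": "alice", "aud": "billing", "exp": 4_000_000_000}, KEY)
MULTI_AUD = mint_token({"sub": "alice", "aud": ["billing", "graphql-engine"]}, KEY)
NO_AUD = mint_token({"sub": "alice"}, KEY)


def check(token: str) -> str:
    """Summarise the verification outcome for one token."""
    try:
        return "accepted:" + verify_token(token, KEY, "graphql-engine")["sub"]
    except TokenError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("other service", OTHER_SERVICE),
                      ("multi aud", MULTI_AUD), ("no aud", NO_AUD)]:
        print(f"{name:14} {check(tok)}")
```

The token for `billing` carries a valid signature from the same shared key; only the audience check separates it from a token that was actually issued for this service, which is why a verifier that skips or loosens that check accepts any token the issuer ever signed.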
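Entry 26 (CVE-2019-1010312) describes a percent-decoder whose index runs past the end of the buffer when a crafted body parameter ends in a truncated escape. The following is an added example from the editor, not Monit's `Util_urlDecode()` and not its fix: a decoder written in the shape of that bug beside one with the bounds check, plus a small harness that feeds every prefix of an input to each decoder. Monit's decoder is C, where reading past the buffer returns adjacent memory; here Python's `IndexError` stands in for that over-read. The sample body is constructed.

```python
"""Percent-decoding with and without a bounds check on the escape sequence.

Editor's example for the CVE-2019-1010312 bug class; not Monit's code."""

HEXDIGITS = "0123456789abcdefABCDEF"


def url_decode_naive(encoded: str) -> str:
    """Decoder in the shape of the bug: on '%' it consumes two more
    characters without checking that two characters remain. In C this
    reads past the buffer; in Python it raises IndexError."""
    out = []
    i = 0
    while i < len(encoded):
        ch = encoded[i]
        if ch == "+":
            out.append(" ")
            i += 1
        elif ch == "%":
            out.append(chr(int(encoded[i + 1] + encoded[i + 2], 16)))  # may index past the end
            i += 3
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def url_decode_safe(encoded: str) -> str:
    """Same decoder with the check: a '%' must be followed by exactly two
    hex digits that lie inside the buffer, otherwise the input is rejected
    instead of being read past its end or silently mangled."""
    out = []
    i = 0
    n = len(encoded)
    while i < n:
        ch = encoded[i]
        if ch == "+":
            out.append(" ")
            i += 1
        elif ch == "%":
            if i + 2 >= n:  # fewer than two characters follow the '%'
                raise ValueError(f"truncated escape at offset {i}")
            hi, lo = encoded[i + 1], encoded[i + 2]
            if hi not in HEXDIGITS or lo not in HEXDIGITS:
                raise ValueError(f"bad escape %{hi}{lo} at offset {i}")
            out.append(chr(int(hi + lo, 16)))
            i += 3
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def truncation_outcomes(decoder, encoded: str) -> dict:
    """Feed every prefix of `encoded` to `decoder` and record which
    exception class (if any) each prefix produces. A decoder that is safe
    against truncated input raises only ValueError, never IndexError."""
    outcomes = {}
    for cut in range(len(encoded) + 1):
        prefix = encoded[:cut]
        try:
            decoder(prefix)
            outcomes[prefix] = None
        except (ValueError, IndexError) as exc:
            outcomes[prefix] = type(exc).__name__
    return outcomes


# Constructed POST body; the trailing "%2" is the truncated escape.
SAMPLE = "user=ad%6din&note=hello+world%2"

if __name__ == "__main__":
    for name, decoder in [("naive", url_decode_naive), ("safe", url_decode_safe)]:
        bad = {p: e for p, e in truncation_outcomes(decoder, SAMPLE).items() if e}
        print(name, bad)
```

Running the harness over a real request parser's decoder, with inputs cut at every offset, is the cheapest regression check for this class: the property is simply that no prefix of a valid body produces anything other than a clean rejection.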
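Entry 29 (CVE-2019-1010309) is a client-side traversal: a package downloader that lets a name taken from the URL, or from anything else the server controls, decide where the file lands. The following is an added example from the editor, not pacman's `curl_download_internal` and not the libalpm fix: it derives a local filename from a URL and confines it to a cache directory, rejecting the name when either the name itself or the resolved path would leave that directory. The cache directory and the URLs are constructed for the example; nothing here touches the filesystem.

```python
"""Confining a server-influenced download filename to the cache directory.

Editor's example for the CVE-2019-1010309 bug class; not pacman's code."""
import os
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed cache directory for the example (a real pacman install reads
# this from its configuration).
CACHE_DIR = "/var/cache/pacman/pkg"


def filename_from_url(url: str) -> str:
    """Basename of the URL path, percent-decoded. Decoding happens before
    the traversal checks, so an encoded '../' cannot slip past them."""
    path = unquote(urlsplit(url).path)
    return posixpath.basename(path)


def safe_cache_path(cache_dir: str, name: str) -> str:
    """Return cache_dir/name if `name` is a plain filename, else raise.

    Two independent checks: the name itself may not be empty, '.', '..' or
    contain a separator or NUL; and the resolved path must still sit
    inside the resolved cache directory. The second check catches whatever
    the first one did not think of. Any name from a server-controlled
    source (a Content-Disposition header, a redirect target) must go
    through the same function."""
    if not name or name in (".", "..") or "/" in name or "\\" in name or "\0" in name:
        raise ValueError(f"refusing filename {name!r}")
    cache_real = os.path.realpath(cache_dir)
    target = os.path.realpath(os.path.join(cache_real, name))
    if target == cache_real or os.path.commonpath([cache_real, target]) != cache_real:
        raise ValueError(f"{name!r} escapes {cache_dir}")
    return target


def cache_path_for_url(url: str) -> str:
    """Where a package fetched from `url` is allowed to be written."""
    return safe_cache_path(CACHE_DIR, filename_from_url(url))


def accepted(name: str) -> bool:
    """True if `name` would be written inside CACHE_DIR."""
    try:
        safe_cache_path(CACHE_DIR, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed URLs: a normal mirror path and two hostile ones.
    for url in ["https://mirror.example/x86_64/foo-1.0-1-x86_64.pkg.tar.xz",
                "https://evil.example/pkg/%2e%2e",
                "https://evil.example/pkg/"]:
        try:
            print(url, "->", cache_path_for_url(url))
        except ValueError as exc:
            print(url, "-> rejected:", exc)
```

The `realpath` comparison is the check to keep even when the filename looks clean: it is what still holds when the cache directory itself contains a symlink, or when a future change lets some other server-supplied string reach `safe_cache_path`.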