2019 Security Vulnerability Report
CVE Statistics for 2019

The average severity was 7.3 out of 10, which was about the same as in 2018.
Products & Vendors with the most security vulnerabilities published in 2019. A single vulnerability may be counted against multiple products or vendors.

By Weakness
#1 XSS
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

#2 Memory Corruption
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

#3 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

#4 Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.

#5 Information Disclosure
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

#6 Buffer Overflow
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

#7 Dangling pointer
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

#8 SQL Injection
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

#9 Session Riding
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

#10 Directory traversal
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

#11 Shell injection
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

#12 Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

#13 NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.

#14 Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution or sensitive user data.

#15 Unrestricted File Upload
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

#16 AuthZ
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

#17 Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

#18 Code Injection
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

#19 Integer Overflow or Wraparound
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc.

#20 Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

#21 Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

#22 XXE
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

#23 Resource Exhaustion
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

#24 Marshaling, Unmarshaling
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

#25 Memory Leak
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.

By Category
Fortinet FortiOS: 19 vulnerabilities in 2019
Apache JSPWiki: 11 vulnerabilities in 2019
Fortinet FortiClient: 9 vulnerabilities in 2019

Content Management
Joomla: 29 vulnerabilities in 2019
WordPress: 22 vulnerabilities in 2019
Adobe Experience Manager: 19 vulnerabilities in 2019

Database
Oracle MySQL: 140 vulnerabilities in 2019
Oracle Database Server: 25 vulnerabilities in 2019
SQLite: 18 vulnerabilities in 2019

Desktop Software
Apple iTunes: 93 vulnerabilities in 2019
Microsoft Office: 58 vulnerabilities in 2019
Mozilla Thunderbird: 58 vulnerabilities in 2019

Development Tools
Oracle Java Development Kit (JDK): 41 vulnerabilities in 2019
Jenkins: 21 vulnerabilities in 2019
Microsoft Visual Studio: 4 vulnerabilities in 2019

DevOps
GitLab: 164 vulnerabilities in 2019
Kubernetes: 13 vulnerabilities in 2019
Docker: 8 vulnerabilities in 2019

Microsoft Exchange Server: 12 vulnerabilities in 2019
Exim: 4 vulnerabilities in 2019

Java Application Servers
Oracle Weblogic Server: 40 vulnerabilities in 2019
IBM WebSphere Application Server: 18 vulnerabilities in 2019
Adobe ColdFusion: 10 vulnerabilities in 2019

Java Libraries
FasterXML Jackson Databind: 21 vulnerabilities in 2019

Libraries
Microsoft ChakraCore: 71 vulnerabilities in 2019
OpenSSL: 7 vulnerabilities in 2019
Google Tensorflow: 7 vulnerabilities in 2019

Operating Systems
Debian Linux: 1000 vulnerabilities in 2019
Canonical Ubuntu Linux: 669 vulnerabilities in 2019
Google Android: 491 vulnerabilities in 2019

Runtime Environments
Oracle Java Runtime Environment (JRE): 37 vulnerabilities in 2019
PHP: 30 vulnerabilities in 2019
Python: 15 vulnerabilities in 2019

Server Software
Microsoft Sharepoint Server: 33 vulnerabilities in 2019
Microsoft Sharepoint Enterprise Server: 32 vulnerabilities in 2019
OpenBSD OpenSSH: 5 vulnerabilities in 2019

Virtualization
Oracle VM VirtualBox: 64 vulnerabilities in 2019
QEMU: 15 vulnerabilities in 2019

Web Application Framework
Django Project Django: 10 vulnerabilities in 2019
Microsoft ASP.NET Core: 6 vulnerabilities in 2019

Web Applications
Apple iCloud: 93 vulnerabilities in 2019

Web Browsers
Google Chrome: 300 vulnerabilities in 2019
Apple Safari: 166 vulnerabilities in 2019
Mozilla Firefox: 108 vulnerabilities in 2019

Web Servers
Apache HTTP Server: 14 vulnerabilities in 2019
2019 Known Exploited Vulnerabilities
These vulnerabilities may be considered some of the most dangerous vulnerabilities of 2019, because they are both known to have been exploited and carry a high severity score. In fact, 3 of them scored the highest possible CVSS base score of 10.

CVE-2019-11510 vulnerability in Pulse Connect Secure, disclosed on May 8, 2019

CVE-2019-7609 vulnerability in Kibana, disclosed on March 25, 2019

CVE-2019-11708 vulnerability in Firefox and Thunderbird, disclosed on July 23, 2019

CVE-2019-10758 vulnerability in mongo-express, disclosed on December 24, 2019

CVE-2019-1003030 vulnerability in Matrix Project Plugin, disclosed on March 8, 2019

CVE-2019-1003029 vulnerability in Script Security Plugin, disclosed on March 8, 2019

CVE-2019-3396 vulnerability in Atlassian Confluence Server, disclosed on March 25, 2019

CVE-2018-13379 vulnerability in FortiOS, disclosed on June 4, 2019

CVE-2019-2725 vulnerability in WebLogic Server, disclosed on April 26, 2019

CVE-2019-15107 vulnerability in Webmin, disclosed on August 16, 2019

CVE-2019-0708 vulnerability in Remote Desktop Services, disclosed on May 16, 2019

CVE-2019-19781 vulnerability in Application Delivery Controller (ADC) and Gateway, disclosed on December 27, 2019

CVE-2019-9670 vulnerability in Zimbra Collaboration Suite, disclosed on May 29, 2019

CVE-2019-0604 vulnerability in SharePoint, disclosed on March 5, 2019

CVE-2019-16759 vulnerability in vBulletin, disclosed on September 24, 2019

CVE-2019-11580 vulnerability in Crowd and Crowd Data Center, disclosed on June 3, 2019

CVE-2019-7256 vulnerability in Linear eMerge E3-Series, disclosed on July 2, 2019

CVE-2019-16278 vulnerability in nhttpd, disclosed on October 14, 2019

CVE-2019-11581 vulnerability in Jira Server and Data Center, disclosed on August 9, 2019

CVE-2019-16920 vulnerability in Multiple Routers, disclosed on September 27, 2019

CVE-2019-7192 vulnerability in Photo Station, disclosed on December 5, 2019

CVE-2019-11043 vulnerability in FastCGI Process Manager (FPM), disclosed on October 28, 2019

CVE-2019-10068 vulnerability in Xperience, disclosed on March 26, 2019

CVE-2019-16057 vulnerability in DNS-320 Storage Device, disclosed on September 16, 2019

CVE-2019-3929 vulnerability in Multiple Products, disclosed on April 30, 2019

CVE-2019-7238 vulnerability in Nexus Repository Manager, disclosed on March 21, 2019

CVE-2019-10149 vulnerability in Mail Transfer Agent (MTA), disclosed on June 5, 2019

CVE-2017-18368 vulnerability in P660HN-T1A Routers, disclosed on May 2, 2019

CVE-2019-18935 vulnerability in ASP.NET AJAX, disclosed on December 11, 2019

CVE-2018-15982 vulnerability in Flash Player, disclosed on January 18, 2019

CVE-2019-17621 vulnerability in DIR-859 Router, disclosed on December 30, 2019

CVE-2019-7194 vulnerability in Photo Station, disclosed on December 5, 2019

CVE-2018-14839 vulnerability in N1A1 NAS, disclosed on May 14, 2019

CVE-2019-7195 vulnerability in Photo Station, disclosed on December 5, 2019

CVE-2019-16928 vulnerability in Exim Internet Mailer, disclosed on September 27, 2019

CVE-2019-5544 vulnerability in ESXi, Horizon DaaS Appliances, disclosed on December 6, 2019

CVE-2019-12989 vulnerability in SD-WAN and NetScaler, disclosed on July 16, 2019

CVE-2019-4716 vulnerability in IBM Planning Analytics, disclosed on December 18, 2019

CVE-2010-5330 vulnerability in AirOS, disclosed on June 11, 2019

CVE-2019-11634 vulnerability in Workspace (for Windows), disclosed on May 22, 2019

CVE-2019-7193 vulnerability in QTS, disclosed on December 5, 2019

CVE-2017-18362 vulnerability in Virtual System/Server Administrator (VSA), disclosed on February 5, 2019

CVE-2019-16256 vulnerability in SIMalliance Toolbox (S@T) Browser, disclosed on September 12, 2019

CVE-2018-7841 vulnerability in U.motion Builder, disclosed on May 22, 2019

CVE-2018-20753 vulnerability in Virtual System/Server Administrator (VSA), disclosed on February 5, 2019

CVE-2019-0344 vulnerability in Commerce Cloud, disclosed on August 14, 2019

CVE-2019-3568 vulnerability in WhatsApp, disclosed on May 14, 2019

CVE-2019-9874 vulnerability in CMS and Experience Platform (XP), disclosed on May 31, 2019

CVE-2019-9082 vulnerability in ThinkPHP, disclosed on February 24, 2019

CVE-2019-3398 vulnerability in Confluence, disclosed on April 18, 2019

CVE-2019-13720 vulnerability in Chrome, disclosed on November 25, 2019

CVE-2019-15949 vulnerability in Nagios XI, disclosed on September 5, 2019

CVE-2019-12991 vulnerability in SD-WAN and NetScaler, disclosed on July 16, 2019

CVE-2019-11707 vulnerability in Firefox and Thunderbird, disclosed on July 23, 2019

CVE-2019-0541 vulnerability in MSHTML engine, disclosed on January 8, 2019

CVE-2019-1297 vulnerability in Excel, disclosed on September 11, 2019

CVE-2019-0903 vulnerability in Graphics Device Interface (GDI), disclosed on May 16, 2019

CVE-2019-3010 vulnerability in Solaris, disclosed on October 16, 2019

CVE-2019-8506 vulnerability in Multiple Products, disclosed on December 18, 2019

CVE-2019-9875 vulnerability in CMS and Experience Platform (XP), disclosed on May 31, 2019

CVE-2019-15271 vulnerability in RV Series Routers, disclosed on November 26, 2019

CVE-2019-6340 vulnerability in Core, disclosed on February 21, 2019

CVE-2019-1579 vulnerability in PAN-OS, disclosed on July 19, 2019

CVE-2018-20250 vulnerability in WinRAR, disclosed on February 5, 2019

CVE-2019-1458 vulnerability in Win32k, disclosed on December 10, 2019

CVE-2019-0211 vulnerability in HTTP Server, disclosed on April 8, 2019

CVE-2019-0841 vulnerability in Windows, disclosed on April 9, 2019

CVE-2019-0803 vulnerability in Win32k, disclosed on April 9, 2019

CVE-2019-13272 vulnerability in Kernel, disclosed on July 17, 2019

CVE-2019-15752 vulnerability in Desktop Community Edition, disclosed on August 28, 2019

CVE-2019-1405 vulnerability in Windows, disclosed on November 12, 2019

CVE-2019-0808 vulnerability in Windows, disclosed on April 9, 2019

CVE-2019-2215 vulnerability in Android OS, disclosed on October 11, 2019

CVE-2019-1322 vulnerability in Windows, disclosed on October 10, 2019

CVE-2019-1069 vulnerability in Task Scheduler, disclosed on June 12, 2019

CVE-2019-1132 vulnerability in Win32k, disclosed on July 15, 2019

CVE-2019-1253 vulnerability in Windows, disclosed on September 11, 2019

CVE-2019-1064 vulnerability in Windows, disclosed on June 12, 2019

CVE-2019-0863 vulnerability in Windows, disclosed on May 16, 2019

CVE-2019-1214 vulnerability in Windows, disclosed on September 11, 2019

CVE-2019-0859 vulnerability in Win32k, disclosed on April 9, 2019

CVE-2019-8605 vulnerability in Multiple Products, disclosed on December 18, 2019

CVE-2019-1129 vulnerability in Windows, disclosed on July 15, 2019

CVE-2019-1315 vulnerability in Windows, disclosed on October 10, 2019

CVE-2019-1130 vulnerability in Windows, disclosed on July 15, 2019

CVE-2019-7287 vulnerability in iOS, disclosed on December 18, 2019

CVE-2019-0797 vulnerability in Win32k, disclosed on April 9, 2019

CVE-2019-0543 vulnerability in Windows, disclosed on January 8, 2019

CVE-2019-1388 vulnerability in Windows, disclosed on November 12, 2019

CVE-2019-1215 vulnerability in Windows, disclosed on September 11, 2019

CVE-2019-7286 vulnerability in Multiple Products, disclosed on December 18, 2019

CVE-2019-0880 vulnerability in Windows, disclosed on July 15, 2019

CVE-2018-4344 vulnerability in Multiple Products, disclosed on April 3, 2019

CVE-2019-1385 vulnerability in Windows, disclosed on November 12, 2019

CVE-2019-8526 vulnerability in macOS, disclosed on December 18, 2019

CVE-2019-17558 vulnerability in Solr, disclosed on December 30, 2019

CVE-2019-1653 vulnerability in RV320 and RV325 Routers, disclosed on January 24, 2019

CVE-2019-7481 vulnerability in SMA100, disclosed on December 17, 2019

CVE-2019-20085 vulnerability in NVMS-1000, disclosed on December 30, 2019

CVE-2019-0752 vulnerability in Internet Explorer, disclosed on April 9, 2019
Report Last Updated: July 5, 2025