LiveActive security incident?Get immediate response
CVE archive

March 2019

Browse CVE records published in March 2019, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1600 matching CVEs · Page 1 of 32.

High · CVSS 7.5

CVE-2019-18336: A vulnerability has been identified in SIMATIC S7-300 CPU family (incl.

A vulnerability has been identified in SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions < V3.X.17), SIMATIC TDC CP51M1 (All versions < V1.1.8), SIMATIC TDC CPU555 (All versions < V1.1.1), SINUMERIK 840D sl (All versions < V4.8.6), SINUMERIK 840D sl (All versions < V4.94). Specially crafted packets sent to port 102/tcp (Profinet) could cause the affected device to go into defect mode. A restart is required in order to recover the system. Successful exploitation requires an attacker to have network access to port 102/tcp, with no authentication. No user interation is required. At the time of advisory publication no public exploitation of this security vulnerability was known.

Published Mar 10, 2020 · Updated Jun 2, 2026

Medium · CVSS 6.1

CVE-2019-25502: Simple Job Script Cross-Site Scripting via job_type_value Parameter

Simple Job Script contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the job_type_value parameter in the jobs endpoint. Attackers can craft requests with SVG payload injection to execute arbitrary JavaScript in victim browsers and steal session cookies or perform unauthorized actions.

Published Mar 4, 2026 · Updated May 24, 2026

High · CVSS 7.7

CVE-2019-25652: UniFi Network Controller Improper Certificate Validation Leading to Credential Theft via MITM

UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate during SMTP connections. Attackers can intercept SMTP traffic and obtain credentials by exploiting the insecure SSL host verification mechanism in the SMTP certificate validation process.

Published Mar 27, 2026 · Updated May 14, 2026

Medium · CVSS 4.9

CVE-2019-25222: Thumbnail carousel slider <= 1.0.4 - Authenticated (Admin+) SQL Injection

The Thumbnail carousel slider plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published Mar 15, 2025 · Updated Apr 8, 2026

High · CVSS 8.8

CVE-2019-25507: Ashop Shopping Cart Software Lastest SQL Injection via index.php

Ashop Shopping Cart Software contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'shop' parameter. Attackers can send GET requests to index.php with malicious 'shop' values using UNION-based SQL injection to extract sensitive database information.

Published Mar 4, 2026 · Updated Apr 7, 2026

High · CVSS 8.8

CVE-2019-25506: FreeSMS 2.1.2 Authentication Bypass via SQL Injection

FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc_handler.php?method=login to authenticate as any known user and subsequently modify their password via the profile update function.

Published Mar 4, 2026 · Updated Apr 7, 2026

High · CVSS 7.1

CVE-2019-25505: Tradebox 5.4 SQL Injection via symbol Parameter

Tradebox 5.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the symbol parameter. Attackers can send POST requests to the monthly_deposit endpoint with malicious symbol values using boolean-based blind, time-based blind, error-based, or union-based SQL injection techniques to extract sensitive database information.

Published Mar 4, 2026 · Updated Apr 7, 2026

High · CVSS 8.8

CVE-2019-25504: NCrypted Jobgator Lastest SQL Injection via agents Find-Jobs

NCrypted Jobgator contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the experience parameter. Attackers can send POST requests to the agents Find-Jobs endpoint with malicious experience values to extract sensitive database information.

Published Mar 4, 2026 · Updated Apr 7, 2026

High · CVSS 7.1

CVE-2019-25503: PHPads 2.0 SQL Injection via click.php3 bannerID

PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bannerID parameter in click.php3. Attackers can submit crafted bannerID values using SQL comment syntax and functions like extractvalue to extract sensitive database information such as the current database name.

Published Mar 4, 2026 · Updated Apr 7, 2026

High · CVSS 8.8

CVE-2019-25501: Simple Job Script SQL Injection via delete_application_ajax.php

Simple Job Script contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the app_id parameter. Attackers can send POST requests to delete_application_ajax.php with crafted payloads to extract sensitive data, bypass authentication, or modify database contents.

Published Mar 4, 2026 · Updated Apr 7, 2026

High · CVSS 8.8

CVE-2019-25500: Simple Job Script SQL Injection via register-recruiters endpoint

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the employerid parameter. Attackers can send POST requests to the register-recruiters endpoint with time-based SQL injection payloads to extract sensitive data or modify database contents.

Published Mar 4, 2026 · Updated Apr 7, 2026

High · CVSS 8.8

CVE-2019-25499: Simple Job Script SQL Injection via get_job_applications_ajax.php

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter. Attackers can send POST requests to get_job_applications_ajax.php with malicious job_id values to bypass authentication, extract sensitive data, or modify database contents.

Published Mar 4, 2026 · Updated Apr 7, 2026

High · CVSS 8.8

CVE-2019-25498: Simple Job Script SQL Injection via searched Endpoint

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter. Attackers can send POST requests to the searched endpoint with malicious SQL payloads to bypass authentication and extract sensitive database information.

Published Mar 4, 2026 · Updated Apr 7, 2026

Critical · CVSS 9.8

CVE-2019-25487: SAPIDO RB-1732 V2.0.43 Remote Command Execution via formSysCmd

SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execute code on the device with router privileges.

Published Mar 11, 2026 · Updated Apr 7, 2026

High · CVSS 8.8

CVE-2019-25486: Varient 1.6.1 SQL Injection via user_id Parameter

Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_id parameter. Attackers can submit POST requests with crafted SQL payloads in the user_id field to bypass authentication and extract sensitive database information.

Published Mar 11, 2026 · Updated Apr 7, 2026

Medium · CVSS 6.9

CVE-2019-25485: R 3.4.4 Windows x64 Buffer Overflow SEH DEP ASLR Bypass

R 3.4.4 on Windows x64 contains a buffer overflow vulnerability in the GUI Preferences language menu field that allows local attackers to bypass DEP and ASLR protections. Attackers can inject a crafted payload through the Language for menus preference to trigger a structured exception handler chain pivot and execute arbitrary shellcode with application privileges.

Published Mar 11, 2026 · Updated Apr 7, 2026

Medium · CVSS 6.9

CVE-2019-25484: WinMPG iPod Convert 3.0 Register Field Buffer Overflow DoS

WinMPG iPod Convert 3.0 contains a buffer overflow vulnerability in the Register dialog that allows local attackers to crash the application by supplying an oversized payload. Attackers can paste a large string of characters into the User Name and User Code field to trigger a denial of service condition.

Published Mar 11, 2026 · Updated Apr 7, 2026

High · CVSS 8.6

CVE-2019-25483: Comtrend AR-5310 GE31-412SSG-C01_R10.A2pG039u.d24k Restricted Shell Escape

Comtrend AR-5310 GE31-412SSG-C01_R10.A2pG039u.d24k contains a restricted shell escape vulnerability that allows local users to bypass command restrictions by using the command substitution operator $( ). Attackers can inject arbitrary commands through the $( ) syntax when passed as arguments to allowed commands like ping to execute unrestricted shell access.

Published Mar 11, 2026 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2019-25480: ARMBot Unrestricted File Upload via upload.php

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. Attackers can upload PHP files with traversal payloads ../public_html/ to write executable code to the web root and achieve remote code execution.

Published Mar 11, 2026 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2019-25478: GetGo Download Manager 6.2.2.3300 Buffer Overflow DoS

GetGo Download Manager 6.2.2.3300 contains a buffer overflow vulnerability that allows remote attackers to cause denial of service by sending HTTP responses with excessively long headers. Attackers can craft malicious HTTP responses with oversized header values to crash the application and make it unavailable.

Published Mar 11, 2026 · Updated Apr 7, 2026

Medium · CVSS 6.9

CVE-2019-25477: RAR Password Recovery 1.80 Denial of Service Buffer Overflow

RAR Password Recovery 1.80 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload in the registration dialog. Attackers can craft a malicious input string exceeding 6000 bytes and paste it into the User Name and Registration Code field to trigger an application crash.

Published Mar 11, 2026 · Updated Apr 7, 2026

Medium · CVSS 6.9

CVE-2019-25476: Outlook Password Recovery 2.10 Denial of Service Buffer Overflow

Outlook Password Recovery 2.10 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload. Attackers can create a malicious text file containing 6000 bytes of data and paste it into the User Name and Registration Code field to trigger a denial of service condition.

Published Mar 11, 2026 · Updated Apr 7, 2026

Medium · CVSS 6.9

CVE-2019-25475: SQL Server Password Changer 1.90 Denial of Service Buffer Overflow

SQL Server Password Changer 1.90 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload. Attackers can inject 6000 bytes of data into the User Name and Registration Code field to trigger a denial of service condition.

Published Mar 11, 2026 · Updated Apr 7, 2026

Medium · CVSS 6.9

CVE-2019-25474: Easy MP3 Downloader 4.7.8.8 Denial of Service Buffer Overflow

Easy MP3 Downloader 4.7.8.8 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long unlock code. Attackers can generate a file containing 6000 'A' characters and paste the contents into the Unlock Code field during application startup to trigger a denial of service condition.

Published Mar 11, 2026 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2019-25472: IntelBras Telefone IP TIP200/200 LITE Arbitrary File Read via dumpConfigFile

IntelBras Telefone IP TIP200 and 200 LITE contain an unauthenticated arbitrary file read vulnerability in the dumpConfigFile function accessible via the cgiServer.exx endpoint. Attackers can send GET requests to /cgi-bin/cgiServer.exx with the command parameter containing dumpConfigFile() to read sensitive files including /etc/shadow and configuration files without proper authorization.

Published Mar 11, 2026 · Updated Apr 7, 2026

Critical · CVSS 9.8

CVE-2019-25471: FileThingie 2.5.7 Arbitrary File Upload via ft2.php

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.

Published Mar 11, 2026 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2019-25470: eWON Firmware 12.2-13.0 Authentication Bypass via wsdReadForm

eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive user data by exploiting the wsdReadForm endpoint. Attackers can send POST requests to /wrcgi.bin/wsdReadForm with base64-encoded partial credentials and a crafted wsdList parameter to extract encrypted passwords for all users, which can be decrypted using a hardcoded XOR key.

Published Mar 11, 2026 · Updated Apr 7, 2026

Medium · CVSS 6.9

CVE-2019-25469: Folder Lock 7.7.9 Denial of Service via Serial Number Field

Folder Lock 7.7.9 contains a buffer overflow vulnerability in the serial number registration field that allows local attackers to crash the application by submitting an oversized payload. Attackers can paste a 6000-byte buffer of arbitrary data into the 'Serial Number and Registration Key' field to trigger a denial of service condition.

Published Mar 11, 2026 · Updated Apr 7, 2026

Critical · CVSS 9.8

CVE-2019-25468: NetGain EM Plus 10.1.68 Remote Code Execution via script_test.jsp

NetGain EM Plus 10.1.68 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious parameters to the script_test.jsp endpoint. Attackers can send POST requests with shell commands embedded in the 'content' parameter to execute code and retrieve command output.

Published Mar 11, 2026 · Updated Apr 7, 2026

High · CVSS 8.6

CVE-2019-25467: Verypdf docPrint Pro 8.0 Local SEH Buffer Overflow

Verypdf docPrint Pro 8.0 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized alphanumeric encoded payload in the User Password or Master Password fields. Attackers can craft a malicious payload with encoded shellcode and SEH chain manipulation to bypass protections and execute a MessageBox proof-of-concept when the password fields are processed during PDF encryption.

Published Mar 11, 2026 · Updated Apr 7, 2026

High · CVSS 8.6

CVE-2019-25466: Easy File Sharing Web Server 7.2 Local SEH Overflow

Easy File Sharing Web Server 7.2 contains a local structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by creating a malicious username. Attackers can craft a username with a payload containing 4059 bytes of padding followed by a nseh value and seh pointer to trigger the overflow when adding a new user account.

Published Mar 11, 2026 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2019-25465: Hisilicon HiIpcam V100R003 Information Disclosure via Directory Traversal

Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing in the cgi-bin directory. Attackers can request the getadslattr.cgi endpoint to retrieve ADSL credentials and network configuration parameters including usernames, passwords, and DNS settings.

Published Mar 11, 2026 · Updated Apr 7, 2026

Medium · CVSS 6.7

CVE-2019-25464: InputMapper 1.6.10 Local Denial of Service via Username Field

InputMapper 1.6.10 contains a buffer overflow vulnerability in the username field that allows local attackers to crash the application by entering an excessively long string. Attackers can trigger a denial of service by copying a large payload into the username field and double-clicking to process it, causing the application to crash.

Published Mar 11, 2026 · Updated Apr 7, 2026

Medium · CVSS 6.9

CVE-2019-25463: SpotIE Internet Explorer Password Recovery 2.9.5 Key Field DoS

SpotIE Internet Explorer Password Recovery 2.9.5 contains a denial of service vulnerability in the registration key input field that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a 256-character payload into the Key field during registration to trigger a buffer overflow and crash the application.

Published Mar 11, 2026 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2019-25651: Ubiquiti UniFi Devices Use of AES-CBC Allows Key Recovery and Unauthorized Device Control

Ubiquiti UniFi Network Controller prior to 5.10.12 (excluding 5.6.42), UAP FW prior to 4.0.6, UAP-AC, UAP-AC v2, and UAP-AC Outdoor FW prior to 3.8.17, USW FW prior to 4.0.6, USG FW prior to 4.4.34 uses AES-CBC encryption for device-to-controller communication, which contains cryptographic weaknesses that allow attackers to recover encryption keys from captured traffic. Attackers with adjacent network access can capture sufficient encrypted traffic and exploit AES-CBC mode vulnerabilities to derive the encryption keys, enabling unauthorized control and management of network devices.

Published Mar 27, 2026 · Updated Mar 30, 2026

Medium · CVSS 6.9

CVE-2019-25655: Device Monitoring Studio 8.10.00.8925 Denial of Service

Device Monitoring Studio 8.10.00.8925 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string to the server connection dialog. Attackers can trigger the crash by entering a malformed server name or address containing repeated characters through the Tools menu Connect to New Server interface.

Published Mar 30, 2026 · Updated Mar 30, 2026

High · CVSS 8.7

CVE-2019-25654: Core FTP/SFTP Server 1.2 Denial of Service via Buffer Overflow

Core FTP/SFTP Server 1.2 contains a buffer overflow vulnerability that allows attackers to crash the service by supplying an excessively long string in the User domain field. Attackers can paste a malicious payload containing 7000 bytes of data into the domain configuration to trigger an application crash and deny service.

Published Mar 30, 2026 · Updated Mar 30, 2026

Medium · CVSS 6.9

CVE-2019-25653: Navicat for Oracle 12.1.15 Password Field Denial of Service

Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash.

Published Mar 30, 2026 · Updated Mar 30, 2026

Medium · CVSS 6.9

CVE-2019-25648: MyVideoConverter Pro 3.14 Denial of Service Buffer Overflow

MyVideoConverter Pro 3.14 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying an excessively long string to the registration code input field. Attackers can paste a malicious payload containing 10000 bytes into the 'Copy and Paste Registration Code' field to trigger a denial of service condition.

Published Mar 26, 2026 · Updated Mar 26, 2026

High · CVSS 8.6

CVE-2019-25650: River Past CamDo 3.7.6 Structured Exception Handler Buffer Overflow

River Past CamDo 3.7.6 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the Lame_enc.dll name field. Attackers can craft a payload with a 280-byte buffer, NSEH jump instruction, and SEH handler address pointing to a pop-pop-ret gadget to trigger code execution and establish a bind shell on port 3110.

Published Mar 26, 2026 · Updated Mar 26, 2026

Medium · CVSS 6.8

CVE-2019-25649: River Past Audio Converter 7.7.16 Local Buffer Overflow DoS

River Past Audio Converter 7.7.16 contains a local buffer overflow vulnerability in the activation code field that allows local attackers to crash the application by supplying an oversized input string. Attackers can paste a large payload of repeated characters into the 'E-Mail and Activation Code' field and click 'Activate' to trigger a denial of service condition.

Published Mar 26, 2026 · Updated Mar 26, 2026

High · CVSS 8.8

CVE-2019-25578: phpTransformer 2016.9 SQL Injection via GeneratePDF.php

phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries.

Published Mar 21, 2026 · Updated Mar 26, 2026

High · CVSS 8.8

CVE-2019-25630: PhreeBooks ERP 5.2.3 Arbitrary File Upload via Image Manager

PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image upload endpoint. Attackers can upload PHP files through the imgFile parameter to the bizuno/image/manager endpoint and execute them via the bizunoFS.php script for remote code execution.

Published Mar 24, 2026 · Updated Mar 26, 2026

Medium · CVSS 6.9

CVE-2019-25644: WinMPG Video Convert 9.3.5 Buffer Overflow Local Denial of Service

WinMPG Video Convert 9.3.5 and older versions contain a buffer overflow vulnerability in the registration dialog that allows local attackers to crash the application by supplying oversized input. Attackers can paste a large payload of 6000 bytes into the Name and Registration Code field to trigger a denial of service condition.

Published Mar 24, 2026 · Updated Mar 26, 2026

High · CVSS 7.1

CVE-2019-25638: Meeplace Business Review Script Lastest SQL Injection via addclick.php

Meeplace Business Review Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the addclick.php endpoint with crafted SQL payloads in the 'id' parameter to extract sensitive database information or cause denial of service.

Published Mar 24, 2026 · Updated Mar 26, 2026

Medium · CVSS 6.9

CVE-2019-25632: phpFileManager 1.7.8 Local File Inclusion via index.php

phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fm_current_dir, and filename parameters. Attackers can send GET requests to index.php with crafted parameter values to access sensitive files like /etc/passwd from the server.

Published Mar 24, 2026 · Updated Mar 26, 2026

High · CVSS 8.6

CVE-2019-25626: River Past Cam Do 3.7.6 Local Buffer Overflow in Activation Code

River Past Cam Do 3.7.6 contains a local buffer overflow vulnerability in the activation code input field that allows local attackers to execute arbitrary code by supplying a malicious activation code string. Attackers can craft a buffer containing 608 bytes of junk data followed by shellcode and SEH chain overwrite values to trigger code execution when the activation dialog processes the input.

Published Mar 24, 2026 · Updated Mar 26, 2026

Medium · CVSS 6.9

CVE-2019-25621: Pixel Studio 2.17 Denial of Service via Malformed Input

Pixel Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters, causing the application to become unresponsive or terminate abnormally.

Published Mar 23, 2026 · Updated Mar 25, 2026

High · CVSS 8.6

CVE-2019-25615: Lavavo CD Ripper 4.20 Local SEH Buffer Overflow

Lavavo CD Ripper 4.20 contains a structured exception handling (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Activation Name field. Attackers can craft a payload with controlled buffer data, NSEH jump instructions, and SEH handler addresses to trigger code execution and establish a bind shell on port 3110.

Published Mar 22, 2026 · Updated Mar 25, 2026

High · CVSS 8.6

CVE-2019-25609: JetAudio jetCast Server 2.0 Local SEH Buffer Overflow

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration field that allows local attackers to overwrite structured exception handling pointers. Attackers can inject alphanumeric encoded shellcode through the Log Directory field to trigger an SEH exception handler and execute arbitrary code with application privileges.

Published Mar 22, 2026 · Updated Mar 25, 2026