LiveActive security incident?Get immediate response
CVE archive

December 2019

Browse CVE records published in December 2019, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1489 matching CVEs · Page 1 of 30.

Medium · CVSS 6.5

CVE-2019-25221: Responsive Filterable Portfolio <=1.0.8 - Authenticated (Admin+) SQL Injection

The Responsive Filterable Portfolio plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published Dec 13, 2024 · Updated Apr 8, 2026

High · CVSS 8.8

CVE-2019-25254: KYOCERA Net Admin 3.4.0906 Cross-Site Request Forgery via User Administration

KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page.

Published Dec 24, 2025 · Updated Apr 7, 2026

High · CVSS 8.8

CVE-2019-25245: Ross Video DashBoard 8.5.1 Privilege Escalation via Insecure Permissions

Ross Video DashBoard 8.5.1 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files due to improper permission settings. Attackers can exploit the 'M' or 'C' flags for 'Authenticated Users' group to replace the DashBoard.exe binary with a malicious executable.

Published Dec 24, 2025 · Updated Mar 5, 2026

High · CVSS 7.5

CVE-2019-25258: LogicalDOC Enterprise 7.7.4 Multiple Post-Authentication Directory Traversal Vulnerabilities

LogicalDOC Enterprise 7.7.4 contains multiple post-authentication file disclosure vulnerabilities that allow attackers to read arbitrary files through unverified 'suffix' and 'fileVersion' parameters. Attackers can exploit directory traversal techniques in /thumbnail and /convertpdf endpoints to access sensitive system files like win.ini and /etc/passwd by manipulating path traversal sequences.

Published Dec 24, 2025 · Updated Mar 5, 2026

High · CVSS 8.7

CVE-2019-25257: LogicalDOC Enterprise 7.7.4 Authenticated Command Execution via Binary Path Manipulation

LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command, ocr.Tesseract.path, and other system paths to execute arbitrary system commands with elevated privileges.

Published Dec 24, 2025 · Updated Mar 5, 2026

Medium · CVSS 5.1

CVE-2019-25252: Teradek VidiU Pro 3.0.3 Cross-Site Request Forgery via Password Change

Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious web pages that automatically submit password change requests to the device when a logged-in administrator visits the page.

Published Dec 24, 2025 · Updated Mar 5, 2026

Medium · CVSS 5.1

CVE-2019-25242: FaceSentry Access Control System 6.4.8 Cross-Site Request Forgery via Web Interface

FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage.

Published Dec 24, 2025 · Updated Mar 5, 2026

Critical · CVSS 9.8

CVE-2019-25235: Smartwares HOME easy 1.0.9 Client-Side Authentication Bypass via Web Pages

Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system information.

Published Dec 24, 2025 · Updated Mar 5, 2026

Medium · CVSS 6.9

CVE-2019-25251: Teradek VidiU Pro 3.0.3 Server-Side Request Forgery via RTMP Settings

Teradek VidiU Pro 3.0.3 contains a server-side request forgery vulnerability in the management interface that allows attackers to manipulate GET parameters 'url' and 'xml_url'. Attackers can exploit this flaw to bypass firewalls, initiate network enumeration, and potentially trigger external HTTP requests to arbitrary destinations.

Published Dec 24, 2025 · Updated Jan 26, 2026

Medium · CVSS 5.1

CVE-2019-25262: elinicksic Razgover Chat Message send.php cross site scripting

A security vulnerability has been detected in elinicksic Razgover up to db37dfc5c82f023a40f2f7834ded6633fb2b5262. This affects an unknown part of the file Chattify/send.php of the component Chat Message Handler. Such manipulation of the argument msg leads to cross site scripting. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The name of the patch is 995dd89d0e3ec5522966724be23a5d58ca1bdac3. Applying a patch is advised to resolve this issue. This vulnerability only affects products that are no longer supported by the maintainer.

Published Dec 31, 2025 · Updated Jan 2, 2026

Critical · CVSS 9.8

CVE-2019-25241: FaceSentry Access Control System 6.4.8 Remote SSH Root Access

FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privileges and gain root access by executing sudo commands without authentication.

Published Dec 24, 2025 · Updated Dec 31, 2025

Medium · CVSS 5.3

CVE-2019-25230: Kentico Xperience <= 12.0.0 User Widget Information Disclosure

An information disclosure vulnerability in Kentico Xperience allows authenticated users to view sensitive system objects through the live site widget properties dialog. Attackers can exploit this vulnerability to access unauthorized system information without proper access controls.

Published Dec 18, 2025 · Updated Dec 27, 2025

Medium · CVSS 5.3

CVE-2019-25228: Kentico Xperience <= 12.0.47 Virtual Context Information Disclosure

An information disclosure vulnerability in Kentico Xperience allows attackers to leak virtual context URLs via the HTTP Referer header when users interact with third-party domains. Sensitive virtual context information can be exposed to external domains through page builder interactions and link/image loading.

Published Dec 18, 2025 · Updated Dec 27, 2025

Medium · CVSS 5.3

CVE-2019-25233: AVE DOMINAplus 1.10.x Cross-Site Request Forgery and XSS Vulnerabilities

AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions.

Published Dec 24, 2025 · Updated Dec 24, 2025

Medium · CVSS 5.3

CVE-2019-25234: Carlo Gavazzi SmartHouse Webapp 6.5.33 Cross-Site Request Forgery and XSS

SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or injecting malicious scripts into various application parameters.

Published Dec 24, 2025 · Updated Dec 24, 2025

Critical · CVSS 9.8

CVE-2019-25236: iSeeQ Hybrid DVR WH-H4 1.03R Unauthenticated Live Stream Disclosure

iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication.

Published Dec 24, 2025 · Updated Dec 24, 2025

Critical · CVSS 9.8

CVE-2019-25237: V-SOL GPON/EPON OLT Platform 2.03 Privilege Escalation via User Role Parameter

V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a crafted HTTP POST request to the user management endpoint with 'user_role_mod' set to integer value '1' to elevate their privileges.

Published Dec 24, 2025 · Updated Dec 24, 2025

Medium · CVSS 5.1

CVE-2019-25238: V-SOL GPON/EPON OLT Platform 2.03 Cross-Site Request Forgery Vulnerability

V-SOL GPON/EPON OLT Platform 2.03 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to create admin users, enable SSH, or modify system settings by tricking authenticated administrators into loading a specially crafted page.

Published Dec 24, 2025 · Updated Dec 24, 2025

High · CVSS 8.7

CVE-2019-25239: V-SOL GPON/EPON OLT Platform 2.03 Unauthenticated Configuration Download

V-SOL GPON/EPON OLT Platform 2.03 contains an unauthenticated information disclosure vulnerability that allows attackers to download configuration files via direct object reference. Attackers can retrieve sensitive configuration data by sending HTTP GET requests to the usrcfg.conf endpoint, potentially enabling authentication bypass and system access.

Published Dec 24, 2025 · Updated Dec 24, 2025

Critical · CVSS 9.8

CVE-2019-25240: Rifatron 5brid DVR 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504) Unauthenticated Live Stream Disclosure via animate.cgi

Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without authentication.

Published Dec 24, 2025 · Updated Dec 24, 2025

High · CVSS 8.8

CVE-2019-25243: FaceSentry 6.4.8 Authenticated Remote Command Injection via Ping Test

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.

Published Dec 24, 2025 · Updated Dec 24, 2025

Medium · CVSS 5.3

CVE-2019-25244: Legrand BTicino Driver Manager F454 1.0.51 CSRF and Stored XSS Vulnerabilities

Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvalidated GET parameters.

Published Dec 24, 2025 · Updated Dec 24, 2025

High · CVSS 8.8

CVE-2019-25246: Beward N100 H.264 VGA IP Camera M2.1.6 Authenticated File Disclosure

Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the 'READ.filePath' parameter. Attackers can exploit the fileread script or SendCGICMD API to access sensitive files like /etc/passwd and /etc/issue by supplying absolute file paths.

Published Dec 24, 2025 · Updated Dec 24, 2025

Medium · CVSS 5.3

CVE-2019-25247: Beward N100 H.264 VGA IP Camera M2.1.6 CSRF Add Admin Vulnerability

Beward N100 H.264 VGA IP Camera M2.1.6 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft a malicious web page with a hidden form to add an admin user by tricking a logged-in user into submitting the form.

Published Dec 24, 2025 · Updated Dec 24, 2025

High · CVSS 8.7

CVE-2019-25248: Beward N100 M2.1.6 Unauthenticated RTSP Video Stream Disclosure

Beward N100 M2.1.6.04C014 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve the camera's RTSP stream by exploiting the lack of authentication in the video access mechanism.

Published Dec 24, 2025 · Updated Dec 24, 2025

Critical · CVSS 9.8

CVE-2019-25249: devolo dLAN 500 AV Wireless+ 3.1.0-1 Remote Code Execution via htmlmgr

devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating system configuration parameters.

Published Dec 24, 2025 · Updated Dec 24, 2025

Medium · CVSS 5.3

CVE-2019-25250: Devolo dLAN 500 AV Wireless+ 3.1.0-1 Cross-Site Request Forgery

Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL actions when a logged-in user visits the site.

Published Dec 24, 2025 · Updated Dec 24, 2025

High · CVSS 7.5

CVE-2019-25253: KYOCERA Net Admin 3.4.0906 Unauthenticated XML External Entity Injection

KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuration data like database credentials through an out-of-band channel attack.

Published Dec 24, 2025 · Updated Dec 24, 2025

High · CVSS 7.1

CVE-2019-25256: VideoFlow Digital Video Protection DVP 2.10 Authenticated Directory Traversal

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers can exploit multiple Perl scripts like downloadsys.pl to read sensitive files by manipulating directory path traversal in download requests.

Published Dec 24, 2025 · Updated Dec 24, 2025

High · CVSS 8.8

CVE-2019-25229: Kentico Xperience <= 12.0.29 MVC Forms Unrestricted File Upload

An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads.

Published Dec 18, 2025 · Updated Dec 18, 2025

Unknown · CVSS Not scored

CVE-2019-1387: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2...

An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

Published Dec 18, 2019 · Updated Nov 4, 2025

Critical · CVSS 9.8 · CISA KEV

CVE-2019-18935: Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in t...

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

Published Dec 11, 2019 · Updated Oct 21, 2025

High · CVSS 8.8 · CISA KEV

CVE-2019-8506: A type confusion issue was addressed with improved memory handling.

A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.2, tvOS 12.2, watchOS 5.2, Safari 12.1, iTunes 12.9.4 for Windows, iCloud for Windows 7.11. Processing maliciously crafted web content may lead to arbitrary code execution.

Published Dec 18, 2019 · Updated Oct 21, 2025