{"id":"CVE-2019-12816","details":"Modules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated non-admin users to escalate privileges and execute arbitrary code by loading a module with a crafted name.","modified":"2026-04-16T04:33:22.083594158Z","published":"2019-06-15T16:29:00.210Z","related":["openSUSE-SU-2019:1775-1","openSUSE-SU-2019:1859-1","openSUSE-SU-2024:11542-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/06/msg00017.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4O24TQOB73X57GACLZVMRVUK4UKHLE5G/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00018.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHR6OD52FQAG5ZPZ42NJM2T765C3V2XC/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEESIGRNFLZUWXZPDGXAZ7JZTHYBDJ7G/"},{"type":"WEB","url":"https://usn.ubuntu.com/4044-1/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00037.html"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Jun/23"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201908-15"},{"type":"FIX","url":"https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311"},{"type":"FIX","url":"https://github.com/znc/znc/compare/be1b6bc...d1997d6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/znc/znc","events":[{"introduced":"0"},{"last_affected":"be1b6bcd4cafbc57ebc298d89a5402ae7df55a8a"},{"fixed":"8de9e376ce531fe7f3c8b0aa4876d15b479b7311"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.7.3"}]}}],"versions":["znc-0.023","znc-0.025","znc-0.027","znc-0.028","znc-0.029","znc-0.030","znc-0.033","znc-0.034","znc-0.035","znc-0.036","znc-0.037","znc-0.038","znc-0.039","znc-0.040","znc-0.041","znc-0.043","znc-0.044","znc-0.045","znc-0.047","znc-0.050","znc-0.052","znc-0.054","znc-0.054-rc1","znc-0.054-rc2","znc-0.054-rc3","znc-0.056","znc-0.058","znc-0.060","znc-0.062","znc-0.064","znc-0.066","znc-0.068","znc-0.070","znc-0.072","znc-0.094","znc-0.096","znc-0.098","znc-0.200","znc-1.0","znc-1.2","znc-1.6.0","znc-1.7.0","znc-1.7.1","znc-1.7.1-rc1","znc-1.7.2","znc-1.7.2-rc1","znc-1.7.3","znc-1.7.3-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12816.json","vanir_signatures":[{"id":"CVE-2019-12816-1290c1b3","digest":{"line_hashes":["174486753964754430516916736730871383050","29275778477837198611450992203257197893","307319530049013881402330522505066602242","82494158934045587906733452887499443976","160053286842728736588820086884220847764","287617424539222821611460032335993242581","209833765287222228824183705683832732667","95297945510039220468508204114214847500","236450068995647934809680474209327232539","95912614378945415831535891127074118283","219679646820246493502379246107279975593","300337625527040063029589176392118851540","204297166171023547714016822031300809515","73956343658827535355290124036992016914","18051496777745318297934926575655174890","239034098034606290967669952118796928569","295334044853165642485678087140871457774","45729926670722493656673669137202336290","571798546533859822310861521896058965","211380172655941171035773268297891516276","331984331098265596437389312867452663890","259182456096102161138887388896962333935","278816252438430496865286650787102721943","225602893450083304814145166244640416013","154036182678273576774730331226380439075","252388954425318239832020560689011993945","274893726036052713575377647643003236381"],"threshold":0.9},"signature_version":"v1","target":{"file":"src/Modules.cpp"},"source":"https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311","deprecated":false,"signature_type":"Line"},{"deprecated":false,"signature_version":"v1","digest":{"length":1917,"function_hash":"95122950786339445404760154917654623114"},"target":{"function":"CModules::LoadModule","file":"src/Modules.cpp"},"source":"https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311","signature_type":"Function","id":"CVE-2019-12816-3fbc7f94"},{"deprecated":false,"digest":{"length":288,"function_hash":"323292578912875305148883135426334201462"},"signature_version":"v1","target":{"function":"CModules::GetModPathInfo","file":"src/Modules.cpp"},"source":"https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311","signature_type":"Function","id":"CVE-2019-12816-48abef31"},{"deprecated":false,"signature_version":"v1","digest":{"line_hashes":["195477839036768438441414840661911920399","210936151725103424132817371752203593323","101777677667273448383554422736045543017","302797354415093651132654681454522280047"],"threshold":0.9},"target":{"file":"include/znc/Modules.h"},"source":"https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311","signature_type":"Line","id":"CVE-2019-12816-54fbb26a"},{"deprecated":false,"signature_version":"v1","digest":{"length":397,"function_hash":"76020489109695436136136009632747957875"},"target":{"function":"CModules::GetModInfo","file":"src/Modules.cpp"},"source":"https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311","signature_type":"Function","id":"CVE-2019-12816-b44be469"},{"id":"CVE-2019-12816-d5a0c88d","signature_version":"v1","digest":{"length":1924,"function_hash":"29121335711093038551819019924020777549"},"target":{"function":"CModules::OpenModule","file":"src/Modules.cpp"},"source":"https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311","deprecated":false,"signature_type":"Function"}],"vanir_signatures_modified":"2026-04-11T08:55:50Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}