Total: 9615 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-13744 | 4 Debian, Fedoraproject, Google and 1 more | 7 Debian Linux, Fedora, Chrome and 4 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | Insufficient policy enforcement in cookies in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page. |
| CVE-2019-13737 | 4 Debian, Fedoraproject, Google and 1 more | 7 Debian Linux, Fedora, Chrome and 4 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | Insufficient policy enforcement in autocomplete in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. |
| CVE-2019-13557 | 1 Philips | 2 Tasy Emr, Tasy Webportal | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In Tasy EMR, Tasy WebPortal Versions 3.02.1757 and prior, there is an information exposure vulnerability which may allow a remote attacker to access system and configuration information. |
| CVE-2019-13523 | 1 Honeywell | 118 H2w2pc1m, H2w2pc1m Firmware, H2w2per3 and 115 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network. Affected Performance IP Cameras: HBD3PR2, H4D3PRV3, HED3PR3, H4D3PRV2, HBD3PR1, H4W8PR2, HBW8PR2, H2W2PC1M, H2W4PER3, H2W2PER3, HEW2PER3, HEW4PER3B, HBW2PER1, HEW4PER2, HEW4PER2B, HEW2PER2, H4W2PER2, HBW2PER2, H4W2PER3, ... |
| CVE-2019-13457 | 1 Otrs | 1 Otrs | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on. |
| CVE-2019-13421 | 1 Search-guard | 1 Search Guard | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM | Search Guard versions before 23.1 had an issue where an administrative user was able to retrieve bcrypt password hashes of other users configured in the internal user database. |
| CVE-2019-13419 | 1 Search-guard | 1 Search Guard | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Search Guard versions before 23.1 had an issue where, for aggregations, clear-text values of anonymised fields were leaked. |
| CVE-2019-13417 | 1 Search-guard | 1 Search Guard | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | Search Guard versions before 24.0 had an issue where the field caps and mapping APIs leaked field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated. |
| CVE-2019-13410 | 1 Topmeeting | 1 Topmeeting | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | TOPMeeting before version 8.8 (2019/08/19) shows attendees' account and password in a front-end page, which allows an attacker to obtain sensitive information by browsing the source code of the page. |
| CVE-2019-13314 | 1 Redhat | 1 Virt-bootstrap | 2024-11-21 | 2.1 LOW | 7.8 HIGH | virt-bootstrap 1.1.0 allows local users to discover a root password by listing a process, because this password may be present in the --root-password option to virt_bootstrap.py. |
| CVE-2019-13313 | 3 Fedoraproject, Libosinfo, Redhat | 6 Fedora, Libosinfo, Enterprise Linux and 3 more | 2024-11-21 | 2.1 LOW | 7.8 HIGH | libosinfo 1.5.0 allows local users to discover credentials by listing a process, because credentials are passed to osinfo-install-script via the command line. |
| CVE-2019-13075 | 1 Torproject | 1 Tor Browser | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | Tor Browser through 8.5.3 has an information exposure vulnerability. It allows remote attackers to detect the browser's language via vectors involving an IFRAME element, because text in that language is included in the title attribute of a LINK element for a non-HTML page. This is related to a behavior of Firefox before 68. |
| CVE-2019-13055 | 1 Logitech | 4 K360, K360 Firmware, Unifying Receiver and 1 more | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM | Certain Logitech Unifying devices allow attackers to dump AES keys and addresses, leading to the capability of live decryption of Radio Frequency transmissions, as demonstrated by an attack against a Logitech K360 keyboard. |
| CVE-2019-13033 | 3 Cisofy, Debian, Fedoraproject | 3 Lynis, Debian Linux, Fedora | 2024-11-21 | 2.1 LOW | 3.3 LOW | In CISOfy Lynis 2.x through 2.7.5, the license key can be obtained by looking at the process list when a data upload is being performed. This license can be used to upload data to a central Lynis server. Although no data can be extracted by knowing the license key, it may be possible to upload the data of additional scans. |
| CVE-2019-13023 | 1 Jetstream | 1 Jetselect | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An issue was discovered in all versions of Bond JetSelect. Within the JetSelect Application, the web interface hides RADIUS secrets, WPA passwords, and SNMP strings from 'non administrative' users using HTML 'password field' obfuscation. By using Developer tools or similar, it is possible to change the obfuscation so that the credentials are visible. |
| CVE-2019-12746 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can then potentially be abused in order to impersonate the agent user. |
| CVE-2019-12708 | 1 Cisco | 4 Spa112, Spa112 Firmware, Spa122 and 1 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to unsafe handling of user credentials. An attacker could exploit this vulnerability by viewing portions of the web-based management interface of an affected device. A successful exploit could allow the attacker to access administrative credentials and potentially ... |
| CVE-2019-12704 | 1 Cisco | 4 Spa112, Spa112 Firmware, Spa122 and 1 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to view the contents of arbitrary files on an affected device. The vulnerability is due to improper input validation in the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to retr ... |
| CVE-2019-12664 | 1 Cisco | 4 4321 Integrated Services Router, 4331 Integrated Services Router, 4351 Integrated Services Router and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | A vulnerability in the Dialer interface feature for ISDN connections in Cisco IOS XE Software for Cisco 4000 Series Integrated Services Routers (ISRs) could allow an unauthenticated, adjacent attacker to pass IPv4 traffic through an ISDN channel prior to successful PPP authentication. The vulnerability is due to insufficient validation of the state of the PPP IP Control Protocol (IPCP). An attacker could exploit this vulnerability by making an ISDN call to an affected device and sending traffic ... |
| CVE-2019-12497 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., name and mail address) can be disclosed in external notes. |
| CVE-2019-12432 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Non-member users who subscribed to issue notifications could access the title of confidential issues through the unsubscription page. It allows Information Disclosure. |
| CVE-2019-12414 | 1 Apache | 1 Superset | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In Apache Incubator Superset before 0.32, a user can view database names to which they have no access in a dropdown list in SQL Lab. |
| CVE-2019-11991 | 1 Hp | 2 3par Service Processor, 3par Service Processor Firmware | 2024-11-21 | 9.7 HIGH | 9.8 CRITICAL | HPE has identified a vulnerability in HPE 3PAR Service Processor (SP) versions 4.1 through 4.4: a remote information disclosure vulnerability which can allow for the disruption of the confidentiality, integrity and availability of the Service Processor and any managed 3PAR arrays. |
| CVE-2019-11658 | 1 Microfocus | 1 Content Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 and 9.3. This vulnerability, when the product is configured to use an Oracle database, allows valid system users to gain access to a limited subset of records they would not normally be able to access when the system is in an undisclosed abnormal state. |
| CVE-2019-11648 | 1 Netiq | 1 Self Service Password Reset | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An information leakage exists in Micro Focus NetIQ Self Service Password Reset Software, all versions prior to version 4.4. The vulnerability could be exploited to expose sensitive information. |
| CVE-2019-11633 | 1 Honeypress Project | 1 Honeypress | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | HoneyPress through 2016-09-27 can be fingerprinted by attackers because of the ingrained unique www.atxsec.com and ayylmao.wpengine.com hostnames within the fake WordPress templates. This allows attackers to discover and avoid this honeypot system. |
| CVE-2019-11605 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in GitLab Community and Enterprise Edition 11.8.x before 11.8.10, 11.9.x before 11.9.11, and 11.10.x before 11.10.3. It allows Information Disclosure. A small number of GitLab API endpoints would disclose project information when using a read_user scoped token. |
| CVE-2019-11545 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in GitLab Community Edition 11.9.x before 11.9.10 and 11.10.x before 11.10.2. It allows Information Disclosure. When an issue is moved to a private project, the private project namespace is leaked to unauthorized users with access to the original issue. |
| CVE-2019-11407 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH | app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 suffers from an information disclosure vulnerability due to excessive debug information, which allows authenticated administrative attackers to obtain credentials and other sensitive information. |
| CVE-2019-11403 | 1 Gradle | 2 Build Cache Node, Enterprise | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL | In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page. |
| CVE-2019-11294 | 1 Cloudfoundry | 2 Capi-release, Cf-deployment | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins. |
| CVE-2019-11282 | 2 Cloudfoundry, Pivotal Software | 2 Cf-deployment, Cloud Foundry Uaa | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to a SCIM injection attack. A remote authenticated malicious user with the scim.invite scope can craft a request with malicious content which can leak information about users of the UAA. |
| CVE-2019-11268 | 1 Pivotal Software | 1 Cloud Foundry Uaa-release | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Cloud Foundry UAA versions prior to 73.3.0 contain endpoints with improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those read privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones. |
| CVE-2019-11233 | 1 Eic | 1 Biyan | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | EXCELLENT INFOTEK BiYan v1.57 ~ v2.8 allows an attacker to leak user information without being authenticated, by sending a LOGIN_ID element to the auth/main/asp/check_user_login_info.aspx URI, and then reading the response, as demonstrated by the KW_EMAIL or KW_TEL field. |
| CVE-2019-11064 | 2 Androvideo, Geovision | 6 Vd 1, Vd 1 Firmware, Gv-vd8700 and 3 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL | A remote credential disclosure vulnerability was discovered in Advan VD-1 firmware versions up to 230. An attacker can export the unencrypted system configuration to obtain the administrator's account and password in plain text via cgibin/ExportSettings.cgi?Export=1 without any authentication. |
| CVE-2019-10667 | 1 Librenms | 1 Librenms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in LibreNMS through 1.47. Information disclosure can occur: an attacker can fingerprint the exact code version installed and disclose local file paths. |
| CVE-2019-10523 | 1 Qualcomm | 46 Apq8009, Apq8009 Firmware, Apq8053 and 43 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | Target-specific data is being sent to a remote server and leads to information exposure in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8053, APQ8096AU, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCA6574AU, QCS605, Rennell, SDA660, SDM429W, SDM439, SDM450, SDM710, SDM845, SM7150, SM8150, SM8250, SXR2130. |
| CVE-2019-10407 | 1 Jenkins | 1 Project Inheritance | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin. |
| CVE-2019-10247 | 4 Debian, Eclipse, Netapp and 1 more | 26 Debian Linux, Jetty, Element and 23 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location in the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it p ... |
| CVE-2019-10246 | 4 Eclipse, Microsoft, Netapp and 1 more | 26 Jetty, Windows, Element and 23 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. |