Total: 2009 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-17235 | 1 Getigniteup | 1 Igniteup | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows information disclosure. |
| CVE-2019-17234 | 1 Getigniteup | 1 Igniteup | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH | includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows unauthenticated arbitrary file deletion. |
| CVE-2019-17232 | 1 Etoilewebdesign | 1 Ultimate Faq | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Functions/EWD_UFAQ_Import.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows unauthenticated options import. |
| CVE-2019-17219 | 1 Vzug | 2 Combi-stream Mslq, Combi-stream Mslq Firmware | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH | An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. By default, the device does not enforce any authentication. An adjacent attacker is able to use the network interface without proper access control. |
| CVE-2019-17186 | 1 Fiberhome | 2 Hg2201t, Hg2201t Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | /var/WEB-GUI/cgi-bin/telnet.cgi on FiberHome HG2201T 1.00.M5007_JS_201804 devices allows pre-authentication remote code execution. |
| CVE-2019-17146 | 1 Dlink | 4 Dcs-935l, Dcs-935l Firmware, Dcs-960l and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link DCS-960L v1.07.102. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HNAP service, which listens on TCP port 80 by default. When parsing the SOAPAction request header, the process does not properly validate the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code i ... |
| CVE-2019-16907 | 1 Infosysta | 1 In-app & Desktop Notifications | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. It is possible to obtain a list of all valid Jira usernames without authentication/authorization via the plugins/servlet/nfj/UserFilter?searchQuery=@ URI. |
| CVE-2019-16906 | 1 Infosysta | 1 In-app & Desktop Notifications | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. By using plugins/servlet/nfj/PushNotification?username= with a modified username, a different user's notifications can be read without authentication/authorization. These notifications are then no longer displayed to the normal user. |
| CVE-2019-16893 | 1 Tp-link | 2 Tp-sg105e, Tp-sg105e Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | The Web Management of TP-Link TP-SG105E V4 1.0.0 Build 20181120 devices allows an unauthenticated attacker to reboot the device via a reboot.cgi request. |
| CVE-2019-16879 | 1 Mysyngeryss | 2 Husky Rtu 6049-e70, Husky Rtu 6049-e70 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Synergy Systems & Solutions (SSS) HUSKY RTU 6049-E70, with firmware versions 5.0 and prior, has a Missing Authentication for Critical Function (CWE-306) vulnerability. The affected product does not require authentication for TELNET access, which may allow an attacker to change configuration or perform other malicious activities. |
| CVE-2019-16731 | 2 Petwant, Skymee | 4 Pf-103, Pf-103 Firmware, Petalk Ai and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | The udpServerSys service in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to initiate firmware upgrades and alter device settings. |
| CVE-2019-16271 | 1 Dten | 4 D5, D5 Firmware, D7 and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | DTEN D5 and D7 devices before 1.3.2 allow remote attackers to read saved whiteboard image PDF documents via storage/emulated/0/Notes/PDF on TCP port 8080 without authentication. |
| CVE-2019-16258 | 1 Hom.ee | 2 Brain Cube, Brain Cube Core | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM | The bootloader of the homee Brain Cube V2 through 2.23.0 allows attackers with physical access to gain root access by manipulating the U-Boot environment via the CLI after connecting to the internal UART interface. |
| CVE-2019-16243 | 1 Alcatelmobile | 2 Cingular Flip 2, Cingular Flip 2 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an undocumented web API that allows unprivileged JavaScript, including JavaScript running within the KaiOS browser, to view and edit the device's firmware over-the-air update settings. (This web API is normally used by the system application to trigger firmware updates via OmaService.js.) |
| CVE-2019-16199 | 1 Eq-3 | 4 Homematic Ccu2, Homematic Ccu2 Firmware, Homematic Ccu3 and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process. |
| CVE-2019-16004 | 1 Cisco | 1 Vision Dynamic Signage Director | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM | A vulnerability in the REST API endpoint of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The vulnerability is due to missing authentication on some of the API calls. An attacker could exploit this vulnerability by sending a request to one of the affected calls. A successful exploit could allow the attacker to interact with some parts of the API. |
| CVE-2019-16003 | 1 Cisco | 1 Ucs Director | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability in the web-based management interface of Cisco UCS Director could allow an unauthenticated, remote attacker to download system log files from an affected device. The vulnerability is due to an issue in the authentication logic of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to download log files if they were previously generated by an administrator. |
| CVE-2019-15940 | 1 Govicture | 2 Pc530, Pc530 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Victure PC530 devices allow unauthenticated TELNET access as root. |
| CVE-2019-15932 | 1 Intesync | 1 Solismed | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Intesync Solismed 3.3sp has Incorrect Access Control. |
| CVE-2019-15896 | 1 Lifterlms | 1 Lifterlms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. The upload_import function in the class.llms.admin.import.php script is prone to an unauthenticated options import vulnerability that could lead to privilege escalation (administrator account creation), website redirection, and stored XSS. |
| CVE-2019-15895 | 1 Search Exclude Project | 1 Search Exclude | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | search-exclude.php in the "Search Exclude" plugin before 1.2.4 for WordPress allows unauthenticated options changes. |
| CVE-2019-15858 | 1 Webcraftic | 1 Woody Ad Snippets | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution. |
| CVE-2019-15819 | 1 Restaurant Reservations Project | 1 Restaurant Reservations | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The nd-restaurant-reservations plugin before 1.5 for WordPress has no authentication requirement for nd_rst_import_settings_php_function. |
| CVE-2019-15655 | 1 Dlink | 2 Dsl-2875al, Dsl-2875al Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | D-Link DSL-2875AL devices through 1.00.05 are prone to password disclosure via a simple crafted /romfile.cfg request to the web management server. This request doesn't require any authentication and will lead to saving the configuration file. The password is stored in cleartext. |
| CVE-2019-15654 | 1 Comba | 2 Ac2400, Ac2400 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. The request doesn't require any authentication and will lead to saving the DBconfig.cfg file. At the end of the file, the login information is stored in cleartext. |
| CVE-2019-15511 | 1 Gog | 1 Galaxy | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges on a Windows system where GOG Galaxy software is installed. All GOG Galaxy versions before 1.2.60 and all corresponding versions of GOG Galaxy 2.0 Beta are affected. |
| CVE-2019-15506 | 1 Kaseya | 1 Virtual System Administrator | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | An issue was discovered in Kaseya Virtual System Administrator (VSA) through 9.4.0.37. It has a critical information disclosure vulnerability. An unauthenticated attacker can send properly formatted requests to the web application and download sensitive files and information. For example, the /DATAREPORTS directory can be farmed for reports. Because this directory contains the results of reports such as NMAP, Patch Status, and Active Directory domain metadata, an attacker can easily collect this ... |
| CVE-2019-15282 | 1 Cisco | 1 Identity Services Engine Software | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an unauthenticated, remote attacker to read tcpdump files generated on an affected device. The vulnerability is due to an issue in the authentication logic of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to read a tcpdump file generated with a particular nam ... |
| CVE-2019-15129 | 1 Humanica | 1 Humatrix 7 | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates' files in the photo folder on the website by specifying a "user id" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_name] URI. |
| CVE-2019-15106 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm. |
| CVE-2019-15102 | 1 Sahipro | 1 Sahi Pro | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Tyto Sahi Pro 6.x through 8.0.0. TestRunner_Non_distributed (and distributed end points) does not have any authentication mechanism. This allows an attacker to execute an arbitrary script on the remote Sahi Pro server. There is also a password-protected web interface intended for remote access to scripts. This web interface lacks server-side validation, which allows an attacker to create/modify/delete a script remotely without any password. Chaining both of these issues ... |
| CVE-2019-15068 | 1 Gigastone | 2 Smart Battery A4, Smart Battery A4 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | A broken access control vulnerability in Smart Battery A4, a multifunctional portable charger, firmware version <= r1.7.9 allows an attacker to get/reset the administrator's password without any authentication. |
| CVE-2019-15064 | 1 Hinet | 2 Gpon, Gpon Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | HiNet GPON firmware version < I040GWR190731 allows an attacker to log in to the device without any authentication. |
| CVE-2019-15043 | 1 Grafana | 1 Grafana | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. |
| CVE-2019-15018 | 1 Zingbox | 1 Inspector | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | A security vulnerability exists in the Zingbox Inspector versions 1.280 and earlier, where authentication is not required when binding the Inspector instance to a different customer tenant. |
| CVE-2019-14984 | 1 Eq-3 | 4 Homematic Ccu2, Homematic Ccu2 Firmware, Homematic Ccu3 and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request. |
| CVE-2019-14927 | 2 Inea, Mitsubishielectric | 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote configuration download vulnerability allows an attacker to download the smartRTU's configuration file (which contains data such as usernames, passwords, and other sensitive RTU data). |
| CVE-2019-14511 | 1 Sphinxsearch | 1 Sphinx | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen on 127.0.0.1 only). |
| CVE-2019-14253 | 1 Publisure | 1 Publisure | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM | An issue was discovered in servletcontroller in the secure portal in Publisure 2.1.2. One can bypass authentication and perform a query on PHP forms within the /AdminDir folder that should be restricted. |
| CVE-2019-13983 | 1 Rangerstudio | 1 Directus 7 Api | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL | Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php. |