Total: 1587 CVEs (40 shown on this page)

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-19086 | Gitlab | Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 1 of 2). |
| CVE-2019-18958 | Gonitro | Nitro Pro | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | Nitro Pro before 13.2 creates a debug.log file in the directory where a .pdf file is located, if the .pdf document was produced by an OCR operation on the JPEG output of a scanner. Reportedly, this can have a security risk if debug.log is later edited and then executed. |
| CVE-2019-18895 | Microsoft, Scanguard | Windows, Scanguard Antivirus | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | Scanguard through 2019-11-12 on Windows has Insecure Permissions for the installation directory, leading to privilege escalation via a Trojan horse executable file. |
| CVE-2019-18856 | Drupal | Svg Sanitizer | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | A Denial of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled. |
| CVE-2019-18577 | Dell | Xtremio Management Server | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM | Dell EMC XtremIO XMS versions prior to 6.3.0 contain an incorrect permission assignment vulnerability. A malicious local user with XtremIO xinstall privileges may exploit this vulnerability to gain root access. |
| CVE-2019-18463 | Gitlab | Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition through 12.4. It has Insecure Permissions (issue 4 of 4). |
| CVE-2019-18462 | Gitlab | Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4. It has Insecure Permissions. |
| CVE-2019-18459 | Gitlab | Gitlab | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 11.3 to 12.3 in the protected environments feature. It has Insecure Permissions (issue 3 of 4). |
| CVE-2019-18456 | Gitlab | Gitlab | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 8.17 through 12.4 in the Search feature provided by Elasticsearch integration. It has Insecure Permissions (issue 1 of 4). |
| CVE-2019-18453 | Gitlab | Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 11.6 through 12.4 in the add comments via email feature. It has Insecure Permissions. |
| CVE-2019-18452 | Gitlab | Gitlab | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4 when moving an issue to a public project from a private one. It has Insecure Permissions. |
| CVE-2019-18450 | Gitlab | Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the Project labels feature. It has Insecure Permissions. |
| CVE-2019-18449 | Gitlab | Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the autocomplete feature. It has Insecure Permissions (issue 2 of 2). |
| CVE-2019-18447 | Gitlab | Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Insecure Permissions. |
| CVE-2019-18446 | Gitlab | Gitlab | 2024-11-21 | 5.5 MEDIUM | 4.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4. It has Insecure Permissions (issue 1 of 2). |
| CVE-2019-18422 | Debian, Fedoraproject, Xen | Debian Linux, Fedora, Xen | 2024-11-21 | 8.5 HIGH | 8.8 HIGH | An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. Interrupts are unconditionally unmasked in exception handlers. When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. A malicio ... |
| CVE-2019-18409 | Zenspider | Ruby Parser-legacy | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local privilege escalation because of world-writable files. For example, if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used, a local user can insert malicious code into the ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file. |
| CVE-2019-18255 | Ge | Ifix | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through section objects. This may allow privilege escalation. |
| CVE-2019-18243 | Ge | Ifix | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through the registry. This may allow privilege escalation. |
| CVE-2019-18192 | Gnu | Guix | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | GNU Guix 1.0.1 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365. |
| CVE-2019-17388 | Aviatrix, Freebsd, Linux and 1 more | Vpn Client, Freebsd, Linux Kernel and 1 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | Weak file permissions applied to the Aviatrix VPN Client through 2.2.10 installation directory on Windows and Linux allow a local attacker to execute arbitrary code by gaining elevated privileges through file modifications. |
| CVE-2019-17051 | Evernote | Evernote | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | Evernote before 7.13 GA on macOS allows code execution because the com.apple.quarantine attribute is not used for attachment files, as demonstrated by a one-click attack involving a drag-and-drop operation on a crafted Terminal file. |
| CVE-2019-16784 | Microsoft, Pyinstaller | Windows, Pyinstaller | 2024-11-21 | 4.4 MEDIUM | 7.0 HIGH | In PyInstaller before version 3.6, only on Windows, a local privilege escalation vulnerability is present in this particular case: if software using PyInstaller in "onefile" mode is launched by a user more privileged than the current one whose "TempPath" resolves to a world-writable directory. This is the case for example if the software is launched as a service or as a scheduled task using a system account (TempPath will be C:\Windows\Temp). In order to be exploitable the ... |
| CVE-2019-16406 | Centreon | Centreon Web | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron. |
| CVE-2019-16354 | Beego | Beego | 2024-11-21 | 1.9 LOW | 4.7 MEDIUM | The File Session Manager in Beego 1.10.0 allows local users to read session files because there is a race condition involving file creation within a directory with weak permissions. |
| CVE-2019-16187 | Limesurvey | Limesurvey | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script. |
| CVE-2019-15721 | Gitlab | Gitlab | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 10.8 through 12.2.1. An internal endpoint unintentionally allowed group maintainers to view and edit group runner settings. |
| CVE-2019-15340 | Mi | Redmi 6, Redmi 6 Firmware | 2024-11-21 | 2.1 LOW | 3.3 LOW | The Xiaomi Redmi 6 Pro Android device with build fingerprint xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V9.6.4.0.ODMMIFD:user/release-keys contains a pre-installed app with package name com.huaqin.factory (versionCode=1, versionName=QL1715_201805292006) that allows any app co-located on the device to programmatically disable and enable Wi-Fi, Bluetooth, and GPS without the corresponding access permission through an exported interface. |
| CVE-2019-15339 | Lavamobiles | Z60s, Z60s Firmware | 2024-11-21 | 2.1 LOW | 3.3 LOW | The Lava Z60s Android device with build fingerprint LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with package name com.android.lava.powersave (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. |
| CVE-2019-15338 | Lavamobiles | Iris 88, Iris 88 Firmware | 2024-11-21 | 2.1 LOW | 3.3 LOW | The Lava Iris 88 Lite Android device with build fingerprint LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys contains a pre-installed app with package name com.android.lava.powersave (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. |
| CVE-2019-15337 | Lavamobiles | Z81, Z81 Firmware | 2024-11-21 | 2.1 LOW | 3.3 LOW | The Lava Z81 Android device with build fingerprint LAVA/Z81/Z81:8.1.0/O11019/1532317309:user/release-keys contains a pre-installed app with package name com.android.lava.powersave (versionCode=400, versionName=v4.0.31) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. |
| CVE-2019-15336 | Lavamobiles | Z61, Z61 Firmware | 2024-11-21 | 2.1 LOW | 3.3 LOW | The Lava Z61 Turbo Android device with build fingerprint LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys contains a pre-installed app with package name com.android.lava.powersave (versionCode=400, versionName=v4.0.31) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. |
| CVE-2019-15335 | Lavamobiles | Z92, Z92 Firmware | 2024-11-21 | 2.1 LOW | 3.3 LOW | The Lava Z92 Android device with build fingerprint LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keys contains a pre-installed app with package name com.android.lava.powersave (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. |
| CVE-2019-15334 | Lavamobiles | Iris 88, Iris 88 Firmware | 2024-11-21 | 2.1 LOW | 3.3 LOW | The Lava Iris 88 Go Android device with build fingerprint LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys contains a pre-installed app with package name com.android.lava.powersave (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. |
| CVE-2019-15333 | Lavamobiles | Flair Z1, Flair Z1 Firmware | 2024-11-21 | 2.1 LOW | 3.3 LOW | The Lava Flair Z1 Android device with build fingerprint LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys contains a pre-installed app with package name com.android.lava.powersave (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. |
| CVE-2019-15316 | Microsoft, Valvesoftware | Windows, Steam Client | 2024-11-21 | 6.9 MEDIUM | 7.0 HIGH | Valve Steam Client for Windows through 2019-08-20 has weak folder permissions, leading to privilege escalation (to NT AUTHORITY\SYSTEM) via crafted use of CreateMountPoint.exe and SetOpLock.exe to leverage a TOCTOU race condition. |
| CVE-2019-15315 | Microsoft, Valvesoftware | Windows, Steam Client | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | Valve Steam Client for Windows through 2019-08-16 allows privilege escalation (to NT AUTHORITY\SYSTEM) because local users can replace the current versions of SteamService.exe and SteamService.dll with older versions that lack the CVE-2019-14743 patch. |
| CVE-2019-15084 | Maxx | Waves Maxx Audio | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, installs with incorrect file permissions. As a result, a local attacker can escalate to SYSTEM. |
| CVE-2019-14969 | Netwrix | Auditor | 2024-11-21 | 6.9 MEDIUM | 7.8 HIGH | Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation, and thus the target file will have the same permissions as the invoking process (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by a low-privileged user to perform DLL Hijacking/Bi ... |
| CVE-2019-14935 | 3cx, Microsoft | 3cx, Windows | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | 3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link. |
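Several entries above share one mechanism: a privileged process reads or creates a file inside a directory that a less privileged user can write to. CVE-2019-18192 has a world-writable parent above per-user profile directories, CVE-2019-18409 a world-writable library file, CVE-2019-16354 a create-then-chmod race in a weakly permissioned session directory, and CVE-2019-16784 a world-writable temp directory used by a privileged process. The Python script below is an added example, not code from any of the affected projects or from the CVE records: it audits a directory tree for world-writable files and for world-writable directories that lack the sticky bit, and places the vulnerable create-then-chmod pattern beside a hardened creation that refuses a directory owned by someone else or writable by others and opens with O_CREAT|O_EXCL at mode 0600. The layout that demo() builds under a temporary root, the function names and the finding strings are this example's own and are constructed for the demonstration; it is POSIX only.

```python
"""Added example (not from the CVE records or the affected projects):
audit a tree for the permission weaknesses behind CVE-2019-18192,
CVE-2019-18409 and CVE-2019-16354, and show the create-then-chmod race
beside a hardened creation. POSIX only; the layout in demo() is constructed."""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    reason: str


def audit_tree(root: str) -> list[Finding]:
    """Flag world-writable files (anyone can replace their contents) and
    world-writable directories without the sticky bit (anyone can delete,
    rename or pre-create entries belonging to other users). lstat is used
    and symlinks are skipped so a planted link cannot redirect the audit."""
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append(Finding(path, "world-writable directory without sticky bit"))
            elif mode & stat.S_IWOTH:
                findings.append(Finding(path, "world-writable file"))
    return findings


def create_vulnerable(directory: str, name: str, data: bytes) -> str:
    """Vulnerable pattern: open() honours the umask and follows symlinks, and
    the file stays readable by others until chmod() runs. In a directory that
    others can write to, they can also plant `name` before this call."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)  # the window before this line is the race
    return path


def create_hardened(directory: str, name: str, data: bytes) -> str:
    """Hardened pattern: refuse a directory owned by someone else or writable
    by group/others, then create with O_CREAT|O_EXCL so an existing file or
    symlink at `name` fails instead of being followed; mode 0600 is applied
    at creation, so there is no chmod window."""
    st = os.lstat(directory)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{directory} is not a directory")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{directory} is not owned by the current user")
    if stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{directory} is writable by other users")
    path = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def demo() -> dict:
    """Constructed layout under a private temp root: a world-writable
    'per-user' parent holding a world-writable library file (the Guix and
    ruby_parser-legacy shapes) and a private 'sessions' directory."""
    root = tempfile.mkdtemp(prefix="perm-audit-")  # mkdtemp creates it 0700
    weak = os.path.join(root, "per-user")
    os.mkdir(weak)
    os.chmod(weak, 0o777)  # chmod, not a mkdir mode: mkdir is masked by umask
    lib = os.path.join(weak, "ruby_parser.rb")
    with open(lib, "w") as f:
        f.write("# library code\n")
    os.chmod(lib, 0o666)
    private = os.path.join(root, "sessions")
    os.mkdir(private, 0o700)

    findings = sorted((os.path.relpath(f.path, root), f.reason) for f in audit_tree(root))
    hardened = create_hardened(private, "sess_1", b"token")
    try:
        create_hardened(weak, "sess_2", b"token")
        refused = False
    except PermissionError:
        refused = True
    vulnerable = create_vulnerable(weak, "sess_3", b"token")
    return {
        "findings": findings,
        "hardened_mode": stat.S_IMODE(os.stat(hardened).st_mode),
        "weak_dir_refused": refused,
        "vulnerable_created": os.path.exists(vulnerable),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run audit_tree() as the user whose files you are checking, pointed at an install prefix, a profiles parent or a temp directory used by a service; the ownership check in create_hardened() is the one a pre-created directory belonging to another user would fail. On Windows the same audit means reading the DACL of the installation or log directory for write or Full Control entries granted to Everyone, Users or Authenticated Users, which is the shape of the Scanguard, 3CX and Netwrix entries above; stdlib Python has no DACL reader, so that check is out of scope for this script.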