Total: 6931 CVEs
| CVE | Vendors (count, names) | Products (count, names) | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-14883 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |

A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path and their token.

| CVE-2019-14822 | 4 Canonical, Ibus Project, Oracle and 1 more | 4 Ubuntu Linux, Ibus, Zfs Storage Appliance Kit and 1 more | 2024-11-21 | 3.6 LOW | 7.1 HIGH |

A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user.

| CVE-2019-14793 | 1 Metabox | 1 Meta Box | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |

The Meta Box plugin before 4.16.3 for WordPress allows file deletion via AJAX, through the attachment_id parameter of wp-admin/admin-ajax.php?action=rwmb_delete_file.

| CVE-2019-14786 | 1 Rankmath | 1 Seo | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |

The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users to reset the settings via the wp-admin/admin-post.php reset-cmb parameter.

| CVE-2019-14544 | 1 Gogs | 1 Gogs | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |

routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for the deploy keys, collaborators, and hooks routes.

| CVE-2019-14475 | 1 Eq-3 | 4 Ccu2, Ccu2 Firmware, Ccu3 and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |

eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID from CVE-2019-9583, resulting in the ability to read the service messages, clear the system protocol, create a new user in the system, or modify/delete internal programs.

| CVE-2019-14473 | 1 Eq-3 | 4 Ccu2, Ccu2 Firmware, Ccu3 and 1 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |

eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but lack authorization checks. Consequently, a valid guest-level or user-level account can create a new admin-level account, read the service messages, clear the system protocol, modify or delete internal programs, and so on.

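The Moodle entry (CVE-2019-14883) and the two eQ-3 Homematic entries (CVE-2019-14475, CVE-2019-14473) are two halves of one pattern: a token or session ID is checked for validity, but not against the account's current state (Moodle) or the caller's role (Homematic). The block below is an added example, not code from Moodle or eQ-3, of a session store that re-checks both on every use. The role names, the action-to-role table and the session TTL are assumptions made for the example.

```python
# Added example (not Moodle's or eQ-3's code): a session store that re-checks
# account state and role on every use. Roles, actions and TTL are assumptions.
import secrets
import time


class AuthError(Exception):
    pass


class Account:
    def __init__(self, name, role, active=True):
        self.name = name
        self.role = role          # assumed roles: guest < user < admin
        self.active = active


RANK = {"guest": 0, "user": 1, "admin": 2}

# Assumed action -> minimum role. Actions not listed are denied outright.
REQUIRED_ROLE = {
    "fetch_inline_attachment": "user",
    "read_service_messages": "admin",
    "clear_system_protocol": "admin",
    "create_user": "admin",
    "modify_program": "admin",
}


class SessionStore:
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.accounts = {}     # name -> Account
        self._sessions = {}    # token -> (account name, expiry timestamp)

    def add_account(self, acct):
        self.accounts[acct.name] = acct

    def login(self, name):
        acct = self.accounts.get(name)
        if acct is None or not acct.active:
            raise AuthError("unknown or inactive account")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (name, time.time() + self.ttl)
        return token

    def deactivate(self, name):
        # Disabling an account revokes its live sessions as well; the Moodle
        # entry is what happens when this step is skipped.
        self.accounts[name].active = False
        for tok in [t for t, (n, _) in self._sessions.items() if n == name]:
            del self._sessions[tok]

    def authenticate(self, token):
        """Map a token to its Account, re-checking expiry and 'active' so a
        token that somehow escaped revocation still stops working."""
        entry = self._sessions.get(token)
        if entry is None:
            raise AuthError("no such session")
        name, expiry = entry
        acct = self.accounts.get(name)
        if time.time() > expiry or acct is None or not acct.active:
            del self._sessions[token]
            raise AuthError("session expired or account deactivated")
        return acct

    def authorize(self, token, action):
        """Authentication says who is calling; authorization decides whether
        that caller may perform this action. A valid session ID on its own is
        never enough, which is exactly the check the eQ-3 entries lack."""
        acct = self.authenticate(token)
        needed = REQUIRED_ROLE.get(action)
        if needed is None or RANK[acct.role] < RANK[needed]:
            raise AuthError(f"{acct.name} ({acct.role}) may not {action}")
        return acct

    def allowed(self, token, action):
        """Boolean form of authorize(), convenient for callers and tests."""
        try:
            self.authorize(token, action)
            return True
        except AuthError:
            return False
```

Two design choices carry the weight: deactivate() deletes the account's sessions rather than relying on a later check, and authenticate() still re-reads the active flag so a token that was issued before deactivation, or that survived in another store, fails anyway. The action table is deny-by-default; an action nobody thought to list is refused rather than silently allowed.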
| CVE-2019-14116 | 1 Qualcomm | 2 Ipq6018, Ipq6018 Firmware | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |

Privilege escalation by using an altered debug policy image can occur because the XPUs protecting the debug policy regions are disabled during the crash dump boot flow in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, and Snapdragon Wired Infrastructure and Networking, in IPQ6018.

| CVE-2019-13748 | 4 Debian, Fedoraproject, Google and 1 more | 7 Debian Linux, Fedora, Chrome and 4 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |

Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

| CVE-2019-13673 | 1 Google | 1 Chrome | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |

Insufficient data validation in developer tools in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

| CVE-2019-13547 | 1 Advantech | 1 Wise-paas\/rmm | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |

Advantech WISE-PaaS/RMM, versions 3.3.29 and prior, contains an unsecured function that anyone who can reach the IP address can use without authentication.

| CVE-2019-13450 | 2 Ringcentral, Zoom | 2 Ringcentral, Zoom | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |

In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/. ...

| CVE-2019-13408 | 2 Androvideo, Geovision | 6 Vd 1, Vd 1 Firmware, Gv-vd8700 and 3 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |

A relative path traversal vulnerability was found in Advan VD-1 firmware versions up to 230. It allows attackers to download arbitrary files, without any authentication, via the URL cgibin/ExportSettings.cgi?Download=filepath.

| CVE-2019-13047 | 1 Toaruos Project | 1 Toaruos | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |

kernel/sys/syscall.c in ToaruOS through 1.10.9 has incorrect access control in sys_sysfunc case 9 for TOARU_SYS_FUNC_SETHEAP, allowing arbitrary kernel pages to be mapped into user land, leading to root access.

| CVE-2019-13013 | 2 Apple, Obdev | 2 Macos, Little Snitch | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |

Little Snitch versions 4.3.0 to 4.3.2 have a local privilege escalation vulnerability in their privileged helper tool. The privileged helper tool implements an XPC interface which is available to any process and allows directory listings and copying files as root.

| CVE-2019-12944 | 1 Gluehome | 2 Glue Smart Lock, Glue Smart Lock Firmware | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |

Glue Smart Lock 2.7.8 devices do not properly block guest access in certain situations where the network connection is unavailable.

| CVE-2019-12942 | 1 Ttlock | 1 Ttlock | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |

TTLock devices do not properly block guest access in certain situations where the network connection to the cloud is unavailable.

| CVE-2019-12926 | 1 Mailenable | 1 Mailenable | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |

MailEnable Enterprise Premium 10.23 did not apply appropriate access control checks in a number of areas. As a result, a logged-in user could perform a number of actions they should not have had permission to perform, and could reach areas of the application for which their account was supposed to have insufficient access.

| CVE-2019-12875 | 1 Alpinelinux | 1 Abuild | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |

Alpine Linux abuild through 3.4.0 allows an unprivileged member of the abuild group to add an untrusted package via a --keys-dir option that causes acceptance of an untrusted signing key.

| CVE-2019-12734 | 1 Sitevision | 1 Sitevision | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |

SiteVision 4 has Incorrect Access Control.

| CVE-2019-12498 | 1 3cx | 1 Live Chat | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |

The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection mechanism.

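The Meta Box (CVE-2019-14793), Rank Math (CVE-2019-14786) and WP Live Chat Support (CVE-2019-12498) entries are all admin-side actions reachable with fewer checks than they need: a delete driven by a caller-chosen attachment_id, a settings reset open to non-admins, and REST routes served without their permission check. The block below is an added example, not the plugins' or WordPress's code. It shows the three checks such an action needs (a nonce bound to user and action, a capability check, and an object-level ownership check) and a REST dispatcher that fails closed when a route has no permission callback. The user table, capability names, attachment records and nonce scheme are constructed for the example.

```python
# Added example (not Meta Box's, Rank Math's, WP Live Chat's or WordPress's
# code): the checks an admin-side action needs. Users, capabilities,
# attachments and the nonce key are constructed for the example.
import hashlib
import hmac

NONCE_KEY = b"assumed server-side secret; load from configuration in practice"


class Forbidden(Exception):
    pass


def make_nonce(user_id, action):
    """A nonce bound to both user and action cannot be replayed for another
    action or presented by another user."""
    msg = f"{user_id}:{action}".encode()
    return hmac.new(NONCE_KEY, msg, hashlib.sha256).hexdigest()[:32]


def check_nonce(nonce, user_id, action):
    return hmac.compare_digest(nonce or "", make_nonce(user_id, action))


# Constructed state. Capability names follow WordPress conventions.
USERS = {
    1: {"caps": {"manage_options", "delete_others_posts", "upload_files"}},  # admin
    2: {"caps": {"upload_files"}},                                           # contributor
}
ATTACHMENTS = {
    10: {"owner": 1, "path": "uploads/2019/report.pdf"},
    11: {"owner": 2, "path": "uploads/2019/draft.png"},
}


def delete_attachment(request, user_id):
    """Hardened 'delete file' action. The shape the Meta Box entry describes is
    this function with everything before the final pop() removed."""
    action = "rwmb_delete_file"                     # action name from the entry
    if not check_nonce(request.get("nonce"), user_id, action):
        raise Forbidden("bad or missing nonce (CSRF)")
    att_id = int(request.get("attachment_id", -1))
    att = ATTACHMENTS.get(att_id)
    if att is None:
        raise Forbidden("no such attachment")
    caps = USERS[user_id]["caps"]
    # Object-level check: the owner may delete their own upload; touching
    # another user's file needs a capability that covers others' content.
    if att["owner"] != user_id and "delete_others_posts" not in caps:
        raise Forbidden("not the owner and no delete_others_posts")
    return ATTACHMENTS.pop(att_id)["path"]


def reset_settings(request, user_id):
    """The Rank Math entry: a settings reset needs an admin capability, not
    just a logged-in user."""
    if not check_nonce(request.get("nonce"), user_id, "reset-cmb"):
        raise Forbidden("bad or missing nonce (CSRF)")
    if "manage_options" not in USERS[user_id]["caps"]:
        raise Forbidden("manage_options required")
    return "settings reset"


def is_admin(user_id):
    return "manage_options" in USERS[user_id]["caps"]


# The WP Live Chat entry: routes that skipped the permission check. Here a
# route without a permission callback is refused rather than served.
ROUTES = {
    "/wplc/v1/chats": {"handler": lambda uid: "chat list", "permission": is_admin},
    "/wplc/v1/status": {"handler": lambda uid: "status", "permission": None},
}


def rest_dispatch(route, user_id):
    spec = ROUTES[route]
    perm = spec["permission"]
    if perm is None or not perm(user_id):        # fail closed
        raise Forbidden(f"{route}: permission callback missing or denied")
    return spec["handler"](user_id)
```

In WordPress itself these three roles are played by check_ajax_referer() (nonce), current_user_can() (capability) and the permission_callback argument of register_rest_route(); the point of the toy is the order and the fail-closed default, not the API names. Note that the nonce check alone would not have prevented any of the three CVEs, since each was exploitable by a logged-in user acting on their own behalf: the capability and ownership checks are the ones that matter there.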
| CVE-2019-12470 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |

Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control: a suppressed log entry is exposed on the RevisionDelete page. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

| CVE-2019-12469 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |

MediaWiki through 1.32.1 has Incorrect Access Control: a suppressed username or log entry is exposed in Special:EditTags. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

| CVE-2019-12274 | 1 Suse | 1 Rancher | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

| CVE-2019-12168 | 1 Four-faith | 2 F3x24, F3x24 Firmware | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |

Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.

| CVE-2019-11875 | 1 Blueprism | 1 Robotic Process Automation | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |

In AutomateAppCore.dll in Blue Prism Robotic Process Automation 6.4.0.8445, a vulnerability in access control can be exploited to escalate privileges. The vulnerability allows for abusing the application for fraud or unauthorized access to certain information. The attack requires a valid user account to connect to the Blue Prism server, but the roles associated to this account are not required to have any permissions. First of all, the application files are modified to grant full permissions on ...

| CVE-2019-11785 | 1 Odoo | 1 Odoo | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |

Improper access control in the mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows remote authenticated users to obtain access to messages posted on business records they were not given access to, and to subscribe to receive future messages.

| CVE-2019-11784 | 1 Odoo | 1 Odoo | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |

Improper access control in the mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to.

| CVE-2019-11783 | 1 Odoo | 1 Odoo | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |

Improper access control in the mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier allows remote authenticated users to subscribe to arbitrary mail channels uninvited.

| CVE-2019-11761 | 2 Canonical, Mozilla | 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |

By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.

| CVE-2019-11702 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |

A hyperlink using protocols associated with Internet Explorer, such as IE.HTTP:, can be used to open local files at a known location with Internet Explorer if a user approves execution when prompted. *Note: this issue only occurs on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 67.0.2.

| CVE-2019-11700 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |

A hyperlink using the res: protocol can be used to open local files at a known location in Internet Explorer if a user approves execution when prompted. *Note: this issue only occurs on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 67.

| CVE-2019-11611 | 1 Doorgets | 1 Doorgets Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/download.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.

| CVE-2019-11610 | 1 Doorgets | 1 Doorgets Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/downloaddir.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.

| CVE-2019-11609 | 1 Doorgets | 1 Doorgets Cms | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/movefile.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information or make the server unserviceable.

| CVE-2019-11608 | 1 Doorgets | 1 Doorgets Cms | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/renamefile.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information or make the server unserviceable.

| CVE-2019-11607 | 1 Doorgets | 1 Doorgets Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/copydir.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.

| CVE-2019-11606 | 1 Doorgets | 1 Doorgets Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/copyfile.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.

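The Advan VD-1 entry (CVE-2019-13408) and the six doorGets /fileman/php entries (CVE-2019-11606 through CVE-2019-11611) share two defects: file operations driven by a caller-supplied path, and no authentication in front of them. The block below is an added example, not the firmware's or doorGets' code, of a file-manager handler that authenticates first and then resolves every path inside a fixed root before reading, listing, renaming or copying. The session list and directory layout are constructed for the example. The same containment check is the fix for the Rancher entry (CVE-2019-12274), where a user-chosen local file path was read and posted on the user's behalf.

```python
# Added example (not the Advan firmware's or doorGets' code): authenticate
# first, then confine every caller-supplied path to a fixed root.
import os
import shutil


class Denied(Exception):
    pass


def safe_join(root, user_path):
    """Resolve user_path beneath root and refuse anything that escapes it.
    Comparing real paths catches '..', absolute paths and symlinks alike:
    os.path.join() yields user_path unchanged when it is absolute, and
    realpath() follows symlinks, so both land outside root and are refused."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise Denied(f"path escapes root: {user_path!r}")
    return candidate


class FileManager:
    """Each operation checks the session before it looks at the path; the
    doorGets endpoints above were reachable with no session at all."""

    def __init__(self, root, valid_sessions):
        self.root = root
        self.valid_sessions = set(valid_sessions)

    def _require_session(self, session):
        if session not in self.valid_sessions:
            raise Denied("authentication required")

    def download(self, session, path):      # ExportSettings.cgi?Download=, download.php
        self._require_session(session)
        with open(safe_join(self.root, path), "rb") as f:
            return f.read()

    def listdir(self, session, path="."):   # downloaddir.php / copydir.php style
        self._require_session(session)
        return sorted(os.listdir(safe_join(self.root, path)))

    def rename(self, session, src, dst):    # renamefile.php / movefile.php
        self._require_session(session)
        os.rename(safe_join(self.root, src), safe_join(self.root, dst))
        return True

    def copy(self, session, src, dst):      # copyfile.php
        self._require_session(session)
        shutil.copyfile(safe_join(self.root, src), safe_join(self.root, dst))
        return True
```

Two details matter. The destination of a rename or copy goes through safe_join() as well, since writing outside the root is as bad as reading outside it; and the comparison is against the real path with a trailing separator, so a root of /srv/www does not accept /srv/wwwroot. A symlink planted inside the root that points outside it is refused for the same reason.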
| CVE-2019-11248 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |

The Go pprof debugging endpoint /debug/pprof is exposed over the Kubelet's unauthenticated healthz port. It can leak sensitive information such as internal Kubelet memory addresses and configuration, and allows a limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but it is not exposed by the default configuration.

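The Zoom/RingCentral entry (CVE-2019-13450) and the Kubelet entry (CVE-2019-11248) both come down to a local HTTP listener that answers anyone who can reach its port. The block below is an added example, not Zoom's, RingCentral's or Kubernetes' code. It probes a host for listeners on the ports the entries name and, for the kubelet, checks whether GET /debug/pprof/ on the healthz port answers 200. Port 10248 is the kubelet's default healthz port; the hosts you probe are your own input.

```python
# Added example (not Zoom's, RingCentral's or Kubernetes' code): probe for a
# local HTTP listener and check what it serves. Hosts are caller input.
import socket

ZOOM_LOCAL_PORTS = (19421, 19424)      # from the Zoom/RingCentral entry
KUBELET_HEALTHZ_PORT = 10248           # kubelet's default --healthz-port
PPROF_PATH = "/debug/pprof/"           # from the Kubernetes entry


def port_listening(host, port, timeout=0.5):
    """True if a TCP connect to host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def http_status(host, port, path="/", timeout=1.0):
    """Minimal HTTP/1.0 GET. Returns the numeric status, or None if nothing
    answers or the answer is not HTTP. Raw sockets rather than urllib, so a
    listener that speaks something else cannot confuse the result."""
    req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            head = s.recv(512)
    except OSError:
        return None
    line = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(line) < 2 or not line[0].startswith("HTTP/") or not line[1].isdigit():
        return None
    return int(line[1])


def lingering_local_servers(host="127.0.0.1", ports=ZOOM_LOCAL_PORTS):
    """Ports in `ports` that accept a connection on `host`. After the client
    has been uninstalled the expected answer is an empty list; anything else
    is the leftover web server the Zoom entry warns about."""
    return [p for p in ports if port_listening(host, p)]


def pprof_exposed(host, port=KUBELET_HEALTHZ_PORT):
    """True when /debug/pprof/ on the healthz port answers 200."""
    return http_status(host, port, PPROF_PATH) == 200
```

Run pprof_exposed() against the node's non-loopback address from another host: the kubelet's default healthz bind address is 127.0.0.1, which is what the entry means by "not exposed by the default configuration", so a probe from the node itself succeeds on any affected version and says nothing about remote exposure. For the Zoom case, lingering_local_servers() on the Mac itself is the right check, since the attack is a web page reaching loopback.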
| CVE-2019-10868 | 2 Debian, Tryton | 2 Debian Linux, Trytond | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |

In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records by a field for which they have no access rights. This may allow the user to infer its values.

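The Tryton entry (CVE-2019-10868) describes an inference leak rather than a direct read: sorting by a field you cannot see reveals that field's ordering across every record you can see. The block below is an added example, not Tryton's code, with constructed records and a constructed field ACL. It shows the vulnerable shape (the ACL filters returned columns but not the sort key), what an unprivileged user learns from it, and the check that closes it.

```python
# Added example (not Tryton's code): field-level access must cover the sort
# key, not only the returned columns. Records and ACL are constructed.


class AccessError(Exception):
    pass


# Constructed records; 'salary' is the protected field.
RECORDS = [
    {"id": 1, "name": "Ada", "salary": 9000},
    {"id": 2, "name": "Bob", "salary": 4000},
    {"id": 3, "name": "Cleo", "salary": 6500},
]

# Constructed field ACL: which fields each role may read.
FIELD_READ = {
    "hr": {"id", "name", "salary"},
    "staff": {"id", "name"},
}


def _project(rows, allowed):
    return [{k: v for k, v in r.items() if k in allowed} for r in rows]


def search_unchecked(role, order_by):
    """Vulnerable shape: the ACL is applied to the columns that come back,
    but the sort runs over the raw records, hidden field included."""
    allowed = FIELD_READ[role]
    rows = sorted(RECORDS, key=lambda r: r[order_by])
    return _project(rows, allowed)


def search_checked(role, order_by):
    """Fixed shape: the sort key is subject to the same read check."""
    allowed = FIELD_READ[role]
    if order_by not in allowed:
        raise AccessError(f"{role!r} may not order by {order_by!r}")
    rows = sorted(RECORDS, key=lambda r: r[order_by])
    return _project(rows, allowed)


def infer_rank(role, field):
    """What the caller learns from the vulnerable version: the ids in
    ascending order of a field that never appears in the output."""
    return [r["id"] for r in search_unchecked(role, field)]
```

The leak needs no error message and no value in the response; the order of ids is the signal. Combined with filters on visible fields it narrows down individual values, which is the "guess values" the entry refers to. Any field the user may not read must be rejected as a sort key, a group key or a filter key, not only as a column.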