Total
34640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-7928 | 1 Magento | 1 Magento | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. By abusing insufficient brute-forcing defenses in the token exchange protocol, an unauthenticated attacker could disrupt transactions between the Magento merchant and PayPal.
|
|||||
| CVE-2019-7915 | 1 Magento | 1 Magento | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Under certain conditions, an unauthenticated attacker could force the Magento store's full page cache to serve a 404 page to customers.
|
|||||
| CVE-2019-7904 | 1 Magento | 1 Magento | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
Insufficient enforcement of user access controls in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could enable a low-privileged user to make unauthorized environment configuration changes.
|
|||||
| CVE-2019-7903 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to email templates can execute arbitrary code by previewing a malicious template.
|
|||||
| CVE-2019-7896 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update.
|
|||||
| CVE-2019-7895 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to layouts can execute arbitrary code through a crafted XML layout update.
|
|||||
| CVE-2019-7888 | 1 Magento | 1 Magento | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An information disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to create email templates could leak sensitive data via a malicious email template.
|
|||||
| CVE-2019-7876 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout.
|
|||||
| CVE-2019-7848 | 3 Adobe, Linux, Microsoft | 3 Campaign, Linux Kernel, Windows | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Inadequate access control vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
|
|||||
| CVE-2019-7815 | 3 Adobe, Apple, Microsoft | 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
|
Adobe Acrobat and Reader versions 2019.010.20091 and earlier, 2019.010.20091 and earlier, 2017.011.30120 and earlier version, and 2015.006.30475 and earlier have a data leakage (sensitive) vulnerability. Successful exploitation could lead to information disclosure.
|
|||||
| CVE-2019-7779 | 3 Adobe, Apple, Microsoft | 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010.20099 and earlier, 2017.011.30140 and earlier, 2017.011.30138 and earlier, 2015.006.30495 and earlier, and 2015.006.30493 and earlier have a security bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
|
|||||
| CVE-2019-7745 | 1 Jio | 2 Jmr1140, Jmr1140 Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain the Wi-Fi password by making a cgi-bin/qcmap_web_cgi Page=GetWiFi_Setting request and then reading the wpa_security_key field.
|
|||||
| CVE-2019-7739 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered in Joomla! before 3.9.3. The "No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior. However, it might be unexpected for the user because the configuration dialog lacks an additional message to explain this.
|
|||||
| CVE-2019-7663 | 4 Canonical, Debian, Libtiff and 1 more | 4 Ubuntu Linux, Debian Linux, Libtiff and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900.
|
|||||
| CVE-2019-7651 | 1 Emsisoft | 1 Anti-malware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
EPP.sys in Emsisoft Anti-Malware prior to version 2018.12 allows an attacker to bypass ACLs because Interpreted Device Characteristics lacks FILE_DEVICE_SECURE_OPEN and therefore files and directories "inside" the \\.\EPP device are not properly protected, leading to unintended impersonation or object creation. This vulnerability has been fixed in version 2018.12 and later.
|
|||||
| CVE-2019-7620 | 1 Elastic | 1 Logstash | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. An unauthenticated user who is able to connect to the port the Logstash beats input could send a specially crafted network packet that would cause Logstash to stop responding.
|
|||||
| CVE-2019-7619 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.
|
|||||
| CVE-2019-7549 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.5.10, 11.6.x before 11.6.8, and 11.7.x before 11.7.3. It has Incorrect Access Control. The GitLab pipelines feature is vulnerable to authorization issues that allow unauthorized users to view job information.
|
|||||
| CVE-2019-7489 | 1 Sonicwall | 1 Email Security Appliance | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A vulnerability in SonicWall Email Security appliance allow an unauthenticated user to perform remote code execution. This vulnerability affected Email Security Appliance version 10.0.2 and earlier.
|
|||||
| CVE-2019-7441 | 1 Woocommerce | 1 Paypal Checkout Payment Gateway | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left ...
Show More |
|||||
| CVE-2019-7439 | 1 Jio | 2 Jiofi 4g M2s, Jiofi 4g M2s Firmware | 2024-11-21 | 6.1 MEDIUM | 6.5 MEDIUM |
|
cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices allows a DoS (Hang) via the mask POST parameter.
|
|||||
| CVE-2019-7386 | 2 Kaiostech, Nokia | 3 Kaios, 8810 4g, 8810 4g Firmware | 2024-11-21 | 7.1 HIGH | 6.5 MEDIUM |
|
A Denial of Service issue has been discovered in the Gecko component of KaiOS 2.5 10.05 (platform 48.0.a2) on Nokia 8810 4G devices. When a crafted web page is visited with the internal browser, the Gecko process crashes with a segfault. Successful exploitation could lead to the remote code execution on the device.
|
|||||
| CVE-2019-7309 | 1 Gnu | 1 Glibc | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.
|
|||||
| CVE-2019-7291 | 1 Apple | 1 Airport Base Station Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A denial of service issue was addressed with improved memory handling. This issue is fixed in AirPort Base Station Firmware Update 7.8.1, AirPort Base Station Firmware Update 7.9.1. An attacker in a privileged position may be able to perform a denial of service attack.
|
|||||
| CVE-2019-7288 | 1 Apple | 2 Iphone Os, Mac Os X | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The issue was addressed with improved validation on the FaceTime server. This issue is fixed in macOS Mojave 10.14.3 Supplemental Update, iOS 12.1.4. A thorough security audit of the FaceTime service uncovered an issue with Live Photos .
|
|||||
| CVE-2019-7284 | 1 Apple | 1 Iphone Os | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
This issue was addressed with improved checks. This issue is fixed in iOS 12.2. Processing a maliciously crafted mail message may lead to S/MIME signature spoofing.
|
|||||
| CVE-2019-7283 | 2 Debian, Netkit | 2 Debian Linux, Netkit | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
|
An issue was discovered in rcp in NetKit through 0.17. For an rcp operation, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned. A malicious rsh server (or Man-in-The-Middle attacker) can overwrite arbitrary files in a directory on the rcp client machine. This is similar to CVE-2019-6111.
|
|||||
| CVE-2019-7282 | 3 Debian, Fedoraproject, Netkit | 3 Debian Linux, Fedora, Netkit | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
In NetKit through 0.17, rcp.c in the rcp client allows remote rsh servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. This is similar to CVE-2018-20685.
|
|||||
| CVE-2019-7277 | 1 Optergy | 2 Enterprise, Proton | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Optergy Proton/Enterprise devices allow Unauthenticated Internal Network Information Disclosure.
|
|||||
| CVE-2019-7276 | 1 Optergy | 2 Enterprise, Proton | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.
|
|||||
| CVE-2019-7247 | 1 Amd | 1 Overdrive | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in AODDriver2.sys in AMD OverDrive. The vulnerable driver exposes a wrmsr instruction via IOCTL 0x81112ee0 and does not properly filter the Model Specific Register (MSR). Allowing arbitrary MSR writes can lead to Ring-0 code execution and escalation of privileges.
|
|||||
| CVE-2019-7246 | 1 Amd | 1 Atillk64 | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM |
|
An issue was discovered in atillk64.sys in AMD ATI Diagnostics Hardware Abstraction Sys/Overclocking Utility 5.11.9.0. The vulnerable driver exposes a wrmsr instruction and does not properly filter the Model Specific Register (MSR). Allowing arbitrary MSR writes can lead to Ring-0 code execution and escalation of privileges.
|
|||||
| CVE-2019-7222 | 7 Canonical, Debian, Fedoraproject and 4 more | 18 Ubuntu Linux, Debian Linux, Fedora and 15 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.
|
|||||
| CVE-2019-7216 | 1 Encodable | 1 Filechucker | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
|
An issue was discovered in FileChucker 4.99e-free-e02. filechucker.cgi has a filter bypass that allows a malicious user to upload any type of file by using % characters within the extension, e.g., file.%ph%p becomes file.php.
|
|||||
| CVE-2019-7176 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
|
An issue was discovered in GitLab Community and Enterprise Edition 8.x (starting in 8.9), 9.x, 10.x, and 11.x before 11.5.9, 11.6.x before 11.6.7, and 11.7.x before 11.7.2. It has Incorrect Access Control. Guest users are able to add reaction emojis on comments to which they have no visibility.
|
|||||
| CVE-2019-7174 | 1 Roxyfileman | 1 Roxy Fileman | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Roxy Fileman 1.4.5 allows attackers to execute renamefile.php (aka Rename File), createdir.php (aka Create Directory), fileslist.php (aka Echo File List), and movefile.php (aka Move File) operations.
|
|||||
| CVE-2019-7159 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
OX App Suite 7.10.1 and earlier allows Information Exposure.
|
|||||
| CVE-2019-7158 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
OX App Suite 7.10.0 and earlier has Incorrect Access Control.
|
|||||
| CVE-2019-7107 | 3 Adobe, Apple, Microsoft | 3 Indesign, Mac Os X, Windows | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Adobe InDesign versions 14.0.1 and below have an unsafe hyperlink processing vulnerability. Successful exploitation could lead to arbitrary code execution. Fixed in versions 13.1.1 and 14.0.2.
|
|||||
| CVE-2019-7097 | 3 Adobe, Apple, Microsoft | 3 Dreamweaver, Macos, Windows | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Adobe Dreamweaver versions 19.0 and earlier have an insecure protocol implementation vulnerability. Successful exploitation could lead to sensitive data disclosure if smb request is subject to a relay attack.
|
|||||