Total
34640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10906 | 5 Canonical, Fedoraproject, Opensuse and 2 more | 5 Ubuntu Linux, Fedora, Leap and 2 more | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
|
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
|
|||||
| CVE-2019-10876 | 2 Openstack, Redhat | 2 Neutron, Openstack | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those security groups are present, because of an Open vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing neutron-openvswitch-agent are affected.
|
|||||
| CVE-2019-10853 | 1 Computrols | 1 Computrols Building Automation Software | 2024-11-21 | 8.3 HIGH | 8.1 HIGH |
|
Computrols CBAS 18.0.0 allows Authentication Bypass.
|
|||||
| CVE-2019-10845 | 1 Uniqkey | 1 Password Manager | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
An issue was discovered in Uniqkey Password Manager 1.14. When entering new credentials to a site that isn't registered within this product, a pop-up window will appear asking the user if they want to save these new credentials. The code of the pop-up window can be read and, to some extent, manipulated by remote servers. This pop-up window will stay on any page the user visits within the browser until a decision is made. A malicious web server can forcefully manipulate the pop-up and cause it no ...
Show More |
|||||
| CVE-2019-10844 | 1 Sony | 1 Neural Network Libraries | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries (aka nnabla) through v1.0.14 relies on the HOME environment variable, which might be untrusted.
|
|||||
| CVE-2019-10798 | 1 Rdf-graph-array Project | 1 Rdf-graph-array | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
rdf-graph-array through 0.3.0-rc6 manipulation of JavaScript objects resutling in Prototype Pollution. The rdf.Graph.prototype.add method could be tricked into adding or modifying properties of Object.prototype.
|
|||||
| CVE-2019-10760 | 1 Safer-eval Project | 1 Safer-eval | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
|
|||||
| CVE-2019-10759 | 1 Safer-eval Project | 1 Safer-eval | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
|
|||||
| CVE-2019-10724 | 1 Lenovo | 216 100e 2nd Gen, 100e 2nd Gen Firmware, 300e 2nd Gen and 213 more | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM |
|
There is a vulnerability with the Dolby DAX2 API system services in which a low-privileged user can terminate arbitrary processes that are running at a higher privilege. The following are affected products and versions: Legion Y520T_Z370 6.0.1.8642, AIO310-20IAP 6.0.1.8642, AIO510-22ISH 6.0.1.8642, AIO510-23ISH 6.0.1.8642, AIO520-22IKL 6.0.1.8642, AIO520-22IKU 6.0.1.8642, AIO520-24IKL 6.0.1.8642, AIO520-24IKU 6.0.1.8642, AIO520-27IKL 6.0.1.8642, AIO720-24IKB 6.0.1.8642, IdeaCentre 520S-23IKU 6.0 ...
Show More |
|||||
| CVE-2019-10711 | 1 Hisilicon | 2 Hi3510, Hi3510 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Incorrect access control in the RTSP stream and web portal on all IP cameras based on Hisilicon Hi3510 firmware (until Webware version V1.0.1) allows attackers to view an RTSP stream by connecting to the stream with hidden credentials (guest or user) that are neither displayed nor configurable in the camera's CamHi or keye mobile management application. This affects certain devices labeled as HI3510, HI3518, LOOSAFE, LEVCOECAM, Sywstoda, BESDER, WUSONGLUSAN, GADINAN, Unitoptek, ESCAM, etc.
|
|||||
| CVE-2019-10691 | 2 Dovecot, Opensuse | 2 Dovecot, Leap | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.
|
|||||
| CVE-2019-10651 | 1 Ivanti | 1 Endpoint Manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in the Core Server in Ivanti Endpoint Manager (EPM) 2017.3 before SU7 and 2018.x before 2018.3 SU3, with remote code execution. In other words, the issue affects 2017.3, 2018.1, and 2018.3 installations that lack the April 2019 update.
|
|||||
| CVE-2019-10637 | 1 Marvell | 38 88ss1074, 88ss1074 Firmware, 88ss1079 and 35 more | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
|
Marvell SSD Controller (88SS1074, 88SS1079, 88SS1080, 88SS1093, 88SS1092, 88SS1095, 88SS9174, 88SS9175, 88SS9187, 88SS9188, 88SS9189, 88SS9190, 88SS1085, 88SS1087, 88SS1090, 88SS1100, 88SS1084, 88SS1088, & 88SS1098) devices are vulnerable in manipulating a combination of IO pins to bypass the secure boot protection mechanism.
|
|||||
| CVE-2019-10617 | 1 Qualcomm | 2 Qca6174, Qca6174 Firmware | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Low privilege users can access service configuration which contains registry data that admins uses to create or delete entries in the registry in QCA6174_9377.WIN.1.0 in QCA6174_9377
|
|||||
| CVE-2019-10608 | 1 Qualcomm | 6 Apq8009, Apq8009 Firmware, Msm8905 and 3 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
Information disclosure issue occurs as there is no binding between the secure keypad session and the secure display session that allows user to take control of the REE to stop the secure keypad session and read the keypad input. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8009, MSM8905, MSM8909
|
|||||
| CVE-2019-10596 | 1 Qualcomm | 38 Bitra, Bitra Firmware, Nicobar and 35 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
u'Improper access control can lead signed process to guess pid of other processes and access their address space' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in Bitra, Nicobar, QCS605, QCS610, Rennell, SA6155P, Saipan, SC7180, SC8180X, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
|
|||||
| CVE-2019-10482 | 1 Qualcomm | 98 Apq8009, Apq8009 Firmware, Apq8017 and 95 more | 2024-11-21 | 7.1 HIGH | 5.9 MEDIUM |
|
Due to the use of non-time-constant comparison functions there is issue in timing side channels which can be used as a potential side channel for SUI corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, ...
Show More |
|||||
| CVE-2019-10356 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts.
|
|||||
| CVE-2019-10306 | 1 Jenkins | 1 Ontrack | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
A sandbox bypass vulnerability in Jenkins ontrack Plugin 3.4 and earlier allowed attackers with control over ontrack DSL definitions to execute arbitrary code on the Jenkins master JVM.
|
|||||
| CVE-2019-10271 | 1 Ultimatemember | 1 Ultimate Member | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. It is possible to modify the profile and cover picture of any user once one is connected. One can also modify the profiles and cover pictures of privileged users. To perform such a modification, one first needs to (for example) intercept an upload-picture request and modify the user_id parameter.
|
|||||
| CVE-2019-10256 | 1 Vivotek | 1 Camera | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An authentication bypass vulnerability in VIVOTEK IPCam versions prior to 0x13a was found.
|
|||||
| CVE-2019-10211 | 2 Microsoft, Postgresql | 2 Windows, Postgresql | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory.
|
|||||
| CVE-2019-10169 | 1 Redhat | 1 Keycloak | 2024-11-21 | 6.5 MEDIUM | 6.6 MEDIUM |
|
A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running application.
|
|||||
| CVE-2019-10134 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
|
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
|
|||||
| CVE-2019-10104 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only. The issue has been fixed in the following versions: 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.
|
|||||
| CVE-2019-10065 | 1 Otrs | 1 Otrs | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An issue was discovered in Open Ticket Request System (OTRS) 7.0 through 7.0.6. An attacker who is logged into OTRS as a customer user can use the search result screens to disclose information from internal FAQ articles, a different vulnerability than CVE-2019-9753.
|
|||||
| CVE-2019-10058 | 1 Lexmark | 148 6500e, 6500e Firmware, C734 and 145 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
Various Lexmark products have Incorrect Access Control.
|
|||||
| CVE-2019-10044 | 2 Microsoft, Telegram | 3 Windows, Telegram, Telegram Desktop | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Telegram Desktop before 1.5.12 on Windows, and the Telegram applications for Android, iOS, and Linux, is vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.
|
|||||
| CVE-2019-10028 | 1 Netflix | 1 Dial Reference | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Denial of Service (DOS) in Dial Reference Source Code Used before June 18th, 2019.
|
|||||
| CVE-2019-1020017 | 1 Discourse | 1 Discourse | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP.
|
|||||
| CVE-2019-1020015 | 1 Hasura | 1 Graphql Engine | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT.
|
|||||
| CVE-2019-1010221 | 1 Lineageos | 1 Lineageos | 2024-11-21 | 4.4 MEDIUM | 6.8 MEDIUM |
|
LineageOS 16.0 and earlier is affected by: Incorrect Access Control. The impact is: The property checked by `adb root` can also be set in a normal adb shell session. The component is: adb shell (patches to fix this are at https://review.lineageos.org/c/LineageOS/android_system_core/+/234800, https://review.lineageos.org/c/LineageOS/android_device_lineage_sepolicy/+/234799). The attack vector is: When adb is enabled, and an attacker has physical access, `adb shell setprop service.adb.root 1` allo ...
Show More |
|||||
| CVE-2019-1010155 | 1 Dlink | 2 Dsl-2750u, Dsl-2750u Firmware | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
D-Link DSL-2750U 1.11 is affected by: Authentication Bypass. The impact is: denial of service and information leakage. The component is: login. NOTE: Third parties dispute this issues as not being a vulnerability because although the wizard is accessible without authentication, it can't actually configure anything. Thus, there is no denial of service or information leakage
|
|||||
| CVE-2019-1010083 | 1 Palletsprojects | 1 Flask | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
|
|||||
| CVE-2019-1010023 | 1 Gnu | 1 Glibc | 2024-11-21 | 6.8 MEDIUM | 5.4 MEDIUM |
|
GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.
|
|||||
| CVE-2019-1003034 | 2 Jenkins, Redhat | 2 Job Dsl, Openshift Container Platform | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM.
|
|||||
| CVE-2019-1003033 | 1 Jenkins | 1 Groovy | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
|
|||||
| CVE-2019-1003032 | 1 Jenkins | 1 Email Extension | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JV ...
Show More |
|||||
| CVE-2019-1003031 | 2 Jenkins, Redhat | 2 Matrix Project, Openshift Container Platform | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.
|
|||||
| CVE-2019-1003024 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
|
|||||