Total
3551 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1666 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the Graphite service of Cisco HyperFlex software could allow an unauthenticated, remote attacker to retrieve data from the Graphite service. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by sending crafted requests to the Graphite service. A successful exploit could allow the attacker to retrieve any statistics from the Graphite service. Versions prior to 3.5(2a) are affected. | |||||
| CVE-2019-1664 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the hxterm service of Cisco HyperFlex Software could allow an unauthenticated, local attacker to gain root access to all nodes in the cluster. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster. This vulnerability affects Cisco HyperFlex Software Releases prior to 3.5(2a). | |||||
| CVE-2019-1662 | 1 Cisco | 1 Prime Collaboration Assurance | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
| A vulnerability in the Quality of Voice Reporting (QOVR) service of Cisco Prime Collaboration Assurance (PCA) Software could allow an unauthenticated, remote attacker to access the system as a valid user. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the QOVR service with a valid username. A successful exploit could allow the attacker to perform actions with the privileges of the user that is used for access. This vulnerability affects Cisco PCA Software Releases prior to 12.1 SP2. | |||||
| CVE-2019-19982 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed for unauthenticated option creation. In order to exploit this vulnerability, an attacker would need to send a /wp-admin/admin-post.php?es_skip=1&option_name= request. | |||||
| CVE-2019-19857 | 1 Serpico Project | 1 Serpico | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. An admin can change their password without providing the current password, by using interfaces outside the Change Password screen. Thus, requiring the admin to enter an Old Password value on the Change Password screen does not enhance security. This is problematic in conjunction with XSS. | |||||
| CVE-2019-19825 | 1 Totolink | 16 A3002ru, A3002ru Firmware, A702r and 13 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authentication.) This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0. | |||||
| CVE-2019-19598 | 1 Dlink | 2 Dap-1860, Dap-1860 Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to the value stored in the device's /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function. | |||||
| CVE-2019-19562 | 1 Harman | 1 Hermes | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information. | |||||
| CVE-2019-19560 | 1 Harman | 1 Hermes | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| An authentication bypass in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with physical access to device hardware to obtain system information. | |||||
| CVE-2019-19521 | 1 Openbsd | 1 Openbsd | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c). | |||||
| CVE-2019-19519 | 1 Openbsd | 1 Openbsd | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| In OpenBSD 6.6, local users can use the su -L option to achieve any login class (often excluding root) because there is a logic error in the main function in su/su.c. | |||||
| CVE-2019-19518 | 1 Broadcom | 1 Ca Automic Sysload | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| CA Automic Sysload 5.6.0 through 6.1.2 contains a vulnerability, related to a lack of authentication on the File Server port, that potentially allows remote attackers to execute arbitrary commands. | |||||
| CVE-2019-19507 | 1 Json Pattern Validator Project | 1 Json Pattern Validator | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In jpv (aka Json Pattern Validator) before 2.1.1, compareCommon() can be bypassed because certain internal attributes can be overwritten via a conflicting name, as demonstrated by 'constructor': {'name':'Array'}. This affects validate(). Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result. | |||||
| CVE-2019-19006 | 1 Sangoma | 1 Freepbx | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control. | |||||
| CVE-2019-18906 | 2 Opensuse, Suse | 3 Cryptctl, Linux Enterprise Server, Manager Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Improper Authentication vulnerability in cryptctl of SUSE Linux Enterprise Server for SAP 12-SP5, SUSE Manager Server 4.0 allows attackers with access to the hashed password to use it without having to crack it. This issue affects: SUSE Linux Enterprise Server for SAP 12-SP5 cryptctl versions prior to 2.4. SUSE Manager Server 4.0 cryptctl versions prior to 2.4. | |||||
| CVE-2019-18848 | 2 Debian, Json-jwt Project | 2 Debian Linux, Json-jwt | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string. | |||||
| CVE-2019-18823 | 3 Debian, Fedoraproject, Wisc | 3 Debian Linux, Fedora, Htcondor | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| HTCondor up to and including stable series 8.8.6 and development series 8.9.4 has Incorrect Access Control. It is possible to use a different authentication method to submit a job than the administrator has specified. If the administrator has configured the READ or WRITE methods to include CLAIMTOBE, then it is possible to impersonate another user to the condor_schedd. (For example to submit or remove jobs) | |||||
| CVE-2019-18661 | 1 Fastweb | 2 Fastgate, Fastgate Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Fastweb FASTGate 1.0.1b devices allow partial authentication bypass by changing a certain check_pwd return value from 0 to 1. An attack does not achieve administrative control of a device; however, the attacker can view all of the web pages of the administration console. | |||||
| CVE-2019-18380 | 1 Symantec | 1 Industrial Control System Protection | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| Symantec Industrial Control System Protection (ICSP), versions 6.x.x, may be susceptible to an unauthorized access issue that could potentially allow a threat actor to create or modify application user accounts without proper authentication. | |||||
| CVE-2019-18374 | 1 Broadcom | 1 Symantec Critical System Protection | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Symantec Critical System Protection (CSP), versions 8.0, 8.0 HF1 & 8.0 MP1, may be susceptible to an authentication bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing authentication controls. | |||||