Total
1372 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12133 | 1 Zohocorp | 18 Manageengine Analytics Plus, Manageengine Browser Security Plus, Manageengine Desktop Central and 15 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus. | |||||
| CVE-2019-12102 | 1 Kentico | 1 Kentico | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor disputes the report because the researcher did not configure the media library permissions correctly. The vendor states that by default all users can read/modify/upload files, and it’s up to the administrator to decide who should have access to the media library and set the permissions accordingly. See the vendor documentation in the references for more information | |||||
| CVE-2019-12042 | 1 Pandasecurity | 6 Panda Antivirus, Panda Antivirus Pro, Panda Dome and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Insecure permissions of the section object Global\PandaDevicesAgentSharedMemory and the event Global\PandaDevicesAgentSharedMemoryChange in Panda products before 18.07.03 allow attackers to queue an event (as an encrypted JSON string) to the system service AgentSvc.exe, which leads to privilege escalation when the CmdLineExecute event is queued. This affects Panda Antivirus, Panda Antivirus Pro, Panda Dome, Panda Global Protection, Panda Gold Protection, and Panda Internet Security. | |||||
| CVE-2019-11806 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| OX App Suite 7.10.1 and earlier has Insecure Permissions. | |||||
| CVE-2019-11528 | 1 Softing | 2 Uagate Si, Uagate Si Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Softing uaGate SI 1.60.01. A system default path for executables is user writable. | |||||
| CVE-2019-11526 | 1 Softing | 2 Uagate Si, Uagate Si Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Softing uaGate SI 1.60.01. A maintenance script, that is executable via sudo, is vulnerable to file path injection. This enables the Attacker to write files with superuser privileges in specific locations. | |||||
| CVE-2019-11328 | 3 Fedoraproject, Opensuse, Sylabs | 4 Fedora, Backports, Leap and 1 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/<user>/<instance>`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host. | |||||
| CVE-2019-11270 | 1 Pivotal Software | 3 Application Service, Cloud Foundry Uaa, Operations Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess. | |||||
| CVE-2019-11244 | 3 Kubernetes, Netapp, Redhat | 3 Kubernetes, Trident, Openshift Container Platform | 2024-11-21 | 1.9 LOW | 5.0 MEDIUM |
| In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation. | |||||
| CVE-2019-11215 | 1 Combodo | 1 Itop | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload. Many conditions can place the configuration file into a writable state: during installation; during upgrade; in certain cases, an error during modification of the file from the web interface leaves the file writable (can be triggered with XSS); a race condition can be triggered by the hub-connector module (community version only from 2.4.1 to 2.6.0); or editing the file in a CLI. | |||||
| CVE-2019-11167 | 1 Intel | 1 Smart Connect Technology | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Improper file permission in software installer for Intel(R) Smart Connect Technology for Intel(R) NUC may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2019-11166 | 1 Intel | 1 Easy Streaming Wizard | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM |
| Improper file permissions in the installer for Intel(R) Easy Streaming Wizard before version 2.1.0731 may allow an authenticated user to potentially enable escalation of privilege via local attack. | |||||
| CVE-2019-11155 | 1 Intel | 14 Dual Band Wireless-ac 3165, Dual Band Wireless-ac 3168, Dual Band Wireless-ac 7265 \(rev D\) and 11 more | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
| Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access. | |||||
| CVE-2019-11154 | 1 Intel | 14 Dual Band Wireless-ac 3165, Dual Band Wireless-ac 3168, Dual Band Wireless-ac 7265 \(rev D\) and 11 more | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
| Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access. | |||||
| CVE-2019-11121 | 2 Intel, Microsoft | 2 Media Sdk, Windows | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Improper file permissions in the installer for the Intel(R) Media SDK for Windows before version 2019 R1 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2019-10710 | 1 Hisilicon | 2 Hi3510, Hi3510 Firmware | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| Insecure permissions in the Web management portal on all IP cameras based on Hisilicon Hi3510 firmware allow authenticated attackers to receive a network's cleartext WiFi credentials via a specific HTTP request. This affects certain devices labeled as HI3510, HI3518, LOOSAFE, LEVCOECAM, Sywstoda, BESDER, WUSONGLUSAN, GADINAN, Unitoptek, ESCAM, etc. | |||||
| CVE-2019-10132 | 2 Fedoraproject, Redhat | 2 Fedora, Libvirt | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons. | |||||
| CVE-2019-10116 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An Insecure Permissions issue (issue 3 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Guests of a project were allowed to see Related Branches created for an issue. | |||||
| CVE-2019-10115 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An Insecure Permissions issue (issue 2 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The GitLab Releases feature could allow guest users access to private information like release details and code information. | |||||
| CVE-2019-10110 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An Insecure Permissions issue (issue 1 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The "move issue" feature may allow a user to create projects under any namespace on any GitLab instance on which they hold credentials. | |||||