Total
1954 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20801 | 1 Readdle | 1 Documents | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application's file-transfer web server allows for cross-origin requests from any domain, and the WebSocket server lacks authorization control. Any web site can execute JavaScript code (that accesses a user's data) via cross-origin requests. | |||||
| CVE-2019-20213 | 1 Dlink | 28 Dir-818lx, Dir-818lx Firmware, Dir-822 and 25 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| D-Link DIR-859 routers before v1.07b03_beta allow Unauthenticated Information Disclosure via the AUTHORIZED_GROUP=1%0a value, as demonstrated by vpnconfig.php. | |||||
| CVE-2019-1912 | 1 Cisco | 22 Sf-220-24, Sf-220-24 Firmware, Sf220-24p and 19 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files. The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell. This vulnerability affects Cisco Small Business 220 Series Smart Switches running firmware versions prior to 1.1.4.4 with the web management interface enabled. The web management interface is enabled via both HTTP and HTTPS by default. | |||||
| CVE-2019-1667 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by connecting to the Graphite service and sending arbitrary data. A successful exploit could allow the attacker to write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface. Versions prior to 3.5(2a) are affected. | |||||
| CVE-2019-1626 | 1 Cisco | 8 Sd-wan Firmware, Vedge-100, Vedge-1000 and 5 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in the vManage web-based UI (Web UI) of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected vManage device. The vulnerability is due to a failure to properly authorize certain user actions in the device configuration. An attacker could exploit this vulnerability by logging in to the vManage Web UI and sending crafted HTTP requests to vManage. A successful exploit could allow attackers to gain elevated privileges and make changes to the configuration that they would not normally be authorized to make. | |||||
| CVE-2019-1604 | 1 Cisco | 8 Nexus 3000, Nexus 3500, Nexus 3600 and 5 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the user account management interface of Cisco NX-OS Software could allow an authenticated, local attacker to gain elevated privileges on an affected device. The vulnerability is due to an incorrect authorization check of user accounts and their associated Group ID (GID). An attacker could exploit this vulnerability by taking advantage of a logic error that will permit the use of higher privileged commands than what is necessarily assigned. A successful exploit could allow an attacker to execute commands with elevated privileges on the underlying Linux shell of an affected device. Nexus 7000 and 7700 Series Switches are affected in versions prior to 6.2(22), 8.2(3), and 8.3(2). Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5). | |||||
| CVE-2019-1603 | 1 Cisco | 6 Nexus 3000, Nexus 3500, Nexus 3600 and 3 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to escalate lower-level privileges to the administrator level. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. A successful exploit could allow an attacker to make configuration changes to the system as administrator. Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5). | |||||
| CVE-2019-1289 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2024-11-21 | 3.6 LOW | 5.5 MEDIUM |
| An elevation of privilege vulnerability exists when the Windows Update Delivery Optimization does not properly enforce file share permissions, aka 'Windows Update Delivery Optimization Elevation of Privilege Vulnerability'. | |||||
| CVE-2019-1192 | 1 Microsoft | 10 Edge, Internet Explorer, Windows 10 and 7 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how affected Microsoft browsers handle different-origin requests. | |||||
| CVE-2019-19984 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed users with edit_post capabilities to manage plugin settings and email campaigns. | |||||
| CVE-2019-19681 | 1 Artica | 1 Pandora Fms | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Pandora FMS 7.x suffers from remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert commands, you need to have admin rights. They also state that the extended ACL system can disable access to specific sections of the configuration, such as defining new alert commands | |||||
| CVE-2019-19597 | 1 Dlink | 2 Dap-1860, Dap-1860 Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote code execution as root without authentication via shell metacharacters within an HNAP_AUTH HTTP header. | |||||
| CVE-2019-19520 | 1 Openbsd | 1 Openbsd | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen. | |||||
| CVE-2019-19200 | 1 Reddoxx | 1 Maildepot | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| REDDOXX MailDepot 2032 2.2.1242 allows authenticated users to access the mailboxes of other users. | |||||
| CVE-2019-18949 | 1 Snowhaze | 1 Snowhaze | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration. | |||||
| CVE-2019-17191 | 1 Signal | 1 Private Messenger | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answered, without callee user interaction, via a connect message. The existence of the call is noticeable to the callee; however, the audio channel may be open before the callee can block eavesdropping. | |||||
| CVE-2019-17190 | 1 Avast | 1 Secure Browser | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the elevated process cleans the ACL of the Update.ini file in %PROGRAMDATA%\Avast Software\Browser\Update\ and sets all privileges to group Everyone. Because any low-privileged user can create, delete, or modify the Update.ini file stored in this location, an attacker with low privileges can create a hard link named Update.ini in this folder, and make it point to a file writable by NT AUTHORITY\SYSTEM. Once AvastBrowserUpdate.exe is triggered by the update check functionality, the DACL is set to a misconfigured value on the crafted Update.ini and, consequently, to the target file that was previously not writable by the low-privileged attacker. | |||||
| CVE-2019-17014 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
| If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and dropped cross-domain, resulting in a cross-origin information leak. This vulnerability affects Firefox < 71. | |||||
| CVE-2019-16884 | 6 Canonical, Docker, Fedoraproject and 3 more | 10 Ubuntu Linux, Docker, Fedora and 7 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. | |||||
| CVE-2019-16651 | 1 Virginmedia | 2 Super Hub 3, Super Hub 3 Firmware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered on Virgin Media Super Hub 3 (based on ARRIS TG2492) devices. Because their SNMP commands have insufficient protection mechanisms, it is possible to use JavaScript and DNS rebinding to leak the WAN IP address of a user (if they are using certain VPN implementations, this would decloak them). | |||||