Total
31907 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10134 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded. | |||||
| CVE-2019-10104 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only. The issue has been fixed in the following versions: 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7. | |||||
| CVE-2019-10065 | 1 Otrs | 1 Otrs | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Open Ticket Request System (OTRS) 7.0 through 7.0.6. An attacker who is logged into OTRS as a customer user can use the search result screens to disclose information from internal FAQ articles, a different vulnerability than CVE-2019-9753. | |||||
| CVE-2019-10058 | 1 Lexmark | 148 6500e, 6500e Firmware, C734 and 145 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Various Lexmark products have Incorrect Access Control. | |||||
| CVE-2019-10044 | 2 Microsoft, Telegram | 3 Windows, Telegram, Telegram Desktop | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Telegram Desktop before 1.5.12 on Windows, and the Telegram applications for Android, iOS, and Linux, is vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets. | |||||
| CVE-2019-10028 | 1 Netflix | 1 Dial Reference | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Denial of Service (DOS) in Dial Reference Source Code Used before June 18th, 2019. | |||||
| CVE-2019-1020017 | 1 Discourse | 1 Discourse | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP. | |||||
| CVE-2019-1020015 | 1 Hasura | 1 Graphql Engine | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT. | |||||
| CVE-2019-1010221 | 1 Lineageos | 1 Lineageos | 2024-11-21 | 4.4 MEDIUM | 6.8 MEDIUM |
| LineageOS 16.0 and earlier is affected by: Incorrect Access Control. The impact is: The property checked by `adb root` can also be set in a normal adb shell session. The component is: adb shell (patches to fix this are at https://review.lineageos.org/c/LineageOS/android_system_core/+/234800, https://review.lineageos.org/c/LineageOS/android_device_lineage_sepolicy/+/234799). The attack vector is: When adb is enabled, and an attacker has physical access, `adb shell setprop service.adb.root 1` allows restarting adb as root. | |||||
| CVE-2019-1010155 | 1 Dlink | 2 Dsl-2750u, Dsl-2750u Firmware | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| D-Link DSL-2750U 1.11 is affected by: Authentication Bypass. The impact is: denial of service and information leakage. The component is: login. NOTE: Third parties dispute this issues as not being a vulnerability because although the wizard is accessible without authentication, it can't actually configure anything. Thus, there is no denial of service or information leakage | |||||
| CVE-2019-1010083 | 1 Palletsprojects | 1 Flask | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656. | |||||
| CVE-2019-1010023 | 1 Gnu | 1 Glibc | 2024-11-21 | 6.8 MEDIUM | 5.4 MEDIUM |
| GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. | |||||
| CVE-2019-1003034 | 2 Jenkins, Redhat | 2 Job Dsl, Openshift Container Platform | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
| A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM. | |||||
| CVE-2019-1003033 | 1 Jenkins | 1 Groovy | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM. | |||||
| CVE-2019-1003032 | 1 Jenkins | 1 Email Extension | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
| A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM. | |||||
| CVE-2019-1003031 | 2 Jenkins, Redhat | 2 Matrix Project, Openshift Container Platform | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
| A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM. | |||||
| CVE-2019-1003024 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | |||||
| CVE-2019-1000021 | 1 Slixmpp Project | 1 Slixmpp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 contains an incorrect Access Control vulnerability in XEP-0223 plugin (Persistent Storage of Private Data via PubSub) options profile, used for the configuration of default access model that can result in all of the contacts of the victim can see private data having been published to a PEP node. This attack appears to be exploitable if the user of this library publishes any private data on PEP, the node isn't configured to be private. This vulnerability appears to have been fixed in commit 7cd73b594e8122dddf847953fcfc85ab4d316416 which is included in slixmpp 1.4.2. | |||||
| CVE-2019-1000014 | 1 Erlang | 1 Rebar3 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via Victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 3.8.0. | |||||
| CVE-2019-1000011 | 1 Api-platform | 1 Core | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6. | |||||