Total: 3707 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-15046 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.
CVE-2019-14985 | 1 Eq-3 | 4 Homematic Ccu2, Homematic Ccu2 Firmware, Homematic Ccu3 and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because this interface can access the CMD_EXEC virtual device type 28.
CVE-2019-14909 | 1 Redhat | 1 Keycloak | 2024-11-21 | 7.5 HIGH | 8.3 HIGH | A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind); any password, invalid or valid, will be accepted.
CVE-2019-14870 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2024-11-21 | 6.4 MEDIUM | 5.4 MEDIUM | All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However, the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set.
CVE-2019-14856 | 2 Opensuse, Redhat | 4 Backports Sle, Leap, Ansible and 1 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None
CVE-2019-14705 | 1 Microdigital | 6 Mdc-n2190v, Mdc-n2190v Firmware, Mdc-n4090 and 3 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | An Incorrect Access Control issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5 because any valid cookie can be used to make requests as an admin.
CVE-2019-14598 | 2 Intel, Netapp | 2 Converged Security Management Engine Firmware, Steelstore Cloud Integrated Storage | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM | Improper Authentication in subsystem in Intel(R) CSME versions 12.0 through 12.0.48 (IOT only: 12.0.56), versions 13.0 through 13.0.20, versions 14.0 through 14.0.10 may allow a privileged user to potentially enable escalation of privilege, denial of service or information disclosure via local access.
CVE-2019-14553 | 1 Tianocore | 1 Edk2 | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM | Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access.
CVE-2019-14510 | 1 Kaseya | 1 Vsa | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM | An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\Administrators group. Using the well-known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)
CVE-2019-14432 | 1 Loom | 1 Loom | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Incorrect authentication of application WebSocket connections in Loom Desktop for Mac up to 0.16.0 allows remote code execution from either malicious JavaScript in a browser or hosts on the same network, during periods in which a user is recording a video with the application. The same attack vector can be used to crash the application at any time.
CVE-2019-14239 | 1 Nxp | 6 Kinetis K8x, Kinetis K8x Firmware, Kinetis Kv1x and 3 more | 2024-11-21 | 4.6 MEDIUM | 6.6 MEDIUM | On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Access Controls (FAC) (a software IP protection method for execute-only access) can be defeated by leveraging a load instruction inside the execute-only region to expose the protected code into a CPU register.
CVE-2019-14238 | 1 St | 12 Stm32f4, Stm32f4 Firmware, Stm32f7 and 9 more | 2024-11-21 | 4.6 MEDIUM | 6.6 MEDIUM | On STMicroelectronics STM32F7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated with a debug probe via the Instruction Tightly Coupled Memory (ITCM) bus.
CVE-2019-13526 | 1 Datalogic | 2 Av7000, Av7000 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Datalogic AV7000 Linear barcode scanner, all versions prior to 4.6.0.0, is vulnerable to authentication bypass, which may allow an attacker to remotely execute arbitrary code.
CVE-2019-13372 | 1 Dlink | 1 Central Wifimanager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.
CVE-2019-13361 | 1 Smanos | 2 W100, W100 Firmware | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM | Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an attacker on the same Wi-Fi network.
CVE-2019-13336 | 1 Dbell | 2 Db01-s, Db01-s Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The dbell Wi-Fi Smart Video Doorbell DB01-S Gen 1 allows remote attackers to launch commands with no authentication verification via TCP port 81, because the loginuse and loginpass parameters to openlock.cgi can have arbitrary values. NOTE: the vendor's position is that this product reached end of life in 2016.
CVE-2019-13294 | 1 Arox | 1 School-erp | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system.
CVE-2019-13190 | 1 Eng | 1 Knowage | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In Knowage through 6.1.1, the sign-up page does not invalidate a valid CAPTCHA token. This allows for CAPTCHA bypass in the sign-up page.
CVE-2019-13188 | 1 Eng | 1 Knowage | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL | In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application.
CVE-2019-12845 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. The issue was fixed in JetBrains TeamCity 2018.2.3.