Total: 3891 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2019-19982 | 1 Icegram | 1 Email Subscribers & Newsletters | 2024-11-21 | 5.3 Medium | The WordPress plugin Email Subscribers & Newsletters before 4.2.3 had a flaw that allowed unauthenticated option creation. In order to exploit this vulnerability, an attacker would need to send a /wp-admin/admin-post.php?es_skip=1&option_name= request.
CVE-2019-19857 | 1 Serpico Project | 1 Serpico | 2024-11-21 | 6.5 Medium | An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. An admin can change their password without providing the current password, by using interfaces outside the Change Password screen. Thus, requiring the admin to enter an Old Password value on the Change Password screen does not enhance security. This is problematic in conjunction with XSS.
CVE-2019-19825 | 1 Totolink | 16 A3002ru, A3002ru Firmware, A702r and 13 more | 2024-11-21 | 9.8 Critical | On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authentication.) This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.
CVE-2019-19783 | 5 Canonical, Cyrus, Debian and 2 more | 5 Ubuntu Linux, Imap, Debian Linux and 2 more | 2024-11-21 | 6.5 Medium | An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.
CVE-2019-19598 | 1 Dlink | 2 Dap-1860, Dap-1860 Firmware | 2024-11-21 | 8.8 High | D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to the value stored in the device's /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function.
CVE-2019-19562 | 1 Harman | 1 Hermes | 2024-11-21 | 4.6 Medium | An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information.
CVE-2019-19560 | 1 Harman | 1 Hermes | 2024-11-21 | 4.6 Medium | An authentication bypass in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with physical access to device hardware to obtain system information.
CVE-2019-19521 | 1 Openbsd | 1 Openbsd | 2024-11-21 | 9.8 Critical | libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c).
CVE-2019-19519 | 1 Openbsd | 1 Openbsd | 2024-11-21 | 7.8 High | In OpenBSD 6.6, local users can use the su -L option to achieve any login class (often excluding root) because there is a logic error in the main function in su/su.c.
CVE-2019-19518 | 1 Broadcom | 1 Ca Automic Sysload | 2024-11-21 | 9.8 Critical | CA Automic Sysload 5.6.0 through 6.1.2 contains a vulnerability, related to a lack of authentication on the File Server port, that potentially allows remote attackers to execute arbitrary commands.
CVE-2019-19507 | 1 Json Pattern Validator Project | 1 Json Pattern Validator | 2024-11-21 | 5.3 Medium | In jpv (aka Json Pattern Validator) before 2.1.1, compareCommon() can be bypassed because certain internal attributes can be overwritten via a conflicting name, as demonstrated by 'constructor': {'name':'Array'}. This affects validate(). Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
CVE-2019-19104 | 2 Abb, Busch-jaeger | 4 Tg/s3.2, Tg/s3.2 Firmware, 6186/11 and 1 more | 2024-11-21 | 9.1 Critical | The web server in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger 6186/11 Telefon-Gateway allows access to different endpoints of the application without authenticating, by accessing a specific uniform resource locator (URL), violating the access-control (ACL) rules. This issue allows obtaining sensitive information that may aid in further attacks and privilege escalation.
CVE-2019-19006 | 1 Sangoma | 1 Freepbx | 2024-11-21 | 9.8 Critical | Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.
CVE-2019-18928 | 4 Cyrus, Debian, Fedoraproject and 1 more | 4 Imap, Debian Linux, Fedora and 1 more | 2024-11-21 | 9.8 Critical | Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
CVE-2019-18906 | 2 Opensuse, Suse | 3 Cryptctl, Linux Enterprise Server, Manager Server | 2024-11-21 | 9.8 Critical | An Improper Authentication vulnerability in cryptctl of SUSE Linux Enterprise Server for SAP 12-SP5 and SUSE Manager Server 4.0 allows attackers with access to the hashed password to use it without having to crack it. This issue affects: SUSE Linux Enterprise Server for SAP 12-SP5 cryptctl versions prior to 2.4; SUSE Manager Server 4.0 cryptctl versions prior to 2.4.
CVE-2019-18848 | 2 Debian, Json-jwt Project | 2 Debian Linux, Json-jwt | 2024-11-21 | 7.5 High | The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string.
CVE-2019-18823 | 3 Debian, Fedoraproject, Wisc | 3 Debian Linux, Fedora, Htcondor | 2024-11-21 | 9.8 Critical | HTCondor up to and including stable series 8.8.6 and development series 8.9.4 has Incorrect Access Control. It is possible to use a different authentication method to submit a job than the administrator has specified. If the administrator has configured the READ or WRITE methods to include CLAIMTOBE, then it is possible to impersonate another user to the condor_schedd (for example, to submit or remove jobs).
CVE-2019-18661 | 1 Fastweb | 2 Fastgate, Fastgate Firmware | 2024-11-21 | 7.5 High | Fastweb FASTGate 1.0.1b devices allow partial authentication bypass by changing a certain check_pwd return value from 0 to 1. An attack does not achieve administrative control of a device; however, the attacker can view all of the web pages of the administration console.
CVE-2019-18380 | 1 Symantec | 1 Industrial Control System Protection | 2024-11-21 | 6.5 Medium | Symantec Industrial Control System Protection (ICSP), versions 6.x.x, may be susceptible to an unauthorized access issue that could potentially allow a threat actor to create or modify application user accounts without proper authentication.
CVE-2019-18374 | 1 Broadcom | 1 Symantec Critical System Protection | 2024-11-21 | 9.8 Critical | Symantec Critical System Protection (CSP), versions 8.0, 8.0 HF1 & 8.0 MP1, may be susceptible to an authentication bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing authentication controls.