Total: 648 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-8934 | 2 Opensuse, Qemu | 2 Leap, Qemu | 2024-11-21 | 3.3 Low |
hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest. | ||||
CVE-2019-8779 | 1 Apple | 2 Ipados, Iphone Os | 2024-11-21 | 10.0 Critical |
A logic issue applied the incorrect restrictions. This issue was addressed by updating the logic to apply the correct restrictions. This issue is fixed in iOS 13.1.1 and iPadOS 13.1.1. Third party app extensions may not receive the correct sandbox restrictions. | ||||
CVE-2019-8702 | 1 Apple | 3 Iphone Os, Mac Os X, Tvos | 2024-11-21 | 5.5 Medium |
This issue was addressed with a new entitlement. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra, iOS 12.4, tvOS 12.4. A local user may be able to read a persistent account identifier. | ||||
CVE-2019-8308 | 3 Debian, Flatpak, Redhat | 9 Debian Linux, Flatpak, Enterprise Linux and 6 more | 2024-11-21 | N/A |
Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file. | ||||
CVE-2019-5159 | 1 Wago | 1 E!cockpit | 2024-11-21 | 7.8 High |
An exploitable improper input validation vulnerability exists in the firmware update functionality of WAGO e!COCKPIT automation software v1.6.0.7. A specially crafted firmware update file can allow an attacker to write arbitrary files to arbitrary locations on WAGO controllers as a part of executing a firmware update, potentially resulting in code execution. An attacker can create a malicious firmware update package file using any zip utility. The user must initiate a firmware update through e!COCKPIT and choose the malicious wup file using the file browser to trigger the vulnerability. | ||||
CVE-2019-4633 | 1 Ibm | 1 Security Secret Server | 2024-11-21 | 4.3 Medium |
IBM Security Secret Server 10.7 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 170007. | ||||
CVE-2019-4306 | 1 Ibm | 1 Security Guardium Big Data Intelligence | 2024-11-21 | 6.5 Medium |
IBM Security Guardium Big Data Intelligence (SonarG) 4.0 specifies permissions for a security-critical resource which could lead to the exposure of sensitive information or the modification of that resource by unintended parties. IBM X-Force ID: 160986. | ||||
CVE-2019-3970 | 1 Comodo | 1 Antivirus | 2024-11-21 | N/A |
Comodo Antivirus versions up to 12.0.0.6810 are vulnerable to Arbitrary File Write due to Cavwp.exe handling of Comodo's Antivirus database. Cavwp.exe loads Comodo antivirus definition database in unsecured global section objects, allowing a local low privileged process to modify this data directly and change virus signatures. | ||||
CVE-2019-3682 | 1 Suse | 1 Caas Platform | 2024-11-21 | 8.4 High |
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node. | ||||
CVE-2019-3569 | 1 Facebook | 1 Hhvm | 2024-11-21 | 7.5 High |
HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual unintended direct access to the application, which could result in information disclosure. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series. | ||||
CVE-2019-20853 | 1 Mattermost | 1 Mattermost Packages | 2024-11-21 | 9.8 Critical |
An issue was discovered in Mattermost Packages before 5.16.3. A Droplet could allow Internet access to a service that has a remote code execution problem. | ||||
CVE-2019-20149 | 2 Kind-of Project, Redhat | 2 Kind-of, Acm | 2024-11-21 | 7.5 High |
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result. | ||||
CVE-2019-1848 | 1 Cisco | 1 Digital Network Architecture Center | 2024-11-21 | N/A |
A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, adjacent attacker to bypass authentication and access critical internal services. The vulnerability is due to insufficient access restriction to ports necessary for system operation. An attacker could exploit this vulnerability by connecting an unauthorized network device to the subnet designated for cluster services. A successful exploit could allow an attacker to reach internal services that are not hardened for external access. | ||||
CVE-2019-19015 | 1 Titanhq | 1 Webtitan | 2024-11-21 | 9.8 Critical |
An issue was discovered in TitanHQ WebTitan before 5.18. The proxy service (which is typically exposed to all users) allows connections to the internal PostgreSQL database of the appliance. By connecting to the database through the proxy (without password authentication), an attacker is able to fully control the appliance database. Through this, several different paths exist to gain further access, or execute code. | ||||
CVE-2019-18954 | 1 Netease | 1 Pomelo | 2024-11-21 | 5.3 Medium |
Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious attacker can manipulate internal attributes by adding additional attributes to user input. | ||||
CVE-2019-16541 | 2 Jenkins, Redhat | 2 Jira, Openshift | 2024-11-21 | 9.9 Critical |
Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. | ||||
CVE-2019-16518 | 1 Vandyvape | 2 Swell Kit Mod, Swell Kit Mod Firmware | 2024-11-21 | 4.3 Medium |
An issue was discovered on Swell Kit Mod devices that use the Vandy Vape platform. An attacker may be able to trigger an unintended temperature in the victim's mouth and throat via Bluetooth Low Energy (BLE) packets that specify large power or voltage values. | ||||
CVE-2019-16387 | 1 Pega | 1 Pega Platform | 2024-11-21 | 8.1 High |
PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. (This can perform actions and retrieve data that only an administrator should have access to.) NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect | ||||
CVE-2019-16241 | 1 Alcatelmobile | 2 Cingular Flip 2 Firmware, Cingularl Flip 2 | 2024-11-21 | 6.8 Medium |
On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, PIN authentication can be bypassed by creating a special file within the /data/local/tmp/ directory. The System application that implements the lock screen checks for the existence of a specific file and disables PIN authentication if it exists. This file would typically be created via Android Debug Bridge (adb) over USB. | ||||
CVE-2019-15689 | 1 Kaspersky | 4 Kaspersky Internet Security, Secure Connection, Security Cloud and 1 more | 2024-11-21 | 6.7 Medium |
Kaspersky Secure Connection, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Security Cloud prior to version 2020 patch E have bug that allows a local user to execute arbitrary code via execution compromised file placed by an attacker with administrator rights. No privilege escalation. Possible whitelisting bypass some of the security products |