Total
3869 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-15046 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | 7.5 High |
| Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. | ||||
| CVE-2019-14985 | 1 Eq-3 | 4 Homematic Ccu2, Homematic Ccu2 Firmware, Homematic Ccu3 and 1 more | 2024-11-21 | N/A |
| eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because this interface can access the CMD_EXEC virtual device type 28. | ||||
| CVE-2019-14910 | 1 Redhat | 1 Keycloak | 2024-11-21 | 9.8 Critical |
| A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered. | ||||
| CVE-2019-14909 | 1 Redhat | 1 Keycloak | 2024-11-21 | 8.3 High |
| A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted. | ||||
| CVE-2019-14880 | 1 Moodle | 1 Moodle | 2024-11-21 | 9.1 Critical |
| A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise. | ||||
| CVE-2019-14870 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2024-11-21 | 5.4 Medium |
| All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set. | ||||
| CVE-2019-14856 | 2 Opensuse, Redhat | 5 Backports Sle, Leap, Ansible and 2 more | 2024-11-21 | 6.5 Medium |
| ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None | ||||
| CVE-2019-14705 | 1 Microdigital | 6 Mdc-n2190v, Mdc-n2190v Firmware, Mdc-n4090 and 3 more | 2024-11-21 | N/A |
| An Incorrect Access Control issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5 because any valid cookie can be used to make requests as an admin. | ||||
| CVE-2019-14598 | 2 Intel, Netapp | 2 Converged Security Management Engine Firmware, Steelstore Cloud Integrated Storage | 2024-11-21 | 6.7 Medium |
| Improper Authentication in subsystem in Intel(R) CSME versions 12.0 through 12.0.48 (IOT only: 12.0.56), versions 13.0 through 13.0.20, versions 14.0 through 14.0.10 may allow a privileged user to potentially enable escalation of privilege, denial of service or information disclosure via local access. | ||||
| CVE-2019-14553 | 1 Tianocore | 1 Edk2 | 2024-11-21 | 4.9 Medium |
| Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access. | ||||
| CVE-2019-14510 | 1 Kaseya | 1 Vsa | 2024-11-21 | 6.7 Medium |
| An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.) | ||||
| CVE-2019-14432 | 1 Loom | 1 Loom | 2024-11-21 | N/A |
| Incorrect authentication of application WebSocket connections in Loom Desktop for Mac up to 0.16.0 allows remote code execution from either malicious JavaScript in a browser or hosts on the same network, during periods in which a user is recording a video with the application. The same attack vector can be used to crash the application at any time. | ||||
| CVE-2019-14239 | 1 Nxp | 6 Kinetis K8x, Kinetis K8x Firmware, Kinetis Kv1x and 3 more | 2024-11-21 | 6.6 Medium |
| On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Access Controls (FAC) (a software IP protection method for execute-only access) can be defeated by leveraging a load instruction inside the execute-only region to expose the protected code into a CPU register. | ||||
| CVE-2019-14238 | 1 St | 12 Stm32f4, Stm32f4 Firmware, Stm32f7 and 9 more | 2024-11-21 | 6.6 Medium |
| On STMicroelectronics STM32F7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated with a debug probe via the Instruction Tightly Coupled Memory (ITCM) bus. | ||||
| CVE-2019-13526 | 1 Datalogic | 2 Av7000, Av7000 Firmware | 2024-11-21 | N/A |
| Datalogic AV7000 Linear barcode scanner all versions prior to 4.6.0.0 is vulnerable to authentication bypass, which may allow an attacker to remotely execute arbitrary code. | ||||
| CVE-2019-13423 | 1 Search-guard | 1 Search Guard | 2024-11-21 | 8.8 High |
| Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 had an issue that an authenticated Kibana user could impersonate as kibanaserver user when providing wrong credentials when all of the following conditions a-c are true: a) Kibana is configured to use Single-Sign-On as authentication method, one of Kerberos, JWT, Proxy, Client certificate. b) The kibanaserver user is configured to use HTTP Basic as the authentication method. c) Search Guard is configured to use an SSO authentication domain and HTTP Basic at the same time | ||||
| CVE-2019-13372 | 1 Dlink | 1 Central Wifimanager | 2024-11-21 | 9.8 Critical |
| /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication. | ||||
| CVE-2019-13361 | 1 Smanos | 2 W100, W100 Firmware | 2024-11-21 | 6.5 Medium |
| Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an attacker on the same Wi-Fi network. | ||||
| CVE-2019-13336 | 1 Dbell | 2 Db01-s, Db01-s Firmware | 2024-11-21 | 9.8 Critical |
| The dbell Wi-Fi Smart Video Doorbell DB01-S Gen 1 allows remote attackers to launch commands with no authentication verification via TCP port 81, because the loginuse and loginpass parameters to openlock.cgi can have arbitrary values. NOTE: the vendor's position is that this product reached end of life in 2016. | ||||
| CVE-2019-13294 | 1 Arox | 1 School-erp | 2024-11-21 | N/A |
| AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system. | ||||