Total
4011 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-20360 | 1 Givewp | 1 Givewp | 2024-11-21 | 7.5 High |
| A flaw in Give before 2.5.5, a WordPress plugin, allowed unauthenticated users to bypass API authentication methods and access personally identifiable user information (PII) including names, addresses, IP addresses, and email addresses. Once an API key has been set to any meta key value from the wp_usermeta table, and the token is set to the corresponding MD5 hash of the meta key selected, one can make a request to the restricted endpoints, and thus access sensitive donor data. | ||||
| CVE-2019-20062 | 1 Mfscripts | 1 Yetishare | 2024-11-21 | 9.8 Critical |
| MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash (the hash never expires until used). | ||||
| CVE-2019-20046 | 1 S3india | 2 Husky Rtu 6049-e70, Husky Rtu 6049-e70 Firmware | 2024-11-21 | 9.8 Critical |
| The Synergy Systems & Solutions PLC & RTU system has a vulnerability in HUSKY RTU 6049-E70 firmware versions 5.0 and prior. The affected product does not require adequate authentication, which may allow an attacker to read sensitive information or execute arbitrary code. This is a different issue than CVE-2019-16879 and CVE-2019-20045. | ||||
| CVE-2019-20033 | 1 Nec | 2 Sv8100, Sv8100 Firmware | 2024-11-21 | 9.8 Critical |
| On Aspire-derived NEC PBXes, including all versions of SV8100 devices, a set of documented, static login credentials may be used to access the DIM interface. | ||||
| CVE-2019-20027 | 1 Nec | 8 Sl1100, Sl1100 Firmware, Sl2100 and 5 more | 2024-11-21 | 9.8 Critical |
| Aspire-derived NEC PBXes, including the SV8100, SV9100, SL1100 and SL2100 with software releases 7.0 or higher contain the possibility if incorrectly configured to allow a blank username and password combination to be entered as a valid, successfully authenticating account. | ||||
| CVE-2019-1974 | 1 Cisco | 3 Integrated Management Controller Supervisor, Ucs Director, Ucs Director Express For Big Data | 2024-11-21 | N/A |
| A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to bypass user authentication and gain access as an administrative user. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to gain full administrative access to the affected device. | ||||
| CVE-2019-1946 | 1 Cisco | 1 Enterprise Network Function Virtualization Infrastructure | 2024-11-21 | 6.5 Medium |
| A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and get limited access to the web-based management interface. The vulnerability is due to an incorrect implementation of authentication in the web-based management interface. An attacker could exploit this vulnerability by sending a crafted authentication request to the web-based management interface on an affected system. A successful exploit could allow the attacker to view limited configuration details and potentially upload a virtual machine image. | ||||
| CVE-2019-1938 | 1 Cisco | 2 Ucs Director, Ucs Director Express For Big Data | 2024-11-21 | N/A |
| A vulnerability in the web-based management interface of Cisco UCS Director and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on an affected system. The vulnerability is due to improper authentication request handling. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an unprivileged attacker to access and execute arbitrary actions through certain APIs. | ||||
| CVE-2019-1937 | 1 Cisco | 3 Integrated Management Controller Supervisor, Ucs Director, Ucs Director Express For Big Data | 2024-11-21 | N/A |
| A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device. | ||||
| CVE-2019-1917 | 1 Cisco | 1 Vision Dynamic Signage Director | 2024-11-21 | N/A |
| A vulnerability in the REST API interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to bypass authentication on an affected system. The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on the affected system. The REST API is enabled by default and cannot be disabled. | ||||
| CVE-2019-1867 | 1 Cisco | 1 Elastic Services Controller | 2024-11-21 | N/A |
| A vulnerability in the REST API of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to bypass authentication on the REST API. The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system. | ||||
| CVE-2019-1759 | 1 Cisco | 1 Ios Xe | 2024-11-21 | 5.3 Medium |
| A vulnerability in access control list (ACL) functionality of the Gigabit Ethernet Management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to reach the configured IP addresses on the Gigabit Ethernet Management interface. The vulnerability is due to a logic error that was introduced in the Cisco IOS XE Software 16.1.1 Release, which prevents the ACL from working when applied against the management interface. An attacker could exploit this issue by attempting to access the device via the management interface. | ||||
| CVE-2019-1724 | 1 Cisco | 4 Rv320 Dual Gigabit Wan Vpn Router, Rv320 Dual Gigabit Wan Vpn Router Software, Rv325 Dual Wan Gigabit Vpn Router and 1 more | 2024-11-21 | 8.8 High |
| A vulnerability in the session management functionality of the web-based interface for Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to hijack a valid user session on an affected system. An attacker could use this impersonated session to create a new user account or otherwise control the device with the privileges of the hijacked session. The vulnerability is due to a lack of proper session management controls. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted device. A successful exploit could allow the attacker to take control of an existing user session on the device. Exploitation of the vulnerability requires that an authorized user session is active and that the attacker can craft an HTTP request to impersonate that session. | ||||
| CVE-2019-1666 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-21 | 5.3 Medium |
| A vulnerability in the Graphite service of Cisco HyperFlex software could allow an unauthenticated, remote attacker to retrieve data from the Graphite service. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by sending crafted requests to the Graphite service. A successful exploit could allow the attacker to retrieve any statistics from the Graphite service. Versions prior to 3.5(2a) are affected. | ||||
| CVE-2019-1664 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-21 | 7.8 High |
| A vulnerability in the hxterm service of Cisco HyperFlex Software could allow an unauthenticated, local attacker to gain root access to all nodes in the cluster. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster. This vulnerability affects Cisco HyperFlex Software Releases prior to 3.5(2a). | ||||
| CVE-2019-1662 | 1 Cisco | 1 Prime Collaboration Assurance | 2024-11-21 | N/A |
| A vulnerability in the Quality of Voice Reporting (QOVR) service of Cisco Prime Collaboration Assurance (PCA) Software could allow an unauthenticated, remote attacker to access the system as a valid user. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the QOVR service with a valid username. A successful exploit could allow the attacker to perform actions with the privileges of the user that is used for access. This vulnerability affects Cisco PCA Software Releases prior to 12.1 SP2. | ||||
| CVE-2019-19982 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2024-11-21 | 5.3 Medium |
| The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed for unauthenticated option creation. In order to exploit this vulnerability, an attacker would need to send a /wp-admin/admin-post.php?es_skip=1&option_name= request. | ||||
| CVE-2019-19857 | 1 Serpico Project | 1 Serpico | 2024-11-21 | 6.5 Medium |
| An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. An admin can change their password without providing the current password, by using interfaces outside the Change Password screen. Thus, requiring the admin to enter an Old Password value on the Change Password screen does not enhance security. This is problematic in conjunction with XSS. | ||||
| CVE-2019-19825 | 1 Totolink | 16 A3002ru, A3002ru Firmware, A702r and 13 more | 2024-11-21 | 9.8 Critical |
| On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authentication.) This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0. | ||||
| CVE-2019-19783 | 5 Canonical, Cyrus, Debian and 2 more | 5 Ubuntu Linux, Imap, Debian Linux and 2 more | 2024-11-21 | 6.5 Medium |
| An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c. | ||||