Total
1525 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-12373 | 1 Ivanti | 1 Landesk Management Suite | 2024-11-21 | N/A |
| Improper access control and open directories in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 may lead to remote disclosure of administrator passwords. | ||||
| CVE-2019-12270 | 2 Microsoft, Opentext | 2 Windows, Brava\! | 2024-11-21 | N/A |
| OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configure excessive permissions by default on Windows. During installation, a displaylistcache file share is created on the Windows server with full read and write permissions for the Everyone group at both the NTFS and Share levels. The share is used to retrieve documents for processing, and to store processed documents for display in the browser. The only required share level access is read/write by the JobProcessor service account. At the local filesystem level, the only additional required permissions would be read/write from the servlet engine, such as Tomcat. (The affected server components are not installed with Content Server by default, and must be installed separately.) NOTE: the vendor's position is that customers are not supposed to use this default setting without consulting the documentation. | ||||
| CVE-2019-12245 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 5.3 Medium |
| SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension. | ||||
| CVE-2019-12133 | 1 Zohocorp | 18 Manageengine Analytics Plus, Manageengine Browser Security Plus, Manageengine Desktop Central and 15 more | 2024-11-21 | N/A |
| Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus. | ||||
| CVE-2019-12102 | 1 Kentico | 1 Kentico | 2024-11-21 | N/A |
| Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor disputes the report because the researcher did not configure the media library permissions correctly. The vendor states that by default all users can read/modify/upload files, and it’s up to the administrator to decide who should have access to the media library and set the permissions accordingly. See the vendor documentation in the references for more information | ||||
| CVE-2019-12042 | 1 Pandasecurity | 6 Panda Antivirus, Panda Antivirus Pro, Panda Dome and 3 more | 2024-11-21 | N/A |
| Insecure permissions of the section object Global\PandaDevicesAgentSharedMemory and the event Global\PandaDevicesAgentSharedMemoryChange in Panda products before 18.07.03 allow attackers to queue an event (as an encrypted JSON string) to the system service AgentSvc.exe, which leads to privilege escalation when the CmdLineExecute event is queued. This affects Panda Antivirus, Panda Antivirus Pro, Panda Dome, Panda Global Protection, Panda Gold Protection, and Panda Internet Security. | ||||
| CVE-2019-11806 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | N/A |
| OX App Suite 7.10.1 and earlier has Insecure Permissions. | ||||
| CVE-2019-11748 | 2 Mozilla, Redhat | 3 Firefox, Firefox Esr, Enterprise Linux | 2024-11-21 | 6.5 Medium |
| WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. | ||||
| CVE-2019-11528 | 1 Softing | 2 Uagate Si, Uagate Si Firmware | 2024-11-21 | 7.5 High |
| An issue was discovered in Softing uaGate SI 1.60.01. A system default path for executables is user writable. | ||||
| CVE-2019-11526 | 1 Softing | 2 Uagate Si, Uagate Si Firmware | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Softing uaGate SI 1.60.01. A maintenance script, that is executable via sudo, is vulnerable to file path injection. This enables the Attacker to write files with superuser privileges in specific locations. | ||||
| CVE-2019-11328 | 3 Fedoraproject, Opensuse, Sylabs | 4 Fedora, Backports, Leap and 1 more | 2024-11-21 | 8.8 High |
| An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/<user>/<instance>`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host. | ||||
| CVE-2019-11270 | 1 Pivotal Software | 3 Application Service, Cloud Foundry Uaa, Operations Manager | 2024-11-21 | 7.5 High |
| Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess. | ||||
| CVE-2019-11244 | 3 Kubernetes, Netapp, Redhat | 4 Kubernetes, Trident, Openshift and 1 more | 2024-11-21 | 5.0 Medium |
| In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation. | ||||
| CVE-2019-11215 | 1 Combodo | 1 Itop | 2024-11-21 | 8.1 High |
| In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload. Many conditions can place the configuration file into a writable state: during installation; during upgrade; in certain cases, an error during modification of the file from the web interface leaves the file writable (can be triggered with XSS); a race condition can be triggered by the hub-connector module (community version only from 2.4.1 to 2.6.0); or editing the file in a CLI. | ||||
| CVE-2019-11167 | 1 Intel | 1 Smart Connect Technology | 2024-11-21 | 7.8 High |
| Improper file permission in software installer for Intel(R) Smart Connect Technology for Intel(R) NUC may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2019-11166 | 1 Intel | 1 Easy Streaming Wizard | 2024-11-21 | 6.7 Medium |
| Improper file permissions in the installer for Intel(R) Easy Streaming Wizard before version 2.1.0731 may allow an authenticated user to potentially enable escalation of privilege via local attack. | ||||
| CVE-2019-11155 | 1 Intel | 14 Dual Band Wireless-ac 3165, Dual Band Wireless-ac 3168, Dual Band Wireless-ac 7265 \(rev D\) and 11 more | 2024-11-21 | 7.1 High |
| Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access. | ||||
| CVE-2019-11154 | 1 Intel | 14 Dual Band Wireless-ac 3165, Dual Band Wireless-ac 3168, Dual Band Wireless-ac 7265 \(rev D\) and 11 more | 2024-11-21 | 7.1 High |
| Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access. | ||||
| CVE-2019-11121 | 2 Intel, Microsoft | 2 Media Sdk, Windows | 2024-11-21 | 7.8 High |
| Improper file permissions in the installer for the Intel(R) Media SDK for Windows before version 2019 R1 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2019-10710 | 1 Hisilicon | 2 Hi3510, Hi3510 Firmware | 2024-11-21 | N/A |
| Insecure permissions in the Web management portal on all IP cameras based on Hisilicon Hi3510 firmware allow authenticated attackers to receive a network's cleartext WiFi credentials via a specific HTTP request. This affects certain devices labeled as HI3510, HI3518, LOOSAFE, LEVCOECAM, Sywstoda, BESDER, WUSONGLUSAN, GADINAN, Unitoptek, ESCAM, etc. | ||||