Search
Total
6686 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-7896 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update. | |||||
| CVE-2019-7915 | 1 Magento | 1 Magento | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Under certain conditions, an unauthenticated attacker could force the Magento store's full page cache to serve a 404 page to customers. | |||||
| CVE-2019-7928 | 1 Magento | 1 Magento | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. By abusing insufficient brute-forcing defenses in the token exchange protocol, an unauthenticated attacker could disrupt transactions between the Magento merchant and PayPal. | |||||
| CVE-2019-7957 | 3 Adobe, Apple, Microsoft | 3 Creative Cloud, Mac Os X, Windows | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Creative Cloud Desktop Application versions 4.6.1 and earlier have a security bypass vulnerability. Successful exploitation could lead to denial of service. | |||||
| CVE-2019-8081 | 1 Adobe | 1 Experience Manager | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have an authentication bypass vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2019-8091 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution. | |||||
| CVE-2019-8110 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code. | |||||
| CVE-2019-8111 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code. | |||||
| CVE-2019-8119 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combination of these manipulations can lead to remote code execution. | |||||
| CVE-2019-8122 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution. | |||||
| CVE-2019-8125 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Magento 1 prior to 1.9.x and 1.14.x. An authenticated admin user can modify configuration parameters via crafted support configuration. The modification can lead to remote code execution. | |||||
| CVE-2019-8137 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate CMS section of the website can trigger remote code execution via custom layout update. | |||||
| CVE-2019-8150 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout. | |||||
| CVE-2019-8229 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates. | |||||
| CVE-2019-8230 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| In Magentoprior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path. | |||||
| CVE-2019-8231 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification. | |||||
| CVE-2019-8336 | 1 Hashicorp | 1 Consul | 2020-08-24 | 6.8 MEDIUM | 8.1 HIGH |
| HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "<hidden>" as its secret is used in unusual circumstances. | |||||
| CVE-2019-8392 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to enable Guest Wi-Fi via the SetWLanRadioSettings HNAP API to the web service provided by /bin/goahead. | |||||
| CVE-2019-8418 | 1 Seacms | 1 Seacms | 2020-08-24 | 4.0 MEDIUM | 8.8 HIGH |
| SeaCMS 7.2 mishandles member.php?mod=repsw4 requests. | |||||
| CVE-2019-8442 | 1 Atlassian | 1 Jira | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. | |||||
| CVE-2019-8514 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2020-08-24 | 6.8 MEDIUM | 7.8 HIGH |
| A logic issue was addressed with improved state management. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, tvOS 12.2, watchOS 5.2. An application may be able to gain elevated privileges. | |||||
| CVE-2019-8590 | 1 Apple | 1 Mac Os X | 2020-08-24 | 9.3 HIGH | 7.8 HIGH |
| A logic issue was addressed with improved restrictions. This issue is fixed in macOS Mojave 10.14.5. An application may be able to execute arbitrary code with kernel privileges. | |||||
| CVE-2019-8659 | 1 Apple | 1 Watchos | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| This issue was addressed with improved checks. This issue is fixed in watchOS 5.3. Users removed from an iMessage conversation may still be able to alter state. | |||||
| CVE-2019-8699 | 1 Apple | 1 Iphone Os | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| A logic issue existed in the handling of answering phone calls. The issue was addressed with improved state management. This issue is fixed in iOS 12.4. The initiator of a phone call may be able to cause the recipient to answer a simultaneous Walkie-Talkie connection. | |||||
| CVE-2019-9122 | 1 D-link | 2 Dir-825 Rev.b, Dir-825 Rev.b Firmware | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the ntp_server parameter in an ntp_sync.cgi POST request. | |||||
| CVE-2019-9146 | 1 Jamf | 1 Self Service | 2020-08-24 | 7.9 HIGH | 7.5 HIGH |
| Jamf Self Service 10.9.0 allows man-in-the-middle attackers to obtain a root shell by leveraging the "publish Bash shell scripts" feature to insert "/Applications/Utilities/Terminal app/Contents/MacOS/Terminal" into the TCP data stream. | |||||
| CVE-2019-9196 | 1 Aware | 1 Knomi | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The Face authentication component in Aware mobile liveness 2.2.1 sdk 2.2.0 for Knomi allows a Biometrical Liveness authentication bypass via parameter tampering of the /knomi/analyze security_level field. | |||||
| CVE-2019-9202 | 1 Nagios | 1 Incident Manager | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated users to execute arbitrary code via API key issues. | |||||
| CVE-2019-9228 | 1 Audiocodes | 8 Median 500-msbr, Median 500-msbr Firmware, Median 500l-msbr and 5 more | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A at least to 7.20A.252.062. The (1) management SSH and (2) management TELNET features allow remote attackers to cause a denial of service (connection slot exhaustion) via 5 unauthenticated connection attempts, because the maximum number of unauthenticated clients that can be configured is 5. NOTE: the vendor's position is that this is a "design choice." | |||||
| CVE-2019-9345 | 1 Google | 1 Android | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| In the Android kernel in sdcardfs there is a possible violation of the separation of data between profiles due to shared mapping of obb files. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2019-9407 | 1 Google | 1 Android | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| In notification management of the service manager, there is a possible permissions bypass. This could lead to local escalation of privilege by preventing user notification, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112434609 | |||||
| CVE-2019-9463 | 1 Google | 1 Android | 2020-08-24 | 4.4 MEDIUM | 7.3 HIGH |
| In Platform, there is a possible bypass of user interaction requirements due to background app interception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113584607 | |||||
| CVE-2019-9490 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2020-08-24 | 4.0 MEDIUM | 8.8 HIGH |
| A vulnerability in Trend Micro InterScan Web Security Virtual Appliance version 6.5 SP2 could allow an non-authorized user to disclose administrative credentials. An attacker must be an authenticated user in order to exploit the vulnerability. | |||||
| CVE-2019-9582 | 1 Eq-3 | 2 Homematic Ccu2, Homematic Ccu2 Firmware | 2020-08-24 | 7.8 HIGH | 7.5 HIGH |
| eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service. CCU2 affected versions: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. | |||||
| CVE-2019-9632 | 1 Esafenet | 1 Electronic Document Security Management System | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| ESAFENET CDG V3 and V5 has an arbitrary file download vulnerability via the fileName parameter in download.jsp because the InstallationPack parameter is mishandled in a /CDGServer3/ClientAjax request. | |||||
| CVE-2019-9694 | 1 Symantec | 1 Endpoint Encryption | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| Symantec Endpoint Encryption prior to SEE 11.2.1 MP1 may be susceptible to a Privilege Escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | |||||
| CVE-2019-9702 | 1 Symantec | 1 Endpoint Encryption | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels. | |||||
| CVE-2019-9703 | 1 Symantec | 1 Endpoint Encryption | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels. | |||||
| CVE-2019-9730 | 1 Synaptics | 1 Sound Device | 2020-08-24 | 7.2 HIGH | 8.8 HIGH |
| Incorrect access control in the CxUtilSvc component of the Synaptics Sound Device drivers prior to version 2.29 allows a local attacker to increase access privileges to the Windows Registry via an unpublished API. | |||||
| CVE-2019-9920 | 1 Harmistechnology | 1 Je Messenger | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. It is possible to perform an action within the context of the account of another user. | |||||
| CVE-2019-9939 | 1 Ushareit | 1 Shareit | 2020-08-24 | 5.8 MEDIUM | 8.8 HIGH |
| The SHAREit application before 4.0.36 for Android allows a remote attacker (on the same network or joining public "open" Wi-Fi hotspots created by the application when file transfer is initiated) to bypass authentication by trying to fetch a non-existing page. When the non-existing page is requested, the application responds with a 200 status code and empty page, and adds the requesting client device into the list of recognized devices. | |||||
| CVE-2017-11396 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2020-08-19 | 9.0 HIGH | 7.2 HIGH |
| Vulnerability issues with the web service inspection of input parameters in Trend Micro Web Security Virtual Appliance 6.5 may allow potential attackers who already have administration rights to the console to implement remote code injections. | |||||
| CVE-2020-17497 | 1 Intel | 1 Inet Wireless Daemon | 2020-08-19 | 4.8 MEDIUM | 8.1 HIGH |
| eapol.c in iNet wireless daemon (IWD) through 1.8 allows attackers to trigger a PTK reinstallation by retransmitting EAPOL Msg4/4. | |||||
| CVE-2020-13291 | 1 Gitlab | 1 Gitlab | 2020-08-17 | 5.5 MEDIUM | 8.1 HIGH |
| In GitLab before 13.2.3, project sharing could temporarily allow too permissive access. | |||||
| CVE-2017-18270 | 1 Linux | 1 Linux Kernel | 2020-08-14 | 3.6 LOW | 7.1 HIGH |
| In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service. | |||||
| CVE-2019-17339 | 1 Tibco | 1 Silver Fabric | 2020-08-14 | 5.8 MEDIUM | 8.1 HIGH |
| The VirtualRouter component of TIBCO Software Inc.'s TIBCO Silver Fabric contains a vulnerability that theoretically allows an attacker to inject scripts via URLs. The attacker could theoretically social engineer an authenticated user into submitting the URL, thus executing the script on the affected system with the privileges of the user. Affected releases are TIBCO Software Inc.'s TIBCO Silver Fabric: versions 6.0.0 and below. | |||||
| CVE-2010-2524 | 4 Canonical, Linux, Suse and 1 more | 5 Ubuntu Linux, Linux Kernel, Suse Linux Enterprise Desktop and 2 more | 2020-08-14 | 4.6 MEDIUM | 7.8 HIGH |
| The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a "cache stuffing" issue and MS-DFS referrals. | |||||
| CVE-2010-2537 | 3 Canonical, Linux, Suse | 5 Ubuntu Linux, Linux Kernel, Linux Enterprise High Availability Extension and 2 more | 2020-08-13 | 6.6 MEDIUM | 7.1 HIGH |
| The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a (1) BTRFS_IOC_CLONE or (2) BTRFS_IOC_CLONE_RANGE ioctl call that specifies this file as a donor. | |||||
| CVE-2020-8574 | 1 Netapp | 1 Active Iq Unified Manager | 2020-08-12 | 4.6 MEDIUM | 7.8 HIGH |
| Active IQ Unified Manager for Linux versions prior to 9.6 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service enabled allowing unauthorized code execution to local users. | |||||
| CVE-2020-4486 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2020-08-11 | 5.5 MEDIUM | 8.1 HIGH |
| IBM QRadar 7.2.0 thorugh 7.2.9 could allow an authenticated user to overwrite or delete arbitrary files due to a flaw after WinCollect installation. IBM X-Force ID: 181861. | |||||