Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11628 | 1 Qlik | 3 Qlik Analytics, Qlik Sense, Qlikview Server | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in QlikView Server before 11.20 SR19, 12.00 and 12.10 before 12.10 SR11, 12.20 before SR9, and 12.30 before SR2; and Qlik Sense Enterprise and Qlik Analytics Platform installations that lack these patch levels: February 2018 Patch 4, April 2018 Patch 3, June 2018 Patch 3, September 2018 Patch 4, November 2018 Patch 4, or February 2019 Patch 2. An authenticated user may be able to bypass intended file-read restrictions via crafted Browser requests. | |||||
| CVE-2019-1163 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2020-08-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| A security feature bypass exists when Windows incorrectly validates CAB file signatures, aka 'Windows File Signature Security Feature Bypass Vulnerability'. | |||||
| CVE-2019-11650 | 1 Microfocus | 1 Netiq Advanced Authentication | 2020-08-24 | 4.3 MEDIUM | 5.9 MEDIUM |
| A potential Man in the Middle attack (MITM) was found in NetIQ Advanced Authentication Framework versions prior to 6.0. | |||||
| CVE-2019-11653 | 1 Microfocus | 1 Content Manager | 2020-08-24 | 5.5 MEDIUM | 5.4 MEDIUM |
| Remote Access Control Bypass in Micro Focus Content Manager. versions 9.1, 9.2, 9.3. The vulnerability could be exploited to manipulate data stored during another user’s CheckIn request. | |||||
| CVE-2019-1166 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2020-08-24 | 4.3 MEDIUM | 5.9 MEDIUM |
| A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering Vulnerability'. | |||||
| CVE-2019-1167 | 1 Microsoft | 1 Powershell Core | 2020-08-24 | 1.9 LOW | 4.1 MEDIUM |
| A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement, aka 'Windows Defender Application Control Security Feature Bypass Vulnerability'. | |||||
| CVE-2019-11695 | 1 Mozilla | 1 Firefox | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| A custom cursor defined by scripting on a site can position itself over the addressbar to spoof the actual cursor when it should not be allowed outside of the primary web content area. This could be used by a malicious site to trick users into clicking on permission prompts, doorhanger notifications, or other buttons inadvertently if the location is spoofed over the user interface. This vulnerability affects Firefox < 67. | |||||
| CVE-2019-11699 | 1 Mozilla | 1 Firefox | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A malicious page can briefly cause the wrong name to be highlighted as the domain name in the addressbar during page navigations. This could result in user confusion of which site is currently loaded for spoofing attacks. This vulnerability affects Firefox < 67. | |||||
| CVE-2019-11700 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A hyperlink using the res: protocol can be used to open local files at a known location in Internet Explorer if a user approves execution when prompted. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 67. | |||||
| CVE-2019-11702 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A hyperlink using protocols associated with Internet Explorer, such as IE.HTTP:, can be used to open local files at a known location with Internet Explorer if a user approves execution when prompted. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 67.0.2. | |||||
| CVE-2019-11717 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | |||||
| CVE-2019-11718 | 1 Mozilla | 1 Firefox | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snipper Service were compromised. This vulnerability affects Firefox < 68. | |||||
| CVE-2019-11721 | 1 Mozilla | 1 Firefox | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confusion. This vulnerability affects Firefox < 68. | |||||
| CVE-2019-11724 | 1 Mozilla | 1 Firefox | 2020-08-24 | 5.8 MEDIUM | 6.1 MEDIUM |
| Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks. This vulnerability affects Firefox < 68. | |||||
| CVE-2019-11725 | 1 Mozilla | 1 Firefox | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but resources from the same site loaded through websockets are not blocked, leading to the loading of unsafe resources and bypassing safebrowsing protections. This vulnerability affects Firefox < 68. | |||||
| CVE-2019-11728 | 1 Mozilla | 1 Firefox | 2020-08-24 | 4.3 MEDIUM | 4.7 MEDIUM |
| The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible to a user when web content is loaded. This vulnerability affects Firefox < 68. | |||||
| CVE-2019-11730 | 3 Debian, Mozilla, Opensuse | 5 Debian Linux, Firefox, Firefox Esr and 2 more | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | |||||
| CVE-2019-11739 | 1 Mozilla | 1 Thunderbird | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward. This vulnerability affects Thunderbird < 68.1 and Thunderbird < 60.9. | |||||
| CVE-2019-11748 | 1 Mozilla | 2 Firefox, Firefox Esr | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. | |||||
| CVE-2019-11749 | 1 Mozilla | 2 Firefox, Firefox Esr | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| A vulnerability exists in WebRTC where malicious web content can use probing techniques on the getUserMedia API using constraints to reveal device properties of cameras on the system without triggering a user prompt or notification. This allows for the potential fingerprinting of users. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. | |||||
| CVE-2019-11750 | 1 Mozilla | 2 Firefox, Firefox Esr | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A type confusion vulnerability exists in Spidermonkey, which results in a non-exploitable crash. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. | |||||
| CVE-2019-11754 | 1 Mozilla | 1 Firefox | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| When the pointer lock is enabled by a website though requestPointerLock(), no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users. This vulnerability affects Firefox < 69.0.1. | |||||
| CVE-2019-11761 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-08-24 | 5.8 MEDIUM | 5.4 MEDIUM |
| By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. | |||||
| CVE-2019-11833 | 1 Linux | 1 Linux Kernel | 2020-08-24 | 2.1 LOW | 5.5 MEDIUM |
| fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem. | |||||
| CVE-2019-11836 | 1 Rediff | 1 Rediffmail | 2020-08-24 | 2.1 LOW | 4.6 MEDIUM |
| The Rediffmail (aka com.rediff.mail.and) application 2.2.6 for Android has cleartext mail content in file storage, persisting after a logout. | |||||
| CVE-2019-11844 | 1 Ricoh | 2 Sp 4520dn, Sp 4520dn Firmware | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An HTML Injection vulnerability has been discovered on the RICOH SP 4520DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn or entryDisplayNameIn parameter. | |||||
| CVE-2019-11845 | 1 Ricoh | 2 Sp 4510dn, Sp 4510dn Firmware | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An HTML Injection vulnerability has been discovered on the RICOH SP 4510DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter. | |||||
| CVE-2019-11879 | 1 Ruby-lang | 1 Webrick | 2020-08-24 | 2.1 LOW | 5.5 MEDIUM |
| ** DISPUTED ** The WEBrick gem 1.4.2 for Ruby allows directory traversal if the attacker once had local access to create a symlink to a location outside of the web root directory. NOTE: The vendor states that this is analogous to Options FollowSymlinks in the Apache HTTP Server, and therefore it is "not a problem." | |||||
| CVE-2019-11881 | 1 Rancher | 1 Rancher | 2020-08-24 | 4.3 MEDIUM | 4.7 MEDIUM |
| A vulnerability exists in Rancher 2.1.4 in the login component, where the errorMsg parameter can be tampered to display arbitrary content, filtering tags but not special characters or symbols. There's no other limitation of the message, allowing malicious users to lure legitimate users to visit phishing sites with scare tactics, e.g., displaying a "This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading" message. | |||||
| CVE-2019-11885 | 1 Eye-disk | 1 Eyedisk | 2020-08-24 | 2.1 LOW | 6.8 MEDIUM |
| eyeDisk implements the unlock feature by sending a cleartext password. The password can be discovered by sniffing USB traffic or by sending a 06 05 52 41 01 b0 00 00 00 00 00 00 SCSI command. | |||||
| CVE-2019-1192 | 1 Microsoft | 10 Edge, Internet Explorer, Windows 10 and 7 more | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins, aka 'Microsoft Browsers Security Feature Bypass Vulnerability'. | |||||
| CVE-2019-11989 | 3 Hp, Microsoft, Redhat | 5 Hp-ux, Icewall Sso Agent, Mfa Proxy and 2 more | 2020-08-24 | 7.1 HIGH | 5.9 MEDIUM |
| A security vulnerability in HPE IceWall SSO Agent Option and IceWall MFA (Agent module ) could be exploited remotely to cause a denial of service. The versions and platforms of Agent Option modules that are impacted are as follows: 10.0 for Apache 2.2 on RHEL 5 and 6, 10.0 for Apache 2.4 on RHEL 7, 10.0 for Apache 2.4 on HP-UX 11i v3, 10.0 for IIS on Windows, 11.0 for Apache 2.4 on RHEL 7, MFA Proxy 4.0 (Agent module only) for Apache 2.4 on RHEL 7. | |||||
| CVE-2019-1220 | 1 Microsoft | 10 Edge, Internet Explorer, Windows 10 and 7 more | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| A security feature bypass vulnerability exists when Microsoft Browsers fail to validate the correct Security Zone of requests for specific URLs, aka 'Microsoft Browser Security Feature Bypass Vulnerability'. | |||||
| CVE-2019-12215 | 1 Matomo | 1 Matomo | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| ** DISPUTED ** A full path disclosure vulnerability was discovered in Matomo v3.9.1 where a user can trigger a particular error to discover the full path of Matomo on the disk, because lastError.file is used in plugins/CorePluginsAdmin/templates/safemode.twig. NOTE: the vendor disputes the significance of this issue, stating "avoid reporting path disclosures, as we don't consider them as security vulnerabilities." | |||||
| CVE-2019-12216 | 1 Libsdl | 2 Sdl2 Image, Simple Directmedia Layer | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a heap-based buffer overflow in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c. | |||||
| CVE-2019-12245 | 1 Silverstripe | 1 Silverstripe | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension. | |||||
| CVE-2019-12252 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring. | |||||
| CVE-2019-12278 | 1 Opera | 1 Opera | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| Opera through 53 on Android allows Address Bar Spoofing. Characters from several languages are displayed in Right-to-Left order, due to mishandling of several Unicode characters. The rendering mechanism, in conjunction with the "first strong character" concept, may improperly operate on a numerical IP address or an alphabetic string, leading to a spoofed URL. | |||||
| CVE-2019-1230 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2020-08-24 | 4.0 MEDIUM | 6.8 MEDIUM |
| An information disclosure vulnerability exists when the Windows Hyper-V Network Switch on a host operating system fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V Information Disclosure Vulnerability'. | |||||
| CVE-2019-13691 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient validation of untrusted input in navigation in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2019-13697 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in performance APIs in Google Chrome prior to 77.0.3865.120 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2019-13710 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient validation of untrusted input in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page. | |||||
| CVE-2019-13714 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL. | |||||
| CVE-2019-13718 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient data validation in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||||
| CVE-2019-13738 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in navigation in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass site isolation via a crafted HTML page. | |||||
| CVE-2019-13739 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||||
| CVE-2019-13740 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect security UI in sharing in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||||
| CVE-2019-13742 | 2 Apple, Google | 2 Iphone Os, Chrome | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. | |||||
| CVE-2019-13743 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect security UI in external protocol handling in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||||
| CVE-2019-13746 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||