Search
Total
21119 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-8137 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate CMS section of the website can trigger remote code execution via custom layout update. | |||||
| CVE-2019-8144 | 1 Magento | 1 Magento | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can insert a malicious payload through PageBuilder template methods. | |||||
| CVE-2019-8150 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout. | |||||
| CVE-2019-8229 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates. | |||||
| CVE-2019-8230 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| In Magentoprior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path. | |||||
| CVE-2019-8231 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification. | |||||
| CVE-2019-8336 | 1 Hashicorp | 1 Consul | 2020-08-24 | 6.8 MEDIUM | 8.1 HIGH |
| HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "<hidden>" as its secret is used in unusual circumstances. | |||||
| CVE-2019-8387 | 1 Barni | 2 Master Ip Camera01, Master Ip Camera01 Firmware | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| MASTER IPCAMERA01 3.3.4.2103 devices allow Remote Command Execution, related to the thttpd component. | |||||
| CVE-2019-8392 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to enable Guest Wi-Fi via the SetWLanRadioSettings HNAP API to the web service provided by /bin/goahead. | |||||
| CVE-2019-8408 | 1 Onefilecms | 1 Onefilecms | 2020-08-24 | 4.0 MEDIUM | 4.9 MEDIUM |
| OneFileCMS 3.6.13 allows remote attackers to modify onefilecms.php by clicking the Copy button twice. | |||||
| CVE-2019-8418 | 1 Seacms | 1 Seacms | 2020-08-24 | 4.0 MEDIUM | 8.8 HIGH |
| SeaCMS 7.2 mishandles member.php?mod=repsw4 requests. | |||||
| CVE-2019-8442 | 1 Atlassian | 1 Jira | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. | |||||
| CVE-2019-8514 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2020-08-24 | 6.8 MEDIUM | 7.8 HIGH |
| A logic issue was addressed with improved state management. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, tvOS 12.2, watchOS 5.2. An application may be able to gain elevated privileges. | |||||
| CVE-2019-8521 | 1 Apple | 2 Iphone Os, Mac Os X | 2020-08-24 | 5.8 MEDIUM | 5.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4. A malicious application may be able to overwrite arbitrary files. | |||||
| CVE-2019-8530 | 1 Apple | 3 Iphone Os, Mac Os X, Tvos | 2020-08-24 | 5.8 MEDIUM | 5.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, tvOS 12.2. A malicious application may be able to overwrite arbitrary files. | |||||
| CVE-2019-8554 | 1 Apple | 1 Iphone Os | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A permissions issue existed in the handling of motion and orientation data. This issue was addressed with improved restrictions. This issue is fixed in iOS 12.2. A website may be able to access sensor information without user consent. | |||||
| CVE-2019-8589 | 1 Apple | 1 Mac Os X | 2020-08-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in macOS Mojave 10.14.5. A malicious application may bypass Gatekeeper checks. | |||||
| CVE-2019-8590 | 1 Apple | 1 Mac Os X | 2020-08-24 | 9.3 HIGH | 7.8 HIGH |
| A logic issue was addressed with improved restrictions. This issue is fixed in macOS Mojave 10.14.5. An application may be able to execute arbitrary code with kernel privileges. | |||||
| CVE-2019-8617 | 1 Apple | 1 Iphone Os | 2020-08-24 | 6.8 MEDIUM | 9.6 CRITICAL |
| An access issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 12.3. A sandboxed process may be able to circumvent sandbox restrictions. | |||||
| CVE-2019-8659 | 1 Apple | 1 Watchos | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| This issue was addressed with improved checks. This issue is fixed in watchOS 5.3. Users removed from an iMessage conversation may still be able to alter state. | |||||
| CVE-2019-8663 | 1 Apple | 2 Iphone Os, Mac Os X | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6. A remote attacker may be able to leak memory. | |||||
| CVE-2019-8667 | 1 Apple | 1 Mac Os X | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Mojave 10.14.6. The encryption status of a Time Machine backup may be incorrect. | |||||
| CVE-2019-8699 | 1 Apple | 1 Iphone Os | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| A logic issue existed in the handling of answering phone calls. The issue was addressed with improved state management. This issue is fixed in iOS 12.4. The initiator of a phone call may be able to cause the recipient to answer a simultaneous Walkie-Talkie connection. | |||||
| CVE-2019-8770 | 1 Apple | 1 Mac Os X | 2020-08-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| The issue was addressed with improved permissions logic. This issue is fixed in macOS Catalina 10.15. A malicious application may be able to access recent documents. | |||||
| CVE-2019-8917 | 1 Solarwinds | 1 Orion Network Performance Monitor | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user. | |||||
| CVE-2019-9122 | 1 D-link | 2 Dir-825 Rev.b, Dir-825 Rev.b Firmware | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the ntp_server parameter in an ntp_sync.cgi POST request. | |||||
| CVE-2019-8988 | 1 Tibco | 2 Data Science For Aws, Spotfire Data Science | 2020-08-24 | 5.5 MEDIUM | 6.5 MEDIUM |
| The application server component of TIBCO Software Inc.'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a persistent cross-site contains a vulnerability that theoretically allows a user to escalate their privileges on the affected system, in a way that may allow for data modifications and deletions that should be denied. Affected releases are TIBCO Software Inc.'s TIBCO Data Science for AWS: versions up to and including 6.4.0, and TIBCO Spotfire Data Science: versions up to and including 6.4.0. | |||||
| CVE-2019-9010 | 1 Codesys | 10 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 7 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in 3S-Smart CODESYS V3 products. The CODESYS Gateway does not correctly verify the ownership of a communication channel. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System. | |||||
| CVE-2019-9708 | 1 Mahara | 1 Mahara | 2020-08-24 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. A site administrator can suspend the system user (root), causing all users to be locked out from the system. | |||||
| CVE-2019-9146 | 1 Jamf | 1 Self Service | 2020-08-24 | 7.9 HIGH | 7.5 HIGH |
| Jamf Self Service 10.9.0 allows man-in-the-middle attackers to obtain a root shell by leveraging the "publish Bash shell scripts" feature to insert "/Applications/Utilities/Terminal app/Contents/MacOS/Terminal" into the TCP data stream. | |||||
| CVE-2019-9196 | 1 Aware | 1 Knomi | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The Face authentication component in Aware mobile liveness 2.2.1 sdk 2.2.0 for Knomi allows a Biometrical Liveness authentication bypass via parameter tampering of the /knomi/analyze security_level field. | |||||
| CVE-2019-9202 | 1 Nagios | 1 Incident Manager | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated users to execute arbitrary code via API key issues. | |||||
| CVE-2019-9203 | 1 Nagios | 1 Incident Manager | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Authorization bypass in Nagios IM (component of Nagios XI) before 2.2.7 allows closing incidents in IM via the API. | |||||
| CVE-2019-9217 | 1 Gitlab | 1 Gitlab | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. Its User Interface has a Misrepresentation of Critical Information. | |||||
| CVE-2019-9218 | 1 Gitlab | 1 Gitlab | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 1 of 5). | |||||
| CVE-2019-9228 | 1 Audiocodes | 8 Median 500-msbr, Median 500-msbr Firmware, Median 500l-msbr and 5 more | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A at least to 7.20A.252.062. The (1) management SSH and (2) management TELNET features allow remote attackers to cause a denial of service (connection slot exhaustion) via 5 unauthenticated connection attempts, because the maximum number of unauthenticated clients that can be configured is 5. NOTE: the vendor's position is that this is a "design choice." | |||||
| CVE-2019-9280 | 1 Google | 1 Android | 2020-08-24 | 2.1 LOW | 3.3 LOW |
| In keyguard, there is a possible escalation of privilege due to improper permission checks. This could lead to a local bypass of the keyguard under limited circumstances, with User execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-119322269 | |||||
| CVE-2019-9345 | 1 Google | 1 Android | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| In the Android kernel in sdcardfs there is a possible violation of the separation of data between profiles due to shared mapping of obb files. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2019-9384 | 1 Google | 1 Android | 2020-08-24 | 7.2 HIGH | 6.7 MEDIUM |
| In LockPatternUtils, there is a possible escalation of privilege due to an improper permissions check. This could lead to local bypass of the Lockguard with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120568007 | |||||
| CVE-2019-9407 | 1 Google | 1 Android | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| In notification management of the service manager, there is a possible permissions bypass. This could lead to local escalation of privilege by preventing user notification, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112434609 | |||||
| CVE-2019-9436 | 1 Google | 1 Android | 2020-08-24 | 4.6 MEDIUM | 6.7 MEDIUM |
| In the Android kernel in the bootloader there is a possible secure boot bypass. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2019-9463 | 1 Google | 1 Android | 2020-08-24 | 4.4 MEDIUM | 7.3 HIGH |
| In Platform, there is a possible bypass of user interaction requirements due to background app interception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-113584607 | |||||
| CVE-2019-9465 | 1 Google | 1 Android | 2020-08-24 | 2.1 LOW | 5.5 MEDIUM |
| In the Titan M handling of cryptographic operations, there is a possible information disclosure due to an unusual root cause. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-10 Android ID: A-133258003 | |||||
| CVE-2019-9485 | 1 Gitlab | 1 Gitlab | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions. | |||||
| CVE-2019-9490 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2020-08-24 | 4.0 MEDIUM | 8.8 HIGH |
| A vulnerability in Trend Micro InterScan Web Security Virtual Appliance version 6.5 SP2 could allow an non-authorized user to disclose administrative credentials. An attacker must be an authenticated user in order to exploit the vulnerability. | |||||
| CVE-2019-9548 | 1 Citrix | 1 Application Delivery Management | 2020-08-24 | 7.5 HIGH | 10.0 CRITICAL |
| Citrix Application Delivery Management (ADM) 12.1.x before 12.1.50.33 has Incorrect Access Control. | |||||
| CVE-2019-9565 | 1 Druide | 1 Antidote | 2020-08-24 | 6.4 MEDIUM | 9.1 CRITICAL |
| Druide Antidote RX, HD, 8 before 8.05.2287, 9 before 9.5.3937 and 10 before 10.1.2147 allows remote attackers to steal NTLM hashes or perform SMB relay attacks upon a direct launch of the product, or upon an indirect launch via an integration such as Chrome, Firefox, Word, Outlook, etc. This occurs because the product attempts to access a share with the PLUG-INS subdomain name; an attacker may be able to use Active Directory Domain Services to register that name. | |||||
| CVE-2019-9582 | 1 Eq-3 | 2 Homematic Ccu2, Homematic Ccu2 Firmware | 2020-08-24 | 7.8 HIGH | 7.5 HIGH |
| eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service. CCU2 affected versions: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. | |||||
| CVE-2019-9632 | 1 Esafenet | 1 Electronic Document Security Management System | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| ESAFENET CDG V3 and V5 has an arbitrary file download vulnerability via the fileName parameter in download.jsp because the InstallationPack parameter is mishandled in a /CDGServer3/ClientAjax request. | |||||
| CVE-2019-9698 | 1 Symantec | 1 Antivirus Engine | 2020-08-24 | 3.6 LOW | 5.5 MEDIUM |
| Symantec AV Engine, prior to 13.0.9r17, may be susceptible to an arbitrary file deletion issue, which is a type of vulnerability that could allow an attacker to delete files on the resident system without elevated privileges. | |||||