Vulnerabilities (CVE)

Filtered by CWE-287
Total 3373 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-13526 1 Datalogic 2 Av7000, Av7000 Firmware 2024-11-21 6.5 MEDIUM 8.8 HIGH
Datalogic AV7000 Linear barcode scanner all versions prior to 4.6.0.0 is vulnerable to authentication bypass, which may allow an attacker to remotely execute arbitrary code.
CVE-2019-13372 1 Dlink 1 Central Wifimanager 2024-11-21 7.5 HIGH 9.8 CRITICAL
/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.
CVE-2019-13361 1 Smanos 2 W100, W100 Firmware 2024-11-21 3.3 LOW 6.5 MEDIUM
Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an attacker on the same Wi-Fi network.
CVE-2019-13336 1 Dbell 2 Db01-s, Db01-s Firmware 2024-11-21 7.5 HIGH 9.8 CRITICAL
The dbell Wi-Fi Smart Video Doorbell DB01-S Gen 1 allows remote attackers to launch commands with no authentication verification via TCP port 81, because the loginuse and loginpass parameters to openlock.cgi can have arbitrary values. NOTE: the vendor's position is that this product reached end of life in 2016.
CVE-2019-13294 1 Arox 1 School-erp 2024-11-21 10.0 HIGH 9.8 CRITICAL
AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system.
CVE-2019-13190 1 Eng 1 Knowage 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
In Knowage through 6.1.1, the sign up page does not invalidate a valid CAPTCHA token. This allows for CAPTCHA bypass in the signup page.
CVE-2019-13188 1 Eng 1 Knowage 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application.
CVE-2019-12845 1 Jetbrains 1 Teamcity 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. The issue was fixed in JetBrains TeamCity 2018.2.3.
CVE-2019-12664 1 Cisco 4 4321 Integrated Services Router, 4331 Integrated Services Router, 4351 Integrated Services Router and 1 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
A vulnerability in the Dialer interface feature for ISDN connections in Cisco IOS XE Software for Cisco 4000 Series Integrated Services Routers (ISRs) could allow an unauthenticated, adjacent attacker to pass IPv4 traffic through an ISDN channel prior to successful PPP authentication. The vulnerability is due to insufficient validation of the state of the PPP IP Control Protocol (IPCP). An attacker could exploit this vulnerability by making an ISDN call to an affected device and sending traffic through the ISDN channel prior to successful PPP authentication. Alternatively, an unauthenticated, remote attacker could exploit this vulnerability by sending traffic through an affected device that is configured to exit via an ISDN connection for which both the Dialer interface and the Basic Rate Interface (BRI) have been configured, but the Challenge Handshake Authentication Protocol (CHAP) password for PPP does not match the remote end. A successful exploit could allow the attacker to pass IPv4 traffic through an unauthenticated ISDN connection for a few seconds, from initial ISDN call setup until PPP authentication fails.
CVE-2019-12643 1 Cisco 8 4221 Integrated Services Router, 4321 Integrated Services Router, 4331 Integrated Services Router and 5 more 2024-11-21 10.0 HIGH 10.0 CRITICAL
A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device. The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service. An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device. The REST API interface is not enabled by default and must be installed and activated separately on IOS XE devices. See the Details section for more information.
CVE-2019-12564 1 Douco 1 Douphp 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
In DouCo DouPHP v1.5 Release 20190516, remote attackers can view the database backup file via a brute-force guessing approach for data/backup/DyyyymmddThhmmss.sql filenames.
CVE-2019-12530 1 Glpi Dashboard Project 1 Glpi Dashboard 2024-11-21 7.5 HIGH 9.8 CRITICAL
Incorrect access control was discovered in the stdonato Dashboard plugin through 0.9.7 for GLPI, affecting df.php, issue.php, load.php, mem.php, traf.php, and uptime.php in front/sh.
CVE-2019-12440 1 Sitecore 1 Rocks 2024-11-21 7.5 HIGH 9.8 CRITICAL
The Sitecore Rocks plugin before 2.1.149 for Sitecore allows an unauthenticated threat actor to inject malicious commands and code via the Sitecore Rocks Hard Rocks Service.
CVE-2019-12405 1 Apache 1 Traffic Control 2024-11-21 6.8 MEDIUM 9.8 CRITICAL
Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.
CVE-2019-12395 1 Dynmap Project 1 Dynmap 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
In Webbukkit Dynmap 3.0-beta-3 or below, due to a missing login check in servlet/MapStorageHandler.java, an attacker can see a map image without logging in even if the victim enables login-required in the settings.
CVE-2019-12394 1 Anviz 1 Management System 2024-11-21 7.5 HIGH 9.8 CRITICAL
Anviz access control devices allow unverified password change which allows remote attackers to change the administrator password without prior authentication.
CVE-2019-12300 1 Buildbot 1 Buildbot 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can log in as the victim.
CVE-2019-12254 2 Gok, Tecson 10 Smartbox 4 Lan, Smartbox 4 Lan Firmware, Smartbox 4 Lan Pro and 7 more 2024-11-21 10.0 HIGH 9.8 CRITICAL
In multiple Tecson Tankspion and GOKs SmartBox 4 products the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to an unauthenticated user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.
CVE-2019-11733 1 Mozilla 2 Firefox, Firefox Esr 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard through the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords. This vulnerability affects Firefox < 68.0.2 and Firefox ESR < 68.0.2.
CVE-2019-11576 1 Gitea 1 Gitea 2024-11-21 7.5 HIGH 9.8 CRITICAL
Gitea before 1.8.0 allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an attacker could send them to the API without requiring the 2FA one-time password.