Total
161 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-17644 | 1 Centreon | 1 Centreon | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Centreon before 2.8-30, 18.10-8, 19.04-5, and 19.10-2.. It provides sensitive information via an unauthenticated direct request for include/configuration/configObject/host/refreshMacroAjax.php. | |||||
CVE-2019-17503 | 1 Kirona | 1 Dynamic Resource Scheduling | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly: it contains sensitive information about the database through the SQL queries within this batch file. This file exposes SQL database information such as database version, table name, column name, etc. | |||||
CVE-2019-17645 | 1 Centreon | 1 Centreon | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Centreon before 2.8.31, 18.10.9, 19.04.6, and 19.10.3. It provides sensitive information via an unauthenticated direct request for include/configuration/configObject/service/refreshMacroAjax.php. | |||||
CVE-2020-8439 | 1 Monstra | 1 Monstra | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI. | |||||
CVE-2019-17646 | 1 Centreon | 1 Centreon | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Centreon before 18.10.8, 19.04.5, and 19.10.2. It provides sensitive information via an unauthenticated direct request for api/external.php?object=centreon_metric&action=listByService. | |||||
CVE-2020-10248 | 1 Meinbwa | 2 Direx-pro, Direx-pro Firmware | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
BWA DiREX-Pro 1.2181 devices allow remote attackers to discover passwords via a direct request to val_users.php3. | |||||
CVE-2019-16340 | 1 Linksys | 6 Velop Whw0301, Velop Whw0301 Firmware, Velop Whw0302 and 3 more | 2024-02-28 | 6.4 MEDIUM | 9.8 CRITICAL |
Belkin Linksys Velop 1.1.8.192419 devices allows remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI. | |||||
CVE-2019-3933 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this vulnerability to watch a slideshow without knowing the access code. | |||||
CVE-2019-1220 | 1 Microsoft | 10 Edge, Internet Explorer, Windows 10 and 7 more | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
A security feature bypass vulnerability exists when Microsoft Browsers fail to validate the correct Security Zone of requests for specific URLs, aka 'Microsoft Browser Security Feature Bypass Vulnerability'. | |||||
CVE-2019-3917 | 1 Nokia | 2 I-240w-q Gpon Ont, I-240w-q Gpon Ont Firmware | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 allows a remote, unauthenticated attacker to enable telnetd on the router via a crafted HTTP request. | |||||
CVE-2019-3934 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code sending a crafted HTTP POST request to login.cgi. A remote, unauthenticated attacker can use this vulnerability to download the current slide image without knowing the access code. | |||||
CVE-2019-1899 | 1 Cisco | 6 Rv110w, Rv110w Firmware, Rv130w and 3 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability in the web interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to acquire the list of devices that are connected to the guest network. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing a specific URI on the web interface of the router. | |||||
CVE-2019-9884 | 1 Eclass | 1 Eclass Ip | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
eClass platform < ip.2.5.10.2.1 allows an attacker to use GETS method to request /admin page to bypass the password validation and access management page. | |||||
CVE-2018-18862 | 1 Bmc | 2 Remedy Action Request System, Remedy Mid-tier | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
BMC Remedy Mid-Tier 7.1.00 and 9.1.02.003 for BMC Remedy AR System has Incorrect Access Control in ITAM forms, as demonstrated by TLS%3APLR-Configuration+Details/Default+Admin+View/, AST%3AARServerConnection/Default+Admin+View/, and AR+System+Administration%3A+Server+Information/Default+Admin+View/. | |||||
CVE-2019-9584 | 1 Eq-3 | 4 Homematic Ccu2, Homematic Ccu2 Firmware, Homematic Ccu3 and 1 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages. | |||||
CVE-2019-13030 | 1 Mediola | 1 Neo Server | 2024-02-28 | 6.4 MEDIUM | 8.2 HIGH |
eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details. This is related to improper access control for addons configuration pages and a missing check in rc.d/97NeoServer. | |||||
CVE-2019-1898 | 1 Cisco | 6 Rv110w, Rv110w Firmware, Rv130w and 3 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability in the web-based management interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to access the syslog file on an affected device. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing the URL for the syslog file. A successful exploit could allow the attacker to access the information contained in the file. | |||||
CVE-2019-14347 | 1 Schben | 1 Adive | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Internal/Views/addUsers.php in Schben Adive 2.0.7 allows remote unprivileged users (editor or developer) to create an administrator account via admin/user/add, as demonstrated by a Python PoC script. | |||||
CVE-2019-13981 | 1 Rangerstudio | 1 Directus 7 Api | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the thumbnailer. | |||||
CVE-2019-12583 | 1 Zyxel | 28 Uag2100, Uag2100 Firmware, Uag4100 and 25 more | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service. |