Total: 3177 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-19937 | 1 Jfrog | 1 Artifactory | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results."
CVE-2019-19899 | 1 Pebbletemplates | 1 Pebble Templates | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Pebble Templates 3.1.2 allows attackers to bypass a protection mechanism (intended to block access to instances of java.lang.Class) because getClass is accessible via the public static java.lang.Class java.lang.Class.forName(java.lang.Module,java.lang.String) signature.
CVE-2019-19885 | 1 Bender | 12 Com465dp, Com465dp Firmware, Com465id and 9 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | In Bender COMTRAXX, user authorization is validated for most, but not all, routes in the system. A user with knowledge about the routes can read and write configuration data without prior authorization. This affects COM465IP, COM465DP, COM465ID, CP700, CP907, and CP915 devices before 4.2.0.
CVE-2019-19802 | 1 Gallagher | 1 Command Centre | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | In Gallagher Command Centre Server v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an authenticated user connecting to OPCUA can view all data that would be replicated in a multi-server setup without privilege checks being applied.
CVE-2019-19604 | 4 Debian, Fedoraproject, Git-scm and 1 more | 4 Debian Linux, Fedora, Git and 1 more | 2024-11-21 | 9.3 HIGH | 7.8 HIGH | Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-18790 | 2 Debian, Digium | 3 Debian Linux, Asterisk, Certified Asterisk | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM | An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x before 13.29.2, 16.x before 16.6.2, and 17.x before 17.0.1, and Certified Asterisk 13.21 before cert5. A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is set to the default, or auto_force_rport.
CVE-2019-18674 | 1 Joomla | 1 Joomla! | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in Joomla! before 3.9.13. A missing access check in the phputf8 mapping files could lead to a path disclosure.
CVE-2019-18610 | 2 Debian, Digium | 3 Debian Linux, Asterisk, Certified Asterisk | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.
CVE-2019-18581 | 1 Dell | 6 Emc Data Protection Advisor, Emc Idpa Dp4400, Emc Idpa Dp5800 and 3 more | 2024-11-21 | 9.0 HIGH | 7.2 HIGH | Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to alter the application's allowable list of OS commands. This may lead to arbitrary OS command execution as the regular user runs the DPA service on the affected system.
CVE-2019-18383 | 1 Terra-master | 2 Fs-210, Fs-210 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered on TerraMaster FS-210 4.0.19 devices. One can download backup files remotely from terramaster_TNAS-00E43A_config_backup.bin without permission.
CVE-2019-17055 | 6 Canonical, Debian, Fedoraproject and 3 more | 8 Ubuntu Linux, Debian Linux, Fedora and 5 more | 2024-11-21 | 2.1 LOW | 3.3 LOW | base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21.
CVE-2019-16909 | 1 Infosysta | 1 In-app & Desktop Notifications | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in the Infosysta "In-App & Desktop Notifications" app before 1.6.14_J8 for Jira. It is possible to obtain a list of all Jira projects (with authentication as a Jira user, but without authorization for specific projects) via the plugins/servlet/nfj/NotificationSettings URI.
CVE-2019-16907 | 1 Infosysta | 1 In-app & Desktop Notifications | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. It is possible to obtain a list of all valid Jira usernames without authentication/authorization via the plugins/servlet/nfj/UserFilter?searchQuery=@ URI.
CVE-2019-16906 | 1 Infosysta | 1 In-app & Desktop Notifications | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. By using plugins/servlet/nfj/PushNotification?username= with a modified username, a different user's notifications can be read without authentication/authorization. These notifications are then no longer displayed to the normal user.
CVE-2019-16738 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.
CVE-2019-16698 | 1 Dkd | 1 Direct Mail | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user (with restricted permissions to the fe_users table) to view and export data of frontend users who are subscribed to a newsletter.
CVE-2019-16576 | 1 Jenkins | 1 Alauda Kubernetes Support | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins Alauda Kubernetes Support Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes service account token or credentials stored in Jenkins.
CVE-2019-16574 | 1 Jenkins | 1 Alauda Devops Pipeline | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-16571 | 1 Jenkins | 1 Rapiddeploy | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.
CVE-2019-16567 | 1 Jenkins | 1 Team Concert | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.