Total
1626 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-4862 | 1 Micasaverde | 2 Veralite, Veralite Firmware | 2024-02-28 | 5.5 MEDIUM | 8.1 HIGH |
MiCasaVerde VeraLite with firmware 1.5.408 does not properly restrict access, which allows remote authenticated users to (1) update the firmware via the squashfs parameter to upgrade_step2.sh or (2) obtain hashed passwords via the cgi-bin/cmh/backup.sh page. | |||||
CVE-2011-3617 | 2 Debian, Tahoe-lafs | 2 Debian Linux, Tahoe-lafs | 2024-02-28 | 5.5 MEDIUM | 6.5 MEDIUM |
Tahoe-LAFS v1.3.0 through v1.8.2 could allow unauthorized users to delete immutable files in some cases. | |||||
CVE-2020-2097 | 1 Jenkins | 1 Sounds | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Jenkins Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation, allowing attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins. | |||||
CVE-2012-6094 | 2 Apple, Debian | 2 Cups, Debian Linux | 2024-02-28 | 6.8 MEDIUM | 9.8 CRITICAL |
cups (Common Unix Printing System) 'Listen localhost:631' option not honored correctly which could provide unauthorized access to the system | |||||
CVE-2011-2726 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL. | |||||
CVE-2019-16538 | 1 Jenkins | 1 Script Security | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
CVE-2019-17014 | 1 Mozilla | 1 Firefox | 2024-02-28 | 4.3 MEDIUM | 7.4 HIGH |
If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and dropped cross-domain, resulting in a cross-origin information leak. This vulnerability affects Firefox < 71. | |||||
CVE-2019-4509 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to incorrect authorization in some components which could allow an authenticated user to obtain sensitive information. IBM X-Force ID: 164430. | |||||
CVE-2019-14817 | 5 Artifex, Debian, Fedoraproject and 2 more | 5 Ghostscript, Debian Linux, Fedora and 2 more | 2024-02-28 | 6.8 MEDIUM | 7.8 HIGH |
A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. | |||||
CVE-2019-14811 | 5 Artifex, Debian, Fedoraproject and 2 more | 5 Ghostscript, Debian Linux, Fedora and 2 more | 2024-02-28 | 6.8 MEDIUM | 7.8 HIGH |
A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. | |||||
CVE-2019-1912 | 1 Cisco | 22 Sf-220-24, Sf-220-24 Firmware, Sf220-24p and 19 more | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files. The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell. This vulnerability affects Cisco Small Business 220 Series Smart Switches running firmware versions prior to 1.1.4.4 with the web management interface enabled. The web management interface is enabled via both HTTP and HTTPS by default. | |||||
CVE-2019-2175 | 1 Google | 1 Android | 2024-02-28 | 4.4 MEDIUM | 7.8 HIGH |
In checkAccess of SliceManagerService.java in Android 9, there is a possible permissions check bypass due to incorrect order of arguments. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
CVE-2016-10996 | 1 Optinmonster | 1 Optinmonster | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The optinmonster plugin before 1.1.4.6 for WordPress has incorrect access control for shortcodes because of a nonce leak. | |||||
CVE-2019-8446 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
CVE-2018-20826 | 1 Atlassian | 1 Jira | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check. | |||||
CVE-2019-1289 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2024-02-28 | 3.6 LOW | 5.5 MEDIUM |
An elevation of privilege vulnerability exists when the Windows Update Delivery Optimization does not properly enforce file share permissions, aka 'Windows Update Delivery Optimization Elevation of Privilege Vulnerability'. | |||||
CVE-2019-15729 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in GitLab Community and Enterprise Edition 8.18 through 12.2.1. An internal endpoint unintentionally disclosed information about the last pipeline that ran for a merge request. | |||||
CVE-2019-16114 | 1 Atutor | 1 Atutor | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php. | |||||
CVE-2019-14237 | 1 Nxp | 6 Kinetis K8x, Kinetis K8x Firmware, Kinetis Kv1x and 3 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Access Controls (FAC) (a software IP protection method for execute-only access) can be defeated by observing CPU registers and the effect of code/instruction execution. | |||||
CVE-2019-14813 | 5 Artifex, Debian, Fedoraproject and 2 more | 12 Ghostscript, Debian Linux, Fedora and 9 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. |