Total
1685 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-6810 | 1 Schneider-electric | 2 Bmxnor0200h, Bmxnor0200h Firmware | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| CWE-284: Improper Access Control vulnerability exists in BMXNOR0200H Ethernet / Serial RTU module (all firmware versions), which could cause the execution of commands by unauthorized users when using IEC 60870-5-104 protocol. | |||||
| CVE-2019-3842 | 4 Debian, Fedoraproject, Redhat and 1 more | 4 Debian Linux, Fedora, Enterprise Linux and 1 more | 2024-02-04 | 4.4 MEDIUM | 7.0 HIGH |
| In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any". | |||||
| CVE-2019-3848 | 1 Moodle | 1 Moodle | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.) | |||||
| CVE-2019-13386 | 1 Centos-webpanel | 1 Centos Web Panel | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php allows attackers to execute a shell command, i.e., obtain a reverse shell with user privilege. | |||||
| CVE-2019-11247 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift Container Platform | 2024-02-04 | 6.5 MEDIUM | 8.1 HIGH |
| The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. | |||||
| CVE-2019-10964 | 1 Medtronic | 38 Minimed 508, Minimed 508 Firmware, Minimed Paradigm 511 and 35 more | 2024-02-04 | 5.8 MEDIUM | 8.8 HIGH |
| In Medtronic MinMed 508 and Medtronic Minimed Paradigm Insulin Pumps, Versions, MiniMed 508 pump – All versions, MiniMed Paradigm 511 pump – All versions, MiniMed Paradigm 512/712 pumps – All versions, MiniMed Paradigm 712E pump–All versions, MiniMed Paradigm 515/715 pumps–All versions, MiniMed Paradigm 522/722 pumps – All versions,MiniMed Paradigm 522K/722K pumps – All versions, MiniMed Paradigm 523/723 pumps – Software versions 2.4A or lower, MiniMed Paradigm 523K/723K pumps – Software, versions 2.4A or lower, MiniMed Paradigm Veo 554/754 pumps – Software versions 2.6A or lower, MiniMed Paradigm Veo 554CM and 754CM models only – Software versions 2.7A or lower, the affected insulin pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery. | |||||
| CVE-2019-14811 | 5 Artifex, Debian, Fedoraproject and 2 more | 5 Ghostscript, Debian Linux, Fedora and 2 more | 2024-02-04 | 6.8 MEDIUM | 7.8 HIGH |
| A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. | |||||
| CVE-2019-7304 | 1 Canonical | 2 Snapd, Ubuntu Linux | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1. | |||||
| CVE-2019-0678 | 1 Microsoft | 4 Edge, Windows 10, Windows Server 2016 and 1 more | 2024-02-04 | 4.0 MEDIUM | 6.8 MEDIUM |
| An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain.In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability, aka 'Microsoft Edge Elevation of Privilege Vulnerability'. | |||||
| CVE-2019-6582 | 1 Siemens | 5 Siveillance Video Management Software 2017 R2, Siveillance Video Management Software 2018 R1, Siveillance Video Management Software 2018 R2 and 2 more | 2024-02-04 | 5.5 MEDIUM | 7.1 HIGH |
| A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11.2a), Siveillance VMS 2018 R1 (All versions < V12.1a), Siveillance VMS 2018 R2 (All versions < V12.2a), Siveillance VMS 2018 R3 (All versions < V12.3a), Siveillance VMS 2019 R1 (All versions < V13.1a). An attacker with network access to port 80/TCP can change user-defined event properties without proper authorization. The security vulnerability could be exploited by an authenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation compromises integrity of the user-defined event properties and the availability of corresponding functionality. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-10014 | 1 Dedecms | 1 Dedecms | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| In DedeCMS 5.7SP2, member/resetpassword.php allows remote authenticated users to reset the passwords of arbitrary users via a modified id parameter, because the key parameter is not properly validated. | |||||
| CVE-2019-1603 | 1 Cisco | 6 Nexus 3000, Nexus 3500, Nexus 3600 and 3 more | 2024-02-04 | 4.6 MEDIUM | 7.8 HIGH |
| A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to escalate lower-level privileges to the administrator level. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. A successful exploit could allow an attacker to make configuration changes to the system as administrator. Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5). | |||||
| CVE-2016-10996 | 1 Optinmonster | 1 Optinmonster | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| The optinmonster plugin before 1.1.4.6 for WordPress has incorrect access control for shortcodes because of a nonce leak. | |||||
| CVE-2019-14817 | 5 Artifex, Debian, Fedoraproject and 2 more | 5 Ghostscript, Debian Linux, Fedora and 2 more | 2024-02-04 | 6.8 MEDIUM | 7.8 HIGH |
| A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. | |||||
| CVE-2019-7258 | 1 Nortekcontrol | 4 Linear Emerge Elite, Linear Emerge Elite Firmware, Linear Emerge Essential and 1 more | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| Linear eMerge E3-Series devices allow Privilege Escalation. | |||||
| CVE-2019-14237 | 1 Nxp | 6 Kinetis K8x, Kinetis K8x Firmware, Kinetis Kv1x and 3 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Access Controls (FAC) (a software IP protection method for execute-only access) can be defeated by observing CPU registers and the effect of code/instruction execution. | |||||
| CVE-2018-15754 | 1 Pivotal Software | 1 Cloud Foundry Uaa-release | 2024-02-04 | 4.0 MEDIUM | 8.8 HIGH |
| Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider. | |||||
| CVE-2018-15767 | 1 Dell | 1 Openmanage Network Manager | 2024-02-04 | 9.0 HIGH | 8.8 HIGH |
| The Dell OpenManage Network Manager virtual appliance versions prior to 6.5.3 contain an improper authorization vulnerability caused by a misconfiguration in the /etc/sudoers file. | |||||
| CVE-2019-1667 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-02-04 | 2.1 LOW | 3.3 LOW |
| A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by connecting to the Graphite service and sending arbitrary data. A successful exploit could allow the attacker to write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface. Versions prior to 3.5(2a) are affected. | |||||
| CVE-2018-1000412 | 1 Jenkins | 1 Jira | 2024-02-04 | 4.0 MEDIUM | 8.8 HIGH |
| An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||