Total
299317 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-19767 | 1 Linux | 1 Linux Kernel | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM | The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163.
CVE-2019-19766 | 1 Bitwarden | 1 Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | The Bitwarden server through 1.32.0 has a potentially unwanted KDF.
CVE-2019-19758 | 1 Lenovo | 4 Ez Media & Backup Center Ix2, Ez Media & Backup Center Ix2-dl, Ez Media & Backup Center Ix2-dl Firmware and 1 more | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM | A vulnerability in the web interface of Lenovo EZ Media & Backup Center, ix2 & ix2-dl version 4.1.406.34763 and prior could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page.
CVE-2019-19757 | 1 Lenovo | 1 Xclarity Administrator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited. The JavaScript code is executed on the user's system, not executed on LXCA itself.
CVE-2019-19756 | 1 Lenovo | 1 Xclarity Administrator | 2024-11-21 | 3.6 LOW | 7.9 HIGH | An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered Windows OS credentials, used to perform driver updates of managed systems, being written to a log file in clear text. This only affects LXCA version 2.6.0 when performing a Windows driver update. Affected logs are only accessible to authorized users in the First Failure Data Capture (FFDC) service log and log files on LXCA.
CVE-2019-19755 | | | 2024-11-21 | N/A | 9.1 CRITICAL | ethOS through 1.3.3 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as of 2019-12-01, the vendor indicated that they plan to fix this.
CVE-2019-19754 | | | 2024-11-21 | N/A | 5.7 MEDIUM | HiveOS through 0.6-102@191212 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as of 2019-09-26, the vendor indicated that they would consider fixing this.
CVE-2019-19753 | | | 2024-11-21 | N/A | 9.1 CRITICAL | SimpleMiningOS through v1259 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: the vendor indicated that they have no plans to fix this, and discourage deployment using public IPv4.
CVE-2019-19750 | 1 Minerstat | 1 Msos | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | minerstat msOS before 2019-10-23 does not have a unique SSH key for each instance of the product.
CVE-2019-19748 | 1 Brizoit | 1 Work Time Calendar | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Work Time Calendar app before 4.7.1 for Jira allows XSS.
CVE-2019-19747 | 1 Neuvector | 1 Neuvector | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | NeuVector 3.1, when configured to allow authentication via Active Directory, does not enforce non-empty passwords, which allows an attacker with access to the Neuvector portal to authenticate as any valid LDAP user by providing a valid username and an empty password (provided that the active directory server has not been configured to reject empty passwords).
CVE-2019-19746 | 1 Fig2dev Project | 1 Fig2dev | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM | make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type.
CVE-2019-19745 | 1 Contao | 1 Contao | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.
CVE-2019-19743 | 1 Dlink | 2 Dir-615 T1, Dir-615 T1 Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | On D-Link DIR-615 devices, a normal user is able to create a root (admin) user from the D-Link portal.
CVE-2019-19742 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | On D-Link DIR-615 devices, the User Account Configuration page is vulnerable to blind XSS via the name field.
CVE-2019-19741 | 1 Ea | 1 Origin | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | Electronic Arts Origin 10.5.55.33574 is vulnerable to local privilege escalation due to arbitrary directory DACL manipulation, a different issue than CVE-2019-19247 and CVE-2019-19248. When Origin.exe connects to the named pipe OriginClientService, the privileged service verifies the client's executable file instead of its in-memory process (which can be significantly different from the executable file due to, for example, DLL injection). Data transmitted over the pipe is encrypted using a static key. Instead of hooking the pipe communication directly via WriteFileEx(), this can be bypassed by hooking the EVP_EncryptUpdate() function of libeay32.dll. The pipe takes the command CreateDirectory to create a directory and adjust the directory DACL. Calls to this function can be intercepted, the directory and the DACL can be replaced, and the manipulated DACL is written. Arbitrary DACL write is further achieved by creating a hardlink in a user-controlled directory that points to (for example) a service binary. The DACL is then written to this service binary, which results in escalation of privileges.
CVE-2019-19740 | 1 Octeth | 1 Oempro | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get is vulnerable.
CVE-2019-19739 | 1 Mfscripts | 1 Yetishare | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | MFScripts YetiShare 3.5.2 through 4.5.3 does not set the Secure flag on session cookies, allowing the cookie to be sent over cleartext channels.
CVE-2019-19738 | 1 Mfscripts | 1 Yetishare | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | log_file_viewer.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the lFile parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS.
CVE-2019-19737 | 1 Mfscripts | 1 Yetishare | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site requests and potentially be used in cross-site request forgery attacks.