Total
310143 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-15516 | 1 Cuberite | 1 Cuberite | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Cuberite before 2019-06-11 allows webadmin directory traversal via ....// because the protection mechanism simply removes one ../ substring. | |||||
| CVE-2019-15515 | 1 Discourse | 1 Discourse | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Discourse 2.3.2 sends the CSRF token in the query string. | |||||
| CVE-2019-15514 | 1 Telegram | 1 Telegram | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Privacy > Phone Number feature in the Telegram app 5.10 for Android and iOS provides an incorrect indication that the access level is Nobody, because attackers can find these numbers via the Group Info feature, e.g., by adding a significant fraction of a region's assigned phone numbers. | |||||
| CVE-2019-15513 | 2 Motorola, Openwrt | 5 C1 Mwr03, C1 Mwr03 Firmware, Cx2l Mwr04l and 2 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered in OpenWrt libuci (aka Library for the Unified Configuration Interface) before 15.05.1 as used on Motorola CX2L MWR04L 1.01 and C1 MWR03 1.01 devices. /tmp/.uci/network locking is mishandled after reception of a long SetWanSettings command, leading to a device hang. | |||||
| CVE-2019-15511 | 1 Gog | 1 Galaxy | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges in Windows system where GOG Galaxy software is installed. All GOG Galaxy versions before 1.2.60 and all corresponding versions of GOG Galaxy 2.0 Beta are affected. | |||||
| CVE-2019-15510 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role. | |||||
| CVE-2019-15508 | 1 Octopus | 2 Server, Tentacle | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
| In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7. | |||||
| CVE-2019-15507 | 1 Octopus | 1 Server | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
| In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8. | |||||
| CVE-2019-15506 | 1 Kaseya | 1 Virtual System Administrator | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered in Kaseya Virtual System Administrator (VSA) through 9.4.0.37. It has a critical information disclosure vulnerability. An unauthenticated attacker can send properly formatted requests to the web application and download sensitive files and information. For example, the /DATAREPORTS directory can be farmed for reports. Because this directory contains the results of reports such as NMAP, Patch Status, and Active Directory domain metadata, an attacker can easily collect this critical information and parse it for information. There are a number of directories affected. | |||||
| CVE-2019-15505 | 1 Linux | 1 Linux Kernel | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via crafted USB device traffic (which may be remote via usbip or usbredir). | |||||
| CVE-2019-15504 | 1 Linux | 1 Linux Kernel | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2.9 has a Double Free via crafted USB device traffic (which may be remote via usbip or usbredir). | |||||
| CVE-2019-15503 | 1 Altavoz | 1 Prontuscms | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| cgi-cpn/xcoding/prontus_videocut.cgi in AltaVoz Prontus (aka ProntusCMS) through 12.0.3.0 has "Improper Neutralization of Special Elements used in an OS Command," allowing attackers to execute OS commands via an HTTP GET parameter. | |||||
| CVE-2019-15502 | 1 Teamspeak | 1 Teamspeak | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The TeamSpeak client before 3.3.2 allows remote servers to trigger a crash via the 0xe2 0x81 0xa8 0xe2 0x81 0xa7 byte sequence, aka Unicode characters U+2068 (FIRST STRONG ISOLATE) and U+2067 (RIGHT-TO-LEFT ISOLATE). | |||||
| CVE-2019-15501 | 1 Lsoft | 1 Listserv | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross site scripting (XSS) in L-Soft LISTSERV before 16.5-2018a exists via the /scripts/wa.exe OK parameter. | |||||
| CVE-2019-15499 | 2 Apple, Hackmd | 2 Safari, Codimd | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| CodiMD 1.3.1, when Safari is used, allows XSS via an IFRAME element with allow-top-navigation in the sandbox attribute, in conjunction with a data: URL. | |||||
| CVE-2019-15498 | 1 Getvera | 2 Vera Edge, Vera Edge Firmware | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
| cgi-bin/cmh/webcam.sh in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via --output argument injection in the username parameter to /cgi-bin/cmh/webcam.sh. | |||||
| CVE-2019-15497 | 2 Blackbox, Onelan | 4 Icompel, Icompel Firmware, Net-top-box and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Black Box iCOMPEL 9.2.3 through 11.1.4, as used in ONELAN Net-Top-Box 9.2.3 through 11.1.4 and other products, has default credentials that allow remote attackers to access devices remotely via SSH, HTTP, HTTPS, and FTP. | |||||
| CVE-2019-15496 | 1 Manageyourteam | 1 Myt Project Management | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| MyT Project Management 1.5.1 lacks CSRF protection and, for example, allows a user/create CSRF attack. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page. | |||||
| CVE-2019-15494 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. | |||||
| CVE-2019-15493 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
| openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21. | |||||