Total
3294 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-5162 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An exploitable improper access control vulnerability exists in the iw_webs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as that user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. | |||||
| CVE-2019-5136 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An exploitable privilege escalation vulnerability exists in the iw_console functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted menu selection string can cause an escape from the restricted console, resulting in system access as the root user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. | |||||
| CVE-2019-5036 | 1 Google | 2 Nest Cam Iq Indoor, Nest Cam Iq Indoor Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially crafted packet to trigger this vulnerability. | |||||
| CVE-2019-5014 | 1 Wincofireworks | 2 Fw-1007, Fw-1007 Firmware | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| An exploitable improper access control vulnerability exists in the bluetooth low energy functionality of Winco Fireworks FireFly FW-1007 V2.0. An attacker can connect to the device to trigger this vulnerability. | |||||
| CVE-2019-3942 | 1 Advantech | 1 Webaccess | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files. An attacker can use this vulnerability to recover the administrator password. | |||||
| CVE-2019-3936 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 is vulnerable to denial of service via a crafted request to TCP port 389. The request will force the slideshow to transition into a "stopped" state. A remote, unauthenticated attacker can use this vulnerability to stop an active slideshow. | |||||
| CVE-2019-3935 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to act as a moderator to a slide show via crafted HTTP POST requests to conference.cgi. A remote, unauthenticated attacker can use this vulnerability to start, stop, and disconnect active slideshows. | |||||
| CVE-2019-3934 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code sending a crafted HTTP POST request to login.cgi. A remote, unauthenticated attacker can use this vulnerability to download the current slide image without knowing the access code. | |||||
| CVE-2019-3933 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this vulnerability to watch a slideshow without knowing the access code. | |||||
| CVE-2019-3928 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allow any user to obtain the presentation passcode via the iso.3.6.1.4.1.3212.100.3.2.7.4 OIDs. A remote, unauthenticated attacker can use this vulnerability to access a restricted presentation or to become the presenter. | |||||
| CVE-2019-3927 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 anyone can change the administrator and moderator passwords via the iso.3.6.1.4.1.3212.100.3.2.8.1 and iso.3.6.1.4.1.3212.100.3.2.8.2 OIDs. A remote, unauthenticated attacker can use this vulnerability to change the admin or moderator user's password and gain access to restricted areas on the HTTP interface. | |||||
| CVE-2019-3895 | 2 Openstack, Redhat | 2 Octavia, Openstack | 2024-11-21 | 6.8 MEDIUM | 8.0 HIGH |
| An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image. | |||||
| CVE-2019-3845 | 1 Redhat | 1 Satellite | 2024-11-21 | 5.2 MEDIUM | 8.0 HIGH |
| A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent in versions before Satellite 6.2, Satellite 6.1 optional and Satellite Capsule 6.1. A malicious user authenticated to a host registered to Satellite (or Capsule) can use this flaw to access QMF methods to any host also registered to Satellite (or Capsule) and execute privileged commands. | |||||
| CVE-2019-3794 | 1 Pivotal Software | 1 Cloud Foundry Uaa | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
| Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints. A remote user can perform clickjacking attacks on UAA's frontend sites. | |||||
| CVE-2019-3779 | 1 Cloudfoundry | 1 Container Runtime | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kubernetes clusters utilize the same CA (Certificate Authority) to sign and trust certs for ETCD as used by the Kubernetes API. This could allow a user authenticated with a cluster to request a signed certificate leveraging the Kubernetes CSR capability to obtain a credential that could escalate privilege access to ETCD. | |||||
| CVE-2019-3653 | 1 Mcafee | 1 Endpoint Security | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| Improper access control vulnerability in Configuration tool in McAfee Endpoint Security (ENS) Prior to 10.6.1 October 2019 Update allows local user to gain access to security configuration via unauthorized use of the configuration tool. | |||||
| CVE-2019-3567 | 1 Linuxfoundation | 1 Osquery | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| In some configurations an attacker can inject a new executable path into the extensions.load file for osquery and hard link a parent folder of a malicious binary to a folder with known 'safe' permissions. Under those circumstances osquery will load said malicious executable with SYSTEM permissions. The solution is to migrate installations to the 'Program Files' directory on Windows which restricts unprivileged write access. This issue affects osquery prior to v3.4.0. | |||||
| CVE-2019-3566 | 1 Whatsapp | 2 Whatsapp, Whatsapp Business | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A bug in WhatsApp for Android's messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user's account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38. | |||||
| CVE-2019-2729 | 1 Oracle | 9 Communications Diameter Signaling Router, Communications Network Integrity, Hyperion Infrastructure Technology and 6 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2019-25157 | 1 Ethex | 1 Ethex Contracts | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Ethex Contracts. It has been classified as critical. This affects an unknown part of the file EthexJackpot.sol of the component Monthly Jackpot Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named 6b8664b698d3d953e16c284fadc6caeb9e58e3db. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248271. | |||||