Total: 657 CVEs

CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2019-17050 | 1 Thecontrolgroup | 1 Voyager | 2024-08-05 | 7.2 High | An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environment.
CVE-2019-16723 | 1 Cacti | 1 Cacti | 2024-08-05 | 4.3 Medium | In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.
CVE-2019-16546 | 1 Jenkins | 1 Google Compute Engine | 2024-08-05 | 5.9 Medium | Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.
CVE-2019-16403 | 1 Webkul | 1 Bagisto | 2024-08-05 | 8.8 High | In Webkul Bagisto before 0.1.5, the functionalities that let customers change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.
CVE-2019-15913 | 1 Mi | 10 Dgnwg03lm, Dgnwg03lm Firmware, Mccgq01lm and 7 more | 2024-08-05 | 9.8 Critical | An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM devices. Because of insecure key transport in ZigBee communication, attackers can obtain sensitive information, cause a denial of service, take over smart home devices, and tamper with messages.
CVE-2019-15815 | 1 Zyxel | 2 2.00\(abbx.3\), P-1302-t10d | 2024-08-05 | 6.5 Medium | ZyXEL P-1302-T10D v3 devices with firmware version 2.00(ABBX.3) and earlier do not properly enforce access control and could allow an unauthorized user to access certain pages that require admin privileges.
CVE-2019-15725 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 7.5 High | An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. An IDOR in the epic notes API could result in disclosure of private milestones, labels, and other information.
CVE-2019-15581 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 5.3 Medium | An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules.
CVE-2019-15582 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 5.3 Medium | An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.
CVE-2019-15310 | 1 Linkplay | 1 Linkplay | 2024-08-05 | 9.8 Critical | An issue was discovered on various devices via the Linkplay firmware. There is WAN remote code execution without user interaction. An attacker could retrieve the AWS key from the firmware and obtain full control over Linkplay's AWS estate, including S3 buckets containing device firmware. When combined with an OS command injection vulnerability within the XML parsing logic of the firmware update process, an attacker would be able to gain code execution on any device that attempted to update. Note that by default all devices tested had automatic updates enabled.
CVE-2019-14932 | 1 Humanica | 1 Humatrix 7 | 2024-08-05 | N/A | The Recruitment module in Humanica Humatrix 7 1.0.0.681 and 1.0.0.203 allows remote attackers to access all candidates' information on the website via a modified selApp variable to personalData/resumeDetail.cfm. This includes personal information and other sensitive data.
CVE-2019-14721 | 1 Control-webpanel | 1 Webpanel | 2024-08-05 | 6.5 Medium | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to remove a target user from phpMyAdmin via an attacker account.
CVE-2019-14724 | 1 Control-webpanel | 1 Webpanel | 2024-08-05 | 7.5 High | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to edit an e-mail forwarding destination of a victim's account via an attacker account.
CVE-2019-14725 | 1 Control-webpanel | 1 Webpanel | 2024-08-05 | 4.3 Medium | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to change the e-mail usage value of a victim account via an attacker account.
CVE-2019-14245 | 1 Centos-webpanel | 1 Centos Web Panel | 2024-08-05 | 6.5 Medium | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account.
CVE-2019-14246 | 1 Centos-webpanel | 1 Centos Web Panel | 2024-08-05 | 6.5 Medium | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account.
CVE-2019-13605 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | N/A | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username. The attacker must defeat an encoding that is not equivalent to base64, and thus this is different from CVE-2019-13360.
CVE-2019-13461 | 1 Prestashop | 1 Prestashop | 2024-08-04 | N/A | In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444.
CVE-2019-13360 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | N/A | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username.
CVE-2019-13337 | 1 Weseek | 1 Growi | 2024-08-04 | N/A | In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication were required.