Total
1057 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-16061 | 1 Netsas | 1 Enigma Network Management Solution | 2024-08-05 | 8.8 High |
| A number of files on the NETSAS Enigma NMS server 65.0.0 and prior are granted weak world-readable and world-writable permissions, allowing any low privileged user with access to the system to read sensitive data (e.g., .htpasswd) and create/modify/delete content (e.g., under /var/www/html/docs) within the operating system. | ||||
| CVE-2019-15716 | 1 Wtfutil | 1 Wtf | 2024-08-05 | N/A |
| WTF before 0.19.0 does not set the permissions of config.yml, which might make it easier for local attackers to read passwords or API keys if the permissions were misconfigured or were based on unsafe OS defaults. | ||||
| CVE-2019-14861 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2024-08-05 | 5.3 Medium |
| All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used for example to allow machines to self-register in DNS. If a DNS record was created that case-insensitively matched the name of the zone, the ldb_qsort() and dns_name_compare() routines could be confused into reading memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid memory as a pointer. | ||||
| CVE-2019-14737 | 1 Ubisoft | 1 Uplay | 2024-08-05 | 7.8 High |
| Ubisoft Uplay 92.0.0.6280 has Insecure Permissions. | ||||
| CVE-2019-14718 | 1 Verifone | 2 Mx900, Mx900 Firmware | 2024-08-05 | 6.7 Medium |
| Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have Insecure Permissions, with resultant svc_netcontrol arbitrary command injection and privilege escalation. | ||||
| CVE-2019-14602 | 2 Intel, Microsoft | 2 Nuvoton Consumer Infrared, Windows | 2024-08-05 | 7.8 High |
| Improper permissions in the installer for the Nuvoton* CIR Driver versions 1.02.1002 and before may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2019-14605 | 1 Intel | 1 Setup And Configuration Software Platform Discovery Utility | 2024-08-05 | 7.8 High |
| Improper permissions in the installer for the Intel(R) SCS Platform Discovery Utility, all versions, may allow an authenticated user to potentially enable escalation of privilege via local attack. | ||||
| CVE-2019-14601 | 1 Intel | 1 Raid Web Console 3 | 2024-08-05 | 7.8 High |
| Improper permissions in the installer for Intel(R) RWC 3 for Windows before version 7.010.009.000 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2019-14568 | 1 Intel | 1 Rapid Storage Technology | 2024-08-05 | 7.8 High |
| Improper permissions in the executable for Intel(R) RST before version 17.7.0.1006 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2019-14603 | 1 Intel | 1 Quartus Prime | 2024-08-05 | 7.8 High |
| Improper permissions in the installer for the License Server software for Intel® Quartus® Prime Pro Edition before version 19.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2019-14510 | 1 Kaseya | 1 Vsa | 2024-08-05 | 6.7 Medium |
| An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.) | ||||
| CVE-2019-14326 | 1 Andyroid | 1 Andy Os | 2024-08-05 | 7.8 High |
| An issue was discovered in AndyOS Andy versions up to 46.11.113. By default, it starts telnet and ssh (ports 22 and 23) with root privileges in the emulated Android system. This can be exploited by remote attackers to gain full access to the device, or by malicious apps installed inside the emulator to perform privilege escalation from a normal user to root (unlike with standard methods of getting root privileges on Android - e.g., the SuperSu program - the user is not asked for consent). There is no authentication performed - access to a root shell is given upon a successful connection. NOTE: although this was originally published with a slightly different CVE ID number, the correct ID for this Andy vulnerability has always been CVE-2019-14326. | ||||
| CVE-2019-14002 | 1 Qualcomm | 58 Apq8053, Apq8053 Firmware, Apq8096au and 55 more | 2024-08-05 | 7.8 High |
| APKs without proper permission may bind to CallEnhancementService and can lead to unauthorized access to call status in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ8096AU, APQ8098, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCA6574AU, QCS605, QM215, SA6155P, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SM6150, SM8150, SM8250, SXR2130 | ||||
| CVE-2019-13662 | 2 Google, Redhat | 2 Chrome, Rhel Extras | 2024-08-04 | 6.5 Medium |
| Insufficient policy enforcement in navigations in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | ||||
| CVE-2019-12795 | 2 Gnome, Redhat | 2 Gvfs, Enterprise Linux | 2024-08-04 | N/A |
| daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.) | ||||
| CVE-2019-12752 | 1 Symantec | 1 Sonar | 2024-08-04 | 6.1 Medium |
| The Symantec SONAR component, prior to 12.0.2, may be susceptible to a tamper protection bypass vulnerability which could potentially allow an attacker to circumvent the existing tamper protection in use on the resident system. | ||||
| CVE-2019-12450 | 6 Canonical, Debian, Fedoraproject and 3 more | 10 Ubuntu Linux, Debian Linux, Fedora and 7 more | 2024-08-04 | 9.8 Critical |
| file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. | ||||
| CVE-2019-11765 | 1 Mozilla | 1 Firefox | 2024-08-04 | 6.5 Medium |
| A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepted the permission request an attacker-controlled permission would be granted rather than the 'Click to Play' permission. This vulnerability affects Firefox < 70. | ||||
| CVE-2019-11097 | 1 Intel | 1 Trusted Execution Engine Firmware | 2024-08-04 | 7.8 High |
| Improper directory permissions in the installer for Intel(R) Management Engine Consumer Driver for Windows before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45,13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2019-10679 | 1 Thomsonreuters | 1 Eikon | 2024-08-04 | 7.8 High |
| Thomson Reuters Eikon 4.0.42144 allows all local users to modify the service executable file because of weak %PROGRAMFILES(X86)%\Thomson Reuters\Eikon permissions. | ||||