Total
1333 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-15339 | 1 Lavamobiles | 2 Z60s, Z60s Firmware | 2024-08-05 | 3.3 Low |
The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15334 | 1 Lavamobiles | 2 Iris 88, Iris 88 Firmware | 2024-08-05 | 3.3 Low |
The Lava Iris 88 Go Android device with a build fingerprint of LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15340 | 1 Mi | 2 Redmi 6, Redmi 6 Firmware | 2024-08-05 | 3.3 Low |
The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V9.6.4.0.ODMMIFD:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201805292006) that allows any app co-located on the device to programmatically disable and enable Wi-Fi, Bluetooth, and GPS without the corresponding access permission through an exported interface. | ||||
CVE-2019-15338 | 1 Lavamobiles | 2 Iris 88, Iris 88 Firmware | 2024-08-05 | 3.3 Low |
The Lava Iris 88 Lite Android device with a build fingerprint of LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15316 | 2 Microsoft, Valvesoftware | 2 Windows, Steam Client | 2024-08-05 | N/A |
Valve Steam Client for Windows through 2019-08-20 has weak folder permissions, leading to privilege escalation (to NT AUTHORITY\SYSTEM) via crafted use of CreateMountPoint.exe and SetOpLock.exe to leverage a TOCTOU race condition. | ||||
CVE-2019-15335 | 1 Lavamobiles | 2 Z92, Z92 Firmware | 2024-08-05 | 3.3 Low |
The Lava Z92 Android device with a build fingerprint of LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15119 | 1 Nps Project | 1 Nps | 2024-08-05 | N/A |
lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user. | ||||
CVE-2019-15084 | 1 Maxx | 1 Waves Maxx Audio | 2024-08-05 | N/A |
Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, installs with incorrect file permissions. As a result, a local attacker can escalate to SYSTEM. | ||||
CVE-2019-14969 | 1 Netwrix | 1 Auditor | 2024-08-05 | N/A |
Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation, and thus the target file will have the same permissions as the invoking process (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by a low-privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links. | ||||
CVE-2019-14935 | 2 3cx, Microsoft | 2 3cx, Windows | 2024-08-05 | N/A |
3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link. | ||||
CVE-2019-14869 | 4 Artifex, Fedoraproject, Opensuse and 1 more | 5 Ghostscript, Fedora, Leap and 2 more | 2024-08-05 | 8.8 High |
A flaw was found in all versions of ghostscript 9.x before 9.50, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within the Ghostscript and access files outside of restricted areas or execute commands. | ||||
CVE-2019-14824 | 3 Debian, Fedoraproject, Redhat | 4 Debian Linux, 389 Directory Server, Enterprise Linux and 1 more | 2024-08-05 | 6.5 Medium |
A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes. | ||||
CVE-2019-14812 | 3 Artifex, Fedoraproject, Redhat | 4 Ghostscript, Fedora, 3scale Amp and 1 more | 2024-08-05 | 7.8 High |
A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. | ||||
CVE-2019-14743 | 2 Microsoft, Valvesoftware | 2 Windows, Steam Client | 2024-08-05 | N/A |
In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit "Full control" for the Users group, which allows local users to gain NT AUTHORITY\SYSTEM access. | ||||
CVE-2019-14629 | 1 Intel | 1 Data Analytics Acceleration Library | 2024-08-05 | 5.5 Medium |
Improper permissions in Intel(R) DAAL before version 2020 Gold may allow an authenticated user to potentially enable information disclosure via local access. | ||||
CVE-2019-14480 | 1 Adremsoft | 1 Netcrunch | 2024-08-05 | 9.8 Critical |
AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalation of privileges. | ||||
CVE-2019-14395 | 1 Cpanel | 1 Cpanel | 2024-08-05 | N/A |
cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494). | ||||
CVE-2019-13679 | 2 Google, Redhat | 2 Chrome, Rhel Extras | 2024-08-04 | 3.3 Low |
Insufficient policy enforcement in PDFium in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to show print dialogs via a crafted PDF file. | ||||
CVE-2019-13676 | 2 Google, Redhat | 2 Chrome, Rhel Extras | 2024-08-04 | 4.3 Medium |
Insufficient policy enforcement in Chromium in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | ||||
CVE-2019-13681 | 2 Google, Redhat | 2 Chrome, Rhel Extras | 2024-08-04 | 4.3 Medium |
Insufficient data validation in downloads in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass download restrictions via a crafted HTML page. |