Total
1999 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-17631 | 2 Eclipse, Redhat | 9 Openj9, Enterprise Linux, Enterprise Linux Desktop and 6 more | 2024-08-05 | 9.1 Critical |
From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted without any privilege checks. | ||||
CVE-2019-17202 | 1 Fasttracksoftware | 1 Admin By Request | 2024-08-05 | 7.8 High |
FastTrack Admin By Request 6.1.0.0 supports group policies that are supposed to allow only a select range of users to elevate to Administrator privilege at will. If a user does not have direct access to the elevation feature through group policies, they are prompted to enter a PIN code in a challenge-response manner upon attempting to elevate privileges. The challenge's response uses a simple algorithm that can be easily emulated via data (customer ID and device name) available to all users, and thus any user can elevate to Administrator privilege. | ||||
CVE-2019-17066 | 1 Ivanti | 1 Workspace Control | 2024-08-05 | 7.8 High |
In Ivanti WorkSpace Control before 10.4.40.0, a user can elevate rights on the system by hijacking certain user registries. This is possible because pwrgrid.exe first checks the Current User registry hives (HKCU) when starting an application with elevated rights. | ||||
CVE-2019-16897 | 1 K7computing | 3 K7 Antivirus Premium, K7 Total Security, K7 Ultimate Security | 2024-08-05 | 9.8 Critical |
In K7 Antivirus Premium 16.0.xxx through 16.0.0120; K7 Total Security 16.0.xxx through 16.0.0120; and K7 Ultimate Security 16.0.xxx through 16.0.0120, the module K7TSHlpr.dll improperly validates the administrative privileges of the user, allowing arbitrary registry writes in the K7AVOptn.dll module to facilitate escalation of privileges via inter-process communication with a service process. | ||||
CVE-2019-16777 | 5 Fedoraproject, Npmjs, Opensuse and 2 more | 8 Fedora, Npm, Leap and 5 more | 2024-08-05 | 7.7 High |
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. | ||||
CVE-2019-16519 | 1 Eset | 3 Cyber Security, Endpoint Antivirus, Endpoint Security | 2024-08-05 | 7.8 High |
ESET Cyber Security 6.7.900.0 for macOS allows a local attacker to execute unauthorized commands as root by abusing an undocumented feature in scheduled tasks. | ||||
CVE-2019-16202 | 1 Misp | 1 Misp | 2024-08-05 | 6.5 Medium |
MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the __checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP (<2.4.115)" message. | ||||
CVE-2019-16071 | 1 Netsas | 1 Enigma Nms | 2024-08-05 | 8.8 High |
Enigma NMS 65.0.0 and prior allows administrative users to create low-privileged accounts that do not have the ability to modify any settings in the system, only view the components. However, it is possible for a low-privileged user to perform all actions as an administrator by bypassing authorization controls and sending requests to the server in the context of an administrator. | ||||
CVE-2019-15901 | 2 Doas Project, Linux | 2 Doas, Linux Kernel | 2024-08-05 | 8.8 High |
An issue was discovered in slicer69 doas before 6.2 on certain platforms other than OpenBSD. A setusercontext(3) call with flags to change the UID, primary GID, and secondary GIDs was replaced (on certain platforms: Linux and possibly NetBSD) with a single setuid(2) call. This resulted in neither changing the group id nor initializing secondary group ids. | ||||
CVE-2019-15799 | 1 Zyxel | 18 Gs1900-10hp, Gs1900-10hp Firmware, Gs1900-16 and 15 more | 2024-08-05 | 8.8 High |
An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. User accounts created through the web interface of the device, when given non-admin level privileges, have the same level of privileged access as administrators when connecting to the device via SSH (while their permissions via the web interface are in fact restricted). This allows normal users to obtain the administrative password by running the tech-support command via the CLI: this contains the encrypted passwords for all users on the device. As these passwords are encrypted using well-known and static parameters, they can be decrypted and the original passwords (including the administrator password) can be obtained. | ||||
CVE-2019-15720 | 1 Cloudberrylab | 1 Backup | 2024-08-05 | N/A |
CloudBerry Backup v6.1.2.34 allows local privilege escalation via a Pre or Post backup action. With only user-level access, a user can modify the backup plan and add a Pre backup action script that executes on behalf of NT AUTHORITY\SYSTEM. | ||||
CVE-2019-15747 | 1 Sitos | 1 Sitos Six | 2024-08-05 | 8.8 High |
SITOS six Build v6.2.1 allows a user with the user role of Seminar Coordinator to escalate their permission to the Systemadministrator role due to insufficient checks on the server side. | ||||
CVE-2019-15332 | 1 Lavamobiles | 2 Z61, Z61 Firmware | 2024-08-05 | 3.3 Low |
The Lava Z61 Android device with a build fingerprint of LAVA/Z61_2GB/Z61_2GB:8.1.0/O11019/1533889281:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-14838 | 1 Redhat | 10 Data Grid, Enterprise Linux, Jboss Data Grid and 7 more | 2024-08-05 | 4.9 Medium |
A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server | ||||
CVE-2019-14819 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-08-05 | 8.8 High |
A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints. | ||||
CVE-2019-14590 | 2 Intel, Netapp | 6 Graphics Driver, Cloud Backup, Data Availability Services and 3 more | 2024-08-05 | 5.5 Medium |
Improper access control in the API for the Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable information disclosure via local access. | ||||
CVE-2019-14453 | 1 Comelitgroup | 1 Away From Home | 2024-08-05 | 8.8 High |
An issue was discovered in Comelit "App lejos de casa (web)" 2.8.0. It allows privilege escalation via modified domus and logged fields, related to js/bridge.min.js and login.json. For example, an attacker can achieve high privileges (installer or administrator) for the graphical interface via a 1C000000000S value for domus, in conjunction with a zero value for logged. | ||||
CVE-2019-14220 | 3 Apple, Bluestacks, Microsoft | 3 Macos, Bluestacks, Windows | 2024-08-05 | 6.5 Medium |
An issue was discovered in BlueStacks 4.110 and below on macOS and on 4.120 and below on Windows. BlueStacks employs Android running in a virtual machine (VM) to enable Android apps to run on Windows or MacOS. Bug is in a local arbitrary file read through a system service call. The impacted method runs with System admin privilege and if given the file name as parameter returns you the content of file. A malicious app using the affected method can then read the content of any system file which it is not authorized to read | ||||
CVE-2019-13738 | 4 Debian, Fedoraproject, Google and 1 more | 8 Debian Linux, Fedora, Chrome and 5 more | 2024-08-05 | 6.5 Medium |
Insufficient policy enforcement in navigation in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass site isolation via a crafted HTML page. | ||||
CVE-2019-13702 | 3 Google, Opensuse, Redhat | 3 Chrome, Backports Sle, Rhel Extras | 2024-08-05 | 7.8 High |
Inappropriate implementation in installer in Google Chrome on Windows prior to 78.0.3904.70 allowed a local attacker to perform privilege escalation via a crafted executable. |