Total: 3305 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-16571 | 1 Jenkins | 1 Rapiddeploy | 2024-08-05 | 4.3 Medium |
A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server. | ||||
CVE-2019-16574 | 1 Jenkins | 1 Alauda Devops Pipeline | 2024-08-05 | 6.5 Medium |
A missing permission check in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
CVE-2019-16547 | 1 Jenkins | 1 Google Compute Engine | 2024-08-05 | 4.3 Medium |
Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment. | ||||
CVE-2019-16236 | 4 Canonical, Debian, Dino and 1 more | 4 Ubuntu Linux, Debian Linux, Dino and 1 more | 2024-08-05 | 7.5 High |
Dino before 2019-09-10 does not check roster push authorization in module/roster/module.vala. | ||||
CVE-2019-16124 | 1 Youphptube | 1 Youphptube | 2024-08-05 | 9.8 Critical |
In YouPHPTube 7.4, the file install/checkConfiguration.php has no access control, which leads to everyone being able to edit the configuration file, and insert malicious PHP code. | ||||
CVE-2019-16097 | 1 Linuxfoundation | 1 Harbor | 2024-08-05 | 6.5 Medium |
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API when Harbor is set up with DB as the authentication backend and allows users to self-register. Fixed versions: v1.7.6, v1.8.3, v1.9.0. Workaround without applying the fix: configure Harbor to use a non-DB authentication backend such as LDAP. | ||||
CVE-2019-15954 | 1 Totaljs | 1 Total.js Cms | 2024-08-05 | 9.9 Critical |
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script> | ||||
CVE-2019-15877 | 1 Freebsd | 1 Freebsd | 2024-08-05 | 5.5 Medium |
In FreeBSD 12.1-STABLE before r356606 and 12.1-RELEASE before 12.1-RELEASE-p3, driver-specific ioctl command handlers in the ixl network driver failed to check whether the caller has sufficient privileges, allowing unprivileged users to trigger updates to the device's non-volatile memory. | ||||
CVE-2019-15953 | 1 Totaljs | 1 Total.js Cms | 2024-08-05 | N/A |
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests. This leads to vertical and horizontal privilege escalation. | ||||
CVE-2019-15932 | 1 Intesync | 1 Solismed | 2024-08-05 | 9.8 Critical |
Intesync Solismed 3.3sp has Incorrect Access Control. | ||||
CVE-2019-15871 | 1 Wpbrigade | 1 Loginpress | 2024-08-05 | N/A |
The LoginPress plugin before 1.1.4 for WordPress has no capability check for updates to settings. | ||||
CVE-2019-15876 | 1 Freebsd | 1 Freebsd | 2024-08-05 | 5.5 Medium |
In FreeBSD 12.1-STABLE before r356089, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r356090, and 11.3-RELEASE before 11.3-RELEASE-p7, driver-specific ioctl command handlers in the oce network driver failed to check whether the caller has sufficient privileges, allowing unprivileged users to send passthrough commands to the device firmware. | ||||
CVE-2019-15850 | 1 Eq-3 | 2 Homematic Ccu3, Homematic Ccu3 Firmware | 2024-08-05 | 8.8 High |
eQ-3 HomeMatic CCU3 firmware version 3.41.11 allows Remote Code Execution in the ReGa.runScript method. An authenticated attacker can easily execute code and compromise the system. | ||||
CVE-2019-15723 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 5.3 Medium |
An issue was discovered in GitLab Community and Enterprise Edition 11.9.x and 11.10.x before 11.10.1. Merge requests created by email could be used to bypass push rules in certain situations. | ||||
CVE-2019-15648 | 1 Elearningfreak | 1 Insert Or Embed Articulate Content | 2024-08-05 | N/A |
The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber. | ||||
CVE-2019-15576 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 7.5 High |
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint. | ||||
CVE-2019-15386 | 1 Lavamobiles | 2 Z60s, Z60s Firmware | 2024-08-05 | 5.5 Medium |
The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. | ||||
CVE-2019-15387 | 1 Archos | 2 Core 101, Core 101 Firmware | 2024-08-05 | 3.3 Low |
The Archos Core 101 Android device with a build fingerprint of archos/MTKAC101CR3G_ARCHOS/ac101cr3g:7.0/NRD90M/20180611.034442:user/release-keys contains a pre-installed app with a package name of com.roco.autogen app (versionCode=1, versionName=1) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15136 | 1 Eprosima | 1 Fast-rtps | 2024-08-05 | N/A |
The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition. | ||||
CVE-2019-15030 | 4 Canonical, Linux, Opensuse and 1 more | 4 Ubuntu Linux, Linux Kernel, Leap and 1 more | 2024-08-05 | 4.4 Medium |
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check. | ||||