Total
2473 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-12794 | 1 Misp | 1 Misp | 2024-11-21 | N/A |
| An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them. The potential for abuse only occurs when the host organization creates lower-privilege organization admins instead of the usual site admins. Also, only organization admins of the same organization as the site admin could abuse this. | ||||
| CVE-2019-12775 | 1 Enttec | 8 Datagate Mk2, Datagate Mk2 Firmware, E-streamer Mk2 and 5 more | 2024-11-21 | N/A |
| An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They allow high-privileged root access by www-data via sudo without requiring appropriate access control. (Furthermore, the user account that controls the web application service is granted full access to run any system commands with elevated privilege, without the need for password authentication. Should vulnerabilities be identified and exploited within the web application, it may be possible for a threat actor to create or run high-privileged binaries or executables that are available within the operating system of the device.) | ||||
| CVE-2019-12731 | 2 Microsoft, Mikogo | 2 Windows, Mikogo | 2024-11-21 | N/A |
| The Windows versions of Snapview Mikogo, versions before 5.10.2 are affected by insecure implementations which allow local attackers to escalate privileges. | ||||
| CVE-2019-12618 | 1 Hashicorp | 1 Nomad | 2024-11-21 | N/A |
| HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver. | ||||
| CVE-2019-12522 | 1 Squid-cache | 1 Squid | 2024-11-21 | 4.5 Medium |
| An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root. | ||||
| CVE-2019-12183 | 1 Safescan | 14 Ta-8010, Ta-8010 Firmware, Ta-8015 and 11 more | 2024-11-21 | 7.5 High |
| Incorrect Access Control in Safescan Timemoto TM-616 and TA-8000 series allows remote attackers to read any file via the administrative API. | ||||
| CVE-2019-12176 | 1 Htc | 1 Viveport | 2024-11-21 | N/A |
| Privilege escalation in the "HTC Account Service" and "ViveportDesktopService" in HTC VIVEPORT before 1.0.0.36 allows local attackers to escalate privileges to SYSTEM via reconfiguration of either service. | ||||
| CVE-2019-11896 | 1 Bosch | 2 Smart Home Controller, Smart Home Controller Firmware | 2024-11-21 | 7.1 High |
| A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app, which requires user interaction. | ||||
| CVE-2019-11893 | 1 Bosch | 2 Smart Home Controller, Smart Home Controller Firmware | 2024-11-21 | 8.0 High |
| A potential incorrect privilege assignment vulnerability exists in the app permission update API of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app with restricted permissions, which required user interaction. | ||||
| CVE-2019-11891 | 1 Bosch | 2 Smart Home Controller, Smart Home Controller Firmware | 2024-11-21 | 8.0 High |
| A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in elevated privileges of the adversary's choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack. | ||||
| CVE-2019-11888 | 2 Golang, Microsoft | 2 Go, Windows | 2024-11-21 | N/A |
| Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. | ||||
| CVE-2019-11847 | 1 Sierrawireless | 13 Airlink Es440, Airlink Es450, Airlink Gx400 and 10 more | 2024-11-21 | 7.3 High |
| An improper privilege management vulnerabitlity exists in ALEOS before 4.11.0, 4.9.4 and 4.4.9. An authenticated user can escalate to root via the command shell. | ||||
| CVE-2019-11632 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-11-21 | N/A |
| In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.) | ||||
| CVE-2019-11553 | 1 Code42 | 1 Code42 | 2024-11-21 | N/A |
| In Code42 for Enterprise through 6.8.4, an administrator without web restore permission but with the ability to manage users in an organization can impersonate a user with web restore permission. When requesting the token to do a web restore, an administrator with permission to manage a user could request the token of that user. If the administrator was not authorized to perform web restores but the user was authorized to perform web restores, this would allow the administrator to impersonate the user with greater permissions. In order to exploit this vulnerability, the user would have to be an administrator with access to manage an organization with a user with greater permissions than themselves. | ||||
| CVE-2019-11551 | 1 Code42 | 2 Code42 For Enterprise, Crashplan For Small Business | 2024-11-21 | N/A |
| In Code42 Enterprise and Crashplan for Small Business through Client version 6.9.1, an attacker can craft a restore request to restore a file through the Code42 app to a location they do not have privileges to write. | ||||
| CVE-2019-11521 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | N/A |
| OX App Suite 7.10.1 allows Content Spoofing. | ||||
| CVE-2019-11288 | 1 Pivotal | 2 Tc Runtimes, Tc Server | 2024-11-21 | 7.0 High |
| In Pivotal tc Server, 3.x versions prior to 3.2.19 and 4.x versions prior to 4.0.10, and Pivotal tc Runtimes, 7.x versions prior to 7.0.99.B, 8.x versions prior to 8.5.47.A, and 9.x versions prior to 9.0.27.A, when a tc Runtime instance is configured with the JMX Socket Listener, a local attacker without access to the tc Runtime process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the tc Runtime instance. | ||||
| CVE-2019-11280 | 1 Pivotal Software | 1 Pivotal Application Service | 2024-11-21 | 8.8 High |
| Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to. | ||||
| CVE-2019-11270 | 1 Pivotal Software | 3 Application Service, Cloud Foundry Uaa, Operations Manager | 2024-11-21 | 7.5 High |
| Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess. | ||||
| CVE-2019-10940 | 1 Siemens | 1 Sinema Server | 2024-11-21 | 9.9 Critical |
| A vulnerability has been identified in SINEMA Server (All versions < V14.0 SP2 Update 1). Incorrect session validation could allow an attacker with a valid session, with low privileges, to perform firmware updates and other administrative operations on connected devices. The security vulnerability could be exploited by an attacker with network access to the affected system. An attacker must have access to a low privileged account in order to exploit the vulnerability. An attacker could use the vulnerability to compromise confidentiality, integrity, and availability of the affected system and underlying components. At the time of advisory publication no public exploitation of this security vulnerability was known. | ||||