Total
4054 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-13526 | 1 Datalogic | 2 Av7000, Av7000 Firmware | 2024-11-21 | N/A |
| Datalogic AV7000 Linear barcode scanner all versions prior to 4.6.0.0 is vulnerable to authentication bypass, which may allow an attacker to remotely execute arbitrary code. | ||||
| CVE-2019-13423 | 1 Search-guard | 1 Search Guard | 2024-11-21 | 8.8 High |
| Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 had an issue that an authenticated Kibana user could impersonate as kibanaserver user when providing wrong credentials when all of the following conditions a-c are true: a) Kibana is configured to use Single-Sign-On as authentication method, one of Kerberos, JWT, Proxy, Client certificate. b) The kibanaserver user is configured to use HTTP Basic as the authentication method. c) Search Guard is configured to use an SSO authentication domain and HTTP Basic at the same time | ||||
| CVE-2019-13372 | 1 Dlink | 1 Central Wifimanager | 2024-11-21 | 9.8 Critical |
| /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication. | ||||
| CVE-2019-13361 | 1 Smanos | 2 W100, W100 Firmware | 2024-11-21 | 6.5 Medium |
| Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an attacker on the same Wi-Fi network. | ||||
| CVE-2019-13336 | 1 Dbell | 2 Db01-s, Db01-s Firmware | 2024-11-21 | 9.8 Critical |
| The dbell Wi-Fi Smart Video Doorbell DB01-S Gen 1 allows remote attackers to launch commands with no authentication verification via TCP port 81, because the loginuse and loginpass parameters to openlock.cgi can have arbitrary values. NOTE: the vendor's position is that this product reached end of life in 2016. | ||||
| CVE-2019-13294 | 1 Arox | 1 School-erp | 2024-11-21 | N/A |
| AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system. | ||||
| CVE-2019-13190 | 1 Eng | 1 Knowage | 2024-11-21 | N/A |
| In Knowage through 6.1.1, the sign up page does not invalidate a valid CAPTCHA token. This allows for CAPTCHA bypass in the signup page. | ||||
| CVE-2019-13188 | 1 Eng | 1 Knowage | 2024-11-21 | N/A |
| In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application. | ||||
| CVE-2019-12845 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | N/A |
| The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. The issue was fixed in JetBrains TeamCity 2018.2.3. | ||||
| CVE-2019-12643 | 1 Cisco | 8 4221 Integrated Services Router, 4321 Integrated Services Router, 4331 Integrated Services Router and 5 more | 2024-11-21 | N/A |
| A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device. The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service. An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device. The REST API interface is not enabled by default and must be installed and activated separately on IOS XE devices. See the Details section for more information. | ||||
| CVE-2019-12564 | 1 Douco | 1 Douphp | 2024-11-21 | N/A |
| In DouCo DouPHP v1.5 Release 20190516, remote attackers can view the database backup file via a brute-force guessing approach for data/backup/DyyyymmddThhmmss.sql filenames. | ||||
| CVE-2019-12530 | 1 Glpi Dashboard Project | 1 Glpi Dashboard | 2024-11-21 | N/A |
| Incorrect access control was discovered in the stdonato Dashboard plugin through 0.9.7 for GLPI, affecting df.php, issue.php, load.php, mem.php, traf.php, and uptime.php in front/sh. | ||||
| CVE-2019-12440 | 1 Sitecore | 1 Rocks | 2024-11-21 | N/A |
| The Sitecore Rocks plugin before 2.1.149 for Sitecore allows an unauthenticated threat actor to inject malicious commands and code via the Sitecore Rocks Hard Rocks Service. | ||||
| CVE-2019-12419 | 3 Apache, Oracle, Redhat | 8 Cxf, Commerce Guided Search, Enterprise Manager Base Platform and 5 more | 2024-11-21 | 9.8 Critical |
| Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client. | ||||
| CVE-2019-12405 | 1 Apache | 1 Traffic Control | 2024-11-21 | 9.8 Critical |
| Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password. | ||||
| CVE-2019-12395 | 1 Dynmap Project | 1 Dynmap | 2024-11-21 | 5.3 Medium |
| In Webbukkit Dynmap 3.0-beta-3 or below, due to a missing login check in servlet/MapStorageHandler.java, an attacker can see a map image without login even if victim enables login-required in setting. | ||||
| CVE-2019-12394 | 1 Anviz | 1 Management System | 2024-11-21 | 9.8 Critical |
| Anviz access control devices allow unverified password change which allows remote attackers to change the administrator password without prior authentication. | ||||
| CVE-2019-12300 | 1 Buildbot | 1 Buildbot | 2024-11-21 | N/A |
| Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim. | ||||
| CVE-2019-12254 | 2 Gok, Tecson | 10 Smartbox 4 Lan, Smartbox 4 Lan Firmware, Smartbox 4 Lan Pro and 7 more | 2024-11-21 | 9.8 Critical |
| In multiple Tecson Tankspion and GOKs SmartBox 4 products the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a unauthenticated user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules. | ||||
| CVE-2019-11576 | 1 Gitea | 1 Gitea | 2024-11-21 | N/A |
| Gitea before 1.8.0 allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an attacker could send them to the API without requiring the 2FA one-time password. | ||||