Total
1051 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-14870 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2024-11-21 | 5.4 Medium |
| All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set. | ||||
| CVE-2019-14828 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.3 Medium |
| A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role. | ||||
| CVE-2019-14809 | 3 Debian, Golang, Redhat | 4 Debian Linux, Go, Devtools and 1 more | 2024-11-21 | N/A |
| net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. | ||||
| CVE-2019-13554 | 1 Ge | 1 Mark Vie Control System | 2024-11-21 | 8.8 High |
| GE Mark VIe Controller has an unsecured Telnet protocol that may allow a user to create an authenticated session using generic default credentials. GE recommends that users disable the Telnet service. | ||||
| CVE-2019-13550 | 1 Advantech | 1 Webaccess | 2024-11-21 | 9.8 Critical |
| In WebAccess, versions 8.4.1 and prior, an improper authorization vulnerability may allow an attacker to disclose sensitive information, cause improper control of generation of code, which may allow remote code execution or cause a system crash. | ||||
| CVE-2019-13528 | 1 Tridium | 7 Edge 10, Jace-8000, Jace 3e and 4 more | 2024-11-21 | 4.4 Medium |
| A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10). | ||||
| CVE-2019-13416 | 1 Search-guard | 1 Search Guard | 2024-11-21 | 6.5 Medium |
| Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s). | ||||
| CVE-2019-13415 | 1 Search-guard | 1 Search Guard | 2024-11-21 | 6.5 Medium |
| Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users can gain read access to data they are not authorized to see. | ||||
| CVE-2019-12795 | 2 Gnome, Redhat | 2 Gvfs, Enterprise Linux | 2024-11-21 | N/A |
| daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.) | ||||
| CVE-2019-12671 | 1 Cisco | 30 4321\/k9-rf Integrated Services Router, 4321\/k9-ws Integrated Services Router, 4321\/k9 Integrated Services Router and 27 more | 2024-11-21 | 7.8 High |
| A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to gain shell access on an affected device and execute commands on the underlying operating system (OS). The vulnerability is due to insufficient enforcement of the consent token in authorizing shell access. An attacker could exploit this vulnerability by authenticating to the CLI and requesting shell access on an affected device. A successful exploit could allow the attacker to gain shell access on the affected device and execute commands on the underlying OS. | ||||
| CVE-2019-11725 | 2 Mozilla, Opensuse | 2 Firefox, Leap | 2024-11-21 | 6.5 Medium |
| When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but resources from the same site loaded through websockets are not blocked, leading to the loading of unsafe resources and bypassing safebrowsing protections. This vulnerability affects Firefox < 68. | ||||
| CVE-2019-11724 | 2 Mozilla, Opensuse | 2 Firefox, Leap | 2024-11-21 | 6.1 Medium |
| Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks. This vulnerability affects Firefox < 68. | ||||
| CVE-2019-10159 | 1 Redhat | 3 Cfme-gemset, Cloudforms, Cloudforms Managementengine | 2024-11-21 | 4.3 Medium |
| cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the migration log controller. An attacker with access to an unprivileged user can access all VM migration logs available. | ||||
| CVE-2019-10154 | 1 Moodle | 1 Moodle | 2024-11-21 | 7.5 High |
| A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations. | ||||
| CVE-2019-0816 | 3 Canonical, Microsoft, Redhat | 3 Ubuntu Linux, Azure, Enterprise Linux | 2024-11-21 | N/A |
| A security feature bypass exists in Azure SSH Keypairs, due to a change in the provisioning logic for some Linux images that use cloud-init, aka 'Azure SSH Keypairs Security Feature Bypass Vulnerability'. | ||||
| CVE-2019-0212 | 1 Apache | 1 Hbase | 2024-11-21 | N/A |
| In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server. | ||||
| CVE-2018-9867 | 1 Sonicwall | 2 Sonicos, Sonicosv | 2024-11-21 | 5.5 Medium |
| In SonicWall SonicOS, administrators without full permissions can download imported certificates. Occurs when administrators who are not in the SonicWall Administrators user group attempt to download imported certificates. This vulnerability affected SonicOS Gen 5 version 5.9.1.10 and earlier, Gen 6 version 6.2.7.3, 6.5.1.3, 6.5.2.2, 6.5.3.1, 6.2.7.8, 6.4.0.0, 6.5.1.8, 6.0.5.3-86o and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V). | ||||
| CVE-2018-3829 | 1 Elastic | 1 Elastic Cloud Enterprise | 2024-11-21 | 5.3 Medium |
| In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to gain access to other clusters data. | ||||
| CVE-2018-3778 | 1 Aedes Project | 1 Aedes | 2024-11-21 | 5.3 Medium |
| Improper authorization in aedes version <0.35.0 will publish a LWT in a channel when a client is not authorized. | ||||
| CVE-2018-20945 | 1 Cpanel | 1 Cpanel | 2024-11-21 | N/A |
| bin/csvprocess in cPanel before 68.0.27 allows insecure file operations (SEC-354). | ||||