Total
1460 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-16406 | 1 Centreon | 1 Centreon Web | 2024-11-21 | 7.8 High |
Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron. | ||||
CVE-2019-16354 | 1 Beego | 1 Beego | 2024-11-21 | 4.7 Medium |
The File Session Manager in Beego 1.10.0 allows local users to read session files because there is a race condition involving file creation within a directory with weak permissions. | ||||
CVE-2019-16187 | 1 Limesurvey | 1 Limesurvey | 2024-11-21 | 7.5 High |
Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script. | ||||
CVE-2019-15721 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.4 Medium |
An issue was discovered in GitLab Community and Enterprise Edition 10.8 through 12.2.1. An internal endpoint unintentionally allowed group maintainers to view and edit group runner settings. | ||||
CVE-2019-15340 | 1 Mi | 2 Redmi 6, Redmi 6 Firmware | 2024-11-21 | 3.3 Low |
The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V9.6.4.0.ODMMIFD:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201805292006) that allows any app co-located on the device to programmatically disable and enable Wi-Fi, Bluetooth, and GPS without the corresponding access permission through an exported interface. | ||||
CVE-2019-15339 | 1 Lavamobiles | 2 Z60s, Z60s Firmware | 2024-11-21 | 3.3 Low |
The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15338 | 1 Lavamobiles | 2 Iris 88, Iris 88 Firmware | 2024-11-21 | 3.3 Low |
The Lava Iris 88 Lite Android device with a build fingerprint of LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15337 | 1 Lavamobiles | 2 Z81, Z81 Firmware | 2024-11-21 | 3.3 Low |
The Lava Z81 Android device with a build fingerprint of LAVA/Z81/Z81:8.1.0/O11019/1532317309:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.31) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15336 | 1 Lavamobiles | 2 Z61, Z61 Firmware | 2024-11-21 | 3.3 Low |
The Lava Z61 Turbo Android device with a build fingerprint of LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.31) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15335 | 1 Lavamobiles | 2 Z92, Z92 Firmware | 2024-11-21 | 3.3 Low |
The Lava Z92 Android device with a build fingerprint of LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15334 | 1 Lavamobiles | 2 Iris 88, Iris 88 Firmware | 2024-11-21 | 3.3 Low |
The Lava Iris 88 Go Android device with a build fingerprint of LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15333 | 1 Lavamobiles | 2 Flair Z1, Flair Z1 Firmware | 2024-11-21 | 3.3 Low |
The Lava Flair Z1 Android device with a build fingerprint of LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. | ||||
CVE-2019-15316 | 2 Microsoft, Valvesoftware | 2 Windows, Steam Client | 2024-11-21 | N/A |
Valve Steam Client for Windows through 2019-08-20 has weak folder permissions, leading to privilege escalation (to NT AUTHORITY\SYSTEM) via crafted use of CreateMountPoint.exe and SetOpLock.exe to leverage a TOCTOU race condition. | ||||
CVE-2019-15315 | 2 Microsoft, Valvesoftware | 2 Windows, Steam Client | 2024-11-21 | N/A |
Valve Steam Client for Windows through 2019-08-16 allows privilege escalation (to NT AUTHORITY\SYSTEM) because local users can replace the current versions of SteamService.exe and SteamService.dll with older versions that lack the CVE-2019-14743 patch. | ||||
CVE-2019-15119 | 1 Nps Project | 1 Nps | 2024-11-21 | N/A |
lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user. | ||||
CVE-2019-15084 | 1 Maxx | 1 Waves Maxx Audio | 2024-11-21 | N/A |
Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, installs with incorrect file permissions. As a result, a local attacker can escalate to SYSTEM. | ||||
CVE-2019-14969 | 1 Netwrix | 1 Auditor | 2024-11-21 | N/A |
Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation, and thus the target file will have the same permissions as the invoking process (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by a low-privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links. | ||||
CVE-2019-14935 | 2 3cx, Microsoft | 2 3cx, Windows | 2024-11-21 | N/A |
3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link. | ||||
CVE-2019-14869 | 4 Artifex, Fedoraproject, Opensuse and 1 more | 5 Ghostscript, Fedora, Leap and 2 more | 2024-11-21 | 8.8 High |
A flaw was found in all versions of ghostscript 9.x before 9.50, in the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within Ghostscript and access files outside of restricted areas or execute commands. | ||||
CVE-2019-14812 | 3 Artifex, Fedoraproject, Redhat | 4 Ghostscript, Fedora, 3scale Amp and 1 more | 2024-11-21 | 7.8 High |
A flaw was found in all ghostscript versions 9.x before 9.50, in the `.setuserparams2` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. |