Total
2081 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-2193 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In WelcomeActivity.java and related files, there is a possible permissions bypass due to a partially provisioned Device Policy Client. This could lead to local escalation of privilege, leaving an Admin app installed with no indication to the user, with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-132261064 | ||||
| CVE-2019-25071 | 1 Apple | 1 Iphone Os | 2024-11-21 | 6.3 Medium |
| A vulnerability was found in Apple iPhone up to 12.4.1. It has been declared as critical. Affected by this vulnerability is Siri. Playing an audio or video file might be able to initiate Siri on the same device which makes it possible to execute commands remotely. Exploit details have been disclosed to the public. The existence and implications of this vulnerability are doubted by Apple even though multiple public videos demonstrating the attack exist. Upgrading to version 13.0 migt be able to address this issue. It is recommended to upgrade affected devices. NOTE: Apple claims, that after examining the report they do not see any actual security implications. | ||||
| CVE-2019-25068 | 1 Axiositalia | 1 Registro Elettronico | 2024-11-21 | 6.3 Medium |
| A vulnerability classified as critical was found in Axios Italia Axios RE 1.7.0/7.0.0. This vulnerability affects unknown code of the file REDefault.aspx of the component Connection Handler. The manipulation of the argument DBIDX leads to privilege escalation. The attack can be initiated remotely. | ||||
| CVE-2019-25066 | 1 Ajenti | 1 Ajenti | 2024-11-21 | 6.3 Medium |
| A vulnerability has been found in ajenti 2.1.31 and classified as critical. This vulnerability affects unknown code of the component API. The manipulation leads to privilege escalation. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1.32 is able to address this issue. The name of the patch is 7aa146b724e0e20cfee2c71ca78fafbf53a8767c. It is recommended to upgrade the affected component. | ||||
| CVE-2019-20886 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 7.5 High |
| An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin. | ||||
| CVE-2019-20074 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2024-11-21 | 8.8 High |
| On Netis DL4323 devices, any user role can view sensitive information, such as a user password or the FTP password, via the form2saveConf.cgi page. | ||||
| CVE-2019-20043 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 4.3 Medium |
| In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. | ||||
| CVE-2019-1939 | 2 Cisco, Microsoft | 2 Webex Teams, Windows | 2024-11-21 | 8.8 High |
| A vulnerability in the Cisco Webex Teams client for Windows could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. This vulnerability is due to improper restrictions on software logging features used by the application on Windows operating systems. An attacker could exploit this vulnerability by convincing a targeted user to visit a website designed to submit malicious input to the affected application. A successful exploit could allow the attacker to cause the application to modify files and execute arbitrary commands on the system with the privileges of the targeted user. | ||||
| CVE-2019-1754 | 1 Cisco | 1 Ios Xe | 2024-11-21 | 8.8 High |
| A vulnerability in the authorization subsystem of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to improper validation of user privileges of web UI users. An attacker could exploit this vulnerability by submitting a malicious payload to a specific endpoint in the web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands with higher privileges on the affected device. | ||||
| CVE-2019-1454 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 5.5 Medium |
| An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks, aka 'Windows User Profile Service Elevation of Privilege Vulnerability'. | ||||
| CVE-2019-1177 | 1 Microsoft | 17 Windows 10, Windows 10 1507, Windows 10 1607 and 14 more | 2024-11-21 | 7 High |
| An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the rpcss.dll properly handles objects in memory. | ||||
| CVE-2019-1175 | 1 Microsoft | 7 Windows 10, Windows 10 1803, Windows 10 1809 and 4 more | 2024-11-21 | 7 High |
| An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the psmsrv.dll properly handles objects in memory. | ||||
| CVE-2019-1162 | 1 Microsoft | 17 Windows 10, Windows 10 1507, Windows 10 1607 and 14 more | 2024-11-21 | 7.8 High |
| An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to ALPC. | ||||
| CVE-2019-1007 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2024-11-21 | N/A |
| An elevation of privilege exists in Windows Audio Service, aka 'Windows Audio Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1021, CVE-2019-1022, CVE-2019-1026, CVE-2019-1027, CVE-2019-1028. | ||||
| CVE-2019-1000 | 1 Microsoft | 1 Azure Active Directory Connect | 2024-11-21 | N/A |
| An elevation of privilege vulnerability exists in Microsoft Azure Active Directory Connect build 1.3.20.0, which allows an attacker to execute two PowerShell cmdlets in context of a privileged account, and perform privileged actions.To exploit this, an attacker would need to authenticate to the Azure AD Connect server, aka 'Microsoft Azure AD Connect Elevation of Privilege Vulnerability'. | ||||
| CVE-2019-19783 | 5 Canonical, Cyrus, Debian and 2 more | 5 Ubuntu Linux, Imap, Debian Linux and 2 more | 2024-11-21 | 6.5 Medium |
| An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c. | ||||
| CVE-2019-19728 | 3 Debian, Opensuse, Schedmd | 3 Debian Linux, Leap, Slurm | 2024-11-21 | 7.5 High |
| SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 executes srun --uid with incorrect privileges. | ||||
| CVE-2019-19726 | 1 Openbsd | 1 Openbsd | 2024-11-21 | 7.8 High |
| OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root. | ||||
| CVE-2019-19699 | 1 Centreon | 1 Centreon | 2024-11-21 | 7.2 High |
| There is Authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration, This allows the apache user to modify an executable file executed by root at 22:30 every day. To exploit the vulnerability, someone must have Admin access to the Centreon Web Interface and create a custom main.php?p=60803&type=3 command. The user must then set the Pollers Post-Restart Command to this previously created command via the main.php?p=60901&o=c&server_id=1 URI. This is triggered via an export of the Poller Configuration. | ||||
| CVE-2019-19585 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 7.8 High |
| An issue was discovered in rConfig 3.9.3. The install script updates the /etc/sudoers file for rconfig specific tasks. After an "rConfig specific Apache configuration" update, apache has high privileges for some binaries. This can be exploited by an attacker to bypass local security restrictions. | ||||