CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 1 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-1020014 415 2019-07-29 2019-08-19
2.1
None Local Low Not required Partial None None
docker-credential-helpers before 0.6.3 has a double free in the List functions.
2 CVE-2019-1010208 119 Exec Code Overflow 2019-07-23 2019-08-05
2.1
None Local Low Not required Partial None None
IDRIX, Truecrypt Veracrypt, Truecrypt Prior to 1.23-Hotfix-1 (Veracrypt), all versions (Truecrypt) is affected by: Buffer Overflow. The impact is: Minor information disclosure of kernel stack. The component is: Veracrypt NT Driver (veracrypt.sys). The attack vector is: Locally executed code, IOCTL request to driver. The fixed version is: 1.23-Hotfix-1.
3 CVE-2019-1003048 255 2019-03-28 2019-04-01
2.1
None Local Low Not required Partial None None
A vulnerability in Jenkins PRQA Plugin 3.1.0 and earlier allows attackers with local file system access to the Jenkins home directory to obtain the unencrypted password from the plugin configuration.
4 CVE-2019-1003044 352 CSRF 2019-03-28 2019-04-02
2.1
None Remote High Single system Partial None None
A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
5 CVE-2019-14939 200 +Info 2019-08-11 2019-08-22
2.1
None Local Low Not required Partial None None
An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default.
6 CVE-2019-14783 264 2019-08-08 2019-08-16
2.1
None Local Low Not required None Partial None
On Samsung mobile devices with N(7.x), and O(8.x), P(9.0) software, FotaAgent allows a malicious application to create privileged files. The Samsung ID is SVE-2019-14764.
7 CVE-2019-14671 200 +Info 2019-08-05 2019-08-09
2.1
None Local Low Not required Partial None None
Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attacker can enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints_url to import/job/configuration, and import/create/fints.
8 CVE-2019-14414 20 2019-07-30 2019-07-30
2.1
None Local Low Not required None Partial None
In cPanel before 78.0.2, a Userdata cache temporary file can conflict with domains (SEC-478).
9 CVE-2019-14412 134 2019-07-30 2019-07-30
2.1
None Local Low Not required None Partial None
Maketext in cPanel before 78.0.2 allows format-string injection in the DCV check_domains_via_dns UAPI (SEC-474).
10 CVE-2019-14410 134 2019-07-30 2019-07-30
2.1
None Local Low Not required None Partial None
Maketext in cPanel before 78.0.2 allows format-string injection in the Email store_filter UAPI (SEC-472).
11 CVE-2019-14409 200 +Info 2019-07-30 2019-07-30
2.1
None Local Low Not required Partial None None
cPanel before 78.0.2 allows arbitrary file-read operations via Passenger adminbin (SEC-466).
12 CVE-2019-14402 20 2019-07-30 2019-07-30
2.1
None Local Low Not required None Partial None
cPanel before 78.0.18 unsafely determines terminal capabilities by using infocmp (SEC-481).
13 CVE-2019-14396 20 2019-07-30 2019-07-31
2.1
None Local Low Not required None Partial None
API Analytics adminbin in cPanel before 80.0.5 allows spoofed insertions of log data (SEC-495).
14 CVE-2019-14395 200 +Info 2019-07-30 2019-07-31
2.1
None Local Low Not required Partial None None
cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494).
15 CVE-2019-14394 200 +Info 2019-07-30 2019-07-31
2.1
None Local Low Not required Partial None None
cPanel before 80.0.5 allows unsafe file operations in the context of the root account via the fetch_ssl_certificates_for_fqdns API (SEC-489).
16 CVE-2019-14391 264 2019-07-30 2019-07-30
2.1
None Local Low Not required None Partial None
cPanel before 82.0.2 does not properly enforce Reseller package creation ACLs (SEC-514).
17 CVE-2019-14389 255 2019-07-30 2019-07-30
2.1
None Local Low Not required Partial None None
cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510).
18 CVE-2019-14359 200 +Info 2019-08-12 2019-08-21
2.1
None Local Low Not required Partial None None
** DISPUTED ** On BC Vault devices, a side channel for the row-based SSD1309 OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover a data value. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: the vendor's position is that there is no security impact: the only potentially leaked information is the number of characters in the PIN.
19 CVE-2019-14357 200 +Info 2019-08-10 2019-08-21
1.9
None Local Medium Not required Partial None None
** DISPUTED ** On Mooltipass Mini devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: the vendor's position is that an attack is not "realistically implementable."
20 CVE-2019-14355 200 +Info 2019-08-10 2019-08-21
1.9
None Local Medium Not required Partial None None
** DISPUTED ** On ShapeShift KeepKey devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover secret data shown on the display. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: the vendor's position is that there is "insignificant risk."
21 CVE-2019-14354 200 +Info 2019-08-10 2019-08-21
1.9
None Local Medium Not required Partial None None
On Ledger Nano S and Nano X devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data.
22 CVE-2019-14353 200 +Info 2019-08-08 2019-08-19
1.9
None Local Medium Not required Partial None None
On Trezor One devices before 1.8.2, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: this CVE applies exclusively to the Trezor One, and does not refer to any issues with OLED displays on other devices.
23 CVE-2019-14337 264 2019-08-01 2019-08-09
2.1
None Local Low Not required Partial None None
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is an ability to escape to a shell in the restricted command line interface, as demonstrated by the `/bin/sh -c wget` sequence.
24 CVE-2019-14336 20 2019-08-01 2019-08-09
2.1
None Local Low Not required Partial None None
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated dump of all of the config files through a certain admin.cgi?action= insecure HTTP request.
25 CVE-2019-14334 295 2019-08-01 2019-08-05
2.1
None Local Low Not required Partial None None
An issue was discovered on D-Link 6600-AP, DWL-3600AP, and DWL-8610AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated Certificate and RSA Private Key extraction through an insecure sslcert-get.cgi HTTP command.
26 CVE-2019-14284 369 DoS 2019-07-26 2019-08-11
2.1
None Local Low Not required None None Partial
In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default.
27 CVE-2019-13314 255 2019-07-05 2019-07-18
2.1
None Local Low Not required Partial None None
virt-bootstrap 1.1.0 allows local users to discover a root password by listing a process, because this password may be present in the --root-password option to virt_bootstrap.py.
28 CVE-2019-13313 255 2019-07-05 2019-07-18
2.1
None Local Low Not required Partial None None
libosinfo 1.5.0 allows local users to discover credentials by listing a process, because credentials are passed to osinfo-install-script via the command line.
29 CVE-2019-12919 200 +Info 2019-06-20 2019-06-27
2.1
None Local Low Not required Partial None None
On Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices, an attacker on the local network has unauthenticated access to the internal SD card via the HTTP service on port 8000. The HTTP web server on the camera allows anyone to view or download the video archive recorded and saved on the external memory card attached to the device.
30 CVE-2019-12913 254 2019-07-17 2019-07-19
2.1
None Local Low Not required Partial None None
Redbrick Shift through 3.4.3 allows an attacker to extract emails of services (such as Gmail, Outlook, etc.) used in the application.
31 CVE-2019-12912 426 2019-07-17 2019-07-19
2.1
None Local Low Not required Partial None None
Redbrick Shift through 3.4.3 allows an attacker to extract emails of services (such as Gmail, Outlook, etc.) used in the application.
32 CVE-2019-12819 416 DoS 2019-06-13 2019-06-18
2.1
None Local Low Not required None None Partial
An issue was discovered in the Linux kernel before 5.0. The function __mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(), which will trigger a fixed_mdio_bus_init use-after-free. This will cause a denial of service.
33 CVE-2019-12762 264 2019-06-06 2019-06-10
1.9
None Local Medium Not required None Partial None
Xiaomi Mi 5s Plus devices allow attackers to trigger touchscreen anomalies via a radio signal between 198 kHz and 203 kHz, as demonstrated by a transmitter and antenna hidden just beneath the surface of a coffee-shop table, aka Ghost Touch.
34 CVE-2019-12732 79 XSS 2019-06-06 2019-07-16
2.6
None Remote High Not required None Partial None
The Chartkick gem through 3.1.0 for Ruby allows XSS.
35 CVE-2019-12477 22 Dir. Trav. File Inclusion 2019-06-07 2019-06-11
2.1
None Local Low Not required None Partial None
Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri= URI.
36 CVE-2019-12380 388 2019-05-27 2019-07-10
2.1
None Local Low Not required None None Partial
**DISPUTED** An issue was discovered in the efi subsystem in the Linux kernel through 5.1.5. phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because ?All the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it.?.
37 CVE-2019-11894 284 2019-05-29 2019-05-31
2.9
None Local Network Medium Not required Partial None None
A potential improper access control vulnerability exists in the backup mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in unauthorized download of a backup. In order to exploit the vulnerability, the adversary needs to download the backup directly after a backup triggered by a legitimate user has been completed.
38 CVE-2019-11885 255 2019-05-12 2019-05-16
2.1
None Local Low Not required Partial None None
eyeDisk implements the unlock feature by sending a cleartext password. The password can be discovered by sniffing USB traffic or by sending a 06 05 52 41 01 b0 00 00 00 00 00 00 SCSI command.
39 CVE-2019-11884 77 +Info 2019-05-10 2019-05-31
2.1
None Local Low Not required Partial None None
The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\0' character.
40 CVE-2019-11879 22 Dir. Trav. 2019-05-10 2019-05-13
2.1
None Local Low Not required Partial None None
** DISPUTED ** The WEBrick gem 1.4.2 for Ruby allows directory traversal if the attacker once had local access to create a symlink to a location outside of the web root directory. NOTE: The vendor states that this is analogous to Options FollowSymlinks in the Apache HTTP Server, and therefore it is "not a problem."
41 CVE-2019-11836 200 +Info 2019-05-09 2019-05-09
2.1
None Local Low Not required Partial None None
The Rediffmail (aka com.rediff.mail.and) application 2.2.6 for Android has cleartext mail content in file storage, persisting after a logout.
42 CVE-2019-11833 200 +Info 2019-05-15 2019-06-04
2.1
None Local Low Not required Partial None None
fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem.
43 CVE-2019-11820 255 +Info 2019-05-09 2019-05-09
2.1
None Local Low Not required Partial None None
Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline.
44 CVE-2019-11271 200 +Info 2019-06-18 2019-06-21
2.1
None Local Low Not required Partial None None
Cloud Foundry BOSH 270.x versions prior to v270.1.1, contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. A local authenticated malicious user may read any credentials that are contained in a BOSH manifest.
45 CVE-2019-11244 264 2019-04-22 2019-05-09
1.9
None Local Medium Not required None Partial None
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.
46 CVE-2019-11191 362 Bypass 2019-04-11 2019-06-07
1.9
None Local Medium Not required Partial None None
The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat.
47 CVE-2019-11114 20 DoS 2019-05-17 2019-05-21
2.1
None Local Low Not required None None Partial
Insufficient input validation in Intel(R) Driver & Support Assistant version 19.3.12.3 and before may allow a privileged user to potentially enable denial of service via local access.
48 CVE-2019-11095 284 2019-05-17 2019-05-21
2.1
None Local Low Not required Partial None None
Insufficient access control in Intel(R) Driver & Support Assistant version 19.3.12.3 and before may allow a privileged user to potentially enable information disclosure via local access.
49 CVE-2019-11015 255 Bypass 2019-04-18 2019-04-19
2.1
None Local Low Not required Partial None None
A vulnerability was found in the MIUI OS version 10.1.3.0 that allows a physically proximate attacker to bypass Lockscreen based authentication via the Wallpaper Carousel application to obtain sensitive Clipboard data and the user's stored credentials (partially). This occurs because of paste access to a social media login page.
50 CVE-2019-10981 255 2019-05-31 2019-06-03
2.1
None Local Low Not required Partial None None
In Vijeo Citect 7.30 and 7.40, and CitectSCADA 7.30 and 7.40, a vulnerability has been identified that may allow an authenticated local user access to Citect user credentials.
Total number of vulnerabilities : 5637   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.