CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2019-10343 532 2019-07-31 2019-08-01
2.1
None Local Low Not required Partial None None
Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied.
52 CVE-2019-10239 255 2019-04-24 2019-04-30
2.1
None Local Low Not required Partial None None
Robotronic RunAsSpc 3.7.0.0 protects stored credentials insufficiently, which allows locally authenticated attackers (under the same user context) to obtain cleartext credentials of the stored account.
53 CVE-2019-10194 532 2019-07-11 2019-08-15
2.1
None Local Low Not required Partial None None
Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.
54 CVE-2019-10183 200 +Info 2019-07-03 2019-07-12
2.1
None Local Low Not required Partial None None
Virt-install(1) utility used to provision new virtual machines has introduced an option '--unattended' to create VMs without user interaction. This option accepts guest VM password as command line arguments, thus leaking them to others users on the system via process listing. It was introduced recently in the virt-manager v2.2.0 release.
55 CVE-2019-10165 200 +Info 2019-07-30 2019-08-08
2.1
None Local Low Not required Partial None None
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.
56 CVE-2019-10157 287 2019-06-12 2019-06-13
2.1
None Local Low Not required None None Partial
It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.
57 CVE-2019-10152 22 Dir. Trav. 2019-07-30 2019-08-06
2.6
None Local High Not required Partial Partial None
A path traversal vulnerability has been discovered in podman before version 1.4.0 in the way it handles symlinks inside containers. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container.
58 CVE-2019-10139 255 2019-05-17 2019-05-21
2.1
None Local Low Not required Partial None None
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.
59 CVE-2019-9824 200 +Info 2019-06-03 2019-07-02
2.1
None Local Low Not required Partial None None
tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.
60 CVE-2019-9706 416 DoS 2019-03-11 2019-03-29
2.1
None Local Low Not required None None Partial
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error.
61 CVE-2019-9705 400 DoS 2019-03-11 2019-03-29
2.1
None Local Low Not required None None Partial
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted.
62 CVE-2019-9221 20 2019-05-29 2019-05-29
2.1
None Local Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 3 of 5).
63 CVE-2019-9158 287 2019-06-05 2019-06-06
2.7
None Local Network Low Single system Partial None None
Gemalto DS3 Authentication Server 2.6.1-SP01 has Broken Access Control.
64 CVE-2019-9157 200 +Info 2019-06-05 2019-06-06
2.7
None Local Network Low Single system Partial None None
Gemalto DS3 Authentication Server 2.6.1-SP01 allows Local File Disclosure.
65 CVE-2019-8934 19 2019-03-21 2019-05-17
2.1
None Local Low Not required Partial None None
hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
66 CVE-2019-8453 426 DoS 2019-04-17 2019-04-23
2.1
None Local Low Not required None None Partial
Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 are taken from directories where all users have write permissions. This can allow a local attacker to replace a DLL file with a malicious one and cause Denial of Service to the client.
67 CVE-2019-8350 255 +Info 2019-05-13 2019-05-14
2.1
None Local Low Not required Partial None None
The Simple - Better Banking application 2.45.0 through 2.45.3 (fixed in 2.46.0) for Android was affected by an information disclosure vulnerability that leaked the user's password to the keyboard autocomplete functionality. Third-party Android keyboards that capture the password may store this password in cleartext, or transmit the password to third-party services for keyboard customization purposes. A compromise of any datastore that contains keyboard autocompletion caches would result in the disclosure of the user's Simple Bank password.
68 CVE-2019-8339 416 Bypass 2019-05-17 2019-05-28
2.1
None Local Low Not required None None Partial
An issue was discovered in Falco through 0.14.0. A missing indicator for insufficient resources allows local users to bypass the detection engine.
69 CVE-2019-8282 284 2019-06-07 2019-06-11
2.6
None Remote High Not required None Partial None
Gemalto Admin Control Center, all versions prior to 7.92, uses cleartext HTTP to communicate with www3.safenet-inc.com to obtain language packs. This allows attacker to do man-in-the-middle (MITM) attack and replace original language pack by malicious one.
70 CVE-2019-7317 416 2019-02-04 2019-08-01
2.6
None Remote High Not required None None Partial
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
71 CVE-2019-7231 119 Overflow 2019-06-24 2019-06-28
2.7
None Local Network Low Single system None None Partial
The ABB IDAL FTP server is vulnerable to a buffer overflow when a long string is sent by an authenticated attacker. This overflow is handled, but terminates the process. An authenticated attacker can send a FTP command string of 472 bytes or more to overflow a buffer, causing an exception that terminates the server.
72 CVE-2019-7222 200 +Info 2019-03-21 2019-08-06
2.1
None Local Low Not required Partial None None
The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.
73 CVE-2019-6632 310 2019-07-03 2019-07-11
2.1
None Local Low Not required Partial None None
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness. The attack prerequisite is direct access to encrypted configuration and/or UCS files.
74 CVE-2019-6588 79 XSS 2019-06-03 2019-06-12
2.6
None Remote High Not required None Partial None
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
75 CVE-2019-6567 255 2019-06-12 2019-06-19
2.1
None Local Low Not required Partial None None
A vulnerability has been identified in SCALANCE X-200 (All Versions < V5.2.4), SCALANCE X-200IRT (All versions), SCALANCE X-300 (All versions), SCALANCE X-414-3E (All versions). The affected devices store passwords in a recoverable format. An attacker may extract and recover device passwords from the device configuration. Successful exploitation requires access to a device configuration backup and impacts confidentiality of the stored passwords. At the time of advisory publication no public exploitation of this security vulnerability was known.
76 CVE-2019-6501 125 2019-03-21 2019-08-06
2.1
None Local Low Not required None None Partial
In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.
77 CVE-2019-6493 200 +Info 2019-04-11 2019-04-12
2.1
None Local Low Not required Partial None None
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC0 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.
78 CVE-2019-6492 200 +Info 2019-03-21 2019-04-01
2.1
None Local Low Not required Partial None None
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC4 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.
79 CVE-2019-6156 254 2019-04-10 2019-04-12
2.1
None Local Low Not required None Partial None
In Lenovo systems, SMM BIOS Write Protection is used to prevent writes to SPI Flash. While this provides sufficient protection, an additional layer of protection is provided by SPI Protected Range Registers (PRx). Lenovo was notified that after resuming from S3 sleep mode in various versions of BIOS for Lenovo systems, the PRx is not set. This does not impact the SMM BIOS Write Protection, which keeps systems protected.
80 CVE-2019-5804 77 2019-05-23 2019-06-28
2.1
None Local Low Not required None Partial None
Incorrect command line processing in Chrome in Google Chrome prior to 73.0.3683.75 allowed a local attacker to perform domain spoofing via a crafted domain name.
81 CVE-2019-5626 255 2019-05-22 2019-05-23
2.1
None Local Low Not required Partial None None
The Android mobile application BlueCats Reveal before 3.0.19 stores the username and password in a clear text file. This file persists until the user logs out or the session times out from non-usage (30 days of no user activity). This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.
82 CVE-2019-5489 200 +Info 2019-01-07 2019-05-31
2.1
None Local Low Not required Partial None None
The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.
83 CVE-2019-5452 20 Bypass 2019-07-30 2019-08-08
2.1
None Local Low Not required Partial None None
Bypass lock protection in the Nextcloud Android app prior to version 3.6.2 causes leaking of thumbnails when requesting the Android content provider although the lock protection was not solved.
84 CVE-2019-5451 20 Bypass 2019-07-30 2019-08-07
2.1
None Local Low Not required Partial None None
Bypass lock protection in the Nextcloud Android app prior to version 3.6.1 allows accessing the files when repeatedly opening and closing the app in a very short time.
85 CVE-2019-5306 264 Bypass 2019-06-04 2019-06-05
2.1
None Local Low Not required None Partial None
There is a Factory Reset Protection (FRP) bypass security vulnerability in P20 Huawei smart phones versions before Emily-AL00A 9.0.0.167(C00E81R1P21T8). When re-configuring the mobile phone using the FRP function, an attacker can delete the activation lock after a series of operations. As a result, the FRP function is bypassed and the attacker gains access to the smartphone.
86 CVE-2019-5297 264 Bypass 2019-06-04 2019-06-05
2.1
None Local Low Not required None Partial None
Emily-L29C Huawei phones versions earlier than 9.0.0.159 (C185E2R1P12T8) have a Factory Reset Protection (FRP) bypass security vulnerability. Before the FRP account is verified and activated during the reset process, the attacker can perform some special operations to bypass the FRP function and obtain the right to use the mobile phone.
87 CVE-2019-5283 264 Bypass 2019-06-04 2019-06-05
2.1
None Local Low Not required None Partial None
There is Factory Reset Protection (FRP) bypass security vulnerability in P20 Huawei smart phones versions earlier than Emily-AL00A 9.0.0.167 (C00E81R1P21T8). When re-configuring the mobile phone using the factory reset protection (FRP) function, an attacker can login the Talkback mode and can perform some operations to access the setting page. As a result, the FRP function is bypassed.
88 CVE-2019-5281 200 +Info 2019-06-04 2019-06-05
2.1
None Local Low Not required Partial None None
There is an information leak vulnerability in some Huawei phones, versions earlier than Jackman-L21 8.2.0.155(C185R1P2). When a local attacker uses the camera of a smartphone, the attacker can exploit this vulnerability to obtain sensitive information by performing a series of operations.
89 CVE-2019-5220 275 Bypass 2019-07-10 2019-07-18
2.1
None Local Low Not required None Partial None
There is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones. The system does not sufficiently verify the permission, an attacker could do a certain operation on certain step of setup wizard. Successful exploit could allow the attacker bypass the FRP protection. Affected products: Mate 20 X, versions earlier than Ever-AL00B 9.0.0.200(C00E200R2P1); Mate 20, versions earlier than Hima-AL00B/Hima-TL00B 9.0.0.200(C00E200R2P1); Honor Magic 2, versions earlier than Tony-AL00B/Tony-TL00B 9.0.0.182(C00E180R2P2).
90 CVE-2019-5217 200 +Info 2019-06-04 2019-06-05
2.1
None Local Low Not required Partial None None
There is an information disclosure vulnerability on Mate 9 Pro Huawei smartphones versions earlier than LON-AL00B9.0.1.150 (C00E61R1P8T8). An attacker could view the photos after a series of operations without unlocking the screen lock. Successful exploit could cause an information disclosure condition.
91 CVE-2019-4385 200 +Info 2019-06-19 2019-06-27
2.1
None Local Low Not required Partial None None
IBM Spectrum Protect Plus 10.1.2 may display the vSnap CIFS password in the IBM Spectrum Protect Plus Joblog. This can result in an attacker gaining access to sensitive information as well as vSnap. IBM X-Force ID: 162173.
92 CVE-2019-4381 255 +Info 2019-06-14 2019-06-18
2.1
None Local Low Not required Partial None None
IBM i 7.27.3 Clustering could allow a local attacker to obtain sensitive information, caused by the use of advanced node failure detection using the REST API to interface with the HMC. An attacker could exploit this vulnerability to obtain HMC credentials. IBM X-Force ID: 162159.
93 CVE-2019-4296 534 +Info 2019-07-01 2019-07-03
2.1
None Local Low Not required Partial None None
IBM Robotic Process Automation with Automation Anywhere 11 information disclosure could allow a local user to obtain e-mail contents from the client debug log file. IBM X-Force ID: 160759.
94 CVE-2019-4284 532 2019-08-05 2019-08-09
2.1
None Local Low Not required Partial None None
IBM Cloud Private 2.1.0 , 3.1.0, 3.1.1, and 3.1.2 could allow a local privileged user to obtain sensitive OIDC token that is printed to log files, which could be used to log in to the system as another user. IBM X-Force ID: 160512.
95 CVE-2019-4275 285 DoS 2019-08-02 2019-08-05
2.1
None Local Low Not required None None Partial
IBM Jazz for Service Management 1.1.3, 1.1.3.1, and 1.1.3.2 could allow an unauthorized local user to create unique catalog names that could cause a denial of service. IBM X-Force ID: 160296.
96 CVE-2019-4259 200 +Info 2019-05-13 2019-05-13
2.1
None Local Low Not required Partial None None
A security vulnerability has been identified in IBM Spectrum Scale 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, and 5.0.0 with CES stack enabled that could allow sensitive data to be included with service snaps. IBM X-Force ID: 160011.
97 CVE-2019-4239 255 2019-06-14 2019-06-17
2.1
None Local Low Not required Partial None None
IBM MQ Advanced Cloud Pak (IBM Cloud Private 1.0.0 through 3.0.1) stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 159465.
98 CVE-2019-4236 19 2019-07-22 2019-07-24
2.1
None Local Low Not required Partial None None
A IBM Spectrum Protect 7.l client backup or archive operation running for an HP-UX VxFS object is silently skipping Access Control List (ACL) entries from backup or archive if there are more than twelve ACL entries associated with the object in total. As a result, it could allow a local attacker to restore or retrieve the object with incorrect ACL entries. IBM X-Force ID: 159418.
99 CVE-2019-4225 532 2019-06-26 2019-06-26
2.1
None Local Low Not required Partial None None
IBM PureApplication System 2.2.3.0 through 2.2.5.3 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 159242.
100 CVE-2019-4220 798 2019-06-05 2019-06-06
2.1
None Local Low Not required Partial None None
IBM InfoSphere Information Server 11.7.1.0 stores a common hard coded encryption key that could be used to decrypt sensitive information. IBM X-Force ID: 159229.
Total number of vulnerabilities : 4720   Page : 1 2 (This Page)3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.