CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2019-11015 255 Bypass 2019-04-18 2019-04-19
2.1
None Local Low Not required Partial None None
A vulnerability was found in the MIUI OS version 10.1.3.0 that allows a physically proximate attacker to bypass Lockscreen based authentication via the Wallpaper Carousel application to obtain sensitive Clipboard data and the user's stored credentials (partially). This occurs because of paste access to a social media login page.
52 CVE-2019-10981 255 2019-05-31 2019-06-03
2.1
None Local Low Not required Partial None None
In Vijeo Citect 7.30 and 7.40, and CitectSCADA 7.30 and 7.40, a vulnerability has been identified that may allow an authenticated local user access to Citect user credentials.
53 CVE-2019-10968 284 2019-07-24 2019-08-01
2.1
None Local Low Not required None Partial None
Philips Holter 2010 Plus, all versions. A vulnerability has been identified that may allow system options that were not purchased to be enabled.
54 CVE-2019-10926 310 2019-06-12 2019-06-19
2.6
None Remote High Not required Partial None None
A vulnerability has been identified in SIMATIC Ident MV420 family (All versions), SIMATIC Ident MV440 family (All versions). Communication with the device is not encrypted. Data transmitted between the device and the user can be obtained by an attacker in a privileged network position. The security vulnerability can be exploited by an attacker in a privileged network position which allows evesdropping the communication between the affected device and the user. The user must invoke a session. Successful exploitation of the vulnerability compromises confidentiality of the data transmitted. At the time of advisory publication no public exploitation of this security vulnerability was known.
55 CVE-2019-10917 20 2019-05-14 2019-09-13
2.1
None Local Low Not required None None Partial
A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC (TIA Portal) V13 (All versions), SIMATIC WinCC (TIA Portal) V14 (All versions), SIMATIC WinCC (TIA Portal) V15 (All versions), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 11), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3). An attacker with local access to the project file could cause a Denial-of-Service condition on the affected product while the project file is loaded. Successful exploitation requires access to the project file. An attacker could use the vulnerability to compromise availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known.
56 CVE-2019-10637 254 Bypass 2019-06-05 2019-06-05
2.1
None Local Low Not required None Partial None
Marvell SSD Controller (88SS1074, 88SS1079, 88SS1080, 88SS1093, 88SS1092, 88SS1095, 88SS9174, 88SS9175, 88SS9187, 88SS9188, 88SS9189, 88SS9190, 88SS1085, 88SS1087, 88SS1090, 88SS1100, 88SS1084, 88SS1088, & 88SS1098) devices are vulnerable in manipulating a combination of IO pins to bypass the secure boot protection mechanism.
57 CVE-2019-10398 522 2019-09-12 2019-09-16
2.1
None Local Low Not required Partial None None
Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.
58 CVE-2019-10397 522 2019-09-12 2019-09-19
2.6
None Remote High Not required Partial None None
Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.
59 CVE-2019-10378 255 2019-08-07 2019-09-17
2.1
None Local Low Not required Partial None None
Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
60 CVE-2019-10367 532 2019-08-07 2019-08-14
2.1
None Local Low Not required Partial None None
Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.
61 CVE-2019-10364 200 +Info 2019-07-31 2019-08-01
2.1
None Local Low Not required Partial None None
Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log.
62 CVE-2019-10361 255 2019-07-31 2019-09-17
2.1
None Local Low Not required Partial None None
Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system.
63 CVE-2019-10345 255 2019-07-31 2019-08-01
2.1
None Local Low Not required Partial None None
Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export.
64 CVE-2019-10343 532 2019-07-31 2019-08-01
2.1
None Local Low Not required Partial None None
Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied.
65 CVE-2019-10239 255 2019-04-24 2019-04-30
2.1
None Local Low Not required Partial None None
Robotronic RunAsSpc 3.7.0.0 protects stored credentials insufficiently, which allows locally authenticated attackers (under the same user context) to obtain cleartext credentials of the stored account.
66 CVE-2019-10194 532 2019-07-11 2019-08-15
2.1
None Local Low Not required Partial None None
Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.
67 CVE-2019-10183 200 +Info 2019-07-03 2019-07-12
2.1
None Local Low Not required Partial None None
Virt-install(1) utility used to provision new virtual machines has introduced an option '--unattended' to create VMs without user interaction. This option accepts guest VM password as command line arguments, thus leaking them to others users on the system via process listing. It was introduced recently in the virt-manager v2.2.0 release.
68 CVE-2019-10165 200 +Info 2019-07-30 2019-08-08
2.1
None Local Low Not required Partial None None
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.
69 CVE-2019-10157 287 2019-06-12 2019-06-13
2.1
None Local Low Not required None None Partial
It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.
70 CVE-2019-10152 22 Dir. Trav. 2019-07-30 2019-09-01
2.6
None Local High Not required Partial Partial None
A path traversal vulnerability has been discovered in podman before version 1.4.0 in the way it handles symlinks inside containers. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container.
71 CVE-2019-10139 255 2019-05-17 2019-05-21
2.1
None Local Low Not required Partial None None
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.
72 CVE-2019-9824 200 +Info 2019-06-03 2019-07-02
2.1
None Local Low Not required Partial None None
tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.
73 CVE-2019-9706 416 DoS 2019-03-11 2019-03-29
2.1
None Local Low Not required None None Partial
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error.
74 CVE-2019-9705 400 DoS 2019-03-11 2019-03-29
2.1
None Local Low Not required None None Partial
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted.
75 CVE-2019-9455 200 +Info 2019-09-06 2019-09-09
2.1
None Local Low Not required Partial None None
In the Android kernel in the video driver there is a kernel pointer leak due to a WARN_ON statement. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.
76 CVE-2019-9453 20 2019-09-06 2019-09-09
2.1
None Local Low Not required Partial None None
In the Android kernel in F2FS touch driver there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.
77 CVE-2019-9452 125 2019-09-06 2019-09-09
2.1
None Local Low Not required Partial None None
In the Android kernel in SEC_TS touch driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.
78 CVE-2019-9449 125 2019-09-06 2019-09-09
2.1
None Local Low Not required Partial None None
In the Android kernel in FingerTipS touchscreen driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.
79 CVE-2019-9445 125 2019-09-06 2019-09-09
2.1
None Local Low Not required Partial None None
In the Android kernel in F2FS driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.
80 CVE-2019-9444 200 +Info 2019-09-06 2019-09-09
2.1
None Local Low Not required Partial None None
In the Android kernel in sync debug fs driver there is a kernel pointer leak due to the usage of printf with %p. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.
81 CVE-2019-9245 125 2019-09-06 2019-09-09
2.1
None Local Low Not required Partial None None
In the Android kernel in the f2fs driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.
82 CVE-2019-9221 20 2019-05-29 2019-05-29
2.1
None Local Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 3 of 5).
83 CVE-2019-9158 287 2019-06-05 2019-06-06
2.7
None Local Network Low Single system Partial None None
Gemalto DS3 Authentication Server 2.6.1-SP01 has Broken Access Control.
84 CVE-2019-9157 200 +Info 2019-06-05 2019-06-06
2.7
None Local Network Low Single system Partial None None
Gemalto DS3 Authentication Server 2.6.1-SP01 allows Local File Disclosure.
85 CVE-2019-8934 19 2019-03-21 2019-05-17
2.1
None Local Low Not required Partial None None
hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
86 CVE-2019-8453 426 DoS 2019-04-17 2019-04-23
2.1
None Local Low Not required None None Partial
Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 are taken from directories where all users have write permissions. This can allow a local attacker to replace a DLL file with a malicious one and cause Denial of Service to the client.
87 CVE-2019-8350 255 +Info 2019-05-13 2019-05-14
2.1
None Local Low Not required Partial None None
The Simple - Better Banking application 2.45.0 through 2.45.3 (fixed in 2.46.0) for Android was affected by an information disclosure vulnerability that leaked the user's password to the keyboard autocomplete functionality. Third-party Android keyboards that capture the password may store this password in cleartext, or transmit the password to third-party services for keyboard customization purposes. A compromise of any datastore that contains keyboard autocompletion caches would result in the disclosure of the user's Simple Bank password.
88 CVE-2019-8339 416 Bypass 2019-05-17 2019-05-28
2.1
None Local Low Not required None None Partial
An issue was discovered in Falco through 0.14.0. A missing indicator for insufficient resources allows local users to bypass the detection engine.
89 CVE-2019-8282 284 2019-06-07 2019-06-11
2.6
None Remote High Not required None Partial None
Gemalto Admin Control Center, all versions prior to 7.92, uses cleartext HTTP to communicate with www3.safenet-inc.com to obtain language packs. This allows attacker to do man-in-the-middle (MITM) attack and replace original language pack by malicious one.
90 CVE-2019-7317 416 2019-02-04 2019-08-01
2.6
None Remote High Not required None None Partial
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
91 CVE-2019-7231 119 Overflow 2019-06-24 2019-06-28
2.7
None Local Network Low Single system None None Partial
The ABB IDAL FTP server is vulnerable to a buffer overflow when a long string is sent by an authenticated attacker. This overflow is handled, but terminates the process. An authenticated attacker can send a FTP command string of 472 bytes or more to overflow a buffer, causing an exception that terminates the server.
92 CVE-2019-7222 200 +Info 2019-03-21 2019-08-06
2.1
None Local Low Not required Partial None None
The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.
93 CVE-2019-6632 310 2019-07-03 2019-07-11
2.1
None Local Low Not required Partial None None
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness. The attack prerequisite is direct access to encrypted configuration and/or UCS files.
94 CVE-2019-6588 79 XSS 2019-06-03 2019-06-12
2.6
None Remote High Not required None Partial None
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
95 CVE-2019-6567 255 2019-06-12 2019-06-19
2.1
None Local Low Not required Partial None None
A vulnerability has been identified in SCALANCE X-200 (All Versions < V5.2.4), SCALANCE X-200IRT (All versions), SCALANCE X-300 (All versions), SCALANCE X-414-3E (All versions). The affected devices store passwords in a recoverable format. An attacker may extract and recover device passwords from the device configuration. Successful exploitation requires access to a device configuration backup and impacts confidentiality of the stored passwords. At the time of advisory publication no public exploitation of this security vulnerability was known.
96 CVE-2019-6501 125 2019-03-21 2019-08-06
2.1
None Local Low Not required None None Partial
In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.
97 CVE-2019-6493 200 +Info 2019-04-11 2019-04-12
2.1
None Local Low Not required Partial None None
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC0 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.
98 CVE-2019-6492 200 +Info 2019-03-21 2019-04-01
2.1
None Local Low Not required Partial None None
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC4 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.
99 CVE-2019-6156 254 2019-04-10 2019-04-12
2.1
None Local Low Not required None Partial None
In Lenovo systems, SMM BIOS Write Protection is used to prevent writes to SPI Flash. While this provides sufficient protection, an additional layer of protection is provided by SPI Protected Range Registers (PRx). Lenovo was notified that after resuming from S3 sleep mode in various versions of BIOS for Lenovo systems, the PRx is not set. This does not impact the SMM BIOS Write Protection, which keeps systems protected.
100 CVE-2019-5804 77 2019-05-23 2019-06-28
2.1
None Local Low Not required None Partial None
Incorrect command line processing in Chrome in Google Chrome prior to 73.0.3683.75 allowed a local attacker to perform domain spoofing via a crafted domain name.
Total number of vulnerabilities : 4765   Page : 1 2 (This Page)3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.