Weekly Vulnerabilities Reports > November 11 to 17, 2019

Overview

560 new vulnerabilities reported during this period, including 38 critical vulnerabilities and 124 high severity vulnerabilities. This weekly summary report vulnerabilities in 2883 products from 186 vendors including Microsoft, Intel, Debian, Samsung, and Google. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Information Exposure", "Out-of-bounds Write", and "Externally Controlled Reference to a Resource in Another Sphere".

  • 274 reported vulnerabilities are remotely exploitables.
  • 4 reported vulnerabilities have public exploit available.
  • 90 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 500 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 73 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 7 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

38 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-11-14 CVE-2019-15800 Zyxel OS Command Injection vulnerability in Zyxel products

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0.

10.0
2019-11-14 CVE-2013-3073 Netgear Path Traversal vulnerability in Netgear Wndr4700 Firmware 1.0.0.34

A Symlink Traversal vulnerability exists in NETGEAR Centria WNDR4700 Firmware 1.0.0.34.

10.0
2019-11-14 CVE-2019-8248 Adobe Out-Of-Bounds Write vulnerability in Adobe Illustrator CC

Adobe Illustrator CC versions 23.1 and earlier have a memory corruption vulnerability.

10.0
2019-11-14 CVE-2019-8247 Adobe Out-Of-Bounds Write vulnerability in Adobe Illustrator CC

Adobe Illustrator CC versions 23.1 and earlier have a memory corruption vulnerability.

10.0
2019-11-14 CVE-2019-8246 Adobe Out-Of-Bounds Write vulnerability in Adobe Media Encoder 13.0.2/13.1

Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds write vulnerability.

10.0
2019-11-14 CVE-2011-1930 Klibc Project
Debian
Remote Shell Command Execution vulnerability in klibc DHCP Options Processing

In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped.

10.0
2019-11-13 CVE-2019-5029 Exhibitor Project OS Command Injection vulnerability in Exhibitor Project Exhibitor

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1.

10.0
2019-11-13 CVE-2013-3367 Trendnet Improper Authentication vulnerability in Trendnet Tew-691Gr Firmware and Tew-692Gr Firmware

Undocumented TELNET service in TRENDnet TEW-691GR and TEW-692GR when a web page named backdoor contains an HTML parameter of password and a value of j78G¬DFdg_24Mhw3.

10.0
2019-11-13 CVE-2019-2205 Google USE After Free vulnerability in Google Android

In ProxyResolverV8::SetPacScript of proxy_resolver_v8.cc, there is a possible memory corruption due to a use after free.

10.0
2019-11-13 CVE-2019-2204 Google Out-Of-Bounds Read vulnerability in Google Android 9.0

In FindSharedFunctionInfo of objects.cc, there is a possible out of bounds read due to a mistake in AST traversal.

10.0
2019-11-13 CVE-2019-2036 Google Unspecified vulnerability in Google Android

In okToConnect of HidHostService.java, there is a possible permission bypass due to an incorrect state check.

10.0
2019-11-13 CVE-2013-4657 Netgear Path Traversal vulnerability in Netgear Wnr3500L Firmware and Wnr3500U Firmware

Symlink Traversal vulnerability in NETGEAR WNR3500U and WNR3500L due to misconfiguration in the SMB service.

10.0
2019-11-13 CVE-2013-4654 TP Link Path Traversal vulnerability in Tp-Link Tl-1043Nd Firmware and Tl-Wdr4300 Firmware

Symlink Traversal vulnerability in TP-LINK TL-WDR4300 and TL-1043ND..

10.0
2019-11-13 CVE-2013-4656 Asus Path Traversal vulnerability in Asus Rt-Ac66U Firmware and Rt-N56U Firmware

Symlink Traversal vulnerability in ASUS RT-AC66U and RT-N56U due to misconfiguration in the SMB service.

10.0
2019-11-12 CVE-2019-1449 Microsoft Unspecified vulnerability in Microsoft Office and Office 365 Proplus

A security feature bypass vulnerability exists in the way that Office Click-to-Run (C2R) components handle a specially crafted file, which could lead to a standard user, any AppContainer sandbox, and Office LPAC Protected View to escalate privileges to SYSTEM.To exploit this bug, an attacker would have to run a specially crafted file, aka 'Microsoft Office ClickToRun Security Feature Bypass Vulnerability'.

10.0
2019-11-12 CVE-2019-18655 Upredsun Out-Of-Bounds Write vulnerability in Upredsun File Sharing Wizard 1.5.0

File Sharing Wizard version 1.5.0 build 2008 is affected by a Structured Exception Handler based buffer overflow vulnerability.

10.0
2019-11-11 CVE-2019-18852 Dlink Cleartext Transmission of Sensitive Information vulnerability in Dlink products

Certain D-Link devices have a hardcoded Alphanetworks user account with TELNET access because of /etc/config/image_sign or /etc/alpha_config/image_sign.

10.0
2019-11-14 CVE-2019-15389 Haier A6 Project Unspecified vulnerability in Haier A6 Project Haier A6 Firmware

The Haier A6 Android device with a build fingerprint of Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13).

9.3
2019-11-14 CVE-2019-15388 Coolpad Code Injection vulnerability in Coolpad Mega 5 Firmware

The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13).

9.3
2019-11-14 CVE-2019-15344 Tecno Mobile Unspecified vulnerability in Tecno-Mobile Camon Iclick Firmware

The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8).

9.3
2019-11-13 CVE-2013-3366 Trendnet Cross-Site Request Forgery (CSRF) vulnerability in Trendnet Tew-812Dru Firmware

Undocumented TELNET service in TRENDnet TEW-812DRU when a web page named backdoor contains an HTML parameter of password and a value of j78G¬DFdg_24Mhw3.

9.3
2019-11-13 CVE-2010-4654 Freedesktop
Debian
Injection vulnerability in multiple products

poppler before 0.16.3 has malformed commands that may cause corruption of the internal stack.

9.3
2019-11-13 CVE-2019-2206 Google Out-Of-Bounds Write vulnerability in Google Android

In rw_i93_sm_set_read_only of rw_i93.cc, there is a possible out of bounds write due to a missing bounds check.

9.3
2019-11-13 CVE-2019-2201 Google
Canonical
Out-Of-Bounds Write vulnerability in multiple products

In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check.

9.3
2019-11-13 CVE-2019-5288 Huawei Integer Overflow OR Wraparound vulnerability in Huawei P30 Firmware

P30 smart phones with versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1) have an integer overflow vulnerability due to insufficient check on specific parameters.

9.3
2019-11-13 CVE-2019-5287 Huawei Integer Overflow OR Wraparound vulnerability in Huawei P30 Firmware

P30 smart phones with versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1) have an integer overflow vulnerability due to insufficient check on specific parameters.

9.3
2019-11-12 CVE-2019-1448 Microsoft Unspecified vulnerability in Microsoft Excel, Office and Office 365 Proplus

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'.

9.3
2019-11-12 CVE-2019-1441 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Windows 7 and Windows Server 2008

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Win32k Graphics Remote Code Execution Vulnerability'.

9.3
2019-11-12 CVE-2019-1430 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

A remote code execution vulnerability exists when Windows Media Foundation improperly parses specially crafted QuickTime media files.An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, aka 'Microsoft Windows Media Foundation Remote Code Execution Vulnerability'.

9.3
2019-11-12 CVE-2019-1406 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-11-17 CVE-2019-19041 Xorur OS Command Injection vulnerability in Xorur Lpar2Rrd and Stor2Rrd

An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41.

9.0
2019-11-14 CVE-2019-15799 Zyxel Improper Privilege Management vulnerability in Zyxel products

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0.

9.0
2019-11-14 CVE-2019-18647 Untangle Command Injection vulnerability in Untangle NG Firewall 14.2.0

The Untangle NG firewall 14.2.0 is vulnerable to an authenticated command injection when logged in as an admin user.

9.0
2019-11-13 CVE-2019-18931 Western Digital Classic Buffer Overflow vulnerability in Western Digital MY Cloud EX2 Ultra Firmware 2.31.195

Western Digital My Cloud EX2 Ultra firmware 2.31.195 allows a Buffer Overflow with Extended Instruction Pointer (EIP) control via crafted GET/POST parameters.

9.0
2019-11-13 CVE-2019-18930 Western Digital Out-Of-Bounds Write vulnerability in Western Digital MY Cloud EX2 Ultra Firmware 2.31.183

Western Digital My Cloud EX2 Ultra firmware 2.31.183 allows web users (including guest account) to remotely execute arbitrary code via a stack-based buffer overflow.

9.0
2019-11-13 CVE-2019-18929 Western Digital Out-Of-Bounds Write vulnerability in Western Digital MY Cloud EX2 Ultra Firmware 2.31.195

Western Digital My Cloud EX2 Ultra firmware 2.31.183 allows web users (including guest accounts) to remotely execute arbitrary code via a download_mgr.cgi stack-based buffer overflow.

9.0
2019-11-12 CVE-2019-0721 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V Remote Code Execution Vulnerability'.

9.0
2019-11-12 CVE-2019-0719 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V Remote Code Execution Vulnerability'.

9.0

124 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-11-13 CVE-2019-18839 Fudforum Cross-Site Scripting vulnerability in Fudforum 3.0.9

FUDForum 3.0.9 is vulnerable to Stored XSS via the nlogin parameter.

8.5
2019-11-12 CVE-2019-18873 Fudforum Cross-Site Scripting vulnerability in Fudforum 3.0.9

FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header.

8.5
2019-11-14 CVE-2019-11182 Intel Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Intel Baseboard Management Controller Firmware

Memory corruption in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable denial of service via network access.

7.8
2019-11-14 CVE-2019-11180 Intel Improper Input Validation vulnerability in Intel Baseboard Management Controller Firmware

Insufficient input validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable denial of service via network access.

7.8
2019-11-14 CVE-2019-11177 Intel Improper Handling of Exceptional Conditions vulnerability in Intel Baseboard Management Controller Firmware

Unhandled exception in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable denial of service via network access.

7.8
2019-11-13 CVE-2019-2211 Google SQL Injection vulnerability in Google Android

In createProjectionMapForQuery of TvProvider.java, there is possible SQL injection.

7.8
2019-11-13 CVE-2019-2208 Google Out-Of-Bounds Read vulnerability in Google Android 9.0

In PromiseBuiltinsAssembler::NewPromiseCapability of builtins-promise.cc, there is a possible out of bounds read in v8 JIT code due to a bug in code generation.

7.8
2019-11-13 CVE-2013-4655 Belkin Link Following vulnerability in Belkin N900 Firmware

Symlink Traversal vulnerability in Belkin N900 due to misconfiguration in the SMB service.

7.8
2019-11-12 CVE-2019-1398 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Remote Code Execution Vulnerability'.

7.7
2019-11-12 CVE-2019-1397 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Remote Code Execution Vulnerability'.

7.7
2019-11-12 CVE-2019-1389 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Remote Code Execution Vulnerability'.

7.7
2019-11-12 CVE-2019-1429 Microsoft USE After Free vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-11-12 CVE-2019-1428 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-11-12 CVE-2019-1427 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-11-12 CVE-2019-1426 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-11-12 CVE-2019-1390 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka 'VBScript Remote Code Execution Vulnerability'.

7.6
2019-11-17 CVE-2019-19012 Oniguruma Project
Debian
Fedoraproject
Redhat
Out-Of-Bounds Read vulnerability in multiple products

An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker.

7.5
2019-11-16 CVE-2019-19010 Limnoria Project
Fedoraproject
Code Injection vulnerability in multiple products

Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.

7.5
2019-11-15 CVE-2019-13582 Marvell Out-Of-Bounds Write vulnerability in Marvell 88W8688 Firmware

An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module.

7.5
2019-11-15 CVE-2019-13581 Marvell Out-Of-Bounds Write vulnerability in Marvell 88W8688 Firmware

An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module.

7.5
2019-11-15 CVE-2011-0703 Gksu Polkit Project
Debian
Improper Input Validation vulnerability in multiple products

In gksu-polkit before 0.0.3, the source file for xauth may contain arbitrary commands that may allow an attacker to overtake an administrator X11 session.

7.5
2019-11-15 CVE-2009-5047 Eclipse
Debian
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Jetty 6.x through 6.1.22 suffers from an escape sequence injection vulnerability from an attack vector by means of: 1) "Cookie Dump Servlet" and 2) Http Content-Length header.

7.5
2019-11-15 CVE-2013-7088 Clamav
Debian
Fedoraproject
Classic Buffer Overflow vulnerability in multiple products

ClamAV before 0.97.7 has buffer overflow in the libclamav component

7.5
2019-11-15 CVE-2013-7087 Clamav
Debian
Fedoraproject
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

ClamAV before 0.97.7 has WWPack corrupt heap memory

7.5
2019-11-15 CVE-2019-14345 Vocabularyserver Unspecified vulnerability in Vocabularyserver Tematres 3.0

TemaTres 3.0 allows remote unprivileged users to create an administrator account

7.5
2019-11-15 CVE-2019-18981 Pimcore Inappropriate Encoding FOR Output Context vulnerability in Pimcore

Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.

7.5
2019-11-15 CVE-2019-18928 Cyrus Unspecified vulnerability in Cyrus Imap

Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.

7.5
2019-11-14 CVE-2019-14678 SAS XXE vulnerability in SAS Base SAS and XML Mapper

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways.

7.5
2019-11-14 CVE-2013-4108 Cryptocat Project Security vulnerability in Cryptocat Project Cryptocat 2.0.18

Multiple unspecified vulnerabilities in Cryptocat Project Cryptocat 2.0.18 have unknown impact and attack vectors.

7.5
2019-11-14 CVE-2019-18939 HM Print Project
EQ 3
Improper Input Validation vulnerability in multiple products

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn through 1.2a installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request.

7.5
2019-11-14 CVE-2019-18938 HM Email Project
EQ 3
Improper Input Validation vulnerability in multiple products

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn through 1.6.8.c installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the save.cgi script for payload upload and the testtcl.cgi script for its execution.

7.5
2019-11-14 CVE-2019-18937 Scriptparser Project
EQ 3
Improper Input Validation vulnerability in multiple products

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Parser AddOn through 1.8 installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi script, which executes TCL script content from an HTTP POST request.

7.5
2019-11-14 CVE-2013-3072 Netgear Improper Authentication vulnerability in Netgear Wndr4700 Firmware 1.0.0.34

An Authentication Bypass vulnerability exists in NETGEAR Centria WNDR4700 Firmware 1.0.0.34 in http://<router_ip>/apply.cgi?/hdd_usr_setup.htm that when visited by any user, authenticated or not, causes the router to no longer require a password to access the web administration portal.

7.5
2019-11-14 CVE-2019-11171 Intel Out-Of-Bounds Write vulnerability in Intel Baseboard Management Controller Firmware

Heap corruption in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure, escalation of privilege and/or denial of service via network access.

7.5
2019-11-13 CVE-2019-18952 Sibsoft Unrestricted Upload of File With Dangerous Type vulnerability in Sibsoft Xfilesharing 2.5.1

SibSoft Xfilesharing through 2.5.1 allows cgi-bin/up.cgi arbitrary file upload.

7.5
2019-11-13 CVE-2019-18240 Fujielectric Out-Of-Bounds Write vulnerability in Fujielectric V-Server 3.3.22.0/4.0.3.0/4.0.6

In Fuji Electric V-Server 4.0.6 and prior, several heap-based buffer overflows have been identified, which may allow an attacker to remotely execute arbitrary code.

7.5
2019-11-13 CVE-2010-4533 Debian
Offlineimap
Improper Certificate Validation vulnerability in multiple products

offlineimap before 6.3.4 added support for SSL server certificate validation but it is still possible to use SSL v2 protocol, which is a flawed protocol with multiple security deficiencies.

7.5
2019-11-13 CVE-2019-16948 Enghouse Server-Side Request Forgery (SSRF) vulnerability in Enghouse web Chat 6.1.300.31

An SSRF issue was discovered in Enghouse Web Chat 6.1.300.31.

7.5
2019-11-12 CVE-2019-6188 Lenovo Unspecified vulnerability in Lenovo products

The BIOS tamper detection mechanism was not triggered in Lenovo ThinkPad T460p, BIOS versions up to R07ET90W, and T470p, BIOS versions up to R0FET50W, which may allow for unauthorized access.

7.5
2019-11-12 CVE-2010-3438 Libpoe Component IRC Perl Project
Debian
Fedoraproject
USE of Externally-Controlled Format String vulnerability in multiple products

libpoe-component-irc-perl before v6.32 does not remove carriage returns and line feeds.

7.5
2019-11-12 CVE-2019-1373 Microsoft Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server 2013/2016/2019

A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell, aka 'Microsoft Exchange Remote Code Execution Vulnerability'.

7.5
2019-11-12 CVE-2019-12719 AUO Unrestricted Upload of File With Dangerous Type vulnerability in AUO Sunveillance Monitoring System & Data Recorder

An issue was discovered in Picture_Manage_mvc.aspx in AUO SunVeillance Monitoring System before v1.1.9e.

7.5
2019-11-12 CVE-2019-18925 Systematic Missing Authentication FOR Critical Function vulnerability in Systematic Iris Webforms 5.4

Systematic IRIS WebForms 5.4 and its functionalities can be accessed and used without any form of authentication.

7.5
2019-11-12 CVE-2019-18658 Helm Link Following vulnerability in Helm

In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks.

7.5
2019-11-12 CVE-2011-2936 Elgg SQL Injection vulnerability in Elgg

Elgg through 1.7.10 has a SQL injection vulnerability

7.5
2019-11-12 CVE-2011-2897 Gnome
Redhat
Debian
Improper Input Validation vulnerability in multiple products

gdk-pixbuf through 2.31.1 has GIF loader buffer overflow when initializing decompression tables due to an input validation flaw

7.5
2019-11-11 CVE-2019-18841 Chartkick Unspecified vulnerability in Chartkick Chartkick.Js

Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before 3.3.0 for Ruby, allows prototype pollution.

7.5
2019-11-15 CVE-2019-18372 Symantec Unspecified vulnerability in Symantec Endpoint Protection 11/11.0/11.0.1

Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

7.2
2019-11-15 CVE-2019-12759 Symantec Unspecified vulnerability in Symantec Endpoint Protection Manager and Mail Security

Symantec Endpoint Protection Manager (SEPM) and Symantec Mail Security for MS Exchange (SMSMSE), prior to versions 14.2 RU2 and 7.5.x respectively, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

7.2
2019-11-15 CVE-2019-12758 Symantec Uncontrolled Search Path Element vulnerability in Symantec Endpoint Protection 11/11.0/11.0.1

Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to an unsigned code execution vulnerability, which may allow an individual to execute code without a resident proper digital signature.

7.2
2019-11-15 CVE-2011-2910 Linux Ax25
Debian
Improper Privilege Management vulnerability in multiple products

The AX.25 daemon (ax25d) in ax25-tools before 0.0.8-13 does not check the return value of a setuid call.

7.2
2019-11-14 CVE-2019-0152 Intel Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Intel products

Insufficient memory protection in System Management Mode (SMM) and Intel(R) TXT for certain Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

7.2
2019-11-14 CVE-2019-0151 Intel Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Intel products

Insufficient memory protection in Intel(R) TXT for certain Intel(R) Core Processors and Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

7.2
2019-11-14 CVE-2019-0124 Intel Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Intel products

Insufficient memory protection in Intel(R) 6th Generation Core Processors and greater, supporting TXT, may allow a privileged user to potentially enable escalation of privilege via local access.

7.2
2019-11-14 CVE-2019-0123 Intel Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Intel products

Insufficient memory protection in Intel(R) 6th Generation Core Processors and greater, supporting SGX, may allow a privileged user to potentially enable escalation of privilege via local access.

7.2
2019-11-14 CVE-2019-11112 Intel Improper Privilege Management vulnerability in Intel Graphics Driver

Memory corruption in Kernel Mode Driver in Intel(R) Graphics Driver before 26.20.100.6813 (DCH) or 26.20.100.6812 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.2
2019-11-14 CVE-2019-0155 Redhat
Intel
Canonical
Improper Privilege Management vulnerability in multiple products

Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families; Intel(R) Graphics Driver for Windows before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077), i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.2
2019-11-14 CVE-2019-0145 Intel Classic Buffer Overflow vulnerability in Intel products

Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable an escalation of privilege via local access.

7.2
2019-11-14 CVE-2019-0142 Intel Improper Privilege Management vulnerability in Intel products

Insufficient access control in ilp60x64.sys driver for Intel(R) Ethernet 700 Series Controllers before version 1.33.0.0 may allow a privileged user to potentially enable escalation of privilege via local access.

7.2
2019-11-14 CVE-2019-15450 Samsung Unspecified vulnerability in Samsung Galaxy J3 POP Firmware

The Samsung j3popeltecan Android device with a build fingerprint of samsung/j3popeltevl/j3popeltecan:8.1.0/M1AJQ/J327WVLS3BSA2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

7.2
2019-11-14 CVE-2019-15442 Samsung Unspecified vulnerability in Samsung ON 7 Firmware

The Samsung on7xelteskt Android device with a build fingerprint of samsung/on7xelteskt/on7xelteskt:8.1.0/M1AJQ/G610SKSU2CSB1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

7.2
2019-11-14 CVE-2019-15429 Panasonic Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Panasonic Eluga I9 Firmware

The Panasonic ELUGA_I9 Android device with a build fingerprint of Panasonic/ELUGA_I9/ELUGA_I9:7.0/NRD90M/1501740649:user/release-keys contains a pre-installed app with a package name of com.ovvi.modem app (versionCode=1, versionName=1) that allows unauthorized attacker-controlled at command via a confused deputy attack.

7.2
2019-11-14 CVE-2019-15419 Asus Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Asus X105D Firmware

The Asus ASUS_X015_1 Android device with a build fingerprint of asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=5, versionName=5.0.1) that allows unauthorized command execution via a confused deputy attack.

7.2
2019-11-14 CVE-2019-15418 Asus Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Asus Pegasus 4 MAX Firmware and Pegasus 4A Firmware

The Asus ASUS_X00K_1 Android device with a build fingerprint of asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=5, versionName=5.0.1) that allows unauthorized command execution via a confused deputy attack.

7.2
2019-11-14 CVE-2019-15417 Tecno Unspecified vulnerability in Tecno Spark PRO Firmware

The Tecno Spark Pro Android device with a build fingerprint of TECNO/H3722/TECNO-K8:7.0/NRD90M/K8-H3722ABCDE-N-171229V96:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=7, versionName=7.0.5) that allows unauthorized dynamic code loading via a confused deputy attack.

7.2
2019-11-14 CVE-2019-15414 Asus Unspecified vulnerability in Asus Zenfone AR Firmware

The Asus ZenFone AR Android device with a build fingerprint of asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keys contains a pre-installed app with a package name of com.asus.splendidcommandagent app (versionCode=1510200105, versionName=1.2.0.21_180605) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15413 Asus Unspecified vulnerability in Asus Zenfone 3 Ultra Firmware

The Asus ZenFone 3 Ultra Android device with a build fingerprint of asus/WW_Phone/ASUS_A001:7.0/NRD90M/14.1010.1804.75-20180612:user/release-keys contains a pre-installed app with a package name of com.asus.splendidcommandagent app (versionCode=1510200105, versionName=1.2.0.21_180605) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15411 Asus Unspecified vulnerability in Asus Zenfone 3 Laser Firmware

The Asus ZenFone 3 Laser Android device with a build fingerprint of asus/WW_msm8937/msm8937:7.1.1/NMF26F/WW_32.40.106.114_20180928:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15410 Asus Unspecified vulnerability in Asus Zenfone 5Q Firmware

The Asus ZenFone 5Q Android device with a build fingerprint of asus/WW_Phone/ASUS_X017D_2:7.1.1/NGI77B/14.0400.1809.059-20181016:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15409 Asus Unspecified vulnerability in Asus Zenfone 5Q Firmware

The Asus ZenFone 5Q Android device with a build fingerprint of asus/WW_Phone/ASUS_X017D_2:7.1.1/NGI77B/14.0400.1809.059-20181016:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15408 Asus Unspecified vulnerability in Asus Zenfone 5 Lite Firmware

The Asus ZenFone 5 Lite Android device with a build fingerprint of asus/WW_Phone/ASUS_X017D_1:7.1.1/NMF26F/14.0400.1810.061-20181107:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15407 Asus Unspecified vulnerability in Asus Zenfone 4 MAX Firmware

The Asus ASUS_X015_1 Android device with a build fingerprint of asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15406 Asus Unspecified vulnerability in Asus Zenfone 4 Selfie Firmware

The Asus ASUS_X00LD_3 Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15405 Asus Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Asus Pegasus 4 MAX Firmware and Pegasus 4A Firmware

The Asus ASUS_X00K_1 Android device with a build fingerprint of asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15404 Asus Unspecified vulnerability in Asus Zenfone 4 MAX Firmware

The Asus ZenFone Max 4 Android device with a build fingerprint of asus/WW_Phone/ASUS_X00HD_4:7.1.1/NMF26F/14.2016.1712.367-20171225:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15403 Asus Unspecified vulnerability in Asus Zenfone 3S MAX Firmware

The Asus ZenFone 3s Max Android device with a build fingerprint of asus/IN_X00G/ASUS_X00G_1:7.0/NRD90M/IN_X00G-14.02.1807.33-20180706:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15402 Asus Unspecified vulnerability in Asus Zenfone AR Firmware

The Asus ASUS_A002_2 Android device with a build fingerprint of asus/WW_ASUS_A002_2/ASUS_A002_2:7.0/NRD90M/14.1610.1802.18-20180321:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15401 Asus Unspecified vulnerability in Asus Zenfone AR Firmware

The Asus ASUS_A002 Android device with a build fingerprint of asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15400 Asus Unspecified vulnerability in Asus Zenfone 3 Ultra Firmware

The Asus ZenFone 3 Ultra Android device with a build fingerprint of asus/WW_Phone/ASUS_A001:7.0/NRD90M/14.1010.1804.75-20180612:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15399 Asus Unspecified vulnerability in Asus Zenfone 5Q Firmware

The Asus ZenFone 5Q Android device with a build fingerprint of asus/WW_Phone/ASUS_X017D_2:7.1.1/NGI77B/14.0400.1809.059-20181016:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15398 Asus Unspecified vulnerability in Asus Zenfone 4 Selfie Firmware

The Asus ZenFone 4 Selfie Android device with a build fingerprint of asus/WW_Z01M/ASUS_Z01M_1:7.1.1/NMF26F/WW_user_11.40.208.77_20170922:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15397 Asus Unspecified vulnerability in Asus Zenfone MAX 4 Firmware

The Asus ZenFone Max 4 Android device with a build fingerprint of asus/WW_Phone/ASUS_X00HD_4:7.1.1/NMF26F/14.2016.1803.373-20180308:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15396 Asus Unspecified vulnerability in Asus Zenfone 3 Firmware

The Asus ZenFone 3 Android device with a build fingerprint of asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1708.56-20170719:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15395 Asus Unspecified vulnerability in Asus Zenfone 3S MAX Firmware

The Asus ZenFone 3s Max Android device with a build fingerprint of asus/IN_X00G/ASUS_X00G_1:7.0/NRD90M/IN_X00G-14.02.1807.33-20180706:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component.

7.2
2019-11-14 CVE-2019-15394 Asus Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Asus Zenfone 5 Selfie Firmware

The Asus ZenFone 5 Selfie Android device with a build fingerprint of asus/WW_Phone/ASUS_X017D_1:7.1.1/NMF26F/14.0400.1810.061-20181107:user/release-keys contains a pre-installed app with a package name of com.asus.atd.smmitest app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack.

7.2
2019-11-14 CVE-2019-15351 Tecno Mobile OS Command Injection vulnerability in Tecno-Mobile Tecno/H622/Tecno-Id5B:8.1.0/O11019/G-180829V31:User/Release-Keys Firmware

The Tecno Camon Android device with a build fingerprint of TECNO/H622/TECNO-ID5b:8.1.0/O11019/G-180829V31:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11).

7.2
2019-11-14 CVE-2019-15350 Tecno Mobile Exposure of Resource TO Wrong Sphere vulnerability in Tecno-Mobile Tecno/H622/Tecno-Id5B:8.1.0/O11019/G-180829V31:User/Release-Keys Firmware

The Tecno Camon Android device with a build fingerprint of TECNO/H622/TECNO-ID5b:8.1.0/O11019/G-180829V31:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11).

7.2
2019-11-14 CVE-2019-15349 Tecmo Mobile Exposure of Resource TO Wrong Sphere vulnerability in Tecmo-Mobile Tecno/H612/Tecno-Id5A:8.1.0/O11019/F-180828V106:User/Release-Keys Firmware

The Tecno Camon Android device with a build fingerprint of TECNO/H612/TECNO-ID5a:8.1.0/O11019/F-180828V106:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11).

7.2
2019-11-14 CVE-2019-15348 Tecno Mobile OS Command Injection vulnerability in Tecno-Mobile Tecno/H612/Tecno-Id5A:8.1.0/O11019/F-180828V106:User/Release-Keys Firmware

The Tecno Camon Android device with a build fingerprint of TECNO/H612/TECNO-ID5a:8.1.0/O11019/F-180828V106:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11).

7.2
2019-11-14 CVE-2019-15347 Tecno Mobile OS Command Injection vulnerability in Tecno-Mobile Camon Iclick 2 Firmware

The Tecno Camon iClick 2 Android device with a build fingerprint of TECNO/H622/TECNO-ID6:8.1.0/O11019/F-180824V116:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11).

7.2
2019-11-14 CVE-2019-15346 Tecno Mobile Exposure of Resource TO Wrong Sphere vulnerability in Tecno-Mobile Camon Iclick 2 Firmware

The Tecno Camon iClick 2 Android device with a build fingerprint of TECNO/H622/TECNO-ID6:8.1.0/O11019/F-180824V116:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11).

7.2
2019-11-14 CVE-2019-15345 Tecno Mobile Exposure of Resource TO Wrong Sphere vulnerability in Tecno-Mobile Camon Iclick Firmware

The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8).

7.2
2019-11-14 CVE-2019-15343 Tecno Mobile OS Command Injection vulnerability in Tecno-Mobile Camon Iclick Firmware

The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8).

7.2
2019-11-14 CVE-2019-15342 Tecno Mobile OS Command Injection vulnerability in Tecno-Mobile Camon Iair 2+ Firmware

The Tecno Camon iAir 2 Plus Android device with a build fingerprint of TECNO/H622/TECNO-ID3k:8.1.0/O11019/E-180914V83:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11).

7.2
2019-11-14 CVE-2019-15341 Tecno Mobile Exposure of Resource TO Wrong Sphere vulnerability in Tecno-Mobile Camon Iair 2+ Firmware

The Tecno Camon iAir 2 Plus Android device with a build fingerprint of TECNO/H622/TECNO-ID3k:8.1.0/O11019/E-180914V83:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11).

7.2
2019-11-14 CVE-2019-11181 Intel Out-Of-Bounds Read vulnerability in Intel Baseboard Management Controller Firmware

Out of bound read in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable escalation of privilege via network access.

7.2
2019-11-14 CVE-2019-11170 Intel Improper Authentication vulnerability in Intel Baseboard Management Controller Firmware

Authentication bypass in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure, escalation of privilege and/or denial of service via local access.

7.2
2019-11-14 CVE-2011-1070 V86D Project
Debian
Incorrect Authorization vulnerability in multiple products

v86d before 0.1.10 do not verify if received netlink messages are sent by the kernel.

7.2
2019-11-13 CVE-2019-9467 Google OS Command Injection vulnerability in Google Android

In the Bootloader, there is a possible kernel command injection due to missing command sanitization.

7.2
2019-11-13 CVE-2019-2210 Google Classic Buffer Overflow vulnerability in Google Android 10.0/9.0

In load_logging_config of qmi_vs_service.cc, there is a possible out of bounds write due to a heap buffer overflow.

7.2
2019-11-13 CVE-2019-2233 Google Unspecified vulnerability in Google Android 10.0

In getUserCount and getCount of UserSwitcherController.java, there is possible new user creation due to a logic error.

7.2
2019-11-13 CVE-2019-2214 Google Improper Privilege Management vulnerability in Google Android

In binder_transaction of binder.c, there is a possible out of bounds write due to a missing bounds check.

7.2
2019-11-13 CVE-2019-2207 Google Out-Of-Bounds Write vulnerability in Google Android

In nfa_hci_handle_admin_gate_rsp of nfa_hci_act.cc, there is a possible out of bound write due to missing bounds checks.

7.2
2019-11-13 CVE-2019-2203 Google Out-Of-Bounds Write vulnerability in Google Android

In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds write due to a heap buffer overflow.

7.2
2019-11-13 CVE-2019-2202 Google Out-Of-Bounds Write vulnerability in Google Android 10.0/9.0

In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds write due to a heap buffer overflow.

7.2
2019-11-13 CVE-2019-2199 Google Unspecified vulnerability in Google Android 10.0

In createSessionInternal of PackageInstallerService.java, there is a possible permissions bypass.

7.2
2019-11-13 CVE-2019-2195 Google Improper Input Validation vulnerability in Google Android

In tokenize of sqlite3_android.cpp, there is a possible attacker controlled INSERT statement due to improper input validation.

7.2
2019-11-13 CVE-2019-2193 Google Improper Privilege Management vulnerability in Google Android

In WelcomeActivity.java and related files, there is a possible permissions bypass due to a partially provisioned Device Policy Client.

7.2
2019-11-13 CVE-2019-2192 Google Improper Input Validation vulnerability in Google Android 10.0/9.0

In call of SliceProvider.java, there is a possible permissions bypass due to improper input validation.

7.2
2019-11-13 CVE-2019-3648 Mcafee Untrusted Search Path vulnerability in Mcafee products

A Privilege Escalation vulnerability in the Microsoft Windows client in McAfee Total Protection 16.0.R22 and earlier allows administrators to execute arbitrary code via carefully placing malicious files in specific locations protected by administrator permission.

7.2
2019-11-12 CVE-2019-1438 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1437 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1435 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1434 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1433 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1408 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1407 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1405 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation, aka 'Windows UPnP Service Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1396 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1395 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1394 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1393 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1392 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

7.2
2019-11-12 CVE-2019-1388 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka 'Windows Certificate Dialog Elevation of Privilege Vulnerability'.

7.2

266 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-11-13 CVE-2019-2213 Google USE After Free vulnerability in Google Android

In binder_free_transaction of binder.c, there is a possible use-after-free due to a race condition.

6.9
2019-11-15 CVE-2019-14869 Artifex
Fedoraproject
Opensuse
Incorrect Permission Assignment FOR Critical Resource vulnerability in multiple products

A flaw was found in all versions of ghostscript 9.x before 9.50, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions.

6.8
2019-11-14 CVE-2019-11931 Whatsapp Out-Of-Bounds Write vulnerability in Whatsapp

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user.

6.8
2019-11-14 CVE-2019-16110 Blade Group Unspecified vulnerability in Blade-Group Shadow 2.13.3

The network protocol of Blade Shadow though 2.13.3 allows remote attackers to take control of a Shadow instance and execute arbitrary code by only knowing the victim's IP address, because packet data can be injected into the unencrypted UDP packet stream.

6.8
2019-11-14 CVE-2011-1588 Xfce
Opensuse
Debian
USE of Externally-Controlled Format String vulnerability in multiple products

Thunar before 1.3.1 could crash when copy and pasting a file name with % format characters due to a format string error.

6.8
2019-11-13 CVE-2019-18884 Fairsketch Cross-Site Request Forgery (CSRF) vulnerability in Fairsketch Rise - Ultimate Project Manager 2.3

index.php/team_members/add_team_member in RISE Ultimate Project Manager 2.3 has CSRF for adding authorized users.

6.8
2019-11-13 CVE-2019-18279 Phoenix Unspecified vulnerability in Phoenix Securecore Technology 1.1.12.0/1.5.74.0

In Phoenix SCT WinFlash 1.1.12.0 through 1.5.74.0, the included drivers could be used by a malicious Windows application to gain elevated privileges.

6.8
2019-11-13 CVE-2019-5282 Huawei Double Free vulnerability in Huawei products

Bastet module of some Huawei smartphones with Versions earlier than Emily-AL00A 9.0.0.182(C00E82R1P21), Versions earlier than Emily-TL00B 9.0.0.182(C01E82R1P21), Versions earlier than Emily-L09C 9.0.0.203(C432E7R1P11), Versions earlier than Emily-L29C 9.0.0.203(C432E7R1P11), Versions earlier than Emily-L29C 9.0.0.202(C185E2R1P12) have a double free vulnerability.

6.8
2019-11-13 CVE-2019-18397 GNU
Debian
Classic Buffer Overflow vulnerability in multiple products

A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations.

6.8
2019-11-13 CVE-2019-5233 Huawei Improper Authentication vulnerability in Huawei Taurus-Al00B Firmware 10.0.0.41(Sp2C00E41R3P2)

Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(SP2C00E41R3P2) have an improper authentication vulnerability.

6.8
2019-11-12 CVE-2019-5228 Huawei Race Condition vulnerability in Huawei Honor V20 Firmware, P30 Firmware and P30 PRO Firmware

Certain detection module of P30, P30 Pro, Honor V20 smartphone whith Versions earlier than ELLE-AL00B 9.1.0.193(C00E190R1P21), Versions earlier than VOGUE-AL00A 9.1.0.193(C00E190R1P12), Versions earlier than Princeton-AL10B 9.1.0.233(C00E233R4P3) have a race condition vulnerability.

6.8
2019-11-12 CVE-2010-3844 Ettercap Project
Debian
Classic Buffer Overflow vulnerability in multiple products

An unchecked sscanf() call in ettercap before 0.7.5 allows an insecure temporary settings file to overflow a static-sized buffer on the stack.

6.8
2019-11-12 CVE-2010-3305 Pixelpost Cross-Site Request Forgery (CSRF) vulnerability in Pixelpost 1.7.3

Cross-site request forgery (CSRF) vulnerability in pixelpost 1.7.3 could allow remote attackers to change the admin password.

6.8
2019-11-12 CVE-2019-1457 Microsoft Incorrect Permission Assignment FOR Critical Resource vulnerability in Microsoft Office 2016/2019

A security feature bypass vulnerability exists in Microsoft Office software by not enforcing macro settings on an Excel document, aka 'Microsoft Office Excel Security Feature Bypass'.

6.8
2019-11-12 CVE-2019-1456 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts, aka 'OpenType Font Parsing Remote Code Execution Vulnerability'.

6.8
2019-11-12 CVE-2019-1424 Microsoft Unspecified vulnerability in Microsoft products

A security feature bypass vulnerability exists when Windows Netlogon improperly handles a secure communications channel, aka 'NetLogon Security Feature Bypass Vulnerability'.

6.8
2019-11-12 CVE-2019-1419 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts, aka 'OpenType Font Parsing Remote Code Execution Vulnerability'.

6.8
2019-11-12 CVE-2019-1310 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

6.8
2019-11-12 CVE-2019-1309 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

6.8
2019-11-12 CVE-2019-0712 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

6.8
2019-11-12 CVE-2019-17237 Getigniteup Cross-Site Request Forgery (CSRF) vulnerability in Getigniteup Igniteup

includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows CSRF.

6.8
2019-11-14 CVE-2019-18646 Untangle SQL Injection vulnerability in Untangle NG Firewall 14.2.0

The Untangle NG firewall 14.2.0 is vulnerable to authenticated inline-query SQL injection within the timeDataDynamicColumn parameter when logged in as an admin user.

6.5
2019-11-14 CVE-2019-3661 Mcafee SQL Injection vulnerability in Mcafee Advanced Threat Defense

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.

6.5
2019-11-13 CVE-2019-3660 Mcafee Unspecified vulnerability in Mcafee Advanced Threat Defense

Improper Neutralization of HTTP requests in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute commands on the server remotely via carefully constructed HTTP requests.

6.5
2019-11-13 CVE-2019-3651 Mcafee Information Exposure vulnerability in Mcafee Advanced Threat Defense

Information Disclosure vulnerability in McAfee Advanced Threat Defense (ATD prior to 4.8 allows remote authenticated attackers to gain access to ePO as an administrator via using the atduser credentials, which were too permissive.

6.5
2019-11-13 CVE-2019-0386 SAP Missing Authorization vulnerability in SAP ERP Sales and S4Hana Sales

Order processing in SAP ERP Sales (corrected in SAP_APPL 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18) and S4HANA Sales (corrected in S4CORE 1.0, 1.01, 1.02, 1.03, 1.04) does not execute the required authorization checks for an authenticated user, which can result in an escalation of privileges.

6.5
2019-11-13 CVE-2019-0389 SAP Unspecified vulnerability in SAP Netweaver Application Server Java

An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may change privileges for all or some functions in Java Server, and enable users to execute functions, they are not allowed to execute otherwise.

6.5
2019-11-13 CVE-2010-4664 Consolekit Project
Debian
Redhat
Improper Privilege Management vulnerability in multiple products

In ConsoleKit before 0.4.2, an intended security policy restriction bypass was found.

6.5
2019-11-13 CVE-2014-1214 Projoom Unrestricted Upload of File With Dangerous Type vulnerability in Projoom Smart Flash Header 3.0.2

views/upload.php in the ProJoom Smart Flash Header (NovaSFH) component 3.0.2 and earlier for Joomla! allows remote attackers to upload and execute arbitrary files via a crafted (1) dest parameter and (2) arbitrary extension in the Filename parameter.

6.5
2019-11-12 CVE-2019-1384 Microsoft Insufficiently Protected Credentials vulnerability in Microsoft products

A security feature bypass vulnerability exists where a NETLOGON message is able to obtain the session key and sign messages.To exploit this vulnerability, an attacker could send a specially crafted authentication request, aka 'Microsoft Windows Security Feature Bypass Vulnerability'.

6.5
2019-11-14 CVE-2019-15803 Zyxel Improper Authentication vulnerability in Zyxel products

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0.

6.4
2019-11-14 CVE-2019-11168 Intel Insufficient Session Expiration vulnerability in Intel Baseboard Management Controller Firmware

Insufficient session validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via network access.

6.4
2019-11-14 CVE-2012-1168 Moodle
Fedoraproject
Redhat
Improper Input Validation vulnerability in multiple products

Moodle before 2.2.2 has a password and web services issue where when the user profile is updated the user password is reset if not specified.

6.4
2019-11-12 CVE-2019-17234 Getigniteup Improper Input Validation vulnerability in Getigniteup Igniteup

includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows unauthenticated arbitrary file deletion.

6.4
2019-11-14 CVE-2011-1136 Tesseract Project
Debian
Link Following vulnerability in multiple products

In tesseract 2.03 and 2.04, an attacker can rewrite an arbitrary user file by guessing the PID and creating a link to the user's file.

6.3
2019-11-12 CVE-2019-1385 Microsoft Link Following vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files.To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges.The security update addresses the vulnerability by correcting how AppX Deployment Extensions manages privileges., aka 'Windows AppX Deployment Extensions Elevation of Privilege Vulnerability'.

6.1
2019-11-14 CVE-2019-18651 3Xlogic Cross-Site Request Forgery (CSRF) vulnerability in 3Xlogic Infinias Access Control Firmware 6.6.9586.0

A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document or encoded URL to a user that the website trusts.

5.8
2019-11-14 CVE-2019-0140 Intel Classic Buffer Overflow vulnerability in Intel products

Buffer overflow in firmware for Intel(R) Ethernet 700 Series Controllers before version 7.0 may allow an unauthenticated user to potentially enable an escalation of privilege via an adjacent access.

5.8
2019-11-14 CVE-2019-11152 Intel Out-Of-Bounds Write vulnerability in Intel products

Memory corruption issues in Intel(R) WIFI Drivers before version 21.40 may allow a privileged user to potentially enable escalation of privilege, denial of service, and information disclosure via adjacent access.

5.8
2019-11-13 CVE-2019-15948 TI Classic Buffer Overflow vulnerability in TI products

Texas Instruments CC256x and WL18xx dual-mode Bluetooth controller devices, when LE scan mode is used, allow remote attackers to trigger a buffer overflow via a malformed Bluetooth Low Energy advertising packet, to cause a denial of service or potentially execute arbitrary code.

5.8
2019-11-12 CVE-2017-17224 Huawei Null Pointer Dereference vulnerability in Huawei Hg655M Firmware Harryal00C9.1.0.206(C00E205R3P1)

Some Huawei smart phones with versions earlier than Harry-AL00C 9.1.0.206(C00E205R3P1) have a null pointer dereference vulnerability.

5.8
2019-11-12 CVE-2019-1447 Microsoft Origin Validation Error vulnerability in Microsoft Office Online Server

A spoofing vulnerability exists when Office Online does not validate origin in cross-origin communications handlers correctly, aka 'Microsoft Office Online Spoofing Vulnerability'.

5.8
2019-11-12 CVE-2019-1445 Microsoft Origin Validation Error vulnerability in Microsoft Office Online Server

A spoofing vulnerability exists when Office Online does not validate origin in cross-origin communications handlers correctly, aka 'Microsoft Office Online Spoofing Vulnerability'.

5.8
2019-11-12 CVE-2019-1425 Microsoft Link Following vulnerability in Microsoft Visual Studio 2017 and Visual Studio 2019

An elevation of privilege vulnerability exists when Visual Studio fails to properly validate hardlinks while extracting archived files, aka 'Visual Studio Elevation of Privilege Vulnerability'.

5.8
2019-11-14 CVE-2019-11178 Intel Classic Buffer Overflow vulnerability in Intel Baseboard Management Controller Firmware

Stack overflow in Intel(R) Baseboard Management Controller firmware may allow an authenticated user to potentially enable information disclosure and/or denial of service via network access.

5.5
2019-11-13 CVE-2019-0396 SAP Improper Input Validation vulnerability in SAP Businessobjects Business Intelligence Platform 4.0/4.1

SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), corrected in versions 4.1 and 4.2, does not sufficiently validate an XML document accepted from an untrusted source.

5.5
2019-11-12 CVE-2019-1399 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

5.5
2019-11-17 CVE-2019-19022 Iterm2 Information Exposure vulnerability in Iterm2

iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git repositories.

5.0
2019-11-17 CVE-2019-19011 Ngiflib Project Null Pointer Dereference vulnerability in Ngiflib Project Ngiflib 0.4

MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueColor in ngiflib.c via a file that lacks a palette.

5.0
2019-11-15 CVE-2019-6664 F5 Unspecified vulnerability in F5 products

On BIG-IP 15.0.0 and 14.1.0-14.1.0.6, under certain conditions, network protections on the management port do not follow current best practices.

5.0
2019-11-15 CVE-2019-6661 F5 Resource Exhaustion vulnerability in F5 Big-Ip Access Policy Manager

When the BIG-IP APM 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.4.1, or 11.5.1-11.6.5 system processes certain requests, the APD/APMD daemon may consume excessive resources.

5.0
2019-11-15 CVE-2019-6660 F5 Resource Exhaustion vulnerability in F5 products

On BIG-IP 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.1, undisclosed HTTP requests may consume excessive amounts of systems resources which may lead to a denial of service.

5.0
2019-11-15 CVE-2019-6659 F5 Unspecified vulnerability in F5 products

On version 14.0.0-14.1.0.1, BIG-IP virtual servers with TLSv1.3 enabled may experience a denial of service due to undisclosed incoming messages.

5.0
2019-11-15 CVE-2011-2726 Drupal
Debian
Redhat
Fedoraproject
Incorrect Authorization vulnerability in multiple products

An access bypass issue was found in Drupal 7.x before version 7.5.

5.0
2019-11-15 CVE-2016-5285 Mozilla
Debian
Redhat
Suse
Avaya
Null Pointer Dereference vulnerability in multiple products

A Null pointer dereference vulnerability exists in Mozilla Network Security Services due to a missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime, which could let a remote malicious user cause a Denial of Service.

5.0
2019-11-15 CVE-2014-0021 Chrony Project
Debian
Fedoraproject
Remote Denial of Service vulnerability in Chrony cmdmon Protocol Amplification

Chrony before 1.29.1 has traffic amplification in cmdmon protocol

5.0
2019-11-15 CVE-2013-7089 Clamav
Debian
Fedoraproject
Information Exposure vulnerability in multiple products

ClamAV before 0.97.7: dbg_printhex possible information leak

5.0
2019-11-15 CVE-2019-18987 Mediawiki Information Exposure vulnerability in Mediawiki Abusefilter

An issue was discovered in the AbuseFilter extension through 1.34 for MediaWiki.

5.0
2019-11-15 CVE-2019-18986 Pimcore Improper Restriction of Excessive Authentication Attempts vulnerability in Pimcore

Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users.

5.0
2019-11-15 CVE-2019-18985 Pimcore Improper Restriction of Excessive Authentication Attempts vulnerability in Pimcore

Pimcore before 6.2.2 lacks brute force protection for the 2FA token.

5.0
2019-11-14 CVE-2019-18980 Philips Missing Authentication FOR Critical Function vulnerability in Philips Taolight Smart Wi-Fi WIZ Connected LED Bulb 9290022656 Firmware

On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation.

5.0
2019-11-14 CVE-2019-18978 Rack Cors Project Path Traversal vulnerability in Rack-Cors Project Rack-Cors

An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby.

5.0
2019-11-14 CVE-2019-15804 Zyxel Unspecified vulnerability in Zyxel products

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0.

5.0
2019-11-14 CVE-2019-15801 Zyxel Insufficiently Protected Credentials vulnerability in Zyxel products

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0.

5.0
2019-11-14 CVE-2013-3070 Netgear Information Exposure vulnerability in Netgear Wndr4700 Firmware 1.0.0.34

An Information Disclosure vulnerability exists in Netgear WNDR4700 running firmware 1.0.0.34 in the management web interface, which discloses the PSK of the wireless LAN.

5.0
2019-11-14 CVE-2019-14818 Dpdk
Redhat
Missing Release of Resource After Effective Lifetime vulnerability in multiple products

A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x.x before 16.11.10, 18.x.x before 18.11.4 and 19.x.x before 19.08.1 where a malicious master, or a container with access to vhost_user socket, can send specially crafted VRING_SET_NUM messages, resulting in a memory leak including file descriptors.

5.0
2019-11-14 CVE-2019-11175 Intel Improper Input Validation vulnerability in Intel Baseboard Management Controller Firmware

Insufficient input validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable denial of service via network access.

5.0
2019-11-14 CVE-2019-11174 Intel Unspecified vulnerability in Intel Baseboard Management Controller Firmware

Insufficient access control in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure via network access.

5.0
2019-11-14 CVE-2019-11172 Intel Out-Of-Bounds Read vulnerability in Intel Baseboard Management Controller Firmware

Out of bound read in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure via network access.

5.0
2019-11-14 CVE-2012-1170 Moodle
Fedoraproject
Improper Validation of Integrity Check Value vulnerability in multiple products

Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough

5.0
2019-11-14 CVE-2012-1169 Moodle
Fedoraproject
Information Exposure vulnerability in multiple products

Moodle before 2.2.2 has Personal information disclosure, when administrative setting users name display is set to first name only full names are shown in page breadcrumbs.

5.0
2019-11-14 CVE-2019-8240 Adobe Out-Of-Bounds Write vulnerability in Adobe Bridge CC 6.1/9.0.2

Adobe Bridge CC versions 9.1 and earlier have a memory corruption vulnerability.

5.0
2019-11-14 CVE-2019-8239 Adobe Out-Of-Bounds Write vulnerability in Adobe Bridge CC 6.1/9.0.2

Adobe Bridge CC versions 9.1 and earlier have a memory corruption vulnerability.

5.0
2019-11-14 CVE-2012-1156 Moodle
Fedoraproject
Redhat
Information Exposure Through LOG Files vulnerability in multiple products

Moodle before 2.2.2 has users' private files included in course backups

5.0
2019-11-14 CVE-2012-1155 Moodle
Fedoraproject
Redhat
Debian
Information Exposure vulnerability in multiple products

Moodle has a database activity export permission issue where the export function of the database activity module exports all entries even those from groups the user does not belong to

5.0
2019-11-14 CVE-2019-18949 Snowhaze Improper Input Validation vulnerability in Snowhaze

SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.

5.0
2019-11-14 CVE-2019-18954 Netease Exposure of Resource TO Wrong Sphere vulnerability in Netease Pomelo 2.2.5

Pomelo v2.2.5 allows external control of critical state data.

5.0
2019-11-13 CVE-2019-18951 Sibsoft Path Traversal vulnerability in Sibsoft Xfilesharing 2.5.1

SibSoft Xfilesharing through 2.5.1 allows op=page&tmpl=../ directory traversal to read arbitrary files.

5.0
2019-11-13 CVE-2019-0388 SAP Authentication Bypass BY Spoofing vulnerability in SAP UI

SAP UI5 HTTP Handler (corrected in SAP_UI versions 7.5, 7.51, 7.52, 7.53, 7.54 and SAP UI_700 version 2.0) allows an attacker to manipulate content due to insufficient URL validation.

5.0
2019-11-13 CVE-2010-5108 Edgewall
Debian
Incorrect Default Permissions vulnerability in multiple products

Trac 0.11.6 does not properly check workflow permissions before modifying a ticket.

5.0
2019-11-13 CVE-2011-4972 Ckeditor Information Exposure vulnerability in Ckeditor 7.X1.4

hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request.

5.0
2019-11-13 CVE-2010-4657 PHP
Redhat
Debian
Missing Release of Resource After Effective Lifetime vulnerability in multiple products

PHP5 before 5.4.4 allows passing invalid utf-8 strings via the xmlTextWriterWriteAttribute, which are then misparsed by libxml2.

5.0
2019-11-13 CVE-2019-18844 Linux Reachable Assertion vulnerability in Linux Acrn

The Device Model in ACRN before 2019w25.5-140000p relies on assert calls in devicemodel/hw/pci/core.c and devicemodel/include/pci_core.h (instead of other mechanisms for propagating error information or diagnostic information), which might allow attackers to cause a denial of service (assertion failure) within pci core.

5.0
2019-11-13 CVE-2019-18837 Crun Project
Fedoraproject
Link Following vulnerability in multiple products

An issue was discovered in crun before 0.10.5.

5.0
2019-11-13 CVE-2019-16951 Enghouse Information Exposure vulnerability in Enghouse web Chat 6.1.300.31/6.2.284.34

A remote file include (RFI) issue was discovered in Enghouse Web Chat 6.2.284.34.

5.0
2019-11-13 CVE-2019-5294 Huawei Out-Of-Bounds Read vulnerability in Huawei products

There is an out of bound read vulnerability in some Huawei products.

5.0
2019-11-13 CVE-2019-5289 Huawei Out-Of-Bounds Read vulnerability in Huawei Manageone 6.5.0

Gauss100 OLTP database in ManageOne with versions of 6.5.0 have an out-of-bounds read vulnerability due to the insufficient checks of the specific packet length.

5.0
2019-11-12 CVE-2019-14367 Slack Chat Project Information Exposure vulnerability in Slack-Chat Project Slack-Chat 1.5.5

Slack-Chat through 1.5.5 leaks a Slack Access Token in source code.

5.0
2019-11-12 CVE-2019-14366 Slack Information Exposure vulnerability in Slack WP Slacksync

WP SlackSync plugin through 1.8.5 for WordPress leaks a Slack Access Token in source code.

5.0
2019-11-12 CVE-2019-14365 Intercom Information Exposure vulnerability in Intercom 1.2.1

The Intercom plugin through 1.2.1 for WordPress leaks a Slack Access Token in source code.

5.0
2019-11-12 CVE-2011-2335 Google Double Free vulnerability in Google Blink M11

A double-free vulnerability exists in WebKit in Google Chrome before Blink M12 in the WebCore::CSSSelector function.

5.0
2019-11-12 CVE-2010-2488 ZNC Null Pointer Dereference vulnerability in ZNC

NULL pointer dereference vulnerability in ZNC before 0.092 caused by traffic stats when there are unauthenticated connections.

5.0
2019-11-12 CVE-2019-1324 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows TCP/IP stack improperly handles IPv6 flowlabel filled in packets, aka 'Windows TCP/IP Information Disclosure Vulnerability'.

5.0
2019-11-12 CVE-2019-12720 AUO SQL Injection vulnerability in AUO Sunveillance Monitoring System & Data Recorder

AUO SunVeillance Monitoring System before v1.1.9e is vulnerable to mvc_send_mail.aspx (MailAdd parameter) SQL Injection.

5.0
2019-11-12 CVE-2019-1234 Microsoft Authentication Bypass BY Spoofing vulnerability in Microsoft Azure Stack

A spoofing vulnerability exists when Azure Stack fails to validate certain requests, aka 'Azure Stack Spoofing Vulnerability'.

5.0
2019-11-12 CVE-2019-17360 Hitachi Resource Exhaustion vulnerability in Hitachi products

A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.7.0-00 allows an unauthenticated remote user to trigger a denial of service (DoS) condition because of Uncontrolled Resource Consumption.

5.0
2019-11-12 CVE-2018-21026 Hitachi
Linux
Microsoft
Oracle
Information Exposure vulnerability in Hitachi products

A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.6.5-00 allows an unauthenticated remote user to read internal information.

5.0
2019-11-12 CVE-2019-18924 Systematic Path Traversal vulnerability in Systematic Iris Webforms 5.4

Systematic IRIS WebForms 5.4 is vulnerable to directory traversal.

5.0
2019-11-12 CVE-2019-17235 Getigniteup Information Exposure vulnerability in Getigniteup Igniteup

includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows information disclosure.

5.0
2019-11-12 CVE-2012-1572 Openstack
Debian
Resource Exhaustion vulnerability in multiple products

OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space

5.0
2019-11-12 CVE-2019-18848 Json JWT Project Improper Input Validation vulnerability in Json-Jwt Project Json-Jwt

The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string.

5.0
2019-11-12 CVE-2012-1109 Pediapress Improper Handling of Exceptional Conditions vulnerability in Pediapress Mwlib

mwlib 0.13 through 0.13.4 has a denial of service vulnerability when parsing #iferror magic functions

5.0
2019-11-12 CVE-2019-18817 Istio Infinite Loop vulnerability in Istio

Istio 1.3.x before 1.3.5 allows Denial of Service because continue_on_listener_filters_timeout is set to True, a related issue to CVE-2019-18836.

5.0
2019-11-12 CVE-2018-18819 Mitel Incorrect Authorization vulnerability in Mitel Micollab and Mivoice Business Express

A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creation of unauthorized chat sessions, due to insufficient access controls.

5.0
2019-11-12 CVE-2014-7143 Twistedmatrix Improper Certificate Validation vulnerability in Twistedmatrix Twisted 14.0.0

Python Twisted 14.0 trustRoot is not respected in HTTP client

5.0
2019-11-12 CVE-2019-18874 Psutil Project Double Free vulnerability in Psutil Project Psutil

psutil (aka python-psutil) through 5.6.5 can have a double free.

5.0
2019-11-11 CVE-2019-18857 SVG Sanitizer Project Cross-Site Scripting vulnerability in Svg-Sanitizer Project Svg-Sanitizer

darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the javascript&#9;:alert substring.

5.0
2019-11-11 CVE-2019-18856 Drupal Incorrect Permission Assignment FOR Critical Resource vulnerability in Drupal SVG Sanitizer

A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.

5.0
2019-11-11 CVE-2019-18855 Safe SVG Project Unspecified vulnerability in Safe SVG Project Safe SVG

A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.

5.0
2019-11-11 CVE-2019-18854 Safe SVG Project Uncontrolled Recursion vulnerability in Safe SVG Project Safe SVG

A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ...

5.0
2019-11-11 CVE-2019-18836 Envoyproxy
Istio
Infinite Loop vulnerability in multiple products

Envoy 1.12.0 allows a remote denial of service because of resource loops, as demonstrated by a single idle TCP connection being able to keep a worker thread in an infinite busy loop when continue_on_listener_filters_timeout is used."

5.0
2019-11-15 CVE-2019-16762 Simpleledger Improper Input Validation vulnerability in Simpleledger Slpjs

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package.

4.9
2019-11-15 CVE-2019-16761 Simpleledger Improper Input Validation vulnerability in Simpleledger Slp-Validate 1.0.0

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slp-validate@1.0.0 npm package.

4.9
2019-11-14 CVE-2018-12207 Intel
Debian
Opensuse
Fedoraproject
Canonical
F5
Redhat
Improper Input Validation vulnerability in Intel products

Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access.

4.9
2019-11-14 CVE-2019-0144 Intel Improper Handling of Exceptional Conditions vulnerability in Intel products

Unhandled exception in firmware for Intel(R) Ethernet 700 Series Controllers before version 7.0 may allow an authenticated user to potentially enable a denial of service via local access.

4.9
2019-11-14 CVE-2019-0143 Intel Improper Handling of Exceptional Conditions vulnerability in Intel products

Unhandled exception in Kernel-mode drivers for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.

4.9
2019-11-13 CVE-2019-2212 Google Out-Of-Bounds Read vulnerability in Google Android

In poisson_distribution of random, there is an out of bounds read.

4.9
2019-11-13 CVE-2019-2209 Google Out-Of-Bounds Read vulnerability in Google Android

In BTA_DmPinReply of bta_dm_api.cc, there is a possible out of bounds read due to an incorrect bounds check.

4.9
2019-11-13 CVE-2019-2198 Google SQL Injection vulnerability in Google Android

In Download Provider, there is a possible SQL injection vulnerability.

4.9
2019-11-13 CVE-2019-2196 Google SQL Injection vulnerability in Google Android

In Download Provider, there is possible SQL injection.

4.9
2019-11-12 CVE-2019-1391 Microsoft Unspecified vulnerability in Microsoft products

A denial of service vulnerability exists when Windows improperly handles objects in memory, aka 'Windows Denial of Service Vulnerability'.

4.9
2019-11-15 CVE-2019-12757 Symantec Unspecified vulnerability in Symantec Endpoint Protection

Symantec Endpoint Protection (SEP), prior to 14.2 RU2 & 12.1 RU6 MP10 and Symantec Endpoint Protection Small Business Edition (SEP SBE) prior to 12.1 RU6 MP10d (12.1.7510.7002), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

4.6
2019-11-15 CVE-2018-18368 Symantec Improper Privilege Management vulnerability in Symantec Endpoint Protection Manager

Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU1, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

4.6
2019-11-15 CVE-2014-0023 Redhat Exposure of Resource TO Wrong Sphere vulnerability in Redhat Openshift

OpenShift: Install script has temporary file creation vulnerability which can result in arbitrary code execution

4.6
2019-11-14 CVE-2019-11111 Intel Null Pointer Dereference vulnerability in Intel Graphics Driver

Pointer corruption in the Unified Shader Compiler in Intel(R) Graphics Drivers before 10.18.14.5074 (aka 15.36.x.5074) may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2019-11-14 CVE-2019-0139 Intel Improper Privilege Management vulnerability in Intel products

Insufficient access control in firmware for Intel(R) Ethernet 700 Series Controllers before version 7.0 may allow a privileged user to potentially enable an escalation of privilege, denial of service, or information disclosure via local access.

4.6
2019-11-14 CVE-2019-15465 Samsung Unspecified vulnerability in Samsung Galaxy J7 PRO Firmware

The Samsung J7 Pro Android device with a build fingerprint of samsung/j7y17lteubm/j7y17lte:8.1.0/M1AJQ/J730GMUBS6BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15464 Samsung Unspecified vulnerability in Samsung Galaxy J7 PRO Firmware

The Samsung J7 Pro Android device with a build fingerprint of samsung/j7y17lteub/j7y17lte:8.1.0/M1AJQ/J730GUBS6BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15463 Samsung Unspecified vulnerability in Samsung Galaxy J7 Prime Firmware

The Samsung j7popeltemtr Android device with a build fingerprint of samsung/j7popeltemtr/j7popeltemtr:8.1.0/M1AJQ/J727T1UVS5BSC2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15462 Samsung Unspecified vulnerability in Samsung Galaxy J7 DUO Firmware

The Samsung J7 Duo Android device with a build fingerprint of samsung/j7duolteub/j7duolte:8.0.0/R16NW/J720MUBS3ASB2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15461 Samsung Unspecified vulnerability in Samsung Galaxy J7 NEO Firmware

The Samsung J7 Neo Android device with a build fingerprint of samsung/j7velteub/j7velte:8.1.0/M1AJQ/J701MUBS6BSB4:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15460 Samsung Unspecified vulnerability in Samsung Galaxy J7 NEO Firmware

The Samsung J7 Neo Android device with a build fingerprint of samsung/j7veltedx/j7velte:8.1.0/M1AJQ/J701FXVS6BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15459 Samsung Unspecified vulnerability in Samsung Galaxy J7 NEO Firmware

The Samsung J7 Neo Android device with a build fingerprint of samsung/j7velteub/j7velte:8.1.0/M1AJQ/J701MUBS6BSB3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15458 Samsung Unspecified vulnerability in Samsung Galaxy J7 NEO Firmware

The Samsung J7 Neo Android device with a build fingerprint of samsung/j7veltedx/j7velte:8.1.0/M1AJQ/J701FXXS6BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15457 Samsung Unspecified vulnerability in Samsung Galaxy J6 Firmware

The Samsung J6 Android device with a build fingerprint of samsung/j6ltexx/j6lte:8.0.0/R16NW/J600FNXXU3ASC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15456 Samsung Unspecified vulnerability in Samsung Galaxy J6 Firmware

The Samsung J6 Android device with a build fingerprint of samsung/j6ltexx/j6lte:8.0.0/R16NW/J600FNXXU3ASC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15455 Samsung Unspecified vulnerability in Samsung Galaxy J5 Firmware

The Samsung J5 Android device with a build fingerprint of samsung/j5y17ltexx/j5y17lte:8.1.0/M1AJQ/J530FXXU3BRL1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15454 Samsung Unspecified vulnerability in Samsung Galaxy J4 Firmware

The Samsung J4 Android device with a build fingerprint of samsung/j4lteub/j4lte:8.0.0/R16NW/J400MUBU2ARL4:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15453 Samsung Unspecified vulnerability in Samsung Galaxy J4 Firmware

The Samsung J4 Android device with a build fingerprint of samsung/j4lteub/j4lte:8.0.0/R16NW/J400MUBS2ASC2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15452 Samsung Unspecified vulnerability in Samsung Galaxy J3 Firmware

The Samsung J3 Android device with a build fingerprint of samsung/j3y17ltedx/j3y17lte:8.0.0/R16NW/J330GDXS3BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=6010000, versionName=6.1.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15451 Samsung Unspecified vulnerability in Samsung Galaxy J3 Firmware

The Samsung J3 Android device with a build fingerprint of samsung/j3y17ltedx/j3y17lte:8.0.0/R16NW/J330GDXS3BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=6010000, versionName=6.1.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15449 Samsung Unspecified vulnerability in Samsung Galaxy S7 Edge Firmware

The Samsung S7 Edge Android device with a build fingerprint of samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15448 Samsung Unspecified vulnerability in Samsung Galaxy S7 Edge Firmware

The Samsung S7 Edge Android device with a build fingerprint of samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15447 Samsung Unspecified vulnerability in Samsung Galaxy S7 Edge Firmware

The Samsung S7 Edge Android device with a build fingerprint of samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15446 Samsung Unspecified vulnerability in Samsung Galaxy S7 Firmware

The Samsung S7 Android device with a build fingerprint of samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXU3ESAC:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15445 Samsung Unspecified vulnerability in Samsung Galaxy S7 Firmware

The Samsung S7 Android device with a build fingerprint of samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXS4ESC3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15444 Samsung Unspecified vulnerability in Samsung Galaxy S7 Firmware

The Samsung S7 Android device with a build fingerprint of samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXS4ESC3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15443 Samsung Unspecified vulnerability in Samsung Galaxy J7 MAX Firmware

The Samsung J7 Max Android device with a build fingerprint of samsung/j7maxlteins/j7maxlte:8.1.0/M1AJQ/G615FXXU2BSB1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15441 Samsung Unspecified vulnerability in Samsung ON 7 Firmware

The Samsung on7xeltelgt Android device with a build fingerprint of samsung/on7xeltelgt/on7xeltelgt:8.1.0/M1AJQ/G610LKLU2CSB1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15440 Samsung Unspecified vulnerability in Samsung Galaxy J5 Firmware

The Samsung J5 Android device with a build fingerprint of samsung/on5xeltedx/on5xelte:8.0.0/R16NW/G570YDXU2CRL1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=6010000, versionName=6.1.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15439 Samsung Unspecified vulnerability in Samsung Galaxy Xcover4 Firmware

The Samsung XCover4 Android device with a build fingerprint of samsung/xcover4ltedo/xcover4lte:8.1.0/M1AJQ/G390YDXU2BSA1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15438 Samsung Unspecified vulnerability in Samsung Galaxy Xcover4 Firmware

The Samsung XCover4 Android device with a build fingerprint of samsung/xcover4ltedo/xcover4lte:8.1.0/M1AJQ/G390YDXU2BSA1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15437 Samsung Unspecified vulnerability in Samsung Galaxy Xcover4 Firmware

The Samsung XCover4 Android device with a build fingerprint of samsung/xcover4ltexx/xcover4lte:8.1.0/M1AJQ/G390FXXU3BSA2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15436 Samsung Unspecified vulnerability in Samsung Galaxy A8+ Firmware

The Samsung A8+ Android device with a build fingerprint of samsung/jackpot2ltexx/jackpot2lte:8.0.0/R16NW/A730FXXS4BSC2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15435 Samsung Unspecified vulnerability in Samsung Galaxy A7 Firmware

The Samsung A7 Android device with a build fingerprint of samsung/a7y17ltexx/a7y17lte:8.0.0/R16NW/A720FXXU7CSC2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15434 Samsung Unspecified vulnerability in Samsung Galaxy A5 Firmware

The Samsung A5 Android device with a build fingerprint of samsung/a5y17ltexx/a5y17lte:8.0.0/R16NW/A520FXXS8CSC5:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15433 Samsung Unspecified vulnerability in Samsung Galaxy A3 Firmware

The Samsung A3 Android device with a build fingerprint of samsung/a3y17ltedx/a3y17lte:8.0.0/R16NW/A320YDXU4CSB3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15432 Evercoss Unspecified vulnerability in Evercoss U6 Firmware

The Evercoss U6 Android device with a build fingerprint of EVERCOSS/U6/U6:7.0/NRD90M/1504236704:user/release-keys contains a pre-installed app with a package name of com.qiku.cleaner app (versionCode=2, versionName=2.0.0_VER_32516486284094) that allows other pre-installed apps to perform system properties modification via an accessible app component.

4.6
2019-11-14 CVE-2019-15416 Sony Unspecified vulnerability in Sony Xperia XZS Firmware

The Sony keyaki_kddi Android device with a build fingerprint of Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys contains a pre-installed app with a package name of com.kddi.android.packageinstaller app (versionCode=70008, versionName=08.10.03) that allows other pre-installed apps to perform app installation via an accessible app component.

4.6
2019-11-14 CVE-2019-15412 Asus Unspecified vulnerability in Asus Zenfone 4 Selfie Firmware

The Asus ZenFone 4 Selfie Android device with a build fingerprint of asus/WW_Z01M/ASUS_Z01M_1:7.1.1/NMF26F/WW_71.50.395.57_20180913:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component.

4.6
2019-11-14 CVE-2019-14602 Intel Incorrect Default Permissions vulnerability in Intel Nuvoton Consumer Infrared 1.02.1002

Improper permissions in the installer for the Nuvoton* CIR Driver versions 1.02.1002 and before may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2019-11-14 CVE-2019-14566 Intel Improper Input Validation vulnerability in Intel Software Guard Extensions SDK

Insufficient input validation in Intel(R) SGX SDK multiple Linux and Windows versions may allow an authenticated user to enable information disclosure, escalation of privilege or denial of service via local access.

4.6
2019-11-14 CVE-2019-14565 Intel Improper Initialization vulnerability in Intel Software Guard Extensions SDK

Insufficient initialization in Intel(R) SGX SDK Windows versions 2.4.100.51291 and earlier, and Linux versions 2.6.100.51363 and earlier, may allow an authenticated user to enable information disclosure, escalation of privilege or denial of service via local access.

4.6
2019-11-14 CVE-2019-11156 Intel Improper Privilege Management vulnerability in Intel Proset/Wireless Wifi

Logic errors in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable escalation of privilege, denial of service, and information disclosure via local access.

4.6
2019-11-14 CVE-2019-11153 Intel Out-Of-Bounds Write vulnerability in Intel Proset/Wireless Wifi

Memory corruption issues in Intel(R) PROSet/Wireless WiFi Software extension DLL before version 21.40 may allow an authenticated user to potentially enable escalation of privilege, information disclosure and a denial of service via local access.

4.6
2019-11-14 CVE-2019-11151 Intel Out-Of-Bounds Write vulnerability in Intel products

Memory corruption issues in Intel(R) WIFI Drivers before version 21.40 may allow a privileged user to potentially enable escalation of privilege, denial of service, and information disclosure via local access.

4.6
2019-11-14 CVE-2019-11137 Intel
HPE
Improper Input Validation vulnerability in multiple products

Insufficient input validation in system firmware for Intel(R) Xeon(R) Scalable Processors, Intel(R) Xeon(R) Processors D Family, Intel(R) Xeon(R) Processors E5 v4 Family, Intel(R) Xeon(R) Processors E7 v4 Family and Intel(R) Atom(R) processor C Series may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.

4.6
2019-11-14 CVE-2019-11136 Intel
HPE
Improper Privilege Management vulnerability in multiple products

Insufficient access control in system firmware for Intel(R) Xeon(R) Scalable Processors, 2nd Generation Intel(R) Xeon(R) Scalable Processors and Intel(R) Xeon(R) Processors D Family may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.

4.6
2019-11-14 CVE-2019-18895 Scanguard Incorrect Default Permissions vulnerability in Scanguard Antivirus 20191112

Scanguard through 2019-11-12 on Windows has Insecure Permissions for the installation directory, leading to privilege escalation via a Trojan horse executable file.

4.6
2019-11-14 CVE-2011-1145 Unixodbc
Debian
Opensuse
Redhat
Classic Buffer Overflow vulnerability in multiple products

The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.

4.6
2019-11-13 CVE-2010-4661 Udisks Project
Debian
Fedoraproject
Opensuse
Redhat
Unrestricted Upload of File With Dangerous Type vulnerability in multiple products

udisks before 1.0.3 allows a local user to load arbitrary Linux kernel modules.

4.6
2019-11-13 CVE-2019-5246 Huawei Insufficient Verification of Data Authenticity vulnerability in Huawei Elle-Al00B Firmware

Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability.

4.6
2019-11-12 CVE-2019-5229 Huawei Insufficient Verification of Data Authenticity vulnerability in Huawei P30 Firmware

P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1) have an insufficient verification vulnerability.

4.6
2019-11-12 CVE-2019-1423 Microsoft Link Following vulnerability in Microsoft Windows 10 1903

An elevation of privilege vulnerability exists in the way that the StartTileData.dll handles file creation in protected locations, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2019-11-12 CVE-2019-1422 Microsoft Link Following vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the iphlpsvc.dll handles file creation allowing for a file overwrite, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2019-11-12 CVE-2019-1420 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the dssvc.dll handles file creation allowing for a file overwrite or creation in a secured location, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2019-11-12 CVE-2019-1417 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka 'Windows Data Sharing Service Elevation of Privilege Vulnerability'.

4.6
2019-11-12 CVE-2019-1415 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations.To exploit the vulnerability, an attacker would require unprivileged execution on the victim system, aka 'Windows Installer Elevation of Privilege Vulnerability'.

4.6
2019-11-12 CVE-2019-1383 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka 'Windows Data Sharing Service Elevation of Privilege Vulnerability'.

4.6
2019-11-12 CVE-2019-1380 Microsoft Time-Of-Check Time-Of-Use (Toctou) Race Condition vulnerability in Microsoft products

A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls, aka 'Microsoft splwow64 Elevation of Privilege Vulnerability'.

4.6
2019-11-12 CVE-2019-1379 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2019

An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka 'Windows Data Sharing Service Elevation of Privilege Vulnerability'.

4.6
2019-11-12 CVE-2011-3618 Atop Project
Debian
Link Following vulnerability in multiple products

atop: symlink attack possible due to insecure tempfile handling

4.6
2019-11-11 CVE-2019-18862 GNU Unspecified vulnerability in GNU Mailutils 0.5/0.6

maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.

4.6
2019-11-14 CVE-2019-7962 Adobe Untrusted Search Path vulnerability in Adobe Illustrator CC

Adobe Illustrator CC versions 23.1 and earlier have an insecure library loading (dll hijacking) vulnerability.

4.4
2019-11-14 CVE-2019-7960 Adobe Untrusted Search Path vulnerability in Adobe Animate CC

Adobe Animate CC versions 19.2.1 and earlier have an insecure library loading (dll hijacking) vulnerability.

4.4
2019-11-12 CVE-2019-6172 Lenovo Unspecified vulnerability in Lenovo products

A potential vulnerability in the SMI callback function used in Legacy USB driver using passed parameter without sufficient checking in some Lenovo ThinkPad models may allow arbitrary code execution.

4.4
2019-11-12 CVE-2019-6170 Lenovo Unspecified vulnerability in Lenovo products

A potential vulnerability in the SMI callback function used in the Legacy USB driver using boot services structure in runtime phase in some Lenovo ThinkPad models may allow arbitrary code execution.

4.4
2019-11-12 CVE-2019-5695 Nvidia Untrusted Search Path vulnerability in Nvidia Geforce Experience and GPU Driver

NVIDIA GeForce Experience (prior to 3.20.1) and Windows GPU Display Driver (all versions) contains a vulnerability in the local service provider component in which an attacker with local system and privileged access can incorrectly load Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), which may lead to denial of service or information disclosure through code execution.

4.4
2019-11-12 CVE-2019-1416 Microsoft Race Condition vulnerability in Microsoft products

An elevation of privilege vulnerability exists due to a race condition in Windows Subsystem for Linux, aka 'Windows Subsystem for Linux Elevation of Privilege Vulnerability'.

4.4
2019-11-12 CVE-2010-3359 Gargoyle Project
Debian
Improper Input Validation vulnerability in multiple products

If LD_LIBRARY_PATH is undefined in gargoyle-free before 2009-08-25, the variable will point to the current directory.

4.4
2019-11-17 CVE-2019-19040 Kairosdb Project Cross-Site Scripting vulnerability in Kairosdb Project Kairosdb

KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.

4.3
2019-11-17 CVE-2019-19035 Jhead Project Out-Of-Bounds Read vulnerability in Jhead Project Jhead 3.03

jhead 3.03 is affected by: heap-based buffer over-read.

4.3
2019-11-15 CVE-2019-6663 F5 Improper Input Validation vulnerability in F5 products

The BIG-IP 15.0.0-15.0.1, 14.0.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.1-11.6.5.1, BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1 configuration utility is vulnerable to Anti DNS Pinning (DNS Rebinding) attack.

4.3
2019-11-15 CVE-2013-4584 Horms
Debian
Improper Handling of Exceptional Conditions vulnerability in multiple products

Perdition before 2.2 may have weak security when handling outbound connections, caused by an error in the STARTTLS IMAP and POP server.

4.3
2019-11-15 CVE-2019-18982 Pimcore Cross-Site Scripting vulnerability in Pimcore

bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header.

4.3
2019-11-14 CVE-2019-15802 Zyxel USE of Hard-Coded Credentials vulnerability in Zyxel products

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0.

4.3
2019-11-14 CVE-2013-4106 Cryptocat Project Cross-Site Scripting vulnerability in Cryptocat Project Cryptocat

A Cross-site scripting (XSS) vulnerability exists in Conversation Overview Nickname in Cryptocat before 2.0.22.

4.3
2019-11-14 CVE-2013-4109 Cryptocat Project Cross-Site Scripting vulnerability in Cryptocat Project Cryptocat 1.1.165

An unspecified cross-site scripting (XSS) vulnerability exists in Cryptocat Message Handling 1.1.165.

4.3
2019-11-14 CVE-2019-8244 Adobe Out-Of-Bounds Read vulnerability in Adobe Media Encoder 13.0.2/13.1

Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds read vulnerability.

4.3
2019-11-14 CVE-2019-8243 Adobe Out-Of-Bounds Read vulnerability in Adobe Media Encoder 13.0.2/13.1

Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds read vulnerability.

4.3
2019-11-14 CVE-2019-8242 Adobe Out-Of-Bounds Read vulnerability in Adobe Media Encoder 13.0.2/13.1

Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds read vulnerability.

4.3
2019-11-14 CVE-2019-8241 Adobe Out-Of-Bounds Read vulnerability in Adobe Media Encoder 13.0.2/13.1

Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds read vulnerability.

4.3
2019-11-14 CVE-2019-18957 Microstrategy Cross-Site Scripting vulnerability in Microstrategy Library

Microstrategy Library in MicroStrategy before 2019 before 11.1.3 has reflected XSS.

4.3
2019-11-14 CVE-2019-16863 ST USE of A Broken OR Risky Cryptographic Algorithm vulnerability in ST products

STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.

4.3
2019-11-14 CVE-2011-0544 Phpbb
Debian
Cross-Site Scripting vulnerability in multiple products

phpbb 3.0.x-3.0.6 has an XSS vulnerability via the [flash] BB tag.

4.3
2019-11-13 CVE-2019-13555 Mitsubishielectric Resource Exhaustion vulnerability in Mitsubishielectric products

In Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU: serial number 21081 and prior, Q04/06/13/26UDPVCPU: serial number 21081 and prior, and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 21081 and prior, MELSEC-L Series L02/06/26CPU, L26CPU-BT: serial number 21101 and prior, L02/06/26CPU-P, L26CPU-PBT: serial number 21101 and prior, and L02/06/26CPU-CM, L26CPU-BT-CM: serial number 21101 and prior, a remote attacker can cause the FTP service to enter a denial-of-service condition dependent on the timing at which a remote attacker connects to the FTP server on the above CPU modules.

4.3
2019-11-13 CVE-2019-18923 GO Camo Project Cross-Site Scripting vulnerability in Go-Camo Project Go-Camo

Insufficient content type validation of proxied resources in go-camo before 2.1.1 allows a remote attacker to serve arbitrary content from go-camo's origin.

4.3
2019-11-13 CVE-2013-3097 Actiontec Cross-Site Scripting vulnerability in Actiontec Mi424Wr-Gen3I Firmware

Unspecified Cross-site scripting (XSS) vulnerability in the Verizon FIOS Actiontec MI424WR-GEN3I router.

4.3
2019-11-13 CVE-2019-17550 Adenion Cross-Site Scripting vulnerability in Adenion Blog2Social

The Blog2Social plugin before 5.9.0 for WordPress is affected by: Cross Site Scripting (XSS).

4.3
2019-11-13 CVE-2019-17515 Cleantalk Cross-Site Scripting vulnerability in Cleantalk Spam Protection, Antispam, Firewall

The CleanTalk cleantalk-spam-protect plugin before 5.127.4 for WordPress is affected by: Cross Site Scripting (XSS).

4.3
2019-11-13 CVE-2012-5193 Bitweaver Cross-Site Scripting vulnerability in Bitweaver 2.8.1

Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 2.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) stats/index.php or (2) newsletters/edition.php or the (3) username parameter to users/remind_password.php, (4) days parameter to stats/index.php, (5) login parameter to users/register.php, or (6) highlight parameter.

4.3
2019-11-13 CVE-2019-18883 Lavalite Cross-Site Scripting vulnerability in Lavalite 5.7.0

XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field.

4.3
2019-11-13 CVE-2019-18793 Parallels Cross-Site Scripting vulnerability in Parallels Plesk Panel 9.5

Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter.

4.3
2019-11-13 CVE-2013-3516 Netgear Cross-Site Request Forgery (CSRF) vulnerability in Netgear Wnr3500L Firmware and Wnr3500U Firmware

NETGEAR WNR3500U and WNR3500L routers uses form tokens abased solely on router's current date and time, which allows attackers to guess the CSRF tokens.

4.3
2019-11-13 CVE-2010-4653 Freedesktop
Debian
Integer Overflow OR Wraparound vulnerability in multiple products

An integer overflow condition in poppler before 0.16.3 can occur when parsing CharCodes for fonts.

4.3
2019-11-13 CVE-2019-16950 Enghouse Cross-Site Scripting vulnerability in Enghouse web Chat 6.1.300.31/6.2.284.34

An XSS issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34.

4.3
2019-11-13 CVE-2010-4532 Debian
Offlineimap
Improper Certificate Validation vulnerability in multiple products

offlineimap before 6.3.2 does not check for SSL server certificate validation when "ssl = yes" option is specified which can allow man-in-the-middle attacks.

4.3
2019-11-13 CVE-2014-8167 Redhat Improper Certificate Validation vulnerability in Redhat products

vdsm and vdsclient does not validate certficate hostname from another vdsm which could facilitate a man-in-the-middle attack

4.3
2019-11-13 CVE-2012-4385 Trilexnet
Debian
Cross-Site Request Forgery (CSRF) vulnerability in multiple products

letodms 3.3.6 has CSRF via change password

4.3
2019-11-13 CVE-2014-3655 Redhat Cross-Site Request Forgery (CSRF) vulnerability in Redhat Jboss Enterprise web Server and Keycloak

JBoss KeyCloak is vulnerable to soft token deletion via CSRF

4.3
2019-11-13 CVE-2014-3592 Redhat Cross-Site Scripting vulnerability in Redhat Openshift Origin

OpenShift Origin: Improperly validated team names could allow stored XSS attacks

4.3
2019-11-13 CVE-2012-4384 Trilexnet
Debian
Cross-Site Scripting vulnerability in multiple products

letodms has multiple XSS issues: Reflected XSS in Login Page, Stored XSS in Document Owner/User name, Stored XSS in Calendar

4.3
2019-11-13 CVE-2019-5279 Huawei Unspecified vulnerability in Huawei Emily-L29C Firmware

Huawei smart phones Emily-L29C with Versions earlier than 9.1.0.311(C10E2R1P13T8), Versions earlier than 9.1.0.311(C461E2R1P11T8), Versions earlier than 9.1.0.316(C635E2R1P11T8), Versions earlier than 9.1.0.311(C185E2R1P12T8), Versions earlier than 9.1.0.311(C605E2R1P12T8), Versions earlier than 9.1.0.311(C636E7R1P13T8) have an information leakage vulnerability.

4.3
2019-11-13 CVE-2019-5230 Huawei Improper Input Validation vulnerability in Huawei Mate RS Firmware, P20 Firmware and P20 PRO Firmware

P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability.

4.3
2019-11-12 CVE-2010-3857 Redhat Cross-Site Scripting vulnerability in Redhat Jboss Business Rules Management System

JBoss BRMS before 5.1.0 has a XSS vulnerability via asset=UUID parameter.

4.3
2019-11-12 CVE-2011-1803 Google Double Free vulnerability in Google Blink

An issue exists in third_party/WebKit/Source/WebCore/svg/animation/SVGSMILElement.h in WebKit in Google Chrome before Blink M11 and M12 when trying to access a removed smil element.

4.3
2019-11-12 CVE-2011-1802 Google Null Pointer Dereference vulnerability in Google Blink

WebKit in Google Chrome before Blink M11 and M12 does not properly handle counter nodes, which allows remote attackers to cause a denial of service (memory corruption).

4.3
2019-11-12 CVE-2011-2334 Google USE After Free vulnerability in Google Blink M11

Use after free vulnerability exists in WebKit in Google Chrome before Blink M12 in RenderLayerwhen removing elements with reflections.

4.3
2019-11-12 CVE-2010-3299 Rubyonrails
Debian
Missing Encryption of Sensitive Data vulnerability in multiple products

The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.

4.3
2019-11-12 CVE-2019-17332 Tibco Cross-Site Scripting vulnerability in Tibco EBX Add-Ons

The Digital Asset Manager Web Interface component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks.

4.3
2019-11-12 CVE-2019-17330 Tibco Cross-Site Scripting vulnerability in Tibco EBX

The Web server component of TIBCO Software Inc.'s TIBCO EBX contains multiple vulnerabilities that theoretically allow authenticated users to perform stored cross-site scripting (XSS) attacks, and unauthenticated users to perform reflected cross-site scripting attacks.

4.3
2019-11-12 CVE-2019-1446 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka 'Microsoft Excel Information Disclosure Vulnerability'.

4.3
2019-11-12 CVE-2019-1442 Microsoft Origin Validation Error vulnerability in Microsoft Sharepoint Server 2019

A security feature bypass vulnerability exists when Microsoft Office does not validate URLs.An attacker could send a victim a specially crafted file, which could trick the victim into entering credentials, aka 'Microsoft Office Security Feature Bypass Vulnerability'.

4.3
2019-11-12 CVE-2019-1439 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-11-12 CVE-2019-1432 Microsoft Out-Of-Bounds Read vulnerability in Microsoft products

An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory, aka 'DirectWrite Information Disclosure Vulnerability'.

4.3
2019-11-12 CVE-2019-1413 Microsoft Origin Validation Error vulnerability in Microsoft Edge

A security feature bypass vulnerability exists when Microsoft Edge improperly handles extension requests and fails to request host permission for all_urls, aka 'Microsoft Edge Security Feature Bypass Vulnerability'.

4.3
2019-11-12 CVE-2019-1411 Microsoft Out-Of-Bounds Read vulnerability in Microsoft products

An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory, aka 'DirectWrite Information Disclosure Vulnerability'.

4.3
2019-11-12 CVE-2019-1374 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory, aka 'Windows Error Reporting Information Disclosure Vulnerability'.

4.3
2019-11-12 CVE-2019-18926 Systematicinc Cross-Site Scripting vulnerability in Systematicinc Iris Standards Management 2.1

Systematic IRIS Standards Management (ISM) v2.1 SP1 89 is vulnerable to unauthenticated reflected Cross Site Scripting (XSS).

4.3
2019-11-12 CVE-2019-17236 Getigniteup Cross-Site Scripting vulnerability in Getigniteup Igniteup

includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress is vulnerable to stored XSS.

4.3
2019-11-12 CVE-2014-3599 Redhat XXE vulnerability in Redhat Hornetq

HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy

4.3
2019-11-12 CVE-2011-3370 Status Cross-Site Scripting vulnerability in Status Statusnet 0.9.6/1.0.0

statusnet before 0.9.9 has XSS

4.3
2019-11-12 CVE-2011-2935 Elgg Cross-Site Scripting vulnerability in Elgg

Elgg through 1.7.10 has XSS

4.3
2019-11-12 CVE-2019-18882 Wso2 Cross-Site Scripting vulnerability in Wso2 Identity Server 5.7.0

WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.

4.3
2019-11-12 CVE-2019-18881 Wso2 Cross-Site Scripting vulnerability in Wso2 Identity Server 5.7.0

WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.

4.3
2019-11-11 CVE-2019-18853 Imagemagick Uncontrolled Recursion vulnerability in Imagemagick

ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.

4.3
2019-11-11 CVE-2019-18849 Tnef Project Out-Of-Bounds Read vulnerability in Tnef Project Tnef

In tnef before 1.4.18, an attacker may be able to write to the victim's .ssh/authorized_keys file via an e-mail message with a crafted winmail.dat application/ms-tnef attachment, because of a heap-based buffer over-read involving strdup.

4.3
2019-11-15 CVE-2019-6662 F5 Information Exposure Through LOG Files vulnerability in F5 products

On BIG-IP 13.1.0-13.1.1.4, sensitive information is logged into the local log files and/or remote logging targets when restjavad processes an invalid request.

4.0
2019-11-14 CVE-2019-11179 Intel Improper Input Validation vulnerability in Intel Baseboard Management Controller Firmware

Insufficient input validation in Intel(R) Baseboard Management Controller firmware may allow an authenticated user to potentially enable information disclosure via network access.

4.0
2019-11-14 CVE-2012-1161 Moodle
Fedoraproject
Information Exposure vulnerability in multiple products

Moodle before 2.2.2: Course information leak via hidden courses being displayed in tag search results

4.0
2019-11-14 CVE-2012-1160 Moodle
Fedoraproject
Incorrect Permission Assignment FOR Critical Resource vulnerability in multiple products

Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/index.php

4.0
2019-11-14 CVE-2012-1159 Moodle
Fedoraproject
Information Exposure vulnerability in multiple products

Moodle before 2.2.2: Overview report allows users to see hidden courses

4.0
2019-11-14 CVE-2012-1158 Moodle
Fedoraproject
Information Exposure vulnerability in multiple products

Moodle before 2.2.2 has a course information leak in gradebook where users are able to see hidden grade items in export

4.0
2019-11-14 CVE-2012-1157 Moodle
Fedoraproject
Incorrect Default Permissions vulnerability in multiple products

Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default

4.0
2019-11-14 CVE-2019-3662 Mcafee Path Traversal vulnerability in Mcafee Advanced Threat Defense

Path Traversal: '/absolute/pathname/here' vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to gain unintended access to files on the system via carefully constructed HTTP requests.

4.0
2019-11-14 CVE-2019-3640 Mcafee Cleartext Transmission of Sensitive Information vulnerability in Mcafee Data Loss Prevention

Unprotected Transport of Credentials in ePO extension in McAfee Data Loss Prevention 11.x prior to 11.4.0 allows remote attackers with access to the network to collect login details to the LDAP server via the ePO extension not using a secure connection when testing LDAP connectivity.

4.0
2019-11-13 CVE-2019-3650 Mcafee Information Exposure vulnerability in Mcafee Advanced Threat Defense

Information Disclosure vulnerability in McAfee Advanced Threat Defense (ATD prior to 4.8 allows remote authenticated attackers to gain access to the atduser credentials via carefully constructed GET request extracting insecurely information stored in the database.

4.0
2019-11-13 CVE-2019-3649 Mcafee Information Exposure vulnerability in Mcafee Advanced Threat Defense

Information Disclosure vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attackers to gain access to hashed credentials via carefully constructed POST request extracting incorrectly recorded data from log files.

4.0
2019-11-13 CVE-2019-0393 SAP SQL Injection vulnerability in SAP Quality Management

An SQL Injection vulnerability in SAP Quality Management (corrected in S4CORE versions 1.0, 1.01, 1.02, 1.03) allows an attacker to carry out targeted database queries that can read individual fields of historical inspection results.

4.0
2019-11-13 CVE-2019-0391 SAP Unspecified vulnerability in SAP Netweaver Application Server Java

Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted.

4.0
2019-11-13 CVE-2019-0390 SAP Information Exposure vulnerability in SAP Diagnostics Agent 7.2

Under certain conditions SAP Data Hub (corrected in DH_Foundation version 2) allows an attacker to access information which would otherwise be restricted.

4.0
2019-11-13 CVE-2019-16949 Enghouse Improper Input Validation vulnerability in Enghouse web Chat 6.1.300.31/6.2.284.34

An issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34.

4.0
2019-11-13 CVE-2019-5293 Huawei Missing Release of Resource After Effective Lifetime vulnerability in Huawei products

Some Huawei products have a memory leak vulnerability when handling some messages.

4.0
2019-11-12 CVE-2010-3439 COR Entertainment
Debian
Fedoraproject
Improper Input Validation vulnerability in multiple products

It is possible to cause a DoS condition by causing the server to crash in alien-arena 7.33 by supplying various invalid parameters to the download command.

4.0
2019-11-12 CVE-2019-1443 Microsoft Unrestricted Upload of File With Dangerous Type vulnerability in Microsoft products

An information disclosure vulnerability exists in Microsoft SharePoint when an attacker uploads a specially crafted file to the SharePoint Server.An authenticated attacker who successfully exploited this vulnerability could potentially leverage SharePoint functionality to obtain SMB hashes.The security update addresses the vulnerability by correcting how SharePoint checks file content., aka 'Microsoft SharePoint Information Disclosure Vulnerability'.

4.0
2019-11-12 CVE-2019-15815 Zyxel Authorization Bypass Through User-Controlled KEY vulnerability in Zyxel 2.00(Abbx.3)

ZyXEL P-1302-T10D v3 devices with firmware version 2.00(ABBX.3) and earlier do not properly enforce access control and could allow an unauthorized user to access certain pages that require admin privileges.

4.0

132 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-11-14 CVE-2019-11173 Intel Session Fixation vulnerability in Intel Baseboard Management Controller Firmware

Insufficient session validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via local access.

3.6
2019-11-14 CVE-2019-11155 Intel Incorrect Default Permissions vulnerability in Intel Proset/Wireless Wifi

Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.

3.6
2019-11-14 CVE-2019-11154 Intel Incorrect Default Permissions vulnerability in Intel Proset/Wireless Wifi

Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.

3.6
2019-11-13 CVE-2010-4817 Pithos Project
Debian
Link Following vulnerability in multiple products

pithos before 0.3.5 allows overwrite of arbitrary files via symlinks.

3.6
2019-11-12 CVE-2019-4652 IBM Incorrect Default Permissions vulnerability in IBM Spectrum Protect Plus

IBM Spectrum Protect Plus 10.1.0 through 10.1.4 uses insecure file permissions on restored files and directories in Windows which could allow a local user to obtain sensitive information or perform unauthorized actions.

3.6
2019-11-15 CVE-2019-14343 Vocabularyserver Cross-Site Scripting vulnerability in Vocabularyserver Tematres 3.0

TemaTres 3.0 has stored XSS via the value parameter to the vocab/admin.php?vocabulario_id=list URI.

3.5
2019-11-14 CVE-2019-18649 Untangle Cross-Site Scripting vulnerability in Untangle NG Firewall 14.2.0

When logged in as an admin user, the Title input field (under Reports) within Untangle NG firewall 14.2.0 is vulnerable to stored XSS.

3.5
2019-11-14 CVE-2019-18648 Untangle Cross-Site Scripting vulnerability in Untangle NG Firewall 14.2.0

When logged in as an admin user, the Untangle NG firewall 14.2.0 is vulnerable to reflected XSS at multiple places and specific user input fields.

3.5
2019-11-13 CVE-2019-0385 SAP Cross-Site Scripting vulnerability in SAP Enable NOW 1902

SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

3.5
2019-11-13 CVE-2019-0382 SAP Cross-Site Scripting vulnerability in SAP Businessobjects Business Intelligence Platform

A Cross-Site Scripting vulnerability exists in SAP BusinessObjects Business Intelligence Platform (Web Intelligence-Publication related pages); corrected in version 4.2.

3.5
2019-11-13 CVE-2013-4275 ZEN Project Cross-Site Scripting vulnerability in ZEN Project ZEN

Cross-site scripting (XSS) vulnerability in the zen_breadcrumb function in template.php in the Zen theme 6.x-1.x, 7.x-3.x before 7.x-3.2, and 7.x-5.x before 7.x-5.4 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via the breadcrumb separator field.

3.5
2019-11-13 CVE-2013-3517 Netgear Cross-Site Scripting vulnerability in Netgear Wnr3500L Firmware and Wnr3500U Firmware

Cross-site scripting (XSS) vulnerability in NETGEAR WNR3500U and WNR3500L.

3.5
2019-11-13 CVE-2019-17524 Technicolor Cross-Site Scripting vulnerability in Technicolor Tc7300.B0 Firmware Stfa.51.20

An XSS vulnerability on Technicolor TC7300 STFA.51.20 devices allows remote attackers to inject arbitrary web script via the "Connected Clients" field to /wlanAccess.asp.

3.5
2019-11-13 CVE-2019-17523 Technicolor Cross-Site Scripting vulnerability in Technicolor Tc7300.B0 Firmware Stfa.51.20

An XSS vulnerability on Technicolor TC7300 STFA.51.20 devices allows remote attackers to inject arbitrary web script via the FileName parameter to /FTPDiag.asp.

3.5
2019-11-13 CVE-2019-3641 Mcafee Unspecified vulnerability in Mcafee Threat Intelligence Exchange Server 3.0.0

Abuse of Authorization vulnerability in APIs exposed by TIE server in McAfee Threat Intelligence Exchange Server (TIE Server) 3.0.0 allows remote authenticated users to modify stored reputation data via specially crafted messages.

3.5
2019-11-12 CVE-2019-17331 Tibco Cross-Site Scripting vulnerability in Tibco EBX Add-Ons 3.20.13/4.1.0

The Data Exchange Web Interface component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks.

3.5
2019-11-13 CVE-2019-3420 ZTE Information Exposure vulnerability in ZTE Zxhn H108N Firmware 2.5.0Eg1T5Ted

All versions up to V2.5.0_EG1T5_TED of ZTE ZXHN H108N product are impacted by an information leak vulnerability.

3.3
2019-11-12 CVE-2010-3440 Babiloo Project
Debian
Download of Code Without Integrity Check vulnerability in multiple products

babiloo 2.0.9 before 2.0.11 creates temporary files with predictable names when downloading and unpacking dictionary files, allowing a local attacker to overwrite arbitrary files.

3.3
2019-11-12 CVE-2010-3095 Mailscanner Link Following vulnerability in Mailscanner

mailscanner before 4.79.11-2.1 might allow local users to overwrite arbitrary files via a symlink attack on certain temporary files.

3.3
2019-11-12 CVE-2011-5271 Clusterlabs Link Following vulnerability in Clusterlabs Pacemaker

Pacemaker before 1.1.6 configure script creates temporary files insecurely

3.3
2019-11-15 CVE-2011-2916 Qtnx Project Cleartext Storage of Sensitive Information vulnerability in Qtnx Project Qtnx 0.9

qtnx 0.9 stores non-custom SSH keys in a world-readable configuration file.

2.1
2019-11-15 CVE-2019-12756 Symantec Unspecified vulnerability in Symantec Endpoint Protection

Symantec Endpoint Protection (SEP), prior to 14.2 RU2 may be susceptible to a password protection bypass vulnerability whereby the secondary layer of password protection could by bypassed for individuals with local administrator rights.

2.1
2019-11-14 CVE-2019-17391 Espressif Improper Handling of Exceptional Conditions vulnerability in Espressif products

An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2.

2.1
2019-11-14 CVE-2019-14591 Intel Improper Input Validation vulnerability in Intel Graphics Driver

Improper input validation in the API for Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable denial of service via local access.

2.1
2019-11-14 CVE-2019-14590 Intel Unspecified vulnerability in Intel Graphics Driver

Improper access control in the API for the Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable information disclosure via local access.

2.1
2019-11-14 CVE-2019-14574 Intel Out-Of-Bounds Read vulnerability in Intel Graphics Driver

Out of bounds read in a subsystem for Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable denial of service via local access.

2.1
2019-11-14 CVE-2019-11113 Intel Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Intel Graphics Driver

Buffer overflow in Kernel Mode module for Intel(R) Graphics Driver before version 25.20.100.6618 (DCH) or 21.20.x.5077 (aka15.45.5077) may allow a privileged user to potentially enable information disclosure via local access.

2.1
2019-11-14 CVE-2019-11089 Intel Improper Input Validation vulnerability in Intel Graphics Driver

Insufficient input validation in Kernel Mode module for Intel(R) Graphics Driver before version 25.20.100.6519 may allow an authenticated user to potentially enable denial of service via local access.

2.1
2019-11-14 CVE-2019-0184 Intel Unspecified vulnerability in Intel products

Insufficient access control in protected memory subsystem for Intel(R) TXT for 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 Families; Intel(R) Xeon(R) E-2100 and E-2200 Processor Families with Intel(R) Processor Graphics and Intel(R) TXT may allow a privileged user to potentially enable information disclosure via local access.

2.1
2019-11-14 CVE-2019-0117 Intel Unspecified vulnerability in Intel products

Insufficient access control in protected memory subsystem for Intel(R) SGX for 6th, 7th, 8th, 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Xeon(R) Processor E3-1500 v5, v6 Families; Intel(R) Xeon(R) E-2100 & E-2200 Processor Families with Intel(R) Processor Graphics may allow a privileged user to potentially enable information disclosure via local access.

2.1
2019-11-14 CVE-2019-11139 Opensuse
Intel
Improper Check FOR Unusual OR Exceptional Conditions vulnerability in multiple products

Improper conditions check in the voltage modulation interface for some Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable denial of service via local access.

2.1
2019-11-14 CVE-2019-11135 Opensuse
Fedoraproject
Slackware
HP
Intel
Canonical
TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.
2.1
2019-11-14 CVE-2019-0185 Intel Unspecified vulnerability in Intel products

Insufficient access control in protected memory subsystem for SMM for 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor families; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 families; Intel(R) Xeon(R) E-2100 and E-2200 Processor families with Intel(R) Processor Graphics may allow a privileged user to potentially enable information disclosure via local access.

2.1
2019-11-14 CVE-2019-0154 Canonical
Intel
Insufficient access control in subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100 Processor Families may allow an authenticated user to potentially enable denial of service via local access.
2.1
2019-11-14 CVE-2019-0150 Intel Unspecified vulnerability in Intel products

Insufficient access control in firmware Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow a privileged user to potentially enable a denial of service via local access.

2.1
2019-11-14 CVE-2019-0149 Intel Improper Input Validation vulnerability in Intel products

Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 2.8.43 may allow an authenticated user to potentially enable a denial of service via local access.

2.1
2019-11-14 CVE-2019-0148 Intel Missing Release of Resource After Effective Lifetime vulnerability in Intel products

Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.

2.1
2019-11-14 CVE-2019-0147 Intel Improper Input Validation vulnerability in Intel products

Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.

2.1
2019-11-14 CVE-2019-0146 Intel Missing Release of Resource After Effective Lifetime vulnerability in Intel products

Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 2.8.43 may allow an authenticated user to potentially enable a denial of service via local access.

2.1
2019-11-14 CVE-2019-15744 Sony Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Sony Xperia XZS Firmware

The Sony Xperia Xperia XZs Android device with a build fingerprint of Sony/keyaki_softbank/keyaki_softbank:7.1.1/TONE3-3.0.0-SOFTBANK-170517-0323/1:user/dev-keys contains a pre-installed app with a package name of jp.softbank.mb.tdrl app (versionCode=1413005, versionName=1.3.0) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15743 Sony Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Sony Xperia Touch Firmware

The Sony Xperia Touch Android device with a build fingerprint of Sony/blanc_windy/blanc_windy:7.0/LOIRE-SMART-BLANC-1.0.0-170530-0834/1:user/dev-keys contains a pre-installed app with a package name of com.sonymobile.android.maintenancetool.testmic app (versionCode=24, versionName=7.0) that allows unauthorized microphone audio recording via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15475 MI Externally Controlled Reference TO A Resource in Another Sphere vulnerability in MI A3 Firmware

The Xiaomi Mi A3 Android device with a build fingerprint of xiaomi/onc_eea/onc:9/PKQ1.181021.001/V10.2.8.0.PFLEUXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15474 MI Externally Controlled Reference TO A Resource in Another Sphere vulnerability in MI Cepheus Firmware

The Xiaomi Cepheus Android device with a build fingerprint of Xiaomi/cepheus/cepheus:9/PKQ1.181121.001/V10.2.6.0.PFAMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15473 MI Externally Controlled Reference TO A Resource in Another Sphere vulnerability in MI A2 Lite Firmware

The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/jasmine/jasmine_sprout:9/PKQ1.180904.001/V10.0.2.0.PDIMIFJ:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15472 MI Externally Controlled Reference TO A Resource in Another Sphere vulnerability in MI A2 Lite Firmware

The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15471 MI Unspecified vulnerability in MI MIX 2S Firmware

The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component.

2.1
2019-11-14 CVE-2019-15470 MI Unspecified vulnerability in MI Redmi Note 6 PRO Firmware

The Xiaomi Redmi Note 6 Pro Android device with a build fingerprint of xiaomi/tulip/tulip:8.1.0/OPM1.171019.011/V10.2.2.0.OEKMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component.

2.1
2019-11-14 CVE-2019-15469 MI Unspecified vulnerability in MI PAD 4 Firmware

The Xiaomi Mi Pad 4 Android device with a build fingerprint of Xiaomi/clover/clover:8.1.0/OPM1.171019.019/V9.6.26.0.ODJCNFD:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component.

2.1
2019-11-14 CVE-2019-15468 MI Externally Controlled Reference TO A Resource in Another Sphere vulnerability in MI A2 Lite Firmware

The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812071953) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15467 MI Externally Controlled Reference TO A Resource in Another Sphere vulnerability in MI MIX 2S Firmware

The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=A2060_201801032053) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15466 MI Externally Controlled Reference TO A Resource in Another Sphere vulnerability in MI Redmi 6 PRO Firmware

The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V10.2.6.0.ODMMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812191721) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15431 Evercoss Unspecified vulnerability in Evercoss U50A MAX Firmware

The Evercoss U50A Android device with a build fingerprint of EVERCOSS/U50A./EVERCOSS:7.0/NRD90M/1499911028:eng/test-keys contains a pre-installed app with a package name of com.qiku.cleaner app (versionCode=2, versionName=2.0_VER_2017.04.21_17:55:55) that allows other pre-installed apps to perform system properties modification via an accessible app component.

2.1
2019-11-14 CVE-2019-15430 Bluboo D3 PRO Project Unspecified vulnerability in Bluboo D3 PRO Project Bluboo D3 PRO Firmware

The Bluboo D3 Pro Android device with a build fingerprint of BLUBOO/Bluboo_D2_Pro/Bluboo_D2_Pro:7.0/NRD90M/1510370501:user/release-keys contains a pre-installed app with a package name of com.qiku.cleaner app (versionCode=2, versionName=2.0.0_VER_32516508295515) that allows other pre-installed apps to perform system properties modification via an accessible app component.

2.1
2019-11-14 CVE-2019-15428 MI Externally Controlled Reference TO A Resource in Another Sphere vulnerability in MI Note 2 Firmware

The Xiaomi Mi Note 2 Android device with a build fingerprint of Xiaomi/scorpio/scorpio:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper app (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15427 MI Externally Controlled Reference TO A Resource in Another Sphere vulnerability in MI MIX Firmware

The Xiaomi Mi Mix Android device with a build fingerprint of Xiaomi/lithium/lithium:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper app (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15426 MI Externally Controlled Reference TO A Resource in Another Sphere vulnerability in MI 5S Plus Firmware

The Xiaomi 5S Plus Android device with a build fingerprint of Xiaomi/natrium/natrium:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper app (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15425 Katadigital Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Katadigital M4S Firmware

The Kata M4s Android device with a build fingerprint of alps/full_hct6750_66_n/hct6750_66_n:7.0/NRD90M/1495624556:user/test-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15424 Doogee Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Doogee Bl5000 Firmware

The Doogee BL5000 Android device with a build fingerprint of DOOGEE/BL5000/BL5000:7.0/NRD90M/1497072355:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15423 Bluboo S1 Project Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Bluboo S1 Project Blueboo S1 Firmware

The Bluboo Bluboo_S1 Android device with a build fingerprint of BLUBOO/Bluboo_S1/Bluboo_S1:7.0/NRD90M/1495809471:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15422 Doogee Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Doogee MIX Firmware

The Doogee Mix Android device with a build fingerprint of DOOGEE/MIX/MIX:7.0/NRD90M/1495809471:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15421 Blackview Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Blackview Bv7000 PRO Firmware

The Blackview BV7000_Pro Android device with a build fingerprint of Blackview/BV7000_Pro/BV7000_Pro:7.0/NRD90M/1493011204:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15420 Blackview Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Blackview Bv9000Pro-F Firmware

The Blackview BV9000Pro-F Android device with a build fingerprint of Blackview/BV9000Pro-F/BV9000Pro-F:7.1.1/N4F26M/1514363110:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15415 MI Externally Controlled Reference TO A Resource in Another Sphere vulnerability in MI Redmi 5 Firmware

The Xiaomi Redmi 5 Android device with a build fingerprint of xiaomi/vince/vince:7.1.2/N2G47H/V9.5.4.0.NEGMIFA:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1711_201803291645) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15393 Asus Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Asus Zenfone Live (L1) Firmware

The Asus ZenFone Live Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys contains a pre-installed app with a package name of com.asus.atd.smmitest app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack.

2.1
2019-11-14 CVE-2019-15392 Asus Unspecified vulnerability in Asus Zenfone 4 Selfie Firmware

The Asus ZenFone 4 Selfie Android device with a build fingerprint of Android/sdm660_64/sdm660_64:8.1.0/OPM1/14.2016.1802.247-20180419:user/release-keys contains a pre-installed app with a package name of com.log.logservice app (versionCode=1, versionName=1) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15391 Asus Unspecified vulnerability in Asus Zenfone 4 Selfie Firmware

The Asus ZenFone 4 Selfie Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_1:8.1.0/OPM1.171019.011/15.0400.1809.405-0:user/release-keys contains a pre-installed app with a package name of com.log.logservice app (versionCode=1, versionName=1) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15390 Haier G8 Project Unspecified vulnerability in Haier G8 Project Haier G8 Firmware

The Haier G8 Android device with a build fingerprint of Haier/HM-G559-FL/G8:8.1.0/O11019/1522294799:user/release-keys contains a pre-installed app with a package name of com.qiku.service.container app (versionCode=5, versionName=1.03.00_VER_32525983298984) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15387 Archos Missing Authorization vulnerability in Archos Core 101 Firmware

The Archos Core 101 Android device with a build fingerprint of archos/MTKAC101CR3G_ARCHOS/ac101cr3g:7.0/NRD90M/20180611.034442:user/release-keys contains a pre-installed app with a package name of com.roco.autogen app (versionCode=1, versionName=1) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.

2.1
2019-11-14 CVE-2019-15386 Lavamobiles Missing Authorization vulnerability in Lavamobiles Z60S Firmware

The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15385 Infinixmobility Unspecified vulnerability in Infinixmobility Note 5 Firmware

The Infinix Note 5 Android device with a build fingerprint of Infinix/H633B/Infinix-X604_sprout:8.1.0/O11019/L-IN-180206V64:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15384 Elephone Unspecified vulnerability in Elephone A4 Firmware

The Elephone A4 Android device with a build fingerprint of Elephone/A4/A4:8.1.0/O11019/20180530.143559:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15383 Allviewmobile Unspecified vulnerability in Allviewmobile Soul X5 Firmware

The Allview X5 Android device with a build fingerprint of ALLVIEW/X5_Soul_Mini/X5_Soul_Mini:8.1.0/O11019/1522468763:userdebug/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15382 Cubot Unspecified vulnerability in Cubot Nova Firmware

The Cubot Nova Android device with a build fingerprint of CUBOT/CUBOT_NOVA/CUBOT_NOVA:8.1.0/O11019/1527060122:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15381 BQ Unspecified vulnerability in BQ 5515L Firmware

The BQ 5515L Android device with a build fingerprint of BQru/BQru-5515L/BQru-5515L:8.1.0/O11019/20180409.195525:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15380 FLY Phone Unspecified vulnerability in Fly-Phone Photo PRO Firmware

The Fly Photo Pro Android device with a build fingerprint of Fly/PhotoPro/Photo_Pro:8.1.0/O11019/1528117003:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15379 Waltonbd Unspecified vulnerability in Waltonbd Primo G3 Firmware

The Walton Primo G3 Android device with a build fingerprint of WALTON/Primo_GM3/Primo_GM3:8.1.0/O11019/1522737198:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15378 Panasonic Unspecified vulnerability in Panasonic Eluga RAY 600 Firmware

The Panasonic Eluga Ray 600 Android device with a build fingerprint of Panasonic/ELUGA_Ray_600/ELUGA_Ray_600:8.1.0/O11019/1532692680:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15377 Cherrymobile Unspecified vulnerability in Cherrymobile Flare S7 Firmware

The Cherry Flare S7 Android device with a build fingerprint of Cherry_Mobile/Flare_S7_Deluxe/Flare_S7_Deluxe:8.1.0/O11019/1533920920:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15376 Panasonic Unspecified vulnerability in Panasonic Eluga RAY 530 Firmware

The Panasonic Eluga Ray 530 Android device with a build fingerprint of Panasonic/ELUGA_Ray_530/ELUGA_Ray_530:8.1.0/O11019/1531828974:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15375 Haier Unspecified vulnerability in Haier G8 Firmware

The Haier G8 Android device with a build fingerprint of Haier/HM-G559-FL/G8:8.1.0/O11019/1522294799:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15374 Lavamobiles Unspecified vulnerability in Lavamobiles Iris 88 Lite Firmware

The Lava Iris 88 Lite Android device with a build fingerprint of LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15373 Symphony Mobile Unspecified vulnerability in Symphony-Mobile I95 Lite Firmware

The Symphony i95 Lite Android device with a build fingerprint of LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15372 Hisense Unspecified vulnerability in Hisense Infinity F17 Firmware

The Hisense F17 Android device with a build fingerprint of Hisense/F17_4G/HS6739MT:8.1.0/O11019/Hisense_F17_4G_00_S01:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15371 Symphony Mobile Unspecified vulnerability in Symphony-Mobile G100 Firmware

The Symphony G100 Android device with a build fingerprint of Symphony/G100/G100:8.1.0/O11019/1530618779:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15370 Haier G8 Project Unspecified vulnerability in Haier G8 Project Haier G8 Firmware

The Haier G8 Android device with a build fingerprint of Haier/HM-G559-FL/G8:8.1.0/O11019/1526527761:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15369 Lavamobiles Unspecified vulnerability in Lavamobiles Z61 Turbo Firmware

The Lava Z61 Turbo Android device with a build fingerprint of LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15368 Coolpad Unspecified vulnerability in Coolpad Mega 5 Firmware

The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15367 Haier P10 Project Unspecified vulnerability in Haier P10 Project Haier P10 Firmware

The Haier P10 Android device with a build fingerprint of Haier/P10/P10:8.1.0/O11019/1532662449:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15366 Infinixmobility Unspecified vulnerability in Infinixmobility Note 5 Firmware

The Infinix Note 5 Android device with a build fingerprint of Infinix/H633IJL/Infinix-X604_sprout:8.1.0/O11019/IJL-180531V181:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15365 Lavamobiles Unspecified vulnerability in Lavamobiles Z92 Firmware

The Lava Z92 Android device with a build fingerprint of LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15364 Dexp Unspecified vulnerability in Dexp Bl250 Firmware

The Dexp BL250 Android device with a build fingerprint of DEXP/BL250/BL250:8.1.0/O11019/1530858027:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15363 Legaoo Unspecified vulnerability in Legaoo Power 5 Firmware

The Leagoo Power 5 Android device with a build fingerprint of LEAGOO/Power_5/Power_5:8.1.0/O11019/1532686195:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15362 Lavamobiles Unspecified vulnerability in Lavamobiles Iris 88 Firmware

The Lava Iris 88 Go Android device with a build fingerprint of LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15361 Infinixmobility Unspecified vulnerability in Infinixmobility Note 5 Firmware

The Infinix Note 5 Android device with a build fingerprint of Infinix/H632C/Infinix-X605_sprout:8.1.0/O11019/CE-180914V59:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15360 Hisense Unspecified vulnerability in Hisense Infinity U965 Firmware

The Hisense U965 Android device with a build fingerprint of Hisense/U965_4G_10/HS6739MT:8.1.0/O11019/Hisense_U965_4G_10_S01:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15359 Haier Unspecified vulnerability in Haier A6 Firmware

The Haier A6 Android device with a build fingerprint of Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15358 Dexp Unspecified vulnerability in Dexp Z250 Firmware

The Dexp Z250 Android device with a build fingerprint of DEXP/Z250/Z250:8.1.0/O11019/1531130719:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15357 Advandigital Unspecified vulnerability in Advandigital I6A Firmware

The Advan i6A Android device with a build fingerprint of ADVAN/i6A/i6A:8.1.0/O11019/1523602705:userdebug/test-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15356 Lavamobiles Unspecified vulnerability in Lavamobiles Flair Z1 Firmware

The Lava Flair Z1 Android device with a build fingerprint of LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15355 Tecno Mobile Unspecified vulnerability in Tecno-Mobile Camon Iclick Firmware

The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15354 Ulefone Unspecified vulnerability in Ulefone Armor 5 Firmware

The Ulefone Armor 5 Android device with a build fingerprint of Ulefone/Ulefone_Armor_5/Ulefone_Armor_5:8.1.0/O11019/1528806701:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15353 Coolpad Unspecified vulnerability in Coolpad N3C Firmware

The Coolpad N3C Android device with a build fingerprint of Coolpad/N3C/N3C:8.1.0/O11019/1538236809:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15352 Coolpad Unspecified vulnerability in Coolpad Mega 5 Firmware

The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.

2.1
2019-11-14 CVE-2019-15340 MI Incorrect Permission Assignment FOR Critical Resource vulnerability in MI Redmi 6 Firmware

The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V9.6.4.0.ODMMIFD:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201805292006) that allows any app co-located on the device to programmatically disable and enable Wi-Fi, Bluetooth, and GPS without the corresponding access permission through an exported interface.

2.1
2019-11-14 CVE-2019-15339 Lavamobiles Incorrect Permission Assignment FOR Critical Resource vulnerability in Lavamobiles Z60S Firmware

The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.

2.1
2019-11-14 CVE-2019-15338 Lavamobiles Incorrect Permission Assignment FOR Critical Resource vulnerability in Lavamobiles Iris 88 Firmware

The Lava Iris 88 Lite Android device with a build fingerprint of LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.

2.1
2019-11-14 CVE-2019-15337 Lavamobiles Incorrect Permission Assignment FOR Critical Resource vulnerability in Lavamobiles Z81 Firmware

The Lava Z81 Android device with a build fingerprint of LAVA/Z81/Z81:8.1.0/O11019/1532317309:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.31) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.

2.1
2019-11-14 CVE-2019-15336 Lavamobiles Incorrect Permission Assignment FOR Critical Resource vulnerability in Lavamobiles Z61 Firmware

The Lava Z61 Turbo Android device with a build fingerprint of LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.31) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.

2.1
2019-11-14 CVE-2019-15335 Lavamobiles Incorrect Permission Assignment FOR Critical Resource vulnerability in Lavamobiles Z92 Firmware

The Lava Z92 Android device with a build fingerprint of LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.

2.1
2019-11-14 CVE-2019-15334 Lavamobiles Incorrect Permission Assignment FOR Critical Resource vulnerability in Lavamobiles Iris 88 Firmware

The Lava Iris 88 Go Android device with a build fingerprint of LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.

2.1
2019-11-14 CVE-2019-15333 Lavamobiles Incorrect Permission Assignment FOR Critical Resource vulnerability in Lavamobiles Flair Z1 Firmware

The Lava Flair Z1 Android device with a build fingerprint of LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.

2.1
2019-11-14 CVE-2019-15332 Lavamobiles Improper Privilege Management vulnerability in Lavamobiles Z61 Firmware

The Lava Z61 Android device with a build fingerprint of LAVA/Z61_2GB/Z61_2GB:8.1.0/O11019/1533889281:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.

2.1
2019-11-14 CVE-2019-18885 Linux Null Pointer Dereference vulnerability in Linux Kernel

fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15.

2.1
2019-11-14 CVE-2011-1490 Rsyslog
Debian
Opensuse
Missing Release of Resource After Effective Lifetime vulnerability in multiple products

A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when multiple rulesets were used and some output batches contained messages belonging to more than one ruleset.

2.1
2019-11-14 CVE-2011-1489 Rsyslog
Opensuse
Debian
Missing Release of Resource After Effective Lifetime vulnerability in multiple products

A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages were logged when multiple rulesets were used and some output batches contained messages belonging to more than one ruleset.

2.1
2019-11-14 CVE-2019-3663 Mcafee Insufficiently Protected Credentials vulnerability in Mcafee Advanced Threat Defense

Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows local attacker to gain access to the root password via accessing sensitive files on the system.

2.1
2019-11-13 CVE-2019-2197 Google Insecure Default Initialization of Resource vulnerability in Google Android

In processPhonebookAccess of CachedBluetoothDevice.java, there is a possible permission bypass due to an insecure default value.

2.1
2019-11-13 CVE-2019-5292 Huawei Unspecified vulnerability in Huawei products

Honor 10 Lite, Honor 8A, Huawei Y6 mobile phones with the versions before 9.1.0.217(C00E215R3P1), the versions before 9.1.0.205(C00E97R1P9), the versions before 9.1.0.205(C00E97R2P2) have an information leak vulnerability.

2.1
2019-11-13 CVE-2019-5231 Huawei Incorrect Authorization vulnerability in Huawei P30 Firmware

P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability.

2.1
2019-11-12 CVE-2010-4177 Oracle
Fedoraproject
Cleartext Transmission of Sensitive Information vulnerability in multiple products

mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.

2.1
2019-11-12 CVE-2010-3292 Mailscanner Missing Encryption of Sensitive Data vulnerability in Mailscanner 4.79.112

The update{_bad,}_phishing_sites scripts in mailscanner 4.79.11-2 downloads files and trusts them without using encryption (e.g., https) or digital signature checking which could allow an attacker to replace certain configuration files (e.g., phishing whitelist) via dns/packet spoofing.

2.1
2019-11-12 CVE-2019-1440 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'.

2.1
2019-11-12 CVE-2019-1436 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'.

2.1
2019-11-12 CVE-2019-1418 Microsoft Information Exposure vulnerability in Microsoft products

An information vulnerability exists when Windows Modules Installer Service improperly discloses file information, aka 'Windows Modules Installer Service Information Disclosure Vulnerability'.

2.1
2019-11-12 CVE-2019-1412 Microsoft Out-Of-Bounds Read vulnerability in Microsoft products

An information disclosure vulnerability exists in Windows Adobe Type Manager Font Driver (ATMFD.dll) when it fails to properly handle objects in memory, aka 'OpenType Font Driver Information Disclosure Vulnerability'.

2.1
2019-11-12 CVE-2019-1409 Microsoft Improper Initialization vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows Remote Procedure Call (RPC) runtime improperly initializes objects in memory, aka 'Windows Remote Procedure Call Information Disclosure Vulnerability'.

2.1
2019-11-12 CVE-2019-1402 Microsoft Information Exposure vulnerability in Microsoft Office and Office 365

An information disclosure vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka 'Microsoft Office Information Disclosure Vulnerability'.

2.1
2019-11-12 CVE-2019-1382 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when ActiveX Installer service may allow access to files without proper authentication, aka 'Microsoft ActiveX Installer Service Elevation of Privilege Vulnerability'.

2.1
2019-11-12 CVE-2019-1381 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows Servicing Stack allows access to unprivileged file locations, aka 'Microsoft Windows Information Disclosure Vulnerability'.

2.1
2019-11-12 CVE-2019-1370 Microsoft Information Exposure vulnerability in Microsoft Open Enclave Software Development KIT

An information disclosure vulnerability exists when affected Open Enclave SDK versions improperly handle objects in memory, aka 'Open Enclave SDK Information Disclosure Vulnerability'.

2.1
2019-11-14 CVE-2011-1488 Rsyslog
Opensuse
Debian
Missing Release of Resource After Effective Lifetime vulnerability in multiple products

A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled.

1.9
2019-11-12 CVE-2019-5213 Huawei Improper Authentication vulnerability in Huawei Honor Play Firmware 9.1.0.333(C00E333R1P1T8)/Cornellal00A9.0.0.156(C00E156R1P13T8)

Honor play smartphones with versions earlier than Cornell-AL00A 9.1.0.321(C00E320R1P1T8) have an insufficient authentication vulnerability.

1.9