Total
6955 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20646 | 1 Netgear | 2 Rax40, Rax40 Firmware | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| NETGEAR RAX40 devices before 1.0.3.64 are affected by disclosure of administrative credentials. | |||||
| CVE-2019-6206 | 1 Apple | 1 Iphone Os | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue existed with autofill resuming after it was canceled. The issue was addressed with improved state management. This issue is fixed in iOS 12.1.3. Password autofill may fill in passwords after they were manually cleared. | |||||
| CVE-2019-9126 | 1 D-link | 2 Dir-825 Rev.b, Dir-825 Rev.b Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. There is an information disclosure vulnerability via requests for the router_info.xml document. This will reveal the PIN code, MAC address, routing table, firmware version, update time, QOS information, LAN information, and WLAN information of the device. | |||||
| CVE-2018-20483 | 1 Gnu | 1 Wget | 2020-08-24 | 2.1 LOW | 7.8 HIGH |
| set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl. | |||||
| CVE-2019-14666 | 1 Glpi-project | 1 Glpi | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes. | |||||
| CVE-2019-3615 | 1 Mcafee | 1 Database Security | 2020-08-24 | 2.1 LOW | 6.8 MEDIUM |
| Data Leakage Attacks vulnerability in the web interface in McAfee Database Security prior to the 4.6.6 March 2019 update allows local users to expose passwords via incorrectly auto completing password fields in the admin browser login screen. | |||||
| CVE-2018-18941 | 1 Vignette | 1 Content Management | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| In Vignette Content Management version 6, it is possible to gain remote access to administrator privileges by discovering the admin password in the vgn/ccb/user/mgmt/user/edit/0,1628,0,00.html?uid=admin HTML source code, and then creating a privileged user account. NOTE: this product is discontinued. | |||||
| CVE-2019-19007 | 1 Intelbras | 2 Iwr 3000n, Iwr 3000n Firmware | 2020-08-24 | 9.0 HIGH | 7.2 HIGH |
| Intelbras IWR 3000N 1.8.7 devices allow disclosure of the administrator login name and password because v1/system/user is mishandled, a related issue to CVE-2019-17600. | |||||
| CVE-2019-1019 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2020-08-24 | 6.0 MEDIUM | 8.5 HIGH |
| A security feature bypass vulnerability exists where a NETLOGON message is able to obtain the session key and sign messages.To exploit this vulnerability, an attacker could send a specially crafted authentication request, aka 'Microsoft Windows Security Feature Bypass Vulnerability'. | |||||
| CVE-2019-11633 | 1 Honeypress Project | 1 Honeypress | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| HoneyPress through 2016-09-27 can be fingerprinted by attackers because of the ingrained unique www.atxsec.com and ayylmao.wpengine.com hostnames within the fake WordPress templates. This allows attackers to discover and avoid this honeypot system. | |||||
| CVE-2018-20371 | 1 Photorange Photo Vault Project | 1 Photorange Photo Vault | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers to bypass intended GET restrictions via a brute-force approach, as demonstrated by "GET /login.html__passwd1" and "GET /login.html__passwd2" and so on. | |||||
| CVE-2018-10946 | 1 Polycom | 2 Realpresence Debut, Realpresence Debut Firmware | 2020-08-24 | 2.7 LOW | 6.8 MEDIUM |
| An issue was discovered in versions earlier than 1.3.0-66872 for Polycom RealPresence Debut that allows attackers to arbitrarily read the admin user's password via the admin web UI. | |||||
| CVE-2018-11215 | 1 Cloudera | 1 Data Science Workbench | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Remote code execution is possible in Cloudera Data Science Workbench version 1.3.0 and prior releases via unspecified attack vectors. | |||||
| CVE-2019-1470 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2020-08-24 | 4.0 MEDIUM | 6.0 MEDIUM |
| An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Information Disclosure Vulnerability'. | |||||
| CVE-2019-15085 | 1 Prise | 1 Adas | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in PRiSE adAS 1.7.0. The current database password is embedded in the change password form. | |||||
| CVE-2019-16285 | 1 Hp | 1 Thinpro Linux | 2020-08-24 | 2.1 LOW | 4.6 MEDIUM |
| If a local user has been configured and logged in, an unauthenticated attacker with physical access may be able to extract sensitive information onto a local drive. | |||||
| CVE-2018-18467 | 1 Conversations | 1 Conversations | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Daniel Gultsch Conversations 2.3.4. It is possible to spoof a custom message to an existing opened conversation by sending an intent. | |||||
| CVE-2019-15859 | 1 Socomec | 2 Diris A-40, Diris A-40 Firmware | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| Password disclosure in the web interface on socomec DIRIS A-40 devices before 48250501 allows a remote attacker to get full access to a device via the /password.jsn URI. | |||||
| CVE-2019-19631 | 1 Bigswitch | 3 Big Cloud Fabric, Big Monitoring Fabric, Multi-cloud Director | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Big Switch Big Monitoring Fabric 6.2 through 6.2.4, 6.3 through 6.3.9, 7.0 through 7.0.3, and 7.1 through 7.1.3; Big Cloud Fabric 4.5 through 4.5.5, 4.7 through 4.7.7, 5.0 through 5.0.1, and 5.1 through 5.1.4; and Multi-Cloud Director through 1.1.0. A read-only user can access sensitive information via an API endpoint that reveals session cookies of authenticated administrators, leading to privilege escalation. | |||||
| CVE-2018-1337 | 1 Apache | 1 Directory Ldap Api | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request). | |||||