CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 2 and 2.99)

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2251 CVE-2019-15359 2019-11-14 2020-08-24
2.1
None Local Low Not required None Partial None
The Haier A6 Android device with a build fingerprint of Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
2252 CVE-2019-15358 2019-11-14 2020-08-24
2.1
None Local Low Not required None Partial None
The Dexp Z250 Android device with a build fingerprint of DEXP/Z250/Z250:8.1.0/O11019/1531130719:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
2253 CVE-2019-15357 2019-11-14 2020-08-24
2.1
None Local Low Not required None Partial None
The Advan i6A Android device with a build fingerprint of ADVAN/i6A/i6A:8.1.0/O11019/1523602705:userdebug/test-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
2254 CVE-2019-15356 2019-11-14 2020-08-24
2.1
None Local Low Not required None Partial None
The Lava Flair Z1 Android device with a build fingerprint of LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
2255 CVE-2019-15355 2019-11-14 2020-08-24
2.1
None Local Low Not required None Partial None
The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
2256 CVE-2019-15354 2019-11-14 2020-08-24
2.1
None Local Low Not required None Partial None
The Ulefone Armor 5 Android device with a build fingerprint of Ulefone/Ulefone_Armor_5/Ulefone_Armor_5:8.1.0/O11019/1528806701:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
2257 CVE-2019-15353 2019-11-14 2020-08-24
2.1
None Local Low Not required None Partial None
The Coolpad N3C Android device with a build fingerprint of Coolpad/N3C/N3C:8.1.0/O11019/1538236809:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
2258 CVE-2019-15352 2019-11-14 2020-08-24
2.1
None Local Low Not required None Partial None
The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
2259 CVE-2019-15340 732 2019-11-14 2019-11-25
2.1
None Local Low Not required None Partial None
The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V9.6.4.0.ODMMIFD:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201805292006) that allows any app co-located on the device to programmatically disable and enable Wi-Fi, Bluetooth, and GPS without the corresponding access permission through an exported interface.
2260 CVE-2019-15339 732 2019-11-14 2019-11-25
2.1
None Local Low Not required None Partial None
The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
2261 CVE-2019-15338 732 2019-11-14 2019-11-22
2.1
None Local Low Not required None Partial None
The Lava Iris 88 Lite Android device with a build fingerprint of LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
2262 CVE-2019-15337 732 2019-11-14 2019-11-22
2.1
None Local Low Not required None Partial None
The Lava Z81 Android device with a build fingerprint of LAVA/Z81/Z81:8.1.0/O11019/1532317309:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.31) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
2263 CVE-2019-15336 732 2019-11-14 2019-11-22
2.1
None Local Low Not required None Partial None
The Lava Z61 Turbo Android device with a build fingerprint of LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.31) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
2264 CVE-2019-15335 732 2019-11-14 2019-11-22
2.1
None Local Low Not required None Partial None
The Lava Z92 Android device with a build fingerprint of LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
2265 CVE-2019-15334 732 2019-11-14 2019-11-22
2.1
None Local Low Not required None Partial None
The Lava Iris 88 Go Android device with a build fingerprint of LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
2266 CVE-2019-15333 732 2019-11-14 2019-11-22
2.1
None Local Low Not required None Partial None
The Lava Flair Z1 Android device with a build fingerprint of LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
2267 CVE-2019-15332 269 2019-11-14 2020-08-24
2.1
None Local Low Not required None Partial None
The Lava Z61 Android device with a build fingerprint of LAVA/Z61_2GB/Z61_2GB:8.1.0/O11019/1533889281:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
2268 CVE-2019-15266 22 Dir. Trav. 2019-10-16 2019-10-22
2.1
None Local Low Not required Partial None None
A vulnerability in the CLI of Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, local attacker to view system files that should be restricted. This vulnerability is due to improper sanitization of user-supplied input in command-line parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. A successful exploit could allow the attacker to view system files that may contain sensitive information.
2269 CVE-2019-15265 20 DoS 2019-10-16 2019-10-22
2.1
None Local Low Not required None None Partial
A vulnerability in the bridge protocol data unit (BPDU) forwarding functionality of Cisco Aironet Access Points (APs) could allow an unauthenticated, adjacent attacker to cause an AP port to go into an error disabled state. The vulnerability occurs because BPDUs received from specific wireless clients are forwarded incorrectly. An attacker could exploit this vulnerability on the wireless network by sending a steady stream of crafted BPDU frames. A successful exploit could allow the attacker to cause a limited denial of service (DoS) attack because an AP port could go offline.
2270 CVE-2019-15126 367 2020-02-05 2020-08-11
2.9
None Local Network Medium Not required Partial None None
An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.
2271 CVE-2019-14939 200 +Info 2019-08-12 2021-07-21
2.1
None Local Low Not required Partial None None
An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default.
2272 CVE-2019-14907 125 2020-01-21 2021-05-29
2.6
None Remote High Not required None None Partial
All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process (such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless).
2273 CVE-2019-14890 312 2019-11-26 2019-12-17
2.1
None Local Low Not required Partial None None
A vulnerability was found in Ansible Tower before 3.6.1 where an attacker with low privilege could retrieve usernames and passwords credentials from the new RHSM saved in plain text into the database at '/api/v2/config' when applying the Ansible Tower license.
2274 CVE-2019-14858 532 2019-10-14 2019-10-24
2.1
None Local Low Not required Partial None None
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
2275 CVE-2019-14850 406 DoS 2021-03-18 2021-03-24
2.6
None Remote High Not required None None Partial
A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side.
2276 CVE-2019-14846 532 2019-10-08 2021-08-07
2.1
None Local Low Not required Partial None None
In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
2277 CVE-2019-14845 494 Bypass 2019-10-08 2019-12-11
2.9
None Local Network Medium Not required None Partial None
A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. Builds that extract source from a container image, bypass the TLS hostname verification. An attacker can take advantage of this flaw by launching a man-in-the-middle attack and injecting malicious content.
2278 CVE-2019-14826 613 2019-09-17 2019-10-09
2.1
None Local Low Not required Partial None None
A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.
2279 CVE-2019-14783 2019-08-08 2020-08-24
2.1
None Local Low Not required None Partial None
On Samsung mobile devices with N(7.x), and O(8.x), P(9.0) software, FotaAgent allows a malicious application to create privileged files. The Samsung ID is SVE-2019-14764.
2280 CVE-2019-14713 2020-10-23 2020-10-28
2.1
None Local Low Not required None Partial None
Verifone MX900 series Pinpad Payment Terminals with OS 30251000 allow installation of unsigned packages.
2281 CVE-2019-14671 200 +Info 2019-08-05 2021-07-21
2.1
None Local Low Not required Partial None None
Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attacker can enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints_url to import/job/configuration, and import/create/fints.
2282 CVE-2019-14630 200 +Info 2020-08-13 2021-07-21
2.1
None Local Low Not required Partial None None
Reliance on untrusted inputs in a security decision in some Intel(R) Thunderbolt(TM) controllers may allow unauthenticated user to potentially enable information disclosure via physical access.
2283 CVE-2019-14629 732 2020-01-17 2020-08-24
2.1
None Local Low Not required Partial None None
Improper permissions in Intel(R) DAAL before version 2020 Gold may allow an authenticated user to potentially enable information disclosure via local access.
2284 CVE-2019-14625 DoS 2020-03-12 2020-03-17
2.1
None Local Low Not required None None Partial
Improper access control in on-card storage for the Intel® FPGA Programmable Acceleration Card N3000, all versions, may allow a privileged user to potentially enable denial of service via local access.
2285 CVE-2019-14604 476 DoS 2019-12-16 2019-12-23
2.1
None Local Low Not required None None Partial
Null pointer dereference in the FPGA kernel driver for Intel(R) Quartus(R) Prime Pro Edition before version 19.3 may allow an authenticated user to potentially enable denial of service via local access.
2286 CVE-2019-14596 DoS 2020-01-17 2020-08-24
2.1
None Local Low Not required None None Partial
Improper access control in the installer for Intel(R) Chipset Device Software INF Utility before version 10.1.18 may allow an authenticated user to potentially enable denial of service via local access.
2287 CVE-2019-14591 20 DoS 2019-11-14 2020-03-20
2.1
None Local Low Not required None None Partial
Improper input validation in the API for Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable denial of service via local access.
2288 CVE-2019-14590 2019-11-14 2020-08-24
2.1
None Local Low Not required Partial None None
Improper access control in the API for the Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable information disclosure via local access.
2289 CVE-2019-14574 125 DoS 2019-11-14 2020-03-20
2.1
None Local Low Not required None None Partial
Out of bounds read in a subsystem for Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable denial of service via local access.
2290 CVE-2019-14562 190 DoS Overflow 2020-11-23 2021-04-29
2.1
None Local Low Not required None None Partial
Integer overflow in DxeImageVerificationHandler() EDK II may allow an authenticated user to potentially enable denial of service via local access.
2291 CVE-2019-14558 DoS 2020-10-05 2021-04-29
2.7
None Local Network Low ??? None None Partial
Insufficient control flow management in BIOS firmware for 8th, 9th, 10th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 & 5000 Series Processors may allow an authenticated user to potentially enable denial of service via adjacent access.
2292 CVE-2019-14556 665 DoS 2020-10-05 2020-10-13
2.1
None Local Low Not required None None Partial
Improper initialization in BIOS firmware for 8th, 9th, 10th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 & 5000 Series Processors may allow a privileged user to potentially enable denial of service via local access.
2293 CVE-2019-14477 522 2020-12-16 2020-12-17
2.1
None Local Low Not required Partial None None
AdRem NetCrunch 10.6.0.4587 has Improper Credential Storage since the internal user database is readable by low-privileged users and passwords in the database are weakly encoded or encrypted.
2294 CVE-2019-14414 2019-07-30 2020-08-24
2.1
None Local Low Not required None Partial None
In cPanel before 78.0.2, a Userdata cache temporary file can conflict with domains (SEC-478).
2295 CVE-2019-14412 134 2019-07-30 2019-07-30
2.1
None Local Low Not required None Partial None
Maketext in cPanel before 78.0.2 allows format-string injection in the DCV check_domains_via_dns UAPI (SEC-474).
2296 CVE-2019-14410 134 2019-07-30 2019-07-30
2.1
None Local Low Not required None Partial None
Maketext in cPanel before 78.0.2 allows format-string injection in the Email store_filter UAPI (SEC-472).
2297 CVE-2019-14409 200 +Info 2019-07-30 2021-07-21
2.1
None Local Low Not required Partial None None
cPanel before 78.0.2 allows arbitrary file-read operations via Passenger adminbin (SEC-466).
2298 CVE-2019-14402 2019-07-30 2020-08-24
2.1
None Local Low Not required None Partial None
cPanel before 78.0.18 unsafely determines terminal capabilities by using infocmp (SEC-481).
2299 CVE-2019-14396 2019-07-30 2020-08-24
2.1
None Local Low Not required None Partial None
API Analytics adminbin in cPanel before 80.0.5 allows spoofed insertions of log data (SEC-495).
2300 CVE-2019-14395 200 +Info 2019-07-30 2021-07-21
2.1
None Local Low Not required Partial None None
cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494).