Total
7102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-0320 | 1 Microsoft | 4 Windows Server 2003, Windows Server 2008, Windows Vista and 1 more | 2019-02-26 | 4.0 MEDIUM | N/A |
| Microsoft Windows XP, Server 2003 and 2008, and Vista exposes I/O activity measurements of all processes, which allows local users to obtain sensitive information, as demonstrated by reading the I/O Other Bytes column in Task Manager (aka taskmgr.exe) to estimate the number of characters that a different user entered at a runas.exe password prompt, related to a "benchmarking attack." | |||||
| CVE-2014-6355 | 1 Microsoft | 9 Windows 7, Windows 8, Windows 8.1 and 6 more | 2019-02-26 | 5.0 MEDIUM | N/A |
| The Graphics Component in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly process JPEG images, which makes it easier for remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Graphics Component Information Disclosure Vulnerability." | |||||
| CVE-2018-14979 | 1 Asus | 2 Zenfone 3 Max, Zenfone 3 Max Firmware | 2019-02-22 | 1.9 LOW | 4.7 MEDIUM |
| The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). This app contains an exported service app component named com.asus.loguploader.LogUploaderService that, when accessed with a particular action string, will write a bugreport (kernel log, logcat log, and the state of system services including the text of active notifications), Wi-Fi Passwords, and other system data to external storage (sdcard). Any app with the READ_EXTERNAL_STORAGE permission on this device can read this data from the sdcard after it has been dumped there by the com.asus.loguploader. Third-party apps are not allowed to directly create a bugreport or access the user's stored wireless network credentials. | |||||
| CVE-2016-3159 | 4 Debian, Fedoraproject, Oracle and 1 more | 4 Debian Linux, Fedora, Vm Server and 1 more | 2019-02-21 | 1.7 LOW | 3.8 LOW |
| The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076. | |||||
| CVE-2019-7628 | 1 Redhat | 1 Pagure | 2019-02-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.) | |||||
| CVE-2018-15656 | 1 42gears | 1 Suremdm | 2019-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the registration API endpoint in 42Gears SureMDM before 2018-11-27. An attacker can submit a GET request to /api/register/:email, where :email is a base64 encoded e-mail address, to receive confirmation as to whether a user account exists in the system with the specified e-mail address. The request must be made with an "apiKey" value in the "ApiKey" header. | |||||
| CVE-2018-15658 | 1 42gears | 1 Suremdm | 2019-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in 42Gears SureMDM before 2018-11-27. By visiting the page found at /console/ConsolePage/Master.html, an attacker is able to see the markup that would be presented to an authenticated user. This is caused by the session validation occurring after the initial markup is loaded. This results in a list of unprotected API endpoints that disclose call logs, SMS logs, and user-account data. | |||||
| CVE-2018-5497 | 1 Netapp | 1 Clustered Data Ontap | 2019-02-15 | 2.1 LOW | 4.4 MEDIUM |
| Clustered Data ONTAP versions prior to 9.1P16, 9.3P10 and 9.4P5 are susceptible to a vulnerability which discloses sensitive information to an unauthorized user. | |||||
| CVE-2018-15659 | 1 42gears | 1 Suremdm | 2019-02-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in 42Gears SureMDM before 2018-11-27, related to the access policy for Silverlight applications. Cross-origin access is possible. | |||||
| CVE-2018-14986 | 1 Leagoo | 2 Z5c, Z5c Firmware | 2019-02-14 | 5.0 MEDIUM | 7.5 HIGH |
| The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed app with a package name of com.android.messaging (versionCode=1000110, versionName=1.0.001, (android.20170630.092853-0)) containing an exported content provider named com.android.messaging.datamodel.MessagingContentProvider. Any app co-located on the device can read the most recent text message from each conversation. That is, for each phone number where the user has either sent or received a text message from, a zero-permission third-party app can obtain the body of the text message, phone number, name of the contact (if it exists), and a timestamp for the most recent text message of each conversation. As the querying of the vulnerable content provider app component can be performed silently in the background, a malicious app can continuously monitor the content provider to see if the current message in each conversation has changed to obtain new text messages. | |||||
| CVE-2018-14984 | 1 Leagoo | 2 Z5c, Z5c Firmware | 2019-02-14 | 5.0 MEDIUM | 7.5 HIGH |
| The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed app with a package name of com.android.messaging (versionCode=1000110, versionName=1.0.001, (android.20170630.092853-0)) with an exported broadcast receiver app component named com.android.messaging.trackersender.TrackerSender. Any app co-located on the device, even one with no permissions, can send a broadcast intent with certain embedded data to the exported broadcast receiver application component that will result in the programmatic sending of a text message where the phone number and body of the text message is controlled by the attacker. | |||||
| CVE-2018-18334 | 1 Trendmicro | 1 Dr. Safety | 2019-02-13 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the Private Browser of Trend Micro Dr. Safety for Android (Consumer) versions below 3.0.1478 could allow an remote attacker to bypass the Same Origin Policy (SOP) and obtain sensitive information via crafted JavaScript code on vulnerable installations. | |||||
| CVE-2015-6632 | 1 Google | 1 Android | 2019-02-12 | 5.0 MEDIUM | N/A |
| libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows remote attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24346430. | |||||
| CVE-2015-6631 | 1 Google | 1 Android | 2019-02-12 | 5.0 MEDIUM | N/A |
| libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows remote attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24623447. | |||||
| CVE-2015-6630 | 1 Google | 1 Android | 2019-02-12 | 4.3 MEDIUM | N/A |
| SystemUI in Android 5.x before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows attackers to read screenshots and consequently gain privileges via a crafted application, aka internal bug 19121797. | |||||
| CVE-2015-6628 | 1 Google | 1 Android | 2019-02-12 | 5.0 MEDIUM | N/A |
| Media Framework in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24074485. | |||||
| CVE-2015-6626 | 1 Google | 1 Android | 2019-02-12 | 5.0 MEDIUM | N/A |
| libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows remote attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24310423. | |||||
| CVE-2015-6627 | 1 Google | 1 Android | 2019-02-12 | 2.6 LOW | N/A |
| The Audio component in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows remote attackers to obtain sensitive information via a crafted audio file, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24211743. | |||||
| CVE-2015-6622 | 1 Google | 1 Android | 2019-02-12 | 5.0 MEDIUM | N/A |
| The Native Frameworks Library in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23905002. | |||||
| CVE-2015-4334 | 1 Symantec | 1 Proxysg Firmware | 2019-02-12 | 5.0 MEDIUM | N/A |
| The default configuration of SGOS in Blue Coat ProxySG before 6.2.16.5, 6.5 before 6.5.7.1, and 6.6 before 6.6.2.1 forwards authentication challenges from upstream origin content servers (OCS) when used in an explicit proxy deployment, which makes it easier for remote attackers to obtain sensitive information via a 407 (aka Proxy Authentication Required) HTTP status code, as demonstrated when using NTLM authentication. | |||||