Total
2641 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-20501 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 6.5 MEDIUM | 6.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | |||||
| CVE-2019-15005 | 1 Atlassian | 8 Bamboo, Bitbucket, Confluence and 5 more | 2019-11-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2. | |||||
| CVE-2019-6121 | 1 Nicehash | 1 Miner | 2019-11-08 | 4.3 MEDIUM | 3.7 LOW |
| An issue was discovered in NiceHash Miner before 2.0.3.0. Missing Authorization allows an adversary to can gain access to a miner's information about such as his recent payments, unclaimed Balance, Old Balance (at the time of December 2017 breach) , Projected payout, Mining stats like profitability, Efficiency, Number of workers, etc.. A valid Email address is required in order to retrieve this Information. | |||||
| CVE-2019-18674 | 1 Joomla | 1 Joomla\! | 2019-11-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Joomla! before 3.9.13. A missing access check in the phputf8 mapping files could lead to a path disclosure. | |||||
| CVE-2019-5095 | 1 Tempo | 1 Tempo | 2019-11-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue summary information disclosure vulnerability exists in Atlassian Jira Tempo plugin, version 4.10.0. Authenticated users can obtain the summary for issues they do not have permission to view via the Tempo plugin. | |||||
| CVE-2019-0367 | 1 Sap | 1 Netweaver Process Integration | 2019-10-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that leads to Missing Authorization Check. | |||||
| CVE-2018-2419 | 1 Sap | 3 Ea-finserv, S4core, Sapscore | 2019-10-09 | 5.5 MEDIUM | 4.6 MEDIUM |
| SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2413 | 1 Sap | 1 Disclosure Management | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-2412 | 1 Sap | 1 Disclosure Management | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2018-18996 | 1 Lcds | 1 Laquis Scada | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| LCDS Laquis SCADA prior to version 4.1.0.4150 allows taking in user input without proper authorization or sanitation, which may allow an attacker to execute remote code on the server. | |||||
| CVE-2018-0336 | 1 Cisco | 1 Prime Collaboration | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in the batch provisioning feature of Cisco Prime Collaboration Provisioning could allow an authenticated, remote attacker to escalate privileges to the Administrator level. The vulnerability is due to insufficient authorization enforcement on batch processing. An attacker could exploit this vulnerability by uploading a batch file and having the batch file processed by the system. A successful exploit could allow the attacker to escalate privileges to the Administrator level. Cisco Bug IDs: CSCvd86578. | |||||
| CVE-2018-0322 | 1 Cisco | 2 Prime Collaboration, Prime Collaboration Provisioning | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in the web management interface of Cisco Prime Collaboration Provisioning (PCP) could allow an authenticated, remote attacker to modify sensitive data that is associated with arbitrary accounts on an affected device. The vulnerability is due to a failure to enforce access restrictions on the Help Desk and User Provisioning roles that are assigned to authenticated users. This failure could allow an authenticated attacker to modify critical attributes of higher-privileged accounts on the device. A successful exploit could allow the attacker to gain elevated privileges on the device. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.1 and prior. Cisco Bug IDs: CSCvd61779. | |||||
| CVE-2018-0317 | 1 Cisco | 2 Prime Collaboration, Prime Collaboration Provisioning | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in the web interface of Cisco Prime Collaboration Provisioning (PCP) could allow an authenticated, remote attacker to escalate their privileges. The vulnerability is due to insufficient web portal access control checks. An attacker could exploit this vulnerability by modifying an access request. An exploit could allow the attacker to promote their account to any role defined on the system. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.2 and prior. Cisco Bug IDs: CSCvc90286. | |||||
| CVE-2018-0092 | 1 Cisco | 20 Nexus 92160yc Switch, Nexus 92300yc Switch, Nexus 92304qc Switch and 17 more | 2019-10-09 | 3.6 LOW | 7.1 HIGH |
| A vulnerability in the network-operator user role implementation for Cisco NX-OS System Software could allow an authenticated, local attacker to improperly delete valid user accounts. The network-operator role should not be able to delete other configured users on the device. The vulnerability is due to a lack of proper role-based access control (RBAC) checks for the actions that a user with the network-operator role is allowed to perform. An attacker could exploit this vulnerability by authenticating to the device with user credentials that give that user the network-operator role. Successful exploitation could allow the attacker to impact the integrity of the device by deleting configured user credentials. The attacker would need valid user credentials for the device. This vulnerability affects the following Cisco products running Cisco NX-OS System Software: Nexus 3000 Series Switches, Nexus 3600 Platform Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCvg21120. | |||||
| CVE-2017-9513 | 1 Atlassian | 1 Activity Streams | 2019-10-09 | 5.5 MEDIUM | 5.4 MEDIUM |
| Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks. | |||||
| CVE-2017-7914 | 1 Rockwellautomation | 2 Panelview Plus 6 700-1500, Panelview Plus 6 700-1500 Firmware | 2019-10-09 | 7.5 HIGH | 8.6 HIGH |
| A Missing Authorization issue was discovered in Rockwell Automation PanelView Plus 6 700-1500 6.00.04, 6.00.05, 6.00.42, 6.00-20140306, 6.10.20121012, 6.10-20140122, 7.00-20121012, 7.00-20130108, 7.00-20130325, 7.00-20130619, 7.00-20140128, 7.00-20140310, 7.00-20140429, 7.00-20140621, 7.00-20140729, 7.00-20141022, 8.00-20140730, and 8.00-20141023. There is no authorization check when connecting to the device, allowing an attacker remote access. | |||||
| CVE-2017-7530 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs). | |||||
| CVE-2017-2652 | 1 Jenkins | 1 Distributed Fork | 2019-10-09 | 9.0 HIGH | 8.8 HIGH |
| It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes. | |||||
| CVE-2017-18035 | 1 Atlassian | 2 Crucible, Fisheye | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it. | |||||
| CVE-2019-9377 | 1 Google | 1 Android | 2019-10-07 | 2.1 LOW | 3.3 LOW |
| In FingerprintService, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check. This could lead to a local information disclosure of metadata about the biometrics of another user on the device with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-128599663 | |||||