Vulnerabilities (CVE)

Filtered by CWE-862
Total 3177 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-16566 1 Jenkins 1 Team Concert 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-16547 1 Jenkins 1 Google Compute Engine 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment.
CVE-2019-16236 4 Canonical, Debian, Dino and 1 more 4 Ubuntu Linux, Debian Linux, Dino and 1 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
Dino before 2019-09-10 does not check roster push authorization in module/roster/module.vala.
CVE-2019-16124 1 Youphptube 1 Youphptube 2024-11-21 7.5 HIGH 9.8 CRITICAL
In YouPHPTube 7.4, the file install/checkConfiguration.php has no access control, which leads to everyone being able to edit the configuration file, and insert malicious PHP code.
CVE-2019-16097 1 Linuxfoundation 1 Harbor 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
CVE-2019-15998 1 Cisco 8 Asr 9001, Asr 9006, Asr 9010 and 5 more 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
A vulnerability in the access-control logic of the NETCONF over Secure Shell (SSH) of Cisco IOS XR Software may allow connections despite an access control list (ACL) that is configured to deny access to the NETCONF over SSH of an affected device. The vulnerability is due to a missing check in the NETCONF over SSH access control list (ACL). An attacker could exploit this vulnerability by connecting to an affected device using NETCONF over SSH. A successful exploit could allow the attacker to connect to the device on the NETCONF port. Valid credentials are required to access the device. This vulnerability does not affect connections to the default SSH process on the device.
CVE-2019-15954 1 Totaljs 1 Total.js Cms 2024-11-21 9.0 HIGH 9.9 CRITICAL
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>
CVE-2019-15953 1 Totaljs 1 Total.js Cms 2024-11-21 6.5 MEDIUM 8.8 HIGH
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests. This leads to vertical and horizontal privilege escalation.
CVE-2019-15932 1 Intesync 1 Solismed 2024-11-21 7.5 HIGH 9.8 CRITICAL
Intesync Solismed 3.3sp has Incorrect Access Control.
CVE-2019-15877 1 Freebsd 1 Freebsd 2024-11-21 2.1 LOW 5.5 MEDIUM
In FreeBSD 12.1-STABLE before r356606 and 12.1-RELEASE before 12.1-RELEASE-p3, driver specific ioctl command handlers in the ixl network driver failed to check whether the caller has sufficient privileges allowing unprivileged users to trigger updates to the device's non-volatile memory.
CVE-2019-15876 1 Freebsd 1 Freebsd 2024-11-21 2.1 LOW 5.5 MEDIUM
In FreeBSD 12.1-STABLE before r356089, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r356090, and 11.3-RELEASE before 11.3-RELEASE-p7, driver specific ioctl command handlers in the oce network driver failed to check whether the caller has sufficient privileges allowing unprivileged users to send passthrough commands to the device firmware.
CVE-2019-15871 1 Wpbrigade 1 Loginpress 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
The LoginPress plugin before 1.1.4 for WordPress has no capability check for updates to settings.
CVE-2019-15850 1 Eq-3 2 Homematic Ccu3, Homematic Ccu3 Firmware 2024-11-21 9.0 HIGH 8.8 HIGH
eQ-3 HomeMatic CCU3 firmware version 3.41.11 allows Remote Code Execution in the ReGa.runScript method. An authenticated attacker can easily execute code and compromise the system.
CVE-2019-15723 1 Gitlab 1 Gitlab 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in GitLab Community and Enterprise Edition 11.9.x and 11.10.x before 11.10.1. Merge requests created by email could be used to bypass push rules in certain situations.
CVE-2019-15648 1 Elearningfreak 1 Insert Or Embed Articulate Content 2024-11-21 5.5 MEDIUM 6.5 MEDIUM
The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber.
CVE-2019-15576 1 Gitlab 1 Gitlab 2024-11-21 5.0 MEDIUM 7.5 HIGH
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint.
CVE-2019-15387 1 Archos 2 Core 101, Core 101 Firmware 2024-11-21 2.1 LOW 3.3 LOW
The Archos Core 101 Android device with a build fingerprint of archos/MTKAC101CR3G_ARCHOS/ac101cr3g:7.0/NRD90M/20180611.034442:user/release-keys contains a pre-installed app with a package name of com.roco.autogen app (versionCode=1, versionName=1) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
CVE-2019-15386 1 Lavamobiles 2 Z60s, Z60s Firmware 2024-11-21 2.1 LOW 5.5 MEDIUM
The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15136 1 Eprosima 1 Fast-rtps 2024-11-21 5.0 MEDIUM 7.5 HIGH
The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition.
CVE-2019-15030 4 Canonical, Linux, Opensuse and 1 more 4 Ubuntu Linux, Linux Kernel, Leap and 1 more 2024-11-21 3.6 LOW 4.4 MEDIUM
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check.