Total
3160 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-8217 | 1 Tp-link | 4 C2, C20i, C20i Firmware and 1 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n have too permissive iptables rules, e.g., SNMP is not blocked on any interface. | |||||
| CVE-2017-6622 | 1 Cisco | 1 Prime Collaboration Provisioning | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the web interface for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication and perform command injection with root privileges. The vulnerability is due to missing security constraints in certain HTTP request methods, which could allow access to files via the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. This vulnerability affects Cisco Prime Collaboration Provisioning Software Releases prior to 12.1. Cisco Bug IDs: CSCvc98724. | |||||
| CVE-2017-5985 | 1 Linuxcontainers | 1 Lxc | 2024-02-28 | 2.1 LOW | 3.3 LOW |
| lxc-user-nic in Linux Containers (LXC) allows local users with a lxc-usernet allocation to create network interfaces on the host and choose the name of those interfaces by leveraging lack of netns ownership check. | |||||
| CVE-2017-5930 | 2 Opensuse, Postfixadmin Project | 2 Leap, Postfixadmin | 2024-02-28 | 3.5 LOW | 2.7 LOW |
| The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check. | |||||
| CVE-2017-5180 | 1 Firejail Project | 1 Firejail | 2024-02-28 | 4.6 MEDIUM | 8.8 HIGH |
| Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option. | |||||
| CVE-2017-6564 | 1 Franklinfueling | 2 Ts-550 Evo, Ts-550 Evo Firmware | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest user, which contains the lowest privileges, can post to the idSourceFileName parameter found within the /download directory. This ability allows for an attacker to download sensitive system files from the host machine such as databases which contain information that can aid in further attacks. | |||||
| CVE-2017-7622 | 1 Deepin | 1 Deepin Desktop Environment | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| dde-daemon, the daemon process of DDE (Deepin Desktop Environment) 15.0 through 15.3, runs with root privileges and hardly does anything to identify the user who calls the function through D-Bus. Anybody can change the grub config, even to append some arguments to make a backdoor or privilege escalation, by calling DoWriteGrubSettings() provided by dde-daemon. | |||||
| CVE-2017-0554 | 1 Google | 1 Android | 2024-02-28 | 6.8 MEDIUM | 7.8 HIGH |
| An elevation of privilege vulnerability in the Telephony component could enable a local malicious application to access capabilities outside of its permission levels. This issue is rated as Moderate because it could be used to gain access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33815946. | |||||
| CVE-2017-6635 | 1 Cisco | 1 Prime Collaboration Provisioning | 2024-02-28 | 6.8 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web interface of Cisco Prime Collaboration Provisioning Software (prior to Release 12.1) could allow an authenticated, remote attacker to delete any file from an affected system. The vulnerability exists because the affected software does not perform proper input validation of HTTP requests and fails to apply role-based access controls (RBACs) to requested HTTP URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request that uses directory traversal techniques to submit a path to a desired file location on an affected system. A successful exploit could allow the attacker to delete any file from the system. Cisco Bug IDs: CSCvc99597. | |||||
| CVE-2017-3813 | 1 Cisco | 1 Anyconnect Secure Mobility Client | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the Start Before Logon (SBL) module of Cisco AnyConnect Secure Mobility Client Software for Windows could allow an unauthenticated, local attacker to open Internet Explorer with the privileges of the SYSTEM user. The vulnerability is due to insufficient implementation of the access controls. An attacker could exploit this vulnerability by opening the Internet Explorer browser. An exploit could allow the attacker to use Internet Explorer with the privileges of the SYSTEM user. This may allow the attacker to execute privileged commands on the targeted system. This vulnerability affects versions prior to released versions 4.4.00243 and later and 4.3.05017 and later. Cisco Bug IDs: CSCvc43976. | |||||
| CVE-2017-6598 | 1 Cisco | 2 Firepower Extensible Operating System, Unified Computing System | 2024-02-28 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the debug plug-in functionality of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to execute arbitrary commands, aka Privilege Escalation. More Information: CSCvb86725 CSCvb86797. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.105) 92.1(1.1733) 2.1(1.69). | |||||
| CVE-2017-5136 | 1 Sendquick | 4 Avera Sms Gateway, Avera Sms Gateway Firmware, Entera Sms Gateway and 1 more | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered on SendQuick Entera and Avera devices before 2HF16. The application failed to check the access control of the request which could result in an attacker being able to shutdown the system. | |||||
| CVE-2017-6565 | 1 Franklinfueling | 2 Ts-550 Evo, Ts-550 Evo Firmware | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the roleDiag user, which can be obtained by exploiting CVE-2013-7247, has the ability to upload files to the server hosting the web service. As no sanitization checks are in place, an attacker can upload a malicious payload. | |||||
| CVE-2015-8840 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215. | |||||
| CVE-2015-0571 | 1 Linux | 1 Linux Kernel | 2024-02-28 | 9.3 HIGH | 7.8 HIGH |
| The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify authorization for private SET IOCTL calls, which allows attackers to gain privileges via a crafted application, related to wlan_hdd_hostapd.c and wlan_hdd_wext.c. | |||||
| CVE-2012-4245 | 1 Gimp | 1 Gimp | 2024-02-28 | 6.8 MEDIUM | N/A |
| The scriptfu network server in GIMP 2.6 does not require authentication, which allows remote attackers to execute arbitrary commands via the python-fu-eval command. | |||||
| CVE-2008-6548 | 1 Moinmo | 1 Moinmoin | 2024-02-28 | 5.0 MEDIUM | N/A |
| The rst parser (parser/text_rst.py) in MoinMoin 1.6.1 does not check the ACL of an included page, which allows attackers to read unauthorized include files via unknown vectors. | |||||
| CVE-2009-2282 | 1 Oracle | 2 Opensolaris, Solaris | 2024-02-28 | 4.6 MEDIUM | N/A |
| The Virtual Network Terminal Server daemon (vntsd) for Logical Domains (aka LDoms) in Sun Solaris 10, and OpenSolaris snv_41 through snv_108, on SPARC platforms does not check authorization for guest console access, which allows local control-domain users to gain guest-domain privileges via unknown vectors. | |||||
| CVE-2009-3168 | 1 Mevin | 1 Basic Php Events Lister | 2024-02-28 | 6.5 MEDIUM | N/A |
| Mevin Productions Basic PHP Events Lister 2.0 does not properly restrict access to (1) admin/reset.php and (2) admin/user_add.php, which allows remote authenticated users to reset administrative passwords or add administrators via a direct request. | |||||
| CVE-2009-3781 | 1 Quicksketch | 1 Filefield | 2024-02-28 | 7.5 HIGH | N/A |
| The filefield_file_download function in FileField 6.x-3.1, a module for Drupal, does not properly check node-access permissions for Drupal core private files, which allows remote attackers to access unauthorized files via unspecified vectors. | |||||