Total
1418 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-5864 | 1 Google | 1 Chrome | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
Insufficient data validation in CORS in Google Chrome prior to 76.0.3809.87 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. | |||||
CVE-2020-7955 | 1 Hashicorp | 1 Consul | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. | |||||
CVE-2020-8119 | 1 Nextcloud | 1 Nextcloud Server | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app. | |||||
CVE-2010-3782 | 2 Obs-server, Suse | 2 Obs-server, Linux Enterprise Server | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
obs-server before 1.7.7 allows logins by 'unconfirmed' accounts due to a bug in the REST api implementation. | |||||
CVE-2019-15941 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs. | |||||
CVE-2020-0087 | 1 Google | 1 Android | 2024-02-28 | 1.9 LOW | 5.5 MEDIUM |
In getProcessPss of ActivityManagerService.java, there is a possible side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-127989044 | |||||
CVE-2019-4745 | 1 Ibm | 7 Maximo Asset Management, Maximo For Aviation, Maximo For Life Sciences and 4 more | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
IBM Maximo Asset Management 7.6.1.0 could allow a remote attacker to disclose sensitive information to an authenticated user due to disclosing path information in the URL. IBM X-Force ID: 172883. | |||||
CVE-2019-12648 | 1 Cisco | 6 807 Industrial Integrated Services Routers, 809 Industrial Integrated Services Routers, 829 Industrial Integrated Services Routers and 3 more | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device. The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts. An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials. An exploit could allow the attacker to gain unauthorized access to the Guest OS as a root user. | |||||
CVE-2020-5251 | 1 Parseplatform | 1 Parse-server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way. | |||||
CVE-2019-17190 | 1 Avast | 1 Secure Browser | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the elevated process cleans the ACL of the Update.ini file in %PROGRAMDATA%\Avast Software\Browser\Update\ and sets all privileges to group Everyone. Because any low-privileged user can create, delete, or modify the Update.ini file stored in this location, an attacker with low privileges can create a hard link named Update.ini in this folder, and make it point to a file writable by NT AUTHORITY\SYSTEM. Once AvastBrowserUpdate.exe is triggered by the update check functionality, the DACL is set to a misconfigured value on the crafted Update.ini and, consequently, to the target file that was previously not writable by the low-privileged attacker. | |||||
CVE-2020-2134 | 1 Jenkins | 1 Script Security | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies. | |||||
CVE-2014-0169 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization. Although this is an intended functionality, it was not clearly documented which can mislead users into thinking that a security domain cache is isolated to a single application. | |||||
CVE-2019-5474 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions. | |||||
CVE-2020-9381 | 1 Totaljs | 1 Total.js Cms | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954. | |||||
CVE-2013-4228 | 1 Organic Groups Project | 1 Organic Groups | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via unspecified vectors. | |||||
CVE-2019-13716 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
Insufficient policy enforcement in service workers in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||||
CVE-2019-5533 | 1 Vmware | 1 Sd-wan By Velocloud | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
In VMware SD-WAN by VeloCloud versions 3.x prior to 3.3.0, the VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information of Managed Service Provider accounts. Among the information is username, first and last name, phone numbers and e-mail address if present but no other personal data. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 4.3. | |||||
CVE-2019-12671 | 1 Cisco | 30 4321\/k9-rf Integrated Services Router, 4321\/k9-ws Integrated Services Router, 4321\/k9 Integrated Services Router and 27 more | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to gain shell access on an affected device and execute commands on the underlying operating system (OS). The vulnerability is due to insufficient enforcement of the consent token in authorizing shell access. An attacker could exploit this vulnerability by authenticating to the CLI and requesting shell access on an affected device. A successful exploit could allow the attacker to gain shell access on the affected device and execute commands on the underlying OS. | |||||
CVE-2013-4985 | 1 Vivotek | 6 Ip7160, Ip7160 Firmware, Ip7361 and 3 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Multiple Vivotek IP Cameras remote authentication bypass that could allow access to the video stream | |||||
CVE-2019-7192 | 1 Qnap | 2 Photo Station, Qts | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions. |