Total
1628 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-18819 | 1 Mitel | 2 Micollab, Mivoice Business Express | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creation of unauthorized chat sessions, due to insufficient access controls. A successful exploit could allow execution of arbitrary commands. | |||||
CVE-2018-18815 | 1 Tibco | 3 Jasperreports Server, Jaspersoft, Jaspersoft Reporting And Analytics | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability that theoretically allows unauthenticated users to bypass authorization checks for portions of the HTTP interface to the JasperReports Server. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0. | |||||
CVE-2018-18397 | 3 Canonical, Linux, Redhat | 10 Ubuntu Linux, Linux Kernel, Enterprise Linux Desktop and 7 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c. | |||||
CVE-2018-17950 | 1 Microfocus | 1 Edirectory | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Incorrect enforcement of authorization checks in eDirectory prior to 9.1 SP2 | |||||
CVE-2018-17857 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue was discovered in Joomla! before 3.8.13. Inadequate checks on the tags search fields can lead to an access level violation. | |||||
CVE-2018-17195 | 1 Apache | 1 Nifi | 2024-11-21 | 5.1 MEDIUM | 7.5 HIGH |
The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | |||||
CVE-2018-16620 | 1 Sonatype | 1 Nexus Repository Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Sonatype Nexus Repository Manager before 3.14 has Incorrect Access Control. | |||||
CVE-2018-16597 | 3 Linux, Netapp, Opensuse | 4 Linux Kernel, Active Iq Performance Analytics Services, Element Software and 1 more | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
An issue was discovered in the Linux kernel before 4.8. Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem. | |||||
CVE-2018-15774 | 1 Dell | 3 Idrac7 Firmware, Idrac8 Firmware, Idrac9 Firmware | 2024-11-21 | 6.5 MEDIUM | 3.8 LOW |
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access. | |||||
CVE-2018-15767 | 1 Dell | 1 Openmanage Network Manager | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
The Dell OpenManage Network Manager virtual appliance versions prior to 6.5.3 contain an improper authorization vulnerability caused by a misconfiguration in the /etc/sudoers file. | |||||
CVE-2018-15754 | 1 Pivotal Software | 1 Cloud Foundry Uaa-release | 2024-11-21 | 4.0 MEDIUM | 4.2 MEDIUM |
Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider. | |||||
CVE-2018-15693 | 1 Inova-software | 1 Inova Partner | 2024-11-21 | 3.5 LOW | 6.4 MEDIUM |
Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass via insecure direct object reference. | |||||
CVE-2018-15692 | 1 Inova-software | 1 Inova Partner | 2024-11-21 | 3.5 LOW | 6.4 MEDIUM |
Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass and data manipulation in certain functions. | |||||
CVE-2018-15640 | 1 Odoo | 1 Odoo | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request. | |||||
CVE-2018-15468 | 1 Xen | 1 Xen | 2024-11-21 | 4.9 MEDIUM | 6.0 MEDIUM |
An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service. | |||||
CVE-2018-15465 | 1 Cisco | 1 Adaptive Security Appliance Software | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface. The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. An exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device. | |||||
CVE-2018-15405 | 1 Cisco | 1 Ucs Director | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A vulnerability in the web interface for specific feature sets of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to access sensitive information. The vulnerability is due to an authorization check that does not properly include the access level of the web interface user. An attacker who has valid application credentials could exploit this vulnerability by sending a crafted HTTP request to the web interface. A successful exploit could allow the attacker to view sensitive information that belongs to other users. The attacker could then use this information to conduct additional reconnaissance attacks. | |||||
CVE-2018-14748 | 1 Qnap | 1 Qts | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
Improper Authorization vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to power off the NAS. | |||||
CVE-2018-14666 | 1 Redhat | 1 Satellite | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM |
An improper authorization flaw was found in the Smart Class feature of Foreman. An attacker can use it to change configuration of any host registered in Red Hat Satellite, independent of the organization the host belongs to. This flaw affects all Red Hat Satellite 6 versions. | |||||
CVE-2018-14665 | 4 Canonical, Debian, Redhat and 1 more | 9 Ubuntu Linux, Debian Linux, Enterprise Linux Desktop and 6 more | 2024-11-21 | 7.2 HIGH | 6.6 MEDIUM |
A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges. |