Vulnerabilities (CVE)

Filtered by CWE-863
Total 1603 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-13313 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control.
CVE-2020-3413 1 Cisco 1 Webex Meetings Online 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
A vulnerability in the scheduled meeting template feature of Cisco Webex Meetings could allow an authenticated, remote attacker to delete a scheduled meeting template that belongs to another user in their organization. The vulnerability is due to insufficient authorization enforcement for requests to delete scheduled meeting templates. An attacker could exploit this vulnerability by sending a crafted request to the Webex Meetings interface to delete a scheduled meeting template. A successful exploit could allow the attacker to delete a scheduled meeting template that belongs to a user other than themselves.
CVE-2020-3229 1 Cisco 1 Ios Xe 2024-02-28 9.0 HIGH 8.8 HIGH
A vulnerability in Role Based Access Control (RBAC) functionality of Cisco IOS XE Web Management Software could allow a Read-Only authenticated, remote attacker to execute commands or configuration changes as an Admin user. The vulnerability is due to incorrect handling of RBAC for the administration GUI. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device. An exploit could allow the attacker as a Read-Only user to execute CLI commands or configuration changes as if they were an Admin user.
CVE-2020-7300 1 Mcafee 1 Data Loss Prevention 2024-02-28 4.0 MEDIUM 6.3 MEDIUM
Improper Authorization vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated remote attackers to change the configuration when logged in with view only privileges via carefully constructed HTTP post messages.
CVE-2020-24941 1 Laravel 1 Laravel 2024-02-28 4.3 MEDIUM 7.5 HIGH
An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.
CVE-2020-0097 1 Google 1 Android 2024-02-28 4.6 MEDIUM 7.8 HIGH
In various methods of PackageManagerService.java, there is a possible permission bypass due to a missing condition for system apps. This could lead to local escalation of privilege with User privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10Android ID: A-145981139
CVE-2020-11628 1 Primekey 1 Ejbca 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. It is intended to support restriction of available remote protocols (CMP, ACME, REST, etc.) through the system configuration. These restrictions can be bypassed by modifying the URI string from a client. (EJBCA's internal access control restrictions are still in place, and each respective protocol must be configured to allow for enrollment.)
CVE-2020-13834 1 Google 1 Android 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (with TEEGRIS) software. Secure Folder does not properly restrict use of Android Debug Bridge (adb) for arbitrary installations. The Samsung ID is SVE-2020-17369 (June 2020).
CVE-2020-12780 1 Combodo 1 Itop 2024-02-28 5.0 MEDIUM 7.5 HIGH
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2020-2188 1 Jenkins 1 Amazon Ec2 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
CVE-2020-13300 1 Gitlab 1 Gitlab 2024-02-28 6.4 MEDIUM 10.0 CRITICAL
GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.
CVE-2020-3473 1 Cisco 19 8201, 8202, 8808 and 16 more 2024-02-28 7.2 HIGH 7.8 HIGH
A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local CLI shell user to elevate privileges and gain full administrative control of the device. The vulnerability is due to incorrect mapping of a command to task groups within the source code. An attacker could exploit this vulnerability by first authenticating to the local CLI shell on the device and using the CLI command to bypass the task group–based checks. A successful exploit could allow the attacker to elevate privileges and perform actions on the device without authorization checks.
CVE-2020-8142 1 Revive-adserver 1 Revive Adserver 2024-02-28 4.6 MEDIUM 6.8 MEDIUM
A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was however possible for anyone with access to a Revive Adserver admin user interface to bypass such check and change e-email address or password of the currently logged in user by altering the form payload.The attack requires physical access to the user interface of a logged in user. If the POST payload was altered by turning the “pwold” parameter into an array, Revive Adserver would fetch and authorise the operation even if no password was provided.
CVE-2020-2228 1 Jenkins 1 Gitlab Authentication 2024-02-28 6.5 MEDIUM 8.8 HIGH
Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.
CVE-2020-5418 1 Cloudfoundry 2 Capi-release, Cf-deployment 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the "cloud_controller.read" scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none).
CVE-2020-3530 1 Cisco 23 Asr 9000v, Asr 9001, Asr 9006 and 20 more 2024-02-28 5.6 MEDIUM 8.4 HIGH
A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local attacker to execute that command, even though administrative privileges should be required. The attacker must have valid credentials on the affected device. The vulnerability is due to incorrect mapping in the source code of task group assignments for a specific command. An attacker could exploit this vulnerability by issuing the command, which they should not be authorized to issue, on an affected device. A successful exploit could allow the attacker to invalidate the integrity of the disk and cause the device to restart. This vulnerability could allow a user with read permissions to issue a specific command that should require Administrator privileges.
CVE-2020-15120 1 Ihatemoney 1 I Hate Money 2024-02-28 4.0 MEDIUM 4.9 MEDIUM
In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5.
CVE-2018-20498 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
CVE-2020-0036 1 Google 1 Android 2024-02-28 7.2 HIGH 7.8 HIGH
In hasPermissions of PermissionMonitor.java, there is a possible access to restricted permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-144679405
CVE-2020-6380 2 Fedoraproject, Google 2 Fedora, Chrome 2024-02-28 6.8 MEDIUM 8.8 HIGH
Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.130 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted Chrome Extension.