Vulnerabilities (CVE)

Filtered by CWE-863
Total 1602 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-19597 1 Dlink 2 Dap-1860, Dap-1860 Firmware 2024-02-28 8.3 HIGH 8.8 HIGH
D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote code execution as root without authentication via shell metacharacters within an HNAP_AUTH HTTP header.
CVE-2013-4411 2 Fedoraproject, Reviewboard 2 Fedora, Reviewboard 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Review Board: URL processing gives unauthorized users access to review lists
CVE-2020-6307 1 Sap 1 Basis 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of sensitive information.
CVE-2018-20494 1 Gitlab 1 Gitlab 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
CVE-2017-16778 1 Fermax 2 Outdoor Panel, Outdoor Panel Firmware 2024-02-28 2.1 LOW 4.6 MEDIUM
An access control weakness in the DTMF tone receiver of Fermax Outdoor Panel allows physical attackers to inject a Dual-Tone-Multi-Frequency (DTMF) tone to invoke an access grant that would allow physical access to a restricted floor/level. By design, only a residential unit owner may allow such an access grant. However, due to incorrect access control, an attacker could inject it via the speaker unit to perform an access grant to gain unauthorized access, as demonstrated by a loud DTMF tone representing '1' and a long '#' (697 Hz and 1209 Hz, followed by 941 Hz and 1477 Hz).
CVE-2019-17191 1 Signal 1 Private Messenger 2024-02-28 5.0 MEDIUM 7.5 HIGH
The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answered, without callee user interaction, via a connect message. The existence of the call is noticeable to the callee; however, the audio channel may be open before the callee can block eavesdropping.
CVE-2016-6591 1 Symantec 1 Norton App Lock 2024-02-28 3.3 LOW 7.1 HIGH
A security bypass vulnerability exists in Symantec Norton App Lock 1.0.3.186 and earlier if application pinning is enabled, which could let a local malicious user bypass security restrictions.
CVE-2019-11294 1 Cloudfoundry 2 Capi-release, Cf-deployment 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins.
CVE-2013-4410 2 Fedoraproject, Reviewboard 2 Fedora, Reviewboard 2024-02-28 5.0 MEDIUM 7.5 HIGH
ReviewBoard: has an access-control problem in REST API
CVE-2019-5879 1 Google 1 Chrome 2024-02-28 4.3 MEDIUM 6.5 MEDIUM
Insufficient policy enforcement in extensions in Google Chrome prior to 77.0.3865.75 allowed an attacker who convinced a user to install a malicious extension to read local files via a crafted Chrome Extension.
CVE-2019-0384 1 Sap 2 Enterprise Extension Financial Services, Treasury And Risk Management \(s4core\) 2024-02-28 6.5 MEDIUM 8.8 HIGH
Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for functionalities that require user identity.
CVE-2019-19520 1 Openbsd 1 Openbsd 2024-02-28 4.6 MEDIUM 7.8 HIGH
xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.
CVE-2019-4311 1 Ibm 1 Security Guardium Big Data Intelligence 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
IBM Security Guardium Big Data Intelligence (SonarG) 4.0 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 161037.
CVE-2020-8086 2 Debian, Prosody 3 Debian Linux, Mod Auth Ldap, Mod Auth Ldap2 2024-02-28 6.8 MEDIUM 9.8 CRITICAL
The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin.
CVE-2019-14843 1 Redhat 2 Jboss Enterprise Application Platform, Single Sign-on 2024-02-28 6.5 MEDIUM 8.8 HIGH
A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue.
CVE-2013-4862 1 Micasaverde 2 Veralite, Veralite Firmware 2024-02-28 5.5 MEDIUM 8.1 HIGH
MiCasaVerde VeraLite with firmware 1.5.408 does not properly restrict access, which allows remote authenticated users to (1) update the firmware via the squashfs parameter to upgrade_step2.sh or (2) obtain hashed passwords via the cgi-bin/cmh/backup.sh page.
CVE-2011-3617 2 Debian, Tahoe-lafs 2 Debian Linux, Tahoe-lafs 2024-02-28 5.5 MEDIUM 6.5 MEDIUM
Tahoe-LAFS v1.3.0 through v1.8.2 could allow unauthorized users to delete immutable files in some cases.
CVE-2020-2097 1 Jenkins 1 Sounds 2024-02-28 6.5 MEDIUM 8.8 HIGH
Jenkins Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation, allowing attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.
CVE-2012-6094 2 Apple, Debian 2 Cups, Debian Linux 2024-02-28 6.8 MEDIUM 9.8 CRITICAL
cups (Common Unix Printing System) 'Listen localhost:631' option not honored correctly which could provide unauthorized access to the system
CVE-2011-2726 4 Debian, Drupal, Fedoraproject and 1 more 4 Debian Linux, Drupal, Fedora and 1 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.