Total
1628 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-3183 | 1 Sage | 1 Xrt Treasury | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Database user access privileges are determined by the USER_CODE field associated with the querying user. By modifying the USER_CODE value to match that of a privileged user, a low-privileged, authenticated user may gain privileged access to the SQL database. A remote, authenticated user can submit specially crafted SQL queries to gain privileged access to the application database. | |||||
| CVE-2017-2673 | 1 Redhat | 1 Openstack | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM |
| An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles. | |||||
| CVE-2017-2632 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges. | |||||
| CVE-2017-2611 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents. | |||||
| CVE-2017-2599 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321). | |||||
| CVE-2017-2306 | 1 Juniper | 1 Junos Space | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can execute code on the device. | |||||
| CVE-2017-2305 | 1 Juniper | 1 Junos Space | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can create privileged users, allowing privilege escalation. | |||||
| CVE-2017-20066 | 1 Adminer Login Project | 1 Adminer Login | 2024-11-21 | 4.6 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been found in Adminer Login 1.4.4 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improper access controls. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2017-1766 | 1 Ibm | 1 Business Process Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Due to incorrect authorization in IBM Business Process Manager 8.6 an attacker can claim and work on ad hoc tasks he is not assigned to. IBM X-Force ID: 136151. | |||||
| CVE-2017-1700 | 1 Ibm | 7 Rational Collaborative Lifecycle Management, Rational Doors Next Generation, Rational Engineering Lifecycle Manager and 4 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Jazz Team Server affecting the following IBM Rational Products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM) could allow an authenticated user to cause a denial of service due to incorrect authorization for resource intensive scenarios. IBM X-Force ID: 134392. | |||||
| CVE-2017-1628 | 1 Ibm | 1 Business Process Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Business Process Manager 8.6.0.0 allows authenticated users to stop and resume the Event Manager by calling a REST API with incorrect authorization checks. | |||||
| CVE-2017-1233 | 1 Ibm | 1 Bigfix Remote Control | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| IBM Remote Control v9 could allow a local user to use the component to replace files to which he does not have write access and which he can cause to be executed with Local System or root privileges. IBM X-Force ID: 123912. | |||||
| CVE-2017-18095 | 1 Atlassian | 1 Crucible | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The SnippetRPCServiceImpl class in Atlassian Crucible before version 4.5.1 (the fixed version 4.5.x) and before 4.6.0 allows remote attackers to comment on snippets they do not have authorization to access via an improper authorization vulnerability. | |||||
| CVE-2017-17708 | 1 Pleasantsolutions | 1 Pleasant Password Server | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Because of insufficient authorization checks it is possible for any authenticated user to change profile data of other users in Pleasant Password Server before 7.8.3. | |||||
| CVE-2017-17668 | 1 Ncr | 2 S1 Dispenser Controller, S1 Dispenser Controller Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| Memory write mechanism in NCR S1 Dispenser controller before firmware version 0x0156 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities. | |||||
| CVE-2017-17323 | 1 Huawei | 2 Ibmc, Ibmc Firmware | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Huawei iBMC V200R002C10; V200R002C20; V200R002C30 have an improper authorization vulnerability. The software incorrectly performs an authorization check when a normal user attempts to access certain information which is supposed to be accessed only by admin user. Successful exploit could cause information disclosure. | |||||
| CVE-2017-17067 | 1 Splunk | 1 Splunk | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and 6.3.x before 6.3.12, when the SAML authType is enabled, mishandles SAML, which allows remote attackers to bypass intended access restrictions or conduct impersonation attacks. | |||||
| CVE-2017-16778 | 1 Fermax | 2 Outdoor Panel, Outdoor Panel Firmware | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| An access control weakness in the DTMF tone receiver of Fermax Outdoor Panel allows physical attackers to inject a Dual-Tone-Multi-Frequency (DTMF) tone to invoke an access grant that would allow physical access to a restricted floor/level. By design, only a residential unit owner may allow such an access grant. However, due to incorrect access control, an attacker could inject it via the speaker unit to perform an access grant to gain unauthorized access, as demonstrated by a loud DTMF tone representing '1' and a long '#' (697 Hz and 1209 Hz, followed by 941 Hz and 1477 Hz). | |||||
| CVE-2017-16773 | 1 Synology | 1 Universal Search | 2024-11-21 | 6.5 MEDIUM | 6.5 MEDIUM |
| Improper authorization vulnerability in Highlight Preview in Synology Universal Search before 1.0.5-0135 allows remote authenticated users to bypass permission checks for directories in POSIX mode. | |||||
| CVE-2017-16743 | 1 Phoenixcontact | 58 Fl Switch 3004t-fx, Fl Switch 3004t-fx Firmware, Fl Switch 3004t-fx St and 55 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An Improper Authorization issue was discovered in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, and 48xxx Series products running firmware Version 1.0 to 1.32. A remote unauthenticated attacker may be able to craft special HTTP requests allowing an attacker to bypass web-service authentication allowing the attacker to obtain administrative privileges on the device. | |||||