Vulnerabilities (CVE)

Filtered by CWE-863
Total 1609 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-0337 1 Cisco 15 Nexus 5000, Nexus 5010, Nexus 5020 and 12 more 2024-02-28 7.2 HIGH 7.8 HIGH
A vulnerability in the role-based access-checking mechanisms of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on an affected device. The vulnerability exists because the affected software lacks proper input and validation checks for certain file systems. An attacker could exploit this vulnerability by issuing crafted commands in the CLI of an affected device. A successful exploit could allow the attacker to cause other users to execute unwanted, arbitrary commands on the affected device. Cisco Bug IDs: CSCvd06339, CSCvd15698, CSCvd36108, CSCvf52921, CSCvf52930, CSCvf52953, CSCvf52976.
CVE-2017-1700 1 Ibm 7 Rational Collaborative Lifecycle Management, Rational Doors Next Generation, Rational Engineering Lifecycle Manager and 4 more 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
IBM Jazz Team Server affecting the following IBM Rational Products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM) could allow an authenticated user to cause a denial of service due to incorrect authorization for resource intensive scenarios. IBM X-Force ID: 134392.
CVE-2018-1000105 1 Jenkins 1 Gerrit Trigger 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to retrieve some configuration information about Gerrit in Jenkins.
CVE-2018-13109 1 Adbglobal 8 Dv2210, Dv2210 Firmware, Prg Av4202n and 5 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
All ADB broadband gateways / routers based on the Epicentro platform are affected by an authorization bypass vulnerability where attackers are able to access and manipulate settings within the web interface that are forbidden to end users (e.g., by the ISP). An attacker would be able to enable the TELNET server or other settings as well.
CVE-2017-12112 1 Ethereum 1 Cpp-ethereum 2024-02-28 6.8 MEDIUM 8.1 HIGH
An exploitable improper authorization vulnerability exists in admin_addPeer API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigger this vulnerability.
CVE-2018-1000112 1 Jenkins 1 Mercurial 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and users.
CVE-2018-0110 1 Cisco 1 Webex Meetings Server 2024-02-28 5.5 MEDIUM 8.1 HIGH
A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to access the remote support account even after it has been disabled via the web application. The vulnerability is due to a design flaw in Cisco WebEx Meetings Server, which would not disable access to specifically configured user accounts, even after access had been disabled in the web application. An attacker could exploit this vulnerability by connecting to the remote support account, even after it had been disabled at the web application level. An exploit could allow the attacker to modify server configuration and gain access to customer data. Cisco Bug IDs: CSCvg46741.
CVE-2017-1233 1 Ibm 1 Bigfix Remote Control 2024-02-28 7.2 HIGH 6.7 MEDIUM
IBM Remote Control v9 could allow a local user to use the component to replace files to which he does not have write access and which he can cause to be executed with Local System or root privileges. IBM X-Force ID: 123912.
CVE-2017-1766 1 Ibm 1 Business Process Manager 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Due to incorrect authorization in IBM Business Process Manager 8.6 an attacker can claim and work on ad hoc tasks he is not assigned to. IBM X-Force ID: 136151.
CVE-2018-7245 1 Schneider-electric 11 66074 Mge Network Management Card Transverse, Mge Comet Ups, Mge Eps 6000 and 8 more 2024-02-28 6.4 MEDIUM 9.1 CRITICAL
An improper authorization vulnerability exists In Schneider Electric's 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. The integrated web server (Port 80/443/TCP) of the affected devices could allow a remote attacker to change UPS control and shutdown parameters or other critical settings without authorization.
CVE-2018-11142 1 Quest 1 Kace System Management Appliance 2024-02-28 2.1 LOW 5.5 MEDIUM
The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'X_Forwarded_For' HTTP headers in a POST request. An anonymous user can abuse this vulnerability to execute critical functions without authorization.
CVE-2018-1057 3 Canonical, Debian, Samba 3 Ubuntu Linux, Debian Linux, Samba 2024-02-28 6.5 MEDIUM 8.8 HIGH
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
CVE-2017-17668 1 Ncr 2 S1 Dispenser Controller, S1 Dispenser Controller Firmware 2024-02-28 7.8 HIGH 7.5 HIGH
Memory write mechanism in NCR S1 Dispenser controller before firmware version 0x0156 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.
CVE-2018-0278 1 Cisco 1 Firepower Management Center 2024-02-28 4.3 MEDIUM 6.5 MEDIUM
A vulnerability in the management console of Cisco Firepower System Software could allow an unauthenticated, remote attacker to access sensitive data about the system. The vulnerability is due to improper cross-origin domain protections for the WebSocket protocol. An attacker could exploit this vulnerability by convincing a user to visit a malicious website designed to send requests to the affected application while the user is logged into the application with an active session cookie. A successful exploit could allow the attacker to retrieve policy or configuration information from the affected software and to perform another attack against the management console. Cisco Bug IDs: CSCvh68311.
CVE-2017-12118 1 Ethereum 1 Cpp-ethereum 2024-02-28 6.8 MEDIUM 8.1 HIGH
An exploitable improper authorization vulnerability exists in miner_stop API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). An attacker can send JSON to trigger this vulnerability.
CVE-2017-15695 1 Apache 1 Geode 2024-02-28 6.5 MEDIUM 8.8 HIGH
When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.
CVE-2018-1000197 1 Jenkins 1 Black Duck Hub 2024-02-28 5.5 MEDIUM 8.1 HIGH
An improper authorization vulnerability exists in Jenkins Black Duck Hub Plugin 3.0.3 and older in PostBuildScanDescriptor.java that allows users with Overall/Read permission to read and write the Black Duck Hub plugin configuration.
CVE-2017-0927 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users.
CVE-2017-0920 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance.
CVE-2018-1278 1 Pivotal Software 1 Pivotal Application Service 2024-02-28 4.3 MEDIUM 6.5 MEDIUM
Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org.