Vulnerabilities (CVE)

Filtered by CWE-863
Total 1609 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-0926 2 Debian, Gitlab 2 Debian Linux, Gitlab 2024-02-28 6.5 MEDIUM 8.8 HIGH
GitLab Community Edition version 10.3 is vulnerable to an improper authorization issue in the OAuth sign-in component, resulting in unauthorized user login.
CVE-2018-1258 5 Netapp, Oracle, Pivotal Software and 2 more 42 Oncommand Insight, Oncommand Unified Manager, Oncommand Workflow Automation and 39 more 2024-02-28 6.5 MEDIUM 8.8 HIGH
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
CVE-2018-12103 2 D-link, Dlink 6 Dir-885/r, Dir-885l/r Firmware, Dir-895/r and 3 more 2024-02-28 3.3 LOW 6.5 MEDIUM
An issue was discovered on D-Link DIR-890L with firmware 1.21B02beta01 and earlier, DIR-885L/R with firmware 1.21B03beta01 and earlier, and DIR-895L/R with firmware 1.21B04beta04 and earlier devices (all hardware revisions). Due to the predictability of the /docs/captcha_(number).jpeg URI, being local to the network, but unauthenticated to the administrator's panel, an attacker can disclose the CAPTCHAs used by the access point and can elect to load the CAPTCHA of their choosing, leading to unauthorized login attempts to the access point.
CVE-2017-16773 1 Synology 1 Universal Search 2024-02-28 6.5 MEDIUM 8.8 HIGH
Improper authorization vulnerability in Highlight Preview in Synology Universal Search before 1.0.5-0135 allows remote authenticated users to bypass permission checks for directories in POSIX mode.
CVE-2017-2599 1 Jenkins 1 Jenkins 2024-02-28 5.5 MEDIUM 5.4 MEDIUM
Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).
CVE-2017-12117 1 Ethereum 1 Cpp-ethereum 2024-02-28 6.8 MEDIUM 8.1 HIGH
An exploitable improper authorization vulnerability exists in miner_start API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigger this vulnerability.
CVE-2017-12196 1 Redhat 4 Jboss Enterprise Application Platform, Jboss Fuse, Undertow and 1 more 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
Undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication: the server does not ensure that the value of URI in the Authorization header matches the URI in the HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.
CVE-2018-1000106 1 Jenkins 1 Gerrit Trigger 2024-02-28 5.5 MEDIUM 5.4 MEDIUM
An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to modify the Gerrit configuration in Jenkins.
CVE-2018-1000111 1 Jenkins 1 Subversion 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
An improper authorization vulnerability exists in Jenkins Subversion Plugin version 2.10.2 and earlier in SubversionStatus.java and SubversionRepositoryStatus.java that allows an attacker with network access to obtain a list of nodes and users.
CVE-2017-2611 2 Jenkins, Redhat 2 Jenkins, Openshift 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
CVE-2018-6316 1 Ivanti 1 Endpoint Security 2024-02-28 6.0 MEDIUM 7.5 HIGH
Ivanti Endpoint Security (formerly HEAT Endpoint Management and Security Suite) 8.5 Update 1 and earlier allows an authenticated user with low privileges and access to the local network to bypass application whitelisting when using the Application Control module on Ivanti Endpoint Security in lockdown mode.
CVE-2017-1628 1 Ibm 1 Business Process Manager 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
IBM Business Process Manager 8.6.0.0 allows authenticated users to stop and resume the Event Manager by calling a REST API with incorrect authorization checks.
CVE-2017-8216 1 Huawei 2 P10 Lite, P10 Lite Firmware 2024-02-28 7.1 HIGH 5.5 MEDIUM
Warsaw Huawei Smart phones with software of versions earlier than Warsaw-AL00C00B180, versions earlier than Warsaw-TL10C01B180 have a permission control vulnerability. Due to improper authorization on specific processes, an attacker with the root privilege of a mobile Android system can exploit this vulnerability to obtain some information of the user.
CVE-2017-16743 1 Phoenixcontact 58 Fl Switch 3004t-fx, Fl Switch 3004t-fx Firmware, Fl Switch 3004t-fx St and 55 more 2024-02-28 10.0 HIGH 9.8 CRITICAL
An Improper Authorization issue was discovered in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, and 48xxx Series products running firmware Version 1.0 to 1.32. A remote unauthenticated attacker may be able to craft special HTTP requests that bypass web-service authentication, allowing the attacker to obtain administrative privileges on the device.
CVE-2017-2305 1 Juniper 1 Junos Space 2024-02-28 6.5 MEDIUM 8.8 HIGH
On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can create privileged users, allowing privilege escalation.
CVE-2016-6797 6 Apache, Canonical, Debian and 3 more 14 Tomcat, Ubuntu Linux, Debian Linux and 11 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
CVE-2017-4946 1 Vmware 2 Vrealize Operations For Horizon, Vrealize Operations For Published Applications 2024-02-28 7.2 HIGH 7.8 HIGH
The VMware V4H and V4PA desktop agents (6.x before 6.5.1) contain a privilege escalation vulnerability. Successful exploitation of this issue could result in a low-privileged Windows user escalating their privileges to SYSTEM.
CVE-2018-0803 1 Microsoft 3 Edge, Windows 10, Windows Server 2016 2024-02-28 5.8 MEDIUM 4.2 MEDIUM
Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to access information from one domain and inject it into another domain, due to how Microsoft Edge enforces cross-domain policies, aka "Microsoft Edge Elevation of Privilege Vulnerability".
CVE-2017-5060 5 Apple, Google, Linux and 2 more 8 Macos, Android, Chrome and 5 more 2024-02-28 4.3 MEDIUM 6.5 MEDIUM
Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name.
CVE-2017-17067 1 Splunk 1 Splunk 2024-02-28 10.0 HIGH 9.8 CRITICAL
Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and 6.3.x before 6.3.12, when the SAML authType is enabled, mishandles SAML, which allows remote attackers to bypass intended access restrictions or conduct impersonation attacks.