Total: 1247 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1003081 | 1 Jenkins | 1 Openshift Deployer | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-20407 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2020-07-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through a missing authorisation check. | |||||
| CVE-2020-5368 | 1 Dell | 4 Vxrail D560, Vxrail D560 Firmware, Vxrail D560f and 1 more | 2020-07-13 | 5.0 MEDIUM | 7.5 HIGH |
| Dell EMC VxRail versions 4.7.410 and 4.7.411 contain an improper authentication vulnerability. A remote unauthenticated attacker may exploit this vulnerability to obtain sensitive information in an encrypted form. | |||||
| CVE-2020-5345 | 1 Dell | 3 Emc Unisphere For Powermax, Emc Unisphere For Powermax Virtual Appliance, Powermax Os | 2020-07-02 | 5.5 MEDIUM | 5.4 MEDIUM |
| Dell EMC Unisphere for PowerMax versions prior to 9.1.0.17, Dell EMC Unisphere for PowerMax Virtual Appliance versions prior to 9.1.0.17, and PowerMax OS Release 5978 contain an authorization bypass vulnerability. An authenticated malicious user may potentially execute commands to alter or stop database statistics. | |||||
| CVE-2018-21257 | 1 Mattermost | 1 Mattermost Server | 2020-06-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API. | |||||
| CVE-2018-21251 | 1 Mattermost | 1 Mattermost Server | 2020-06-26 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body. | |||||
| CVE-2020-3245 | 1 Cisco | 1 Smart Software Manager On-prem | 2020-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web application of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to create arbitrary user accounts. The vulnerability is due to the lack of authorization controls in the web application. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to add user accounts to the configuration of an affected device. These accounts would not be administrator or operator accounts. | |||||
| CVE-2020-5362 | 1 Dell | 708 Chengming 3967, Chengming 3967 Firmware, Chengming 3977 and 705 more | 2020-06-23 | 2.1 LOW | 4.4 MEDIUM |
| Dell Client Consumer and Commercial platforms include an improper authorization vulnerability in the Dell Manageability interface for which an unauthorized actor, with local system access with OS administrator privileges, could bypass the BIOS Administrator authentication to restore BIOS Setup configuration to default values. | |||||
| CVE-2020-14213 | 1 Zammad | 1 Zammad | 2020-06-23 | 5.5 MEDIUM | 5.4 MEDIUM |
| In Zammad before 3.3.1, a Customer has ticket access that should only be available to an Agent (e.g., read internal data, split, or merge). | |||||
| CVE-2020-6270 | 1 Sap | 1 Netweaver As Abap | 2020-06-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary authorization checks for an authenticated user due to Missing Authorization Check, allowing wrong and unexpected change of individual conditions by a malicious user leading to wrong prices. | |||||
| CVE-2020-6268 | 1 Sap | 2 Erp (ea-finserv), Erp (s4core) | 2020-06-16 | 5.5 MEDIUM | 8.1 HIGH |
| Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check. | |||||
| CVE-2020-13266 | 1 Gitlab | 1 Gitlab | 2020-06-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions. | |||||
| CVE-2020-13425 | 1 Thetrackr | 2 Trackr, Trackr Firmware | 2020-05-26 | 6.8 MEDIUM | 7.1 HIGH |
| TrackR devices through 2020-05-06 allow attackers to trigger the Beep (aka alarm) feature, which will eventually cause a denial of service when battery capacity is exhausted. | |||||
| CVE-2020-10620 | 1 Opto22 | 1 Softpac Project | 2020-05-18 | 7.5 HIGH | 9.8 CRITICAL |
| Opto 22 SoftPAC Project Version 9.6 and prior. SoftPAC communication does not include any credentials. This allows an attacker with network access to directly communicate with SoftPAC, including, for example, stopping the service remotely. | |||||
| CVE-2020-1996 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| A missing authorization vulnerability in the management server component of PAN-OS Panorama allows a remote unauthenticated user to inject messages into the management server ms.log file. This vulnerability can be leveraged to obfuscate an ongoing attack or fabricate log entries in the ms.log file. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.9. | |||||
| CVE-2020-10612 | 1 Opto22 | 1 Softpac Project | 2020-05-18 | 6.4 MEDIUM | 9.1 CRITICAL |
| Opto 22 SoftPAC Project Version 9.6 and prior. SoftPACAgent communicates with SoftPACMonitor over network Port 22000. However, this port is open without any restrictions. This allows an attacker with network access to control the SoftPACAgent service including updating SoftPAC firmware, starting or stopping service, or writing to certain registry values. | |||||
| CVE-2020-6259 | 1 Sap | 1 Adaptive Server Enterprise | 2020-05-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Under certain conditions SAP Adaptive Server Enterprise, versions 15.7, 16.0, allows an attacker to access information which would otherwise be restricted leading to Missing Authorization Check. | |||||
| CVE-2020-6258 | 1 Sap | 1 Identity Management | 2020-05-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP Identity Management, version 8.0, does not perform necessary authorization checks for an authenticated user, allowing the attacker to view certain sensitive information of the victim, leading to Missing Authorization Check. | |||||
| CVE-2020-6256 | 1 Sap | 1 Master Data Governance | 2020-05-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP Master Data Governance, versions - 748, 749, 750, 751, 752, 800, 801, 802, 803, 804, allows users to display change request details without having required authorizations, due to Missing Authorization Check. | |||||
| CVE-2020-6212 | 1 Sap | 2 Erp, S/4hana | 2020-05-08 | 5.5 MEDIUM | 5.4 MEDIUM |
| Egypt localized withholding tax reports Clearing of Liabilities and Remittance Statement and Summary in SAP ERP (versions 618, 730, EAPPLGLO 607) and S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user, allowing reading or modification of some tax reports, due to Missing Authorization Check. | |||||
| CVE-2018-1116 | 3 Canonical, Debian, Polkit Project | 3 Ubuntu Linux, Debian Linux, Polkit | 2020-05-05 | 3.6 LOW | 4.4 MEDIUM |
| A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows testing for authentication, and triggering authentication, of unrelated processes owned by other users. This may result in a local DoS and information disclosure. | |||||
| CVE-2020-6209 | 1 Sap | 1 Disclosure Management | 2020-04-24 | 6.0 MEDIUM | 7.5 HIGH |
| SAP Disclosure Management, version 10.1, does not perform necessary authorization checks for an authenticated user, allowing access to administration accounts by a user with no roles, leading to Missing Authorization Check. | |||||
| CVE-2019-20676 | 1 Netgear | 44 Fs728tlp, Fs728tlp Firmware, Gs105e and 41 more | 2020-04-23 | 3.6 LOW | 6.0 MEDIUM |
| Certain NETGEAR devices are affected by lack of access control at the function level. This affects FS728TLP before 1.0.1.26, GS105Ev2 before 1.6.0.4, GS105PE before 1.6.0.4, GS108Ev3 before 2.06.08, GS108PEv3 before 2.06.08, GS110EMX before 1.0.1.4, GS116Ev2 before 2.6.0.35, GS408EPP before 1.0.0.15, GS724TPv2 before 1.1.1.29, GS808E before 1.7.0.7, GS810EMX before 1.7.1.1, GS908E before 1.7.0.3, GSS108E before 1.6.0.4, GSS108EPP before 1.0.0.15, GSS116E before 1.6.0.9, JGS516PE before 2.6.0.35, JGS524Ev2 before 2.6.0.35, JGS524PE before 2.6.0.35, XS512EM before 1.0.1.1, XS708Ev2 before 1.6.0.23, XS716E before 1.6.0.23, and XS724EM before 1.0.1.1. | |||||
| CVE-2020-7278 | 1 Mcafee | 1 Endpoint Security | 2020-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Exploiting incorrectly configured access control security levels vulnerability in ENS Firewall in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 and 10.6.1 April 2020 updates allows remote attackers and local users to allow or block unauthorized traffic via pre-existing rules not being handled correctly when updating to the February 2020 updates. | |||||
| CVE-2020-6232 | 1 Sap | 1 Commerce Cloud | 2020-04-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check. This affects confidentiality of secure media. | |||||
| CVE-2020-6233 | 1 Sap | 2 Banking Services From Sap, S/4hana Financial Products Subledger | 2020-04-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP S/4 HANA (Financial Products Subledger and Banking Services), versions - FSAPPL 400, 450, 500 and S4FPSL 100, allows an authenticated user to run an analysis report due to Missing Authorization Check, resulting in a slowdown of the system. | |||||
| CVE-2018-21042 | 1 Google | 1 Android | 2020-04-09 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. Dual Messenger allows installation of an arbitrary APK with resultant privileged code execution. The Samsung ID is SVE-2018-13299 (December 2018). | |||||
| CVE-2018-21046 | 1 Google | 1 Android | 2020-04-09 | 2.1 LOW | 2.4 LOW |
| An issue was discovered on Samsung mobile devices with O(8.x) software. There is clipboard Data Exposure via the Emergency Dialer upon connecting a USB device. The Samsung ID is SVE-2018-12911 (November 2018). | |||||
| CVE-2018-21047 | 1 Google | 1 Android | 2020-04-09 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with O(8.x) software. There is a Factory Reset Protection (FRP) bypass via the voice assistant because Internet access begins before the Setup Wizard finishes. The Samsung ID is SVE-2018-12894 (November 2018). | |||||
| CVE-2016-11036 | 1 Google | 1 Android | 2020-04-09 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Samsung mobile devices with M(6.0) software. There is a Factory Reset Protection (FRP) bypass. The Samsung ID is SVE-2016-6008 (August 2016). | |||||
| CVE-2017-18677 | 1 Google | 1 Android | 2020-04-08 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with M(6.0) and N(7.x) software. Because of an unprotected Intent, an attacker can reset the configuration of certain applications. The Samsung ID is SVE-2016-7142 (April 2017). | |||||
| CVE-2017-18666 | 1 Google | 1 Android | 2020-04-08 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.x) software. Applications can send arbitrary premium SMS messages. The Samsung ID is SVE-2017-8701 (June 2017). | |||||
| CVE-2019-18581 | 1 Dell | 6 Emc Data Protection Advisor, Emc Idpa Dp4400, Emc Idpa Dp5800 and 3 more | 2020-03-24 | 9.0 HIGH | 7.2 HIGH |
| Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to alter the application’s allowable list of OS commands. This may lead to arbitrary OS command execution as the regular user runs the DPA service on the affected system. | |||||
| CVE-2018-13063 | 1 Easyappointments | 1 Easy!appointments | 2020-03-18 | 5.0 MEDIUM | 7.5 HIGH |
| Easy!Appointments 1.3.0 has a Missing Authorization issue allowing retrieval of hashed passwords and salts. | |||||
| CVE-2020-6199 | 1 Sap | 1 Erp | 2020-03-12 | 5.5 MEDIUM | 5.4 MEDIUM |
| The view FIMENAV_COMPCERT in SAP ERP (MENA Certificate Management), EAPPGLO version 607, SAP_FIN versions- 618, 730 and SAP S/4HANA (MENA Certificate Management), S4CORE versions- 100, 101, 102, 103, 104, does not have any authorization check, due to which an attacker without an authorization group can maintain any company certificate, leading to Missing Authorization Check. | |||||
| CVE-2020-6204 | 1 Sap | 2 Treasury And Risk Management (ea-finserv), Treasury And Risk Management (s4core) | 2020-03-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| The selection query in SAP Treasury and Risk Management (Transaction Management) (EA-FINSERV versions 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) returns more records than it should when selecting and displaying the contract number, leading to Missing Authorization Check. | |||||
| CVE-2020-0054 | 1 Google | 1 Android | 2020-03-11 | 4.6 MEDIUM | 7.8 HIGH |
| In WifiNetworkSuggestionsManager of WifiNetworkSuggestionsManager.java, there is a possible permission revocation due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-146642727. | |||||
| CVE-2020-2142 | 1 Jenkins | 1 P4 | 2020-03-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier allows attackers with Overall/Read permission to trigger builds. | |||||
| CVE-2012-6614 | 1 D-link | 2 Dsr-250n, Dsr-250n Firmware | 2020-03-05 | 9.0 HIGH | 7.2 HIGH |
| D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password. | |||||
| CVE-2012-0055 | 2 Canonical, Linux | 2 Ubuntu Linux, Linux Kernel | 2020-02-28 | 7.2 HIGH | 7.8 HIGH |
| OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions. | |||||
| CVE-2019-19989 | 1 Seling | 1 Visual Access Manager | 2020-02-27 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Several PHP pages, and other types of files, are reachable by any user without checking for user identity and authorization. | |||||
| CVE-2017-5930 | 2 Opensuse, Postfixadmin Project | 2 Leap, Postfixadmin | 2020-02-26 | 3.5 LOW | 2.7 LOW |
| The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check. | |||||
| CVE-2013-4226 | 1 Drupal | 1 Authenticated User Page Caching | 2020-02-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination as the superuser to obtain sensitive information via the cached pages of the superuser. | |||||
| CVE-2020-6183 | 1 Sap | 1 Host Agent | 2020-02-20 | 6.4 MEDIUM | 6.5 MEDIUM |
| SAP Host Agent, version 7.21, allows an unprivileged user to read the shared memory or write to the shared memory by sending a request to the main SAPOSCOL process and receiving responses that may contain data read with user root privileges, e.g. the size of any directory, system hardware and OS details, leading to Missing Authorization Check vulnerability. | |||||
| CVE-2020-6188 | 1 Sap | 2 Erp, S/4 Hana | 2020-02-19 | 6.5 MEDIUM | 8.8 HIGH |
| VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check. | |||||
| CVE-2020-8772 | 1 Revmakx | 1 Infinitewp Client | 2020-02-11 | 7.5 HIGH | 9.8 CRITICAL |
| The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_mmb_set_request in init.php. Any attacker who knows the username of an administrator can log in. | |||||
| CVE-2020-8811 | 1 Bludit | 1 Bludit | 2020-02-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| ajax/profile-picture-upload.php in Bludit 3.10.0 allows authenticated users to change other users' profile pictures. | |||||
| CVE-2020-5228 | 1 Apereo | 1 Opencast | 2020-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active intervention by users to protect media. This leads to users unknowingly handing out public access to events. The problem has been addressed in Opencast 7.6 and 8.1, where the OAI-PMH endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows. | |||||
| CVE-2013-3960 | 1 Easytimestudio | 1 Easy File Manager | 2020-02-04 | 8.7 HIGH | 9.9 CRITICAL |
| Easytime Studio Easy File Manager 1.1 has an HTTP request security bypass. | |||||
| CVE-2020-6306 | 1 Sap | 1 Leasing | 2020-01-24 | 4.0 MEDIUM | 2.7 LOW |
| Missing authorization check in a transaction within SAP Leasing (update provided in SAP_APPL 6.18, EA-APPL 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16 and 6.17). | |||||
