Search
Total
1115 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-24595 | 1 Mitel | 1 Micloud Management Portal | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to retrieve sensitive information due to insufficient access control. | |||||
| CVE-2020-25283 | 1 Google | 1 Android | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. BT manager allows attackers to bypass intended access restrictions on a certain mode. The LG ID is LVE-SMP-200021 (September 2020). | |||||
| CVE-2019-10596 | 1 Qualcomm | 38 Bitra, Bitra Firmware, Nicobar and 35 more | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| u'Improper access control can lead signed process to guess pid of other processes and access their address space' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in Bitra, Nicobar, QCS605, QCS610, Rennell, SA6155P, Saipan, SC7180, SC8180X, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 | |||||
| CVE-2020-8576 | 1 Netapp | 1 Clustered Data Ontap | 2021-07-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| Clustered Data ONTAP versions prior to 9.3P19, 9.5P14, 9.6P9 and 9.7 are susceptible to a vulnerability which when successfully exploited could lead to addition or modification of data or disclosure of sensitive information. | |||||
| CVE-2020-12621 | 1 Teamwire | 1 Teamwire | 2021-07-21 | 3.6 LOW | 6.1 MEDIUM |
| The Teamwire application 5.3.0 for Android allows physically proximate attackers to exploit a flaw related to the pass-code component. | |||||
| CVE-2020-12776 | 1 Openfind | 1 Mail2000 | 2021-07-21 | 9.0 HIGH | 7.2 HIGH |
| Openfind Mail2000 contains Broken Access Control vulnerability, which can be used to execute unauthorized commands after attackers obtain the administrator access token or cookie. | |||||
| CVE-2020-25049 | 1 Google | 1 Android | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. StatusBarService has insufficient DEX access control. The Samsung ID is SVE-2020-17797 (August 2020). | |||||
| CVE-2020-13593 | 1 Ti | 1 Simplelink-cc2640r2 Software Development Kit | 2021-07-21 | 5.8 MEDIUM | 8.8 HIGH |
| The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation in Texas Instruments SimpleLink SIMPLELINK-CC2640R2-SDK through 2.2.3 allows the Diffie-Hellman check during the Secure Connection pairing to be skipped if the Link Layer encryption setup is performed earlier. An attacker in radio range can achieve arbitrary read/write access to protected GATT service data, cause a denial of service, or possibly control a device's function by establishing an encrypted session with an unauthenticated Long Term Key (LTK). | |||||
| CVE-2020-12643 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address. | |||||
| CVE-2019-5321 | 1 Arubanetworks | 12 2530, 2530 Firmware, 2540 and 9 more | 2021-07-21 | 9.3 HIGH | 8.8 HIGH |
| Aruba Intelligent Edge Switch Series 2540, 2530, 2930F, 2930M, 2920, 5400R, and 3810M with firmware 16.08.* before 16.08.0009, 16.09.* before 16.09.0007, 16.10.* before 16.10.0003 are vulnerable to Remote Unauthorized Access in the WebUI. | |||||
| CVE-2019-11862 | 1 Sierrawireless | 13 Airlink Es440, Airlink Es450, Airlink Gx400 and 10 more | 2021-07-21 | 4.6 MEDIUM | 8.4 HIGH |
| The SSH service on ALEOS before 4.12.0, 4.9.5, 4.4.9 allows traffic proxying. | |||||
| CVE-2020-15868 | 1 Sonatype | 1 Nexus Repository Manager | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control. | |||||
| CVE-2020-9248 | 1 Huawei | 1 Fusioncompute | 2021-07-21 | 4.6 MEDIUM | 6.7 MEDIUM |
| Huawei FusionComput 8.0.0 have an improper authorization vulnerability. A module does not verify some input correctly and authorizes files with incorrect access. Attackers can exploit this vulnerability to launch privilege escalation attack. This can compromise normal service. | |||||
| CVE-2020-9692 | 1 Magento | 1 Magento | 2021-07-21 | 8.5 HIGH | 6.5 MEDIUM |
| Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2019-16244 | 1 Openmicroscopy | 1 Omero.server | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| OMERO.server before 5.6.1 allows attackers to bypass the security filters and access hidden objects via a crafted query. | |||||
| CVE-2020-4029 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability. | |||||
| CVE-2020-14165 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability. | |||||
| CVE-2020-5582 | 1 Cybozu | 1 Garoon | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Cybozu Garoon 4.0.0 to 5.0.1 allows remote authenticated attackers to bypass access restriction to alter the data for the file attached to Report via unspecified vectors. | |||||
| CVE-2020-0064 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An improper authorization while processing the provisioning data.Product: AndroidVersions: Android SoCAndroid ID: A-149866855 | |||||
| CVE-2020-11680 | 1 Castel | 2 Nextgen Dvr, Nextgen Dvr Firmware | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Castel NextGen DVR v1.0.0 is vulnerable to authorization bypass on all administrator functionality. The application fails to check that a request was submitted by an administrator. Consequently, a normal user can perform actions including, but not limited to, creating/modifying the file store, creating/modifying alerts, creating/modifying users, etc. | |||||
| CVE-2020-1797 | 1 Huawei | 2 Mate 20, Mate 20 Firmware | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.185(C00E74R3P8) have an improper authorization vulnerability. The system does not properly restrict certain operation in ADB mode, successful exploit could allow certain user break the limit of digital balance function. | |||||
| CVE-2020-12874 | 1 Veritas | 1 Aptare | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Veritas APTARE versions prior to 10.4 included code that bypassed the normal login process when specific authentication credentials were provided to the server. | |||||
| CVE-2020-12745 | 1 Google | 1 Android | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with Q(10.0) software. Attackers can bypass the locked-state protection mechanism and access clipboard content via USSD. The Samsung ID is SVE-2019-16556 (May 2020). | |||||
| CVE-2020-12669 | 1 Dolibarr | 1 Dolibarr | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter. | |||||
| CVE-2020-11891 | 1 Joomla | 1 Joomla\! | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups. | |||||
| CVE-2020-10952 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images. | |||||
| CVE-2020-5863 | 1 F5 | 1 Nginx Controller | 2021-07-21 | 7.5 HIGH | 8.6 HIGH |
| In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cannot view or modify any other components of the system. | |||||
| CVE-2020-10839 | 1 Google | 1 Android | 2021-07-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. Attackers can bypass Factory Reset Protection (FRP) via a SIM card. The Samsung ID is SVE-2019-16193 (February 2020). | |||||
| CVE-2020-10117 | 1 Cpanel | 1 Cpanel | 2021-07-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542). | |||||
| CVE-2020-10116 | 1 Cpanel | 1 Cpanel | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541). | |||||
| CVE-2020-5194 | 1 Cerberusftp | 1 Ftp Server | 2021-07-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists. | |||||
| CVE-2020-0047 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 3.3 LOW |
| In setMasterMute of AudioService.java, there is a missing permission check. This could lead to local silencing of audio with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-141622311 | |||||
| CVE-2020-8664 | 1 Cncf | 1 Envoy | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| CNCF Envoy through 1.13.0 has incorrect Access Control when using SDS with Combined Validation Context. Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context to be not applied, even though it was visible in the active config dump. | |||||
| CVE-2020-3844 | 1 Apple | 2 Ipados, Iphone Os | 2021-07-21 | 2.1 LOW | 3.3 LOW |
| This issue was addressed with improved checks. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. Users removed from an iMessage conversation may still be able to alter state. | |||||
| CVE-2020-0702 | 1 Microsoft | 2 Surface Hub, Surface Hub Firmware | 2021-07-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| A security feature bypass vulnerability exists in Surface Hub when prompting for credentials, aka 'Surface Hub Security Feature Bypass Vulnerability'. | |||||
| CVE-2020-5197 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 3.5 LOW | 4.3 MEDIUM |
| An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 5.1 through 12.6.1. It has Incorrect Access Control. | |||||
| CVE-2021-26273 | 1 Ninjarmm | 1 Ninjarmm | 2021-07-08 | 4.6 MEDIUM | 7.8 HIGH |
| The Agent in NinjaRMM 5.0.909 has Incorrect Access Control. | |||||
| CVE-2021-34626 | 1 Wp-upload-restriction Project | 1 Wp-upload-restriction | 2021-07-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the deleteCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to delete custom extensions added by administrators. This issue affects versions 2.2.3 and prior. | |||||
| CVE-2021-34627 | 1 Wp-upload-restriction Project | 1 Wp-upload-restriction | 2021-07-08 | 3.5 LOW | 4.3 MEDIUM |
| A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by administrators. This issue affects versions 2.2.3 and prior. | |||||
| CVE-2021-27661 | 1 Johnsoncontrols | 2 F4-snc, F4-snc Firmware | 2021-07-07 | 6.5 MEDIUM | 8.8 HIGH |
| Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC. | |||||
| CVE-2021-36132 | 1 Mediawiki | 1 Mediawiki | 2021-07-07 | 6.0 MEDIUM | 8.8 HIGH |
| An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform operations (specifically file uploads) that they should not be allowed to perform. | |||||
| CVE-2021-21670 | 1 Jenkins | 1 Jenkins | 2021-07-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. | |||||
| CVE-2021-25652 | 1 Avaya | 1 Aura Appliance Virtualization Platform | 2021-06-30 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Appliance Virtualization Platform Utilities (AVPU). This vulnerability may potentially allow any local user to access system functionality and configuration information that should only be available to a privileged user. Affects versions 8.0.0.0 through 8.1.3.1 of AVPU. | |||||
| CVE-2021-32701 | 1 Ory | 1 Oathkeeper | 2021-06-30 | 4.3 MEDIUM | 7.5 HIGH |
| ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token granted with that `foo` scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope `bar` is made before the cache has expired. Whether the token is granted or not to the `bar` scope, introspection will be valid. A patch will be released with `v0.38.12-beta.1`. Per default, caching is disabled for the `oauth2_introspection` authenticator. When caching is disabled, this vulnerability does not exist. The cache is checked in [`func (a *AuthenticatorOAuth2Introspection) Authenticate(...)`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). From [`tokenFromCache()`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process. | |||||
| CVE-2010-2525 | 1 Linux | 1 Linux Kernel | 2021-06-28 | 7.2 HIGH | 7.8 HIGH |
| A flaw was discovered in gfs2 file system’s handling of acls (access control lists). An unprivileged local attacker could exploit this flaw to gain access or execute any file stored in the gfs2 file system. | |||||
| CVE-2021-26845 | 1 Abb | 1 Esoms | 2021-06-25 | 5.0 MEDIUM | 7.5 HIGH |
| Information Exposure vulnerability in Hitachi ABB Power Grids eSOMS allows unauthorized user to gain access to report data if the URL used to access the report is discovered. This issue affects: Hitachi ABB Power Grids eSOMS 6.0 versions prior to 6.0.4.2.2; 6.1 versions prior to 6.1.4; 6.3 versions prior to 6.3. | |||||
| CVE-2020-20466 | 1 White Shark Systems Project | 1 White Shark Systems | 2021-06-23 | 7.5 HIGH | 9.8 CRITICAL |
| White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user. | |||||
| CVE-2020-20471 | 1 White Shark Systems Project | 1 White Shark Systems | 2021-06-23 | 9.0 HIGH | 8.8 HIGH |
| White Shark System (WSS) 1.3.2 has an unauthorized access vulnerability in default_user_edit.php, remote attackers can exploit this vulnerability to escalate to admin privileges. | |||||
| CVE-2020-28872 | 1 Monitorr Project | 1 Monitorr | 2021-06-23 | 7.5 HIGH | 9.8 CRITICAL |
| An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials. | |||||
| CVE-2021-25399 | 1 Samsung | 1 Smart Manager | 2021-06-21 | 3.6 LOW | 7.1 HIGH |
| Improper configuration in Smart Manager prior to version 11.0.05.0 allows attacker to access the file with system privilege. | |||||