Total: 2193 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2017-1000388 | 1 Jenkins | 1 Dependency Graph Viewer | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data.
CVE-2017-18101 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM | Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks.
CVE-2018-1000015 | 1 Jenkins | 1 Pipeline Nodes And Processes | 2023-12-10 | 4.9 MEDIUM | 4.8 MEDIUM | On Jenkins instances with the Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. This did not prevent the execution of Pipeline `node` blocks on those agents due to incorrect permission checks in Pipeline: Nodes and Processes plugin 2.17 and earlier.
CVE-2018-10207 | 1 Vaultize | 1 Enterprise File Sharing | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. An attacker can exploit missing authorization on the FlexPaperViewer SWF reader and export files that should have been restricted, via vectors involving page-by-page access to a document in SWF format.
CVE-2018-7689 | 1 Opensuse | 1 Open Build Service | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2.9.3 allowed authenticated users to modify packages where they do not have write permissions.
CVE-2018-1116 | 3 Canonical, Debian, Polkit Project | 3 Ubuntu Linux, Debian Linux, Polkit | 2023-12-10 | 3.6 LOW | 4.4 MEDIUM | A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows a caller to test for authentication, and to trigger authentication, of unrelated processes owned by other users. This may result in a local DoS and information disclosure.
CVE-2018-10092 | 1 Dolibarr | 1 Dolibarr | 2023-12-10 | 6.0 MEDIUM | 8.0 HIGH | The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads.
CVE-2018-6000 | 1 Asus | 1 Asuswrt | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.
CVE-2017-1000400 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | The remote API at /job/(job-name)/api in Jenkins 2.73.1 and earlier, and 2.83 and earlier, contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.
CVE-2018-5113 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | The "browser.identity.launchWebAuthFlow" function of WebExtensions is only allowed to load content over "https:", but this requirement was not properly enforced. This can potentially allow privileged pages to be loaded by the extension. This vulnerability affects Firefox < 58.
CVE-2018-2412 | 1 Sap | 1 Disclosure Management | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
CVE-2018-0317 | 1 Cisco | 2 Prime Collaboration, Prime Collaboration Provisioning | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | A vulnerability in the web interface of Cisco Prime Collaboration Provisioning (PCP) could allow an authenticated, remote attacker to escalate their privileges. The vulnerability is due to insufficient web portal access control checks. An attacker could exploit this vulnerability by modifying an access request. An exploit could allow the attacker to promote their account to any role defined on the system. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.2 and prior. Cisco Bug IDs: CSCvc90286.
CVE-2018-2413 | 1 Sap | 1 Disclosure Management | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
CVE-2018-9039 | 1 Octopus | 1 Octopus Deploy | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user with variable edit permissions can scope some variables to targets beyond what their permissions should allow. In other words, they can see machines beyond their team's scoped environments.
CVE-2018-7702 | 1 Securenvoy | 1 Securmail | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL | SecurEnvoy SecurMail before 9.2.501 allows remote attackers to spoof transmission of arbitrary e-mail messages, resend e-mail messages to arbitrary recipients, or modify arbitrary message bodies and attachments by leveraging missing authentication and authorization.
CVE-2018-0322 | 1 Cisco | 2 Prime Collaboration, Prime Collaboration Provisioning | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | A vulnerability in the web management interface of Cisco Prime Collaboration Provisioning (PCP) could allow an authenticated, remote attacker to modify sensitive data that is associated with arbitrary accounts on an affected device. The vulnerability is due to a failure to enforce access restrictions on the Help Desk and User Provisioning roles that are assigned to authenticated users. This failure could allow an authenticated attacker to modify critical attributes of higher-privileged accounts on the device. A successful exploit could allow the attacker to gain elevated privileges on the device. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.1 and prior. Cisco Bug IDs: CSCvd61779.
CVE-2018-7688 | 1 Opensuse | 1 Open Build Service | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in the review handling of openSUSE Open Build Service before 2.9.3 allowed all authenticated users to modify sources in projects where they do not have write permissions.
CVE-2018-2436 | 1 Sap | 1 R/3 Enterprise Retail | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | Executing transaction WRCK in SAP R/3 Enterprise Retail (EHP6) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
CVE-2018-1217 | 1 Dell | 2 Emc Avamar, Emc Integrated Data Protection Appliance | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to the Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to log in to Dell EMC Online Support, impersonating the AVI service actions using those credentials.
CVE-2018-5135 | 1 Mozilla | 1 Firefox | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | WebExtensions can bypass normal restrictions in some circumstances and use "browser.tabs.executeScript" to inject scripts into contexts where this should not be allowed, such as pages from other WebExtensions or unprivileged "about:" pages. This vulnerability affects Firefox < 59.
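Most entries in this list share one root cause: an endpoint checks that the caller is logged in (or checks nothing at all) but never checks that the caller holds the permission governing the specific data being changed or returned. The following is an added illustration, not code from Jenkins or any other product in the table. It models the two variants that recur above, a state-changing API with no permission check beyond Overall/Read (as in CVE-2017-1000388) and a read API that returns related items the caller cannot read (as in CVE-2017-1000400), next to the hardened versions, and ends with the regression check a maintainer would keep: call every mutating operation as a low-privilege user and expect a denial. The permission names Overall/Read and Item/Read come from the table; Item/Configure, the job names and the `Server` class are assumptions made for the example.

```python
"""Function-level vs. object-level authorization, shown as a vulnerable/fixed pair.

Constructed example; it is not the code of any product listed above.
Permission names Overall/Read and Item/Read mirror the table's entries;
Item/Configure and the job layout below are assumed for illustration.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller lacks the permission an operation requires."""


@dataclass
class User:
    name: str
    global_perms: set   # permissions that apply to every object, e.g. {"Overall/Read"}
    job_perms: dict     # job name -> set of per-object permissions

    def has(self, perm, job=None):
        """A global grant applies everywhere; otherwise look at the specific job."""
        if perm in self.global_perms:
            return True
        return job is not None and perm in self.job_perms.get(job, set())


@dataclass
class Job:
    name: str
    downstream: list    # names of jobs this job triggers


class Server:
    def __init__(self, jobs):
        self.jobs = {j.name: j for j in jobs}
        self.graph_edges = set()   # the "dependency graph" data an API endpoint edits

    # Vulnerable (CWE-862): being logged in is the only thing checked, so any
    # Overall/Read holder can rewrite the graph.
    def add_edge_vulnerable(self, user, src, dst):
        if not user.has("Overall/Read"):
            raise Forbidden("login required")
        self.graph_edges.add((src, dst))

    # Fixed: the edit touches two jobs, so require the configure permission on
    # each of them (object-level), not just a login (function-level).
    def add_edge(self, user, src, dst):
        if not user.has("Overall/Read"):
            raise Forbidden("login required")
        for job in (src, dst):
            if job not in self.jobs:
                raise KeyError(job)
            if not user.has("Item/Configure", job):
                raise Forbidden(f"{user.name} may not configure {job}")
        self.graph_edges.add((src, dst))

    # Vulnerable: the caller may read `job`, but the response names every
    # downstream job, including ones the caller has no Item/Read on.
    def api_downstream_vulnerable(self, user, job):
        if not user.has("Item/Read", job):
            raise Forbidden(f"{user.name} may not read {job}")
        return list(self.jobs[job].downstream)

    # Fixed: filter related objects by the caller's own permission on each one.
    def api_downstream(self, user, job):
        if not user.has("Item/Read", job):
            raise Forbidden(f"{user.name} may not read {job}")
        return [d for d in self.jobs[job].downstream if user.has("Item/Read", d)]


def authz_regression(server, low_priv_user):
    """Call every state-changing operation as a low-privilege user.

    Returns the names of operations that did NOT raise Forbidden; an empty
    list is the expected result, anything else is a missing permission check.
    """
    saved = set(server.graph_edges)
    missing = []
    for name in ("add_edge_vulnerable", "add_edge"):
        try:
            getattr(server, name)(low_priv_user, "build", "deploy")
        except Forbidden:
            continue
        missing.append(name)
    server.graph_edges = saved   # undo whatever the vulnerable path changed
    return missing


def make_server():
    """Constructed sample: 'build' fans out to 'test' and 'deploy'."""
    return Server([Job("build", ["test", "deploy"]), Job("test", []), Job("deploy", [])])


def make_users():
    """alice can read build and test only; admin holds everything globally."""
    alice = User("alice", {"Overall/Read"}, {"build": {"Item/Read"}, "test": {"Item/Read"}})
    admin = User("admin", {"Overall/Read", "Item/Read", "Item/Configure"}, {})
    return alice, admin


if __name__ == "__main__":
    srv = make_server()
    alice, admin = make_users()
    print("operations missing a check:", authz_regression(srv, alice))
    print("leaky listing:", srv.api_downstream_vulnerable(alice, "build"))
    print("filtered listing:", srv.api_downstream(alice, "build"))
```

The regression function is the part worth keeping in a real code base: it enumerates mutating routes rather than testing one, so a newly added endpoint without a check shows up in the result instead of shipping silently. The same shape works for the read side by asserting that listings never contain object names the test user has no Item/Read on.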