Total
2193 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-8012 | 3 Apache, Debian, Oracle | 3 Zookeeper, Debian Linux, Goldengate Stream Analytics | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader. | |||||
| CVE-2018-0092 | 1 Cisco | 20 Nexus 92160yc Switch, Nexus 92300yc Switch, Nexus 92304qc Switch and 17 more | 2023-12-10 | 3.6 LOW | 7.1 HIGH |
| A vulnerability in the network-operator user role implementation for Cisco NX-OS System Software could allow an authenticated, local attacker to improperly delete valid user accounts. The network-operator role should not be able to delete other configured users on the device. The vulnerability is due to a lack of proper role-based access control (RBAC) checks for the actions that a user with the network-operator role is allowed to perform. An attacker could exploit this vulnerability by authenticating to the device with user credentials that give that user the network-operator role. Successful exploitation could allow the attacker to impact the integrity of the device by deleting configured user credentials. The attacker would need valid user credentials for the device. This vulnerability affects the following Cisco products running Cisco NX-OS System Software: Nexus 3000 Series Switches, Nexus 3600 Platform Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCvg21120. | |||||
| CVE-2017-13247 | 1 Google | 1 Android | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
| In the Pixel 2 bootloader, there is a missing permission check which bypasses carrier bootloader lock. This could lead to local elevation of privileges with user execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-71486645. | |||||
| CVE-2018-2419 | 1 Sap | 3 Ea-finserv, S4core, Sapscore | 2023-12-10 | 5.5 MEDIUM | 4.6 MEDIUM |
| SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2017-1000390 | 1 Jenkins | 1 Multijob | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Multijob plugin version 1.25 and earlier did not check permissions in the Resume Build action, allowing anyone with Job/Read permission to resume the build. | |||||
| CVE-2018-1000022 | 1 Electrum | 1 Bitcoin Wallet | 2023-12-10 | 2.6 LOW | 5.3 MEDIUM |
| Electrum Technologies GmbH Electrum Bitcoin Wallet version prior to version 3.0.5 contains a Missing Authorization vulnerability in JSONRPC interface that can result in Bitcoin theft, if the user's wallet is not password protected. This attack appear to be exploitable via The victim must visit a web page with specially crafted javascript. This vulnerability appears to have been fixed in 3.0.5. | |||||
| CVE-2017-9513 | 1 Atlassian | 1 Activity Streams | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM |
| Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks. | |||||
| CVE-2018-0336 | 1 Cisco | 1 Prime Collaboration | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in the batch provisioning feature of Cisco Prime Collaboration Provisioning could allow an authenticated, remote attacker to escalate privileges to the Administrator level. The vulnerability is due to insufficient authorization enforcement on batch processing. An attacker could exploit this vulnerability by uploading a batch file and having the batch file processed by the system. A successful exploit could allow the attacker to escalate privileges to the Administrator level. Cisco Bug IDs: CSCvd86578. | |||||
| CVE-2017-17693 | 1 Techno - Portfolio Management Panel Project | 1 Techno - Portfolio Management Panel | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Techno - Portfolio Management Panel through 2017-11-16 does not check authorization for panel/portfolio.php?action=delete requests that remove feedback. | |||||
| CVE-2017-9036 | 1 Trendmicro | 1 Serverprotect | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
| Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows local users to gain privileges by leveraging an unrestricted quarantine directory. | |||||
| CVE-2017-8083 | 1 Compulab | 4 Intense Pc, Intense Pc Firmware, Mintbox 2 and 1 more | 2023-12-10 | 7.2 HIGH | 6.7 MEDIUM |
| CompuLab Intense PC and MintBox 2 devices with BIOS before 2017-05-21 do not use the CloseMnf protection mechanism for write protection of flash memory regions, which allows local users to install a firmware rootkit by leveraging administrative privileges. | |||||
| CVE-2017-11135 | 1 Stashcat | 1 Heinekingmedia | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. The logout mechanism does not check for authorization. Therefore, an attacker only needs to know the device ID. This causes a denial of service. This might be interpreted as a vulnerability in customer-controlled software, in the sense that the StashCat client side has no secure way to signal that it is ending a session and that data should be deleted. | |||||
| CVE-2017-10846 | 1 Nttdocomo | 2 Wi-fi Station L-02f, Wi-fi Station L-02f Firmware | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| Wi-Fi STATION L-02F Software version V10b and earlier allows remote attackers to bypass access restrictions to obtain information on device settings via unspecified vectors. | |||||
| CVE-2017-1000086 | 1 Jenkins | 1 Periodic Backup | 2023-12-10 | 6.0 MEDIUM | 8.0 HIGH |
| The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. | |||||
| CVE-2017-1002006 | 1 Dtracker Project | 1 Dtracker | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| Vulnerability in wordpress plugin DTracker v1.5, The code dtracker/save_contact.php doesn't check that the user is authorized before injecting new contacts into the wp_contact table. | |||||
| CVE-2017-13209 | 1 Google | 1 Android | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
| In the ServiceManager::add function in the hardware service manager, there is an insecure permissions check based on the PID of the caller which could allow an application or service to replace a HAL service with its own service. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-68217907. | |||||
| CVE-2017-17450 | 1 Linux | 1 Linux Kernel | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
| net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces. | |||||
| CVE-2017-1000243 | 1 Jenkins | 1 Favorite Plugin | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites | |||||
| CVE-2017-12084 | 1 Meetcircle | 2 Circle With Disney, Circle With Disney Firmware | 2023-12-10 | 6.0 MEDIUM | 6.6 MEDIUM |
| A backdoor vulnerability exists in remote control functionality of Circle with Disney running firmware 2.0.1. A specific set of network packets can remotely start an SSH server on the device, resulting in a persistent backdoor. An attacker can send an API call to enable the SSH server. | |||||
| CVE-2017-17448 | 1 Linux | 1 Linux Kernel | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
| net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces. | |||||