Total
2555 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-11628 | 1 Primekey | 1 Ejbca | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. It is intended to support restriction of available remote protocols (CMP, ACME, REST, etc.) through the system configuration. These restrictions can be bypassed by modifying the URI string from a client. (EJBCA's internal access control restrictions are still in place, and each respective protocol must be configured to allow for enrollment.)
|
|||||
| CVE-2020-11209 | 1 Qualcomm | 26 Qcs603, Qcs603 Firmware, Qcs605 and 23 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
Improper authorization in DSP process could allow unauthorized users to downgrade the library versions in SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439
|
|||||
| CVE-2020-10786 | 1 Vestacp | 1 Vesta Control Panel | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
A remote command execution in Vesta Control Panel through 0.9.8-26 allows any authenticated user to execute arbitrary commands on the system via cron jobs.
|
|||||
| CVE-2020-10676 | 1 Suse | 1 Rancher | 2024-11-21 | N/A | 8.8 HIGH |
|
In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project.
|
|||||
| CVE-2020-10534 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is locally disabled.
|
|||||
| CVE-2020-10510 | 1 Sun | 1 Ehrd | 2024-11-21 | 4.0 MEDIUM | 8.1 HIGH |
|
Sunnet eHRD, a human training and development management system, contains a vulnerability of Broken Access Control. After login, attackers can use a specific URL, access unauthorized functionality and data.
|
|||||
| CVE-2020-10239 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An issue was discovered in Joomla! before 3.9.16. Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.
|
|||||
| CVE-2020-0981 | 1 Microsoft | 2 Windows 10, Windows Server 2016 | 2024-11-21 | 4.6 MEDIUM | 8.8 HIGH |
|
A security feature bypass vulnerability exists when Windows fails to properly handle token relationships.An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level, leading to a sandbox escape.The update addresses the vulnerability by correcting how Windows handles token relationships, aka 'Windows Token Security Feature Bypass Vulnerability'.
|
|||||
| CVE-2020-0481 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
In AndroidManifest.xml, there is a possible permissions bypass. This could lead to local escalation of privilege allowing a non-system app to send a broadcast it shouldn't have permissions to send, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-157472962
|
|||||
| CVE-2020-0479 | 1 Google | 1 Android | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
|
In callUnchecked of DocumentsProvider.java, there is a possible permissions bypass. This could lead to local escalation of privilege allowing a malicious app to access files available to the DocumentProvider without user permission, with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-157294893
|
|||||
| CVE-2020-0473 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
|
In updateIncomingFileConfirmNotification of BluetoothOppNotification.java, there is a possible permissions bypass. This could lead to local escalation of privilege allowing an attacker with physical possession of the device to transfer files to it over Bluetooth, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-160691486
|
|||||
| CVE-2020-0115 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
In verifyIntentFiltersIfNeeded of PackageManagerService.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-8.0Android ID: A-150038428
|
|||||
| CVE-2020-0097 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
In various methods of PackageManagerService.java, there is a possible permission bypass due to a missing condition for system apps. This could lead to local escalation of privilege with User privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10Android ID: A-145981139
|
|||||
| CVE-2020-0087 | 1 Google | 1 Android | 2024-11-21 | 1.9 LOW | 5.5 MEDIUM |
|
In getProcessPss of ActivityManagerService.java, there is a possible side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-127989044
|
|||||
| CVE-2020-0036 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
In hasPermissions of PermissionMonitor.java, there is a possible access to restricted permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-144679405
|
|||||
| CVE-2019-9364 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
In AudioService, there is a possible trigger of background user audio due to a permissions bypass. This could lead to local information disclosure by playing the background user's audio with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-73364631
|
|||||
| CVE-2019-9272 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In WiFi, there is a possible leak of WiFi state due to a permissions bypass. This could lead to a local information disclosure which could be used to determine device location with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-11596047
|
|||||
| CVE-2019-9149 | 1 Mailvelope | 1 Mailvelope | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
|
Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. By modifying an URL parameter in Mailvelope, an attacker is able to sign (and encrypt) arbitrary messages with Mailvelope, assuming the private key password is cached. A second vulnerability allows an attacker to decrypt an arbitrary message when the GnuPG backend is used in Mailvelope.
|
|||||
| CVE-2019-8512 | 1 Apple | 1 Iphone Os | 2024-11-21 | 7.9 HIGH | 5.7 MEDIUM |
|
This issue was addressed with improved transparency. This issue is fixed in iOS 12.2. A user may authorize an enterprise administrator to remotely wipe their device without appropriate disclosure.
|
|||||
| CVE-2019-8446 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check.
|
|||||
| CVE-2019-8445 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check.
|
|||||
| CVE-2019-7639 | 2 Fedoraproject, Gsi-openssh Project | 2 Fedora, Gsi-openssh | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH |
|
An issue was discovered in gsi-openssh-server 7.9p1 on Fedora 29. If PermitPAMUserChange is set to yes in the /etc/gsissh/sshd_config file, logins succeed with a valid username and an incorrect password, even though a failure entry is recorded in the /var/log/messages file.
|
|||||
| CVE-2019-7304 | 1 Canonical | 2 Snapd, Ubuntu Linux | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1.
|
|||||
| CVE-2019-7258 | 1 Nortekcontrol | 4 Linear Emerge Elite, Linear Emerge Elite Firmware, Linear Emerge Essential and 1 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Linear eMerge E3-Series devices allow Privilege Escalation.
|
|||||
| CVE-2019-6855 | 1 Schneider-electric | 44 Ecostruxure Control Expert, Modicon M340 Bmxp341000, Modicon M340 Bmxp341000 Firmware and 41 more | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
|
Incorrect Authorization vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20) , and Modicon M580 (all versions prior to V3.10), which could cause a bypass of the authentication process between EcoStruxure Control Expert and the M340 and M580 controllers.
|
|||||
| CVE-2019-6838 | 1 Schneider-electric | 8 Meg6260-0410, Meg6260-0410 Firmware, Meg6260-0415 and 5 more | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow a user with low privileges to delete a critical file.
|
|||||
| CVE-2019-6836 | 1 Schneider-electric | 8 Meg6260-0410, Meg6260-0410 Firmware, Meg6260-0415 and 5 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow the file system to access the wrong file.
|
|||||
| CVE-2019-6582 | 1 Siemens | 5 Siveillance Video Management Software 2017 R2, Siveillance Video Management Software 2018 R1, Siveillance Video Management Software 2018 R2 and 2 more | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11.2a), Siveillance VMS 2018 R1 (All versions < V12.1a), Siveillance VMS 2018 R2 (All versions < V12.2a), Siveillance VMS 2018 R3 (All versions < V12.3a), Siveillance VMS 2019 R1 (All versions < V13.1a). An attacker with network access to port 80/TCP can change user-defined event properties without proper authorization. The security vulnerability could be exploited by an authenticated attacker with network access to ...
Show More |
|||||
| CVE-2019-6570 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Due to insufficient checking of user permissions, an attacker may access URLs that require special authorization. An attacker must have access to a low privileged account in order to exploit the vulnerability.
|
|||||
| CVE-2019-6144 | 1 Forcepoint | 1 One Endpoint | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
This vulnerability allows a normal (non-admin) user to disable the Forcepoint One Endpoint (versions 19.04 through 19.08) and bypass DLP and Web protection.
|
|||||
| CVE-2019-5879 | 1 Google | 1 Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Insufficient policy enforcement in extensions in Google Chrome prior to 77.0.3865.75 allowed an attacker who convinced a user to install a malicious extension to read local files via a crafted Chrome Extension.
|
|||||
| CVE-2019-5864 | 1 Google | 1 Chrome | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Insufficient data validation in CORS in Google Chrome prior to 76.0.3809.87 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension.
|
|||||
| CVE-2019-5838 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Insufficient policy enforcement in extensions API in Google Chrome prior to 75.0.3770.80 allowed an attacker who convinced a user to install a malicious extension to bypass restrictions on file URIs via a crafted Chrome Extension.
|
|||||
| CVE-2019-5602 | 1 Freebsd | 1 Freebsd | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
In FreeBSD 12.0-STABLE before r349628, 12.0-RELEASE before 12.0-RELEASE-p7, 11.3-PRERELEASE before r349629, 11.3-RC3 before 11.3-RC3-p1, and 11.2-RELEASE before 11.2-RELEASE-p11, a bug in the cdrom driver allows users with read access to the cdrom device to arbitrarily overwrite kernel memory when media is present thereby allowing a malicious user in the operator group to gain root privileges.
|
|||||
| CVE-2019-5533 | 1 Vmware | 1 Sd-wan By Velocloud | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
In VMware SD-WAN by VeloCloud versions 3.x prior to 3.3.0, the VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information of Managed Service Provider accounts. Among the information is username, first and last name, phone numbers and e-mail address if present but no other personal data. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 4.3.
|
|||||
| CVE-2019-5474 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.
|
|||||
| CVE-2019-5231 | 1 Huawei | 2 P30, P30 Firmware | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
|
P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
|
|||||
| CVE-2019-5220 | 1 Huawei | 6 Honor Magic 2, Honor Magic 2 Firmware, Mate 20 and 3 more | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
|
There is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones. The system does not sufficiently verify the permission, an attacker could do a certain operation on certain step of setup wizard. Successful exploit could allow the attacker bypass the FRP protection. Affected products: Mate 20 X, versions earlier than Ever-AL00B 9.0.0.200(C00E200R2P1); Mate 20, versions earlier than Hima-AL00B/Hima-TL00B 9.0.0.200(C00E200R2P1); Honor Magic 2, versions earlier than Tony-AL00B/ ...
Show More |
|||||
| CVE-2019-4745 | 1 Ibm | 7 Maximo Asset Management, Maximo For Aviation, Maximo For Life Sciences and 4 more | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
IBM Maximo Asset Management 7.6.1.0 could allow a remote attacker to disclose sensitive information to an authenticated user due to disclosing path information in the URL. IBM X-Force ID: 172883.
|
|||||
| CVE-2019-4509 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to incorrect authorization in some components which could allow an authenticated user to obtain sensitive information. IBM X-Force ID: 164430.
|
|||||