Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-269
Total 1509 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-20193 1 Pulsesecure 1 Secure Access Series Ssl Vpn Sa-4000 2019-10-02 4.0 MEDIUM 8.8 HIGH
Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by Pulse Secure, LLC) allow privilege escalation, as demonstrated by Secure Access SSL VPN SA-4000 5.1R5 (build 9627) 4.2 Release (build 7631). This occurs because appropriate controls are not performed. Specifically, it is possible for a readonly user to change the administrator user password by making a local copy of the /dana-admin/user/update.cgi page, changing the "user" value, and saving the changes.
CVE-2017-6728 1 Cisco 1 Ios Xr 2019-10-02 6.9 MEDIUM 7.0 HIGH
A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary code at the root privilege level on an affected system, because of Incorrect Permissions. More Information: CSCvb99389. Known Affected Releases: 6.2.1.BASE. Known Fixed Releases: 6.3.1.15i.BASE 6.2.3.1i.BASE 6.2.2.15i.BASE 6.1.4.10i.BASE.
CVE-2018-2481 1 Sap 1 Advanced Business Application Programming 2019-10-02 6.5 MEDIUM 7.2 HIGH
In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality.
CVE-2018-3682 1 Intel 70 Bbs2600bpb, Bbs2600bpq, Bbs2600bps and 67 more 2019-10-02 4.6 MEDIUM 8.2 HIGH
BMC Firmware in Intel server boards, compute modules, and systems potentially allow an attacker with administrative privileges to make unauthorized read\writes to the SMBUS.
CVE-2018-4173 1 Apple 2 Iphone Os, Mac Os X 2019-10-02 4.3 MEDIUM 5.5 MEDIUM
An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the "Status Bar" component. It allows invisible microphone access via a crafted app.
CVE-2018-4310 1 Apple 2 Iphone Os, Mac Os X 2019-10-02 7.5 HIGH 10.0 CRITICAL
An access issue was addressed with additional sandbox restrictions. This issue affected versions prior to iOS 12, macOS Mojave 10.14.
CVE-2017-6732 1 Cisco 1 Prime Network 2019-10-02 7.2 HIGH 6.7 MEDIUM
A vulnerability in the installation procedure for Cisco Prime Network Software could allow an authenticated, local attacker to elevate their privileges to root privileges. More Information: CSCvd47343. Known Affected Releases: 4.2(2.1)PP1 4.2(3.0)PP6 4.3(0.0)PP4 4.3(1.0)PP2. Known Fixed Releases: 4.3(2).
CVE-2017-6767 1 Cisco 1 Application Policy Infrastructure Controller 2019-10-02 4.6 MEDIUM 7.1 HIGH
A vulnerability in Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to gain higher privileges than the account is assigned. The attacker will be granted the privileges of the last user to log in, regardless of whether those privileges are higher or lower than what should have been granted. The attacker cannot gain root-level privileges. The vulnerability is due to a limitation with how Role-Based Access Control (RBAC) grants privileges to remotely authenticated users when login occurs via SSH directly to the local management interface of the APIC. An attacker could exploit this vulnerability by authenticating to the targeted device. The attacker's privilege level will be modified to match that of the last user to log in via SSH. An exploit could allow the attacker to gain elevated privileges and perform CLI commands that should be restricted by the attacker's configured role. Cisco Bug IDs: CSCvc34335. Known Affected Releases: 1.0(1e), 1.0(1h), 1.0(1k), 1.0(1n), 1.0(2j), 1.0(2m), 1.0(3f), 1.0(3i), 1.0(3k), 1.0(3n), 1.0(4h), 1.0(4o); 1.1(0.920a), 1.1(1j), 1.1(3f); 1.2 Base, 1.2(2), 1.2(3), 1.2.2; 1.3(1), 1.3(2), 1.3(2f); 2.0 Base, 2.0(1).
CVE-2018-4862 1 Octopus 1 Octopus Deploy 2019-10-02 6.5 MEDIUM 8.8 HIGH
In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could reference an Azure account in such a way as to bypass the scoping restrictions, resulting in a potential escalation of privileges.
CVE-2018-5166 2 Canonical, Mozilla 2 Ubuntu Linux, Firefox 2019-10-02 5.0 MEDIUM 7.5 HIGH
WebExtensions can use request redirection and a "filterReponseData" filter to bypass host permission settings to redirect network traffic and access content from a host for which they do not have explicit user permission. This vulnerability affects Firefox < 60.
CVE-2018-5756 1 Open-xchange 1 Open-xchange Appsuite 2019-10-02 4.0 MEDIUM 4.3 MEDIUM
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via the task id in a delete action to api/tasks.
CVE-2018-5706 1 Octopus 1 Octopus Deploy 2019-10-02 6.5 MEDIUM 8.8 HIGH
An issue was discovered in Octopus Deploy before 4.1.9. Any user with user editing permissions can modify teams to give themselves Administer System permissions even if they didn't have them, as demonstrated by use of the RoleEdit or TeamEdit permission.
CVE-2018-5839 1 Qualcomm 60 Mdm9150, Mdm9150 Firmware, Mdm9615 and 57 more 2019-10-02 6.6 MEDIUM 7.1 HIGH
Improperly configured memory protection allows read/write access to modem image from HLOS kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in versions MDM9150, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8996AU, QCS605, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SDX20, SXR1130.
CVE-2018-5884 1 Qualcomm 24 Mdm9206, Mdm9206 Firmware, Mdm9607 and 21 more 2019-10-02 4.6 MEDIUM 8.4 HIGH
Improper Access Control in Multimedia in Snapdragon Mobile and Snapdragon Wear, Non-standard applications without permission may acquire permission of Qualcomm-specific proprietary intents.
CVE-2018-6080 3 Debian, Google, Redhat 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more 2019-10-02 4.3 MEDIUM 6.5 MEDIUM
Lack of access control checks in Instrumentation in Google Chrome prior to 65.0.3325.146 allowed a remote attacker who had compromised the renderer process to obtain memory metadata from privileged processes .
CVE-2017-6954 1 Buddypress 1 Buddypress 2019-10-02 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in includes/component.php in the BuddyPress Docs plugin before 1.9.3 for WordPress. It is possible for authenticated users to edit documents of other users without proper permissions.
CVE-2018-10190 1 Londontrustmedia 1 Private Internet Access 2019-10-02 7.2 HIGH 7.8 HIGH
A vulnerability in London Trust Media Private Internet Access (PIA) VPN Client v77 for Windows could allow an unauthenticated, local attacker to run executable files with elevated privileges. The vulnerability is due to insufficient implementation of access controls. The "Changelog" and "Help" options available from the system tray context menu spawn an elevated instance of the user's default web browser. An attacker could exploit this vulnerability by selecting "Run as Administrator" from the context menu of an executable file within the file browser of the spawned default web browser. This may allow the attacker to execute privileged commands on the targeted system.
CVE-2017-7489 1 Moodle 1 Moodle 2019-10-02 6.5 MEDIUM 6.3 MEDIUM
In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
CVE-2017-7532 1 Moodle 1 Moodle 2019-10-02 4.0 MEDIUM 6.5 MEDIUM
In Moodle 3.x, course creators are able to change system default settings for courses.
CVE-2017-7767 2 Microsoft, Mozilla 3 Windows, Firefox, Firefox Esr 2019-10-02 2.1 LOW 5.5 MEDIUM
The Mozilla Maintenance Service can be invoked by an unprivileged user to overwrite arbitrary files with junk data using the Mozilla Windows Updater, which runs with the Maintenance Service's privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54.