Total: 61 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-9327 | 1 Cloudera | 1 Cloudera Manager | 2019-07-11 | 4.0 MEDIUM | 6.5 MEDIUM |
Secret data of processes managed by CM is not secured by file permissions. | |||||
CVE-2017-17060 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-05-23 | 7.5 HIGH | 9.8 CRITICAL |
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Insecure Permissions. | |||||
CVE-2014-1631 | 1 Eventum Project | 1 Eventum | 2019-04-26 | 5.0 MEDIUM | 7.5 HIGH |
Eventum before 2.3.5 allows remote attackers to reinstall the application via direct request to /setup/index.php. | |||||
CVE-2014-1632 | 1 Eventum Project | 1 Eventum | 2019-04-26 | 9.3 HIGH | 8.1 HIGH |
htdocs/setup/index.php in Eventum before 2.3.5 allows remote attackers to inject and execute arbitrary PHP code via the hostname parameter. | |||||
CVE-2016-6715 | 1 Google | 1 Android | 2019-03-07 | 4.3 MEDIUM | 5.5 MEDIUM |
An elevation of privilege vulnerability in the Framework APIs in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-11-01, and 7.0 before 2016-11-01 could allow a local malicious application to record audio without the user's permission. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission.) Android ID: A-29833954. | |||||
CVE-2016-6719 | 1 Google | 1 Android | 2019-03-07 | 4.3 MEDIUM | 5.5 MEDIUM |
An elevation of privilege vulnerability in the Bluetooth component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-11-01, and 7.0 before 2016-11-01 could enable a local malicious application to pair with any Bluetooth device without user consent. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission.) Android ID: A-29043989. | |||||
CVE-2014-6047 | 1 Phpmyfaq | 1 Phpmyfaq | 2018-10-23 | 5.0 MEDIUM | 5.3 MEDIUM |
phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to read arbitrary attachments by leveraging incorrect "download an attachment" permission checks. | |||||
CVE-2015-8300 | 1 Polycom | 1 Btoe Connector | 2018-09-26 | 7.2 HIGH | 7.8 HIGH |
Polycom BToE Connector before 3.0.0 uses weak permissions (Everyone: Full Control) for "Program Files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe," which allows local users to gain privileges via a Trojan horse file. | |||||
CVE-2016-9061 | 2 Google, Mozilla | 2 Android, Firefox | 2018-07-30 | 5.0 MEDIUM | 7.5 HIGH |
A previously installed malicious Android application which defines specific signature-level permissions used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. | |||||
CVE-2016-5299 | 2 Google, Mozilla | 2 Android, Firefox | 2018-07-30 | 5.0 MEDIUM | 7.5 HIGH |
A previously installed malicious Android application with the same signature-level permissions as Firefox can intercept AuthTokens meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. | |||||
CVE-2013-4040 | 1 Ibm | 1 Tivoli Application Dependency Discovery Manager | 2018-06-13 | 2.1 LOW | 5.5 MEDIUM |
IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2.x before 7.2.1.5 and 7.2.x before 7.2.2.0 on Unix use weak permissions (755) for unspecified configuration and log files, which allows local users to obtain sensitive information by reading the files. IBM X-Force ID: 86176. | |||||
CVE-2012-5628 | 1 Gofer Project | 1 Gofer | 2018-06-07 | 3.6 LOW | 4.4 MEDIUM |
gofer before 0.68 uses world-writable permissions for /var/lib/gofer/journal/watchdog, which allows local users to cause a denial of service by removing journal entries. | |||||
CVE-2017-11463 | 1 Ivanti | 1 Endpoint Manager | 2018-03-27 | 6.5 MEDIUM | 8.8 HIGH |
In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016.3 and 2017.3, an Unrestricted Direct Object Reference leads to referencing/updating objects belonging to other users. In other words, a normal user can send requests to a specific URI with the target user's username in an HTTP payload in order to retrieve a key/token and use it to access/update objects belonging to other users. Such objects could be user profiles, tickets, incidents, etc. | |||||
CVE-2016-8520 | 1 Eucalyptus | 1 Eucalyptus | 2018-03-13 | 6.5 MEDIUM | 8.8 HIGH |
HPE Helion Eucalyptus v4.3.0 and earlier does not correctly check IAM user's permissions for accessing versioned objects and ACLs. In some cases, authenticated users with S3 permissions could also access versioned data. | |||||
CVE-2017-5809 | 1 Hp | 1 Data Protector | 2018-03-07 | 4.9 MEDIUM | 5.5 MEDIUM |
A Remote Arbitrary Code Execution vulnerability in HPE Data Protector versions prior to 8.17 and 9.09 was found. | |||||
CVE-2017-16887 | 1 Fiberhome | 2 Lm53q1, Lm53q1 Firmware | 2018-02-02 | 5.0 MEDIUM | 9.8 CRITICAL |
The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP based web services in order to interact with the portal. Unauthorized Access to Web Services can result in disclosure of the WLAN key/password. | |||||
CVE-2015-7889 | 2 Google, Samsung | 2 Android, Galaxy S6 Edge | 2018-01-17 | 4.3 MEDIUM | 5.5 MEDIUM |
The SecEmailComposer/EmailComposer application in the Samsung S6 Edge before the October 2015 MR uses weak permissions for the com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND service action, which might allow remote attackers with knowledge of the local email address to obtain sensitive information via a crafted application that sends a crafted intent. | |||||
CVE-2017-17876 | 1 Iwcnetwork | 1 Shift | 2018-01-10 | 5.0 MEDIUM | 7.5 HIGH |
Biometric Shift Employee Management System 3.0 allows remote attackers to bypass intended file-read restrictions via a user=download request with a pathname in the path parameter. | |||||
CVE-2017-8153 | 1 Huawei | 1 Vmall | 2017-12-12 | 5.8 MEDIUM | 7.1 HIGH |
Huawei VMall (for Android) versions before 1.5.8.5 have a privilege elevation vulnerability due to improper design. An attacker can trick users into installing a malicious app which can send out HTTP requests and execute JavaScript code in web pages without obtaining the Internet access permission. Successful exploit could lead to resource occupation or information leak. | |||||
CVE-2017-2694 | 1 Huawei | 1 Vmall | 2017-12-11 | 4.3 MEDIUM | 3.3 LOW |
The AlarmService component in HwVmall with software versions earlier than 1.5.2.0 has no control over calling permissions, allowing any third party to call it. An attacker can construct a malicious application to call it. Consequently, alert music will be played suddenly, compromising user experience. |