Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-425
Total 97 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-6669 1 Mcafee 1 Application Change Control 2019-10-09 5.2 MEDIUM 8.0 HIGH
A whitelist bypass vulnerability in McAfee Application Control / Change Control 7.0.1 and before allows a remote or local user to execute blacklisted files through an ASP.NET form.
CVE-2018-18862 1 Bmc 2 Remedy Action Request System, Remedy Mid-tier 2019-10-02 6.5 MEDIUM 8.8 HIGH
BMC Remedy Mid-Tier 7.1.00 and 9.1.02.003 for BMC Remedy AR System has Incorrect Access Control in ITAM forms, as demonstrated by TLS%3APLR-Configuration+Details/Default+Admin+View/, AST%3AARServerConnection/Default+Admin+View/, and AR+System+Administration%3A+Server+Information/Default+Admin+View/.
CVE-2017-2143 1 Frogman Office Inc 2 Cs-cart Japanese Edition, Cs-cart Multivendor Japanese Edition 2019-10-02 5.0 MEDIUM 5.3 MEDIUM
CS-Cart Japanese Edition v4.3.10-jp-1 and earlier, CS-Cart Multivendor Japanese Edition v4.3.10-jp-1 and earlier allows remote attackers to bypass access restriction to create a request to return a customer purchased item via rma.post.php.
CVE-2018-11346 1 Asustor 2 As6202t, As6202t Firmware 2019-10-02 4.0 MEDIUM 4.3 MEDIUM
An insecure direct object reference vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows the ability to reference the "download_sys_settings" action and then specify files arbitrarily throughout the system via the act parameter.
CVE-2018-7526 1 Beaconmedaes 2 Scroll Medical Air Systems, Scroll Medical Air Systems Firmware 2019-10-02 5.0 MEDIUM 7.5 HIGH
In TotalAlert Web Application in BeaconMedaes Scroll Medical Air Systems prior to v4107600010.23, by accessing a specific uniform resource locator (URL) on the webserver, a malicious user may be able to access information in the application without authenticating.
CVE-2017-10833 1 Nippon-antenna 2 Scr02hd, Scr02hd Firmware 2019-10-02 6.4 MEDIUM 9.1 CRITICAL
"Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows remote attackers to bypass access restriction to view information or modify configurations via unspecified vectors.
CVE-2017-2486 1 Apple 2 Iphone Os, Safari 2019-10-02 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to spoof the address bar via a crafted web site.
CVE-2017-14993 1 Oxid-esales 1 Eshop 2019-10-02 5.0 MEDIUM 7.5 HIGH
OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.
CVE-2017-17736 1 Kentico 1 Kentico Cms 2019-10-02 7.5 HIGH 9.8 CRITICAL
Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.
CVE-2017-2139 1 Frogman Office Inc 1 Cs-cart 2019-10-02 5.0 MEDIUM 5.3 MEDIUM
CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to bypass access restriction to obtain customer information via orders.pre.php.
CVE-2017-2161 1 Toshiba 1 Flashair 2019-10-02 2.7 LOW 3.5 LOW
FlashAirTM SDHC Memory Card (SD-WE Series <W-03>) V3.00.02 and earlier and FlashAirTM SDHC Memory Card (SD-WD/WC Series <W-02>) V2.00.04 and earlier allows authenticated attackers to bypass access restrictions to obtain unauthorized image data via unspecified vectors.
CVE-2018-6624 1 Omron 7 Ns10, Ns12, Ns15 and 4 more 2019-10-02 7.5 HIGH 9.8 CRITICAL
OMRON NS devices 1.1 through 1.3 allow remote attackers to bypass authentication via a direct request to the .html file for a specific screen, as demonstrated by monitor.html.
CVE-2018-19620 1 Showdoc 1 Showdoc 2019-10-02 4.0 MEDIUM 4.3 MEDIUM
ShowDoc 2.4.1 allows remote attackers to edit other users' notes by navigating with a modified page_id.
CVE-2018-19143 2 Debian, Otrs 2 Debian Linux, Open Ticket Request System 2019-10-02 5.5 MEDIUM 6.5 MEDIUM
Open Ticket Request System (OTRS) 4.0.x before 4.0.33, 5.0.x before 5.0.31, and 6.0.x before 6.0.13 allows an authenticated user to delete files via a modified submission form because upload caching is mishandled.
CVE-2018-19207 1 Van-ons 1 Wp-gdpr-compliance 2019-10-02 7.5 HIGH 9.8 CRITICAL
The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.
CVE-2018-19109 1 Tianti Project 1 Tianti 2019-10-02 6.5 MEDIUM 8.8 HIGH
tianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/cms/column/list directly to read the column list page or edit a column.
CVE-2018-18922 1 Abisoftgt 1 Ticketly 2019-10-02 5.0 MEDIUM 9.8 CRITICAL
add_user in AbiSoft Ticketly 1.0 allows remote attackers to create administrator accounts via an action/add_user.php POST request.