Total
1368 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-2267 | 1 Jenkins | 1 Mongodb | 2020-09-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins MongoDB Plugin 1.3 and earlier allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller. | |||||
| CVE-2020-2272 | 1 Jenkins | 1 Elastest | 2020-09-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins ElasTest Plugin 1.2.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2018-15429 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2020-09-16 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web-based UI of Cisco HyperFlex HX Data Platform Software could allow an unauthenticated, remote attacker to access sensitive information on an affected system. The vulnerability is due to a lack of proper input and authorization of HTTP requests. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based UI of an affected system. A successful exploit could allow the attacker to access files that may contain sensitive data. | |||||
| CVE-2020-0989 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2020-09-15 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions, aka 'Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability'. | |||||
| CVE-2019-16236 | 4 Canonical, Debian, Dino and 1 more | 4 Ubuntu Linux, Debian Linux, Dino and 1 more | 2020-09-14 | 5.0 MEDIUM | 7.5 HIGH |
| Dino before 2019-09-10 does not check roster push authorization in module/roster/module.vala. | |||||
| CVE-2020-3394 | 1 Cisco | 65 Nexus 3016, Nexus 3048, Nexus 3064 and 62 more | 2020-09-09 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the Enable Secret feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an authenticated, local attacker to issue the enable command and get full administrative privileges. To exploit this vulnerability, the attacker would need to have valid credentials for the affected device. The vulnerability is due to a logic error in the implementation of the enable command. An attacker could exploit this vulnerability by logging in to the device and issuing the enable command. A successful exploit could allow the attacker to gain full administrative privileges without using the enable password. Note: The Enable Secret feature is disabled by default. | |||||
| CVE-2020-2242 | 1 Jenkins | 1 Database | 2020-09-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins database Plugin 1.6 and earlier allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified credentials. | |||||
| CVE-2020-3443 | 1 Cisco | 1 Smart Software Manager On-prem | 2020-09-02 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges and execute commands with higher privileges. The vulnerability is due to insufficient authorization of the System Operator role capabilities. An attacker could exploit this vulnerability by logging in with the System Operator role, performing a series of actions, and then assuming a new higher privileged role. A successful exploit could allow the attacker to perform all actions associated with the privilege of the assumed role. If that role is an administrative role, the attacker would gain full access to the device. | |||||
| CVE-2019-1003077 | 1 Jenkins | 1 Audit To Database | 2020-09-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003059 | 1 Jenkins | 1 Ftp Publisher | 2020-09-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-10868 | 2 Debian, Tryton | 2 Debian Linux, Trytond | 2020-08-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values. | |||||
| CVE-2019-2005 | 1 Google | 1 Android | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| In onPermissionGrantResult of GrantPermissionsActivity.java, there is a possible incorrectly granted permission due to a missing permission check. This could lead to local escalation of privilege on a locked device with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9Android ID: A-68777217 | |||||
| CVE-2019-9974 | 1 Dasannetworks | 2 H660rm, H660rm Firmware | 2020-08-24 | 6.4 MEDIUM | 9.1 CRITICAL |
| diag_tool.cgi on DASAN H660RM GPON routers with firmware 1.03-0022 lacks any authorization check, which allows remote attackers to run a ping command via a GET request to enumerate LAN devices or crash the router with a DoS attack. | |||||
| CVE-2019-9742 | 1 Gdata-software | 1 Total Security | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| gdwfpcd.sys in G Data Total Security before 2019-02-22 allows an attacker to bypass ACLs because Interpreted Device Characteristics lacks FILE_DEVICE_SECURE_OPEN and therefore files and directories "inside" the \\.\gdwfpcd device are not properly protected, leading to unintended impersonation or object creation. | |||||
| CVE-2019-9713 | 1 Joomla | 1 Joomla\! | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access. | |||||
| CVE-2019-9574 | 1 Mishubd | 1 Wp Human Resource Management | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The WP Human Resource Management plugin before 2.2.6 for WordPress does not ensure that a leave modification occurs in the context of the Administrator or HR Manager role. | |||||
| CVE-2019-9374 | 2020-08-24 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. | |||||
| CVE-2019-9295 | 1 Google | 1 Android | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| In com.android.apps.tag, there is a possible bypass of user interaction requirements due to a missing permission check. This could lead to a to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-36885811 | |||||
| CVE-2019-9263 | 1 Google | 1 Android | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| In telephony, there is a possible bypass of user interaction requirements due to missing permission checks. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-73136824 | |||||
| CVE-2019-9224 | 1 Gitlab | 1 Gitlab | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 4 of 5). | |||||