Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-862
Total 1368 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-5095 1 Tempo 1 Tempo 2019-11-04 4.0 MEDIUM 4.3 MEDIUM
An issue summary information disclosure vulnerability exists in Atlassian Jira Tempo plugin, version 4.10.0. Authenticated users can obtain the summary for issues they do not have permission to view via the Tempo plugin.
CVE-2017-1002151 1 Redhat 1 Pagure 2019-10-16 5.0 MEDIUM 7.5 HIGH
Pagure 3.3.0 and earlier is vulnerable to loss of confidentially due to improper authorization
CVE-2019-0367 1 Sap 1 Netweaver Process Integration 2019-10-10 4.0 MEDIUM 4.3 MEDIUM
SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that leads to Missing Authorization Check.
CVE-2018-7689 1 Opensuse 1 Open Build Service 2019-10-09 4.0 MEDIUM 6.5 MEDIUM
Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2.9.3 allowed authenticated users to modify packages where they do not have write permissions.
CVE-2018-7688 1 Opensuse 1 Open Build Service 2019-10-09 4.0 MEDIUM 6.5 MEDIUM
A missing permission check in the review handling of openSUSE Open Build Service before 2.9.3 allowed all authenticated users to modify sources in projects where they do not have write permissions.
CVE-2018-2413 1 Sap 1 Disclosure Management 2019-10-09 6.5 MEDIUM 8.8 HIGH
SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
CVE-2018-2412 1 Sap 1 Disclosure Management 2019-10-09 6.5 MEDIUM 8.8 HIGH
SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
CVE-2018-2419 1 Sap 3 Ea-finserv, S4core, Sapscore 2019-10-09 5.5 MEDIUM 4.6 MEDIUM
SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
CVE-2018-18996 1 Lcds 1 Laquis Scada 2019-10-09 7.5 HIGH 9.8 CRITICAL
LCDS Laquis SCADA prior to version 4.1.0.4150 allows taking in user input without proper authorization or sanitation, which may allow an attacker to execute remote code on the server.
CVE-2018-0092 1 Cisco 20 Nexus 92160yc Switch, Nexus 92300yc Switch, Nexus 92304qc Switch and 17 more 2019-10-09 3.6 LOW 7.1 HIGH
A vulnerability in the network-operator user role implementation for Cisco NX-OS System Software could allow an authenticated, local attacker to improperly delete valid user accounts. The network-operator role should not be able to delete other configured users on the device. The vulnerability is due to a lack of proper role-based access control (RBAC) checks for the actions that a user with the network-operator role is allowed to perform. An attacker could exploit this vulnerability by authenticating to the device with user credentials that give that user the network-operator role. Successful exploitation could allow the attacker to impact the integrity of the device by deleting configured user credentials. The attacker would need valid user credentials for the device. This vulnerability affects the following Cisco products running Cisco NX-OS System Software: Nexus 3000 Series Switches, Nexus 3600 Platform Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCvg21120.
CVE-2018-0317 1 Cisco 2 Prime Collaboration, Prime Collaboration Provisioning 2019-10-09 6.5 MEDIUM 8.8 HIGH
A vulnerability in the web interface of Cisco Prime Collaboration Provisioning (PCP) could allow an authenticated, remote attacker to escalate their privileges. The vulnerability is due to insufficient web portal access control checks. An attacker could exploit this vulnerability by modifying an access request. An exploit could allow the attacker to promote their account to any role defined on the system. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.2 and prior. Cisco Bug IDs: CSCvc90286.
CVE-2018-0322 1 Cisco 2 Prime Collaboration, Prime Collaboration Provisioning 2019-10-09 6.5 MEDIUM 8.8 HIGH
A vulnerability in the web management interface of Cisco Prime Collaboration Provisioning (PCP) could allow an authenticated, remote attacker to modify sensitive data that is associated with arbitrary accounts on an affected device. The vulnerability is due to a failure to enforce access restrictions on the Help Desk and User Provisioning roles that are assigned to authenticated users. This failure could allow an authenticated attacker to modify critical attributes of higher-privileged accounts on the device. A successful exploit could allow the attacker to gain elevated privileges on the device. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.1 and prior. Cisco Bug IDs: CSCvd61779.
CVE-2018-0336 1 Cisco 1 Prime Collaboration 2019-10-09 6.5 MEDIUM 8.8 HIGH
A vulnerability in the batch provisioning feature of Cisco Prime Collaboration Provisioning could allow an authenticated, remote attacker to escalate privileges to the Administrator level. The vulnerability is due to insufficient authorization enforcement on batch processing. An attacker could exploit this vulnerability by uploading a batch file and having the batch file processed by the system. A successful exploit could allow the attacker to escalate privileges to the Administrator level. Cisco Bug IDs: CSCvd86578.
CVE-2017-9513 1 Atlassian 1 Activity Streams 2019-10-09 5.5 MEDIUM 5.4 MEDIUM
Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks.
CVE-2017-7914 1 Rockwellautomation 2 Panelview Plus 6 700-1500, Panelview Plus 6 700-1500 Firmware 2019-10-09 7.5 HIGH 8.6 HIGH
A Missing Authorization issue was discovered in Rockwell Automation PanelView Plus 6 700-1500 6.00.04, 6.00.05, 6.00.42, 6.00-20140306, 6.10.20121012, 6.10-20140122, 7.00-20121012, 7.00-20130108, 7.00-20130325, 7.00-20130619, 7.00-20140128, 7.00-20140310, 7.00-20140429, 7.00-20140621, 7.00-20140729, 7.00-20141022, 8.00-20140730, and 8.00-20141023. There is no authorization check when connecting to the device, allowing an attacker remote access.
CVE-2017-6923 1 Drupal 1 Drupal 2019-10-09 4.0 MEDIUM 6.5 MEDIUM
In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.
CVE-2017-18035 1 Atlassian 2 Crucible, Fisheye 2019-10-09 4.0 MEDIUM 4.3 MEDIUM
The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it.
CVE-2018-5547 1 F5 1 Big-ip Access Policy Manager Client 2019-10-09 7.2 HIGH 7.8 HIGH
Windows Logon Integration feature of F5 BIG-IP APM client prior to version 7.1.7.1 for Windows by default uses Legacy logon mode which uses a SYSTEM account to establish network access. This feature displays a certificate user interface dialog box which contains the link to the certificate policy. By clicking on the link, unprivileged users can open additional dialog boxes and get access to the local machine windows explorer which can be used to get administrator privilege. Windows Logon Integration is vulnerable when the APM client is installed by an administrator on a user machine. Users accessing the local machine can get administrator privileges
CVE-2019-9377 1 Google 1 Android 2019-10-07 2.1 LOW 3.3 LOW
In FingerprintService, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check. This could lead to a local information disclosure of metadata about the biometrics of another user on the device with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-128599663
CVE-2018-11541 1 Ribboncommunications 5 Sbc Swe Lite Web, Sonus Sbc 1000, Sonus Sbc 1000 Firmware and 2 more 2019-10-02 10.0 HIGH 9.8 CRITICAL
A root privilege escalation vulnerability in the Sonus SBC 1000 / SBC 2000 / SBC SWe Lite web interface allows unauthorised access to privileged content via an unspecified vector. It affects the 1000 and 2000 devices 6.0.x up to Build 446, 6.1.x up to Build 492, and 7.0.x up to Build 485. It affects the SWe Lite devices 6.1.x up to Build 111 and 7.0.x up to Build 140.