Total
1299 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1462 | 1 Ibm | 14 San Volume Controller, San Volume Controller Firmware, Spectrum Virtualize and 11 more | 2020-08-19 | 6.5 MEDIUM | 7.6 HIGH |
| IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) could allow an authenticated user to access system files they should not have access to including deleting files or causing a denial of service. IBM X-Force ID: 140363. | |||||
| CVE-2018-1463 | 1 Ibm | 14 San Volume Controller, San Volume Controller Firmware, Spectrum Virtualize and 11 more | 2020-08-19 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) could allow an authenticated user to access system files they should not have access to some of which could contain account credentials. IBM X-Force ID: 140368. | |||||
| CVE-2019-15941 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2020-08-18 | 7.5 HIGH | 9.8 CRITICAL |
| OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs. | |||||
| CVE-2011-1070 | 2 Debian, V86d Project | 2 Debian Linux, V86d | 2020-08-18 | 7.2 HIGH | 7.8 HIGH |
| v86d before 0.1.10 do not verify if received netlink messages are sent by the kernel. This could allow unprivileged users to manipulate the video mode and potentially other consequences. | |||||
| CVE-2020-2233 | 1 Jenkins | 1 Pipeline Maven Integration | 2020-08-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | |||||
| CVE-2020-3374 | 1 Cisco | 1 Sd-wan | 2020-08-06 | 9.0 HIGH | 9.9 CRITICAL |
| A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization, enabling them to access sensitive information, modify the system configuration, or impact the availability of the affected system. The vulnerability is due to insufficient authorization checking on the affected system. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to gain privileges beyond what would normally be authorized for their configured user authorization level. The attacker may be able to access sensitive information, modify the system configuration, or impact the availability of the affected system. | |||||
| CVE-2020-3386 | 1 Cisco | 1 Data Center Network Manager | 2020-08-05 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with a low-privileged account to bypass authorization on the API of an affected device. The vulnerability is due to insufficient authorization of certain API functions. An attacker could exploit this vulnerability by sending a crafted request to the API using low-privileged credentials. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges. | |||||
| CVE-2020-14486 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2020-07-29 | 6.5 MEDIUM | 8.8 HIGH |
| An attacker may bypass permission/authorization checks in OpenClinic GA 5.09.02 and 5.89.05b by ignoring the redirect of a permission failure, which may allow unauthorized execution of commands. | |||||
| CVE-2020-15120 | 1 Ihatemoney | 1 I Hate Money | 2020-07-29 | 4.0 MEDIUM | 4.9 MEDIUM |
| In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5. | |||||
| CVE-2020-15126 | 1 Parseplatform | 1 Parse Server | 2020-07-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object. | |||||
| CVE-2020-3140 | 1 Cisco | 1 Prime License Manager | 2020-07-23 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the web management interface of Cisco Prime License Manager (PLM) Software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device. The vulnerability is due to insufficient validation of user input on the web management interface. An attacker could exploit this vulnerability by submitting a malicious request to an affected system. An exploit could allow the attacker to gain administrative-level privileges on the system. The attacker needs a valid username to exploit this vulnerability. | |||||
| CVE-2020-3150 | 1 Cisco | 4 Rv110w, Rv110w Firmware, Rv215w and 1 more | 2020-07-22 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Small Business RV110W and RV215W Series Routers could allow an unauthenticated, remote attacker to download sensitive information from the device, which could include the device configuration. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing a specific URI on the web-based management interface of the router, but only after any valid user has opened a specific file on the device since the last reboot. A successful exploit would allow the attacker to view sensitive information, which should be restricted. | |||||
| CVE-2020-5333 | 1 Rsa | 1 Archer | 2020-07-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an authorization bypass vulnerability in the REST API. A remote authenticated malicious Archer user could potentially exploit this vulnerability to view unauthorized information. | |||||
| CVE-2020-15513 | 1 Mittwald | 1 Typo3 Forum | 2020-07-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control. | |||||
| CVE-2019-16538 | 1 Jenkins | 1 Script Security | 2020-07-13 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
| CVE-2020-5372 | 1 Dell | 10 Emc Powerstore 1000, Emc Powerstore 1000 Firmware, Emc Powerstore 3000 and 7 more | 2020-07-13 | 5.0 MEDIUM | 7.5 HIGH |
| Dell EMC PowerStore versions prior to 1.0.1.0.5.002 contain a vulnerability that exposes test interface ports to external network. A remote unauthenticated attacker could potentially cause Denial of Service via test interface ports which are not used during run time environment. | |||||
| CVE-2020-7921 | 1 Mongodb | 1 Mongodb | 2020-07-07 | 3.5 LOW | 5.3 MEDIUM |
| Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18. | |||||
| CVE-2020-13263 | 1 Gitlab | 1 Gitlab | 2020-07-01 | 6.5 MEDIUM | 8.8 HIGH |
| An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate as a maintainer to perform limited actions. | |||||
| CVE-2020-12053 | 1 Unisys | 1 Stealth | 2020-06-29 | 7.5 HIGH | 9.8 CRITICAL |
| In Unisys Stealth 3.4.x, 4.x and 5.x before 5.0.026, if certificate-based authorization is used without HTTPS, an endpoint could be authorized without a private key. | |||||
| CVE-2020-13277 | 1 Gitlab | 1 Gitlab | 2020-06-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5 | |||||