Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-863
Total 1299 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-7363 1 Zte 2 Zxhn F670, Zxhn F670 Firmware 2019-10-09 3.3 LOW 8.8 HIGH
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by improper authorization vulnerability. Since appviahttp service has no authorization delay, an attacker can be allowed to brute force account credentials.
CVE-2018-7366 1 Zte 2 Zxv10 B860av2.1 Chinamobile, Zxv10 B860av2.1 Chinamobile Firmware 2019-10-09 4.6 MEDIUM 6.8 MEDIUM
ZTE ZXV10 B860AV2.1 product ChinaMobile branch with the ICNT versions up to V1.3.3, the BESTV versions up to V1.2.2, the WASU versions up to V1.1.7 and the MGTV versions up to V1.4.6 have an authentication bypass vulnerability, which may allows an unauthorized user to perform unauthorized operations.
CVE-2018-1245 1 Emc 1 Rsa Identity Governance And Lifecycle 2019-10-09 9.0 HIGH 8.8 HIGH
RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains an authorization bypass vulnerability within the workflow architect component (ACM). A remote authenticated malicious user with non-admin privileges could potentially bypass the Java Security Policies. Once bypassed, a malicious user could potentially run arbitrary system commands at the OS level with application owner privileges on the affected system.
CVE-2018-1250 1 Dell 3 Emc Unity, Emc Unity Firmware, Emc Unityvsa 2019-10-09 4.0 MEDIUM 6.5 MEDIUM
Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contains an Authorization Bypass vulnerability. A remote authenticated user could potentially exploit this vulnerability to read files in NAS server by directly interacting with certain APIs of Unity OE, bypassing Role-Based Authorization control implemented only in Unisphere GUI.
CVE-2018-15774 1 Dell 3 Idrac7 Firmware, Idrac8 Firmware, Idrac9 Firmware 2019-10-09 6.5 MEDIUM 8.8 HIGH
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access.
CVE-2018-15754 1 Pivotal Software 1 Cloud Foundry Uaa-release 2019-10-09 4.0 MEDIUM 8.8 HIGH
Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
CVE-2018-15465 1 Cisco 1 Adaptive Security Appliance Software 2019-10-09 5.5 MEDIUM 8.1 HIGH
A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface. The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. An exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device.
CVE-2018-14666 1 Redhat 1 Satellite 2019-10-09 6.5 MEDIUM 7.2 HIGH
An improper authorization flaw was found in the Smart Class feature of Foreman. An attacker can use it to change configuration of any host registered in Red Hat Satellite, independent of the organization the host belongs to. This flaw affects all Red Hat Satellite 6 versions.
CVE-2018-0459 1 Cisco 1 Network Functions Virtualization Infrastructure 2019-10-09 6.8 MEDIUM 6.5 MEDIUM
A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to cause an affected system to reboot or shut down. The vulnerability is due to insufficient server-side authorization checks. An attacker who is logged in to the web-based management interface as a low-privileged user could exploit this vulnerability by sending a crafted HTTP request. A successful exploit could allow the attacker to use the low-privileged user account to reboot or shut down the affected system.
CVE-2018-0460 1 Cisco 1 Network Functions Virtualization Infrastructure 2019-10-09 6.8 MEDIUM 6.5 MEDIUM
A vulnerability in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read any file on an affected system. The vulnerability is due to insufficient authorization and parameter validation checks. An attacker could exploit this vulnerability by sending a malicious API request with the authentication credentials of a low-privileged user. A successful exploit could allow the attacker to read any file on the affected system.
CVE-2018-0110 1 Cisco 1 Webex Meetings Server 2019-10-09 5.5 MEDIUM 8.1 HIGH
A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to access the remote support account even after it has been disabled via the web application. The vulnerability is due to a design flaw in Cisco WebEx Meetings Server, which would not disable access to specifically configured user accounts, even after access had been disabled in the web application. An attacker could exploit this vulnerability by connecting to the remote support account, even after it had been disabled at the web application level. An exploit could allow the attacker to modify server configuration and gain access to customer data. Cisco Bug IDs: CSCvg46741.
CVE-2018-0096 1 Cisco 1 Prime Infrastructure 2019-10-09 4.9 MEDIUM 5.9 MEDIUM
A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to perform a privilege escalation in which one virtual domain user can view and modify another virtual domain configuration. The vulnerability is due to a failure to properly enforce RBAC for virtual domains. An attacker could exploit this vulnerability by sending an authenticated, crafted HTTP request to a targeted application. An exploit could allow the attacker to bypass RBAC policies on the targeted system to modify a virtual domain and access resources that are not normally accessible. Cisco Bug IDs: CSCvg36875.
CVE-2017-3183 1 Sage 1 Xrt Treasury 2019-10-09 6.5 MEDIUM 8.8 HIGH
Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Database user access privileges are determined by the USER_CODE field associated with the querying user. By modifying the USER_CODE value to match that of a privileged user, a low-privileged, authenticated user may gain privileged access to the SQL database. A remote, authenticated user can submit specially crafted SQL queries to gain privileged access to the application database.
CVE-2017-2632 1 Redhat 2 Cloudforms, Cloudforms Management Engine 2019-10-09 4.0 MEDIUM 4.9 MEDIUM
A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges.
CVE-2017-1766 1 Ibm 1 Business Process Manager 2019-10-09 4.0 MEDIUM 4.3 MEDIUM
Due to incorrect authorization in IBM Business Process Manager 8.6 an attacker can claim and work on ad hoc tasks he is not assigned to. IBM X-Force ID: 136151.
CVE-2017-16773 1 Synology 1 Universal Search 2019-10-09 6.5 MEDIUM 8.8 HIGH
Improper authorization vulnerability in Highlight Preview in Synology Universal Search before 1.0.5-0135 allows remote authenticated users to bypass permission checks for directories in POSIX mode.
CVE-2017-18095 1 Atlassian 1 Crucible 2019-10-09 5.0 MEDIUM 5.3 MEDIUM
The SnippetRPCServiceImpl class in Atlassian Crucible before version 4.5.1 (the fixed version 4.5.x) and before 4.6.0 allows remote attackers to comment on snippets they do not have authorization to access via an improper authorization vulnerability.
CVE-2017-12261 1 Cisco 3 Identity Services Engine, Identity Services Engine Express, Identity Services Engine Virtual Appliance 2019-10-09 7.2 HIGH 7.8 HIGH
A vulnerability in the restricted shell of the Cisco Identity Services Engine (ISE) that is accessible via SSH could allow an authenticated, local attacker to run arbitrary CLI commands with elevated privileges. The vulnerability is due to incomplete input validation of the user input for CLI commands issued at the restricted shell. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. An attacker would need valid user credentials to the device to exploit this vulnerability. The vulnerability affects the following Cisco Identity Services Engine (ISE) products running Release 1.4, 2.0, 2.0.1, 2.1.0: ISE, ISE Express, ISE Virtual Appliance. Cisco Bug IDs: CSCve74916.
CVE-2017-12196 1 Redhat 4 Jboss Enterprise Application Platform, Jboss Fuse, Undertow and 1 more 2019-10-09 4.3 MEDIUM 5.9 MEDIUM
undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.
CVE-2017-0881 1 Zulip 1 Zulip Server 2019-10-09 4.0 MEDIUM 4.3 MEDIUM
An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to join. The issue affects all previously released versions of the Zulip server.