Total: 2747 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-15953 | 1 Totaljs | 1 Total.js Cms | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH | An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests. This leads to vertical and horizontal privilege escalation.
CVE-2019-0293 | 1 Sap | 1 Sap Solution Manager System | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM | Read of RFC destination does not always perform necessary authorization checks, resulting in escalation of privileges to access information on RFC destinations on managed systems and SAP Solution Manager system (ST-PI, before versions 2008_1_700, 2008_1_710, and 740).
CVE-2019-1010246 | 1 Mailcleaner | 1 Mailcleaner | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH | MailCleaner before c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 is affected by: Unauthenticated MySQL database password information disclosure. The impact is: MySQL database content disclosure (e.g. username, password). The component is: The API call in the function allowAction() in NewslettersController.php. The attack vector is: HTTP GET request. The fixed version is: c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9.
CVE-2017-1000388 | 1 Jenkins | 1 Dependency Graph Viewer | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM | Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data.
CVE-2018-19110 | 1 Tianti Project | 1 Tianti | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM | The skin-management feature in tianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/user/skin/list directly because controller\usercontroller.java maps a /skin/list request to the function skinList, and lacks an authorization check.
CVE-2019-2218 | 1 Google | 1 Android | 2020-08-24 | 7.2 HIGH | 7.8 HIGH | In createSessionInternal of PackageInstallerService.java, there is a possible improper permission grant due to a missing permission check. This could lead to local escalation of privilege by installing malicious packages with User execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-141169173
CVE-2017-8217 | 1 Tp-link | 4 C2, C20i, C20i Firmware and 1 more | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM | TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n have too permissive iptables rules, e.g., SNMP is not blocked on any interface.
CVE-2019-15850 | 1 Eq-3 | 2 Homematic Ccu3, Homematic Ccu3 Firmware | 2020-08-24 | 9.0 HIGH | 8.8 HIGH | eQ-3 HomeMatic CCU3 firmware version 3.41.11 allows Remote Code Execution in the ReGa.runScript method. An authenticated attacker can easily execute code and compromise the system.
CVE-2017-7677 | 1 Apache | 1 Ranger | 2020-08-24 | 4.3 MEDIUM | 5.9 MEDIUM | In environments that use an external location for Hive tables, the Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table.
CVE-2019-0279 | 1 Sap | 1 Business Application Software Integrated Solution | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH | ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.
CVE-2018-1000015 | 1 Jenkins | 1 Pipeline Nodes And Processes | 2020-08-24 | 4.9 MEDIUM | 4.8 MEDIUM | On Jenkins instances with the Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. This did not prevent the execution of Pipeline `node` blocks on those agents due to incorrect permission checks in Pipeline: Nodes and Processes plugin 2.17 and earlier.
CVE-2018-18004 | 1 Vivotek | 1 Camera | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM | Incorrect Access Control in mod_inetd.cgi in VIVOTEK Network Camera Series products with firmware before XXXXXX-VVTK-0X09a allows remote attackers to enable arbitrary system services via a URL parameter.
CVE-2018-10092 | 1 Dolibarr | 1 Dolibarr | 2020-08-24 | 6.0 MEDIUM | 8.0 HIGH | The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads.
CVE-2019-11607 | 1 Doorgets | 1 Doorgets Cms | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH | doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/copydir.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.
CVE-2019-0566 | 1 Microsoft | 4 Edge, Windows 10, Windows Server 2016 and 1 more | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH | An elevation of privilege vulnerability exists in the Microsoft Edge Browser Broker COM object, aka "Microsoft Edge Elevation of Privilege Vulnerability." This affects Microsoft Edge.
CVE-2019-12734 | 1 Sitevision | 1 Sitevision | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH | SiteVision 4 has Incorrect Access Control.
CVE-2019-18383 | 1 Terra-master | 2 Fs-210, Fs-210 Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered on TerraMaster FS-210 4.0.19 devices. One can download backup files remotely from terramaster_TNAS-00E43A_config_backup.bin without permission.
CVE-2019-1010304 | 1 Mirumee | 1 Saleor | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM | Saleor (issue introduced by merge commit e1b01bad0703afd08d297ed3f1f472248312cc9c, released as part of the 2.0.0 release) is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: An unauthenticated user can access the GraphQL API (which is by default publicly exposed under the `/graphql/` URL) and fetch product data which may include the shop's admin-restricted revenue data. The fixed version is: 2.3.1.
CVE-2019-12470 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM | Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
CVE-2019-15136 | 1 Eprosima | 1 Fast-rtps | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH | The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition.
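Several entries above share one root cause: the permission check is wired to the front-end page route, while the API route that reads or modifies the same resource trusts the caller (CVE-2019-15953, CVE-2017-1000388, CVE-2018-19110), and in the GraphQL case (CVE-2019-1010304) a field only admins should see is returned to everyone. The following is an added example, not code from Total.js, Jenkins, tianti, Saleor or any other product in this listing: a vulnerable layout next to the hardened one, where every route passes through a single policy function and a single response filter. The users, documents, route names and roles are constructed sample data.

```python
"""Added example, not code from any product in the listing.

Models the authorization bug pattern where only the page route checks
privileges, and the fix where page and API routes share one policy
decision (authorize) and one field filter (redact). All data constructed."""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "admin", "user" or "anon"


ANONYMOUS = User("anonymous", "anon")

# Constructed store: each document has an owner and one admin-only field.
DOCUMENTS = {
    1: {"id": 1, "owner": "alice", "title": "alice notes", "revenue": 1200},
    2: {"id": 2, "owner": "bob", "title": "bob notes", "revenue": 3400},
}


class Forbidden(Exception):
    """Raised when the policy denies the request."""


def authorize(user: User, action: str, doc: dict) -> None:
    """The one policy decision: admins may do anything, an ordinary user may
    only read documents they own, anonymous callers get nothing."""
    if user.role == "admin":
        return
    if user.role == "user" and action == "read" and doc["owner"] == user.name:
        return
    raise Forbidden(f"{user.name} may not {action} document {doc['id']}")


def redact(user: User, doc: dict) -> dict:
    """Field-level control: the revenue field is returned only to admins."""
    if user.role == "admin":
        return dict(doc)
    return {k: v for k, v in doc.items() if k != "revenue"}


class VulnerableApp:
    """Checks privileges on the page route only; the API paths trust the caller."""

    def page_view(self, user: User, doc_id: int) -> dict:
        doc = DOCUMENTS[doc_id]
        authorize(user, "read", doc)
        return redact(user, doc)

    def api_get(self, user: User, doc_id: int) -> dict:
        return dict(DOCUMENTS[doc_id])  # no ownership check, no field filtering

    def api_delete(self, user: User, doc_id: int) -> str:
        return f"deleted {doc_id}"  # no role check: any authenticated user


class HardenedApp:
    """Every route, page or API, is wired through the same guard."""

    def _guard(self, user: User, action: str, doc_id: int,
               handler: Callable[[User, dict], object]) -> object:
        doc = DOCUMENTS[doc_id]
        authorize(user, action, doc)  # raises Forbidden before the handler runs
        return handler(user, doc)

    def page_view(self, user: User, doc_id: int) -> dict:
        return self._guard(user, "read", doc_id, redact)

    def api_get(self, user: User, doc_id: int) -> dict:
        return self._guard(user, "read", doc_id, redact)

    def api_delete(self, user: User, doc_id: int) -> str:
        return self._guard(user, "delete", doc_id, lambda _u, d: f"deleted {d['id']}")


def probe(app, user: User, doc_id: int) -> Dict[str, str]:
    """Send one principal through all three routes; report 'forbidden', 'ok',
    or 'ok+revenue' when the admin-only field came back in the response."""
    outcomes = {}
    for name in ("page_view", "api_get", "api_delete"):
        try:
            result = getattr(app, name)(user, doc_id)
        except Forbidden:
            outcomes[name] = "forbidden"
            continue
        leaked = isinstance(result, dict) and "revenue" in result
        outcomes[name] = "ok+revenue" if leaked else "ok"
    return outcomes
```

Running `probe(VulnerableApp(), User("bob", "user"), 1)` against alice's document shows the page route refusing while `api_get` returns the full record including `revenue` (horizontal escalation plus field leak) and `api_delete` succeeds (vertical escalation); the same probe against `HardenedApp()` is refused on all three routes, and bob on his own document gets `page_view` and `api_get` without `revenue` but still no `api_delete`. The point of the `_guard` shape is that a new route cannot be added without naming an action for the policy, which is the structural property the listed products lacked.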