Total
907 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-7078 | 1 Theforeman | 1 Foreman | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion. | |||||
CVE-2016-7077 | 1 Theforeman | 1 Foreman | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
foreman before 1.14.0 is vulnerable to an information leak. It was found that Foreman form helper does not authorize options for associated objects. Unauthorized user can see names of such objects if their count is less than 6. | |||||
CVE-2016-7071 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
It was found that the CloudForms before 5.6.2.2, and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM. | |||||
CVE-2016-7035 | 2 Clusterlabs, Redhat | 3 Pacemaker, Enterprise Linux Server, Enterprise Linux Server Eus | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
An authorization flaw was found in Pacemaker before 1.1.16, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine. | |||||
CVE-2016-10859 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
cPanel before 11.54.0.0 allows unauthorized password changes via Webmail API commands (SEC-65). | |||||
CVE-2016-10848 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in scripts/quotacheck (SEC-81). | |||||
CVE-2016-10734 | 1 Projectsend | 1 Projectsend | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php. | |||||
CVE-2016-0373 | 1 Ibm | 1 Urbancode Deploy | 2024-11-21 | 4.0 MEDIUM | 3.1 LOW |
IBM UrbanCode Deploy 6.0 through 6.2.2.1 could allow an authenticated user to read sensitive information due to UCD REST endpoints not properly authorizing users when determining who can read data. IBM X-Force ID: 112119. | |||||
CVE-2015-7463 | 1 Ibm | 1 Business Process Manager | 2024-11-21 | 5.5 MEDIUM | 4.3 MEDIUM |
IBM Business Process Manager 7.5.x, 8.0.x, 8.5.0, 8.5.5, and 8.5.6.0 through cumulative fix 2 allow remote authenticated users to delete process and task data by leveraging incorrect authorization checks. IBM X-Force ID: 108393. | |||||
CVE-2015-5463 | 1 Axiomsl | 1 Axiom | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
AxiomSL's Axiom java applet module (used for editing uploaded Excel files and associated Java RMI services) 9.5.3 and earlier allows remote attackers to (1) access data of other basic users through arbitrary SQL commands, (2) perform a horizontal and vertical privilege escalation, (3) cause a Denial of Service on global application, or (4) write/read/delete arbitrary files on server hosting the application. | |||||
CVE-2015-3954 | 1 Pifzer | 6 Plum A\+3 Infusion System, Plum A\+3 Infusion System Firmware, Plum A\+ Infusion System and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior give unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user could issue commands to the pump. Hospira recommends that customers close Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue. | |||||
CVE-2015-10033 | 1 Merlinsboard Project | 1 Merlinsboard | 2024-11-21 | 3.7 LOW | 3.5 LOW |
A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The identifier of the patch is 134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5. It is recommended to apply a patch to fix this issue. The identifier VDB-217713 was assigned to this vulnerability. | |||||
CVE-2014-6049 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | 5.5 MEDIUM | 2.7 LOW |
phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter. | |||||
CVE-2013-7245 | 1 Sybase | 1 Adaptive Server Enterprise | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The Backup Server component in SAP Sybase ASE 15.7 before SP51 allows remote attackers to bypass access restrictions and perform database dumps by leveraging failure to validate credentials, aka SAP Security Note 1927859. | |||||
CVE-2024-48897 | 1 Moodle | 1 Moodle | 2024-11-20 | N/A | 4.3 MEDIUM |
A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify. | |||||
CVE-2024-48901 | 1 Moodle | 1 Moodle | 2024-11-20 | N/A | 4.3 MEDIUM |
A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report. | |||||
CVE-2022-31671 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 7.4 HIGH |
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database. | |||||
CVE-2021-3991 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-19 | N/A | 4.3 MEDIUM |
An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions. | |||||
CVE-2022-31667 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 6.4 MEDIUM |
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions. | |||||
CVE-2022-31668 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 7.4 HIGH |
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects. |