Total
2061 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-10805 | 1 Odoo | 1 Odoo | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack OAuth sessions of other users. | |||||
CVE-2017-7505 | 1 Theforeman | 1 Foreman | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user object outside of their scope, such as editing global admin accounts including changing their passwords. | |||||
CVE-2017-4915 | 2 Linux, Vmware | 3 Linux Kernel, Workstation Player, Workstation Pro | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine. | |||||
CVE-2017-1628 | 1 Ibm | 1 Business Process Manager | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
IBM Business Process Manager 8.6.0.0 allows authenticated users to stop and resume the Event Manager by calling a REST API with incorrect authorization checks. | |||||
CVE-2017-3801 | 1 Cisco | 1 Unified Computing System Director | 2025-04-20 | 4.6 MEDIUM | 8.8 HIGH |
A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new catalogs with arbitrary workflow items to his/her profile. An exploit could allow an attacker to perform any actions defined by these workflow items, including actions affecting other tenants. Cisco Bug IDs: CSCvb64765. | |||||
CVE-2017-9855 | 1 Sma | 78 Sunny Boy 1.5, Sunny Boy 1.5 Firmware, Sunny Boy 2.5 and 75 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in SMA Solar Technology products. A secondary authentication system is available for Installers called the Grid Guard system. This system uses predictable codes, and a single Grid Guard code can be used on any SMA inverter. Any such code, when combined with the installer account, allows changing very sensitive parameters. NOTE: the vendor reports that Grid Guard is not an authentication feature; it is only a tracing feature. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected | |||||
CVE-2017-7512 | 1 Redhat | 1 3scale Api Management Platform | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
Red Hat 3scale (aka RH-3scale) API Management Platform (AMP) before 2.0.0 would permit creation of an access token without a client secret. An attacker could use this flaw to circumvent authentication controls and gain access to restricted APIs. NOTE: some sources have a typo in which CVE-2017-7512 maps to an OpenVPN vulnerability. The proper CVE ID for that OpenVPN vulnerability is CVE-2017-7521. Specifically, CVE-2017-7521 is the correct CVE ID for TWO closely related findings in OpenVPN. Any source that lists BOTH CVE-2017-7512 and CVE-2017-7521 for OpenVPN should have listed ONLY CVE-2017-7521. | |||||
CVE-2017-10379 | 5 Debian, Mariadb, Netapp and 2 more | 17 Debian Linux, Mariadb, Active Iq Unified Manager and 14 more | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | |||||
CVE-2017-6377 | 1 Drupal | 1 Drupal | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass. | |||||
CVE-2017-5618 | 1 Gnu | 1 Screen | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
GNU screen before 4.5.1 allows local users to modify arbitrary files and consequently gain root privileges by leveraging improper checking of logfile permissions. | |||||
CVE-2017-9378 | 1 Bigtreecms | 1 Bigtree Cms | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. This could have security relevance because deletion was supposed to be an admin-only action, and the admin may have other tasks (such as data backups) to complete before a user is deleted. | |||||
CVE-2017-2306 | 1 Juniper | 1 Junos Space | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can execute code on the device. | |||||
CVE-2017-6672 | 1 Cisco | 1 Asr 5000 Series Software | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
A vulnerability in certain filtering mechanisms of access control lists (ACLs) for Cisco ASR 5000 Series Aggregation Services Routers through 21.x could allow an unauthenticated, remote attacker to bypass ACL rules that have been configured for an affected device. More Information: CSCvb99022 CSCvc16964 CSCvc37351 CSCvc54843 CSCvc63444 CSCvc77815 CSCvc88658 CSCve08955 CSCve14141 CSCve33870. | |||||
CVE-2017-0910 | 1 Zulip | 1 Zulip Server | 2025-04-20 | 4.0 MEDIUM | 8.8 HIGH |
In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. | |||||
CVE-2017-3891 | 1 Blackberry | 1 Qnx Software Development Platform | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevation of privilege vulnerability in the default configuration of the QNX SDP with QNet enabled on networks comprising two or more QNet nodes could allow an attacker to access local and remote files or take ownership of files on other QNX nodes regardless of permissions by executing commands targeting arbitrary nodes from a secondary QNX 6.6.0 QNet node. | |||||
CVE-2017-8907 | 1 Atlassian | 1 Bamboo | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo. | |||||
CVE-2016-6797 | 6 Apache, Canonical, Debian and 3 more | 14 Tomcat, Ubuntu Linux, Debian Linux and 11 more | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. | |||||
CVE-2017-5060 | 5 Apple, Google, Linux and 2 more | 8 Macos, Android, Chrome and 5 more | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. | |||||
CVE-2017-2305 | 1 Juniper | 1 Junos Space | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can create privileged users, allowing privilege escalation. | |||||
CVE-2017-0881 | 1 Zulip | 1 Zulip Server | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to join. The issue affects all previously released versions of the Zulip server. |