ReportizFlow
Filtered by vendor
Subscriptions
Total
718 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-10686 | 1 Redhat | 1 Keycloak | 2024-11-21 | 4.1 Medium |
| A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users. | ||||
| CVE-2020-10620 | 1 Opto22 | 1 Softpac Project | 2024-11-21 | 9.8 Critical |
| Opto 22 SoftPAC Project Version 9.6 and prior. SoftPAC communication does not include any credentials. This allows an attacker with network access to directly communicate with SoftPAC, including, for example, stopping the service remotely. | ||||
| CVE-2020-10517 | 1 Github | 1 Github | 2024-11-21 | 4.3 Medium |
| An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and was fixed in versions 2.21.6, 2.20.15, and 2.19.21. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2020-10516 | 1 Github | 1 Github | 2024-11-21 | 9.8 Critical |
| An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21 and was fixed in 2.20.9, 2.19.15, and 2.18.20. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2019-7611 | 2 Elastic, Redhat | 3 Elasticsearch, Jboss Enterprise Bpms Platform, Jboss Enterprise Brms Platform | 2024-11-21 | 8.1 High |
| A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index. | ||||
| CVE-2019-7489 | 1 Sonicwall | 1 Email Security Appliance | 2024-11-21 | 9.8 Critical |
| A vulnerability in SonicWall Email Security appliance allow an unauthenticated user to perform remote code execution. This vulnerability affected Email Security Appliance version 10.0.2 and earlier. | ||||
| CVE-2019-7479 | 1 Sonicwall | 2 Sonicos, Sonicosv | 2024-11-21 | 7.2 High |
| A vulnerability in SonicOS allow authenticated read-only admin can elevate permissions to configuration mode. This vulnerability affected SonicOS Gen 5 version 5.9.1.12-4o and earlier, Gen 6 version 6.2.7.4-32n, 6.5.1.4-4n, 6.5.2.3-4n, 6.5.3.3-3n, 6.2.7.10-3n, 6.4.1.0-3n, 6.5.3.3-3n, 6.5.1.9-4n and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V). | ||||
| CVE-2019-6582 | 1 Siemens | 5 Siveillance Video Management Software 2017 R2, Siveillance Video Management Software 2018 R1, Siveillance Video Management Software 2018 R2 and 2 more | 2024-11-21 | 7.1 High |
| A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11.2a), Siveillance VMS 2018 R1 (All versions < V12.1a), Siveillance VMS 2018 R2 (All versions < V12.2a), Siveillance VMS 2018 R3 (All versions < V12.3a), Siveillance VMS 2019 R1 (All versions < V13.1a). An attacker with network access to port 80/TCP can change user-defined event properties without proper authorization. The security vulnerability could be exploited by an authenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation compromises integrity of the user-defined event properties and the availability of corresponding functionality. At the time of advisory publication no public exploitation of this security vulnerability was known. | ||||
| CVE-2019-6581 | 1 Siemens | 5 Siveillance Video Management Software 2017 R2, Siveillance Video Management Software 2018 R1, Siveillance Video Management Software 2018 R2 and 2 more | 2024-11-21 | 8.8 High |
| A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11.2a), Siveillance VMS 2018 R1 (All versions < V12.1a), Siveillance VMS 2018 R2 (All versions < V12.2a), Siveillance VMS 2018 R3 (All versions < V12.3a), Siveillance VMS 2019 R1 (All versions < V13.1a). An attacker with network access to port 80/TCP could change user roles without proper authorization. The security vulnerability could be exploited by an authenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation compromises confidentiality, integrity and availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known. | ||||
| CVE-2019-3849 | 1 Moodle | 1 Moodle | 2024-11-21 | 8.8 High |
| A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. | ||||
| CVE-2019-3842 | 4 Debian, Fedoraproject, Redhat and 1 more | 5 Debian Linux, Fedora, Enterprise Linux and 2 more | 2024-11-21 | 7.0 High |
| In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any". | ||||
| CVE-2019-3820 | 4 Canonical, Gnome, Opensuse and 1 more | 5 Ubuntu Linux, Gnome-shell, Leap and 2 more | 2024-11-21 | 4.3 Medium |
| It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard shortcuts, and potentially other actions. | ||||
| CVE-2019-3785 | 1 Cloudfoundry | 1 Capi-release | 2024-11-21 | 8.1 High |
| Cloud Foundry Cloud Controller, versions prior to 1.78.0, contain an endpoint with improper authorization. A remote authenticated malicious user with read permissions can request package information and receive a signed bit-service url that grants the user write permissions to the bit-service. | ||||
| CVE-2019-3764 | 1 Dell | 3 Idrac7 Firmware, Idrac8 Firmware, Idrac9 Firmware | 2024-11-21 | 4.3 Medium |
| Dell EMC iDRAC7 versions prior to 2.65.65.65, iDRAC8 versions prior to 2.70.70.70 and iDRAC9 versions prior to 3.36.36.36 contain an improper authorization vulnerability. A remote authenticated malicious iDRAC user with low privileges may potentially exploit this vulnerability to obtain sensitive information such as password hashes. | ||||
| CVE-2019-3641 | 1 Mcafee | 1 Threat Intelligence Exchange Server | 2024-11-21 | 4.5 Medium |
| Abuse of Authorization vulnerability in APIs exposed by TIE server in McAfee Threat Intelligence Exchange Server (TIE Server) 3.0.0 allows remote authenticated users to modify stored reputation data via specially crafted messages. | ||||
| CVE-2019-2386 | 1 Mongodb | 1 Mongodb | 2024-11-21 | 7.1 High |
| After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts. | ||||
| CVE-2019-1934 | 1 Cisco | 1 Adaptive Security Appliance Software | 2024-11-21 | 8.8 High |
| A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to elevate privileges and execute administrative functions on an affected device. The vulnerability is due to insufficient authorization validation. An attacker could exploit this vulnerability by logging in to an affected device as a low-privileged user and then sending specific HTTPS requests to execute administrative functions using the information retrieved during initial login. | ||||
| CVE-2019-1912 | 1 Cisco | 22 Sf-220-24, Sf-220-24 Firmware, Sf220-24p and 19 more | 2024-11-21 | 9.1 Critical |
| A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files. The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell. This vulnerability affects Cisco Small Business 220 Series Smart Switches running firmware versions prior to 1.1.4.4 with the web management interface enabled. The web management interface is enabled via both HTTP and HTTPS by default. | ||||
| CVE-2019-1907 | 1 Cisco | 5 Integrated Management Controller Supervisor, Ucs C125 M5, Ucs C4200 and 2 more | 2024-11-21 | 8.8 High |
| A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to set sensitive configuration values and gain elevated privileges. The vulnerability is due to improper handling of substring comparison operations that are performed by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow the attacker with read-only privileges to gain administrator privileges. | ||||
| CVE-2019-1899 | 1 Cisco | 6 Rv110w, Rv110w Firmware, Rv130w and 3 more | 2024-11-21 | 5.3 Medium |
| A vulnerability in the web interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to acquire the list of devices that are connected to the guest network. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing a specific URI on the web interface of the router. | ||||