CWE:
 

Topic
Date
Author
Med.
Dell OpenManage Network Manager 6.2.0.51 SP3 Privilege Escalation
07.11.2018
Matthew Bergin
Low
SAP Business Objects Unauthorized Audit Information Access
26.02.2015
Onapsis
Med.
SAP Business Objects Unauthorized Audit Information Delete
26.02.2015
Onapsis
Low
SAP Business Objects Information Disclosure Via CORBA
09.10.2014
Will Vandevanter
Med.
SAP Business Warehouse Missing Authorization Check
09.10.2014
Will Vandevanter
Med.
SAP Business Objects Denial Of Service Via CORBA
09.10.2014
Will Vandevanter
Med.
Checkpoint Endpoint Security Media Encryption EPM Explorer Bypass
15.11.2013
Pedro Andujar
High
Zoom Telephonics Multiple Vulns
03.09.2013
K Lovett


CVEMAP Search Results

CVE
Details
Description
2018-11-13
Low
CVE-2018-7926

Vendor: Huawei
Software: Watch 2 firmware
 

 
Huawei Watch 2 with versions and earlier than OWDD.180707.001.E1 have an improper authorization vulnerability. Due to improper permission configuration for specific operations, an attacker who obtained the Huawei ID bound to the watch can bypass permission verification to perform specific operations and modify some data on the watch.

 
Medium
CVE-2018-7925

Vendor: Huawei
Software: Emily-al00a ...
 

 
The radio module of some Huawei smartphones Emily-AL00A The versions before 8.1.0.171(C00) have a lock-screen bypass vulnerability. An unauthenticated attacker could start third-part input method APP through certain operations to bypass lock-screen by exploit this vulnerability.

 
2018-10-30
Medium
CVE-2018-17933

Vendor: Vecna
Software: Vgo firmware
 

 
VGo Robot (Versions 3.0.3.52164 and 3.0.3.53662. Prior versions may also be affected) connected to the VGo XAMPP. User accounts may be able to execute commands that are outside the scope of their privileges and within the scope of an admin account. If an attacker has access to VGo XAMPP Client credentials, they may be able to execute admin commands on the connected robot.

 
2018-10-29
Medium
CVE-2016-10734

Vendor: Projectsend
Software: Projectsend
 

 
ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php.

 
2018-10-23
Medium
CVE-2017-18312

Vendor: Qualcomm
Software: Msm8996au fi...
 

 
While accessing SafeSwitch services, third party can manipulate a given device and perform unauthorized operation due to lack of checking of same state transitions in Snapdragon Automobile, Snapdragon Mobile in version MSM8996AU, SD 410/12, SD 617, SD 650/52, SD 810, SD 820, SD 820A

 
2018-10-05
Medium
CVE-2018-0460

Vendor: Cisco
Software: Network func...
 

 
A vulnerability in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read any file on an affected system. The vulnerability is due to insufficient authorization and parameter validation checks. An attacker could exploit this vulnerability by sending a malicious API request with the authentication credentials of a low-privileged user. A successful exploit could allow the attacker to read any file on the affected system.

 
Medium
CVE-2018-0459

Vendor: Cisco
Software: Network func...
 

 
A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to cause an affected system to reboot or shut down. The vulnerability is due to insufficient server-side authorization checks. An attacker who is logged in to the web-based management interface as a low-privileged user could exploit this vulnerability by sending a crafted HTTP request. A successful exploit could allow the attacker to use the low-privileged user account to reboot or shut down the affected system.

 
2018-10-03
Low
CVE-2018-16048

Vendor: Gitlab
Software: Gitlab
 

 
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Missing Authorization Control for API Repository Storage.

 
2018-09-18
Low
CVE-2018-17178

Vendor: Neato
Software: Botvac d3 co...
 

 
An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot-right are executed even though the web socket replies with { "message" : "invalid authorization header" }. Without an active session, commands are still interpreted, but (except for eco-on and eco-off) have no effect, since without active driving, a driving direction does not change anything.

 
2018-09-11
Medium
CVE-2018-2461

Vendor: SAP
Software: People profile
 

 
Missing authorization check in SAP HCM Fiori "People Profile" (GBX01 HR version 6.0) for an authenticated user which may result in an escalation of privileges.

 

 


Copyright 2018, cxsecurity.com

 

Back to Top