CWE:

Topic: CTFd 2.1.5 Administrator Account Takeover
Date: 04.01.2020
Author: Social Engineering Neo
Risk: Med.


CVEMAP Search Results

Each result lists its publication date, risk rating, CVE identifier, vendor, software and description.

Date: 2020-05-13
Risk: Medium
CVE: CVE-2019-2388
Vendor: Mongodb
Software: Ops manager
Description: In affected Ops Manager versions there is an exposed HTTP route that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9 and 4.0.10, and MongoDB Ops Manager 4.1 version 4.1.5.

Date: 2020-03-11
Risk: Medium
CVE: CVE-2016-1000111
Vendor: Twistedmatrix
Software: Twisted
Description: Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

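The httpoxy mechanism behind CVE-2016-1000111, as an added illustration that is not Twisted's code: a constructed CGI gateway that builds the RFC 3875 environment from request headers, first naively and then with the "Proxy" header dropped before the mapping. The header names, host names and the proxy URL are constructed sample data.

```javascript
// Added illustration of the httpoxy mechanism. This is not Twisted's code:
// it is a constructed CGI gateway that builds the RFC 3875 environment from
// request headers, first naively and then with the "Proxy" header dropped.

// RFC 3875 section 4.1.18: a request header "Foo-Bar: v" becomes the
// meta-variable HTTP_FOO_BAR=v (upper-cased, '-' replaced by '_').
// Nothing in that mapping reserves HTTP_PROXY, so a client header named
// "Proxy" collides with the well-known proxy configuration variable.
function headerToMetaVar(name) {
  return 'HTTP_' + name.toUpperCase().replace(/-/g, '_');
}

// Vulnerable gateway: forwards every request header into the CGI environment.
function buildCgiEnvVulnerable(headers) {
  const env = {};
  for (const [name, value] of Object.entries(headers)) {
    env[headerToMetaVar(name)] = value;
  }
  return env;
}

// Hardened gateway: "Proxy" is not a standard request header and no
// legitimate client sends it, so it is discarded before the mapping.
function buildCgiEnvHardened(headers) {
  const env = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'proxy') continue;
    env[headerToMetaVar(name)] = value;
  }
  return env;
}

// Stand-in for the outbound HTTP client inside the CGI application: clients
// that honour an upper-case HTTP_PROXY variable route their traffic through it.
function resolveOutboundProxy(env) {
  return Object.prototype.hasOwnProperty.call(env, 'HTTP_PROXY') ? env.HTTP_PROXY : null;
}

// Constructed sample request carrying the crafted header.
const craftedRequestHeaders = {
  'Host': 'cgi.example.test',
  'User-Agent': 'curl/7.64.0',
  'Proxy': 'http://attacker.example.test:8080',
};

console.log('vulnerable gateway proxies via:',
  resolveOutboundProxy(buildCgiEnvVulnerable(craftedRequestHeaders)));
console.log('hardened gateway proxies via:',
  resolveOutboundProxy(buildCgiEnvHardened(craftedRequestHeaders)));
```

The mapping is the same for any CGI or FastCGI gateway, not only Twisted, so the check for a live deployment is generic: send a request with a Proxy header pointing at a listener you control and watch whether the application's own outbound HTTP requests arrive there.
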
Date: 2020-02-04
Risk: Medium
CVE: CVE-2020-8116
Vendor: Dot-prop project
Software: Dot-prop
Description: Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

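What prototype pollution through a dot-path setter looks like, as an added illustration that is not dot-prop's code: a minimal set(object, 'a.b.c', value) helper written first so that a "__proto__" path segment pollutes Object.prototype, then hardened. The function names, the forbidden-key list and the payload path are this example's own.

```javascript
// Added illustration, not dot-prop's code: a minimal dot-path setter in the
// spirit of a set(object, 'a.b.c', value) helper, first written so that a
// "__proto__" path segment pollutes Object.prototype, then hardened.

// Vulnerable: walks any segment, including "__proto__", which on a plain
// object resolves to Object.prototype, so the final assignment lands there
// and every object in the realm inherits the attacker's property.
function setPathVulnerable(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Keys through which a path can reach a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Hardened: rejects prototype-chain keys outright and only traverses own
// properties, so inherited objects are never used as intermediate nodes.
function setPathHardened(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error('refusing to set path through prototype key: ' + path);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs the classic payload against a setter and reports whether an unrelated,
// freshly created object inherited the attacker's property. Cleans up so the
// pollution does not leak into anything that runs afterwards.
function pollutes(setter) {
  let polluted;
  try {
    setter({}, '__proto__.polluted', 'pwned');
    polluted = ({}).polluted === 'pwned';
  } catch (e) {
    polluted = false; // hardened setter rejected the path
  } finally {
    delete Object.prototype.polluted;
  }
  return polluted;
}

console.log('vulnerable setter pollutes Object.prototype:', pollutes(setPathVulnerable));
console.log('hardened setter pollutes Object.prototype:', pollutes(setPathHardened));
```

The pollution is global to the JavaScript realm, which is why a single attacker-controlled path string in one request can change how unrelated code behaves later (a polluted "isAdmin" or "shell" property is the usual follow-on). The same key check belongs in any merge, extend or deep-clone helper that takes property names from untrusted input.
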
Date: 2019-04-17
Risk: Low
CVE: CVE-2018-20028
Vendor: Contao
Software: Contao cms
Description: Contao 3.x before 3.5.37, 4.4.x before 4.4.31 and 4.6.x before 4.6.11 has Incorrect Access Control.

Date: 2019-03-21
Risk: Medium
CVE: CVE-2018-18862
Vendor: BMC
Software: Remedy actio...
Description: BMC Remedy Mid-Tier 7.1.00 and 9.1.02.003 for BMC Remedy AR System has Incorrect Access Control in ITAM forms, as demonstrated by TLS%3APLR-Configuration+Details/Default+Admin+View/, AST%3AARServerConnection/Default+Admin+View/, and AR+System+Administration%3A+Server+Information/Default+Admin+View/.

Date: 2019-01-03
Risk: Medium
CVE: CVE-2018-18004
Vendor: Vivotek
Software: Camera
Description: Incorrect Access Control in mod_inetd.cgi in VIVOTEK Network Camera Series products with firmware before XXXXXX-VVTK-0X09a allows remote attackers to enable arbitrary system services via a URL parameter.

Date: 2018-12-21
Risk: Low
CVE: CVE-2018-20345
Vendor: Stackstorm
Software: Stackstorm
Description: Incorrect access control in StackStorm API (st2api) in StackStorm before 2.9.2 and 2.10.x before 2.10.1 allows an attacker (who has a StackStorm account and is authenticated against the StackStorm API) to retrieve datastore items for other users by utilizing the /v1/keys "?scope=all" and "?user=<username>" query filter parameters. Enterprise editions with RBAC enabled are not affected.

Date: 2018-12-20
Risk: Medium
CVE: CVE-2018-6669
Vendor: Mcafee
Software: Application ...
Description: A whitelist bypass vulnerability in McAfee Application Control / Change Control 7.0.1 and before allows a remote or local user to execute blacklisted files through an ASP.NET form.

Date: 2018-12-13
Risk: Medium
CVE: CVE-2018-18922
Vendor: Abisoftgt
Software: Ticketly
Description: add_user in AbiSoft Ticketly 1.0 allows remote attackers to create administrator accounts via an action/add_user.php POST request.

Date: 2018-11-28
Risk: Low
CVE: CVE-2018-19620
Vendor: Showdoc
Software: Showdoc
Description: ShowDoc 2.4.1 allows remote attackers to edit other users' notes by navigating with a modified page_id.

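The access-control pattern shared by the StackStorm entry (CVE-2018-20345, a filtered list endpoint that honours "?scope=all" and "?user=<username>" for any authenticated caller) and the ShowDoc entry (CVE-2018-19620, an edit-by-id endpoint with no ownership check), as one added illustration that is not the code of either project. The record set, user objects, role name and status codes are constructed for the example; in both handlers the fix is the same, namely deriving the permitted scope from the authenticated caller rather than from the request.

```javascript
// Added illustration, not StackStorm's or ShowDoc's code: constructed handlers
// for two incorrect-access-control flaws. The first pair mirrors a list
// endpoint whose query parameters choose whose records come back; the second
// pair mirrors an edit-by-id endpoint. Handlers return HTTP-like status codes.

// Constructed sample data: records owned by different users.
const RECORDS = [
  { id: 1, owner: 'alice', name: 'aws_token',   value: 'AKIA-ALICE' },
  { id: 2, owner: 'bob',   name: 'db_password', value: 'hunter2' },
  { id: 3, owner: 'alice', name: 'notes',       value: 'alice private note' },
];

// Role model assumed by the example: a single "admin" role may cross users.
const isAdmin = (authUser) => authUser.roles.includes('admin');

// --- list endpoint ---------------------------------------------------------
// Vulnerable: "?scope=all" and "?user=<name>" are honoured for every caller,
// so any authenticated user can enumerate everyone else's records.
function listRecordsVulnerable(authUser, query) {
  if (query.scope === 'all') return { status: 200, items: RECORDS.slice() };
  const owner = query.user || authUser.name;
  return { status: 200, items: RECORDS.filter((r) => r.owner === owner) };
}

// Hardened: the same parameters are accepted, but anything that widens the
// view beyond the caller's own records requires the admin role.
function listRecordsHardened(authUser, query) {
  const wantsAll = query.scope === 'all';
  const wantsOther = Boolean(query.user) && query.user !== authUser.name;
  if ((wantsAll || wantsOther) && !isAdmin(authUser)) {
    return { status: 403, items: [] };
  }
  if (wantsAll) return { status: 200, items: RECORDS.slice() };
  const owner = query.user || authUser.name;
  return { status: 200, items: RECORDS.filter((r) => r.owner === owner) };
}

// --- edit-by-id endpoint --------------------------------------------------
// Vulnerable: any authenticated user can modify any id they can guess.
function editRecordVulnerable(authUser, id, newValue) {
  const rec = RECORDS.find((r) => r.id === id);
  if (!rec) return { status: 404 };
  rec.value = newValue;
  return { status: 200, item: rec };
}

// Hardened: object-level check that the caller owns the record (or is admin)
// before the write. Returning 404 instead of 403 here would additionally
// avoid confirming that a foreign id exists; 403 is kept for clarity.
function editRecordHardened(authUser, id, newValue) {
  const rec = RECORDS.find((r) => r.id === id);
  if (!rec) return { status: 404 };
  if (rec.owner !== authUser.name && !isAdmin(authUser)) return { status: 403 };
  rec.value = newValue;
  return { status: 200, item: rec };
}

// Constructed callers.
const bob = { name: 'bob', roles: ['user'] };
const root = { name: 'root', roles: ['admin'] };

console.log('bob, vulnerable list ?user=alice:', listRecordsVulnerable(bob, { user: 'alice' }).items.length, 'records');
console.log('bob, hardened list ?user=alice:', listRecordsHardened(bob, { user: 'alice' }).status);
console.log('bob, hardened edit of alice id 3:', editRecordHardened(bob, 3, 'defaced').status);
console.log('root, hardened list ?scope=all:', listRecordsHardened(root, { scope: 'all' }).items.length, 'records');
```

When testing an API for this class of bug, the two probes are exactly the ones in the descriptions above: add a scope or user filter the current account should not be allowed to use, and replace an object id in an edit request with one belonging to another account, then compare the responses for a plain user and for an administrator.
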
Copyright 2020, cxsecurity.com