CWE:

Risk | Topic | Date | Author
Med. | URVE Software Build 24.03.2020 Missing Authorization | 30.12.2020 | Erik Steltzner
Low | 1CRM 8.6.7 Insecure Direct Object Reference | 17.09.2020 | Andreas Sperber
Med. | WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability | 21.06.2018 | KingSkrupellos
High | Lenovo ShareIT Information Disclosure / Hardcoded Password | 26.01.2016 | CoreLabs
High | SAP Afaria 7 Missing Authorization Check | 19.06.2015 | Vahagn Vardanyan

CVEMAP Search Results

Entries are grouped by publication date; each row gives Risk | CVE | Vendor and Software, followed by the description.

2021-01-18
  Low | CVE-2020-7343 | Vendor: Mcafee; Software: Mcafee agent
    Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.

2021-01-15
  Medium | CVE-2021-21246 | Vendor: Onedev project; Software: Onedev
    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/{id}` endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens! These access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account. This issue may lead to `Sensitive data leak` and leak the Access Token which can be used to impersonate the administrator or any other users. This issue was addressed in 4.0.3 by removing user info from restful api.

2021-01-14
  High | CVE-2020-27220 | Vendor: Eclipse; Software: HONO
    The Eclipse Hono AMQP and MQTT protocol adapters do not check whether an authenticated gateway device is authorized to receive command & control messages when it has subscribed only to commands for a specific device. The missing check involves verifying that the command target device is configured giving permission for the gateway device to act on its behalf. This means an authenticated device of a certain tenant, notably also a non-gateway device acting like a gateway, may receive command & control messages targeted at a different device of the same tenant without corresponding permissions getting checked.

2021-01-12
  Low | CVE-2021-21467 | Vendor: SAP; Software: Banking services
    SAP Banking Services (Generic Market Data) 400, 450, and 500 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. An unauthorized User is allowed to display restricted Business Partner Generic Market Data (GMD), due to improper authorization check.
  Low | CVE-2021-21468 | Vendor: SAP; Software: Business war...
    The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table.
  Medium | CVE-2021-23123 | Vendor: Joomla; Software: Joomla!
    An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of ACL checks in the orderPosition endpoint of com_modules leaks names of unpublished and/or inaccessible modules.

2021-01-08
  Medium | CVE-2020-16029 | Vendor: Google; Software: Chrome
    Inappropriate implementation in PDFium in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to bypass navigation restrictions via a crafted PDF file.
  Low | CVE-2020-16027 | Vendor: Google; Software: Chrome
    Insufficient policy enforcement in developer tools in Google Chrome prior to 87.0.4280.66 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from the user's disk via a crafted Chrome Extension.
  Medium | CVE-2020-16022 | Vendor/Software: not listed
    Insufficient policy enforcement in networking in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially bypass firewall controls via a crafted HTML page.

2021-01-04
  High | CVE-2020-35219 | Vendor/Software: not listed
    The ASUS DSL-N17U modem with firmware 1.1.0.2 allows attackers to access the admin interface by changing the admin password without authentication via a POST request to Advanced_System_Content.asp with the uiViewTools_username=admin&uiViewTools_Password= and uiViewTools_PasswordConfirm= substrings.

Copyright 2021, cxsecurity.com