CWE:
 

Tytuł
Data
Autor
Med.
Reliable Services Improper Access Control
12.05.2020
KingSkrupellos
Med.
ThinkTrek Solutions Improper Access Control
11.05.2020
KingSkrupellos
Med.
Native Sparrow Improper Access Control
11.05.2020
KingSkrupellos
Med.
MediaCosmo CMS Improper Access Control
11.05.2020
KingSkrupellos
Med.
Avast Secure Browser 76.0.1659.101 Local Privilege Escalation
21.03.2020
Silton Santos
High
Avira Free Security Suite 2019 Software Updater 2.0.6.13175 Improper Access Control
06.08.2019
Silton Santos
Low
Yurdum Software Reflected XSS Privilege Escalation
17.06.2019
KingSkrupellos
Med.
Blue Prism Robotic Process Automation (RPA) Privilege Escalation
23.05.2019
Benjamin Hess
Med.
AlumniMagnet OmniMagnet Improper Access Control Vulnerability
20.05.2019
KingSkrupellos
Med.
Gemalto DS3 Authentication Server / Ezio Server Command Injection / File Disclosure
11.05.2019
TING Meng Yean
Med.
Designed by Longtail E-Media Improper Access Control and RFU Vulnerability
22.09.2018
AYAR
Low
WordPress Developed by Netsoft Limited Software Development Bangladesh Improper Authentication Vulnerability
05.09.2018
KingSkrupellos
Med.
WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability
21.06.2018
KingSkrupellos
High
Solarwinds LEM 6.3.1 Hardcoded Credentials
25.04.2017
Matt Bergin
Med.
HP Printers Wi-Fi Direct Improper Access Control
03.02.2017
Neseso
Med.
SAP HANA Information Disclosure
28.05.2015
onapsis
High
TheCartPress WordPress plugin 1.3.9 Multiple Vulns
29.04.2015
High-Tech Bridge Secur...
Low
SAP Background Processing RFC Missing Authorization
29.04.2014
Onapsis
Low
SAP BASIS Missing Authorization Check
29.04.2014
Onapsis
Low
SAP Profile Maintenance Missing Authorization
29.04.2014
Onapsis
High
OpenDocMan 1.2.7 Multiple Vulnerabilities
05.03.2014
High-Tech Bridge Secur...
High
Microweber 0.8 Arbitrary File Deletion
18.10.2013
High-Tech Bridge Secur...
High
Samsung Kies 2.3.2.12054_20 NULL Pointer Dereference and bypass
16.10.2012
High-Tech Bridge Secur...
High
PBBoard 2.1.4 SQL Injection and Improper Authentication
09.08.2012
High-Tech Bridge Secur...
Med.
AWScripts Gallery Search Engine 1.x Insecure Cookie Vulnerability
01.07.2009
TiGeR-Dz


Common Weakness Enumeration (CWE)

CVE
Szczegóły
Opis
2020-06-22
High
CVE-2020-4062

Vendor: Cyberark
Software: Conjur oss h...
 

 
In Conjur OSS Helm Chart before 2.0.0, a recently identified critical vulnerability resulted in the installation of the Conjur Postgres database with an open port. This allows an attacker to gain full read & write access to the Conjur Postgres database, including escalating the attacker's privileges to assume full control. A malicious actor who knows the IP address and port number of the Postgres database and has access into the Kubernetes cluster where Conjur runs can gain full read & write access to the Postgres database. This enables the attacker to write a policy that allows full access to retrieve any secret. This Helm chart is a method to install Conjur OSS into a Kubernetes environment. Hence, the systems impacted are only Conjur OSS systems that were deployed using this chart. Other deployments including Docker and the CyberArk Dynamic Access Provider (DAP) are not affected. To remediate this vulnerability, clone the latest Helm Chart and follow the upgrade instructions. If you are not able to fully remediate this vulnerability immediately, you can mitigate some of the risk by making sure Conjur OSS is deployed on an isolated Kubernetes cluster or namespace. The term "isolated" refers to: - No other workloads besides Conjur OSS and its backend database are running in that Kubernetes cluster/namespace. - Kubernetes and helm access to the cluster/namespace is limited to security administrators via Role-Based Access Control (RBAC).

 
2019-09-09
Medium
CVE-2019-16114

Vendor: Atutor
Software: Atutor
 

 
In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.

 
Medium
CVE-2019-15895

Vendor: Search exclude project
Software: Search exclude
 

 
search-exclude.php in the "Search Exclude" plugin before 1.2.4 for WordPress allows unauthenticated options changes.

 
2019-09-06
Medium
CVE-2019-9854

Vendor: Libreoffice
Software: Libreoffice
 

 
LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.

 
Medium
CVE-2019-13656

Vendor: Broadcom
Software: Ca client au...
 

 
An access vulnerability in CA Common Services DIA of CA Technologies Client Automation 14 and Workload Automation AE 11.3.5, 11.3.6 allows a remote attacker to execute arbitrary code.

 
2019-09-05
Medium
CVE-2019-13188

Vendor: ENG
Software: Knowage
 

 
In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application.

 
Medium
CVE-2019-11380

Vendor: Estrongs
Software: Es file expl...
 

 
The master-password feature in the ES File Explorer File Manager application 4.2.0.1.3 for Android can be bypassed via a com.estrongs.android.pop.ftp.ESFtpShortcut intent, leading to remote FTP access to the entirety of local storage.

 
2019-09-04
Low
CVE-2019-15718

Vendor: Freedesktop
Software: Systemd
 

 
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.

 
2019-09-03
Medium
CVE-2019-15043

Vendor: Grafana
Software: Grafana
 

 
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

 
2019-08-30
Medium
CVE-2018-15513

Vendor: Totemo
Software: Totemomail
 

 
Log viewer in totemomail 6.0.0 build 570 allows access to sessionIDs of high privileged users by leveraging access to a read-only auditor role.

 

 


Copyright 2020, cxsecurity.com

 

Back to Top