CWE:

Title | Date | Author | Risk
CTFd 2.1.5 Administrator Account Takeover | 04.01.2020 | Social Engineering Neo | Medium


Common Weakness Enumeration (CWE)

Date | Risk | CVE
Details (vendor, software)
Description

2021-10-15 | Medium | CVE-2018-16060
Mitsubishi Electric SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.

2021-02-16 | Medium | CVE-2020-35570
Vendor: Mbconnectline
Software: Mbconnect24
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An unauthenticated attacker is able to access files (that should have been restricted) via forceful browsing.

2020-12-11 | Medium | CVE-2020-7541
A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.

2020-09-14 | Medium | CVE-2020-24660
Vendor: Lemonldap-ng
Software: Lemonldap::NG
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.

2020-05-13 | Medium | CVE-2019-2388
Vendor: Mongodb
Software: Ops manager
In affected Ops Manager versions there is an exposed HTTP route that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.

2020-03-11 | Medium | CVE-2016-1000111
Vendor: Twistedmatrix
Software: Twisted
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
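
The collision in this entry is mechanical: RFC 3875 turns every request header into an HTTP_<NAME> meta-variable, so a client-supplied "Proxy" header becomes HTTP_PROXY, which HTTP client libraries inside the CGI script read as their outbound proxy setting. The following is an added example, not Twisted's code, showing the mapping, a gateway that copies headers blindly, and one that filters on the meta-variable name. The header set, the stand-in client and all function names are constructed for the demonstration.

```javascript
// Added example (not Twisted code): how a client "Proxy" header becomes the
// HTTP_PROXY environment variable under RFC 3875 naming, and one way a CGI
// gateway prevents it. Headers, helper names and the stand-in HTTP client are
// constructed for this demo.

// RFC 3875 section 4.1.18: protocol-specific meta-variables are HTTP_<NAME>,
// with the header name upper-cased and "-" replaced by "_". Nothing in the RFC
// reserves HTTP_PROXY, which is also a widely honoured client-side proxy setting.
function headerToMetaVariable(headerName) {
  return 'HTTP_' + headerName.toUpperCase().replace(/-/g, '_');
}

// Vulnerable gateway: every client header is copied into the CGI environment.
function buildCgiEnvVulnerable(requestHeaders, baseEnv = {}) {
  const env = { ...baseEnv };
  for (const [name, value] of Object.entries(requestHeaders)) {
    env[headerToMetaVariable(name)] = value;
  }
  return env;
}

// Hardened gateway: any header whose meta-variable name collides with a
// variable that has meaning outside CGI is dropped before the process starts.
// Filtering on the computed name (not the header spelling) also catches "pRoXy".
const BLOCKED_META_VARIABLES = new Set(['HTTP_PROXY']);

function buildCgiEnvHardened(requestHeaders, baseEnv = {}) {
  const env = { ...baseEnv };
  for (const [name, value] of Object.entries(requestHeaders)) {
    const meta = headerToMetaVariable(name);
    if (BLOCKED_META_VARIABLES.has(meta)) continue;
    env[meta] = value;
  }
  return env;
}

// Stand-in for an HTTP client library running inside the CGI script that
// honours HTTP_PROXY from its environment, as several did when httpoxy was
// disclosed. Returns the host the request for `url` would actually be sent to.
function outboundTarget(env, url) {
  return env.HTTP_PROXY ? env.HTTP_PROXY : url;
}

// Constructed request: one ordinary header plus the crafted "Proxy" header.
const CRAFTED_REQUEST_HEADERS = {
  'Host': 'app.example.invalid',
  'Proxy': 'http://attacker.invalid:8080',
};

// Where the CGI script's backend call ends up under each gateway.
function compareGateways(url, headers = CRAFTED_REQUEST_HEADERS) {
  const base = { REQUEST_METHOD: 'GET' };
  return {
    vulnerable: outboundTarget(buildCgiEnvVulnerable(headers, base), url),
    hardened: outboundTarget(buildCgiEnvHardened(headers, base), url),
  };
}
```

With the vulnerable gateway the script's call to its backend is sent to the attacker's host, which can read and modify that traffic; the hardened gateway leaves the backend URL untouched. The same fix belongs in the client library too (ignore HTTP_PROXY when REQUEST_METHOD is set), but the gateway is the single point where every script behind it is covered.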

2020-02-04 | Medium | CVE-2020-8116
Vendor: Dot-prop project
Software: Dot-prop
Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
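
The vulnerability class in this entry arises when a "set by dotted path" utility walks attacker-controlled segments as plain property names: a segment of __proto__ lands the walk on Object.prototype, and the final assignment then appears on every plain object in the process. The following is an added example, not dot-prop's own implementation: a minimal setter of that shape beside a guarded one. The setter, the guard list and the demonstration helpers are constructed for this page.

```javascript
// Added example (not dot-prop's code): a minimal dotted-path setter that can
// be steered into Object.prototype, and the guard that stops it. Function
// names and the demonstration objects are constructed for this demo.

// Vulnerable: every segment is treated as an ordinary property name, and the
// walk happily descends into inherited objects such as Object.prototype.
function setPathUnsafe(obj, dottedPath, value) {
  const segments = dottedPath.split('.');
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];                       // for "__proto__" this is Object.prototype
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Segments that can reach a prototype from any object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject forbidden segments up front, and only descend into own
// properties so an inherited object is never used as an intermediate node.
function setPathSafe(obj, dottedPath, value) {
  const segments = dottedPath.split('.');
  if (segments.some(s => FORBIDDEN_SEGMENTS.has(s))) {
    throw new Error(`refusing to set path with forbidden segment: ${dottedPath}`);
  }
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (!Object.prototype.hasOwnProperty.call(cur, key) ||
        typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Pollute via the unsafe setter, observe the effect on an unrelated object
// created beforehand, then restore the runtime. Returns true if pollution occurred.
function demonstratePollution() {
  const victim = {};                                   // never touched directly
  const config = {};
  setPathUnsafe(config, '__proto__.isAdmin', true);    // attacker-controlled path
  const polluted = victim.isAdmin === true;            // unrelated object now says yes
  delete Object.prototype.isAdmin;                     // clean up
  return polluted;
}

// Same attack against the guarded setter. Returns true if it was refused and
// no plain object gained the property.
function demonstrateGuard() {
  try {
    setPathSafe({}, '__proto__.isAdmin', true);
    return false;
  } catch (e) {
    return ({}).isAdmin === undefined;
  }
}
```

A check such as `if (user.isAdmin)` elsewhere in the same process is what turns the polluted property into privilege escalation, which is why the guard has to live in the setter rather than in each consumer. Real utilities also accept bracket syntax and arrays of segments; the forbidden-segment check must be applied after all of that parsing, on the final segment list.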

2019-04-17 | Low | CVE-2018-20028
Vendor: Contao
Software: Contao cms
Contao 3.x before 3.5.37, 4.4.x before 4.4.31 and 4.6.x before 4.6.11 has Incorrect Access Control.

2019-03-21 | Medium | CVE-2018-18862
Vendor: BMC
Software: Remedy actio...
BMC Remedy Mid-Tier 7.1.00 and 9.1.02.003 for BMC Remedy AR System has Incorrect Access Control in ITAM forms, as demonstrated by TLS%3APLR-Configuration+Details/Default+Admin+View/, AST%3AARServerConnection/Default+Admin+View/, and AR+System+Administration%3A+Server+Information/Default+Admin+View/.

2019-01-03 | Medium | CVE-2018-18004
Vendor: Vivotek
Software: Camera
Incorrect Access Control in mod_inetd.cgi in VIVOTEK Network Camera Series products with firmware before XXXXXX-VVTK-0X09a allows remote attackers to enable arbitrary system services via a URL parameter.

Copyright 2022, cxsecurity.com