Total
3879 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-11456 | 1 Siemens | 1 Automation License Manager | 2024-11-21 | N/A |
| A vulnerability has been identified in Automation License Manager 5 (All versions < 5.3.4.4). An attacker with network access to the device could send specially crafted network packets to determine whether or not a network port on another remote system is accessible or not. This allows the attacker to do basic network scanning using the victims machine. Successful exploitation requires a network connection to the affected device. The attacker does not need privileges, no user interaction is required. The impact is limited to determining whether or not a port on a target system is accessible by the affected device. | ||||
| CVE-2018-10905 | 1 Redhat | 3 Cloudforms, Cloudforms Management Engine, Cloudforms Managementengine | 2024-11-21 | N/A |
| CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user. | ||||
| CVE-2018-10691 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2024-11-21 | N/A |
| An issue was discovered on Moxa AWK-3121 1.14 devices. It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorization. | ||||
| CVE-2018-10630 | 1 Crestron | 15 Mc3, Mc3 Firmware, Tsw-1060-b-s and 12 more | 2024-11-21 | N/A |
| For Crestron TSW-X60 version prior to 2.001.0037.001 and MC3 version prior to 1.502.0047.001, The devices are shipped with authentication disabled, and there is no indication to users that they need to take steps to enable it. When compromised, the access to the CTP console is left open. | ||||
| CVE-2018-10612 | 1 Codesys | 12 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 9 more | 2024-11-21 | N/A |
| In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption is not enabled by default, which could allow an attacker access to the device and sensitive information, including user credentials. | ||||
| CVE-2018-10500 | 1 Samsung | 1 Galaxy Apps | 2024-11-21 | N/A |
| This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Galaxy Apps Fixed in version 6.4.0.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of push messages. The issue lies in the ability to start an activity with controlled arguments. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the application. Was ZDI-CAN-5331. | ||||
| CVE-2018-1000134 | 2 Pingidentity, Redhat | 3 Ldapsdk, Jboss Enterprise Bpms Platform, Rhev Manager | 2024-11-21 | N/A |
| UnboundID LDAP SDK version from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6, where the issue was reported and fixed contains an Incorrect Access Control vulnerability in process function in SimpleBindRequest class doesn't check for empty password when running in synchronous mode. commit with applied fix https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd that can result in Ability to impersonate any valid user. This attack appear to be exploitable via Providing valid username and empty password against servers that do not do additional validation as per https://tools.ietf.org/html/rfc4513#section-5.1.1. This vulnerability appears to have been fixed in after commit 8471904a02438c03965d21367890276bc25fa5a6. | ||||
| CVE-2018-0484 | 1 Cisco | 1 Ios | 2024-11-21 | N/A |
| A vulnerability in the access control logic of the Secure Shell (SSH) server of Cisco IOS and IOS XE Software may allow connections sourced from a virtual routing and forwarding (VRF) instance despite the absence of the vrf-also keyword in the access-class configuration. The vulnerability is due to a missing check in the SSH server. An attacker could use this vulnerability to open an SSH connection to an affected Cisco IOS or IOS XE device with a source address belonging to a VRF instance. Once connected, the attacker would still need to provide valid credentials to access the device. | ||||
| CVE-2017-9626 | 1 Marel | 2 Pluto1203, Pluto2 | 2024-11-21 | N/A |
| Systems using the Marel Food Processing Systems Pluto platform do not restrict remote access. Marel has created an update for Pluto-based applications. This update will restrict remote access by implementing SSH authentication. | ||||
| CVE-2017-9513 | 1 Atlassian | 1 Activity Streams | 2024-11-21 | N/A |
| Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks. | ||||
| CVE-2017-9285 | 2 Microfocus, Netiq | 2 Edirectory, Edirectory | 2024-11-21 | N/A |
| NetIQ eDirectory before 9.0 SP4 did not enforce login restrictions when "ebaclient" was used, allowing unpermitted access to eDirectory services. | ||||
| CVE-2017-8340 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | N/A |
| Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control. | ||||
| CVE-2017-7912 | 1 Hanwhasecurity | 2 Srn-4000, Srn-4000 Firmware | 2024-11-21 | N/A |
| Hanwha Techwin SRN-4000, SRN-4000 firmware versions prior to SRN4000_v2.16_170401, A specially crafted http request and response could allow an attacker to gain access to the device management page with admin privileges without proper authentication. | ||||
| CVE-2017-7497 | 1 Redhat | 2 Cloudforms Management Engine, Cloudforms Managementengine | 2024-11-21 | N/A |
| The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant. | ||||
| CVE-2017-7471 | 1 Qemu | 1 Qemu | 2024-11-21 | 9.0 Critical |
| Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. | ||||
| CVE-2017-6912 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | N/A |
| Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control. | ||||
| CVE-2017-5863 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | N/A |
| Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control. | ||||
| CVE-2017-5212 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | N/A |
| Open-Xchange GmbH OX App Suite 7.8.3 is affected by: Incorrect Access Control. | ||||
| CVE-2017-2664 | 1 Redhat | 3 Cloudforms, Cloudforms Management Engine, Cloudforms Managementengine | 2024-11-21 | N/A |
| CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges. | ||||
| CVE-2017-18543 | 1 Invite Anyone Project | 1 Invite Anyone | 2024-11-21 | N/A |
| The invite-anyone plugin before 1.3.16 for WordPress has incorrect access control for email-based invitations. | ||||