Filtered by CWE-285
Total 906 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2016-7078 2 Redhat, Theforeman 3 Satellite, Satellite Capsule, Foreman 2024-11-21 N/A
foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.
CVE-2016-7077 2 Redhat, Theforeman 3 Satellite, Satellite Capsule, Foreman 2024-11-21 N/A
foreman before 1.14.0 is vulnerable to an information leak. It was found that Foreman form helper does not authorize options for associated objects. Unauthorized user can see names of such objects if their count is less than 6.
CVE-2016-7071 1 Redhat 3 Cloudforms, Cloudforms Management Engine, Cloudforms Managementengine 2024-11-21 N/A
It was found that the CloudForms before 5.6.2.2, and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM.
CVE-2016-7035 2 Clusterlabs, Redhat 4 Pacemaker, Enterprise Linux, Enterprise Linux Server and 1 more 2024-11-21 N/A
An authorization flaw was found in Pacemaker before 1.1.16, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine.
CVE-2016-10859 1 Cpanel 1 Cpanel 2024-11-21 N/A
cPanel before 11.54.0.0 allows unauthorized password changes via Webmail API commands (SEC-65).
CVE-2016-10848 1 Cpanel 1 Cpanel 2024-11-21 N/A
cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in scripts/quotacheck (SEC-81).
CVE-2016-10734 1 Projectsend 1 Projectsend 2024-11-21 N/A
ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php.
CVE-2016-0373 1 Ibm 1 Urbancode Deploy 2024-11-21 N/A
IBM UrbanCode Deploy 6.0 through 6.2.2.1 could allow an authenticated user to read sensitive information due to UCD REST endpoints not properly authorizing users when determining who can read data. IBM X-Force ID: 112119.
CVE-2015-7463 1 Ibm 1 Business Process Manager 2024-11-21 N/A
IBM Business Process Manager 7.5.x, 8.0.x, 8.5.0, 8.5.5, and 8.5.6.0 through cumulative fix 2 allow remote authenticated users to delete process and task data by leveraging incorrect authorization checks. IBM X-Force ID: 108393.
CVE-2015-5463 1 Axiomsl 1 Axiom 2024-11-21 N/A
AxiomSL's Axiom java applet module (used for editing uploaded Excel files and associated Java RMI services) 9.5.3 and earlier allows remote attackers to (1) access data of other basic users through arbitrary SQL commands, (2) perform a horizontal and vertical privilege escalation, (3) cause a Denial of Service on global application, or (4) write/read/delete arbitrary files on server hosting the application.
CVE-2015-3954 1 Pifzer 6 Plum A\+3 Infusion System, Plum A\+3 Infusion System Firmware, Plum A\+ Infusion System and 3 more 2024-11-21 N/A
Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior give unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user could issue commands to the pump. Hospira recommends that customers close Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue.
CVE-2015-1780 1 Redhat 2 Ovirt-engine, Virtualization 2024-11-21 6.5 Medium
oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a storage domain to any data-center
CVE-2015-10033 1 Merlinsboard Project 1 Merlinsboard 2024-11-21 3.5 Low
A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The identifier of the patch is 134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5. It is recommended to apply a patch to fix this issue. The identifier VDB-217713 was assigned to this vulnerability.
CVE-2014-6049 1 Phpmyfaq 1 Phpmyfaq 2024-11-21 N/A
phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter.
CVE-2014-0197 1 Redhat 3 Cloudforms, Cloudforms Management Engine, Cloudforms Managementengine 2024-11-21 8.8 High
CFME: CSRF protection vulnerability via permissive check of the referrer header
CVE-2014-0087 1 Redhat 2 Cloudforms Management Engine, Cloudforms Managementengine 2024-11-21 N/A
The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Management Engine (CFME), allows remote authenticated users to bypass authorization and gain privileges by leveraging improper RBAC checking, related to the rbac_user_edit action.
CVE-2013-7245 1 Sybase 1 Adaptive Server Enterprise 2024-11-21 N/A
The Backup Server component in SAP Sybase ASE 15.7 before SP51 allows remote attackers to bypass access restrictions and perform database dumps by leveraging failure to validate credentials, aka SAP Security Note 1927859.
CVE-2013-4201 2 Katello, Redhat 2 Katello, Satellite 2024-11-21 N/A
Katello allows remote authenticated users to call the "system remove_deletion" CLI command via vectors related to "remove system" permissions.
CVE-2024-48897 1 Moodle 1 Moodle 2024-11-20 6.5 Medium
A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.
CVE-2024-48901 1 Moodle 1 Moodle 2024-11-20 4.3 Medium
A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.