| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts. |
| An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file. |
| An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application's file-transfer web server allows for cross-origin requests from any domain, and the WebSocket server lacks authorization control. Any web site can execute JavaScript code (that accesses a user's data) via cross-origin requests. |
| Certain NETGEAR devices are affected by lack of access control at the function level. This affects FS728TLP before 1.0.1.26, GS105Ev2 before 1.6.0.4, GS105PE before 1.6.0.4, GS108Ev3 before 2.06.08, GS108PEv3 before 2.06.08, GS110EMX before 1.0.1.4, GS116Ev2 before 2.6.0.35, GS408EPP before 1.0.0.15, GS724TPv2 before 1.1.1.29, GS808E before 1.7.0.7, GS810EMX before 1.7.1.1, GS908E before 1.7.0.3, GSS108E before 1.6.0.4, GSS108EPP before 1.0.0.15, GSS116E before 1.6.0.9, JGS516PE before 2.6.0.35, JGS524Ev2 before 2.6.0.35, JGS524PE before 2.6.0.35, XS512EM before 1.0.1.1, XS708Ev2 before 1.6.0.23, XS716E before 1.6.0.23, and XS724EM before 1.0.1.1. |
| An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. Allshare allows attackers to access sensitive information. The Samsung ID is SVE-2018-13453 (March 2019). |
| An issue was discovered on Samsung mobile devices with P(9.0) software. Attackers can use Smartwatch to view Secure Folder notification content. The Samsung ID is SVE-2019-13899 (April 2019). |
| An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. Voice Assistant mishandles the notification audibility of a secured app. The Samsung ID is SVE-2018-13326 (May 2019). |
| An issue was discovered on Samsung mobile devices with N(7.x) software. The Gallery app allows attackers to view all pictures of a locked device. The Samsung ID is SVE-2019-15189 (October 2019). |
| The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check. |
| D-Link DIR-859 routers before v1.07b03_beta allow Unauthenticated Information Disclosure via the AUTHORIZED_GROUP=1%0a value, as demonstrated by vpnconfig.php. |
| A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files. The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell. This vulnerability affects Cisco Small Business 220 Series Smart Switches running firmware versions prior to 1.1.4.4 with the web management interface enabled. The web management interface is enabled via both HTTP and HTTPS by default. |
| A vulnerability in the vManage web-based UI (Web UI) of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected vManage device. The vulnerability is due to a failure to properly authorize certain user actions in the device configuration. An attacker could exploit this vulnerability by logging in to the vManage Web UI and sending crafted HTTP requests to vManage. A successful exploit could allow attackers to gain elevated privileges and make changes to the configuration that they would not normally be authorized to make. |
| A vulnerability in the user account management interface of Cisco NX-OS Software could allow an authenticated, local attacker to gain elevated privileges on an affected device. The vulnerability is due to an incorrect authorization check of user accounts and their associated Group ID (GID). An attacker could exploit this vulnerability by taking advantage of a logic error that will permit the use of higher privileged commands than what is necessarily assigned. A successful exploit could allow an attacker to execute commands with elevated privileges on the underlying Linux shell of an affected device. Nexus 7000 and 7700 Series Switches are affected in versions prior to 6.2(22), 8.2(3), and 8.3(2). Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5). |
| A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to escalate lower-level privileges to the administrator level. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. A successful exploit could allow an attacker to make configuration changes to the system as administrator. Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5). |
| An elevation of privilege vulnerability exists when the Windows Update Delivery Optimization does not properly enforce file share permissions, aka 'Windows Update Delivery Optimization Elevation of Privilege Vulnerability'. |
| An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Several PHP pages, and other type of files, are reachable by any user without checking for user identity and authorization. |
| The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure. |
| The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed users with edit_post capabilities to manage plugin settings and email campaigns. |
| In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results." |
| Pebble Templates 3.1.2 allows attackers to bypass a protection mechanism (intended to block access to instances of java.lang.Class) because getClass is accessible via the public static java.lang.Class java.lang.Class.forName(java.lang.Module,java.lang.String) signature. |
