Total
6630 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-20504 | 1 Google | 1 Android | 2025-04-21 | N/A | 6.7 MEDIUM |
| In multiple locations of DreamManagerService.java, there is a missing permission check. This could lead to local escalation of privilege and dismissal of system dialogs with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-225878553 | |||||
| CVE-2022-20503 | 1 Google | 1 Android | 2025-04-21 | N/A | 7.8 HIGH |
| In onCreate of WifiDppConfiguratorActivity.java, there is a possible way for a guest user to add a WiFi configuration due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-224772890 | |||||
| CVE-2022-20547 | 1 Google | 1 Android | 2025-04-21 | N/A | 7.8 HIGH |
| In multiple functions of AdapterService.java, there is a possible way to manipulate Bluetooth state due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-240301753 | |||||
| CVE-2017-0554 | 1 Google | 1 Android | 2025-04-20 | 6.8 MEDIUM | 7.8 HIGH |
| An elevation of privilege vulnerability in the Telephony component could enable a local malicious application to access capabilities outside of its permission levels. This issue is rated as Moderate because it could be used to gain access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33815946. | |||||
| CVE-2017-9036 | 1 Trendmicro | 1 Serverprotect | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows local users to gain privileges by leveraging an unrestricted quarantine directory. | |||||
| CVE-2017-17693 | 1 Techno - Portfolio Management Panel Project | 1 Techno - Portfolio Management Panel | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| Techno - Portfolio Management Panel through 2017-11-16 does not check authorization for panel/portfolio.php?action=delete requests that remove feedback. | |||||
| CVE-2017-1002007 | 1 Dtracker Project | 1 Dtracker | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Vulnerability in wordpress plugin DTracker v1.5, The code dtracker/save_mail.php doesn't check that the user is authorized before injecting new contacts into the wp_contact table. | |||||
| CVE-2017-5180 | 1 Firejail Project | 1 Firejail | 2025-04-20 | 4.6 MEDIUM | 8.8 HIGH |
| Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option. | |||||
| CVE-2017-6635 | 1 Cisco | 1 Prime Collaboration Provisioning | 2025-04-20 | 6.8 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web interface of Cisco Prime Collaboration Provisioning Software (prior to Release 12.1) could allow an authenticated, remote attacker to delete any file from an affected system. The vulnerability exists because the affected software does not perform proper input validation of HTTP requests and fails to apply role-based access controls (RBACs) to requested HTTP URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request that uses directory traversal techniques to submit a path to a desired file location on an affected system. A successful exploit could allow the attacker to delete any file from the system. Cisco Bug IDs: CSCvc99597. | |||||
| CVE-2017-1000105 | 1 Jenkins | 1 Blue Ocean | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts, Item/Read permission was sufficient. | |||||
| CVE-2017-6622 | 1 Cisco | 1 Prime Collaboration Provisioning | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the web interface for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication and perform command injection with root privileges. The vulnerability is due to missing security constraints in certain HTTP request methods, which could allow access to files via the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. This vulnerability affects Cisco Prime Collaboration Provisioning Software Releases prior to 12.1. Cisco Bug IDs: CSCvc98724. | |||||
| CVE-2017-11135 | 1 Stashcat | 1 Heinekingmedia | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. The logout mechanism does not check for authorization. Therefore, an attacker only needs to know the device ID. This causes a denial of service. This might be interpreted as a vulnerability in customer-controlled software, in the sense that the StashCat client side has no secure way to signal that it is ending a session and that data should be deleted. | |||||
| CVE-2017-7677 | 1 Apache | 1 Ranger | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table. | |||||
| CVE-2017-1000086 | 1 Jenkins | 1 Periodic Backup | 2025-04-20 | 6.0 MEDIUM | 8.0 HIGH |
| The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. | |||||
| CVE-2017-12582 | 1 Qnap | 2 Ts-212p, Ts-212p Firmware | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Unprivileged user can access all functions in the Surveillance Station component in QNAP TS212P devices with firmware 4.2.1 build 20160601. Unprivileged user cannot login at front end but with that unprivileged user SID, all function can access at Surveillance Station. | |||||
| CVE-2017-6251 | 2 Microsoft, Nvidia | 2 Windows, Gpu Driver | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer handler where a missing permissions check may allow users to gain access to arbitrary physical system memory, which may lead to an escalation of privileges. | |||||
| CVE-2017-6564 | 1 Franklinfueling | 2 Ts-550 Evo, Ts-550 Evo Firmware | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest user, which contains the lowest privileges, can post to the idSourceFileName parameter found within the /download directory. This ability allows for an attacker to download sensitive system files from the host machine such as databases which contain information that can aid in further attacks. | |||||
| CVE-2017-17450 | 1 Linux | 1 Linux Kernel | 2025-04-20 | 4.6 MEDIUM | 7.8 HIGH |
| net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces. | |||||
| CVE-2017-11042 | 1 Google | 1 Android | 2025-04-20 | 4.6 MEDIUM | 7.8 HIGH |
| In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, ImsService and the IQtiImsExt AIDL APIs are not subject to access control. | |||||
| CVE-2017-6565 | 1 Franklinfueling | 2 Ts-550 Evo, Ts-550 Evo Firmware | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the roleDiag user, which can be obtained by exploiting CVE-2013-7247, has the ability to upload files to the server hosting the web service. As no sanitization checks are in place, an attacker can upload a malicious payload. | |||||