Total
2479 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-2305 | 1 Juniper | 1 Junos Space | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can create privileged users, allowing privilege escalation. | |||||
| CVE-2017-4915 | 2 Linux, Vmware | 3 Linux Kernel, Workstation Player, Workstation Pro | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine. | |||||
| CVE-2017-3801 | 1 Cisco | 1 Unified Computing System Director | 2025-04-20 | 4.6 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new catalogs with arbitrary workflow items to his/her profile. An exploit could allow an attacker to perform any actions defined by these workflow items, including actions affecting other tenants. Cisco Bug IDs: CSCvb64765. | |||||
| CVE-2016-6797 | 6 Apache, Canonical, Debian and 3 more | 14 Tomcat, Ubuntu Linux, Debian Linux and 11 more | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. | |||||
| CVE-2017-9855 | 1 Sma | 78 Sunny Boy 1.5, Sunny Boy 1.5 Firmware, Sunny Boy 2.5 and 75 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in SMA Solar Technology products. A secondary authentication system is available for Installers called the Grid Guard system. This system uses predictable codes, and a single Grid Guard code can be used on any SMA inverter. Any such code, when combined with the installer account, allows changing very sensitive parameters. NOTE: the vendor reports that Grid Guard is not an authentication feature; it is only a tracing feature. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected | |||||
| CVE-2017-2306 | 1 Juniper | 1 Junos Space | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can execute code on the device. | |||||
| CVE-2017-9378 | 1 Bigtreecms | 1 Bigtree Cms | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. This could have security relevance because deletion was supposed to be an admin-only action, and the admin may have other tasks (such as data backups) to complete before a user is deleted. | |||||
| CVE-2017-6377 | 1 Drupal | 1 Drupal | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass. | |||||
| CVE-2017-8196 | 1 Huawei | 1 Fusionsphere | 2025-04-20 | 4.6 MEDIUM | 4.2 MEDIUM |
| FusionSphere V100R006C00SPC102(NFV) has an incorrect authorization vulnerability. An authenticated attacker could execute commands that he/she should have had no permission to perform, thereby querying, modifying, and deleting certain service data and making the service unavailable. | |||||
| CVE-2017-8633 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2025-04-20 | 8.5 HIGH | 7.5 HIGH |
| Windows Error Reporting (WER) in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an elevation of privilege vulnerability, aka "Windows Error Reporting Elevation of Privilege Vulnerability". | |||||
| CVE-2017-1628 | 1 Ibm | 1 Business Process Manager | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Business Process Manager 8.6.0.0 allows authenticated users to stop and resume the Event Manager by calling a REST API with incorrect authorization checks. | |||||
| CVE-2017-0910 | 1 Zulip | 1 Zulip Server | 2025-04-20 | 4.0 MEDIUM | 8.8 HIGH |
| In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. | |||||
| CVE-2017-6590 | 1 Canonical | 1 Ubuntu Linux | 2025-04-20 | 6.9 MEDIUM | 6.3 MEDIUM |
| An issue was discovered in network-manager-applet (aka network-manager-gnome) in Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10. A local attacker could use this issue at the default Ubuntu login screen to access local files and execute arbitrary commands as the lightdm user. The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point that lets you use a certificate to login is required as well, but it's easy to create one. Then, it's possible to open a nautilus window and browse directories. One also can open some applications such as Firefox, which is useful for downloading malicious binaries. | |||||
| CVE-2017-9653 | 1 Osisoft | 3 Pi Integrator For Business Analystics, Pi Integrator For Microsoft Azure, Pi Integrator For Sap Hana | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An Improper Authorization issue was discovered in OSIsoft PI Integrator for Business Analytics before 2016 R2, PI Integrator for Microsoft Azure before 2016 R2 SP1, and PI Integrator for SAP HANA before 2017. An attacker is able to gain privileged access to the system while unauthorized. | |||||
| CVE-2017-6672 | 1 Cisco | 1 Asr 5000 Series Software | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in certain filtering mechanisms of access control lists (ACLs) for Cisco ASR 5000 Series Aggregation Services Routers through 21.x could allow an unauthenticated, remote attacker to bypass ACL rules that have been configured for an affected device. More Information: CSCvb99022 CSCvc16964 CSCvc37351 CSCvc54843 CSCvc63444 CSCvc77815 CSCvc88658 CSCve08955 CSCve14141 CSCve33870. | |||||
| CVE-2017-17067 | 1 Splunk | 1 Splunk | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and 6.3.x before 6.3.12, when the SAML authType is enabled, mishandles SAML, which allows remote attackers to bypass intended access restrictions or conduct impersonation attacks. | |||||
| CVE-2017-6816 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | 5.5 MEDIUM | 4.9 MEDIUM |
| In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. | |||||
| CVE-2017-7505 | 1 Theforeman | 1 Foreman | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user object outside of their scope, such as editing global admin accounts including changing their passwords. | |||||
| CVE-2017-8192 | 1 Huawei | 1 Fusionsphere Openstack | 2025-04-20 | 4.6 MEDIUM | 7.8 HIGH |
| FusionSphere OpenStack V100R006C00 has an improper authorization vulnerability. Due to improper authorization, an attacker with low privilege may exploit this vulnerability to obtain the operation authority of some specific directory, causing privilege escalation. | |||||
| CVE-2017-5060 | 5 Apple, Google, Linux and 2 more | 8 Macos, Android, Chrome and 5 more | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. | |||||