| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In Jspxcms 9.0.0, a vulnerable URL routing implementation allows remote code execution after logging in as web admin. |
| In Versa Director, the un-authentication request found. |
| A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1. |
| A missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares. |
| Improper revalidation of permissions in Nextcloud Server prior to 14.0.0, 13.0.6 and 12.0.11 lead to not accepting access restrictions by acess tokens. |
| Missing state in Nextcloud Server prior to 14.0.0 would not enforce the use of a second factor at login if the the provider of the second factor failed to load. |
| A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password. |
| LG SuperSign CMS allows authentication bypass because the CAPTCHA requirement is skipped if a captcha:pass cookie is sent, and because the PIN is limited to four digits. |
| A missing password verification in the web interface in AudioCodes 405HD VoIP phone with firmware 2.2.12 allows an remote attacker (in the same network as the device) to change the admin password without authentication via a POST request. |
| SecureCore Standard Edition Version 2.x allows an attacker to bypass the product 's authentication to log in to a Windows PC. |
| Insufficient policy enforcement in extensions API in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. |
| Object lifecycle issue in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass content security policy via a crafted HTML page. |
| Insufficient policy enforcement in site isolation in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass site isolation via a crafted HTML page. |
| Insufficient policy enforcement in site isolation in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass site isolation via a crafted HTML page. |
| EasyIO EasyIO-30P devices before 2.0.5.27 have Incorrect Access Control, related to webuser.js. |
| Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval endpoint that can modify the previously saved authorization request and lead to a privilege escalation on the subsequent approval. This scenario can happen if the application is configured to use a custom approval endpoint that declares AuthorizationRequest as a controller method argument. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and use a custom Approval Endpoint that declares AuthorizationRequest as a controller method argument. This vulnerability does not expose applications that: Act in the role of an Authorization Server and use the default Approval Endpoint, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient). |
| SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). |
| Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user. |
| The XMPP server in Logitech Harmony Hub before version 4.15.206 is vulnerable to authentication bypass via a crafted XMPP request. Remote attackers can use this vulnerability to gain access to the local API. |
| An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. It registers and uses the airmail:// URL scheme. The "send" command in the URL scheme allows an external application to send arbitrary emails from an active account without authentication. The handler has no restriction on who can use its functionality. The handler can be invoked using any method that invokes the URL handler such as a hyperlink in an email. The user is not prompted when the handler processes the "send" command, thus leading to automatic transmission of an attacker crafted email from the target account. |
