Vulnerabilities (CVE)

Filtered by CWE-862
Total 4067 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-0389 1 Google 1 Android 2024-11-21 4.6 MEDIUM 7.8 HIGH
In setNightModeActivated of UiModeManagerService.java, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-168039904
CVE-2021-0388 1 Google 1 Android 2024-11-21 4.6 MEDIUM 7.8 HIGH
In onReceive of ImsPhoneCallTracker.java, there is a possible misattribution of data usage due to an incorrect broadcast handler. This could lead to local escalation of privilege resulting in attributing video call data to the wrong app, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-162741489
CVE-2021-0385 1 Google 1 Android 2024-11-21 4.6 MEDIUM 7.8 HIGH
In createConnectToAvailableNetworkNotification of ConnectToNetworkNotificationBuilder.java, there is a possible connection to untrusted WiFi networks due to notification interaction above the lockscreen. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-172584372
CVE-2021-0380 1 Google 1 Android 2024-11-21 4.6 MEDIUM 7.8 HIGH
In onReceive of DcTracker.java, there is a possible way to trigger a provisioning URL and modify other telephony settings due to a missing permission check. This could lead to local escalation of privilege during the onboarding flow with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-172459128
CVE-2021-0328 1 Google 1 Android 2024-11-21 7.2 HIGH 7.8 HIGH
In onBatchScanReports and deliverBatchScan of GattService.java, there is a possible way to retrieve Bluetooth scan results without permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-172670415
CVE-2020-9982 1 Apple 1 Music 2024-11-21 4.3 MEDIUM 5.5 MEDIUM
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
CVE-2020-9458 1 Metagauss 1 Registrationmagic 2024-11-21 6.5 MEDIUM 8.8 HIGH
In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the export function allows remote authenticated users (with minimal privileges) to export submitted form data and settings via class_rm_form_controller.php rm_form_export.
CVE-2020-9457 1 Metagauss 1 Registrationmagic 2024-11-21 6.5 MEDIUM 8.8 HIGH
The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote authenticated users (with minimal privileges) to import custom vulnerable forms and change form settings via class_rm_form_settings_controller.php, resulting in privilege escalation.
CVE-2020-9456 1 Metagauss 1 Registrationmagic 2024-11-21 6.5 MEDIUM 8.8 HIGH
In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the user controller allows remote authenticated users (with minimal privileges) to elevate their privileges to administrator via class_rm_user_controller.php rm_user_edit.
CVE-2020-9455 1 Metagauss 1 Registrationmagic 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote authenticated users (with minimal privileges) to send arbitrary emails on behalf of the site via class_rm_user_services.php send_email_user_view.
CVE-2020-9411 2 Ibm, Tibco 2 I, Managed File Transfer Platform Server 2024-11-21 9.3 HIGH 10.0 CRITICAL
The file transfer component of TIBCO Software Inc.'s TIBCO Managed File Transfer Platform Server for IBM i contains a vulnerability that theoretically allows an attacker to perform unauthorized network file transfers to and from the file system accessible to the affected component. This vulnerability is exploitable when the configuration option 'Require Node Resp' is set to 'No'. In the event of a successful exploit, the attacker could theoretically read and write any file on the file system accessible to the affected component, thus fully affecting the confidentiality, integrity, and availability of the operating system hosting the deployment of the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Managed File Transfer Platform Server for IBM i: versions 7.1.0 and below, version 8.0.0.
CVE-2020-9349 1 Cacagoo 2 Tv-288zd-2mp, Tv-288zd-2mp Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 allows access to the RTSP service without a password.
CVE-2020-9009 1 Shipstation 1 Shipstation 2024-11-21 N/A 3.7 LOW
The ShipStation.com plugin 1.1 and earlier for CS-Cart allows remote attackers to insert arbitrary information into the database (via action=shipnotify) because access to this endpoint is completely unchecked. The attacker must guess an order number.
CVE-2020-8811 1 Bludit 1 Bludit 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
ajax/profile-picture-upload.php in Bludit 3.10.0 allows authenticated users to change other users' profile pictures.
CVE-2020-8795 1 Gitlab 1 Gitlab 2024-11-21 5.0 MEDIUM 7.5 HIGH
In GitLab Enterprise Edition (EE) 12.5.0 through 12.7.5, sharing a group with a group could grant project access to unauthorized users.
CVE-2020-8772 1 Revmakx 1 Infinitewp Client 2024-11-21 7.5 HIGH 9.8 CRITICAL
The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_mmb_set_request in init.php. Any attacker who knows the username of an administrator can log in.
CVE-2020-8439 1 Monstra 1 Monstra 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI.
CVE-2020-8139 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Server 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL.
CVE-2020-7472 1 Sugarcrm 1 Sugarcrm 2024-11-21 7.5 HIGH 9.8 CRITICAL
An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.).
CVE-2020-7343 1 Mcafee 1 Agent 2024-11-21 2.1 LOW 5.5 MEDIUM
Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.