4423 matches found

Source: OSV
Added: 2022/05/24 7:09 p.m.

GHSA-G7XC-M762-WG8F Liferay Portal and Liferay DXP Fails to Check User Permissions for Workflow Submissions

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs...

CVSS 6.3 | AI score 6.2 | EPSS 0.0087
Exploits: 0 | References: 4
Source: Github Security Blog
Added: 2022/05/24 4:46 p.m.

Containous Traefik Exposes Password Hashes

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control which is contrary to the API documentation, allows remote authenticated users to discover password hashes by reading the Basic HTT...

CVSS 7.5 | AI score 6.9 | EPSS 0.0259
Exploits: 1 | References: 5 | Affected software: 1
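The Traefik entry above describes a management API that serialized its live configuration, password hashes included, to anyone who could reach it. The Python below is an added example, not Traefik code: it shows a configuration tree constructed for this illustration (the hash strings are placeholders) and a recursive redactor that masks credential-bearing keys before the structure is serialized by an API handler. The key names matched by SECRET_KEY_RE are an assumption for the example; adjust them to the schema you actually expose.

```python
import copy
import json
import re

# Constructed, hypothetical reverse-proxy configuration for this example.
# The "users" entries mimic htpasswd-style "user:hash" strings; the hash
# values are placeholders, not real credentials.
SAMPLE_CONFIG = {
    "frontends": {
        "dashboard": {
            "backend": "api",
            "basicAuth": {
                "users": ["admin:$apr1$EXAMPLE0$placeholderhashvalue000000"],
            },
        },
        "site": {
            "backend": "web",
            "digestAuth": {
                "users": ["ops:traefik:00112233445566778899aabbccddeeff"],
            },
        },
    },
    "backends": {"api": {"url": "http://127.0.0.1:8080"}},
}

# Keys whose values carry credentials. Matched case-insensitively on the
# key name so nested containers (basicAuth -> users) are caught wherever
# they appear in the tree. The list is an assumption for this example.
SECRET_KEY_RE = re.compile(r"(users|usersfile|password|secret|token)$", re.I)
REDACTED = "***REDACTED***"


def redact(obj):
    """Return a deep copy of obj with credential-bearing values masked.

    Masking is by key name and is applied recursively through dicts and
    lists. The input object is never modified.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if SECRET_KEY_RE.search(str(key)):
                # Keep the list shape so a caller can still see how many
                # accounts exist, but never the hashes themselves.
                out[key] = [REDACTED] * len(value) if isinstance(value, list) else REDACTED
            else:
                out[key] = redact(value)
        return out
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    return copy.deepcopy(obj)


def api_dump_unsafe(config):
    """Vulnerable pattern: serialize the live configuration verbatim."""
    return json.dumps(config, sort_keys=True)


def api_dump_safe(config):
    """Hardened pattern: serialize only the redacted view."""
    return json.dumps(redact(config), sort_keys=True)


def leaks_credentials(body):
    """True if a serialized body still contains a user:hash entry."""
    return "$apr1$" in body or "ops:traefik:" in body


if __name__ == "__main__":
    print("unsafe leaks hashes:", leaks_credentials(api_dump_unsafe(SAMPLE_CONFIG)))
    print("safe leaks hashes:  ", leaks_credentials(api_dump_safe(SAMPLE_CONFIG)))
```

Redaction by key name is a safety net, not a substitute for access control on the API itself: a dashboard that is reachable without authentication should be considered exposed whether or not the hashes are masked.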
Source: CNVD
Added: 2022/05/19 12:00 a.m.

Aruba ClearPass Policy Manager Remote Authentication Bypass Vulnerability

Aruba ClearPass Policy Manager is an application from Aruba, Inc. that provides a secure access management system for wireless networks. Aruba ClearPass Policy Manager versions 6.10.4 and earlier, 6.9.9 and earlier, and 6.8.9-HF2 and earlier are vulnerable to remote authentication bypass...

CVSS 10 | AI score 2.8 | EPSS 0.02557
Exploits: 0 | References: 1
Source: CNVD
Added: 2022/05/18 12:00 a.m.

Aruba ClearPass Policy Manager Remote Authentication Bypass Vulnerability (CNVD-2022-64234)

Aruba ClearPass Policy Manager is an application from Aruba, Inc. that provides a secure access management system for wireless networks. A remote authentication bypass vulnerability exists in Aruba ClearPass Policy Manager, which can be exploited by attackers to bypass authentication, leading to...

CVSS 10 | AI score 4.4 | EPSS 0.029
Exploits: 0 | References: 1
Source: Prion
Added: 2022/05/17 7:15 p.m.

Cross site scripting

A remote authenticated stored cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager versions 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, and 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability...

CVSS 3.5 | AI score 5.1 | EPSS 0.0053
Exploits: 0 | References: 1 | Affected software: 1
Source: OSV
Added: 2022/05/17 6:15 p.m.

CVE-2022-23671

A remote authenticated information disclosure vulnerability was discovered in Aruba ClearPass Policy Manager versions 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, and 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability...

CVSS 7.5 | AI score 5.8 | EPSS 0.01198
Exploits: 0 | References: 1
Source: ATTACKERKB
Added: 2022/05/17 6:15 p.m.

CVE-2022-23675

A remote authenticated stored cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager versions 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, and 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability...

CVSS 4.8 | AI score 5.7 | EPSS 0.00525
Exploits: 0 | References: 2
Source: Github Security Blog
Added: 2022/05/17 5:07 a.m.

Lift Sensitive Information Disclosure

The JsonParser class in json/JsonParser.scala in Lift before 2.5 interprets a certain end-index value as a length value, which allows remote authenticated users to obtain sensitive information from other users' sessions via invalid input data containing a less-than ('<') character...

CVSS 4 | AI score 6.1 | EPSS 0.01477
Exploits: 1 | References: 4 | Affected software: 8
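The Lift entry above is an index-versus-length confusion: a scanner hands back an end index, a consumer slices as if it were a length, and the slice runs past the token into neighbouring data. Lift's parser is Scala; the Python below is an added model of that bug class, not Lift code, using a buffer constructed for the example in which two requests' bodies sit back to back. The '"q"' key and the two-request layout are assumptions made to keep the overread visible.

```python
# Constructed parse buffer: two requests' JSON bodies laid out back to back,
# as a shared or pooled buffer might hold them. Nothing here is Lift code.
USER_A = '{"name":"alice","q":"a<b"}'
USER_B = '{"name":"bob","secret":"s3cr3t-token"}'
SHARED_BUF = USER_A + USER_B


def find_string(buf, quote_pos):
    """Locate the quoted string that opens at buf[quote_pos].

    Returns (start, end) where both are absolute indices into buf and
    end is exclusive. The caller must treat end as an index, not a length.
    """
    if buf[quote_pos] != '"':
        raise ValueError("expected opening quote")
    end = buf.index('"', quote_pos + 1)
    return quote_pos + 1, end


def extract_as_length(buf, start, end):
    """Vulnerable consumer: misreads the end index as a length.

    buf[start:start + end] runs past the token whenever start is not
    zero, spilling into whatever follows in the buffer.
    """
    return buf[start:start + end]


def extract_as_index(buf, start, end):
    """Correct consumer: end is an exclusive index."""
    return buf[start:end]


def read_q(buf, region_start, region_end, extract):
    """Parse the "q" value of the request whose bytes occupy
    buf[region_start:region_end], using the supplied extractor."""
    key_pos = buf.index('"q":', region_start, region_end)
    start, end = find_string(buf, key_pos + 4)
    if end > region_end:
        # Bounds check on the scanner output. It is necessary but not
        # sufficient: a broken extractor can still overrun (see below).
        raise ValueError("token crosses request boundary")
    return extract(buf, start, end)


if __name__ == "__main__":
    print("correct :", repr(read_q(SHARED_BUF, 0, len(USER_A), extract_as_index)))
    print("overread:", repr(read_q(SHARED_BUF, 0, len(USER_A), extract_as_length)))
```

The bounds check in read_q validates the scanner's indices and still lets the flawed extractor leak the neighbour's data, which is the point: an (index, index) pair and an (index, length) pair are different types, and a parser should commit to one convention and name it in the signature.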
Source: OSV
Added: 2022/05/17 4:58 a.m.

GHSA-JMV9-5GX8-7XPF Minion identity not validated in saltstack

Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key...

CVSS 7.1 | AI score 5.9 | EPSS 0.01473
Exploits: 0 | References: 6
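The Salt entry above is a binding failure: the master authenticated the connection with one minion's key but took the minion's identity from a field the minion itself wrote. The Python below is an added illustration, not Salt code. It substitutes HMAC keys for Salt's RSA key pairs so it runs with the standard library only, and contrasts a master that trusts the claimed id with one that derives identity from the key that verified the message.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-minion authentication keys. Salt uses RSA key pairs
# accepted by the master; symmetric HMAC keys stand in for them here so
# the example runs without a crypto library.
MINION_KEYS = {
    "web01": secrets.token_bytes(32),
    "db01": secrets.token_bytes(32),
}


def send(minion_id, payload):
    """Build a message from minion_id, authenticated with that minion's key.

    The envelope names the key used ("from"); the body is whatever the
    minion chooses to put in it, including an "id" field it controls.
    """
    body = json.dumps(payload, sort_keys=True)
    mac = hmac.new(MINION_KEYS[minion_id], body.encode(), hashlib.sha256).hexdigest()
    return {"from": minion_id, "body": body, "mac": mac}


def _authenticate(msg):
    """Verify the MAC under the key named in the envelope."""
    key = MINION_KEYS.get(msg.get("from"))
    if key is None:
        return False
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


def accept_unbound(msg):
    """Vulnerable master: authenticates the message, then trusts the
    minion id claimed inside the body. Any minion with a valid key can
    claim to be any other minion."""
    if not _authenticate(msg):
        return None
    return json.loads(msg["body"]).get("id")


def accept_bound(msg):
    """Fixed master: the minion's identity is the key that verified the
    message. A body that claims a different id is rejected outright."""
    if not _authenticate(msg):
        return None
    claimed = json.loads(msg["body"]).get("id")
    if claimed != msg["from"]:
        return None
    return msg["from"]


if __name__ == "__main__":
    honest = send("web01", {"id": "web01", "return": "ok"})
    spoofed = send("db01", {"id": "web01", "return": "tampered"})
    print("unbound honest :", accept_unbound(honest))
    print("unbound spoofed:", accept_unbound(spoofed))   # impersonation succeeds
    print("bound spoofed  :", accept_bound(spoofed))     # rejected
```

The same rule applies to any authenticated channel: the principal is whatever the authentication step established, and any name carried in the payload is data to be checked against it, never a replacement for it.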
Source: OSV
Added: 2022/05/17 4:32 a.m.

GHSA-25JH-5H5R-H33M Plone Sandbox Bypass

gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors...

CVSS 9.9 | AI score 6.9 | EPSS 0.01695
Exploits: 0 | References: 7
Source: Github Security Blog
Added: 2022/05/17 3:57 a.m.

Apache Ranger allows users to bypass intended access restrictions via the REST API

The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrictions via the REST API...

CVSS 6.5 | AI score 6.5 | EPSS 0.01933
Exploits: 0 | References: 6 | Affected software: 1
Source: Github Security Blog
Added: 2022/05/17 3:53 a.m.

Jenkins allows attackers to execute arbitrary jobs

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330...

CVSS 6.5 | AI score 7.5 | EPSS 0.01844
Exploits: 0 | References: 5 | Affected software: 1
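The Jenkins BuildTrigger entry above is a confused-deputy problem: a user who may configure job A but not build job B wires B as a downstream trigger of A, and the server runs the trigger with its own authority. The Python below is an added toy scheduler, not Jenkins code; the job names and user names are constructed for the example. It shows the flaw (no check at configure time, trigger runs as SYSTEM) next to the fix (check at configure time, run the trigger as the user who configured it so a later permission change is also caught).

```python
from dataclasses import dataclass, field


@dataclass
class Job:
    name: str
    builders: set              # users holding Build permission on this job
    configurers: set           # users holding Configure permission
    downstream: list = field(default_factory=list)   # (job name, configured by)


class Scheduler:
    """Toy CI server. enforce=False reproduces the flaw: a downstream
    trigger is honoured regardless of whether the user who configured it
    could build the downstream job. enforce=True checks at configure
    time and runs the trigger as that user, not as SYSTEM."""

    def __init__(self, jobs, enforce):
        self.jobs = {j.name: j for j in jobs}
        self.enforce = enforce
        self.queue = []     # (job name, identity it was queued as)
        self.denied = []    # (job name, identity that was refused)

    def configure_trigger(self, user, upstream, downstream):
        up, down = self.jobs[upstream], self.jobs[downstream]
        if user not in up.configurers:
            raise PermissionError(f"{user} may not configure {upstream}")
        if self.enforce and user not in down.builders:
            raise PermissionError(f"{user} may not build {downstream}")
        up.downstream.append((downstream, user))

    def build(self, actor, job_name):
        job = self.jobs[job_name]
        if actor != "SYSTEM" and actor not in job.builders:
            raise PermissionError(f"{actor} may not build {job_name}")
        self.queue.append((job_name, actor))
        for ds_name, configured_by in job.downstream:
            # Hardened: the trigger carries the authority of whoever wired
            # it, so the downstream build is re-checked against that user.
            trigger_as = configured_by if self.enforce else "SYSTEM"
            try:
                self.build(trigger_as, ds_name)
            except PermissionError:
                self.denied.append((ds_name, trigger_as))


def demo_jobs():
    """Fresh job graph (constructed): mallory can configure and build the
    app job but has no rights on the production deploy job; alice can
    build both."""
    return [
        Job("build-app", builders={"alice", "mallory"}, configurers={"alice", "mallory"}),
        Job("deploy-prod", builders={"alice"}, configurers={"alice"}),
    ]


def escalation_possible(enforce):
    """True if mallory can get deploy-prod queued by wiring it as a
    downstream job of build-app under the given enforcement mode."""
    s = Scheduler(demo_jobs(), enforce)
    try:
        s.configure_trigger("mallory", "build-app", "deploy-prod")
    except PermissionError:
        return False
    s.build("mallory", "build-app")
    return any(name == "deploy-prod" for name, _ in s.queue)


if __name__ == "__main__":
    print("escalation with no check:", escalation_possible(False))
    print("escalation with check:   ", escalation_possible(True))
```

Checking only at configure time is not enough on its own: if the configuring user later loses Build permission on the downstream job, the stored trigger would keep working. Running the trigger as that user (rather than as the server) closes that gap as well.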
Source: OSV
Added: 2022/05/17 3:53 a.m.

GHSA-5XM3-48V5-6H7V Jenkins allows Remote Users to Obtain Sensitive Information from Plugin Code

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code...

CVSS 5.3 | AI score 7.2 | EPSS 0.01361
Exploits: 0 | References: 8
Source: OSV
Added: 2022/05/17 3:49 a.m.

GHSA-VXHJ-3X7P-JXP5 Exposure of Sensitive Information to an Unauthorized Actor in RESTEasy

RESTEasy allows remote authenticated users to obtain sensitive information by leveraging "insufficient use of random values" in async jobs...

CVSS 6.5 | AI score 6.1 | EPSS 0.01497
Exploits: 0 | References: 2
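The RESTEasy entry above attributes the disclosure to insufficiently random values in async job handling: when a job identifier is the only thing standing between a user and another user's result, it must be unguessable. The Python below is an added illustration, not RESTEasy code. It contrasts a counter-based id generator with one drawn from the OS CSPRNG, runs a neighbour-guessing attack against both, and adds the owner binding that makes a leaked id insufficient on its own. The store layout and user names are constructed for the example.

```python
import itertools
import secrets


class JobStore:
    """Async job results keyed by job id. The id generator is pluggable so
    the predictable and unpredictable cases can be compared."""

    def __init__(self, new_id):
        self._new_id = new_id
        self._jobs = {}

    def submit(self, owner, result):
        job_id = self._new_id()
        self._jobs[job_id] = (owner, result)
        return job_id

    def fetch(self, job_id):
        """Lookup by id alone, as an API that treats the id as the only
        secret would do."""
        return self._jobs.get(job_id)

    def fetch_as(self, user, job_id):
        """Lookup that also binds the job to its submitter, so even a
        leaked or guessed id is not enough by itself."""
        entry = self._jobs.get(job_id)
        if entry is None or entry[0] != user:
            return None
        return entry


def sequential_ids():
    """Predictable ids: a counter. Knowing one id reveals its neighbours."""
    counter = itertools.count(1)
    return lambda: str(next(counter))


def random_ids(nbytes=16):
    """Unpredictable ids: 128 bits from the OS CSPRNG, URL-safe encoded."""
    return lambda: secrets.token_urlsafe(nbytes)


def guess_neighbour(store, own_job_id):
    """Attacker tactic: having submitted one job, try the ids on either
    side of it. Returns the first foreign (owner, result) found, else None."""
    try:
        n = int(own_job_id)
    except ValueError:
        return None   # nothing to increment
    for candidate in (str(n - 1), str(n + 1)):
        hit = store.fetch(candidate)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    seq = JobStore(sequential_ids())
    seq.submit("alice", "alice-report")
    print("sequential, guessed:", guess_neighbour(seq, seq.submit("mallory", "noise")))
    rnd = JobStore(random_ids())
    rnd.submit("alice", "alice-report")
    print("random, guessed:    ", guess_neighbour(rnd, rnd.submit("mallory", "noise")))
```

Use the secrets module (or os.urandom) for identifiers that act as capabilities; random.Random is seeded from observable state and is not suitable. Even with 128-bit ids, fetch_as is the control to keep: it turns a bearer token into an owner-bound one.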
Source: OSV
Added: 2022/05/17 3:48 a.m.

GHSA-9FC7-RHQ3-WM7X Apache Jackrabbit Authentication Hijacking Vulnerability

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the...

CVSS 8.8 | AI score 6 | EPSS 0.02293
Exploits: 0 | References: 9
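The Jackrabbit entry above is a CSRF defence that relied on a content-type check and could be bypassed. The Python below is an added illustration, not Jackrabbit code, of why a content-type deny list is fragile: an HTML form can submit text/plain as well as the two classic form encodings, and a request with no Content-Type at all matches nothing on a deny list. The hardened check inverts the logic (allow only types a form cannot produce) and additionally requires a trusted Origin or Referer. The request headers and the trusted origin are constructed for the example.

```python
from urllib.parse import urlsplit

# Media types a browser can submit from an HTML form without any script
# or CORS preflight. A deny list built from only the first two misses the
# third, and misses requests that carry no Content-Type at all.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

# Media types a plain form cannot produce; sending them cross-origin needs
# a preflighted fetch/XHR, which the browser refuses without CORS consent.
NON_FORM_TYPES = {"application/json", "application/xml", "text/xml"}


def media_type(content_type):
    """Strip parameters such as charset and normalise case."""
    return (content_type or "").split(";")[0].strip().lower()


def form_submittable(content_type):
    """True for anything an HTML form (or a bodiless request) can produce."""
    ct = media_type(content_type)
    return ct == "" or ct in FORM_TYPES


def origin_of(url):
    """scheme://host[:port] of an Origin or Referer value, or ''."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check_denylist(headers):
    """Vulnerable check: reject only the two classic form encodings."""
    ct = media_type(headers.get("content-type"))
    return ct not in {"application/x-www-form-urlencoded", "multipart/form-data"}


def csrf_check_allowlist(headers, allowed_origins):
    """Hardened check: the body type must be one a form cannot send, and
    the request must come from an origin we trust. Absent headers fail."""
    ct = media_type(headers.get("content-type"))
    if ct not in NON_FORM_TYPES:
        return False
    origin = origin_of(headers.get("origin")) or origin_of(headers.get("referer"))
    return origin in allowed_origins


def evaluate(headers, allowed_origins=frozenset({"https://repo.example"})):
    """Run both checks on one request; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    return {"denylist": csrf_check_denylist(h),
            "allowlist": csrf_check_allowlist(h, allowed_origins)}


# Constructed requests for the example (headers only; bodies omitted).
FORM_TEXT_PLAIN = {"Content-Type": "text/plain", "Origin": "https://evil.example"}
NO_CONTENT_TYPE = {"Origin": "https://evil.example"}
JSON_SAME_SITE = {"Content-Type": "application/json; charset=utf-8",
                  "Origin": "https://repo.example"}
JSON_FOREIGN = {"Content-Type": "application/json", "Origin": "https://evil.example"}

if __name__ == "__main__":
    for name, req in [("text/plain form", FORM_TEXT_PLAIN), ("no content-type", NO_CONTENT_TYPE),
                      ("json same-site", JSON_SAME_SITE), ("json foreign", JSON_FOREIGN)]:
        print(f"{name:16}", evaluate(req))
```

Failing closed on a missing Origin and Referer will break some legitimate clients that strip those headers; that is a deliberate trade-off here. For browser-facing endpoints a synchronized anti-CSRF token remains the primary control, with the content-type and origin checks as defence in depth.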
Source: OSV
Added: 2022/05/17 3:47 a.m.

GHSA-FMQH-2J2X-VGP3 Drupal Unprivileged access to config export

The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors...

CVSS 4.3 | AI score 4.3 | EPSS 0.01716
Exploits: 0 | References: 7
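Three entries in this list are the same defect at different layers: the Drupal route above serves a full config export without checking the "Export configuration" permission, the Liferay workflow module lets an authenticated user view and delete other users' submissions via crafted URLs, and the Apache Ranger REST API lets authenticated users bypass intended restrictions. The Python below is an added illustration serving all three, not code from any of those projects. It shows a dispatcher that refuses to register a route without a declared permission (so a missing route-level check is a startup error), a route-level check, and the object-level check that a route-level check does not replace. The paths, permission names, sample config and submission records are constructed for the example.

```python
class Forbidden(Exception):
    pass


class Router:
    """Minimal dispatcher that refuses to register a route without a
    declared permission, so an unprotected endpoint is a startup error
    rather than a silent hole."""

    def __init__(self):
        self.routes = {}

    def route(self, path, permission):
        if not permission:
            raise ValueError(f"route {path} must declare a permission")

        def register(handler):
            self.routes[path] = (permission, handler)
            return handler
        return register

    def dispatch(self, user, path, **params):
        permission, handler = self.routes[path]
        if permission != "public" and permission not in user["perms"]:
            raise Forbidden(f"{user['name']} lacks {permission} for {path}")
        return handler(user, **params)


def build_app():
    """Assemble a fresh app: a config export route plus a workflow
    submissions store with a correct and a flawed delete handler."""
    app = Router()
    # Constructed sample state; names and values are hypothetical.
    state = {
        "config": {"site.name": "intranet", "smtp.password": "hunter2"},
        "submissions": {101: {"owner": "alice", "doc": "leave request"},
                        102: {"owner": "bob", "doc": "expense claim"}},
    }

    @app.route("/admin/config/export", permission="export configuration")
    def export_config(user):
        return dict(state["config"])

    def _load(user, sid):
        sub = state["submissions"].get(sid)
        if sub is None:
            raise KeyError(sid)
        # Object-level check: the route permission says "may use workflow",
        # it does not say "may touch every submission".
        if sub["owner"] != user["name"] and "workflow:manage" not in user["perms"]:
            raise Forbidden(f"{user['name']} may not access submission {sid}")
        return sub

    @app.route("/workflow/submission/delete", permission="workflow:use")
    def delete_submission(user, sid):
        _load(user, sid)
        del state["submissions"][sid]
        return True

    @app.route("/workflow/submission/delete-unchecked", permission="workflow:use")
    def delete_submission_unchecked(user, sid):
        # Flawed variant: trusts the id in the URL once the route check passed.
        del state["submissions"][sid]
        return True

    return app, state


def attempt(app, user, path, **params):
    """Dispatch and report 'ok', 'forbidden', or the exception class name."""
    try:
        app.dispatch(user, path, **params)
        return "ok"
    except Forbidden:
        return "forbidden"
    except Exception as exc:   # KeyError for an unknown submission, etc.
        return type(exc).__name__


if __name__ == "__main__":
    app, state = build_app()
    bob = {"name": "bob", "perms": {"workflow:use"}}
    print("bob exports config:          ", attempt(app, bob, "/admin/config/export"))
    print("bob deletes alice's (checked):", attempt(app, bob, "/workflow/submission/delete", sid=101))
    print("bob deletes alice's (flawed): ", attempt(app, bob, "/workflow/submission/delete-unchecked", sid=101))
```

The two checks answer different questions: the route check asks whether this user may use this feature at all; the object check asks whether this user may act on this particular record. A crafted URL defeats a system that only asks the first question.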
Source: Github Security Blog
Added: 2022/05/17 3:20 a.m.

phpMyAdmin cross-site scripting Vulnerability in Table or Column Names

Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled...

CVSS 3.5 | AI score 5.6 | EPSS 0.01605
Exploits: 0 | References: 7 | Affected software: 1
Source: OSV
Added: 2022/05/17 3:09 a.m.

GHSA-4JP4-3C62-R8JV OpenStack Glance Denial of service by creating a large number of images

OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different...

CVSS 8.7 | AI score 6 | EPSS 0.02101
Exploits: 1 | References: 8
Source: OSV
Added: 2022/05/17 3:05 a.m.

GHSA-JPR7-8RXM-4VGX Tryton allows authenticated users with certain permissions to read arbitrary files via the name parameter

fileopen in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors...

CVSS 5.9 | AI score 4.6 | EPSS 0.01819
Exploits: 0 | References: 7
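The Tryton entry above is an arbitrary file read through a user-supplied name, the classic path-traversal shape. The Python below is an added example, not Tryton code: it resolves the requested name against a base directory, follows symlinks with realpath, and refuses anything whose resolved path leaves the base, which covers "..", absolute names and symlinks in one check. The directory layout it builds under a temporary directory is constructed for the example; creating the symlink may require extra privileges on Windows.

```python
import os
import tempfile


def resolve_name(base_dir, name):
    """Map a user-supplied name to a path inside base_dir, or raise.

    realpath canonicalises "..", repeated separators and symlinks before
    the containment check, so a link inside base that points outside it
    is rejected just like a literal traversal.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing {name!r}: resolves outside {base}")
    return target


def safe_open(base_dir, name, mode="rb"):
    """open() restricted to files under base_dir."""
    return open(resolve_name(base_dir, name), mode)


def setup_demo():
    """Build a constructed tree:
        <tmp>/secret.txt                  (must never be readable)
        <tmp>/attachments/reports/q1.txt  (legitimately downloadable)
        <tmp>/attachments/link.txt -> <tmp>/secret.txt
    and return the attachments directory."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "attachments")
    os.makedirs(os.path.join(base, "reports"))
    with open(os.path.join(base, "reports", "q1.txt"), "w") as f:
        f.write("quarterly report\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("not for download\n")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link.txt"))
    return base


def try_open(base, name):
    """Return the file's text, or None if the name was refused."""
    try:
        with safe_open(base, name) as f:
            return f.read().decode()
    except PermissionError:
        return None


if __name__ == "__main__":
    base = setup_demo()
    for name in ["reports/q1.txt", "../secret.txt", "link.txt", "/etc/hostname"]:
        print(f"{name:16} ->", repr(try_open(base, name)))
```

Checking the string for ".." is not equivalent: it misses absolute paths, symlinks and encoded separators. Resolve first, then compare the canonical result with the canonical base; on Windows commonpath raises ValueError for paths on different drives, which should also be treated as a refusal.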
Source: OSV
Added: 2022/05/17 1:44 a.m.

GHSA-PHW8-FW9G-V3XC Apache QPID Allows Remote Authentication Bypass

Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication...

CVSS 5 | AI score 6.2 | EPSS 0.06394
Exploits: 1 | References: 10