| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization and does not properly restrict object types, which allows remote authenticated users to run save RPC commands with super-user privileges, and consequently execute arbitrary code, via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2514. |
| EMC RSA Archer GRC 5.x before 5.5.3 allows remote authenticated users to bypass intended access restrictions, and read or modify Discussion Forum Fields messages, via unspecified vectors. |
| EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary code with super-user privileges via a custom script. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513. |
| The Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote attackers to bypass the field_access restriction and obtain sensitive private field information via unspecified vectors. |
| The Services Basic Authentication module 7.x-1.x through 7.x-1.3 for Drupal allows remote attackers to bypass intended resource restrictions via vectors related to page caching. |
| Mozilla Firefox before 40.0 allows man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request. |
| Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02, when __debug_trace__ is configured, allows remote authenticated users to gain super-user privileges by leveraging the ability to read a log file containing a login ticket. |
| CSPOC in IBM PowerHA SystemMirror on AIX 6.1 and 7.1 allows remote authenticated users to perform an "su root" action by leveraging presence on the cluster-wide password-change list. |
| The core_enrol_get_enrolled_users web service in enrol/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly implement group-based access restrictions, which allows remote authenticated users to obtain sensitive course-participant information via a web-service request. |
| The web framework in Cisco Prime Collaboration Assurance before 10.5.1.53684-1 allows remote authenticated users to bypass intended access restrictions, and create administrative accounts or read data from arbitrary tenant domains, via a crafted URL, aka Bug IDs CSCus62671 and CSCus62652. |
| Cisco TelePresence Video Communication Server (VCS) X8.5.2 allows remote authenticated users to execute arbitrary commands in the context of the nobody user account via an unspecified web-page parameter, aka Bug ID CSCuv12333. |
| The web framework in Cisco Prime Collaboration Assurance before 10.5.1.53684-1 allows remote authenticated users to bypass intended system-database read restrictions, and discover credentials or SNMP communities for arbitrary tenant domains, via a crafted URL, aka Bug ID CSCus62656. |
| Cisco Mobility Services Engine (MSE) through 8.0.120.7 uses weak permissions for unspecified binary files, which allows local users to obtain root privileges by writing to a file, aka Bug ID CSCuv40504. |
| The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ(99.1), 7.2(0)ZZ(99.3), and 9.1(1)SV1(3.1.8) on Nexus devices allows local users to execute arbitrary OS commands via crafted characters in a filename, aka Bug IDs CSCuv08491, CSCuv08443, CSCuv08480, CSCuv08448, CSCuu99291, CSCuv08434, and CSCuv08436. |
| Cisco Prime Infrastructure (PI) 1.4(0.45) and earlier, when AAA authentication is used, allows remote authenticated users to bypass intended access restrictions via a username with a modified composition of lowercase and uppercase characters, aka Bug ID CSum59958. |
| The Spider Video Player module for Drupal allows remote authenticated users with the "access Spider Video Player administration" permission to delete arbitrary files via a crafted URL. |
| The Open Graph Importer (og_tag_importer) 7.x-1.x for Drupal does not properly check the create permission for content types created during import, which allows remote authenticated users to bypass intended restrictions by leveraging the "import og_tag_importer" permission. |
| Cisco Firepower Extensible Operating System 1.1(1.86) on Firepower 9000 devices allows remote attackers to bypass intended access restrictions and obtain sensitive device information by visiting an unspecified web page, aka Bug ID CSCuu82230. |
| updater.exe in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 on Windows allows local users to write to arbitrary files by conducting a junction attack and waiting for an update operation by the Mozilla Maintenance Service. |
| The web framework in Cisco Prime Collaboration Assurance before 10.5.1.53684-1 allows remote authenticated users to bypass intended login-session read restrictions, and impersonate administrators of arbitrary tenant domains, by discovering a session identifier and constructing a crafted URL, aka Bug IDs CSCus88343 and CSCus88334. |
