Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2018-1750

Summary
Assigner-ibm
Assigner Org ID-9a959283-ebb5-44b6-b705-dcc2bbced522
Published At-08 Oct, 2018 | 15:00
Updated At-16 Sep, 2024 | 18:39
Rejected At-
Credits

IBM Security Key Lifecycle Manager 3.0 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 148511.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:ibm
Assigner Org ID:9a959283-ebb5-44b6-b705-dcc2bbced522
Published At:08 Oct, 2018 | 15:00
Updated At:16 Sep, 2024 | 18:39
Rejected At:
▼CVE Numbering Authority (CNA)

IBM Security Key Lifecycle Manager 3.0 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 148511.

Affected Products
Vendor
IBM CorporationIBM
Product
Security Key Lifecycle Manager
Versions
Affected
  • 3.0
Problem Types
TypeCWE IDDescription
textN/AGain Access
Type: text
CWE ID: N/A
Description: Gain Access
Metrics
VersionBase scoreBase severityVector
3.04.2MEDIUM
CVSS:3.0/A:N/AC:H/AV:N/C:L/I:L/PR:L/S:U/UI:N/E:U/RC:C/RL:O
Version: 3.0
Base score: 4.2
Base severity: MEDIUM
Vector:
CVSS:3.0/A:N/AC:H/AV:N/C:L/I:L/PR:L/S:U/UI:N/E:U/RC:C/RL:O
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://exchange.xforce.ibmcloud.com/vulnerabilities/148511
vdb-entry
x_refsource_XF
http://www.ibm.com/support/docview.wss?uid=ibm10733311
x_refsource_CONFIRM
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/148511
Resource:
vdb-entry
x_refsource_XF
Hyperlink: http://www.ibm.com/support/docview.wss?uid=ibm10733311
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://exchange.xforce.ibmcloud.com/vulnerabilities/148511
vdb-entry
x_refsource_XF
x_transferred
http://www.ibm.com/support/docview.wss?uid=ibm10733311
x_refsource_CONFIRM
x_transferred
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/148511
Resource:
vdb-entry
x_refsource_XF
x_transferred
Hyperlink: http://www.ibm.com/support/docview.wss?uid=ibm10733311
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@us.ibm.com
Published At:08 Oct, 2018 | 15:29
Updated At:09 Oct, 2019 | 23:39

IBM Security Key Lifecycle Manager 3.0 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 148511.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.08.1HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Secondary3.04.2MEDIUM
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary2.05.5MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:N
Type: Primary
Version: 3.0
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.0
Base score: 4.2
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 5.5
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:N
CPE Matches
IBM Corporation
ibm
>>security_key_lifecycle_manager>>Versions from 2.6.0(inclusive) to 2.6.0.5(inclusive)
cpe:2.3:a:ibm:security_key_lifecycle_manager:*:*:*:*:*:*:*:*
IBM Corporation
ibm
>>security_key_lifecycle_manager>>Versions from 2.7.0(inclusive) to 2.7.0.4(inclusive)
cpe:2.3:a:ibm:security_key_lifecycle_manager:*:*:*:*:*:*:*:*
IBM Corporation
ibm
>>security_key_lifecycle_manager>>3.0
cpe:2.3:a:ibm:security_key_lifecycle_manager:3.0:*:*:*:*:*:*:*
IBM Corporation
ibm
>>security_key_lifecycle_manager>>3.0.0.1
cpe:2.3:a:ibm:security_key_lifecycle_manager:3.0.0.1:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-732Primarynvd@nist.gov
CWE ID: CWE-732
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.ibm.com/support/docview.wss?uid=ibm10733311psirt@us.ibm.com
Patch
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/148511psirt@us.ibm.com
VDB Entry
Vendor Advisory
Hyperlink: http://www.ibm.com/support/docview.wss?uid=ibm10733311
Source: psirt@us.ibm.com
Resource:
Patch
Vendor Advisory
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/148511
Source: psirt@us.ibm.com
Resource:
VDB Entry
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

124Records found
CVE-2018-1551
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-3.1||LOW
EPSS-0.26% / 49.24%
||
7 Day CHG~0.00%
Published-06 Aug, 2018 | 14:00
Updated-16 Sep, 2024 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere MQ 8.0.0.2 through 8.0.0.8 and 9.0.0.0 through 9.0.0.3 could allow users to have more authority than they should have if an MQ administrator creates an invalid user group name. IBM X-Force ID: 142888.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_mqWebSphere MQ
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2022-22411
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.15% / 36.15%
||
7 Day CHG~0.00%
Published-10 Aug, 2022 | 16:50
Updated-17 Sep, 2024 | 04:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Scale Data Access Services (DAS) 5.1.3.1 could allow an authenticated user to insert code which could allow the attacker to manipulate cluster resources due to excessive permissions. IBM X-Force ID: 223016.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-spectrum_scale_data_access_serviceslinux_kernelSpectrum Scale DAS
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2021-20423
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-8.8||HIGH
EPSS-0.18% / 39.80%
||
7 Day CHG~0.00%
Published-13 Jul, 2021 | 16:10
Updated-16 Sep, 2024 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Cloud Pak for Applications 4.3 could allow an authenticated user gain escalated privilesges due to improper application permissions. IBM X-Force ID: 196308.

Action-Not Available
Vendor-IBM Corporation
Product-cloud_pak_for_applicationsCloud Pak for Applications
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2022-22330
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-3.7||LOW
EPSS-0.06% / 17.73%
||
7 Day CHG~0.00%
Published-13 Sep, 2022 | 20:45
Updated-16 Sep, 2024 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Control Desk 7.6.1 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 219126.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-control_desklinux_kernelControl Desk
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2020-4631
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-5.1||MEDIUM
EPSS-0.03% / 5.45%
||
7 Day CHG~0.00%
Published-04 Aug, 2020 | 16:00
Updated-17 Sep, 2024 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Protect Plus 10.1.0 through 10.1.6 agent files, in non-default configurations, on Windows are assigned access to everyone with full control permissions, which could allow a local user to cause interruption of the service operations. IBM X-Force ID: 185372.

Action-Not Available
Vendor-Microsoft CorporationIBM Corporation
Product-windowsspectrum_protect_plusSpectrum Protect Plus
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2025-1139
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.01% / 0.95%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 14:42
Updated-22 Aug, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Edge Application Manager incorrect permissions

IBM Edge Application Manager 4.5 could allow a local user to read or modify resources that they should not have authorization to access due to incorrect permission assignment.

Action-Not Available
Vendor-IBM Corporation
Product-Edge Application Manager
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-1420
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.15% / 36.73%
||
7 Day CHG~0.00%
Published-01 Oct, 2018 | 15:00
Updated-16 Sep, 2024 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 resets access control settings to the out of the box configuration during Combined Cumulative Fix (CF) installation. This can lead to security miss-configuration of the installation. IBM X-Force ID: 138950.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_portalWebSphere Portal
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-51448
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-6.7||MEDIUM
EPSS-0.01% / 1.31%
||
7 Day CHG~0.00%
Published-18 Jan, 2025 | 15:08
Updated-25 Mar, 2025 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Robotic Process Automation privilege escalation

IBM Robotic Process Automation 21.0.0 through 21.0.7.17 and 23.0.0 through 23.0.18 could allow a local user to escalate their privileges. All files in the install inherit the file permissions of the parent directory and therefore a non-privileged user can substitute any executable for the nssm.exe service. A subsequent service or server restart will then run that binary with administrator privilege.

Action-Not Available
Vendor-IBM Corporation
Product-robotic_process_automationRobotic Process Automation
CWE ID-CWE-277
Insecure Inherited Permissions
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-45657
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-5||MEDIUM
EPSS-0.01% / 0.61%
||
7 Day CHG~0.00%
Published-04 Feb, 2025 | 20:40
Updated-05 Aug, 2025 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Verify Access incorrect privilege assignment

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_accessverify_identity_accessSecurity Verify Access ApplianceSecurity Verify Access Container
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-45655
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 1.28%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 14:48
Updated-24 Aug, 2025 | 11:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Application Gateway incorrect permission assignment

IBM Application Gateway 19.12 through 24.09 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.

Action-Not Available
Vendor-IBM Corporation
Product-application_gatewayApplication Gateway
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2021-20416
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-3.7||LOW
EPSS-0.09% / 27.12%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 16:30
Updated-16 Sep, 2024 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 196218.

Action-Not Available
Vendor-IBM Corporation
Product-guardium_data_encryptionGuardium Data Encryption
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2021-20526
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-3.7||LOW
EPSS-0.40% / 59.92%
||
7 Day CHG~0.00%
Published-27 Oct, 2021 | 16:00
Updated-17 Sep, 2024 | 02:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 198755.

Action-Not Available
Vendor-IBM Corporation
Product-planning_analyticsPlanning Analytics
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2020-4945
Matching Score-6
Assigner-IBM Corporation
ShareView Details
Matching Score-6
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.16% / 37.30%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 18:45
Updated-16 Sep, 2024 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow an authenticated user to overwrite arbirary files due to improper group permissions. IBM X-Force ID: 191945.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-aixdb2linux_kernelDB2 for Linux and UNIX
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-3765
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-8.1||HIGH
EPSS-0.20% / 42.00%
||
7 Day CHG~0.00%
Published-09 Oct, 2019 | 19:20
Updated-16 Sep, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3 and 2.4 contain an Incorrect Permission Assignment for Critical Resource vulnerability. A remote authenticated malicious user potentially could exploit this vulnerability to view or modify sensitive backup data. This could be used to make backups corrupt or potentially to trick a user into restoring a backup with malicious files in place.

Action-Not Available
Vendor-Dell Inc.
Product-emc_integrated_data_protection_applianceemc_avamar_serverIntegrated Data Protection ApplianceAvamar
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2017-1000134
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.18% / 40.05%
||
7 Day CHG~0.00%
Published-03 Nov, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable because group members can lose access to the group files they uploaded if another group member changes the access permissions on them.

Action-Not Available
Vendor-n/aMahara
Product-maharan/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-15721
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.08% / 24.14%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 16:43
Updated-05 Aug, 2024 | 00:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 10.8 through 12.2.1. An internal endpoint unintentionally allowed group maintainers to view and edit group runner settings.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2017-0883
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.91%
||
7 Day CHG~0.00%
Published-05 Apr, 2017 | 20:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nextcloud Server before 9.0.55 and 10.0.2 suffers from a permission increase on re-sharing via OCS API issue. A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set. Note that this only affects folders and files that the adversary has at least read-only permissions for.

Action-Not Available
Vendor-Nextcloud GmbH
Product-nextcloud_serverNextcloud Server
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CWE ID-CWE-275
Not Available
CVE-2021-41802
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.9||LOW
EPSS-0.24% / 46.77%
||
7 Day CHG~0.00%
Published-08 Oct, 2021 | 17:00
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

Action-Not Available
Vendor-n/aHashiCorp, Inc.
Product-vaultn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-20905
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 35.31%
||
7 Day CHG~0.00%
Published-01 Aug, 2019 | 14:25
Updated-05 Aug, 2024 | 12:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 71.9980.37 allows attackers to make API calls that bypass the backup feature restriction (SEC-429).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-15645
Matching Score-4
Assigner-Odoo
ShareView Details
Matching Score-4
Assigner-Odoo
CVSS Score-8.1||HIGH
EPSS-0.21% / 43.18%
||
7 Day CHG~0.00%
Published-22 Dec, 2020 | 16:25
Updated-05 Aug, 2024 | 10:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation.

Action-Not Available
Vendor-odooOdoo
Product-odooOdoo CommunityOdoo Enterprise
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2021-32729
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-2||LOW
EPSS-0.05% / 13.48%
||
7 Day CHG~0.00%
Published-01 Jul, 2021 | 16:45
Updated-03 Aug, 2024 | 23:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A user without PR can reset user authentication failures information

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A vulnerability exists in versions prior to 12.6.88, 12.10.4, and 13.0. The script service method used to reset the authentication failures record can be executed by any user with Script rights and does not require Programming rights. An attacher with script rights who is able to reset the authentication failure record might perform a brute force attack, since they would be able to virtually deactivate the mechanism introduced to mitigate those attacks. The problem has been patched in version 12.6.8, 12.10.4 and 13.0. There are no workarounds aside from upgrading.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2022-24872
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.19% / 40.91%
||
7 Day CHG~0.00%
Published-20 Apr, 2022 | 19:15
Updated-23 Apr, 2025 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in shopware

Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.

Action-Not Available
Vendor-shopwareshopware
Product-shopwareplatform
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2017-18894
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.21% / 43.31%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 18:10
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2021-43998
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 33.73%
||
7 Day CHG~0.00%
Published-30 Nov, 2021 | 14:59
Updated-04 Aug, 2024 | 04:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

Action-Not Available
Vendor-n/aHashiCorp, Inc.
Product-vaultn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found