| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The commons_discussion_views_default_views function in modules/features/commons_discussion/commons_discussion.views_default.inc in the Drupal Commons module 6.x-2.x before 6.x-2.8 for Drupal does not properly enforce intended node access restrictions, which might allow remote attackers to obtain sensitive information via the recent comments listing. |
| The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005. |
| The file_browser component in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 does not properly restrict access to category and course data, which allows remote attackers to obtain potentially sensitive information via a request for a file. |
| Unspecified vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to bypass access restrictions via unknown attack vectors. |
| The Security Questions module for Drupal 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.1 does not properly restrict access, which allows remote attackers to edit an arbitrary user's questions and answers via unspecified vectors. |
| The Restrict node page view module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "view any node page" or "view any node {type} page" permission to access unpublished nodes via a direct request. |
| The Search Autocomplete module 7.x-2.x before 7.x-2.4 for Drupal does not properly restrict access to the module admin page, which allows remote attackers to disable an autocompletion or change the priority order via unspecified vectors. |
| The Listhandler module 6.x-1.x before 6.x-1.1 for Drupal does not properly check permissions when importing emails, which allows remote comment authors to bypass access restrictions and possibly have other unspecified impact. |
| openCryptoki before 2.4.1, when using spinlocks, allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) .pkapi_xpk or (2) .pkcs11spinloc file in /tmp. |
| MySQL 5.0.88, and possibly other versions and platforms, allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of a CVE-2009-4030 regression, which was not omitted in other packages and versions such as MySQL 5.0.95 in Red Hat Enterprise Linux 6. |
| 389 Directory Server 1.2.10 does not properly update the ACL when a DN entry is moved by a modrdn operation, which allows remote authenticated users with certain permissions to bypass ACL restrictions and access the DN entry. |
| Monkey HTTP Daemon 0.9.3 uses a real UID of root and a real GID of root during execution of CGI scripts, which might allow local users to gain privileges by leveraging cgi-bin write access. |
| Monkey HTTP Daemon 0.9.3 retains the supplementary group IDs of the root account during operations with a non-root effective UID, which might allow local users to bypass intended file-read restrictions by leveraging a race condition in a file-permission check. |
| org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. |
| The dump_resource function in dird/dird_conf.c in Bacula before 5.2.11 does not properly enforce ACL rules, which allows remote authenticated users to obtain resource dump information via unspecified vectors. |
| libgio, when used in setuid or other privileged programs in spice-gtk and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: it could be argued that this is a vulnerability in the applications that do not cleanse environment variables, not in libgio itself. |
| wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. |
| The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. |
| GlusterFS 3.3.0, as used in Red Hat Storage server 2.0, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names. |
| OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles. |
