Vulnerabilities > Permissions, Privileges, and Access Controls

DATE CVE VULNERABILITY TITLE RISK
2017-10-30 CVE-2014-0073 Permissions, Privileges, and Access Controls vulnerability in Apache Cordova and Cordova In-App-Browser
The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI.
network
low complexity
apache CWE-264
critical
9.8
2017-10-22 CVE-2015-5699 Permissions, Privileges, and Access Controls vulnerability in Cumulusnetworks Cumulus Linux 2.5.3
The Switch Configuration Tools Backend (clcmd_server) in Cumulus Linux 2.5.3 and earlier allows local users to execute arbitrary commands via shell metacharacters in a cl-rctl command label.
local
low complexity
cumulusnetworks CWE-264
7.8
2017-10-16 CVE-2015-4650 Permissions, Privileges, and Access Controls vulnerability in Arubanetworks Clearpass Policy Manager
Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote attackers to gain shell access and execute arbitrary code with root privileges via unspecified vectors.
network
low complexity
arubanetworks CWE-264
critical
9.8
2017-10-16 CVE-2015-3229 Permissions, Privileges, and Access Controls vulnerability in Fedoraproject Spin-Kickstarts
fedora-cloud-atomic.ks in spin-kickstarts allows remote attackers to conduct man-in-the-middle attacks by leveraging use of HTTP to download Fedora Atomic updates.
network
high complexity
fedoraproject CWE-264
5.9
2017-10-16 CVE-2014-7851 Permissions, Privileges, and Access Controls vulnerability in multiple products
oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.
network
high complexity
ovirt redhat CWE-264
7.5
2017-10-10 CVE-2015-5675 Permissions, Privileges, and Access Controls vulnerability in Freebsd 10.1/9.3
The sys_amd64 IRET Handler in the kernel in FreeBSD 9.3 and 10.1 allows local users to gain privileges or cause a denial of service (kernel panic).
local
low complexity
freebsd CWE-264
7.8
2017-10-06 CVE-2015-2673 Permissions, Privileges, and Access Controls vulnerability in Wpeasycart WP Easycart
The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for WordPress allow remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters.
network
low complexity
wpeasycart CWE-264
8.8
2017-10-06 CVE-2015-0296 Permissions, Privileges, and Access Controls vulnerability in TUG Texlive 3.1.20140525R34255.Fc21/6.20131226R32488.Fc20
The pre-install script in texlive 3.1.20140525_r34255.fc21 as packaged in Fedora 21 and rpm, and texlive 6.20131226_r32488.fc20 and rpm allows local users to delete arbitrary files via a crafted file in the user's home directory.
local
high complexity
tug CWE-264
4.7
2017-10-03 CVE-2015-7359 Permissions, Privileges, and Access Controls vulnerability in multiple products
The (1) IsVolumeAccessibleByCurrentUser and (2) MountDevice methods in Ntdriver.c in TrueCrypt 7.0, VeraCrypt before 1.15, and CipherShed, when running on Windows, do not check the impersonation level of impersonation tokens, which allows local users to impersonate a user at SecurityIdentify level and gain access to other users' mounted encrypted volumes.
local
low complexity
ciphershed idrix truecrypt CWE-264
7.8
2017-10-03 CVE-2015-7358 Permissions, Privileges, and Access Controls vulnerability in multiple products
The IsDriveLetterAvailable method in Driver/Ntdriver.c in TrueCrypt 7.0, VeraCrypt before 1.15, and CipherShed, when running on Windows, does not properly validate drive letter symbolic links, which allows local users to mount an encrypted volume over an existing drive letter and gain privileges via an entry in the /GLOBAL?? directory.
local
low complexity
ciphershed idrix truecrypt CWE-264
7.8