CWE-732

expressCart before 1.1.6 allows remote attackers to create an admin user via a /admin/setup Referer header.

openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.

Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.

A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.

Incorrect access control in ECOS System Management Appliance (aka SMA) 5.2.68 allows a user to compromise authentication keys, and access and manipulate security relevant configurations, via unrestricted database access during Easy Enrollment.

Arista CloudVision Portal through 2018.1.1 has Incorrect Permissions.