Vulnerabilities (CVE)

Filtered by CWE-282
Total 9 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-3383 2024-11-21 N/A 7.4 HIGH
A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules.
CVE-2024-39755 2024-11-21 N/A 7.8 HIGH
A privilege escalation vulnerability exists in the Veertu Anka Build 1.42.0. The vulnerability occurs during Anka node agent update. A low privilege user can trigger the update action which can result in unexpected elevation of privilege.
CVE-2024-37999 1 Siemens 1 Medicalis Workflow Orchestrator 2024-11-21 N/A 7.8 HIGH
A vulnerability has been identified in Medicalis Workflow Orchestrator (All versions). The affected application executes as a trusted account with high privileges and network access. This could allow an authenticated local attacker to escalate privileges.
CVE-2023-0989 1 Gitlab 1 Gitlab 2024-11-21 N/A 4.3 MEDIUM
An information disclosure issue in GitLab CE/EE affecting all versions starting from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration.
CVE-2022-29187 4 Apple, Debian, Fedoraproject and 1 more 4 Xcode, Debian Linux, Fedora and 1 more 2024-11-21 6.9 MEDIUM 7.8 HIGH
Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.
CVE-2024-47816 2024-10-10 N/A 6.4 MEDIUM
ImportDump is a mediawiki extension designed to automate user import requests. A user's local actor ID is stored in the database to tell who made what requests. Therefore, if a user on another wiki happens to have the same actor ID as someone on the central wiki, the user on the other wiki can act as if they're the original wiki requester. This can be abused to create new comments, edit the request, and view the request if it's marked private. This issue has been addressed in commit `5c91dfc` and all users are advised to update. Users unable to update may disable the special page outside of their global wiki. See `miraheze/mw-config@e566499` for details on that.
CVE-2024-8949 1 Oretnom23 1 Online Eyewear Shop 2024-09-23 6.5 MEDIUM 8.8 HIGH
A vulnerability classified as critical has been found in SourceCodester Online Eyewear Shop 1.0. This affects an unknown part of the file /classes/Master.php of the component Cart Content Handler. The manipulation of the argument cart_id/id leads to improper ownership management. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-45103 4 Emc, Lenovo, Microsoft and 1 more 4 Vmware, Xclarity Administrator, Windows and 1 more 2024-09-19 N/A 4.3 MEDIUM
A valid, authenticated LXCA user may be able to unmanage an LXCA managed device in through the LXCA web interface without sufficient privileges.
CVE-2024-45104 4 Emc, Lenovo, Microsoft and 1 more 4 Vmware, Xclarity Administrator, Windows and 1 more 2024-09-19 N/A 6.5 MEDIUM
A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call.