Total
1418 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-21311 | 1 Google | 1 Android | 2024-02-28 | N/A | 5.5 MEDIUM |
| In Settings, there is a possible way to control private DNS settings from a secondary user due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-33468 | 1 Kramerav | 4 Via Connect2, Via Connect2 Firmware, Via Go2 and 1 more | 2024-02-28 | N/A | 9.1 CRITICAL |
| KramerAV VIA Connect (2) and VIA Go (2) devices with a version prior to 4.0.1.1326 exhibit a vulnerability that enables remote manipulation of the device. This vulnerability involves extracting the connection confirmation code remotely, bypassing the need to obtain it directly from the physical screen. | |||||
| CVE-2023-39154 | 1 Jenkins | 1 Qualys Web App Scanning Connector | 2024-02-28 | N/A | 6.5 MEDIUM |
| Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2023-5193 | 1 Mattermost | 1 Mattermost | 2024-02-28 | N/A | 2.7 LOW |
| Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation. | |||||
| CVE-2023-41882 | 1 Vantage6 | 1 Vantage6 | 2024-02-28 | N/A | 4.3 MEDIUM |
| vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds. | |||||
| CVE-2023-30705 | 1 Samsung | 1 Galaxy Store | 2024-02-28 | N/A | 5.5 MEDIUM |
| Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.56.6?allows local attackers to access privileged content providers as Galaxy Store permission. | |||||
| CVE-2023-4997 | 1 Prointegra | 1 Uptimedc | 2024-02-28 | N/A | 8.8 HIGH |
| Improper authorisation of regular users in ProIntegra Uptime DC software (versions below 2.0.0.33940) allows them to change passwords of all other users including administrators leading to a privilege escalation. | |||||
| CVE-2023-34035 | 1 Vmware | 1 Spring Security | 2024-02-28 | N/A | 5.3 MEDIUM |
| Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.) Specifically, an application is vulnerable when all of the following are true: * Spring MVC is on the classpath * Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet) * The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints An application is not vulnerable if any of the following is true: * The application does not have Spring MVC on the classpath * The application secures no servlets other than Spring MVC’s DispatcherServlet * The application uses requestMatchers(String) only for Spring MVC endpoints | |||||
| CVE-2023-38486 | 1 Arubanetworks | 5 9004, 9004-lte, 9012 and 2 more | 2024-02-28 | N/A | 6.4 MEDIUM |
| A vulnerability in the secure boot implementation on affected Aruba 9200 and 9000 Series Controllers and Gateways allows an attacker to bypass security controls which would normally prohibit unsigned kernel images from executing. An attacker can use this vulnerability to execute arbitrary runtime operating systems, including unverified and unsigned OS images. | |||||
| CVE-2023-1832 | 2 Candlepinproject, Redhat | 2 Candlepin, Satellite | 2024-02-28 | N/A | 8.1 HIGH |
| An improper access control flaw was found in Candlepin. An attacker can create data scoped under another customer/tenant, which can result in loss of confidentiality and availability for the affected customer/tenant. | |||||
| CVE-2017-9453 | 1 Bmc | 1 Server Automation | 2024-02-28 | N/A | 9.8 CRITICAL |
| BMC Server Automation before 8.9.01 patch 1 allows Process Spawner command execution because of authentication bypass. | |||||
| CVE-2023-20191 | 1 Cisco | 1 Ios Xr | 2024-02-28 | N/A | 7.5 HIGH |
| A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incomplete support for this feature. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device. There are workarounds that address this vulnerability. This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication . | |||||
| CVE-2023-27523 | 1 Apache | 1 Superset | 2024-02-28 | N/A | 4.3 MEDIUM |
| Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to. | |||||
| CVE-2023-4227 | 1 Moxa | 2 Iologik E4200, Iologik E4200 Firmware | 2024-02-28 | N/A | 6.5 MEDIUM |
| A vulnerability has been identified in the ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, which can be exploited by malicious actors to potentially gain unauthorized access to the product. This could lead to security breaches, data theft, and unauthorized manipulation of sensitive information. The vulnerability is attributed to the presence of an unauthorized service, which could potentially enable unauthorized access to the. device. | |||||
| CVE-2023-44860 | 1 Netis-systems | 2 N3m, N3m Firmware | 2024-02-28 | N/A | 7.5 HIGH |
| An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker to cause a denial of service via the authorization component in the HTTP request. | |||||
| CVE-2023-41078 | 1 Apple | 1 Macos | 2024-02-28 | N/A | 5.5 MEDIUM |
| An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14. An app may be able to bypass certain Privacy preferences. | |||||
| CVE-2023-3590 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 7.5 HIGH |
| Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments. | |||||
| CVE-2023-35908 | 1 Apache | 1 Airflow | 2024-02-28 | N/A | 6.5 MEDIUM |
| Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected | |||||
| CVE-2023-38218 | 1 Adobe | 2 Commerce, Magento | 2024-02-28 | N/A | 8.8 HIGH |
| Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Incorrect Authorization . An authenticated attacker can exploit this to achieve information exposure and privilege escalation. | |||||
| CVE-2023-27526 | 1 Apache | 1 Superset | 2024-02-28 | N/A | 4.3 MEDIUM |
| A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. | |||||