Total: 1418 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-47090 | 1 Linuxfoundation | 1 Nats-server | 2024-02-28 | N/A | 6.5 MEDIUM |
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0. | |||||
CVE-2023-32748 | 1 Mitel | 1 Mivoice Connect | 2024-02-28 | N/A | 9.8 CRITICAL |
The Linux DVS server component of Mitel MiVoice Connect through 19.3 SP2 (22.24.1500.0) could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control. | |||||
CVE-2023-5521 | 1 Kernelsu | 1 Kernelsu | 2024-02-28 | N/A | 9.8 CRITICAL |
Incorrect Authorization in GitHub repository tiann/kernelsu prior to v0.6.9. | |||||
CVE-2023-37881 | 1 Wftpserver | 1 Wing Ftp Server | 2024-02-28 | N/A | 8.8 HIGH |
Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation. This issue affects Wing FTP Server: <= 7.2.0. | |||||
CVE-2023-5159 | 1 Mattermost | 1 Mattermost | 2024-02-28 | N/A | 2.7 LOW |
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots. | |||||
CVE-2022-48538 | 1 Cacti | 1 Cacti | 2024-02-28 | N/A | 5.3 MEDIUM |
In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password. | |||||
CVE-2023-3584 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 3.1 LOW |
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme. | |||||
CVE-2023-32629 | 1 Canonical | 1 Ubuntu Linux | 2024-02-28 | N/A | 7.8 HIGH |
Local privilege escalation vulnerability in Ubuntu kernels: overlayfs ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr on Ubuntu kernels. | |||||
CVE-2023-46125 | 1 Ethyca | 1 Fides | 2024-02-28 | N/A | 6.5 MEDIUM |
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers' addresses and ports, and the database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role, e.g. the viewer role, to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`. | |||||
CVE-2023-5195 | 1 Mattermost | 1 Mattermost | 2024-02-28 | N/A | 5.4 MEDIUM |
Mattermost fails to properly validate the permissions when soft deleting a team, allowing a team member to soft delete other teams that they are not part of. | |||||
CVE-2023-32672 | 1 Apache | 1 Superset | 2024-02-28 | N/A | 4.3 MEDIUM |
An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL parsing vulnerability. | |||||
CVE-2023-42541 | 1 Samsung | 1 Push Service | 2024-02-28 | N/A | 5.3 MEDIUM |
Improper authorization in PushClientProvider of Samsung Push Service prior to version 3.4.10 allows an attacker to access a unique id. | |||||
CVE-2023-3586 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 5.4 MEDIUM |
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible. | |||||
CVE-2023-36556 | 1 Fortinet | 1 Fortimail | 2024-02-28 | N/A | 8.8 HIGH |
An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.5 and below 6.4.7 allows an authenticated attacker to log in to other users' accounts from the same web domain via crafted HTTP or HTTPS requests. | |||||
CVE-2023-4814 | 1 Trellix | 1 Data Loss Prevention | 2024-02-28 | N/A | 7.1 HIGH |
A privilege escalation vulnerability exists in Trellix DLP endpoint for Windows which can be abused to delete any file or folder for which the user does not have permission. | |||||
CVE-2023-30429 | 1 Apache | 1 Pulsar | 2024-02-28 | N/A | 8.8 HIGH |
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role. The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.4. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.1. 3.0 Pulsar Function Worker users are unaffected. Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions. | |||||
CVE-2023-3613 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 3.5 LOW |
Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels, allowing guest accounts to be added or invited to channels by default. | |||||
CVE-2023-3582 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 4.3 MEDIUM |
Mattermost fails to verify channel membership when linking a board to a channel, allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to. | |||||
CVE-2023-39965 | 1 Fit2cloud | 1 1panel | 2024-02-28 | N/A | 4.3 MEDIUM |
1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, authenticated attackers can download arbitrary files through the API interface. This code lacks an authorization check, so attackers can freely download file content on the target system, which may cause a large amount of information leakage. Version 1.5.0 has a patch for this issue. | |||||
CVE-2023-4853 | 2 Quarkus, Redhat | 13 Quarkus, Build Of Optaplanner, Build Of Quarkus and 10 more | 2024-02-28 | N/A | 8.1 HIGH |
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. |