Total
1418 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-20950 | 1 Google | 1 Android | 2024-02-28 | N/A | 7.8 HIGH |
| In AlarmManagerActivity of AlarmManagerActivity.java, there is a possible way to bypass background activity launch restrictions via a pendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-195756028 | |||||
| CVE-2023-22620 | 1 Securepoint | 1 Unified Threat Management | 2024-02-28 | N/A | 7.5 HIGH |
| An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface. | |||||
| CVE-2022-43465 | 1 Intel | 1 Setup And Configuration Software | 2024-02-28 | N/A | 5.5 MEDIUM |
| Improper authorization in the Intel(R) SCS software all versions may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2023-25415 | 1 Aten | 2 Pe8108, Pe8108 Firmware | 2024-02-28 | N/A | 5.3 MEDIUM |
| Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Event Notification configuration. | |||||
| CVE-2023-32060 | 1 Dhis2 | 1 Dhis 2 | 2024-02-28 | N/A | 6.5 MEDIUM |
| DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.35 branch and prior to versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0, when the Category Option Combination Sharing settings are configured to control access to specific tracker program events or program stages, the `/trackedEntityInstances` and `/events` API endpoints may include all events regardless of the sharing settings applied to the category option combinations. When this specific configuration is present, users may have access to events which they should not be able to see based on the sharing settings of the category options. The events will not appear in the user interface for web-based Tracker Capture or Capture applications, but if the Android Capture App is used they will be displayed to the user. Versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0 contain a fix for this issue. No workaround is known. | |||||
| CVE-2023-25017 | 1 Rifartek | 1 Iot Wall | 2024-02-28 | N/A | 8.1 HIGH |
| RIFARTEK IOT Wall has a vulnerability of incorrect authorization. An authenticated remote attacker with general user privilege is allowed to perform specific privileged function to access and modify all sensitive data. | |||||
| CVE-2023-26258 | 1 Arcserve | 1 Udp | 2024-02-28 | N/A | 9.8 CRITICAL |
| Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator. | |||||
| CVE-2023-22251 | 1 Adobe | 2 Commerce, Magento Open Source | 2024-02-28 | N/A | 4.3 MEDIUM |
| Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure. | |||||
| CVE-2023-35939 | 1 Glpi-project | 1 Glpi | 2024-02-28 | N/A | 8.1 HIGH |
| GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue. | |||||
| CVE-2023-1158 | 1 Hitachi | 2 Vantara Pentaho, Vantara Pentaho Business Analytics Server | 2024-02-28 | N/A | 4.3 MEDIUM |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list. | |||||
| CVE-2021-46891 | 1 Huawei | 2 Emui, Harmonyos | 2024-02-28 | N/A | 9.8 CRITICAL |
| Vulnerability of incomplete read and write permission verification in the GPU module. Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability. | |||||
| CVE-2023-2257 | 3 Apple, Devolutions, Microsoft | 3 Macos, Workspace, Windows | 2024-02-28 | N/A | 7.8 HIGH |
| Authentication Bypass in Hub Business integration in Devolutions Workspace Desktop 2023.1.1.3 and earlier on Windows and macOS allows an attacker with access to the user interface to unlock a Hub Business space without being prompted to enter the password via an unimplemented "Force Login" security feature. This vulnerability occurs only if "Force Login" feature is enabled on the Hub Business instance and that an attacker has access to a locked Workspace desktop application configured with a Hub Business space. | |||||
| CVE-2023-1603 | 1 Devolutions | 1 Devolutions Server | 2024-02-28 | N/A | 6.5 MEDIUM |
| Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via id collision. | |||||
| CVE-2020-17354 | 1 Lilypond | 1 Lilypond | 2024-02-28 | N/A | 8.6 HIGH |
| LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used. | |||||
| CVE-2023-27107 | 1 Myq-solution | 2 Central Server, Print Server | 2024-02-28 | N/A | 8.8 HIGH |
| Incorrect access control in the runReport function of MyQ Solution Print Server before 8.2 Patch 32 and Central Server before 8.2 Patch 22 allows users who do not have appropriate access rights to generate internal reports using a direct URL. | |||||
| CVE-2023-1979 | 1 Google | 1 Web Stories | 2024-02-28 | N/A | 6.5 MEDIUM |
| The Web Stories for WordPress plugin supports the WordPress built-in functionality of protecting content with a password. The content is then only accessible to website visitors after entering the password. In WordPress, users with the "Author" role can create stories, but don't have the ability to edit password protected stories. The vulnerability allowed users with said role to bypass this permission check when trying to duplicate the protected story in the plugin's own dashboard, giving them access to the seemingly protected content. We recommend upgrading to version 1.32 or beyond commit ad49781c2a35c5c92ef704d4b621ab4e5cb77d68 https://github.com/GoogleForCreators/web-stories-wp/commit/ad49781c2a35c5c92ef704d4b621ab4e5cb77d68 | |||||
| CVE-2023-26818 | 1 Telegram | 1 Telegram | 2024-02-28 | N/A | 5.5 MEDIUM |
| Telegram 9.3.1 and 9.4.0 allows attackers to access restricted files, microphone ,or video recording via the DYLD_INSERT_LIBRARIES flag. | |||||
| CVE-2023-31138 | 1 Dhis2 | 1 Dhis 2 | 2024-02-28 | N/A | 6.5 MEDIUM |
| DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. DHIS2 implementers should upgrade to a supported version of DHIS2 to receive a patch: 2.37.9.1, 2.38.3.1, or 2.39.1.2. It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests. | |||||
| CVE-2022-46307 | 1 Sguda | 2 U-lock, U-lock Firmware | 2024-02-28 | N/A | 8.8 HIGH |
| SGUDA U-Lock central lock control service’s lock management function has incorrect authorization. A remote attacker with general privilege can exploit this vulnerability to call privileged APIs to acquire information, manipulate or disrupt the functionality of arbitrary electronic locks. | |||||
| CVE-2023-27578 | 1 Galaxyproject | 1 Galaxy | 2024-02-28 | N/A | 7.5 HIGH |
| Galaxy is an open-source platform for data analysis. All supported versions of Galaxy are affected prior to 22.01, 22.05, and 23.0 are affected by an insufficient permission check. Unsupported versions are likely affected as far back as the functionality of Visualizations/Pages exists. Due to this issue, an attacker can modify or delete any Galaxy Visualization or Galaxy Page given they know the encoded ID of it. Additionally, they can copy or import any Galaxy Visualization given they know the encoded ID of it. Patches are available for versions 22.01, 22.05, and 23.0. For the changes to take effect, you must restart all Galaxy server processes. There are no supported workarounds. | |||||