Total
1416 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-41964 | 1 Getkirby | 1 Kirby | 2024-09-06 | N/A | 8.1 HIGH |
| Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions. The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-39871 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-09-06 | N/A | 5.4 MEDIUM |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected applications do not properly separate the rights to edit device settings and to edit settings for communication relations. This could allow an authenticated attacker with the permission to manage devices to gain access to participant groups that the attacked does not belong to. | |||||
| CVE-2023-4194 | 4 Debian, Fedoraproject, Linux and 1 more | 4 Debian Linux, Fedora, Linux Kernel and 1 more | 2024-09-06 | N/A | 5.5 MEDIUM |
| A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"), - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"), pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that turns out to not be accurate. | |||||
| CVE-2024-7697 | 1 Transsion | 1 Carlcare | 2024-09-06 | N/A | 7.5 HIGH |
| Logical vulnerability in the mobile application (com.transsion.carlcare) may lead to user information leakage risks. | |||||
| CVE-2024-43250 | 1 Bitapps | 1 Bit Form | 2024-09-06 | N/A | 6.5 MEDIUM |
| Incorrect Authorization vulnerability in Bit Apps Bit Form Pro bitformpro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bit Form Pro: from n/a through 2.6.4. | |||||
| CVE-2023-21390 | 1 Google | 1 Android | 2024-09-05 | N/A | 7.8 HIGH |
| In Sim, there is a possible way to evade mobile preference restrictions due to a permission bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2024-34642 | 1 Samsung | 1 Android | 2024-09-05 | N/A | 4.6 MEDIUM |
| Improper authorization in One UI Home prior to SMR Sep-2024 Release 1 allows physical attackers to temporarily access sensitive information. | |||||
| CVE-2024-34650 | 1 Samsung | 1 Android | 2024-09-05 | N/A | 3.3 LOW |
| Incorrect authorization in CocktailbarService prior to SMR Sep-2024 Release 1 allows local attackers to access privileged APIs related to Edge panel. | |||||
| CVE-2024-34651 | 1 Samsung | 1 Android | 2024-09-05 | N/A | 5.5 MEDIUM |
| Improper authorization in My Files prior to SMR Sep-2024 Release 1 allows local attackers to access restricted data in My Files. | |||||
| CVE-2024-34652 | 1 Samsung | 1 Android | 2024-09-05 | N/A | 3.3 LOW |
| Incorrect authorization in kperfmon prior to SMR Sep-2024 Release 1 allows local attackers to access information related to performance including app usage. | |||||
| CVE-2024-38868 | 1 Zohocorp | 1 Manageengine Endpoint Central | 2024-09-04 | N/A | 8.3 HIGH |
| Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability while isolating the devices.This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15 | |||||
| CVE-2024-45509 | 1 Misp | 1 Misp | 2024-09-04 | N/A | 6.5 MEDIUM |
| In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin. | |||||
| CVE-2024-45588 | 1 Symphonyfintech | 2 Xts Mobile Trader, Xts Web Trader | 2024-09-04 | N/A | 8.1 HIGH |
| This vulnerability exists in Symphony XTS Web Trading platform version 2.0.0.1_P160 due to improper access controls on APIs in the Preference module of the application. An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to unauthorized access and modification of sensitive information belonging to other users. | |||||
| CVE-2024-45587 | 1 Symphonyfintech | 2 Xts Mobile Trader, Xts Web Trader | 2024-09-04 | N/A | 8.8 HIGH |
| This vulnerability exists in Symphony XTS Web Trading platform version 2.0.0.1_P160 due to improper access controls on APIs in the Transaction module of vulnerable application. An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to compromise of other user accounts. | |||||
| CVE-2024-45586 | 1 Symphonyfintech | 2 Xts Mobile Trader, Xts Web Trader | 2024-09-04 | N/A | 8.8 HIGH |
| This vulnerability exists due to improper access controls on APIs in the Authentication module of Symphony XTS Web Trading and Mobile Trading platforms (version 2.0.0.1_P160). An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to unauthorized account take over belonging to other users. | |||||
| CVE-2024-31970 | 1 Adtran | 2 834-5, Sdg Smartos | 2024-09-03 | N/A | 8.8 HIGH |
| AdTran SRG 834-5 HDC17600021F1 devices (with SmartOS 11.1.1.1 and fixed in Version 12.1.3.1) have SSH enabled by default, accessible both over the LAN and the Internet. During a window of time when the device is being set up, it uses a default username and password combination of admin/admin with root-level privileges. An attacker can exploit this window to gain unauthorized root access by either modifying the existing admin account or creating a new account with equivalent privileges. This vulnerability allows attackers to execute arbitrary commands. NOTE: The vendor has disputed this, finding the report not applicable. According to AdTran, SSH has never been accessible (from WAN) on SmartOS official builds. Furthermore, the vendor adds that test build 11.1.0.101-202106231430 was never released to end users. | |||||
| CVE-2024-42062 | 1 Apache | 1 Cloudstack | 2024-09-03 | N/A | 7.2 HIGH |
| CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated. | |||||
| CVE-2024-38869 | 1 Zohocorp | 3 Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus | 2024-08-30 | N/A | 5.4 MEDIUM |
| Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability in remote office deploy configurations.This issue affects Endpoint Central: before 11.3.2416.04 and before 11.3.2400.25. | |||||
| CVE-2024-43954 | 1 Themeum | 1 Droip | 2024-08-30 | N/A | 6.3 MEDIUM |
| Incorrect Authorization vulnerability in Themeum Droip allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Droip: from n/a through 1.1.1. | |||||
| CVE-2024-4146 | 1 Lunary | 1 Lunary | 2024-08-30 | N/A | 9.8 CRITICAL |
| In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the `account_project` table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information. | |||||