Total: 1418 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-34106 | 1 Glpi-project | 1 Glpi | 2024-02-28 | N/A | 6.5 MEDIUM | GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch. |
CVE-2023-28175 | 1 Bosch | 16 Divar Ip 3000, Divar Ip 3000 Firmware, Divar Ip 4000 and 13 more | 2024-02-28 | N/A | 7.7 HIGH | Improper Authorization in SSH server in Bosch VMS 11.0, 11.1.0, and 11.1.1 allows a remote authenticated user to access resources within the trusted internal network via a port forwarding request. |
CVE-2022-43770 | 1 Hitachivantara | 1 Pentaho Business Analytics | 2024-02-28 | N/A | 8.1 HIGH | Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 do not correctly perform an authorization check in the dashboard editor plugin API. |
CVE-2022-27642 | 1 Netgear | 66 Cax80, Cax80 Firmware, Lax20 and 63 more | 2024-02-28 | N/A | 8.8 HIGH | This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-15854. |
CVE-2023-31141 | 1 Amazon | 2 Opensearch, Opensearch Security | 2024-02-28 | N/A | 5.9 MEDIUM | OpenSearch is an open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions, potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue. |
CVE-2023-30544 | 1 Kiwitcms | 1 Kiwi Tcms | 2024-02-28 | N/A | 4.3 MEDIUM | Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. Operators of Kiwi TCMS should upgrade to v12.2 or later to receive a patch. No known workarounds exist. |
CVE-2022-40682 | 1 Fortinet | 1 Forticlient | 2024-02-28 | N/A | 7.8 HIGH | An incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe. |
CVE-2023-26829 | 1 Gladinet | 1 Centrestack | 2024-02-28 | N/A | 9.8 CRITICAL | An authentication bypass vulnerability in the Password Reset component of Gladinet CentreStack before 13.5.9808 allows remote attackers to set a new password for any valid user account, without needing the previous known password, resulting in a full authentication bypass. |
CVE-2023-23594 | 1 Sato-global | 2 Cl4nx Plus, Cl4nx Plus Firmware | 2024-02-28 | N/A | 9.8 CRITICAL | An authentication bypass vulnerability in the web client interface for the CL4NX printer before firmware version 1.13.3-u724_r2 provides remote unauthenticated attackers with access to execute commands intended only for valid/authenticated users, such as file uploads and configuration changes. |
CVE-2022-41610 | 1 Intel | 2 Endpoint Management Assistant Configuration Tool, Manageability Commander | 2024-02-28 | N/A | 5.5 MEDIUM | Improper authorization in Intel(R) EMA Configuration Tool before version 1.0.4 and Intel(R) MC before version 2.4 software may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2023-26097 | 1 Telindus | 1 Apsal | 2024-02-28 | N/A | 5.5 MEDIUM | An issue was discovered in Telindus Apsal 3.14.2022.235 b. Unauthorized actions that could modify the application behaviour may not be blocked. |
CVE-2023-28352 | 2 Faronics, Microsoft | 2 Insight, Windows | 2024-02-28 | N/A | 7.4 HIGH | An issue was discovered in Faronics Insight 10.0.19045 on Windows. By abusing the Insight UDP broadcast discovery system, an attacker-controlled artificial Student Console can connect to and attack a Teacher Console even after Enhanced Security Mode has been enabled. |
CVE-2023-1202 | 1 Devolutions | 1 Remote Desktop Manager | 2024-02-28 | N/A | 6.5 MEDIUM | Permission bypass when importing or synchronizing entries in User vault in Devolutions Remote Desktop Manager 2023.1.9 and prior versions allows users with restricted rights to bypass entry permission via id collision. |
CVE-2023-34219 | 1 Jetbrains | 1 Teamcity | 2024-02-28 | N/A | 4.3 MEDIUM | In JetBrains TeamCity before 2023.05, improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via the REST API. |
CVE-2023-28634 | 1 Glpi-project | 1 Glpi | 2024-02-28 | N/A | 8.8 HIGH | GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such a token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue. |
CVE-2023-24512 | 1 Arista | 110 32qd, 48ehs, 48lbas and 107 more | 2024-02-28 | N/A | 6.5 MEDIUM | On affected platforms running Arista EOS, an authorized attacker with permissions to perform gNMI requests could craft a request allowing it to update arbitrary configurations in the switch. This situation occurs only when the Streaming Telemetry Agent (referred to as the TerminAttr agent) is enabled and gNMI access is configured on the agent. Note: This gNMI over the Streaming Telemetry Agent scenario is most commonly used when streaming to a 3rd party system and is not used by default when streaming to CloudVision. |
CVE-2020-36710 | 1 Wpserveur | 1 Wps Hide Login | 2024-02-28 | N/A | 7.5 HIGH | The WPS Hide Login plugin for WordPress is vulnerable to login page disclosure even when the settings of the plugin are set to hide the login page, making it possible for unauthenticated attackers to brute force credentials on sites in versions up to, and including, 1.5.4.2. |
CVE-2023-0971 | 1 Silabs | 1 Z/ip Gateway Sdk | 2024-02-28 | N/A | 8.8 HIGH | A logic error in SiLabs Z/IP Gateway SDK 7.18.02 and earlier allows authentication to be bypassed, remote administration of Z-Wave controllers, and S0/S2 encryption keys to be recovered. |
CVE-2023-32061 | 1 Discourse | 1 Discourse | 2024-02-28 | N/A | 5.3 MEDIUM | Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, the lack of restrictions on the iFrame tag makes it easy for an attacker to exploit the vulnerability and hide subsequent comments from other users. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. There are no known workarounds. |
CVE-2023-32749 | 1 Pydio | 1 Cells | 2024-02-28 | N/A | 8.8 HIGH | Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted. |