Total: 1418 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-31597 | 1 Zammad | 1 Zammad | 2024-02-28 | N/A | 6.5 MEDIUM |
An issue in Zammad v5.4.0 allows attackers to bypass e-mail verification using an arbitrary address and manipulate the data of the generated user. Attackers are also able to gain unauthorized access to existing tickets. | |||||
CVE-2023-3114 | 1 Hashicorp | 1 Terraform Enterprise | 2024-02-28 | N/A | 7.7 HIGH |
Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1. | |||||
CVE-2023-28611 | 1 Omicronenergy | 2 Stationguard, Stationscout | 2024-02-28 | N/A | 9.8 CRITICAL |
Incorrect authorization in OMICRON StationGuard 1.10 through 2.20 and StationScout 1.30 through 2.20 allows an attacker to bypass intended access restrictions. | |||||
CVE-2023-28698 | 1 Wddgroup | 1 Fantsy | 2024-02-28 | N/A | 9.8 CRITICAL |
Wade Graphic Design FANTSY has an insufficient authorization check vulnerability. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operations or disrupt service. | |||||
CVE-2023-34965 | 1 Sspanel-uim Project | 1 Sspanel-uim | 2024-02-28 | N/A | 5.3 MEDIUM |
SSPanel-Uim 2023.3 does not restrict access to the /link/ interface which can lead to a leak of user information. | |||||
CVE-2023-21035 | 1 Google | 1 Android | 2024-02-28 | N/A | 7.8 HIGH |
In multiple functions of BackupHelper.java, there is a possible way for an app to get permissions previously granted to another app with the same package name due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-184847040. | |||||
CVE-2022-25274 | 1 Drupal | 1 Drupal | 2024-02-28 | N/A | 5.4 MEDIUM |
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system. | |||||
CVE-2023-25923 | 1 Ibm | 1 Security Key Lifecycle Manager | 2024-02-28 | N/A | 7.5 HIGH |
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an attacker to upload files that could be used in a denial of service attack due to incorrect authorization. IBM X-Force ID: 247629. | |||||
CVE-2023-3033 | 1 Mobatime | 1 Mobatime Web Application | 2024-02-28 | N/A | 8.8 HIGH |
Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mobatime web application through 06.7.22. | |||||
CVE-2023-31226 | 1 Huawei | 1 Emui | 2024-02-28 | N/A | 7.5 HIGH |
The SDK for the MediaPlaybackController module has improper permission verification. Successful exploitation of this vulnerability may affect confidentiality. | |||||
CVE-2023-30467 | 1 Milesight | 40 Ms-n1004-uc, Ms-n1004-uc Firmware, Ms-n1004-upc and 37 more | 2024-02-28 | N/A | 9.8 CRITICAL |
This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to improper authorization at the Milesight NVR web-based management interface. A remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the targeted device. Successful exploitation of this vulnerability could allow a remote attacker to perform unauthorized activities on the targeted device. | |||||
CVE-2023-31435 | 1 Evasys | 1 Evasys | 2024-02-28 | N/A | 8.1 HIGH |
Multiple components (such as Onlinetemplate-Verwaltung, Liste aller Teilbereiche, Umfragen anzeigen, and questionnaire previews) in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allow authenticated attackers to read and write to unauthorized data by accessing functions directly. | |||||
CVE-2023-2782 | 1 Acronis | 1 Cyber Infrastructure | 2024-02-28 | N/A | 5.5 MEDIUM |
Sensitive information disclosure due to improper authorization. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.3.1-38. | |||||
CVE-2023-25594 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2024-02-28 | N/A | 8.8 HIGH |
A vulnerability in the web-based management interface of ClearPass Policy Manager allows an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of this vulnerability allows an attacker to complete state-changing actions in the web-based management interface that should not be allowed by their current level of authorization on the platform. | |||||
CVE-2023-30955 | 1 Palantir | 1 Foundry Workspace-server | 2024-02-28 | N/A | 5.4 MEDIUM |
A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This enabled users with insufficient privilege the ability to view and interact with Developer Mode settings in a limited capacity. A fix was deployed with workspace-server 7.7.0. | |||||
CVE-2023-30771 | 1 Apache | 1 Iotdb Web Workbench | 2024-02-28 | N/A | 9.8 CRITICAL |
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB. This issue affects the iotdb-web-workbench component in 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console for the database. This problem is fixed from version 0.13.4 of iotdb-web-workbench onwards. | |||||
CVE-2023-34161 | 1 Huawei | 1 Emui | 2024-02-28 | N/A | 7.5 HIGH |
Inappropriate authorization vulnerability in the SettingsProvider module. Successful exploitation of this vulnerability may cause features to perform abnormally. | |||||
CVE-2022-46308 | 1 Sguda | 2 U-lock, U-lock Firmware | 2024-02-28 | N/A | 8.8 HIGH |
SGUDA U-Lock central lock control service’s user management function has incorrect authorization. A remote attacker with general user privilege can exploit this vulnerability to call privileged APIs to access, modify and delete user information. | |||||
CVE-2023-33190 | 1 Sealos Project | 1 Sealos | 2024-02-28 | N/A | 9.8 CRITICAL |
Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.1-rc4 an improper configuration of role based access control (RBAC) permissions resulted in an attacker being able to obtain cluster control permissions, which could control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster. This issue has been addressed in version 4.2.1-rc4. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2023-29296 | 1 Adobe | 2 Commerce, Magento | 2024-02-28 | N/A | 4.3 MEDIUM |
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction. |