Total
1418 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-24189 | 1 Sz-fujia | 1 Ourphoto | 2024-02-28 | N/A | 6.5 MEDIUM |
The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other users unique identifiers and enumerate information of all other end-users. | |||||
CVE-2023-22480 | 1 Fit2cloud | 1 Kubeoperator | 2024-02-28 | N/A | 9.8 CRITICAL |
KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4. | |||||
CVE-2022-23741 | 1 Github | 1 Enterprise Server | 2024-02-28 | N/A | 7.2 HIGH |
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
CVE-2023-0952 | 1 Devolutions | 1 Devolutions Server | 2024-02-28 | N/A | 6.5 MEDIUM |
Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sensitive data without proper authorization. | |||||
CVE-2023-23064 | 1 Totolink | 2 A720r, A720r Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
TOTOLINK A720R V4.1.5cu.532_ B20210610 is vulnerable to Incorrect Access Control. | |||||
CVE-2022-4315 | 1 Gitlab | 1 Dynamic Application Security Testing Analyzer | 2024-02-28 | N/A | 6.5 MEDIUM |
An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 2.0 before 3.0.55, which sends custom request headers with every request on the authentication page. | |||||
CVE-2023-27899 | 1 Jenkins | 1 Jenkins | 2024-02-28 | N/A | 7.0 HIGH |
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution. | |||||
CVE-2023-21424 | 1 Samsung | 1 Android | 2024-02-28 | N/A | 3.3 LOW |
Improper Handling of Insufficient Permissions or Privileges vulnerability in SemChameleonHelper prior to SMR Jan-2023 Release 1 allows attacker to modify network related values, network code, carrier id and operator brand. | |||||
CVE-2022-45956 | 1 Boa | 1 Boa | 2024-02-28 | N/A | 5.3 MEDIUM |
Boa Web Server versions 0.94.13 through 0.94.14 fail to validate the correct security constraint on the HEAD HTTP method allowing everyone to bypass the Basic Authorization mechanism. | |||||
CVE-2023-21719 | 1 Microsoft | 1 Edge Chromium | 2024-02-28 | N/A | 6.5 MEDIUM |
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | |||||
CVE-2020-36610 | 1 Duxcms Project | 1 Duxcms | 2024-02-28 | N/A | 8.0 HIGH |
A vulnerability was found in annyshow DuxCMS 2.1. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-215116. | |||||
CVE-2022-3883 | 1 Stopbadbots Project | 1 Stopbadbots | 2024-02-28 | N/A | 6.5 MEDIUM |
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 7.24 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org | |||||
CVE-2023-0091 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-02-28 | N/A | 3.8 LOW |
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information. | |||||
CVE-2022-45353 | 1 Muffingroup | 1 Betheme | 2024-02-28 | N/A | 8.1 HIGH |
Broken Access Control in Betheme theme <= 26.6.1 on WordPress. | |||||
CVE-2021-45466 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | N/A | 9.8 CRITICAL |
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder. | |||||
CVE-2023-22945 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-28 | N/A | 4.3 MEDIUM |
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties. | |||||
CVE-2023-24829 | 1 Apache | 1 Iotdb | 2024-02-28 | N/A | 8.8 HIGH |
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards. | |||||
CVE-2022-46160 | 1 Enalean | 1 Tuleap | 2024-02-28 | N/A | 4.3 MEDIUM |
Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.104, project level authorizations are not properly verified when accessing the project "homepage"/dashboards. Users not authorized to access a project may still be able to get some information provided by the widgets (e.g. number of members, content of the Notes widget...). This issue has been patched in Tuleap Community Edition 14.2.99.104, Tuleap Enterprise Edition 14.2-4, and Tuleap Enterprise Edition 14.1-5. | |||||
CVE-2022-45435 | 1 Sailpoint | 1 Identityiq | 2024-02-28 | N/A | 6.5 MEDIUM |
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration. | |||||
CVE-2022-44039 | 1 Franklinfueling | 1 Colibri Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
Franklin Fueling System FFS Colibri 1.9.22.8925 is affected by: File system overwrite. The impact is: File system rewrite (remote). ¶¶ An attacker can overwrite system files like [system.conf] and [passwd], this occurs because the insecure usage of "fopen" system function with the mode "wb" which allows overwriting file if exists. Overwriting files such as passwd, allows an attacker to escalate his privileges by planting backdoor user with root privilege or change root password. |