Total
28982 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-34958 | 1 Chamilo | 1 Chamilo Lms | 2024-02-28 | N/A | 4.3 MEDIUM |
Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID. | |||||
CVE-2023-36664 | 3 Artifex, Debian, Fedoraproject | 3 Ghostscript, Debian Linux, Fedora | 2024-02-28 | N/A | 7.8 HIGH |
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). | |||||
CVE-2023-33947 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-02-28 | N/A | 4.3 MEDIUM |
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition. | |||||
CVE-2023-1695 | 1 Huawei | 2 Emui, Harmonyos | 2024-02-28 | N/A | 7.5 HIGH |
Vulnerability of failures to capture exceptions in the communication framework. Successful exploitation of this vulnerability may cause features to perform abnormally. | |||||
CVE-2023-28472 | 1 Concretecms | 1 Concrete Cms | 2024-02-28 | N/A | 5.3 MEDIUM |
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 do not have the Secure and HttpOnly attributes set for ccmPoll cookies. | |||||
CVE-2023-20199 | 1 Cisco | 1 Duo | 2024-02-28 | N/A | 6.6 MEDIUM |
A vulnerability in Cisco Duo Two-Factor Authentication for macOS could allow an authenticated, physical attacker to bypass secondary authentication and access an affected macOS device. This vulnerability is due to the incorrect handling of responses from Cisco Duo when the application is configured to fail open. An attacker with primary user credentials could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the affected device without valid permission. | |||||
CVE-2022-25275 | 1 Drupal | 1 Drupal | 2024-02-28 | N/A | 7.5 HIGH |
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating. | |||||
CVE-2023-34671 | 1 Elenos | 2 Etg150 Fm, Etg150 Fm Firmware | 2024-02-28 | N/A | 8.8 HIGH |
Improper Access Control leads to privilege escalation affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user's role in the user profile. An attack could occur over the public Internet in some cases. | |||||
CVE-2023-34163 | 1 Huawei | 1 Emui | 2024-02-28 | N/A | 7.5 HIGH |
Permission control vulnerability in the window management module. Successful exploitation of this vulnerability may cause features to perform abnormally. | |||||
CVE-2023-29459 | 1 Redbull | 1 Fc Red Bull Salzburg | 2024-02-28 | N/A | 6.1 MEDIUM |
The laola.redbull application through 5.1.9-R for Android exposes the exported activity at.redbullsalzburg.android.AppMode.Default.Splash.SplashActivity, which accepts a data: URI. The target of this URI is subsequently loaded into the application's webview, thus allowing the loading of arbitrary content into the context of the application. This can occur via the fcrbs schema or an explicit intent invocation. | |||||
CVE-2023-29931 | 1 Laravels Project | 1 Laravels | 2024-02-28 | N/A | 9.8 CRITICAL |
laravel-s 3.7.35 is vulnerable to Local File Inclusion via /src/Illuminate/Laravel.php. | |||||
CVE-2023-21486 | 1 Samsung | 1 Android | 2024-02-28 | N/A | 4.6 MEDIUM |
Improper export of android application components vulnerability in ImagePreviewActivity in Call Settings to SMR May-2023 Release 1 allows physical attackers to access some media data stored in sandbox. | |||||
CVE-2023-22633 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2024-02-28 | N/A | 7.5 HIGH |
An improper permissions, privileges, and access controls vulnerability [CWE-264] in FortiNAC-F 7.2.0, FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.0 all versions, 8.7.0 all versions may allow an unauthenticated attacker to perform a DoS attack on the device via client-secure renegotiation. | |||||
CVE-2022-40207 | 1 Intel | 1 System Usage Report | 2024-02-28 | N/A | 7.8 HIGH |
Improper access control in the Intel(R) SUR software before version 2.4.8989 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
CVE-2023-21103 | 1 Google | 1 Android | 2024-02-28 | N/A | 5.5 MEDIUM |
In registerPhoneAccount of PhoneAccountRegistrar.java, uncaught exceptions in parsing persisted user data could lead to local persistent denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-12 Android-12L Android-13. Android ID: A-259064622 | |||||
CVE-2023-27094 | 1 Opengoofy | 1 Hippo4j | 2024-02-28 | N/A | 8.8 HIGH |
An issue found in OpenGoofy Hippo4j v.1.4.3 allows attackers to escalate privileges via the ThreadPoolController of the tenant Management module. | |||||
CVE-2023-1031 | 1 Monicahq | 1 Monica | 2024-02-28 | N/A | 8.8 HIGH |
MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `settings` endpoint and first_name parameter. | |||||
CVE-2023-33946 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-02-28 | N/A | 4.3 MEDIUM |
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page. | |||||
CVE-2023-21105 | 1 Google | 1 Android | 2024-02-28 | N/A | 5.5 MEDIUM |
In multiple functions of ChooserActivity.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-12 Android-12L Android-13. Android ID: A-261036568 | |||||
CVE-2022-20467 | 1 Google | 1 Android | 2024-02-28 | N/A | 5.5 MEDIUM |
In isBluetoothShareUri of BluetoothOppUtility.java, there is a possible incorrect file read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-11 Android-12 Android-12L Android-13. Android ID: A-225880741 |