Total: 508 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2022-31131 | 1 Nextcloud | 1 Nextcloud Mail | 2023-06-29 | 4.3 Medium | Nextcloud Mail is a mail app for the Nextcloud home server product. Versions of Nextcloud Mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments, so attachments may have been exposed to the wrong users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. No workaround is available. References: [Pull request](https://github.com/nextcloud/mail/pull/6600), [HackerOne](https://hackerone.com/reports/1579820). For questions or comments about this advisory, create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions); customers can open a support ticket at [support.nextcloud.com](https://support.nextcloud.com). |
CVE-2022-1810 | 1 Publify Project | 1 Publify | 2023-06-29 | 4.3 Medium | Authorization Bypass Through User-Controlled Key in GitHub repository publify/publify prior to 9.2.9. |
CVE-2022-22190 | 1 Juniper | 1 Paragon Active Assurance Control Center | 2023-06-27 | 7.5 High | An Improper Access Control vulnerability in the Juniper Networks Paragon Active Assurance Control Center allows an unauthenticated attacker to leverage a crafted URL to generate PDF reports, potentially containing sensitive configuration information. A feature introduced in version 3.1 of the Paragon Active Assurance Control Center allows users to selectively share account data using a unique identifier. Knowing the proper format of the URL and the identifier of an existing object in an application, it is possible to access that object without being logged in, even if the object is not shared, resulting in the opportunity for malicious exfiltration of user data. Note that the Paragon Active Assurance Control Center SaaS offering is not affected by this issue. This issue affects Juniper Networks Paragon Active Assurance version 3.1.0. |
CVE-2022-2312 | 1 Student Result Or Employee Database Project | 1 Student Result Or Employee Database | 2023-06-27 | 5.4 Medium | The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF checks in its AJAX actions, allowing attackers to make a logged-in user with a role as low as contributor add, edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting. |
CVE-2022-0732 | 1 1byte | 9 Copy9, Exactspy, Fonetracker and 6 more | 2023-06-27 | 7.5 High | The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. |
CVE-2023-2844 | 1 Fit2cloud | 1 Cloudexplorer Lite | 2023-06-27 | 4.9 Medium | Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. |
CVE-2022-4686 | 1 Usememos | 1 Memos | 2023-06-27 | 9.8 Critical | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0. |
CVE-2023-34000 | 1 Woocommerce | 1 Stripe Payment Gateway | 2023-06-21 | 7.5 High | Unauthenticated IDOR vulnerability leading to PII disclosure in the WooCommerce Stripe Payment Gateway plugin, versions <= 7.4.0. |
CVE-2021-33223 | 1 Seeddms | 1 Seeddms | 2023-06-15 | 8.8 High | An issue discovered in SeedDMS 6.0.15 allows an attacker to escalate privileges via the userid and role parameters in the out.UsrMgr.php file. |
CVE-2023-0985 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2023-06-15 | 8.8 High | An Authorization Bypass vulnerability was found in MB Connect Line's mbCONNECT24, mymbCONNECT24 and Helmholz's myREX24 and myREX24.virtual, version <= 2.13.3. An authenticated remote user with low privileges can change the password of any user in the same account. This allows taking over the admin user and therefore fully compromising the account. |
CVE-2023-3066 | 1 Mobatime | 1 Amxgt 100 | 2023-06-14 | 8.1 High | Incorrect Authorization vulnerability in the Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administrators. This issue affects Mobatime mobile application AMXGT100: through 1.3.20. |
CVE-2023-33956 | 1 Kanboard | 1 Kanboard | 2023-06-12 | 6.5 Medium | Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to an insecure direct object reference (IDOR) vulnerability in the application's URL parameter. It enables any user to read files uploaded by any other user, regardless of their privileges or restrictions: by changing the file_id, any user can render every file with an image MIME type uploaded under /files, regardless of who uploaded it. By manipulating the URL parameter, an attacker can access sensitive files that should only be available to authorized users, including confidential documents or any other type of file stored within the application. This can lead to unauthorized disclosure of sensitive information, privacy breaches, intellectual property theft or exposure of trade secrets, with possible legal and regulatory implications, reputation damage, financial losses and loss of user trust. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
CVE-2023-32310 | 1 Dataease | 1 Dataease | 2023-06-09 | 8.1 High | DataEase is an open source data visualization and analysis tool. The DataEase API interfaces for deleting dashboards and deleting system messages are vulnerable to insecure direct object references (IDOR). This could result in a user deleting another user's dashboard or messages, or interfering with the interface for marking messages as read. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. |
CVE-2023-28656 | 1 F5 | 3 Nginx Api Connectivity Manager, Nginx Instance Manager, Nginx Security Monitoring | 2023-06-09 | 8.1 High | NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: software versions which have reached End of Technical Support (EoTS) are not evaluated. |
CVE-2022-36247 | 1 Shopbeat | 1 Shop Beat Media Player | 2023-06-02 | 9.1 Critical | Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to IDOR via controlpanel.shopbeat.co.za. |
CVE-2023-2065 | 1 Armoli | 1 Cargo Tracking System | 2023-06-01 | 8.8 High | Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication Abuse and Authentication Bypass. This issue affects Cargo Tracking System: before 3558f28. |
CVE-2023-2883 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2023-05-31 | 8.8 High | Authorization Bypass Through User-Controlled Key vulnerability in CBOT Chatbot allows Authentication Abuse and Authentication Bypass. This issue affects Chatbot: before Core v4.0.3.4 and Panel v4.0.3.7. |
CVE-2023-2702 | 1 Finexmedia | 1 Competition Management System | 2023-05-30 | 8.8 High | Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse and Authentication Bypass. This issue affects Competition Management System: before 23.07. |
CVE-2023-31182 | 1 Easytor | 1 Easytor | 2023-05-17 | 9.8 Critical | EasyTor Applications: Authorization Bypass. EasyTor Applications may allow authorization bypass via an unspecified method. |
CVE-2019-18998 | 1 Hitachienergy | 1 Asset Suite | 2023-05-16 | 7.1 High | Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource's URL can access the resource directly. |
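Most entries above share one root cause (CWE-639): a record is fetched by an id the client supplies, and the lookup never asks whether the caller owns it. The Kanboard entry (CVE-2023-33956, changing `file_id` to read other users' uploads) and the Nextcloud Mail entry (CVE-2022-31131, missing ownership checks on attachments) describe exactly that. The following is an added example written for this page; it is not code from Kanboard, Nextcloud or any other project listed, and the table name, column names, user ids and file contents are constructed for illustration. It shows the vulnerable lookup beside the ownership-scoped one, and a small probe that enumerates ids across users to confirm no cross-user reads remain.

```python
"""Added example (not code from Kanboard, Nextcloud Mail or any project above).

Shows the CWE-639 pattern behind CVE-2023-33956 / CVE-2022-31131: a file lookup
keyed only on a user-controlled id, beside a lookup scoped to the requesting
account, plus a probe that enumerates (user, id) pairs to verify the fix.
Table, columns, user ids and file contents are assumptions made up inline.
"""
import sqlite3
from typing import Optional


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each owning one uploaded file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner_id INTEGER, "
        "name TEXT, mime TEXT, content BLOB)"
    )
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?, ?, ?)",
        [
            (1, 10, "alice-passport.png", "image/png", b"ALICE-PNG"),
            (2, 20, "bob-contract.pdf", "application/pdf", b"BOB-PDF"),
        ],
    )
    return conn


def get_file_vulnerable(conn, user_id: int, file_id: int) -> Optional[bytes]:
    """Vulnerable: the query is keyed only on the user-controlled file_id.
    user_id is accepted but never consulted, so any authenticated user can
    read any file simply by changing file_id in the URL."""
    row = conn.execute("SELECT content FROM files WHERE id = ?", (file_id,)).fetchone()
    return row[0] if row else None


def get_file_fixed(conn, user_id: int, file_id: int) -> Optional[bytes]:
    """Hardened: ownership is part of the lookup itself, so a file that exists
    but belongs to someone else looks the same as a missing file (no
    403-vs-404 oracle that would let an attacker enumerate valid ids)."""
    row = conn.execute(
        "SELECT content FROM files WHERE id = ? AND owner_id = ?",
        (file_id, user_id),
    ).fetchone()
    return row[0] if row else None


def idor_probe(conn, handler, users, id_range):
    """Call handler for every (user, id) pair and report reads that return
    data the user does not own. Returns a sorted list of (user_id, file_id)."""
    owners = {fid: owner for fid, owner in conn.execute("SELECT id, owner_id FROM files")}
    leaks = []
    for uid in users:
        for fid in id_range:
            if handler(conn, uid, fid) is not None and owners.get(fid) != uid:
                leaks.append((uid, fid))
    return sorted(leaks)


def run_probe():
    """Run the probe against both handlers; returns (leaks_before, leaks_after)."""
    conn = build_db()
    users, ids = (10, 20), range(1, 4)  # id 3 does not exist: exercises the miss path
    return (
        idor_probe(conn, get_file_vulnerable, users, ids),
        idor_probe(conn, get_file_fixed, users, ids),
    )


if __name__ == "__main__":
    before, after = run_probe()
    print("cross-user reads (vulnerable):", before)  # [(10, 2), (20, 1)]
    print("cross-user reads (fixed):     ", after)   # []
```

The fix is deliberately a change to the query rather than an `if owner != user: abort(403)` bolted on after the fetch: putting the ownership predicate in the lookup means every code path that reads the table inherits the check, and returning "not found" for foreign ids avoids confirming to an attacker which ids exist. The probe is the kind of regression test worth keeping beside any handler that takes an object id from the client.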