Total: 508 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2023-30216 | 1 Newbee-mall Project | 1 Newbee-mall | 2023-05-11 | 5.4 Medium | Insecure permissions in the updateUserInfo function of newbee-mall before commit 1f2c2dfy allows attackers to obtain user account information. |
| CVE-2023-30550 | 1 Metersphere | 1 Metersphere | 2023-05-10 | 4.5 Medium | MeterSphere is an open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing, and performance testing. This IDOR vulnerability allows the administrator of a project to modify other projects under the workspace. An attacker can obtain some operating permissions. The issue has been fixed in version 2.9.0. |
| CVE-2023-2260 | 1 Alf | 1 Alf | 2023-05-10 | 8.8 High | Authorization Bypass Through User-Controlled Key in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. |
| CVE-2023-1463 | 1 Teampass | 1 Teampass | 2023-04-26 | 5.4 Medium | Authorization Bypass Through User-Controlled Key in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. |
| CVE-2018-17449 | 1 Gitlab | 1 Gitlab | 2023-04-25 | 7.5 High | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Remote attackers could obtain sensitive information about issues, comments, and project titles via an events API insecure direct object reference. |
| CVE-2018-17455 | 1 Gitlab | 1 Gitlab | 2023-04-25 | 7.5 High | An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference to the "merge request approvals" feature. |
| CVE-2022-45175 | 1 Liveboxcloud | 1 Vdesk | 2023-04-19 | 6.5 Medium | An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Insecure Direct Object Reference can occur under the 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the file ID of a target file. |
| CVE-2023-24834 | 1 Wisdomgarden | 1 Tronclass Ilearn | 2023-04-18 | 6.5 Medium | WisdomGarden Tronclass has improper access control when uploading files. An authenticated remote attacker with general user privilege can exploit this vulnerability to access files belonging to other users by modifying the file ID within the URL. |
| CVE-2023-0967 | 1 Imaworldhealth | 1 Bhima | 2023-04-17 | 6.5 Medium | Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR: it does not properly validate user permissions with respect to certain actions the user can perform. |
| CVE-2023-26984 | 1 Peppermint | 1 Peppermint | 2023-04-05 | 8.1 High | An issue in the password reset function of Peppermint v0.2.4 allows attackers to access the emails and passwords of the Tickets page via a crafted request. |
| CVE-2023-24842 | 1 Hgiga | 1 Oaklouds Mailsherlock | 2023-03-30 | 5.3 Medium | HGiga MailSherlock has a vulnerability of insufficient access control. An unauthenticated remote user can exploit this vulnerability to access partial content of another user's mail by changing the user ID and mail ID within the URL. |
| CVE-2021-36400 | 1 Moodle | 1 Moodle | 2023-03-13 | 5.3 Medium | In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions. |
| CVE-2023-25403 | 1 Yf-exam Project | 1 Yf-exam | 2023-03-10 | 7.5 High | CleverStupidDog yf-exam v1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username format characters. For any user who logged in within 24 hours, a token can be forged with his username to bypass authentication. |
| CVE-2019-14246 | 1 Centos-webpanel | 1 Centos Web Panel | 2023-03-03 | 6.5 Medium | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account. |
| CVE-2019-14245 | 1 Centos-webpanel | 1 Centos Web Panel | 2023-03-03 | 6.5 Medium | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account. |
| CVE-2022-4812 | 1 Usememos | 1 Memos | 2023-03-02 | 6.5 Medium | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4806 | 1 Usememos | 1 Memos | 2023-03-02 | 5.3 Medium | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4803 | 1 Usememos | 1 Memos | 2023-03-02 | 8.8 High | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4799 | 1 Usememos | 1 Memos | 2023-03-02 | 6.5 Medium | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4802 | 1 Usememos | 1 Memos | 2023-03-02 | 5.4 Medium | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. |