Total
508 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-24401 | 1 Midnightblue | 1 Tetra\ | 2023-11-07 | 8.1 High |
| Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station, provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered. | ||||
| CVE-2022-24400 | 1 Midnightblue | 1 Tetra\ | 2023-11-07 | 5.9 Medium |
| A flaw in the TETRA authentication procecure allows a MITM adversary that can predict the MS challenge RAND2 to set session key DCK to zero. | ||||
| CVE-2022-21713 | 3 Fedoraproject, Grafana, Netapp | 3 Fedora, Grafana, E-series Performance Analyzer | 2023-11-07 | 4.3 Medium |
| Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue. | ||||
| CVE-2022-1996 | 2 Fedoraproject, Go-restful Project | 2 Fedora, Go-restful | 2023-11-07 | 9.1 Critical |
| Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0. | ||||
| CVE-2022-1245 | 1 Redhat | 1 Keycloak | 2023-11-07 | 9.8 Critical |
| A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services. | ||||
| CVE-2022-0613 | 2 Fedoraproject, Uri.js Project | 2 Fedora, Uri.js | 2023-11-07 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8. | ||||
| CVE-2021-4142 | 1 Candlepinproject | 1 Candlepin | 2023-11-07 | 5.5 Medium |
| The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin. | ||||
| CVE-2021-40579 | 1 Online Enrollment Management System Project | 1 Online Enrollment Management System | 2023-11-07 | 6.5 Medium |
| https://www.sourcecodester.com/ Online Enrollment Management System in PHP and PayPal Free Source Code 1.0 is affected by: Incorrect Access Control. The impact is: gain privileges (remote). | ||||
| CVE-2021-24562 | 1 Lifterlms | 1 Lifterlms | 2023-11-07 | 7.5 High |
| The LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.2 was affected by an IDOR issue, allowing students to see other student answers and grades | ||||
| CVE-2021-21022 | 1 Magento | 1 Magento | 2023-11-07 | 5.3 Medium |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources. | ||||
| CVE-2021-21012 | 1 Adobe | 2 Magento Commerce, Magento Open Source | 2023-11-07 | N/A |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure. | ||||
| CVE-2020-8154 | 1 Nextcloud | 1 Nextcloud Server | 2023-11-07 | 7.7 High |
| An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint. | ||||
| CVE-2020-26068 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2023-11-07 | 6.5 Medium |
| A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users. | ||||
| CVE-2020-13923 | 1 Apache | 1 Ofbiz | 2023-11-07 | 5.3 Medium |
| IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04 | ||||
| CVE-2020-10130 | 1 Searchblox | 1 Searchblox | 2023-11-07 | 8.8 High |
| SearchBlox before Version 9.1 is vulnerable to business logic bypass where the user is able to create multiple super admin users in the system. | ||||
| CVE-2019-16723 | 1 Cacti | 1 Cacti | 2023-11-07 | 4.3 Medium |
| In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. | ||||
| CVE-2023-46478 | 1 Minical | 1 Minical | 2023-11-06 | 8.8 High |
| An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter. | ||||
| CVE-2023-44154 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2023-10-26 | 8.1 High |
| Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979. | ||||
| CVE-2022-39018 | 1 M-files | 1 Hubshare | 2023-10-25 | 7.5 High |
| Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL. | ||||
| CVE-2019-16546 | 1 Jenkins | 1 Google Compute Engine | 2023-10-25 | 5.9 Medium |
| Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. | ||||