Total: 508 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-45393 | 1 Grandingteco | 1 Utime Master | 2023-10-20 | 6.5 Medium | An indirect object reference (IDOR) in GRANDING UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to access sensitive information via a crafted cookie.
CVE-2023-42455 | 1 Wazuh | 2 Wazuh-dashboard, Wazuh-kibana-app | 2023-10-13 | 8.8 High | Wazuh is a security detection, visibility, and compliance open source project. In versions 4.4.0 and 4.4.1, it is possible to get the Wazuh API administrator key used by the Dashboard using the browser development tools. This allows a user logged in to the dashboard to become administrator of the API, even if their dashboard role is not. Version 4.4.2 contains a fix. There are no known workarounds.
CVE-2023-26237 | 1 Watchguard | 8 Edr, Edr Firmware, Epdr and 5 more | 2023-10-11 | 6.7 Medium | An issue was discovered in WatchGuard EPDR 8.0.21.0002. It is possible to bypass the defensive capabilities by adding a registry key as SYSTEM.
CVE-2023-4101 | 1 Qsige | 1 Qsige | 2023-10-10 | 6.5 Medium | The QSige login SSO does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.
CVE-2023-2544 | 1 Upv | 1 Peix | 2023-10-05 | 6.5 Medium | Authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.
CVE-2023-4099 | 1 Qsige | 1 Qsige | 2023-10-04 | 6.5 Medium | The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.
CVE-2023-32669 | 1 Buddyboss | 1 Buddyboss | 2023-10-04 | 5.4 Medium | Authorization bypass vulnerability in BuddyBoss 2.2.9 version, the exploitation of which could allow an authenticated user to access and rename other users' albums. This vulnerability can be exploited by changing the album identification (id).
CVE-2023-38872 | 1 Economizzer | 1 Economizzer | 2023-10-03 | 3.7 Low | An Insecure Direct Object Reference (IDOR) vulnerability in gugoan Economizzer commit 3730880 (April 2023) and v.0.9-beta1 allows any unauthenticated attacker to access cash book entry attachments of any other user, if they know the Id of the attachment.
CVE-2023-4934 | 1 Usta | 1 Aybs | 2023-10-02 | 8.8 High | Authorization Bypass Through User-Controlled Key vulnerability in Usta AYBS allows Authentication Abuse, Authentication Bypass. This issue affects AYBS: before 1.0.3.
CVE-2023-44206 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2023-09-28 | 9.1 Critical | Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.
CVE-2023-44205 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2023-09-28 | 5.3 Medium | Sensitive information disclosure due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.
CVE-2023-42334 | 1 Fl3xx | 2 Crew, Dispatch | 2023-09-22 | 6.5 Medium | An Indirect Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to escalate privileges via the user parameter.
CVE-2023-41368 | 1 Sap | 1 S/4 Hana | 2023-09-14 | 5.3 Medium | The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.
CVE-2023-0882 | 2 Krontech, Microsoft | 2 Single Connect, Windows | 2023-09-03 | 8.8 High | Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Kron Tech Single Connect on Windows allows Privilege Abuse. This issue affects Single Connect: 2.16.
CVE-2023-32078 | 1 Gravitl | 1 Netmaker | 2023-08-31 | 7.5 High | Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched image. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server.
CVE-2019-17382 | 1 Zabbix | 1 Zabbix | 2023-08-22 | 9.1 Critical | An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
CVE-2023-28481 | 1 Tigergraph | 1 Tigergraph | 2023-08-21 | 8.8 High | An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to the SSH authorized keys file. Any code running as the tigergraph user is able to add its SSH public key into the authorised keys file. This allows an attacker to obtain password-less SSH key access by using their own SSH key.
CVE-2022-23856 | 1 Saviynt | 1 Enterprise Identity Cloud | 2023-08-08 | 5.3 Medium | An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x. An attacker can enumerate users by changing the id parameter, such as for the ECM/maintenance/forgotpasswordstep1 URI.
CVE-2022-2243 | 1 Gitlab | 1 Gitlab | 2023-08-08 | 4.3 Medium | An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked Sentry projects.
CVE-2021-44949 | 1 Glfusion | 1 Glfusion | 2023-08-08 | 9.8 Critical | glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php.