Total
899 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6929 | 1 Eurotel | 2 Etl3100, Etl3100 Firmware | 2024-11-21 | N/A | 7.5 HIGH |
| EuroTel ETL3100 versions v01c01 and v01x37 are vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization, access the hidden resources on the system, and execute privileged functionalities. | |||||
| CVE-2023-6724 | 1 Simgesel | 1 Hearing Tracking System | 2024-11-21 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Software Engineering Consultancy Machine Equipment Limited Company Hearing Tracking System allows Authentication Abuse.This issue affects Hearing Tracking System: before for IOS 7.0, for Android Latest release 1.0. | |||||
| CVE-2023-6630 | 1 Rocklobster | 1 Contact Form 7 | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key. | |||||
| CVE-2023-6523 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Authorization Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse.This issue affects Extreme XDS: before 3914. | |||||
| CVE-2023-6341 | 1 Catalisgov | 1 Cms360 | 2024-11-21 | N/A | 5.3 MEDIUM |
| Catalis (previously Icon Software) CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation. | |||||
| CVE-2023-6226 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user controlled keys 'key' and 'post_id'. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta values which may contain sensitive information when combined with another plugin. | |||||
| CVE-2023-5544 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2024-11-21 | N/A | 6.5 MEDIUM |
| Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. | |||||
| CVE-2023-51503 | 1 Automattic | 1 Woopayments | 2024-11-21 | N/A | 5.9 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 6.9.2. | |||||
| CVE-2023-51502 | 1 Automattic | 1 Woocommerce Stripe | 2024-11-21 | N/A | 7.5 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1. | |||||
| CVE-2023-50267 | 1 Metersphere | 1 Metersphere | 2024-11-21 | N/A | 4.3 MEDIUM |
| MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, the authenticated attackers can update resources which don't belong to him if the resource ID is known. This issue if fixed in 2.10.10-lts. There are no known workarounds. | |||||
| CVE-2023-4934 | 1 Usta | 1 Aybs | 2024-11-21 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Usta AYBS allows Authentication Abuse, Authentication Bypass.This issue affects AYBS: before 1.0.3. | |||||
| CVE-2023-4587 | 1 Zkteco | 2 Zem800, Zem800 Firmware | 2024-11-21 | N/A | 8.3 HIGH |
| An IDOR vulnerability has been found in ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server. | |||||
| CVE-2023-4213 | 1 Mikevanwinkle | 1 Simplr Registration Form Plus\+ | 2024-11-21 | N/A | 8.8 HIGH |
| The Simplr Registration Form Plus+ plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.4.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber-level permissions or above to change user passwords and potentially take over administrator accounts. | |||||
| CVE-2023-4101 | 1 Qsige | 1 Qsige | 2024-11-21 | N/A | 8.8 HIGH |
| The QSige login SSO does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. | |||||
| CVE-2023-4099 | 1 Qsige | 1 Qsige | 2024-11-21 | N/A | 7.6 HIGH |
| The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. | |||||
| CVE-2023-49812 | 1 Wppa | 1 Wp Photo Album Plus | 2024-11-21 | N/A | 5.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005. | |||||
| CVE-2023-49765 | 1 Blazzdev | 1 Rate My Post | 2024-11-21 | N/A | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Blaz K. Rate my Post – WP Rating System.This issue affects Rate my Post – WP Rating System: from n/a through 3.4.1. | |||||
| CVE-2023-49298 | 2 Freebsd, Openzfs | 2 Freebsd, Openzfs | 2024-11-21 | N/A | 7.5 HIGH |
| OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions. | |||||
| CVE-2023-49251 | 1 Siemens | 1 Simatic Cn 4100 | 2024-11-21 | N/A | 8.8 HIGH |
| A vulnerability has been identified in SIMATIC CN 4100 (All versions < V2.7). The "intermediate installation" system state of the affected application allows an attacker to add their own login credentials to the device. This allows an attacker to remotely login as root and take control of the device even after the affected device is fully set up. | |||||
| CVE-2023-49112 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Kiuwan provides an API endpoint /saas/rest/v1/info/application to get information about any application, providing only its name via the "application" parameter. This endpoint lacks proper access control mechanisms, allowing other authenticated users to read information about applications, even though they have not been granted the necessary rights to do so. This issue affects Kiuwan SAST: <master.1808.p685.q13371 | |||||