Total
848 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-33956 | 1 Kanboard | 1 Kanboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to an Insecure direct object reference (IDOR) vulnerability present in the application's URL parameter. This vulnerability enables any user to read files uploaded by any other user, regardless of their privileges or restrictions. By Changing the file_id any user can render all the files where MimeType is image uploaded under **/files** directory regard less of uploaded by any user. This vulnerability poses a significant impact and severity to the application's security. By manipulating the URL parameter, an attacker can access sensitive files that should only be available to authorized users. This includes confidential documents or any other type of file stored within the application. The ability to read these files can lead to various detrimental consequences, such as unauthorized disclosure of sensitive information, privacy breaches, intellectual property theft, or exposure of trade secrets. Additionally, it could result in legal and regulatory implications, reputation damage, financial losses, and potential compromise of user trust. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-33706 | 1 Sysaid | 1 Sysaid | 2024-11-21 | N/A | 6.5 MEDIUM |
| SysAid before 23.2.15 allows Indirect Object Reference (IDOR) attacks to read ticket data via a modified sid parameter to EmailHtmlSourceIframe.jsp or a modified srID parameter to ShowMessage.jsp. | |||||
| CVE-2023-32799 | 1 Woocommerce | 1 Shipping Multiple Addresses | 2024-11-21 | N/A | 6.5 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses.This issue affects Shipping Multiple Addresses: from n/a through 3.8.3. | |||||
| CVE-2023-32747 | 1 Automattic | 1 Woocommerce Bookings | 2024-11-21 | N/A | 5.4 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 1.15.78. | |||||
| CVE-2023-32669 | 1 Buddyboss | 1 Buddyboss | 2024-11-21 | N/A | 5.4 MEDIUM |
| Authorization bypass vulnerability in BuddyBoss 2.2.9 version, the exploitation of which could allow an authenticated user to access and rename other users' albums. This vulnerability can be exploited by changing the album identification (id). | |||||
| CVE-2023-32310 | 1 Dataease | 1 Dataease | 2024-11-21 | N/A | 8.1 HIGH |
| DataEase is an open source data visualization and analysis tool. The API interface for DataEase delete dashboard and delete system messages is vulnerable to insecure direct object references (IDOR). This could result in a user deleting another user's dashboard or messages or interfering with the interface for marking messages read. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. | |||||
| CVE-2023-32078 | 1 Gravitl | 1 Netmaker | 2024-11-21 | N/A | 7.5 HIGH |
| Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server. | |||||
| CVE-2023-31182 | 1 Easytor | 1 Easytor | 2024-11-21 | N/A | 8.1 HIGH |
| EasyTor Applications – Authorization Bypass - EasyTor Applications may allow authorization bypass via unspecified method. | |||||
| CVE-2023-2978 | 1 Abstrium | 1 Pydio Cells | 2024-11-21 | 4.1 MEDIUM | 4.6 MEDIUM |
| A vulnerability was found in Abstrium Pydio Cells 4.2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Change Subscription Handler. The manipulation leads to authorization bypass. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. VDB-230210 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-2958 | 1 Orjinyazilim | 1 Ats Pro | 2024-11-21 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass.This issue affects ATS Pro: before 20230714. | |||||
| CVE-2023-2883 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2024-11-21 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in CBOT Chatbot allows Authentication Abuse, Authentication Bypass.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | |||||
| CVE-2023-2844 | 1 Fit2cloud | 1 Cloudexplorer Lite | 2024-11-21 | N/A | 4.9 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. | |||||
| CVE-2023-2713 | 1 Rental Module Project | 1 Rental Module | 2024-11-21 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass.This issue affects Rental Module: before 23.05.15. | |||||
| CVE-2023-2702 | 1 Finexmedia | 1 Competition Management System | 2024-11-21 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass.This issue affects Competition Management System: before 23.07. | |||||
| CVE-2023-2548 | 1 Metagauss | 1 Registrationmagic | 2024-11-21 | N/A | 6.6 MEDIUM |
| The RegistrationMagic plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 5.2.0.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers, with administrator-level permissions and above, to change user passwords and potentially take over super-administrator accounts in multisite setup. | |||||
| CVE-2023-2544 | 1 Upv | 1 Peix | 2024-11-21 | N/A | 5.3 MEDIUM |
| Authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users. | |||||
| CVE-2023-2260 | 1 Alf | 1 Alf | 2024-11-21 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. | |||||
| CVE-2023-2190 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public. | |||||
| CVE-2023-2065 | 1 Armoli | 1 Cargo Tracking System | 2024-11-21 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication Abuse, Authentication Bypass.This issue affects Cargo Tracking System: before 3558f28 . | |||||
| CVE-2023-28481 | 1 Tigergraph | 1 Tigergraph | 2024-11-21 | N/A | 8.8 HIGH |
| An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to SSH authorized keys file. Any code running as the tigergraph user is able to add their SSH public key into the authorised keys file. This allows an attacker to obtain password-less SSH key access by using their own SSH key. | |||||