Total
899 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-32078 | 1 Gravitl | 1 Netmaker | 2024-11-21 | N/A | 7.5 HIGH |
| Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server. | |||||
| CVE-2023-31182 | 1 Easytor | 1 Easytor | 2024-11-21 | N/A | 8.1 HIGH |
| EasyTor Applications – Authorization Bypass - EasyTor Applications may allow authorization bypass via unspecified method. | |||||
| CVE-2023-2978 | 1 Abstrium | 1 Pydio Cells | 2024-11-21 | 4.1 MEDIUM | 4.6 MEDIUM |
| A vulnerability was found in Abstrium Pydio Cells 4.2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Change Subscription Handler. The manipulation leads to authorization bypass. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. VDB-230210 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-2958 | 1 Orjinyazilim | 1 Ats Pro | 2024-11-21 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass.This issue affects ATS Pro: before 20230714. | |||||
| CVE-2023-2883 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2024-11-21 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in CBOT Chatbot allows Authentication Abuse, Authentication Bypass.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | |||||
| CVE-2023-2844 | 1 Fit2cloud | 1 Cloudexplorer Lite | 2024-11-21 | N/A | 4.9 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. | |||||
| CVE-2023-2713 | 1 Rental Module Project | 1 Rental Module | 2024-11-21 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass.This issue affects Rental Module: before 23.05.15. | |||||
| CVE-2023-2702 | 1 Finexmedia | 1 Competition Management System | 2024-11-21 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass.This issue affects Competition Management System: before 23.07. | |||||
| CVE-2023-2548 | 1 Metagauss | 1 Registrationmagic | 2024-11-21 | N/A | 6.6 MEDIUM |
| The RegistrationMagic plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 5.2.0.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers, with administrator-level permissions and above, to change user passwords and potentially take over super-administrator accounts in multisite setup. | |||||
| CVE-2023-2544 | 1 Upv | 1 Peix | 2024-11-21 | N/A | 5.3 MEDIUM |
| Authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users. | |||||
| CVE-2023-2260 | 1 Alf | 1 Alf | 2024-11-21 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. | |||||
| CVE-2023-2190 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public. | |||||
| CVE-2023-2065 | 1 Armoli | 1 Cargo Tracking System | 2024-11-21 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication Abuse, Authentication Bypass.This issue affects Cargo Tracking System: before 3558f28 . | |||||
| CVE-2023-28481 | 1 Tigergraph | 1 Tigergraph | 2024-11-21 | N/A | 8.8 HIGH |
| An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to SSH authorized keys file. Any code running as the tigergraph user is able to add their SSH public key into the authorised keys file. This allows an attacker to obtain password-less SSH key access by using their own SSH key. | |||||
| CVE-2023-28334 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 4.3 MEDIUM |
| Authenticated users were able to enumerate other users' names via the learning plans page. | |||||
| CVE-2023-28109 | 1 Play-with-docker | 1 Play With Docker | 2024-11-21 | N/A | 6.5 MEDIUM |
| Play With Docker is a browser-based Docker playground. Versions 0.0.2 and prior are vulnerable to domain hijacking. Because CORS configuration was not correct, an attacker could use `play-with-docker.com` as an example and set the origin header in an http request as `evil-play-with-docker.com`. The domain would echo in response header, which successfully bypassed the CORS policy and retrieved basic user information. This issue has been fixed in commit ed82247c9ab7990ad76ec2bf1498c2b2830b6f1a. There are no known workarounds. | |||||
| CVE-2023-27576 | 1 Phplist | 1 Phplist | 2024-11-21 | N/A | 6.7 MEDIUM |
| An issue was discovered in phpList before 3.6.14. Due to an access error, it was possible to manipulate and edit data of the system's super admin, allowing one to perform an account takeover of the user with super-admin permission. Specifically, for a request with updatepassword=1, a modified request (manipulating both the ID parameter and the associated username) can bypass the intended email confirmation requirement. For example, the attacker can start from an updatepassword=1 request with their own ID number, and change the ID number to 1 (representing the super admin account) and change the username to admin2. In the first step, the attacker changes the super admin's email address to one under the attacker's control. In the second step, the attacker performs a password reset for the super admin account. The new password allows login as the super admin, i.e., a successful account takeover. | |||||
| CVE-2023-26428 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2024-11-21 | N/A | 6.5 MEDIUM |
| Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Signatures of other users could be read even though they are not explicitly shared. We improved permission handling when requesting snippets that are not explicitly shared with other users. No publicly available exploits are known. | |||||
| CVE-2023-26237 | 1 Watchguard | 8 Edr, Edr Firmware, Epdr and 5 more | 2024-11-21 | N/A | 6.7 MEDIUM |
| An issue was discovered in WatchGuard EPDR 8.0.21.0002. It is possible to bypass the defensive capabilities by adding a registry key as SYSTEM. | |||||
| CVE-2023-25160 | 1 Nextcloud | 1 Mail | 2024-11-21 | N/A | 4.1 MEDIUM |
| Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available. | |||||