Total: 1438 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-24730 | 1 Linuxfoundation | 1 Argo-cd | 2023-06-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `get` access for a repository containing a Helm chart can craft an API request to the `/api/v1/repositories/{repo_url}/appdetails` endpoint to leak the contents of out-of-bounds files from the repo-server. The malicious payload would reference an out-of-bounds file, and the contents of that file would be returned as part of the response. Contents from a non-YAML file may be returned as part of an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from other Applications' source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The patches prevent path traversal and limit access to users who either A) have been granted Application `create` privileges or B) have been granted Application `get` privileges and are requesting details for a `repo_url` that has already been used for the given Application. There are currently no known workarounds. | |||||
| CVE-2023-34965 | 1 Sspanel-uim Project | 1 Sspanel-uim | 2023-06-23 | N/A | 5.3 MEDIUM |
| SSPanel-Uim 2023.3 does not restrict access to the /link/ interface which can lead to a leak of user information. | |||||
| CVE-2023-32061 | 1 Discourse | 1 Discourse | 2023-06-23 | N/A | 5.3 MEDIUM |
| Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, the lack of restrictions on the iFrame tag makes it easy for an attacker to exploit the vulnerability and hide subsequent comments from other users. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. There are no known workarounds. | |||||
| CVE-2023-22248 | 1 Adobe | 2 Commerce, Magento | 2023-06-22 | N/A | 7.5 HIGH |
| Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to leak another user's data. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-29288 | 1 Adobe | 2 Commerce, Magento | 2023-06-22 | N/A | 4.3 MEDIUM |
| Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-29295 | 1 Adobe | 2 Commerce, Magento | 2023-06-22 | N/A | 4.3 MEDIUM |
| Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-29296 | 1 Adobe | 2 Commerce, Magento | 2023-06-22 | N/A | 4.3 MEDIUM |
| Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction. | |||||
| CVE-2022-22307 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2023-06-21 | N/A | 7.8 HIGH |
| IBM Security Guardium 11.3, 11.4, and 11.5 could allow a local user to obtain elevated privileges due to incorrect authorization checks. IBM X-Force ID: 216753. | |||||
| CVE-2023-32683 | 1 Matrix | 1 Synapse | 2023-06-17 | N/A | 5.4 MEDIUM |
| Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting, potentially allowing server-side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. Users unable to upgrade may also disable URL previews. | |||||
| CVE-2023-33651 | 1 Sitecore | 4 Experience Commerce, Experience Manager, Experience Platform and 1 more | 2023-06-16 | N/A | 7.5 HIGH |
| An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules. | |||||
| CVE-2023-32749 | 1 Pydio | 1 Cells | 2023-06-15 | N/A | 8.8 HIGH |
| Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted. | |||||
| CVE-2023-3066 | 1 Mobatime | 1 Amxgt 100 | 2023-06-14 | N/A | 8.1 HIGH |
| Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administrators. This issue affects Mobatime mobile application AMXGT100: through 1.3.20. | |||||
| CVE-2023-22610 | 1 Schneider-electric | 3 Ecostruxure Geo Scada Expert 2019, Ecostruxure Geo Scada Expert 2020, Ecostruxure Geo Scada Expert 2021 | 2023-06-14 | N/A | 7.5 HIGH |
| A CWE-863: Incorrect Authorization vulnerability exists that could cause Denial of Service against the Geo SCADA server when specific messages are sent to the server over the database server TCP port. | |||||
| CVE-2023-28352 | 2 Faronics, Microsoft | 2 Insight, Windows | 2023-06-13 | N/A | 7.4 HIGH |
| An issue was discovered in Faronics Insight 10.0.19045 on Windows. By abusing the Insight UDP broadcast discovery system, an attacker-controlled artificial Student Console can connect to and attack a Teacher Console even after Enhanced Security Mode has been enabled. | |||||
| CVE-2022-46308 | 1 Sguda | 2 U-lock, U-lock Firmware | 2023-06-09 | N/A | 8.8 HIGH |
| SGUDA U-Lock central lock control service’s user management function has incorrect authorization. A remote attacker with general user privilege can exploit this vulnerability to call privileged APIs to access, modify and delete user information. | |||||
| CVE-2023-3033 | 1 Mobatime | 1 Mobatime Web Application | 2023-06-09 | N/A | 8.8 HIGH |
| Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation by exploiting incorrectly configured access control security levels. This issue affects Mobatime web application: through 06.7.22. | |||||
| CVE-2023-28698 | 1 Wddgroup | 1 Fantsy | 2023-06-09 | N/A | 9.8 CRITICAL |
| Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service. | |||||
| CVE-2022-46307 | 1 Sguda | 2 U-lock, U-lock Firmware | 2023-06-09 | N/A | 8.8 HIGH |
| SGUDA U-Lock central lock control service’s lock management function has incorrect authorization. A remote attacker with general privilege can exploit this vulnerability to call privileged APIs to acquire information, manipulate or disrupt the functionality of arbitrary electronic locks. | |||||
| CVE-2023-31226 | 1 Huawei | 1 Emui | 2023-06-08 | N/A | 7.5 HIGH |
| The SDK for the MediaPlaybackController module has improper permission verification. Successful exploitation of this vulnerability may affect confidentiality. | |||||
| CVE-2023-34218 | 1 Jetbrains | 1 Teamcity | 2023-06-06 | N/A | 9.8 CRITICAL |
| In JetBrains TeamCity before 2023.05, a bypass of permission checks that allowed performing admin actions was possible. | |||||
