Vulnerabilities (CVE)

Filtered by CWE-863 (Incorrect Authorization)
Total: 1438 CVEs
Columns: CVE | number of vendors | vendors | number of products | products | last updated | CVSS v2 | CVSS v3 (each entry is followed by its description)
CVE-2023-23192 1 Isdecisions 1 Userlock 2023-03-27 N/A 7.2 HIGH
IS Decisions UserLock MFA 11.01 is vulnerable to authentication bypass using scheduled task.
CVE-2023-27578 1 Galaxyproject 1 Galaxy 2023-03-23 N/A 7.5 HIGH
Galaxy is an open-source platform for data analysis. All supported versions of Galaxy prior to 22.01, 22.05, and 23.0 are affected by an insufficient permission check. Unsupported versions are likely affected as far back as the Visualizations/Pages functionality exists. Due to this issue, an attacker can modify or delete any Galaxy Visualization or Galaxy Page given they know its encoded ID. Additionally, they can copy or import any Galaxy Visualization given they know its encoded ID. Patches are available for versions 22.01, 22.05, and 23.0. For the changes to take effect, you must restart all Galaxy server processes. There are no supported workarounds.
CVE-2022-4315 1 Gitlab 1 Dynamic Application Security Testing Analyzer 2023-03-22 N/A 6.5 MEDIUM
An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 2.0 before 3.0.55, which sends custom request headers with every request on the authentication page.
CVE-2022-39214 1 Combodo 1 Itop 2023-03-18 N/A 7.5 HIGH
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1.
CVE-2023-22891 1 Smartbear 1 Zephyr Enterprise 2023-03-16 N/A 8.1 HIGH
There exists a privilege escalation vulnerability in SmartBear Zephyr Enterprise through 7.15.0 that could be exploited by authorized users to reset passwords for other accounts.
CVE-2023-23918 1 Nodejs 1 Node.js 2023-03-16 N/A 7.5 HIGH
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non-authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
CVE-2023-27899 1 Jenkins 1 Jenkins 2023-03-16 N/A 7.0 HIGH
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution.
CVE-2023-27903 1 Jenkins 1 Jenkins 2023-03-15 N/A 4.4 MEDIUM
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.
CVE-2023-27486 1 Xcat Project 1 Xcat 2023-03-15 N/A 8.8 HIGH
xCAT is a toolkit for deployment and administration of computer clusters. In versions prior to 2.16.5 if zones are configured as a mechanism to secure clusters in XCAT, it is possible for a local root user from one node to obtain credentials to SSH to any node in any zone, except the management node of the default zone. XCAT zones are not enabled by default. Only users that use the optional zone feature are impacted. All versions of xCAT prior to xCAT 2.16.5 are vulnerable. This problem has been fixed in xCAT 2.16.5. Users making use of zones should upgrade to 2.16.5. Users unable to upgrade may mitigate the issue by disabling zones or patching the management node with the fix contained in commit `85149c37f49`.
CVE-2023-27485 1 Thm 1 Feedbacksystem 2023-03-14 N/A 4.3 MEDIUM
thmmniii/fbs-core is an open source feedback system for students. In versions prior to 1.5.3, when querying `subresults`, it is possible to query `subresults` from other users due to insufficient authorisation. This is only possible for logged-in users, and it is not possible to associate the subresults with a specific user. This bug was fixed in commit `f1ae67d8bb2` and released with version 1.5.3. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2023-26056 1 Xwiki 1 Xwiki 2023-03-13 N/A 5.4 MEDIUM
XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10. There are no known workarounds for this issue.
CVE-2023-25575 1 Api-platform 1 Core 2023-03-13 N/A 6.5 MEDIUM
API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue, item endpoints are not. The JSON-LD format is not affected by the issue. The result of the security rule is only executed for the first item of the collection. The result of the rule is then cached and reused for the next items. This bug can leak data to unauthorized users when the rule depends on the value of a property of the item. This bug can also hide properties that should be displayed to authorized users. This issue impacts the 2.7, 3.0 and 3.1 branches. Please upgrade to versions 2.7.10, 3.0.12 or 3.1.3. As a workaround, replace the `cache_key` of the context array of the Serializer inside a custom normalizer that works on objects if the security option of the `ApiPlatform\Metadata\ApiProperty` attribute is used.
CVE-2018-20826 1 Atlassian 1 Jira 2023-03-03 4.0 MEDIUM 4.3 MEDIUM
The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.
CVE-2019-13417 1 Search-guard 1 Search Guard 2023-03-02 5.0 MEDIUM 5.3 MEDIUM
Search Guard versions before 24.0 had an issue where the field caps and mapping APIs leak field names (but not values) for fields that are not allowed for the user when field level security (FLS) is activated.
CVE-2023-0298 1 Firefly-iii 1 Firefly Iii 2023-03-02 N/A 6.5 MEDIUM
Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.
CVE-2023-23064 1 Totolink 2 A720r, A720r Firmware 2023-02-28 N/A 9.8 CRITICAL
TOTOLINK A720R V4.1.5cu.532_B20210610 is vulnerable to Incorrect Access Control.
CVE-2018-3778 1 Aedes Project 1 Aedes 2023-02-28 5.0 MEDIUM 5.3 MEDIUM
Improper authorization in aedes versions <0.35.0 will publish an LWT (last will and testament message) in a channel when a client is not authorized.
CVE-2021-32163 1 Linuxfoundation 1 Modular Open Smart Network 2023-02-28 N/A 9.8 CRITICAL
Authentication vulnerability in MOSN v.0.23.0 allows an attacker to escalate privileges via case-sensitive JWT authorization.
CVE-2019-13386 1 Centos-webpanel 1 Centos Web Panel 2023-02-28 6.5 MEDIUM 8.8 HIGH
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php allows attackers to execute a shell command, i.e., obtain a reverse shell with user privilege.
CVE-2018-10925 3 Canonical, Debian, Postgresql 3 Ubuntu Linux, Debian Linux, Postgresql 2023-02-24 5.5 MEDIUM 8.1 HIGH
It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.