Total
1438 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-50732 | 1 Xwiki | 1 Xwiki | 2024-01-04 | N/A | 6.3 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1. | |||||
| CVE-2023-49949 | 1 Passwork | 1 Passwork | 2024-01-04 | N/A | 8.1 HIGH |
| Passwork before 6.2.0 allows remote authenticated users to bypass 2FA by sending all one million of the possible 6-digit codes. | |||||
| CVE-2023-5644 | 1 Wpvibes | 1 Wp Mail Log | 2024-01-04 | N/A | 7.6 HIGH |
| The WP Mail Log WordPress plugin before 1.1.3 does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users. | |||||
| CVE-2023-51649 | 1 Networktocode | 1 Nautobot | 2024-01-03 | N/A | 4.3 MEDIUM |
| Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0 | |||||
| CVE-2022-39337 | 1 Dromara | 1 Hertzbeat | 2024-01-02 | N/A | 7.5 HIGH |
| Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue. | |||||
| CVE-2023-6355 | 1 Gallagher | 2 Controller 7000, Controller 7000 Firmware | 2024-01-02 | N/A | 6.8 MEDIUM |
| Incorrect selection of fuse values in the Controller 7000 platform allows an attacker to bypass some protection mechanisms to enable local debug. This issue affects: Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507 (MR1)), 8.90 prior to vCR8.90.231204a (distributed in 8.90.1620 (MR2)), 8.80 prior to vCR8.80.231204a (distributed in 8.80.1369 (MR3)), 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)). | |||||
| CVE-2020-16904 | 1 Microsoft | 1 Azure Functions | 2023-12-31 | 7.5 HIGH | 5.3 MEDIUM |
| <p>An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.</p> <p>An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.</p> <p>This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions.</p> | |||||
| CVE-2020-17049 | 2 Microsoft, Samba | 4 Windows Server 2012, Windows Server 2016, Windows Server 2019 and 1 more | 2023-12-31 | 9.0 HIGH | 6.6 MEDIUM |
| <p>A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).</p> <p>To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.</p> <p>The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.</p> | |||||
| CVE-2021-27086 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2023-12-29 | 4.6 MEDIUM | 7.8 HIGH |
| Windows Services and Controller App Elevation of Privilege Vulnerability | |||||
| CVE-2023-50705 | 1 Efacec | 2 Uc 500e, Uc 500e Firmware | 2023-12-29 | N/A | 5.3 MEDIUM |
| An attacker could create malicious requests to obtain sensitive information about the web server. | |||||
| CVE-2023-51379 | 1 Github | 1 Enterprise Server | 2023-12-29 | N/A | 4.9 MEDIUM |
| An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. | |||||
| CVE-2022-4014 | 1 Feehi | 1 Feehicms | 2023-12-28 | N/A | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in FeehiCMS. Affected by this issue is some unknown functionality of the component Post My Comment Tab. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The identifier of this vulnerability is VDB-213788. | |||||
| CVE-2023-49734 | 1 Apache | 1 Superset | 2023-12-28 | N/A | 6.5 MEDIUM |
| An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue. | |||||
| CVE-2022-3585 | 1 Oretnom23 | 1 Simple Cold Storage Management System | 2023-12-28 | N/A | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in SourceCodester Simple Cold Storage Management System 1.0. Affected is an unknown function of the file /csms/?page=contact_us of the component Contact Us. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-211194 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-3582 | 1 Oretnom23 | 1 Simple Cold Storage Management System | 2023-12-28 | N/A | 3.5 LOW |
| A vulnerability has been found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument change password leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-211189 was assigned to this vulnerability. | |||||
| CVE-2023-41314 | 1 Apache | 1 Doris | 2023-12-22 | N/A | 8.2 HIGH |
| The api /api/snapshot and /api/get_log_file would allow unauthenticated access. It could allow a DoS attack or get arbitrary files from FE node. Please upgrade to 2.0.3 to fix these issues. | |||||
| CVE-2022-29047 | 1 Jenkins | 1 Pipeline\ | 2023-12-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them. | |||||
| CVE-2022-22967 | 1 Saltstack | 1 Salt | 2023-12-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth. | |||||
| CVE-2022-47002 | 1 Masacms | 1 Masacms | 2023-12-21 | N/A | 9.8 CRITICAL |
| A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request. | |||||
| CVE-2023-4853 | 2 Quarkus, Redhat | 13 Quarkus, Build Of Optaplanner, Build Of Quarkus and 10 more | 2023-12-21 | N/A | 8.1 HIGH |
| A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. | |||||