Total
1438 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-22518 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2023-12-19 | N/A | 9.8 CRITICAL |
| All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to - but not limited to - full loss of confidentiality, integrity and availability. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue. | |||||
| CVE-2023-6542 | 1 Sap | 1 Emarsys Sdk | 2023-12-18 | N/A | 7.1 HIGH |
| Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application. On successful attack, an attacker could navigate to arbitrary URL including application deep links on the device. | |||||
| CVE-2023-49273 | 1 Umbraco | 1 Umbraco Cms | 2023-12-15 | N/A | 5.4 MEDIUM |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. | |||||
| CVE-2023-48227 | 1 Umbraco | 1 Umbraco Cms | 2023-12-15 | N/A | 4.3 MEDIUM |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available. | |||||
| CVE-2020-10676 | 1 Suse | 1 Rancher | 2023-12-14 | N/A | 8.8 HIGH |
| In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project. | |||||
| CVE-2023-36646 | 1 Prolion | 1 Cryptospike | 2023-12-13 | N/A | 8.8 HIGH |
| Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation. | |||||
| CVE-2023-50457 | 1 Zammad | 1 Zammad | 2023-12-13 | N/A | 4.3 MEDIUM |
| An issue was discovered in Zammad before 6.2.0. When listing tickets linked to a knowledge base answer, or knowledge base answers of a ticket, a user could see entries for which they lack permissions. | |||||
| CVE-2023-48859 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2023-12-12 | N/A | 8.8 HIGH |
| TOTOLINK A3002RU version 2.0.0-B20190902.1958 has a post-authentication RCE due to incorrect access control, allows attackers to bypass front-end security restrictions and execute arbitrary code. | |||||
| CVE-2023-49239 | 1 Huawei | 2 Emui, Harmonyos | 2023-12-11 | N/A | 7.5 HIGH |
| Unauthorized access vulnerability in the card management module. Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2023-49240 | 1 Huawei | 2 Emui, Harmonyos | 2023-12-11 | N/A | 7.5 HIGH |
| Unauthorized access vulnerability in the launcher module. Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2023-42575 | 1 Samsung | 1 Pass | 2023-12-11 | N/A | 6.8 MEDIUM |
| Improper Authentication vulnerability in Samsung Pass prior to version 4.3.00.17 allows physical attackers to bypass authentication due to invalid flag setting. | |||||
| CVE-2023-42569 | 1 Samsung | 1 Android | 2023-12-11 | N/A | 3.3 LOW |
| Improper authorization verification vulnerability in AR Emoji prior to SMR Dec-2023 Release 1 allows attackers to read sandbox data of AR Emoji. | |||||
| CVE-2016-6797 | 6 Apache, Canonical, Debian and 3 more | 14 Tomcat, Ubuntu Linux, Debian Linux and 11 more | 2023-12-08 | 5.0 MEDIUM | 7.5 HIGH |
| The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. | |||||
| CVE-2023-49947 | 1 Forgejo | 1 Forgejo | 2023-12-07 | N/A | 7.5 HIGH |
| Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication. | |||||
| CVE-2023-42006 | 1 Ibm | 1 I | 2023-12-06 | N/A | 5.5 MEDIUM |
| IBM Administration Runtime Expert for i 7.2, 7.3, 7.4, and 7.5 could allow a local user to obtain sensitive information caused by improper authority checks. IBM X-Force ID: 265266. | |||||
| CVE-2023-47827 | 1 Nicheaddons | 1 Events Addon For Elementor | 2023-12-05 | N/A | 7.5 HIGH |
| Incorrect Authorization vulnerability in NicheAddons Events Addon for Elementor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Events Addon for Elementor: from n/a through 2.1.3. | |||||
| CVE-2022-42344 | 2 Adobe, Magento | 2 Commerce, Magento | 2023-12-04 | N/A | 8.8 HIGH |
| Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Incorrect Authorization vulnerability. An authenticated attacker can exploit this vulnerability to achieve information exposure and privilege escalation. | |||||
| CVE-2023-38218 | 1 Adobe | 2 Commerce, Magento | 2023-12-04 | N/A | 8.8 HIGH |
| Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Incorrect Authorization . An authenticated attacker can exploit this to achieve information exposure and privilege escalation. | |||||
| CVE-2023-48712 | 1 Warpgate Project | 1 Warpgate | 2023-11-30 | N/A | 8.8 HIGH |
| Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. In affected versions there is a privilege escalation vulnerability through a non-admin user's account. Limited users can impersonate another user's account if only single-factor authentication is configured. If a user knows an admin username, opens the login screen and attempts to authenticate with an incorrect password they can subsequently enter a valid non-admin username and password they will be logged in as the admin user. All installations prior to version 0.9.0 are affected. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-48218 | 1 Strapi | 1 Protected Populate | 2023-11-29 | N/A | 5.3 MEDIUM |
| The Strapi Protected Populate Plugin protects `get` endpoints from revealing too much information. Prior to version 1.3.4, users were able to bypass the field level security. Users who tried to populate something that they didn't have access to could populate those fields anyway. This issue has been patched in version 1.3.4. There are no known workarounds. | |||||