Total: 2377 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-0451 | 1 Econolite | 1 Eos | 2023-06-20 | N/A | 7.5 HIGH | Econolite EOS versions prior to 3.2.23 lack a password requirement for gaining "READONLY" access to log files and certain database and configuration files. One such file contains tables with MD5 hashes and usernames for all defined users in the control software, including administrators and technicians. |
CVE-2023-3095 | 1 Teampass | 1 Teampass | 2023-06-09 | N/A | 6.5 MEDIUM | Improper access control in GitHub repository nilsteampassnet/teampass prior to 3.0.9. |
CVE-2023-28066 | 1 Dell | 1 Os Recovery Tool | 2023-06-09 | N/A | 7.8 HIGH | Dell OS Recovery Tool, versions 2.2.4013 and 2.3.7012.0, contain an improper access control vulnerability. A local authenticated non-administrator user could exploit it to elevate privileges on the system. |
CVE-2023-33191 | 1 Nirmata | 1 Kyverno | 2023-06-05 | N/A | 8.8 HIGH | Kyverno is a policy engine designed for Kubernetes. Kyverno's seccomp control can be circumvented: users of the `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4. |
CVE-2023-33946 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2023-06-01 | N/A | 4.3 MEDIUM | The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49, does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page. |
CVE-2023-33947 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2023-06-01 | N/A | 4.3 MEDIUM | The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61, does not segment object definitions by virtual instance in search, which allows remote authenticated users in one virtual instance to view object definitions from a second virtual instance by searching for them. |
CVE-2021-25749 | 1 Kubernetes | 1 Kubernetes | 2023-06-01 | N/A | 7.8 HIGH | Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true. |
CVE-2023-2944 | 1 Open-emr | 1 Openemr | 2023-06-01 | N/A | 5.4 MEDIUM | Improper access control in GitHub repository openemr/openemr prior to 7.0.1. |
CVE-2023-2946 | 1 Open-emr | 1 Openemr | 2023-06-01 | N/A | 8.1 HIGH | Improper access control in GitHub repository openemr/openemr prior to 7.0.1. |
CVE-2023-31241 | 2 Control4, Snapone | 13 Ca-1, Ca-10, Ea-1 and 10 more | 2023-05-31 | N/A | 10.0 CRITICAL | Snap One OvrC cloud servers contain a route an attacker can use to bypass the claiming requirements and claim devices outright. |
CVE-2023-2845 | 1 Fit2cloud | 1 Cloudexplorer Lite | 2023-05-30 | N/A | 8.1 HIGH | Improper access control in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. |
CVE-2018-16838 | 2 Fedoraproject, Redhat | 2 Sssd, Enterprise Linux | 2023-05-29 | 5.5 MEDIUM | 5.4 MEDIUM | A flaw was found in the SSSD Group Policy Objects implementation. When a GPO is not readable by SSSD because of overly strict permission settings on the server side, SSSD allows all authenticated users to log in instead of denying access. |
CVE-2023-23446 | 1 Sick | 14 Ftmg-esd15axx, Ftmg-esd15axx Firmware, Ftmg-esd20axx and 11 more | 2023-05-25 | N/A | 7.5 HIGH | Improper access control in the SICK FTMg AIR FLOW SENSOR with part numbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524 and 1122526 allows a remote attacker to download files via the REST interface using an unprivileged account. |
CVE-2023-23445 | 1 Sick | 14 Ftmg-esd15axx, Ftmg-esd15axx Firmware, Ftmg-esd20axx and 11 more | 2023-05-25 | N/A | 7.5 HIGH | Improper access control in the SICK FTMg AIR FLOW SENSOR with part numbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524 and 1122526 allows a remote attacker to gain unauthorized access to data fields via the REST interface using an unprivileged account. |
CVE-2020-3524 | 1 Cisco | 26 4221 Integrated Services Router, 4331 Integrated Services Router, 4431 Integrated Services Router and 23 more | 2023-05-22 | 6.9 MEDIUM | 6.8 MEDIUM | A vulnerability in the Cisco IOS XE ROM Monitor (ROMMON) Software for Cisco 4000 Series Integrated Services Routers, Cisco ASR 920 Series Aggregation Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, and Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated attacker with physical access to break the chain of trust and load a compromised software image on an affected device. The vulnerability is due to the presence of a debugging configuration option in the affected software. An attacker could exploit it by connecting to an affected device through the console, forcing the device into ROMMON mode, and writing a malicious pattern using that option. A compromised software image is any software image that has not been digitally signed by Cisco. |
CVE-2023-1834 | 1 Rockwellautomation | 2 Kinetix 5500, Kinetix 5500 Firmware | 2023-05-22 | N/A | 9.1 CRITICAL | Rockwell Automation was made aware that Kinetix 5500 drives manufactured between May 2022 and January 2023 and running v7.13 may have the telnet and FTP ports open by default. This could allow attackers unauthorized access to the device through those open ports. |
CVE-2023-2674 | 1 Open-emr | 1 Openemr | 2023-05-22 | N/A | 4.3 MEDIUM | Improper access control in GitHub repository openemr/openemr prior to 7.0.1. |
CVE-2018-1168 | 1 Hitachienergy | 2 Sys600, Sys600 Firmware | 2023-05-16 | 7.2 HIGH | 7.8 HIGH | This vulnerability allows local attackers to escalate privileges on vulnerable installations of ABB MicroSCADA 9.3 with FP 1-2-3. An attacker must first obtain the ability to execute low-privileged code on the target system. The specific flaw exists within the configuration of the access controls for the installed product files: the installation procedure leaves critical files open to manipulation by any authenticated user. An attacker can leverage this to escalate privileges to SYSTEM. Was ZDI-CAN-5097. |
CVE-2019-18998 | 1 Hitachienergy | 1 Asset Suite | 2023-05-16 | 5.5 MEDIUM | 7.1 HIGH | Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource's URL can access the resource directly. |
CVE-2023-32060 | 1 Dhis2 | 1 Dhis 2 | 2023-05-16 | N/A | 6.5 MEDIUM | DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.35 branch and prior to versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0, when Category Option Combination Sharing settings are configured to control access to specific tracker program events or program stages, the `/trackedEntityInstances` and `/events` API endpoints may return all events regardless of the sharing settings applied to the category option combinations. With this configuration, users may gain access to events they should not be able to see. The events do not appear in the web-based Tracker Capture or Capture applications, but the Android Capture App displays them to the user. Versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0 contain a fix. No workaround is known. |
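The Liferay (CVE-2023-33946, CVE-2023-33947), ABB Asset Suite (CVE-2019-18998) and DHIS2 (CVE-2023-32060) entries share one failure pattern: a record is resolved from the identifier in the request, and the tenant, ownership or sharing check either never runs or runs only in one client. The following is an added illustration in Python, not code from any of those products; the users, records and `can_read` rule are constructed for the example. It places the authorization decision inside the lookup and the search, so that a web UI, a mobile app and a raw API call all get the same answer.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    tenant: str               # "virtual instance" in Liferay's terms
    groups: FrozenSet[str]    # drives sharing decisions


@dataclass(frozen=True)
class Record:
    id: int
    tenant: str
    owner: str
    shared_with: FrozenSet[str]   # groups allowed to read besides the owner
    body: str


# Constructed sample store: two tenants, three records.
RECORDS = {
    1: Record(1, "tenant-a", "alice", frozenset({"analysts"}), "quarterly report"),
    2: Record(2, "tenant-a", "bob", frozenset(), "bob private notes"),
    3: Record(3, "tenant-b", "carol", frozenset({"analysts"}), "incident report"),
}


def get_record_vulnerable(user: User, record_id: int) -> Optional[Record]:
    """Direct object reference: whoever learns or guesses the id gets the
    record. The caller is accepted as a parameter but never consulted."""
    return RECORDS.get(record_id)


def can_read(user: User, rec: Record) -> bool:
    """Tenant boundary first; only then ownership or explicit sharing."""
    if rec.tenant != user.tenant:
        return False
    return rec.owner == user.name or bool(rec.shared_with & user.groups)


def get_record(user: User, record_id: int) -> Optional[Record]:
    """Hardened lookup: the authorization decision lives next to the data
    access rather than in a UI layer. A forbidden record and a missing one
    are indistinguishable to the caller, so ids cannot be enumerated."""
    rec = RECORDS.get(record_id)
    if rec is None or not can_read(user, rec):
        return None
    return rec


def search_records(user: User, needle: str) -> List[Record]:
    """Hardened search: scope is applied before matching, so neither the hit
    list nor its length reveals records that belong to another tenant."""
    return [r for r in RECORDS.values() if can_read(user, r) and needle in r.body]
```

Returning `None` for both "not found" and "not yours" is deliberate: a distinct 403 tells an attacker that the guessed identifier exists, which is exactly the information an IDOR probe is after.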
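CVE-2018-16838 is a fail-open bug: a policy the enforcement point cannot read is treated as if it imposed no restriction. The block below is an added model of that decision in Python, not SSSD's C code; the policy store, group names and `ignore_unreadable` flag are constructed for the example. With `ignore_unreadable=False` the check fails closed, which is the fixed behaviour; with `True` it reproduces what the vulnerable code did implicitly, and is the behaviour SSSD's later `ad_gpo_ignore_unreadable` option (default false) lets an operator opt back into.

```python
from typing import Dict, Iterable, Optional, Set, Tuple


class PolicyUnreadable(Exception):
    """The policy container's ACL hides it from the service account."""


# Constructed policy store: name -> logon-right settings, or None to simulate
# a GPO whose server-side permissions are too strict for the service to read.
POLICIES: Dict[str, Optional[Dict[str, Set[str]]]] = {
    "Default Domain Policy": {"allow": {"Domain Users"}, "deny": set()},
    "Server Hardening": {"allow": {"Server Admins"}, "deny": {"Domain Users"}},
    "Locked Down GPO": None,
}


def read_policy(name: str) -> Dict[str, Set[str]]:
    settings = POLICIES[name]
    if settings is None:
        raise PolicyUnreadable(name)
    return settings


def evaluate(user_groups: Set[str], applicable: Iterable[str],
             ignore_unreadable: bool = False) -> Tuple[bool, str]:
    """Decide interactive logon for a user given the GPOs linked to the host.

    Semantics follow Windows logon rights: a deny list wins over any allow
    list, and if no applicable policy defines logon rights at all, every
    authenticated user may log in. That last default is what makes silently
    dropping an unreadable policy dangerous."""
    allow_lists = []
    for name in applicable:
        try:
            pol = read_policy(name)
        except PolicyUnreadable:
            if not ignore_unreadable:
                return False, f"{name!r} unreadable: fail closed"
            continue                      # policy silently contributes nothing
        if user_groups & pol["deny"]:
            return False, f"denied by {name!r}"
        if pol["allow"]:
            allow_lists.append((name, pol["allow"]))
    if not allow_lists:
        return True, "no logon-right policy applies"
    for name, allowed in allow_lists:
        if user_groups & allowed:
            return True, f"allowed by {name!r}"
    return False, "not in any allow list"
```

The first assertion in the test is the CVE in miniature: the only policy linked to the host is unreadable, so an ordinary domain user is let in because "nothing applied". Note also that fail-closed must apply even when an earlier, readable policy already granted access, since the unreadable one may carry a deny.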
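For CVE-2021-25749, `runAsNonRoot: true` was not enforced for Windows containers on affected kubelets, so a workload that set it still ran as ContainerAdministrator. The following is an added admission-style check written in Python for this page, not Kubernetes, Kyverno or any vendor code; the pod manifests are constructed as plain dicts and the rule is mine: every container in a Windows pod must name its account explicitly through `securityContext.windowsOptions.runAsUserName`, and that account must not be the built-in administrator. This does not depend on the kubelet honouring `runAsNonRoot` at all.

```python
from typing import Dict, List, Optional

ADMIN_USER = "containeradministrator"   # default account in Windows containers


def is_windows_pod(spec: Dict) -> bool:
    """A pod targets Windows if it selects the windows OS label or declares
    spec.os.name (the newer, explicit field)."""
    if spec.get("nodeSelector", {}).get("kubernetes.io/os") == "windows":
        return True
    return spec.get("os", {}).get("name") == "windows"


def effective_user(pod_ctx: Dict, container: Dict) -> Optional[str]:
    """Container-level securityContext overrides the pod-level one field by
    field, so look at the container first and fall back to the pod."""
    for ctx in (container.get("securityContext", {}), pod_ctx):
        name = ctx.get("windowsOptions", {}).get("runAsUserName")
        if name is not None:
            return name
    return None


def check_windows_pod(pod: Dict) -> List[str]:
    """Return a list of violations; an empty list means the pod may be admitted."""
    spec = pod["spec"]
    if not is_windows_pod(spec):
        return []
    pod_ctx = spec.get("securityContext", {})
    problems = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        user = effective_user(pod_ctx, c)
        if user is None:
            problems.append(f"{c['name']}: no windowsOptions.runAsUserName; "
                            "runAsNonRoot alone is not enforced on affected kubelets")
        elif user.lower() == ADMIN_USER:
            problems.append(f"{c['name']}: runs as {user}")
    return problems


# Constructed manifests used by the usage below and by the test.
RELIES_ON_RUNASNONROOT = {"spec": {
    "nodeSelector": {"kubernetes.io/os": "windows"},
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "web", "image": "example/web"}]}}

EXPLICIT_USER = {"spec": {
    "nodeSelector": {"kubernetes.io/os": "windows"},
    "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}},
    "containers": [{"name": "web", "image": "example/web"}]}}

CONTAINER_OVERRIDE = {"spec": {
    "os": {"name": "windows"},
    "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}},
    "containers": [{"name": "web", "image": "example/web",
                    "securityContext": {"windowsOptions":
                                        {"runAsUserName": "ContainerAdministrator"}}}]}}

LINUX_POD = {"spec": {
    "nodeSelector": {"kubernetes.io/os": "linux"},
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "web", "image": "example/web"}]}}

if __name__ == "__main__":
    for label, pod in [("relies on runAsNonRoot", RELIES_ON_RUNASNONROOT),
                       ("explicit user", EXPLICIT_USER),
                       ("container override", CONTAINER_OVERRIDE),
                       ("linux pod", LINUX_POD)]:
        print(label, "->", check_windows_pod(pod) or "admitted")
```

The same rule fits naturally into an admission controller or a policy engine; the point is that the invariant the workload relies on (not running as the administrator account) is stated in terms the node cannot misinterpret.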