Total
2377 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-1883 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-04-12 | N/A | 5.4 MEDIUM |
| Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.12. | |||||
| CVE-2023-26460 | 1 Sap | 1 Netweaver Application Server For Java | 2023-04-11 | N/A | 5.3 MEDIUM |
| Cache Management Service in SAP NetWeaver Application Server for Java - version 7.50, does not perform any authentication checks for functionalities that require user identity | |||||
| CVE-2023-27268 | 1 Sap | 1 Netweaver Application Server For Java | 2023-04-11 | N/A | 5.3 MEDIUM |
| SAP NetWeaver AS Java (Object Analyzing Service) - version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability., resulting in escalation of privileges. | |||||
| CVE-2023-28645 | 1 Nextcloud | 1 Richdocuments | 2023-04-07 | N/A | 6.5 MEDIUM |
| Nextcloud richdocuments is a Nextcloud app integrating the office suit Collabora Online. In affected versions the secure view feature of the rich documents app can be bypassed by using unprotected internal API endpoint of the rich documents app. It is recommended that the Nextcloud Office app (richdocuments) is upgraded to 8.0.0-beta.1, 7.0.2 or 6.3.2. Users unable to upgrade may mitigate the issue by taking steps to restrict the ability to download documents. This includes ensuring that the `WOPI configuration` is configured to only serve documents between Nextcloud and Collabora. It is highly recommended to define the list of Collabora server IPs as the allow list within the Office admin settings of Nextcloud. | |||||
| CVE-2023-28845 | 1 Nextcloud | 1 Talk | 2023-04-07 | N/A | 3.5 LOW |
| Nextcloud talk is a video & audio conferencing app for Nextcloud. In affected versions the talk app does not properly filter access to a conversations member list. As a result an attacker could use this vulnerability to gain information about the members of a Talk conversation, even if they themselves are not members. It is recommended that the Nextcloud Talk is upgraded to 14.0.9 or 15.0.4. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-28844 | 1 Nextcloud | 1 Nextcloud Server | 2023-04-07 | N/A | 6.5 MEDIUM |
| Nextcloud server is an open source home cloud implementation. In affected versions users that should not be able to download a file can still download an older version and use that for uncontrolled distribution. This issue has been addressed in versions 24.0.10 and 25.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-0744 | 1 Answer | 1 Answer | 2023-04-06 | N/A | 9.8 CRITICAL |
| Improper Access Control in GitHub repository answerdev/answer prior to 1.0.4. | |||||
| CVE-2022-24972 | 1 Tp-link | 2 Tl-wr940n, Tl-wr940n Firmware | 2023-04-05 | N/A | 6.5 MEDIUM |
| This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13911. | |||||
| CVE-2023-22250 | 1 Adobe | 2 Commerce, Magento Open Source | 2023-04-04 | N/A | 5.3 MEDIUM |
| Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-28443 | 1 Monospace | 1 Directus | 2023-03-29 | N/A | 5.5 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3. | |||||
| CVE-2018-4844 | 1 Siemens | 1 Simatic Wincc Oa Ui | 2023-03-24 | 3.8 LOW | 6.7 MEDIUM |
| A vulnerability has been identified in SIMATIC WinCC OA UI for Android (All versions < V3.15.10), SIMATIC WinCC OA UI for iOS (All versions < V3.15.10). Insufficient limitation of CONTROL script capabilities could allow read and write access from one HMI project cache folder to other HMI project cache folders within the app's sandbox on the same mobile device. This includes HMI project cache folders of other configured WinCC OA servers. The security vulnerability could be exploited by an attacker who tricks an app user to connect to an attacker-controlled WinCC OA server. Successful exploitation requires user interaction and read/write access to the app's folder on a mobile device. The vulnerability could allow reading data from and writing data to the app's folder. At the time of advisory publication no public exploitation of this security vulnerability was known. Siemens confirms the security vulnerability and provides mitigations to resolve the security issue. | |||||
| CVE-2018-4845 | 1 Siemens | 6 Rapidlab 1200, Rapidlab 1200 Firmware, Rapidpoint 400 and 3 more | 2023-03-24 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in RAPIDLab 1200 systems / RAPIDPoint 400 systems / RAPIDPoint 500 systems (All versions_without_ use of Siemens Healthineers Informatics products), RAPIDLab 1200 Series (All versions < V3.3 _with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (All versions >= V3.0 _with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (V2.4.X_with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (All versions =< V2.3 _with_ Siemens Healthineers Informatics products), RAPIDPoint 400 systems (All versions _with_ Siemens Healthineers Informatics products). Remote attackers with either local or remote credentialed access to the "Remote View" feature might be able to elevate their privileges, compromising confidentiality, integrity, and availability of the system. No special skills or user interaction are required to perform this attack. At the time of advisory publication, no public exploitation of this security vulnerability is known. Siemens Healthineers confirms the security vulnerability and provides mitigations to resolve the security issue. | |||||
| CVE-2023-21457 | 1 Samsung | 1 Android | 2023-03-24 | N/A | 8.1 HIGH |
| Improper access control vulnerability in Bluetooth prior to SMR Mar-2023 Release 1 allows attackers to send file via Bluetooth without related permission. | |||||
| CVE-2023-27578 | 1 Galaxyproject | 1 Galaxy | 2023-03-23 | N/A | 7.5 HIGH |
| Galaxy is an open-source platform for data analysis. All supported versions of Galaxy are affected prior to 22.01, 22.05, and 23.0 are affected by an insufficient permission check. Unsupported versions are likely affected as far back as the functionality of Visualizations/Pages exists. Due to this issue, an attacker can modify or delete any Galaxy Visualization or Galaxy Page given they know the encoded ID of it. Additionally, they can copy or import any Galaxy Visualization given they know the encoded ID of it. Patches are available for versions 22.01, 22.05, and 23.0. For the changes to take effect, you must restart all Galaxy server processes. There are no supported workarounds. | |||||
| CVE-2023-21463 | 2 Google, Samsung | 2 Android, Myfiles | 2023-03-23 | N/A | 3.3 LOW |
| Improper access control vulnerability in MyFiles application prior to versions 12.2.09.0 in Android 11, 13.1.03.501 in Android 12 and 14.1.03.0 in Android 13 allows local attacker to get sensitive information of secret mode in Samsung Internet application with specific conditions. | |||||
| CVE-2023-21465 | 1 Samsung | 1 Bixbytouch | 2023-03-23 | N/A | 5.5 MEDIUM |
| Improper access control vulnerability in BixbyTouch prior to version 3.2.02.5 in China models allows untrusted applications access local files. | |||||
| CVE-2023-22232 | 1 Adobe | 1 Connect | 2023-03-20 | N/A | 5.3 MEDIUM |
| Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-23911 | 1 Rocket.chat | 1 Rocket.chat | 2023-03-16 | N/A | 7.5 HIGH |
| An improper access control vulnerability exists prior to v6 that could allow an attacker to break the E2E encryption of a chat room by a user changing the group key of a chat room. | |||||
| CVE-2023-26474 | 1 Xwiki | 1 Xwiki | 2023-03-13 | N/A | 8.8 HIGH |
| XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds. | |||||
| CVE-2023-26473 | 1 Xwiki | 1 Xwiki | 2023-03-13 | N/A | 6.5 MEDIUM |
| XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading. | |||||