Total
3455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-34267 | 1 Rws | 1 Worldserver | 2024-01-04 | N/A | 9.8 CRITICAL |
| An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint. | |||||
| CVE-2023-31224 | 1 Jamf | 1 Jamf | 2024-01-03 | N/A | 9.8 CRITICAL |
| There is broken access control during authentication in Jamf Pro Server before 10.46.1. | |||||
| CVE-2023-49791 | 1 Nextcloud | 1 Nextcloud Server | 2024-01-03 | N/A | 5.4 MEDIUM |
| Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API bypassing the password confirmation shown in the UI. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available. | |||||
| CVE-2023-6155 | 1 Ays-pro | 1 Quiz Maker | 2024-01-02 | N/A | 5.3 MEDIUM |
| The Quiz Maker WordPress plugin before 6.4.9.5 does not adequately authorize the `ays_quiz_author_user_search` AJAX action, allowing an unauthenticated attacker to perform a search for users of the system, ultimately leaking user email addresses. | |||||
| CVE-2023-6847 | 1 Github | 1 Enterprise Server | 2023-12-29 | N/A | 7.5 HIGH |
| An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request. To exploit this vulnerability, an attacker would need network access to the Enterprise Server appliance configured in Private Mode. This vulnerability affected all versions of GitHub Enterprise Server since 3.9 and was fixed in version 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2023-49790 | 1 Nextcloud | 1 Nextcloud | 2023-12-29 | N/A | 4.3 MEDIUM |
| The Nextcloud iOS Files app allows users of iOS to interact with Nextcloud, a self-hosted productivity platform. Prior to version 4.9.2, the application can be used without providing the 4 digit PIN code. Nextcloud iOS Files app should be upgraded to 4.9.2 to receive the patch. No known workarounds are available. | |||||
| CVE-2021-1725 | 1 Microsoft | 1 Bot Framework Software Development Kit | 2023-12-29 | 2.1 LOW | 5.5 MEDIUM |
| Bot Framework SDK Information Disclosure Vulnerability | |||||
| CVE-2021-36949 | 1 Microsoft | 2 Azure Active Directory Connect, Azure Active Directory Connect Provisioning Agent | 2023-12-28 | 4.9 MEDIUM | 7.1 HIGH |
| Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability | |||||
| CVE-2023-3622 | 1 Solarwinds | 1 Solarwinds Platform | 2023-12-28 | N/A | 4.3 MEDIUM |
| Access Control Bypass Vulnerability in the SolarWinds Platform that allows an underprivileged user to read arbitrary resource | |||||
| CVE-2023-40660 | 2 Opensc Project, Redhat | 2 Opensc, Enterprise Linux | 2023-12-23 | N/A | 6.6 MEDIUM |
| A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness. | |||||
| CVE-2023-6483 | 1 Aditaas | 1 Allied Digital Integrated Tool-as-a-service | 2023-12-22 | N/A | 9.8 CRITICAL |
| The vulnerability exists in ADiTaaS (Allied Digital Integrated Tool-as-a-Service) version 5.1 due to an improper authentication vulnerability in the ADiTaaS backend API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable platform. Successful exploitation of this vulnerability could allow the attacker to gain full access to the customers’ data and completely compromise the targeted platform. | |||||
| CVE-2021-31606 | 1 Openvpn-monitor Project | 1 Openvpn-monitor | 2023-12-22 | 5.0 MEDIUM | 7.5 HIGH |
| furlongm openvpn-monitor through 1.1.3 allows Authorization Bypass to disconnect arbitrary clients. | |||||
| CVE-2023-6768 | 1 Mr-corner | 1 Amazing Little Poll | 2023-12-22 | N/A | 9.8 CRITICAL |
| Authentication bypass vulnerability in Amazing Little Poll affecting versions 1.3 and 1.4. This vulnerability could allow an unauthenticated user to access the admin panel without providing any credentials by simply accessing the "lp_admin.php?adminstep=" parameter. | |||||
| CVE-2022-22935 | 1 Saltstack | 1 Salt | 2023-12-21 | 4.3 MEDIUM | 3.7 LOW |
| An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersonating a master. | |||||
| CVE-2021-25281 | 3 Debian, Fedoraproject, Saltstack | 3 Debian Linux, Fedora, Salt | 2023-12-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. | |||||
| CVE-2022-30150 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2016 and 2 more | 2023-12-20 | 6.0 MEDIUM | 7.5 HIGH |
| Windows Defender Remote Credential Guard Elevation of Privilege Vulnerability | |||||
| CVE-2023-49646 | 1 Zoom | 4 Meeting Software Development Kit, Video Software Development Kit, Virtual Desktop Infrastructure and 1 more | 2023-12-19 | N/A | 6.5 MEDIUM |
| Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access. | |||||
| CVE-2023-44252 | 1 Fortinet | 1 Fortiwan | 2023-12-18 | N/A | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED **An improper authentication vulnerability [CWE-287] in Fortinet FortiWAN version 5.2.0 through 5.2.1 and version 5.1.1 through 5.1.2 may allow an authenticated attacker to escalate his privileges via HTTP or HTTPs requests with crafted JWT token values. | |||||
| CVE-2023-28121 | 1 Automattic | 2 Woocommerce Payments, Woopayments | 2023-12-18 | N/A | 9.8 CRITICAL |
| An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated. | |||||
| CVE-2023-45801 | 1 Nadatel | 36 At-0402e, At-0402e Firmware, At-0402l and 33 more | 2023-12-15 | N/A | 7.5 HIGH |
| Improper Authentication vulnerability in Nadatel DVR allows Information Elicitation.This issue affects DVR: from 3.0.0 before 9.9.0. | |||||