Total
541 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40579 | 1 Online Enrollment Management System Project | 1 Online Enrollment Management System | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| https://www.sourcecodester.com/ Online Enrollment Management System in PHP and PayPal Free Source Code 1.0 is affected by: Incorrect Access Control. The impact is: gain privileges (remote). | |||||
| CVE-2021-24562 | 1 Lifterlms | 1 Lifterlms | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.2 was affected by an IDOR issue, allowing students to see other student answers and grades | |||||
| CVE-2021-21022 | 1 Magento | 1 Magento | 2023-11-07 | 4.3 MEDIUM | 5.3 MEDIUM |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources. | |||||
| CVE-2021-21012 | 1 Adobe | 2 Magento Commerce, Magento Open Source | 2023-11-07 | 4.3 MEDIUM | 5.3 MEDIUM |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2020-8154 | 1 Nextcloud | 1 Nextcloud Server | 2023-11-07 | 6.8 MEDIUM | 7.7 HIGH |
| An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint. | |||||
| CVE-2020-26068 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2023-11-07 | 5.5 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users. | |||||
| CVE-2020-13923 | 1 Apache | 1 Ofbiz | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04 | |||||
| CVE-2020-10130 | 1 Searchblox | 1 Searchblox | 2023-11-07 | N/A | 8.8 HIGH |
| SearchBlox before Version 9.1 is vulnerable to business logic bypass where the user is able to create multiple super admin users in the system. | |||||
| CVE-2019-16723 | 1 Cacti | 1 Cacti | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. | |||||
| CVE-2023-46478 | 1 Minical | 1 Minical | 2023-11-06 | N/A | 8.8 HIGH |
| An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter. | |||||
| CVE-2023-44154 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2023-10-26 | N/A | 8.1 HIGH |
| Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979. | |||||
| CVE-2022-39018 | 1 M-files | 1 Hubshare | 2023-10-25 | N/A | 7.5 HIGH |
| Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL. | |||||
| CVE-2019-16546 | 1 Jenkins | 1 Google Compute Engine | 2023-10-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. | |||||
| CVE-2023-45393 | 1 Grandingteco | 1 Utime Master | 2023-10-20 | N/A | 6.5 MEDIUM |
| An indirect object reference (IDOR) in GRANDING UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to access sensitive information via a crafted cookie. | |||||
| CVE-2023-42455 | 1 Wazuh | 2 Wazuh-dashboard, Wazuh-kibana-app | 2023-10-13 | N/A | 8.8 HIGH |
| Wazuh is a security detection, visibility, and compliance open source project. In versions 4.4.0 and 4.4.1, it is possible to get the Wazuh API administrator key used by the Dashboard using the browser development tools. This allows a logged user to the dashboard to become administrator of the API, even if their dashboard role is not. Version 4.4.2 contains a fix. There are no known workarounds. | |||||
| CVE-2023-26237 | 1 Watchguard | 8 Edr, Edr Firmware, Epdr and 5 more | 2023-10-11 | N/A | 6.7 MEDIUM |
| An issue was discovered in WatchGuard EPDR 8.0.21.0002. It is possible to bypass the defensive capabilities by adding a registry key as SYSTEM. | |||||
| CVE-2023-4101 | 1 Qsige | 1 Qsige | 2023-10-10 | N/A | 6.5 MEDIUM |
| The QSige login SSO does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. | |||||
| CVE-2023-2544 | 1 Upv | 1 Peix | 2023-10-05 | N/A | 6.5 MEDIUM |
| Authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users. | |||||
| CVE-2023-4099 | 1 Qsige | 1 Qsige | 2023-10-04 | N/A | 6.5 MEDIUM |
| The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. | |||||
| CVE-2023-32669 | 1 Buddyboss | 1 Buddyboss | 2023-10-04 | N/A | 5.4 MEDIUM |
| Authorization bypass vulnerability in BuddyBoss 2.2.9 version, the exploitation of which could allow an authenticated user to access and rename other users' albums. This vulnerability can be exploited by changing the album identification (id). | |||||