Total
541 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-38872 | 1 Economizzer | 1 Economizzer | 2023-10-03 | N/A | 3.7 LOW |
| An Insecure Direct Object Reference (IDOR) vulnerability in gugoan Economizzer commit 3730880 (April 2023) and v.0.9-beta1 allows any unauthenticated attacker to access cash book entry attachments of any other user, if they know the Id of the attachment. | |||||
| CVE-2023-4934 | 1 Usta | 1 Aybs | 2023-10-02 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Usta AYBS allows Authentication Abuse, Authentication Bypass.This issue affects AYBS: before 1.0.3. | |||||
| CVE-2023-44206 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2023-09-28 | N/A | 9.1 CRITICAL |
| Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979. | |||||
| CVE-2023-44205 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2023-09-28 | N/A | 5.3 MEDIUM |
| Sensitive information disclosure due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979. | |||||
| CVE-2023-42334 | 1 Fl3xx | 2 Crew, Dispatch | 2023-09-22 | N/A | 6.5 MEDIUM |
| An Indirect Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to escalate privileges via the user parameter. | |||||
| CVE-2023-41368 | 1 Sap | 1 S\/4 Hana | 2023-09-14 | N/A | 5.3 MEDIUM |
| The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call. | |||||
| CVE-2023-0882 | 2 Krontech, Microsoft | 2 Single Connect, Windows | 2023-09-03 | N/A | 8.8 HIGH |
| Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Kron Tech Single Connect on Windows allows Privilege Abuse. This issue affects Single Connect: 2.16. | |||||
| CVE-2023-32078 | 1 Gravitl | 1 Netmaker | 2023-08-31 | N/A | 7.5 HIGH |
| Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server. | |||||
| CVE-2019-17382 | 1 Zabbix | 1 Zabbix | 2023-08-22 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. | |||||
| CVE-2023-28481 | 1 Tigergraph | 1 Tigergraph | 2023-08-21 | N/A | 8.8 HIGH |
| An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to SSH authorized keys file. Any code running as the tigergraph user is able to add their SSH public key into the authorised keys file. This allows an attacker to obtain password-less SSH key access by using their own SSH key. | |||||
| CVE-2022-1949 | 3 Fedoraproject, Port389, Redhat | 4 Fedora, 389-ds-base, Directory Server and 1 more | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data. | |||||
| CVE-2022-23856 | 1 Saviynt | 1 Enterprise Identity Cloud | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x. An attacker can enumerate users by changing the id parameter, such as for the ECM/maintenance/forgotpasswordstep1 URI. | |||||
| CVE-2022-34770 | 1 Tabit | 1 Tabit | 2023-08-08 | N/A | 7.5 HIGH |
| Tabit - sensitive information disclosure. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alcohol consumption and smoking habits. Each of the described API’s, has in its URL one or more MongoDB ID which is not so simple to enumerate. However, they each receive a ‘tiny URL’ in Tabit’s domain, in the form of https://tbit.be/{suffix} with suffix being a 5 characters long string containing numbers, lower- and upper-case letters. It is not so simple to enumerate them all, but really easy to find some that work and lead to a personal endpoint. This is both an example of OWASP: API4 - rate limiting and OWASP: API1 - Broken object level authorization. Furthermore, the redirect URL disclosed the MongoDB IDs discussed above, and we could use them to query other endpoints disclosing more personal information. For example: The URL https://tabitisrael.co.il/online-reservations/health-statement?orgId={org_id}&healthStatementId={health_statement_id} is used to invite friends to fill a health statement before attending the restaurant. We can use the health_statement_id to access the https://tgm-api.tabit.cloud/health-statement/{health_statement_id} API which disclose medical information as well as id number. | |||||
| CVE-2021-44949 | 1 Glfusion | 1 Glfusion | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php. | |||||
| CVE-2022-3413 | 1 Gitlab | 1 Gitlab | 2023-08-08 | N/A | 4.3 MEDIUM |
| Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above. | |||||
| CVE-2022-2243 | 1 Gitlab | 1 Gitlab | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked sentry projects. | |||||
| CVE-2022-25336 | 1 Ibexa | 1 Ez Platform Kernel | 2023-08-08 | 4.3 MEDIUM | 5.3 MEDIUM |
| Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced. | |||||
| CVE-2022-22832 | 1 Servisnet | 1 Tessa | 2023-08-08 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Servisnet Tessa 0.0.2. Authorization data is available via an unauthenticated /data-service/users/ request. | |||||
| CVE-2022-34775 | 1 Tabit | 1 Tabit | 2023-08-08 | N/A | 7.5 HIGH |
| Tabit - Excessive data exposure. Another endpoint mapped by the tiny url, was one for reservation cancellation, containing the MongoDB ID of the reservation, and organization. This can be used to query the http://tgm-api.tabit.cloud/rsv/management/{reservationId}?organization={orgId} API which returns a lot of data regarding the reservation (OWASP: API3): Name, mail, phone number, the number of visits of the user to this specific restaurant, the money he spent there, the money he spent on alcohol, whether he left a deposit etc. This information can easily be used for a phishing attack. | |||||
| CVE-2022-22331 | 1 Ibm | 1 Partner Engagement Manager | 2023-08-08 | 5.5 MEDIUM | 7.1 HIGH |
| IBM SterlingPartner Engagement Manager 6.2.0 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR). IBM X-Force ID: 219130. | |||||