Total
541 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36966 | 1 Solarwinds | 1 Orion Platform | 2023-08-03 | N/A | 5.4 MEDIUM |
| Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous. | |||||
| CVE-2023-2713 | 1 Rental Module Project | 1 Rental Module | 2023-08-02 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass.This issue affects Rental Module: before 23.05.15. | |||||
| CVE-2023-3048 | 1 Tmtmakine | 2 Lockcell, Lockcell Firmware | 2023-08-02 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in TMT Lockcell allows Authentication Abuse, Authentication Bypass.This issue affects Lockcell: before 15. | |||||
| CVE-2023-3700 | 1 Easyappointments | 1 Easyappointments | 2023-08-02 | N/A | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | |||||
| CVE-2023-2958 | 1 Orjinyazilim | 1 Ats Pro | 2023-07-31 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass.This issue affects ATS Pro: before 20230714. | |||||
| CVE-2022-4811 | 1 Usememos | 1 Memos | 2023-07-21 | N/A | 5.4 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in usememos usememos/memos.This issue affects usememos/memos before 0.9.1. | |||||
| CVE-2023-2190 | 1 Gitlab | 1 Gitlab | 2023-07-20 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public. | |||||
| CVE-2022-0442 | 1 Ayecode | 1 Userswp | 2023-07-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar. | |||||
| CVE-2023-37242 | 1 Huawei | 2 Emui, Harmonyos | 2023-07-12 | N/A | 9.8 CRITICAL |
| Vulnerability of commands from the modem being intercepted in the atcmdserver module. Attackers may exploit this vulnerability to rewrite the non-volatile random-access memory (NVRAM), or facilitate the exploitation of other vulnerabilities. | |||||
| CVE-2022-4505 | 1 Open-emr | 1 Openemr | 2023-07-11 | N/A | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.2. | |||||
| CVE-2022-42175 | 1 Soluslabs | 1 Solusvm | 2023-07-10 | N/A | 8.8 HIGH |
| Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker to change the password and hostname of other customer servers without authorization. | |||||
| CVE-2022-2824 | 1 Open-emr | 1 Openemr | 2023-07-10 | N/A | 5.4 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1. | |||||
| CVE-2023-23679 | 1 Jshelpdesk | 1 Jshelpdesk | 2023-07-05 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in JS Help Desk js-support-ticket allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JS Help Desk: from n/a through 2.7.7. | |||||
| CVE-2022-31131 | 1 Nextcloud | 1 Nextcloud Mail | 2023-06-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/pull/6600) * [HackerOne](https://hackerone.com/reports/1579820) ### For more information If you have any questions or comments about this advisory: * Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions) * Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com) | |||||
| CVE-2022-1810 | 1 Publify Project | 1 Publify | 2023-06-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository publify/publify prior to 9.2.9. | |||||
| CVE-2022-22190 | 1 Juniper | 1 Paragon Active Assurance Control Center | 2023-06-27 | 4.3 MEDIUM | 7.5 HIGH |
| An Improper Access Control vulnerability in the Juniper Networks Paragon Active Assurance Control Center allows an unauthenticated attacker to leverage a crafted URL to generate PDF reports, potentially containing sensitive configuration information. A feature was introduced in version 3.1 of the Paragon Active Assurance Control Center which allows users to selective share account data using a unique identifier. Knowing the proper format of the URL and the identifier of an existing object in an application it is possible to get access to that object without being logged in, even if the object is not shared, resulting in the opportunity for malicious exfiltration of user data. Note that the Paragon Active Assurance Control Center SaaS offering is not affected by this issue. This issue affects Juniper Networks Paragon Active Assurance version 3.1.0. | |||||
| CVE-2022-2312 | 1 Student Result Or Employee Database Project | 1 Student Result Or Employee Database | 2023-06-27 | N/A | 5.4 MEDIUM |
| The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scripting | |||||
| CVE-2022-0732 | 1 1byte | 9 Copy9, Exactspy, Fonetracker and 6 more | 2023-06-27 | 5.0 MEDIUM | 7.5 HIGH |
| The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. | |||||
| CVE-2023-2844 | 1 Fit2cloud | 1 Cloudexplorer Lite | 2023-06-27 | N/A | 4.9 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. | |||||
| CVE-2022-4686 | 1 Usememos | 1 Memos | 2023-06-27 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0. | |||||