Total: 541 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-31095 | | | 2024-04-01 | N/A | N/A | Authorization Bypass Through User-Controlled Key vulnerability in Ricard Torres Thumbs Rating. This issue affects Thumbs Rating: from n/a through 5.1.0.
CVE-2024-30513 | | | 2024-04-01 | N/A | 6.5 MEDIUM | Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid. This issue affects ProfileGrid: from n/a through 5.7.2.
CVE-2024-30543 | | | 2024-04-01 | N/A | 6.5 MEDIUM | Authorization Bypass Through User-Controlled Key vulnerability in UPQODE Whizz. This issue affects Whizzy: from n/a through 1.1.18.
CVE-2024-29194 | | | 2024-03-25 | N/A | 8.3 HIGH | OneUptime is a solution for monitoring and managing online services. The vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the is_master_admin key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation. This has been patched in 7.0.1815.
CVE-2023-36483 | | | 2024-03-21 | N/A | 6.5 MEDIUM | Authorization bypass can be achieved by session ID prediction in MASmobile Classic Android version 1.16.18 and earlier and MASmobile Classic iOS version 1.7.24 and earlier, which allows remote attackers to retrieve sensitive data including customer data, security system status, and event history.
CVE-2023-6515 | 1 Miateknoloji | 1 Mia-med | 2024-03-21 | N/A | 8.8 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. MİA-MED allows Authentication Abuse. This issue affects MİA-MED: before 1.0.7.
CVE-2023-49298 | 2 Freebsd, Openzfs | 2 Freebsd, Openzfs | 2024-03-18 | N/A | 7.5 HIGH | OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.
CVE-2024-23112 | 1 Fortinet | 2 Fortios, Fortiproxy | 2024-03-15 | N/A | 4.3 MEDIUM | An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiOS version 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.1 through 7.0.13, 6.4.7 through 6.4.14, and FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14 SSL-VPN may allow an authenticated attacker to gain access to another user's bookmark via URL manipulation.
CVE-2024-27302 | | | 2024-03-06 | N/A | 9.1 CRITICAL | go-zero is a web and rpc framework. go-zero allows a user to specify a CORS filter with a configurable allows param, which is an array of domains allowed in the CORS policy. However, `isOriginAllowed` uses `strings.HasSuffix` to check the origin, which leads to a bypass via a malicious domain. This vulnerability is capable of breaking CORS policy and thus allowing any page to make requests and/or retrieve data on behalf of other users. Version 1.4.4 fixes this issue.
CVE-2024-1470 | | | 2024-02-29 | N/A | 7.1 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in NetIQ (OpenText) Client Login Extension on Windows allows Privilege Escalation, Code Injection. This issue only affects NetIQ Client Login Extension: 4.6.
CVE-2024-25983 | | | 2024-02-29 | N/A | 3.5 LOW | Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).
CVE-2023-6724 | 1 Simgesel | 1 Hearing Tracking System | 2024-02-15 | N/A | 8.8 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in Software Engineering Consultancy Machine Equipment Limited Company Hearing Tracking System allows Authentication Abuse. This issue affects Hearing Tracking System: before for IOS 7.0, for Android Latest release 1.0.
CVE-2022-36202 | 1 Doctor's Appointment System Project | 1 Doctor's Appointment System | 2024-02-14 | N/A | 9.8 CRITICAL | Doctor's Appointment System 1.0 is vulnerable to Incorrect Access Control via edoc/patient/settings.php. The settings.php is affected by Broken Access Control (IDOR) via the id= parameter.
CVE-2023-6983 | 1 Josevega | 1 Display Custom Fields In The Frontend - Post And User Profile Fields | 2024-02-13 | N/A | 4.3 MEDIUM | The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.1 via the vg_display_data shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve potentially sensitive post meta.
CVE-2023-47022 | 1 Ncr | 1 Terminal Handler | 2024-02-13 | N/A | 6.5 MEDIUM | Insecure Direct Object Reference in NCR Terminal Handler v.1.5.1 allows an unprivileged user to edit the audit logs for any user and can lead to CSV injection.
CVE-2024-0366 | 1 Squirrly | 1 Starbox | 2024-02-13 | N/A | 4.3 MEDIUM | The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings.
CVE-2024-22305 | 1 Kaliforms | 1 Kali Forms | 2024-02-05 | N/A | 8.1 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in Kali Forms Contact Form builder with drag & drop for WordPress – Kali Forms. This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36.
CVE-2023-7199 | 1 Relevanssi | 1 Relevanssi | 2024-02-03 | N/A | 5.3 MEDIUM | The Relevanssi WordPress plugin before 4.22.0 and Relevanssi Premium WordPress plugin before 2.25.0 allow any unauthenticated user to read draft and private posts via a crafted request.
CVE-2024-23747 | 1 Modernasistemas | 1 Modernanet Hospital Management System 2024 | 2024-02-02 | N/A | 7.5 HIGH | The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system's handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information.
CVE-2022-2808 | 1 Algan | 1 Prens Student Information System | 2024-02-01 | N/A | 8.8 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in Algan Software Prens Student Information System allows Object Relational Mapping Injection. This issue affects Prens Student Information System: before 2.1.11.