Total
2747 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-2784 | 1 Mattermost | 1 Mattermost | 2023-06-23 | N/A | 6.5 MEDIUM |
| Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user send install requests to the Apps. | |||||
| CVE-2022-24768 | 1 Linuxfoundation | 1 Argo-cd | 2023-06-23 | 6.5 MEDIUM | 8.8 HIGH |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. Versions starting with 0.8.0 and 0.5.0 contain limited versions of this issue. To perform exploits, an authorized Argo CD user must have push access to an Application's source git or Helm repository or `sync` and `override` access to an Application. Once a user has that access, different exploitation levels are possible depending on their other RBAC privileges. A patch for this vulnerability has been released in Argo CD versions 2.3.2, 2.2.8, and 2.1.14. Some mitigation measures are available but do not serve as a substitute for upgrading. To avoid privilege escalation, limit who has push access to Application source repositories or `sync` + `override` access to Applications; and limit which repositories are available in projects where users have `update` access to Applications. To avoid unauthorized resource inspection/tampering, limit who has `delete`, `get`, or `action` access to Applications. | |||||
| CVE-2023-35149 | 1 Jenkins | 1 Digital.ai App Management Publisher | 2023-06-23 | N/A | 6.5 MEDIUM |
| A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | |||||
| CVE-2023-2783 | 1 Mattermost | 1 Mattermost | 2023-06-22 | N/A | 4.3 MEDIUM |
| Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps. | |||||
| CVE-2023-21122 | 1 Google | 1 Android | 2023-06-21 | N/A | 7.8 HIGH |
| In various functions of various files, there is a possible way to bypass the DISALLOW_DEBUGGING_FEATURES restriction for tracing due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-270050191 | |||||
| CVE-2023-21123 | 1 Google | 1 Android | 2023-06-21 | N/A | 7.8 HIGH |
| In multiple functions of multiple files, there is a possible way to bypass the DISALLOW_DEBUGGING_FEATURES restriction for tracing due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-270050064 | |||||
| CVE-2023-3230 | 1 Fossbilling | 1 Fossbilling | 2023-06-17 | N/A | 7.5 HIGH |
| Missing Authorization in GitHub repository fossbilling/fossbilling prior to 0.5.0. | |||||
| CVE-2023-34234 | 1 Openzeppelin | 2 Contracts, Contracts Upgradeable | 2023-06-15 | N/A | 5.3 MEDIUM |
| OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround. | |||||
| CVE-2023-33477 | 1 Harmonicinc | 2 Nsg 9000-6g, Nsg 9000-6g Firmware | 2023-06-13 | N/A | 6.5 MEDIUM |
| In Harmonic NSG 9000-6G devices, an authenticated remote user can obtain source code by directly requesting a special path. | |||||
| CVE-2023-33970 | 1 Kanboard | 1 Kanboard | 2023-06-12 | N/A | 6.5 MEDIUM |
| Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a `missing access control` was found, which allows a User with the lowest privileges to leak all the tasks and projects titles within the software, even if they are not invited or it's a personal project. This could also lead to private/critical information being leaked if such information is in the title. This issue has been addressed in version 1.2.30. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-33968 | 1 Kanboard | 1 Kanboard | 2023-06-12 | N/A | 5.4 MEDIUM |
| Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to a missing access control vulnerability that allows a user with low privileges to create or transfer tasks to any project within the software, even if they have not been invited or the project is personal. The vulnerable features are `Duplicate to project` and `Move to project`, which both utilize the `checkDestinationProjectValues()` function to check his values. This issue has been addressed in version 1.2.30. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-39335 | 1 Matrix | 1 Synapse | 2023-06-11 | N/A | 5.0 MEDIUM |
| Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade. | |||||
| CVE-2023-30915 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-06-10 | N/A | 5.5 MEDIUM |
| In email service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
| CVE-2023-30914 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-06-10 | N/A | 5.5 MEDIUM |
| In email service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
| CVE-2023-30866 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-06-10 | N/A | 5.5 MEDIUM |
| In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
| CVE-2023-30865 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-06-10 | N/A | 5.5 MEDIUM |
| In dialer service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
| CVE-2023-30864 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-06-10 | N/A | 7.8 HIGH |
| In Connectivity Service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
| CVE-2023-30863 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-06-10 | N/A | 7.8 HIGH |
| In Connectivity Service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
| CVE-2022-48448 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-06-10 | N/A | 5.5 MEDIUM |
| In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||
| CVE-2022-48447 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-06-10 | N/A | 5.5 MEDIUM |
| In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||