Total
2747 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-28623 | 1 Zulip | 1 Zulip | 2023-05-26 | N/A | 3.7 LOW |
| Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and 2: The organization permissions don't require invitations to join. An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue. | |||||
| CVE-2019-14786 | 1 Rankmath | 1 Seo | 2023-05-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users to reset the settings via the wp-admin/admin-post.php reset-cmb parameter. | |||||
| CVE-2020-11514 | 1 Rankmath | 1 Seo | 2023-05-26 | 7.5 HIGH | 9.8 CRITICAL |
| The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint. | |||||
| CVE-2023-20726 | 5 Google, Linuxfoundation, Mediatek and 2 more | 63 Android, Yocto, Mt2731 and 60 more | 2023-05-24 | N/A | 3.3 LOW |
| In mnld, there is a possible leak of GPS location due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07735968 / ALPS07884552 (For MT6880, MT6890, MT6980, MT6980D and MT6990 only); Issue ID: ALPS07735968 / ALPS07884552 (For MT6880, MT6890, MT6980, MT6980D and MT6990 only). | |||||
| CVE-2020-3524 | 1 Cisco | 26 4221 Integrated Services Router, 4331 Integrated Services Router, 4431 Integrated Services Router and 23 more | 2023-05-22 | 6.9 MEDIUM | 6.8 MEDIUM |
| A vulnerability in the Cisco IOS XE ROM Monitor (ROMMON) Software for Cisco 4000 Series Integrated Services Routers, Cisco ASR 920 Series Aggregation Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, and Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, physical attacker to break the chain of trust and load a compromised software image on an affected device. The vulnerability is due to the presence of a debugging configuration option in the affected software. An attacker could exploit this vulnerability by connecting to an affected device through the console, forcing the device into ROMMON mode, and writing a malicious pattern using that specific option on the device. A successful exploit could allow the attacker to break the chain of trust and load a compromised software image on the affected device. A compromised software image is any software image that has not been digitally signed by Cisco. | |||||
| CVE-2021-44857 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead. | |||||
| CVE-2023-22813 | 1 Westerndigital | 4 My Cloud, My Cloud Home, My Cloud Os 5 and 1 more | 2023-05-16 | N/A | 4.3 MEDIUM |
| A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126. | |||||
| CVE-2017-7548 | 2 Debian, Postgresql | 2 Debian Linux, Postgresql | 2023-05-16 | 4.0 MEDIUM | 7.5 HIGH |
| PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents of the object, resulting in a denial of service. | |||||
| CVE-2021-3653 | 3 Debian, Linux, Redhat | 3 Debian Linux, Linux Kernel, Enterprise Linux | 2023-05-16 | 6.1 MEDIUM | 8.8 HIGH |
| A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "int_ctl" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7. | |||||
| CVE-2023-32112 | 1 Sap | 2 S4core, Vendor Master Hierarchy | 2023-05-15 | N/A | 5.5 MEDIUM |
| Vendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APPL 616, SAP_APPL 617, SAP_APPL 618, S4CORE 100, does not perform necessary authorization checks for an authenticated user to access some of its function. This could lead to modification of data impacting the integrity of the system. | |||||
| CVE-2022-48388 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-05-15 | N/A | 7.8 HIGH |
| In powerEx service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
| CVE-2022-44433 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-05-15 | N/A | 7.8 HIGH |
| In phoneEx service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
| CVE-2022-48384 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-05-12 | N/A | 7.8 HIGH |
| In srtd service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
| CVE-2022-47490 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-05-12 | N/A | 5.5 MEDIUM |
| In soter service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||
| CVE-2022-47492 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-05-12 | N/A | 5.5 MEDIUM |
| In soter service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||
| CVE-2022-47493 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-05-12 | N/A | 5.5 MEDIUM |
| In soter service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||
| CVE-2022-38685 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-05-12 | N/A | 5.5 MEDIUM |
| In bluetooth service, there is a possible missing permission check. This could lead to local denial of service in bluetooth service with no additional execution privileges needed. | |||||
| CVE-2022-48375 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-05-12 | N/A | 5.5 MEDIUM |
| In contacts service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||
| CVE-2022-48377 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-05-12 | N/A | 5.5 MEDIUM |
| In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||
| CVE-2022-48376 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-05-12 | N/A | 5.5 MEDIUM |
| In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||