Total
1466 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26097 | 1 Telindus | 1 Apsal | 2023-05-03 | N/A | 5.5 MEDIUM |
| An issue was discovered in Telindus Apsal 3.14.2022.235 b. Unauthorized actions that could modify the application behaviour may not be blocked. | |||||
| CVE-2023-20950 | 1 Google | 1 Android | 2023-04-27 | N/A | 7.8 HIGH |
| In AlarmManagerActivity of AlarmManagerActivity.java, there is a possible way to bypass background activity launch restrictions via a pendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-195756028 | |||||
| CVE-2023-27525 | 1 Apache | 1 Superset | 2023-04-27 | N/A | 4.3 MEDIUM |
| An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1 | |||||
| CVE-2023-25547 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-04-27 | N/A | 8.8 HIGH |
| A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||||
| CVE-2023-25548 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-04-27 | N/A | 6.5 MEDIUM |
| A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||||
| CVE-2018-12103 | 2 D-link, Dlink | 6 Dir-885\/r, Dir-885l\/r Firmware, Dir-895\/r and 3 more | 2023-04-26 | 3.3 LOW | 6.5 MEDIUM |
| An issue was discovered on D-Link DIR-890L with firmware 1.21B02beta01 and earlier, DIR-885L/R with firmware 1.21B03beta01 and earlier, and DIR-895L/R with firmware 1.21B04beta04 and earlier devices (all hardware revisions). Due to the predictability of the /docs/captcha_(number).jpeg URI, being local to the network, but unauthenticated to the administrator's panel, an attacker can disclose the CAPTCHAs used by the access point and can elect to load the CAPTCHA of their choosing, leading to unauthorized login attempts to the access point. | |||||
| CVE-2005-2136 | 1 Raritan | 10 Dominion Sx16, Dominion Sx16 Firmware, Dominion Sx32 and 7 more | 2023-04-25 | 4.6 MEDIUM | N/A |
| Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, and DSXA-48 set (1) world-readable permissions for /etc/shadow and (2) world-writable permissions for /bin/busybox, which allows local users to obtain hashed passwords or execute arbitrary code as other users. | |||||
| CVE-2023-22620 | 1 Securepoint | 1 Unified Threat Management | 2023-04-21 | N/A | 7.5 HIGH |
| An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface. | |||||
| CVE-2022-43770 | 1 Hitachivantara | 1 Pentaho Business Analytics | 2023-04-20 | N/A | 8.1 HIGH |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. | |||||
| CVE-2021-35112 | 1 Qualcomm | 214 Apq8009w, Apq8009w Firmware, Aqt1000 and 211 more | 2023-04-19 | 7.2 HIGH | 7.8 HIGH |
| A user with user level permission can access graphics protected region due to improper access control in register configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | |||||
| CVE-2023-21715 | 1 Microsoft | 1 365 Apps | 2023-04-17 | N/A | 7.3 HIGH |
| Microsoft Publisher Security Features Bypass Vulnerability | |||||
| CVE-2023-25415 | 1 Aten | 2 Pe8108, Pe8108 Firmware | 2023-04-14 | N/A | 5.3 MEDIUM |
| Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Event Notification configuration. | |||||
| CVE-2023-0319 | 1 Gitlab | 1 Gitlab | 2023-04-12 | N/A | 5.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, allowing to read environment names supposed to be restricted to project memebers only. | |||||
| CVE-2023-1071 | 1 Gitlab | 1 Gitlab | 2023-04-12 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic. | |||||
| CVE-2023-1417 | 1 Gitlab | 1 Gitlab | 2023-04-12 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group. | |||||
| CVE-2023-28634 | 1 Glpi-project | 1 Glpi | 2023-04-12 | N/A | 8.8 HIGH |
| GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue. | |||||
| CVE-2022-22978 | 3 Netapp, Oracle, Vmware | 3 Active Iq Unified Manager, Financial Services Crime And Compliance Management Studio, Spring Security | 2023-04-11 | 7.5 HIGH | 9.8 CRITICAL |
| In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. | |||||
| CVE-2023-23594 | 1 Sato-global | 2 Cl4nx Plus, Cl4nx Plus Firmware | 2023-04-11 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability in the web client interface for the CL4NX printer before firmware version 1.13.3-u724_r2 provides remote unauthenticated attackers with access to execute commands intended only for valid/authenticated users, such as file uploads and configuration changes. | |||||
| CVE-2023-26829 | 1 Gladinet | 1 Centrestack | 2023-04-07 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability in the Password Reset component of Gladinet CentreStack before 13.5.9808 allows remote attackers to set a new password for any valid user account, without needing the previous known password, resulting in a full authentication bypass. | |||||
| CVE-2021-21276 | 1 Polrproject | 1 Polr | 2023-04-06 | 6.4 MEDIUM | 9.3 CRITICAL |
| Polr is an open source URL shortener. in Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php. | |||||