Total: 1466 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2008-4577 | 4 Canonical, Dovecot, Fedoraproject and 1 more | 4 Ubuntu Linux, Dovecot, Fedora and 1 more | 2024-01-21 | 6.4 MEDIUM | 7.5 HIGH |
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions. | |||||
CVE-2008-7109 | 1 Kyoceramita | 1 Scanner File Utility | 2024-01-21 | 10.0 HIGH | 9.8 CRITICAL |
The Scanner File Utility (aka listener) in Kyocera Mita (KM) 3.3.0.1 allows remote attackers to bypass authorization and upload arbitrary files to the client system via a modified program that does not prompt the user for a password. | |||||
CVE-2023-52111 | 1 Huawei | 2 Emui, Harmonyos | 2024-01-19 | N/A | 7.5 HIGH |
Authorization vulnerability in the BootLoader module. Successful exploitation of this vulnerability may affect service integrity. | |||||
CVE-2022-0775 | 1 Woocommerce | 1 Woocommerce | 2024-01-19 | N/A | 4.3 MEDIUM |
The WooCommerce WordPress plugin before 6.2.1 does not have a proper authorisation check when deleting reviews, which could allow any authenticated user, such as a subscriber, to delete arbitrary comments. | |||||
CVE-2023-5356 | 1 Gitlab | 1 Gitlab | 2024-01-18 | N/A | 8.8 HIGH |
Incorrect authorization checks in GitLab CE/EE, in all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, and all versions starting from 16.7 before 16.7.2, allow a user to abuse Slack/Mattermost integrations to execute slash commands as another user. | |||||
CVE-2023-40611 | 1 Apache | 1 Airflow | 2024-01-16 | N/A | 4.3 MEDIUM |
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later which has removed the vulnerability. | |||||
CVE-2008-3424 | 2 Condor Project, Fedoraproject | 2 Condor, Fedora | 2024-01-12 | 7.5 HIGH | N/A |
Condor before 7.0.4 does not properly handle wildcards in the ALLOW_WRITE, DENY_WRITE, HOSTALLOW_WRITE, or HOSTDENY_WRITE configuration variables in authorization policy lists, which might allow remote attackers to bypass intended access restrictions. | |||||
CVE-2008-6123 | 4 Net-snmp, Opensuse, Redhat and 1 more | 4 Net-snmp, Opensuse, Enterprise Linux and 1 more | 2024-01-12 | 5.0 MEDIUM | N/A |
The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp 5.0.9 through 5.4.2.1, when using TCP wrappers for client authorization, does not properly parse hosts.allow rules, which allows remote attackers to bypass intended access restrictions and execute SNMP queries, related to "source/destination IP address confusion." | |||||
CVE-2009-0034 | 2 Gratisoft, Vmware | 2 Sudo, Esx | 2024-01-12 | 6.9 MEDIUM | 7.8 HIGH |
parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command. | |||||
CVE-2023-40610 | 1 Apache | 1 Superset | 2024-01-10 | N/A | 8.8 HIGH |
Improper authorization check and possible privilege escalation in Apache Superset up to but excluding 2.1.2. Using the default examples database connection, which allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data in the metadata database. This weakness could result in tampering with the authentication/authorization data. | |||||
CVE-2023-41779 | 1 Zte | 2 Zxcloud Irai, Zxcloud Irai Firmware | 2024-01-09 | N/A | 5.5 MEDIUM |
There is an illegal memory access vulnerability in ZTE's ZXCLOUD iRAI product. When the vulnerability is exploited by an attacker with common user permission, the physical machine crashes. | |||||
CVE-2009-2213 | 1 Citrix | 2 Netscaler Access Gateway, Netscaler Access Gateway Firmware | 2024-01-09 | 6.3 MEDIUM | 6.5 MEDIUM |
The default configuration of the Security global settings on the Citrix NetScaler Access Gateway appliance with Enterprise Edition firmware 9.0, 8.1, and earlier specifies Allow for the Default Authorization Action option, which might allow remote authenticated users to bypass intended access restrictions. | |||||
CVE-2023-52077 | 1 Nexryai | 1 Nexkey | 2024-01-04 | N/A | 9.8 CRITICAL |
Nexkey is a lightweight fork of Misskey v12 optimized for small to medium size servers. Prior to 12.23Q4.5, Nexkey allows external apps using tokens issued by administrators and moderators to call admin APIs. This allows malicious third-party apps to perform operations such as updating server settings, as well as compromise object storage and email server credentials. This issue has been patched in 12.23Q4.5. | |||||
CVE-2023-50732 | 1 Xwiki | 1 Xwiki | 2024-01-04 | N/A | 6.3 MEDIUM |
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1. | |||||
CVE-2023-49949 | 1 Passwork | 1 Passwork | 2024-01-04 | N/A | 8.1 HIGH |
Passwork before 6.2.0 allows remote authenticated users to bypass 2FA by sending all one million of the possible 6-digit codes. | |||||
CVE-2023-5644 | 1 Wpvibes | 1 Wp Mail Log | 2024-01-04 | N/A | 7.6 HIGH |
The WP Mail Log WordPress plugin before 1.1.3 does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users. | |||||
CVE-2023-51649 | 1 Networktocode | 1 Nautobot | 2024-01-03 | N/A | 4.3 MEDIUM |
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0 | |||||
CVE-2022-39337 | 1 Dromara | 1 Hertzbeat | 2024-01-02 | N/A | 7.5 HIGH |
Hertzbeat is an open source, real-time monitoring system that is agentless and Prometheus-like, with custom monitoring and high-performance clustering. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability: system authentication can be bypassed and interfaces invoked without authorization. Version 1.2.1 contains a patch for this issue. | |||||
CVE-2023-6355 | 1 Gallagher | 2 Controller 7000, Controller 7000 Firmware | 2024-01-02 | N/A | 6.8 MEDIUM |
Incorrect selection of fuse values in the Controller 7000 platform allows an attacker to bypass some protection mechanisms to enable local debug. This issue affects: Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507 (MR1)), 8.90 prior to vCR8.90.231204a (distributed in 8.90.1620 (MR2)), 8.80 prior to vCR8.80.231204a (distributed in 8.80.1369 (MR3)), 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)). | |||||
CVE-2020-16904 | 1 Microsoft | 1 Azure Functions | 2023-12-31 | 7.5 HIGH | 5.3 MEDIUM |
An elevation of privilege vulnerability exists in the way Azure Functions validates access keys. An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization. This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions. | |||||
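Worked example for the Dovecot entry above (CVE-2008-4577). The code below is an added illustration, not Dovecot's ACL plugin: it evaluates a small mailbox ACL in which a leading '-' on an identifier marks a negative entry, and contrasts an evaluator that ignores that sign (the behaviour the CVE describes, where a deny becomes a grant) with one that subtracts negative rights after all positive rights have been collected. The entry format, the rights letters and the sample principals are assumptions made for the example.

```python
"""Evaluating a mailbox ACL that contains negative (deny) entries.

Added, illustrative code; it is not Dovecot's ACL plugin. The entry format
is an assumption loosely modelled on an ACL file: one entry per line,
"<identifier> <rights>", identifier being user=<name>, group=<name> or
anyone, and a leading '-' on the identifier marking a negative entry whose
rights must be REMOVED. Rights are single letters (l lookup, r read,
w write, i insert, e expunge).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Principal:
    user: str
    groups: FrozenSet[str]


def _matches(identifier: str, p: Principal) -> bool:
    if identifier == "anyone":
        return True
    kind, _, name = identifier.partition("=")
    if kind == "user":
        return name == p.user
    if kind == "group":
        return name in p.groups
    raise ValueError(f"unknown ACL identifier {identifier!r}")


def parse_acl(text: str) -> List[Tuple[bool, str, Set[str]]]:
    """Return (negative, identifier, rights) per entry; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ident, _, rights = line.partition(" ")
        entries.append((ident.startswith("-"), ident.lstrip("-"), set(rights.strip())))
    return entries


def effective_rights_buggy(entries, p: Principal) -> Set[str]:
    """The flaw in the CVE text: the sign is ignored, so '-user=bob w' GRANTS w."""
    rights: Set[str] = set()
    for _negative, ident, r in entries:
        if _matches(ident, p):
            rights |= r
    return rights


def effective_rights(entries, p: Principal) -> Set[str]:
    """Union the positive entries, then subtract the negative ones, so a deny
    wins regardless of the order in which entries appear in the file."""
    granted: Set[str] = set()
    denied: Set[str] = set()
    for negative, ident, r in entries:
        if _matches(ident, p):
            (denied if negative else granted).update(r)
    return granted - denied


# Constructed sample ACL for a shared mailbox.
SAMPLE_ACL = """\
group=staff lrw      # staff may look up, read and write
-user=bob w          # ...except bob, who must stay read-only
user=bob i           # bob may still insert (copy messages in)
"""
ENTRIES = parse_acl(SAMPLE_ACL)
BOB = Principal("bob", frozenset({"staff"}))
ALICE = Principal("alice", frozenset({"staff"}))
CAROL = Principal("carol", frozenset())

if __name__ == "__main__":
    for who in (BOB, ALICE, CAROL):
        print(who.user,
              "buggy:", sorted(effective_rights_buggy(ENTRIES, who)),
              "fixed:", sorted(effective_rights(ENTRIES, who)))
```

With the buggy evaluator bob ends up with write access that the administrator explicitly removed; the fixed evaluator applies denies last, which is also the only ordering that makes the result independent of how the file is sorted.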
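Worked example for the Apache Airflow entry above (CVE-2023-40611), which describes a notes endpoint that let a user change other DAG run fields. One common way this class of bug arises is a handler that copies every submitted field onto the model rather than only the one field the endpoint exists for. The code below is an added illustration and is not Airflow's code; the DagRun fields, the payload shape and the function names are assumptions chosen to mirror the CVE text.

```python
"""Restricting a 'set note' endpoint to the note field.

Added, illustrative code; not Apache Airflow's. DagRun fields, the payload
shape and the endpoint names are assumptions chosen to mirror the CVE text.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, Optional


@dataclass
class DagRun:
    dag_id: str
    run_id: str
    state: str = "running"
    start_date: datetime = field(
        default_factory=lambda: datetime(2024, 1, 16, tzinfo=timezone.utc))
    conf: Dict[str, Any] = field(default_factory=dict)
    note: Optional[str] = None


class BadRequest(Exception):
    pass


NOTE_MAX_LEN = 1000
ALLOWED_FIELDS = {"note"}


def set_note_vulnerable(run: DagRun, payload: Dict[str, Any]) -> DagRun:
    """Copies every submitted attribute it recognises onto the run, so a
    payload that also carries 'conf', 'state' or 'start_date' rewrites them."""
    for key, value in payload.items():
        if hasattr(run, key):
            setattr(run, key, value)
    return run


def set_note(run: DagRun, payload: Dict[str, Any]) -> DagRun:
    """Allow-list the payload: anything but 'note' is rejected outright rather
    than silently dropped, so tampering attempts show up as 400s in the logs.
    Nothing is written to the run until every check has passed."""
    unexpected = set(payload) - ALLOWED_FIELDS
    if unexpected:
        raise BadRequest(f"fields not accepted here: {sorted(unexpected)}")
    note = payload.get("note")
    if note is not None:
        if not isinstance(note, str):
            raise BadRequest("note must be a string")
        if len(note) > NOTE_MAX_LEN:
            raise BadRequest(f"note longer than {NOTE_MAX_LEN} characters")
    run.note = note
    return run


def rejects(payload: Dict[str, Any]) -> bool:
    """True if the hardened handler refuses the payload."""
    try:
        set_note(DagRun("etl", "manual__1"), dict(payload))
    except BadRequest:
        return True
    return False


# Constructed request bodies: a plausible note, once with smuggled run fields.
BENIGN_PAYLOAD = {"note": "re-ran after the upstream fix"}
TAMPERED_PAYLOAD = {
    "note": "re-ran after the upstream fix",
    "conf": {"target_env": "prod"},
    "state": "success",
}

if __name__ == "__main__":
    run = set_note_vulnerable(DagRun("etl", "manual__1"), dict(TAMPERED_PAYLOAD))
    print("vulnerable handler left run as:", run.state, run.conf)
    print("hardened handler rejects tampered payload:", rejects(TAMPERED_PAYLOAD))
```

Rejecting unknown keys instead of ignoring them is the deliberate choice here: a silently dropped `conf` hides the probe, while a 400 with the offending field names gives the operator something to alert on.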
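Worked example for the Passwork entry above (CVE-2023-49949): a 6-digit code has only one million values, so a verifier that accepts unlimited attempts is defeated by enumeration. The code below is an added illustration, not Passwork's code; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 using only the standard library, while the lockout policy, the per-user state store and the attacker loop are assumptions. Running the same attacker loop against a verifier with no attempt limit shows the enumeration succeeding; with a limit of five failures the account is locked on the fifth guess and even the correct code is refused until the lockout expires.

```python
"""Verifying a 6-digit TOTP code with failed-attempt lockout.

Added, illustrative code; not Passwork's. The TOTP/HOTP arithmetic follows
RFC 4226 / RFC 6238 (stdlib only); the lockout policy, the user/secret
store and the attacker loop are assumptions for the demonstration.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    return hotp(secret, int(now // step))


class TotpVerifier:
    """max_failures=None reproduces the weakness: unlimited guesses, so an
    attacker who submits all 10**6 codes is accepted within the window."""

    def __init__(self, max_failures: Optional[int] = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._state: Dict[str, Tuple[int, float]] = {}  # user -> (failures, locked_until)

    def verify(self, user: str, secret: bytes, code: str, now: float) -> str:
        failures, locked_until = self._state.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"  # refuse without evaluating the code at all
        # Accept the current step and the previous one to tolerate clock drift.
        expected = (totp(secret, now), totp(secret, now - STEP))
        if any(hmac.compare_digest(code, e) for e in expected):
            self._state.pop(user, None)
            return "ok"
        failures += 1
        if self.max_failures is not None and failures >= self.max_failures:
            self._state[user] = (0, now + self.lockout_seconds)
            return "locked"
        self._state[user] = (failures, locked_until)
        return "rejected"


def brute_force(verifier: TotpVerifier, user: str, secret: bytes, now: float,
                limit: int = 10 ** DIGITS):
    """Attacker loop: submit 000000, 000001, ... until accepted or locked.
    Returns (accepted_code_or_None, final_result, attempts_made)."""
    for candidate in range(limit):
        result = verifier.verify(user, secret, f"{candidate:0{DIGITS}d}", now)
        if result != "rejected":
            return (candidate if result == "ok" else None), result, candidate + 1
    return None, "exhausted", limit


# RFC 4226 test secret; constructed scenario at t = 59 s (RFC 6238 vector).
SECRET = b"12345678901234567890"
NOW = 59.0

if __name__ == "__main__":
    _, result, tries = brute_force(TotpVerifier(max_failures=5), "alice", SECRET, NOW)
    print("limited verifier:", result, "after", tries, "guesses")
    code, result, tries = brute_force(TotpVerifier(max_failures=None), "alice", SECRET, NOW)
    print("unlimited verifier:", result, f"{code:06d}", "after", tries, "guesses")
```

The lockout is only one layer; the description says the attacker sent every code, so per-account and per-source rate limiting at the HTTP layer belongs in front of this check as well. Note that the locked branch returns before comparing the code, so a correct guess during the lockout leaks nothing.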
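Worked example for the Nautobot entry above (CVE-2023-51649), where the Job Button view asked only the model-level question ("may this user run Jobs?") and never the object-level one ("may this user run this Job?"). The code below is an added illustration and is not Nautobot's code; the ObjectPermission model is simplified to attribute-equality constraints, and the Job fields, usernames and job names are constructed for the example.

```python
"""Object-level vs model-level permission checks on a 'run job' view.

Added, illustrative code; it is not Nautobot's. ObjectPermission here is a
simplification (constraints are attribute-equality filters) and the Job
fields, usernames and job names are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Job:
    pk: int
    name: str
    grouping: str


@dataclass
class ObjectPermission:
    """Grants `actions` on the objects matching `constraints`;
    empty constraints mean every object of the model."""
    actions: FrozenSet[str]
    constraints: Dict[str, Any] = field(default_factory=dict)

    def allows(self, action: str, obj: Optional[Job] = None) -> bool:
        if action not in self.actions:
            return False
        if obj is None:
            return True  # model-level question: "any object at all?"
        sentinel = object()
        return all(getattr(obj, k, sentinel) == v for k, v in self.constraints.items())


@dataclass
class User:
    username: str
    permissions: List[ObjectPermission]

    def has_perm(self, action: str, obj: Optional[Job] = None) -> bool:
        return any(p.allows(action, obj) for p in self.permissions)


class PermissionDenied(Exception):
    pass


def run_job_button_vulnerable(user: User, job: Job) -> str:
    """Checks only the model-level permission, as the CVE text describes:
    holding 'run' on any one Job is enough to launch every Job."""
    if not user.has_perm("run"):
        raise PermissionDenied(f"{user.username} may not run jobs")
    return f"queued {job.name}"


def run_job_button(user: User, job: Job) -> str:
    """Checks the permission against the specific Job being launched."""
    if not user.has_perm("run", job):
        raise PermissionDenied(f"{user.username} may not run {job.name}")
    return f"queued {job.name}"


def allowed(view, user: User, job: Job) -> bool:
    """True if `view` lets `user` launch `job`."""
    try:
        view(user, job)
    except PermissionDenied:
        return False
    return True


# Constructed data: the operator may run only the export job; the auditor
# holds no job permissions at all.
EXPORT = Job(1, "Export Inventory", "reports")
REBOOT = Job(2, "Bulk Reboot", "maintenance")
OPERATOR = User("operator", [ObjectPermission(frozenset({"run"}), {"name": "Export Inventory"})])
AUDITOR = User("auditor", [])

if __name__ == "__main__":
    for view in (run_job_button_vulnerable, run_job_button):
        print(view.__name__, "lets operator run Bulk Reboot:", allowed(view, OPERATOR, REBOOT))
```

The practical check when reviewing a view is whether every `has_perm` call that guards an action on a specific object actually passes that object (or filters the queryset by the user's constraints); a bare model-level call is correct only for list and create views.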