Total
690 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-5948 | 1 Teamamaze | 1 Amaze File Utilities | 2024-09-05 | 5.5 Medium |
| Improper Authorization in GitHub repository teamamaze/amazefileutilities prior to 1.91. | ||||
| CVE-2024-20497 | 2024-09-05 | 4.3 Medium | ||
| A vulnerability in Cisco Expressway Edge (Expressway-E) could allow an authenticated, remote attacker to masquerade as another user on an affected system. This vulnerability is due to inadequate authorization checks for Mobile and Remote Access (MRA) users. An attacker could exploit this vulnerability by running a series of crafted commands. A successful exploit could allow the attacker to intercept calls that are destined for a particular phone number or to make phone calls and have that phone number appear on the caller ID. To successfully exploit this vulnerability, the attacker must be an MRA user on an affected system. | ||||
| CVE-2023-47109 | 1 Prestashop | 1 Customer Reassurance Block | 2024-09-04 | 5.5 Medium |
| PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. This issue has been patched in version 5.1.4. | ||||
| CVE-2024-7851 | 2 Oretnom23, Sourcecodester | 2 Yoga Class Registration System, Yoga Class Registration System | 2024-09-03 | 6.3 Medium |
| A vulnerability has been found in SourceCodester Yoga Class Registration System 1.0 and classified as critical. This vulnerability affects unknown code of the file /classes/Users.php?f=save of the component Add User Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-36108 | 2024-09-03 | 9.8 Critical | ||
| casgate is an Open Source Identity and Access Management system. In affected versions `casgate` allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has been addressed in PR #201 which is pending merge. An attacker could use `id` parameter of GET requests with value `anonymous/ anonymous` to bypass authorization on certain API endpoints. Successful exploitation of the vulnerability could lead to account takeover, privilege escalation or provide attacker with credential to other services. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-34463 | 1 Bpl | 1 Pws-01-bt | 2024-09-03 | 5.1 Medium |
| BPL Personal Weighing Scale PWS-01BT IND/09/18/599 devices send sensitive information in unencrypted BLE packets. (The packet data also lacks authentication and integrity protection.) | ||||
| CVE-2023-36633 | 1 Fortinet | 1 Fortimail | 2024-08-30 | 5.3 Medium |
| An improper authorization vulnerability [CWE-285] in FortiMail webmail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPs requests. | ||||
| CVE-2023-32662 | 1 Intel | 1 Battery Life Diagnostic Tool | 2024-08-30 | 6.7 Medium |
| Improper authorization in some Intel Battery Life Diagnostic Tool installation software before version 2.2.1 may allow a privilaged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2024-28285 | 2024-08-29 | 9.8 Critical | ||
| A Fault Injection vulnerability in the SymmetricDecrypt function in cryptopp/elgamal.h of Cryptopp Crypto++ 8.9, allows an attacker to co-reside in the same system with a victim process to disclose information and escalate privileges. | ||||
| CVE-2022-47553 | 1 Ormazabal | 4 Ekorccp, Ekorccp Firmware, Ekorrci and 1 more | 2024-08-29 | 8.6 High |
| Incorrect authorisation in ekorCCP and ekorRCI, which could allow a remote attacker to obtain resources with sensitive information for the organisation, without being authenticated within the web server. | ||||
| CVE-2024-3959 | 1 Gitlab | 1 Gitlab | 2024-08-29 | 6.5 Medium |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts can be accessed by any user. | ||||
| CVE-2023-30954 | 1 Palantir | 1 Video-application-server | 2024-08-29 | 2.7 Low |
| The Gotham video-application-server service contained a race condition which would cause it to not apply certain acls new videos if the source system had not yet initialized. | ||||
| CVE-2023-48309 | 1 Nextauth.js | 1 Next-auth | 2024-08-29 | 5.3 Medium |
| NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication. | ||||
| CVE-2024-7578 | 1 Alientechnology | 2 Alr-f800, Alr-f800 Firmware | 2024-08-28 | 7.3 High |
| A vulnerability was found in Alien Technology ALR-F800 up to 19.10.24.00. It has been classified as critical. Affected is an unknown function of the file /var/www/cmd.php. The manipulation of the argument cmd leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-5808 | 2 Hitachi, Microsoft | 2 Vantara Hitachi Network Attached Storage, Windows | 2024-08-28 | 7.6 High |
| SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in a Storage administrative role are able to access HNAS configuration backup and diagnostic data, that would normally be barred to that specific administrative role. | ||||
| CVE-2024-0077 | 2024-08-27 | 7.8 High | ||
| NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, where it allows a guest OS to allocate resources for which the guest OS is not authorized. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2024-2557 | 2024-08-27 | 5.3 Medium | ||
| A vulnerability was found in kishor-23 Food Waste Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/admin.php. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257056. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-4962 | 1 Apolloconfig | 1 Apollo | 2024-08-26 | 4.3 Medium |
| A vulnerability was found in Apollo 2.0.0/2.0.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /users of the component Configuration Center. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. VDB-250430 is the identifier assigned to this vulnerability. NOTE: The maintainer explains that user data information like user id, name, and email are not sensitive. | ||||
| CVE-2023-35022 | 1 Ibm | 1 Infosphere Information Server | 2024-08-24 | 3.3 Low |
| IBM InfoSphere Information Server 11.7 could allow a local user to update projects that they do not have the authorization to access. IBM X-Force ID: 258254. | ||||
| CVE-2024-42490 | 2024-08-23 | 7.5 High | ||
| authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs/<uuid>/view_certificate/, /api/v3/crypto/certificatekeypairs/<uuid>/view_private_key/, and /api/v3/.../used_by/. Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable. authentik 2024.4.4, 2024.6.4 and 2024.8.0 fix this issue. | ||||