Search Results (364439 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-3289 1 Easyappointments 1 Easyappointments 2024-11-21 7.7 High
A BOLA vulnerability in POST /services allows a low privileged user to create a service for any user in the system (including admin). This results in unauthorized data manipulation.
CVE-2023-3288 1 Easyappointments 1 Easyappointments 2024-11-21 8.5 High
A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.
CVE-2023-3287 1 Easyappointments 1 Easyappointments 2024-11-21 9.9 Critical
A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.
CVE-2023-3286 1 Easyappointments 1 Easyappointments 2024-11-21 7.7 High
A BOLA vulnerability in POST /secretaries allows a low privileged user to create a low privileged user (secretary) in the system. This results in unauthorized data manipulation.
CVE-2023-3282 2 Linux, Paloaltonetworks 2 Linux Kernel, Cortex Xsoar 2024-11-21 6.4 Medium
A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system enables a local attacker to execute programs with elevated privileges if the attacker has shell access to the engine.
CVE-2023-3280 2 Microsoft, Paloaltonetworks 2 Windows, Cortex Xdr Agent 2024-11-21 5.5 Medium
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to disable the agent.
CVE-2023-3274 1 Supplier Management System Project 1 Supplier Management System 2024-11-21 6.3 Medium
A vulnerability classified as critical has been found in code-projects Supplier Management System 1.0. Affected is an unknown function of the file btn_functions.php of the component Picture Handler. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-231624.
CVE-2023-3270 2 Sick, Sick Ag 3 Icr890-4, Icr890-4 Firmware, Icr890-4 2024-11-21 8.6 High
Exposure of Sensitive Information to an Unauthorized Actor in the SICK ICR890-4 could allow an unauthenticated remote attacker to retrieve sensitive information about the system.
CVE-2023-3267 1 Cyberpower 1 Powerpanel Server 2024-11-21 9.1 Critical
When adding a remote backup location, an authenticated user can pass arbitrary OS commands through the username field. The username is passed without sanitization into CMD running as NT/Authority System. An authenticated attacker can leverage this vulnerability to execute arbitrary code with system-level access to the CyberPower PowerPanel Enterprise server.
CVE-2023-3266 1 Cyberpower 1 Powerpanel Server 2024-11-21 9.8 Critical
A non-feature complete authentication mechanism exists in the production application allowing an attacker to bypass all authentication checks if LDAP authentication is selected.An unauthenticated attacker can leverage this vulnerability to log in to the CypberPower PowerPanel Enterprise as an administrator by selecting LDAP authentication from a hidden HTML combo box. Successful exploitation of this vulnerability also requires the attacker to know at least one username on the device, but any password will authenticate successfully.
CVE-2023-3265 1 Cyberpower 1 Powerpanel Server 2024-11-21 9.8 Critical
An authentication bypass exists on CyberPower PowerPanel Enterprise by failing to sanitize meta-characters from the username, allowing an attacker to login into the application with the default user "cyberpower" by appending a non-printable character.An unauthenticated attacker can leverage this vulnerability to log in to the CypberPower PowerPanel Enterprise as an administrator with hardcoded default credentials.
CVE-2023-3264 2 Cyberpower, Dataprobe 45 Powerpanel Server, Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware and 42 more 2024-11-21 6.7 Medium
The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database. A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records.
CVE-2023-3263 1 Dataprobe 45 Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware, Iboot-pdu4-n20 and 42 more 2024-11-21 7.5 High
The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass in the REST API due to the mishandling of special characters when parsing credentials.Successful exploitation allows the malicious agent to obtain a valid authorization token and read information relating to the state of the relays and power distribution.
CVE-2023-3262 1 Dataprobe 45 Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware, Iboot-pdu4-n20 and 42 more 2024-11-21 6.7 Medium
The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database.A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records.
CVE-2023-3261 2 Cyberpower, Dataprobe 45 Powerpanel Server, Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware and 42 more 2024-11-21 7.5 High
The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier contains a buffer overflow vulnerability in the librta.so.0.0.0 library.Successful exploitation could cause denial of service or unexpected behavior with respect to all interactions relying on the targeted vulnerable binary, including the ability to log in via the web server.
CVE-2023-3260 2 Cyberpower, Dataprobe 45 Powerpanel Server, Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware and 42 more 2024-11-21 7.2 High
The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to command injection via the `user-name` URL parameter. An authenticated malicious agent can exploit this vulnerability to execute arbitrary command on the underlying Linux operating system.
CVE-2023-3259 1 Dataprobe 45 Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware, Iboot-pdu4-n20 and 42 more 2024-11-21 9.8 Critical
The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass. By manipulating the IP address field in the "iBootPduSiteAuth" cookie, a malicious agent can direct the device to connect to a rouge database.Successful exploitation allows the malicious agent to take actions with administrator privileges including, but not limited to, manipulating power levels, modifying user accounts, and exporting confidential user information
CVE-2023-3253 1 Tenable 1 Nessus 2024-11-21 4.3 Medium
An improper authorization vulnerability exists where an authenticated, low privileged remote attacker could view a list of all the users available in the application.
CVE-2023-3252 1 Tenable 1 Nessus 2024-11-21 6.8 Medium
An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges could alter logging variables to overwrite arbitrary files on the remote host with log data, which could lead to a denial of service condition.
CVE-2023-3251 1 Tenable 1 Nessus 2024-11-21 4.1 Medium
A pass-back vulnerability exists where an authenticated, remote attacker with administrator privileges could uncover stored SMTP credentials within the Nessus application.This issue affects Nessus: before 10.6.0.