Search Results (37178 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-28698 1 Wddgroup 1 Fantsy 2025-01-08 9.8 Critical
Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service.
CVE-2023-3033 1 Mobatime 1 Mobatime Web Application 2025-01-08 6.8 Medium
Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22.
CVE-2023-1297 1 Hashicorp 1 Consul 2025-01-08 4.9 Medium
Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3
CVE-2023-3100 1 Ibos 1 Ibos 2025-01-08 5.5 Medium
A vulnerability, which was classified as critical, has been found in IBOS 4.5.5. Affected by this issue is the function actionDel of the file ?r=dashboard/approval/del. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. VDB-230690 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-3066 1 Mobatime 1 Amxgt 100 2025-01-08 8.1 High
Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administratorsThis issue affects Mobatime mobile application AMXGT100: through 1.3.20.
CVE-2023-3027 1 Redhat 2 Acm, Advanced Cluster Management For Kubernetes 2025-01-08 7.8 High
The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values (instead of the policy apply a static manifest on a managed cluster) of taking advantage of cluster scoped access in a created policy. This feature does not restrict properly to lookup content from the namespace where the policy was created.
CVE-2023-33651 1 Sitecore 4 Experience Commerce, Experience Manager, Experience Platform and 1 more 2025-01-08 7.5 High
An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules.
CVE-2023-47609 1 Oss-calendar 1 Oss Calendar 2025-01-08 8.8 High
SQL injection vulnerability in OSS Calendar versions prior to v.2.0.3 allows a remote authenticated attacker to execute arbitrary code or obtain and/or alter the information stored in the database by sending a specially crafted request.
CVE-2023-46097 1 Siemens 1 Simatic Pcs Neo 2025-01-08 6.3 Medium
A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). The PUD Manager of affected products does not properly neutralize user provided inputs. This could allow an authenticated adjacent attacker to execute SQL statements in the underlying database.
CVE-2023-33477 1 Harmonicinc 2 Nsg 9000-6g, Nsg 9000-6g Firmware 2025-01-08 6.5 Medium
In Harmonic NSG 9000-6G devices, an authenticated remote user can obtain source code by directly requesting a special path.
CVE-2023-30863 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-01-08 7.8 High
In Connectivity Service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
CVE-2023-29632 1 Joommasters 1 Jmspagebuilder 2025-01-08 9.8 Critical
PrestaShop jmspagebuilder 3.x is vulnerable to SQL Injection via ajax_jmspagebuilder.php.
CVE-2022-48448 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-01-08 5.5 Medium
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
CVE-2022-48447 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-01-08 5.5 Medium
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
CVE-2022-48446 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-01-08 5.5 Medium
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
CVE-2022-48392 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-01-08 7.8 High
In dialer service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
CVE-2022-48391 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-01-08 5.5 Medium
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
CVE-2023-33968 1 Kanboard 1 Kanboard 2025-01-08 5.4 Medium
Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to a missing access control vulnerability that allows a user with low privileges to create or transfer tasks to any project within the software, even if they have not been invited or the project is personal. The vulnerable features are `Duplicate to project` and `Move to project`, which both utilize the `checkDestinationProjectValues()` function to check his values. This issue has been addressed in version 1.2.30. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-33970 1 Kanboard 1 Kanboard 2025-01-08 5.4 Medium
Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a `missing access control` was found, which allows a User with the lowest privileges to leak all the tasks and projects titles within the software, even if they are not invited or it's a personal project. This could also lead to private/critical information being leaked if such information is in the title. This issue has been addressed in version 1.2.30. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-30915 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-01-08 5.5 Medium
In email service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.