Total: 3285 CVE

CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-30918 | 2: Google, Unisoc | 14: Android, S8000, Sc7731e and 11 more | 2024-08-02 | 5.5 Medium | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
CVE-2023-30935 | 2: Google, Unisoc | 14: Android, S8000, Sc7731e and 11 more | 2024-08-02 | 5.5 Medium | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
CVE-2023-30863 | 2: Google, Unisoc | 14: Android, S8000, Sc7731e and 11 more | 2024-08-02 | 7.8 High | In Connectivity Service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
CVE-2023-30866 | 2: Google, Unisoc | 14: Android, S8000, Sc7731e and 11 more | 2024-08-02 | 5.5 Medium | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
CVE-2023-30864 | 2: Google, Unisoc | 14: Android, S8000, Sc7731e and 11 more | 2024-08-02 | 7.8 High | In Connectivity Service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
CVE-2023-30518 | 1: Jenkins | 1: Thycotic Secret Server | 2024-08-02 | 4.3 Medium | A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-30526 | 1: Jenkins | 1: Report Portal | 2024-08-02 | 6.5 Medium | A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.
CVE-2023-30522 | 1: Jenkins | 1: Fogbugz | 2024-08-02 | 4.3 Medium | A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter.
CVE-2023-30586 | 1: Nodejs | 1: Node.js | 2024-08-02 | 7.5 High | A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2023-30521 | 1: Jenkins | 1: Assembla Merge Request Builder | 2024-08-02 | 5.3 Medium | A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
CVE-2023-30519 | 1: Jenkins | 1: Quay.io Trigger | 2024-08-02 | 5.3 Medium | A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
CVE-2023-30532 | 1: Jenkins | 1: Turboscript | 2024-08-02 | 6.5 Medium | A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.
CVE-2023-30480 | | | 2024-08-02 | 4.3 Medium | Missing Authorization vulnerability in Sparkle WP Educenter. This issue affects Educenter: from n/a through 1.5.5.
CVE-2023-30195 | 1: Lineagrafica | 1: Lgdetailedorder | 2024-08-02 | 7.5 High | In the module "Detailed Order" (lgdetailedorder) in versions up to 1.1.20 from Linea Grafica for PrestaShop, a guest can download personal information without restriction, formatted in JSON.
CVE-2023-29529 | 1: Matrix | 1: Javascript Sdk | 2024-08-02 | 5 Medium | matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.
CVE-2023-29174 | | | 2024-08-02 | 6.5 Medium | Missing Authorization vulnerability in NervyThemes SKU Label Changer For WooCommerce. This issue affects SKU Label Changer For WooCommerce: from n/a through 3.0.
CVE-2023-28675 | 1: Jenkins | 1: Octoperf Load Testing | 2024-08-02 | 4.3 Medium | A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.
CVE-2023-28673 | 1: Jenkins | 1: Octoperf Load Testing | 2024-08-02 | 4.3 Medium | A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-28672 | 1: Jenkins | 1: Octoperf Load Testing | 2024-08-02 | 6.5 Medium | Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-28623 | 1: Zulip | 1: Zulip | 2024-08-02 | 6.5 Medium | Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that (1) `ZulipLDAPAuthBackend` and an external authentication backend (any aside from `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and (2) the organization permissions don't require invitations to join, an attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having the `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue.