Total: 3285 CVE

CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2023-28640 | 1 Apiman | 1 Apiman | 2024-08-02 | 6.4 Medium | Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource. While not trivial to exploit, it could be achieved by brute-forcing or guessing common names. Access to the non-permitted API Keys could allow use of other users' resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security). Apiman 3.1.0.Final resolved this issue. Users are advised to upgrade. The only known workaround is to restrict account access. |
CVE-2023-28494 | | | 2024-08-02 | 4.3 Medium | Missing Authorization vulnerability in CodePeople Contact Form Email allows Functionality Misuse. This issue affects Contact Form Email: from n/a through 1.3.31. |
CVE-2023-28492 | | | 2024-08-02 | 4.3 Medium | Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Functionality Misuse. This issue affects CP Multi View Event Calendar: from n/a through 1.4.10. |
CVE-2023-27608 | | | 2024-08-02 | 6.5 Medium | Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce. This issue affects Points and Rewards for WooCommerce: from n/a through 1.5.0. |
CVE-2023-27701 | 1 Muyucms | 1 Muyucms | 2024-08-02 | 8.1 High | MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /database/sqldel.html. |
CVE-2023-27607 | | | 2024-08-02 | 5.4 Medium | Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce. This issue affects Points and Rewards for WooCommerce: from n/a through 1.5.0. |
CVE-2023-27460 | | | 2024-08-02 | 4.3 Medium | Missing Authorization vulnerability in CodePeople, paypaldev CP Contact Form with Paypal allows Functionality Misuse. This issue affects CP Contact Form with Paypal: from n/a through 1.3.34. |
CVE-2023-27437 | | | 2024-08-02 | 3.7 Low | Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf allows Functionality Misuse. This issue affects Event Espresso 4 Decaf: from n/a through 4.10.44.Decaf. |
CVE-2023-27309 | 1 Siemens | 1 Ruggedcom Crossbow | 2024-08-02 | 5 Medium | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.2). The client query handler of the affected application fails to check for proper permissions for specific write queries. This could allow an authenticated remote attacker to perform unauthorized actions. |
CVE-2023-27462 | 1 Siemens | 1 Ruggedcom Crossbow | 2024-08-02 | 3.1 Low | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.3). The client query handler of the affected application fails to check for proper permissions for specific read queries. This could allow authenticated remote attackers to access data they are not authorized for. |
CVE-2023-27263 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium | A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of. |
CVE-2023-27310 | 1 Siemens | 1 Ruggedcom Crossbow | 2024-08-02 | 6.6 Medium | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.2). The client query handler of the affected application fails to check for proper permissions when assigning groups to user accounts. This could allow an authenticated remote attacker to assign administrative groups to otherwise non-privileged user accounts. |
CVE-2023-27264 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 7.1 High | A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API. |
CVE-2023-26957 | 1 Onekeyadmin | 1 Onekeyadmin | 2024-08-02 | 9.1 Critical | onekeyadmin v1.3.9 was discovered to contain an arbitrary file delete vulnerability via the component \admin\controller\plugins. |
CVE-2023-26523 | 1 Codepeople | 1 Calculated Fields Form | 2024-08-02 | 4.3 Medium | Missing Authorization vulnerability in CodePeople Calculated Fields Form allows Functionality Misuse. This issue affects Calculated Fields Form: from n/a through 1.1.120. |
CVE-2023-26521 | | | 2024-08-02 | 4.3 Medium | Missing Authorization vulnerability in CodePeople Search in Place allows Functionality Misuse. This issue affects Search in Place: from n/a through 1.0.104. |
CVE-2023-26510 | 1 Ghost | 1 Ghost | 2024-08-02 | 5.7 Medium | Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no security impact. |
CVE-2023-26301 | 1 Hp | 38 Color Laserjet Pro 4201-4203 4ra87f, Color Laserjet Pro 4201-4203 4ra87f Firmware, Color Laserjet Pro 4201-4203 4ra88f and 35 more | 2024-08-02 | 9.8 Critical | Certain HP LaserJet Pro print products are potentially vulnerable to an Elevation of Privilege and/or Information Disclosure related to a lack of authentication with certain endpoints. |
CVE-2023-26035 | 1 Zoneminder | 1 Zoneminder | 2024-08-02 | 7.2 High | ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There is no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in versions 1.36.33 and 1.37.33. |
CVE-2023-25768 | 1 Jenkins | 1 Azure Credentials | 2024-08-02 | 6.5 Medium | A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server. |