Total
687 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-20921 | 1 Cisco | 1 Aci Multi-site Orchestrator | 2024-11-01 | 8.8 High |
| A vulnerability in the API implementation of Cisco ACI Multi-Site Orchestrator (MSO) could allow an authenticated, remote attacker to elevate privileges on an affected device. This vulnerability is due to improper authorization on specific APIs. An attacker could exploit this vulnerability by sending crafted HTTP requests. A successful exploit could allow an attacker who is authenticated with non-Administrator privileges to elevate to Administrator privileges on an affected device. | ||||
| CVE-2023-22938 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-30 | 4.3 Medium |
| In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘sendemail’ REST API endpoint lets any authenticated user send an email as the Splunk instance. The endpoint is now restricted to the ‘splunk-system-user’ account on the local instance. | ||||
| CVE-2023-32709 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-30 | 4.3 Medium |
| In Splunk Enterprise versions below 9.0.5, 8.2.11. and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for the Splunk instance by using the ‘rest’ SPL command against the ‘conf-user-seed’ REST endpoint. | ||||
| CVE-2023-22931 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-30 | 4.3 Medium |
| In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default. | ||||
| CVE-2023-32707 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-30 | 8.8 High |
| In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests. | ||||
| CVE-2023-32717 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-30 | 4.3 Medium |
| On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, an unauthorized user can access the {{/services/indexing/preview}} REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. | ||||
| CVE-2023-3574 | 1 Pimcore | 2 Customer-data-framework, Customer Management Framework | 2024-10-30 | 6.5 Medium |
| Improper Authorization in GitHub repository pimcore/customer-data-framework prior to 3.4.1. | ||||
| CVE-2023-20088 | 1 Cisco | 1 Finesse | 2024-10-28 | 5.3 Medium |
| A vulnerability in the nginx configurations that are provided as part of the VPN-less reverse proxy for Cisco Finesse could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition for new and existing users who are connected through a load balancer. This vulnerability is due to improper IP address filtering by the reverse proxy. An attacker could exploit this vulnerability by sending a series of unauthenticated requests to the reverse proxy. A successful exploit could allow the attacker to cause all current traffic and subsequent requests to the reverse proxy through a load balancer to be dropped, resulting in a DoS condition. | ||||
| CVE-2023-38135 | 1 Intel | 1 Performance Maximizer | 2024-10-25 | 6.7 Medium |
| Improper authorization in some Intel(R) PM software may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2023-20182 | 1 Cisco | 1 Dna Center | 2024-10-25 | 5.4 Medium |
| Multiple vulnerabilities in the API of Cisco DNA Center Software could allow an authenticated, remote attacker to read information from a restricted container, enumerate user information, or execute arbitrary commands in a restricted container as the root user. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2023-20183 | 1 Cisco | 1 Dna Center | 2024-10-25 | 5.4 Medium |
| Multiple vulnerabilities in the API of Cisco DNA Center Software could allow an authenticated, remote attacker to read information from a restricted container, enumerate user information, or execute arbitrary commands in a restricted container as the root user. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2023-20184 | 1 Cisco | 1 Dna Center | 2024-10-25 | 5.4 Medium |
| Multiple vulnerabilities in the API of Cisco DNA Center Software could allow an authenticated, remote attacker to read information from a restricted container, enumerate user information, or execute arbitrary commands in a restricted container as the root user. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2023-36611 | 1 Ovarro | 10 Tbox Lt2, Tbox Lt2 Firmware, Tbox Ms-cpu32 and 7 more | 2024-10-25 | 6.5 Medium |
| The affected TBox RTUs allow low privilege users to access software security tokens of higher privilege. This could allow an attacker with “user” privileges to access files requiring higher privileges by establishing an SSH session and providing the other tokens. | ||||
| CVE-2024-9531 | 2024-10-25 | 4.3 Medium | ||
| The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_sent_deactivation_request' function in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send a canned email to the site's administrator asking to delete the profile of an arbitrary vendor. | ||||
| CVE-2023-20186 | 1 Cisco | 2 Ios, Ios Xe | 2024-10-23 | 8 High |
| A vulnerability in the Authentication, Authorization, and Accounting (AAA) feature of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to bypass command authorization and copy files to or from the file system of an affected device using the Secure Copy Protocol (SCP). This vulnerability is due to incorrect processing of SCP commands in AAA command authorization checks. An attacker with valid credentials and level 15 privileges could exploit this vulnerability by using SCP to connect to an affected device from an external machine. A successful exploit could allow the attacker to obtain or change the configuration of the affected device and put files on or retrieve files from the affected device. | ||||
| CVE-2023-52160 | 6 Debian, Fedoraproject, Google and 3 more | 7 Debian Linux, Fedora, Android and 4 more | 2024-10-23 | 6.5 Medium |
| The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks. | ||||
| CVE-2022-38375 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2024-10-23 | 8.6 High |
| An improper authorization vulnerability [CWE-285] in Fortinet FortiNAC version 9.4.0 through 9.4.1 and before 9.2.6 allows an unauthenticated user to perform some administrative operations over the FortiNAC instance via crafted HTTP POST requests. | ||||
| CVE-2023-22636 | 1 Fortinet | 1 Fortiweb | 2024-10-23 | 6.6 Medium |
| An unauthorized configuration download vulnerability in FortiWeb 6.3.6 through 6.3.21, 6.4.0 through 6.4.2 and 7.0.0 through 7.0.4 may allow a local attacker to access confidential configuration files via a crafted http request. | ||||
| CVE-2023-41841 | 1 Fortinet | 1 Fortios | 2024-10-22 | 7.4 High |
| An improper authorization vulnerability in Fortinet FortiOS 7.0.0 - 7.0.11 and 7.2.0 - 7.2.4 allows an attacker belonging to the prof-admin profile to perform elevated actions. | ||||
| CVE-2023-5675 | 1 Redhat | 11 A Mq Clients, Camel Quarkus, Cryostat and 8 more | 2024-10-22 | 6.5 Medium |
| A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties. | ||||