Total
1894 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13277 | 2025-01-10 | 9.1 Critical | ||
| Incorrect Authorization vulnerability in Drupal Smart IP Ban allows Forceful Browsing.This issue affects Smart IP Ban: from 7.X-1.0 before 7.X-1.1. | ||||
| CVE-2024-13258 | 2025-01-10 | 9.8 Critical | ||
| Incorrect Authorization vulnerability in Drupal Drupal REST & JSON API Authentication allows Forceful Browsing.This issue affects Drupal REST & JSON API Authentication: from 0.0.0 before 2.0.13. | ||||
| CVE-2024-13257 | 2025-01-10 | 5.3 Medium | ||
| Incorrect Authorization vulnerability in Drupal Commerce View Receipt allows Forceful Browsing.This issue affects Commerce View Receipt: from 0.0.0 before 1.0.3. | ||||
| CVE-2024-13253 | 2025-01-10 | 9.1 Critical | ||
| Incorrect Authorization vulnerability in Drupal Advanced PWA inc Push Notifications allows Forceful Browsing.This issue affects Advanced PWA inc Push Notifications: from 0.0.0 before 1.5.0. | ||||
| CVE-2024-1738 | 1 Lunary | 1 Lunary | 2025-01-10 | 7.5 High |
| An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL query. As a result, attackers can gain access to potentially private data contained within the evaluation results. | ||||
| CVE-2024-1741 | 1 Lunary | 1 Lunary | 2025-01-10 | 9.1 Critical |
| lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on prompt templates by sending HTTP requests with their previously captured authorization token. This issue exposes organizations to unauthorized access and manipulation of sensitive template data. | ||||
| CVE-2024-1740 | 1 Lunary | 1 Lunary | 2025-01-10 | 9.1 Critical |
| In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which does not properly invalidate upon the user's removal from the organization. This allows the removed user to perform unauthorized actions on logs and access project and external user details without valid permissions. | ||||
| CVE-2024-4011 | 1 Gitlab | 1 Gitlab | 2025-01-09 | 3.1 Low |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives. | ||||
| CVE-2023-31250 | 1 Drupal | 1 Drupal | 2025-01-09 | 6.5 Medium |
| The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating. | ||||
| CVE-2023-34218 | 1 Jetbrains | 1 Teamcity | 2025-01-09 | 9.1 Critical |
| In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible | ||||
| CVE-2023-34219 | 1 Jetbrains | 1 Teamcity | 2025-01-09 | 4.3 Medium |
| In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API | ||||
| CVE-2024-13271 | 2025-01-09 | N/A | ||
| Incorrect Authorization vulnerability in Drupal Content Entity Clone allows Forceful Browsing.This issue affects Content Entity Clone: from 0.0.0 before 1.0.4. | ||||
| CVE-2024-13270 | 2025-01-09 | N/A | ||
| Incorrect Authorization vulnerability in Drupal Freelinking allows Forceful Browsing.This issue affects Freelinking: from 0.0.0 before 4.0.1. | ||||
| CVE-2024-7266 | 1 Nask | 1 Ezd Rp | 2025-01-09 | 4.3 Medium |
| Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2. | ||||
| CVE-2023-25749 | 1 Mozilla | 1 Firefox | 2025-01-09 | 4.3 Medium |
| Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so. <br>*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 111. | ||||
| CVE-2024-31990 | 3 Argoproj, Kubernetes, Redhat | 3 Argo Cd, Argo-cd, Openshift Gitops | 2025-01-09 | 4.8 Medium |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16. | ||||
| CVE-2024-8001 | 1 Viwis | 2 Learning Management System, Lms | 2025-01-09 | 5.3 Medium |
| A vulnerability was found in VIWIS LMS 9.11. It has been classified as critical. Affected is an unknown function of the component Print Handler. The manipulation leads to missing authorization. It is possible to launch the attack remotely. A user with the role learner can use the administrative print function with an active session before and after an exam slot to access the entire exam including solutions in the web application. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2025-22449 | 2025-01-09 | 3.8 Low | ||
| Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public. | ||||
| CVE-2022-46308 | 1 Sguda | 2 U-lock, U-lock Firmware | 2025-01-09 | 8.8 High |
| SGUDA U-Lock central lock control service’s user management function has incorrect authorization. A remote attacker with general user privilege can exploit this vulnerability to call privileged APIs to access, modify and delete user information. | ||||
| CVE-2022-46307 | 1 Sguda | 2 U-lock, U-lock Firmware | 2025-01-09 | 8.8 High |
| SGUDA U-Lock central lock control service’s lock management function has incorrect authorization. A remote attacker with general privilege can exploit this vulnerability to call privileged APIs to acquire information, manipulate or disrupt the functionality of arbitrary electronic locks. | ||||