Total: 653 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-44981 | 3 Apache, Debian, Redhat | 4 Zookeeper, Debian Linux, Amq Broker and 1 more | 2024-08-02 | 9.1 Critical |
Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in the SASL authentication ID is listed in the zoo.cfg server list. The instance part in the SASL auth ID is optional, and if it is missing, as in 'eve@EXAMPLE.COM', the authorization check is skipped entirely. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, or 3.7.2, which fix the issue. Alternatively, ensure the ensemble election/quorum communication is protected by a firewall, as this will mitigate the issue. See the documentation for more details on correct cluster administration. | ||||
CVE-2023-44249 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-08-02 | 4.1 Medium |
An authorization bypass through user-controlled key [CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests. | ||||
CVE-2023-40720 | 1 Fortinet | 1 Fortivoice | 2024-08-02 | 6.7 Medium |
An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiVoice Enterprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to read the SIP configuration of other users via crafted HTTP or HTTPS requests. | ||||
CVE-2023-38884 | 1 Os4ed | 1 Opensis | 2024-08-02 | 7.5 High |
An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>' | ||||
CVE-2023-38513 | 1 Meowapps | 1 Photo Engine | 2024-08-02 | 5.4 Medium |
Authorization Bypass Through User-Controlled Key vulnerability in Jordy Meow Photo Engine (Media Organizer & Lightroom). This issue affects Photo Engine (Media Organizer & Lightroom): from n/a through 6.2.5. | ||||
CVE-2023-37871 | 1 Automattic | 1 Woocommerce Gocardless | 2024-08-02 | 8.2 High |
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless. This issue affects GoCardless: from n/a through 2.5.6. | ||||
CVE-2023-37242 | 1 Huawei | 2 Emui, Harmonyos | 2024-08-02 | 9.8 Critical |
Commands from the modem can be intercepted in the atcmdserver module. Attackers may exploit this vulnerability to rewrite the non-volatile random-access memory (NVRAM) or to facilitate the exploitation of other vulnerabilities. | ||||
CVE-2023-36520 | 1 Zackgrossbart | 1 Editorial Calendar | 2024-08-02 | 5.4 Medium |
Authorization Bypass Through User-Controlled Key vulnerability in MarketingFire Editorial Calendar. This issue affects Editorial Calendar: from n/a through 3.7.12. | ||||
CVE-2023-36235 | 1 Webkul | 1 Qloapps | 2024-08-02 | 6.5 Medium |
An issue in Webkul QloApps before v1.6.0 allows an attacker to obtain sensitive information via a user-controlled id_order parameter. | ||||
CVE-2023-35916 | 1 Automattic | 1 Woopayments | 2024-08-02 | 7.5 High |
Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0. | ||||
CVE-2023-35914 | 1 Automattic | 1 Woocommerce Subscriptions | 2024-08-02 | 7.5 High |
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Woo Subscriptions. This issue affects Woo Subscriptions: from n/a through 5.1.2. | ||||
CVE-2023-35876 | 1 Automattic | 1 Woocommerce Square | 2024-08-02 | 8.1 High |
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square. This issue affects WooCommerce Square: from n/a through 3.8.1. | ||||
CVE-2023-33956 | 1 Kanboard | 1 Kanboard | 2024-08-02 | 4.3 Medium |
Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to an Insecure Direct Object Reference (IDOR) vulnerability in one of the application's URL parameters. It enables any user to read files uploaded by any other user, regardless of their privileges or restrictions: by changing the file_id, any user can render any file with an image MIME type that was uploaded under the **/files** directory, regardless of who uploaded it. This vulnerability poses a significant impact and severity to the application's security. By manipulating the URL parameter, an attacker can access sensitive files that should only be available to authorized users, including confidential documents or any other type of file stored within the application. Reading these files can lead to unauthorized disclosure of sensitive information, privacy breaches, intellectual property theft, or exposure of trade secrets, and in turn to legal and regulatory consequences, reputation damage, financial losses, and loss of user trust. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
CVE-2023-34000 | 1 Woocommerce | 1 Stripe Payment Gateway | 2024-08-02 | 7.5 High |
Unauthenticated IDOR vulnerability leading to PII disclosure in the WooCommerce Stripe Payment Gateway plugin, versions <= 7.4.0. | ||||
CVE-2023-33706 | 1 Sysaid | 1 Sysaid | 2024-08-02 | 6.5 Medium |
SysAid before 23.2.15 allows Insecure Direct Object Reference (IDOR) attacks to read ticket data via a modified sid parameter to EmailHtmlSourceIframe.jsp or a modified srID parameter to ShowMessage.jsp. | ||||
CVE-2023-32799 | 1 Woocommerce | 1 Shipping Multiple Addresses | 2024-08-02 | 6.5 Medium |
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses. This issue affects Shipping Multiple Addresses: from n/a through 3.8.3. | ||||
CVE-2023-32747 | 1 Automattic | 1 Woocommerce Bookings | 2024-08-02 | 5.4 Medium |
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings. This issue affects WooCommerce Bookings: from n/a through 1.15.78. | ||||
CVE-2023-32310 | 1 Dataease | 1 Dataease | 2024-08-02 | 8.1 High |
DataEase is an open source data visualization and analysis tool. The DataEase API endpoints for deleting a dashboard and for deleting system messages are vulnerable to insecure direct object references (IDOR). This could let a user delete another user's dashboard or messages, or interfere with the endpoint for marking messages as read. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. | ||||
CVE-2023-31182 | 1 Easytor | 1 Easytor | 2024-08-02 | 8.1 High |
EasyTor Applications may allow authorization bypass via an unspecified method. | ||||
CVE-2023-30550 | 1 Metersphere | 1 Metersphere | 2024-08-02 | 6.8 Medium |
MeterSphere is an open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing, and performance testing. This IDOR vulnerability allows the administrator of one project to modify other projects under the same workspace, so an attacker can obtain operating permissions they were not granted. The issue has been fixed in version 2.9.0. |
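The CVE-2023-44981 entry above describes the authorization step precisely enough to model it: a quorum peer's SASL authentication ID has the Kerberos shape primary[/instance]@REALM, and ZooKeeper (with quorum.auth.enableSasl=true) accepts the peer only if the instance part names a host in the zoo.cfg server list, except that a missing instance part skipped the check. The following is an added example written for this page, not ZooKeeper's own code: a Python model of the vulnerable check beside a fail-closed one. The zoo.cfg fragment and hostnames are constructed, and how the patched releases implement the rejection is not shown on this page, so the fail-closed branch is this model's own.

```python
"""Model of the CVE-2023-44981 quorum authorization check (added example,
not ZooKeeper's source). A SASL authentication ID looks like
primary[/instance]@REALM; the instance part is matched against the hosts
listed as server.N=host:peerPort:electionPort in zoo.cfg."""
import re
from typing import Dict, Optional, Tuple

# Constructed zoo.cfg fragment; the hostnames are illustrative.
ZOO_CFG = """\
tickTime=2000
quorum.auth.enableSasl=true
server.1=zoo1.example.com:2888:3888
server.2=zoo2.example.com:2888:3888
server.3=zoo3.example.com:2888:3888
"""

# server.N=host:port:port, optionally followed by ;clientPort (ignored here).
_SERVER_RE = re.compile(r"^server\.(\d+)=([^:;]+):\d+:\d+")


def parse_server_list(cfg: str) -> Dict[str, int]:
    """Return {hostname: server id} for every server.N line in zoo.cfg."""
    hosts: Dict[str, int] = {}
    for line in cfg.splitlines():
        m = _SERVER_RE.match(line.strip())
        if m:
            hosts[m.group(2)] = int(m.group(1))
    return hosts


def parse_auth_id(auth_id: str) -> Tuple[str, Optional[str], str]:
    """Split primary[/instance]@REALM. The instance is None when absent,
    which is exactly the case the vulnerable check failed to handle."""
    if "@" not in auth_id:
        raise ValueError(f"no realm in SASL authentication ID: {auth_id!r}")
    principal, realm = auth_id.rsplit("@", 1)
    primary, sep, instance = principal.partition("/")
    if not primary or not realm:
        raise ValueError(f"malformed SASL authentication ID: {auth_id!r}")
    return primary, (instance if sep else None), realm


def authorize_vulnerable(auth_id: str, hosts: Dict[str, int]) -> bool:
    """Pre-fix behaviour: a principal with no instance part is never checked,
    so 'eve@EXAMPLE.COM' is admitted to the quorum."""
    _, instance, _ = parse_auth_id(auth_id)
    if instance is None:
        return True  # authorization silently skipped: the bug
    return instance in hosts


def authorize_fixed(auth_id: str, hosts: Dict[str, int]) -> bool:
    """Fail closed: a missing instance, or one not in the server list, is
    rejected. (Model's own branch; the upstream patch is not on this page.)"""
    _, instance, _ = parse_auth_id(auth_id)
    return instance is not None and instance in hosts


if __name__ == "__main__":
    ensemble = parse_server_list(ZOO_CFG)
    for peer in ("zookeeper/zoo2.example.com@EXAMPLE.COM",
                 "zookeeper/rogue.example.com@EXAMPLE.COM",
                 "eve@EXAMPLE.COM"):
        print(f"{peer:45} vulnerable={authorize_vulnerable(peer, ensemble)} "
              f"fixed={authorize_fixed(peer, ensemble)}")
```

The design point is that an optional component of an identity must never be allowed to short-circuit an authorization decision: when the attribute the policy keys on is absent, the correct outcome is denial, not a skipped check. The same "absent attribute means allow" shape is worth grepping for in any custom SASL, mTLS or JWT-claim authorization code.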
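Most of the remaining entries (Kanboard's file_id, SysAid's sid and srID, QloApps' id_order, the DataEase delete endpoints, the WooCommerce plugins) share one shape: a record is fetched or deleted by a key the client supplies, and nothing ties that key to the caller. The following is an added example, not code from Kanboard or any project listed above, showing the vulnerable lookup next to a lookup scoped by the caller's membership. The SQLite schema (files owned by projects, users who are project members) is constructed for the illustration and is not any product's real schema.

```python
"""Added example: a user-controlled key (file_id) looked up with and without
an ownership scope. The schema is constructed for this illustration."""
import sqlite3
from typing import Optional, Tuple


def build_db() -> sqlite3.Connection:
    """In-memory database with two projects; user 100 and 101 belong to
    project 10, user 102 to project 20. File 2 is the one an attacker in
    project 10 should never see."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE files (
            id INTEGER PRIMARY KEY, project_id INTEGER,
            name TEXT, mime TEXT, path TEXT);
        CREATE TABLE project_members (project_id INTEGER, user_id INTEGER);
        INSERT INTO files VALUES (1, 10, 'roadmap.png', 'image/png', '/files/1');
        INSERT INTO files VALUES (2, 20, 'payroll.png', 'image/png', '/files/2');
        INSERT INTO project_members VALUES (10, 100), (10, 101), (20, 102);
    """)
    return conn


def get_file_vulnerable(conn: sqlite3.Connection, user_id: int,
                        file_id: int) -> Optional[Tuple[int, str, str]]:
    """IDOR: the query is keyed only by the client-supplied id; user_id is
    accepted but never used, so any authenticated user can walk all ids."""
    return conn.execute(
        "SELECT id, name, path FROM files WHERE id = ?", (file_id,)
    ).fetchone()


def get_file_fixed(conn: sqlite3.Connection, user_id: int,
                   file_id: int) -> Optional[Tuple[int, str, str]]:
    """The lookup itself carries the authorization: the row is only returned
    if the caller is a member of the project that owns the file. There is no
    separate 'fetch then check' step that a later code path could forget."""
    return conn.execute(
        """
        SELECT f.id, f.name, f.path
        FROM files f
        JOIN project_members pm ON pm.project_id = f.project_id
        WHERE f.id = ? AND pm.user_id = ?
        """,
        (file_id, user_id),
    ).fetchone()


def handle_file_request(conn: sqlite3.Connection, user_id: int,
                        file_id_param: str) -> Tuple[int, str]:
    """Hypothetical request handler built on the scoped lookup. Returns
    (status, body). Unauthorized and nonexistent ids both get 404 so the
    endpoint does not act as an existence oracle for other users' files."""
    try:
        file_id = int(file_id_param)
    except ValueError:
        return 400, "bad file id"
    row = get_file_fixed(conn, user_id, file_id)
    if row is None:
        return 404, "not found"
    return 200, row[2]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, user 100 asks for file 2:", get_file_vulnerable(db, 100, 2))
    print("fixed,      user 100 asks for file 2:", get_file_fixed(db, 100, 2))
    print("handler,    user 100 asks for file 1:", handle_file_request(db, 100, "1"))
```

Scoping the query by the caller rather than checking after the fetch is the habit that prevents the whole CWE-639 class; it also makes the check easy to audit, because every data-access path either joins against the caller's permissions or is visibly missing that join.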
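The openSIS entry (CVE-2023-38884) exposes student files at '/assets/studentfiles/<studentId>-<filename>' with no authentication at all, which makes exploitation a matter of counting through student IDs, and that is also what makes it visible in web server logs. The following is an added detection example, not part of the page or of openSIS: it parses Combined Log Format lines and flags any client that requests a run of mostly consecutive IDs on that path. The log lines, client addresses and IDs are constructed for the example.

```python
"""Added example: flag ID enumeration against a keyed path in web access
logs. Sample lines are constructed; the path pattern is the openSIS one."""
import re
from collections import defaultdict
from typing import Dict, Iterator, Set, Tuple

# Constructed Combined Log Format lines. 10.0.0.7 walks consecutive student
# IDs (one 404 where no file exists); 192.168.1.20 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [02/Aug/2024:10:00:01 +0000] "GET /assets/studentfiles/1041-transcript.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Aug/2024:10:00:02 +0000] "GET /assets/studentfiles/1042-transcript.pdf HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Aug/2024:10:00:02 +0000] "GET /assets/studentfiles/1043-transcript.pdf HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Aug/2024:10:00:03 +0000] "GET /assets/studentfiles/1044-transcript.pdf HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Aug/2024:10:00:03 +0000] "GET /assets/studentfiles/1045-transcript.pdf HTTP/1.1" 200 5110 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Aug/2024:10:00:04 +0000] "GET /assets/studentfiles/1046-transcript.pdf HTTP/1.1" 200 5077 "-" "Mozilla/5.0"
192.168.1.20 - - [02/Aug/2024:10:05:00 +0000] "GET /assets/studentfiles/2210-report.pdf HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
192.168.1.20 - - [02/Aug/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# client, request path and status from a Combined Log Format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')
# The openSIS path from CVE-2023-38884; the leading number is the student ID.
KEYED_PATH_RE = re.compile(r"^/assets/studentfiles/(\d+)-[^/?]+$")


def extract_keyed_requests(log_text: str) -> Iterator[Tuple[str, int, int]]:
    """Yield (client, student_id, status) for each request to the keyed path."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        k = KEYED_PATH_RE.match(path)
        if k:
            yield client, int(k.group(1)), status


def find_enumerators(log_text: str, min_distinct: int = 5,
                     max_gap: int = 1) -> Dict[str, Tuple[int, int, int]]:
    """Flag clients that fetch at least min_distinct distinct IDs whose sorted
    values are mostly within max_gap of each other. 404s are kept on purpose:
    probing IDs that do not exist is part of the enumeration, not noise.
    Returns {client: (distinct_ids, lowest_id, highest_id)}."""
    ids_by_client: Dict[str, Set[int]] = defaultdict(set)
    for client, sid, _status in extract_keyed_requests(log_text):
        ids_by_client[client].add(sid)
    flagged: Dict[str, Tuple[int, int, int]] = {}
    for client, ids in ids_by_client.items():
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        close_pairs = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= max_gap)
        if close_pairs >= min_distinct - 1:
            flagged[client] = (len(ids), ordered[0], ordered[-1])
    return flagged


if __name__ == "__main__":
    for client, (n, lo, hi) in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {n} distinct student IDs, range {lo}-{hi}")
```

The thresholds are deliberately low for the constructed sample; on a real deployment tune min_distinct to the normal number of files one person legitimately opens, and consider keying on session or user rather than client address where the endpoint is authenticated. Consecutive-ID runs are the strongest signal for numeric keys; for random or UUID keys this heuristic does not apply and a per-client distinct-key count is the fallback.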