Total
1894 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1625 | 1 Lunary | 1 Lunary | 2025-01-08 | 6.5 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with the target project's ID. This issue affects the project deletion functionality implemented in the projects.delete route. | ||||
| CVE-2024-27915 | 1 Sulu | 1 Sulu | 2025-01-08 | 6.8 Medium |
| Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available. One may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually or avoid installing `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`. | ||||
| CVE-2024-29892 | 1 Zitadel | 1 Zitadel | 2025-01-08 | 6.1 Medium |
| ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17. | ||||
| CVE-2023-28698 | 1 Wddgroup | 1 Fantsy | 2025-01-08 | 9.8 Critical |
| Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service. | ||||
| CVE-2023-3033 | 1 Mobatime | 1 Mobatime Web Application | 2025-01-08 | 6.8 Medium |
| Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22. | ||||
| CVE-2023-3066 | 1 Mobatime | 1 Amxgt 100 | 2025-01-08 | 8.1 High |
| Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administratorsThis issue affects Mobatime mobile application AMXGT100: through 1.3.20. | ||||
| CVE-2023-3027 | 1 Redhat | 2 Acm, Advanced Cluster Management For Kubernetes | 2025-01-08 | 7.8 High |
| The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values (instead of the policy apply a static manifest on a managed cluster) of taking advantage of cluster scoped access in a created policy. This feature does not restrict properly to lookup content from the namespace where the policy was created. | ||||
| CVE-2023-33651 | 1 Sitecore | 4 Experience Commerce, Experience Manager, Experience Platform and 1 more | 2025-01-08 | 7.5 High |
| An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules. | ||||
| CVE-2024-21259 | 1 Oracle | 1 Vm Virtualbox | 2025-01-07 | 7.5 High |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.22 and prior to 7.1.2. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | ||||
| CVE-2023-21670 | 1 Qualcomm | 364 315 5g Iot Modem, 315 5g Iot Modem Firmware, Aqt1000 and 361 more | 2025-01-07 | 7.8 High |
| Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode. | ||||
| CVE-2023-1779 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2025-01-07 | 4.3 Medium |
| Exposure of Sensitive Information to an unauthorized actor vulnerability in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual in versions <=2.13.3 allow an authorized remote attacker with low privileges to view a limited amount of another accounts contact information. | ||||
| CVE-2024-1803 | 1 Wpdeveloper | 1 Embedpress | 2025-01-07 | 4.3 Medium |
| The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of functionality due to insufficient authorization validation on the PDF embed block in all versions up to, and including, 3.9.12. This makes it possible for authenticated attackers, with contributor-level access and above, to embed PDF blocks. | ||||
| CVE-2024-23675 | 1 Splunk | 2 Cloud, Splunk | 2025-01-07 | 6.5 Medium |
| In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). This can potentially result in the deletion of KV Store collections. | ||||
| CVE-2023-32683 | 1 Matrix | 1 Synapse | 2025-01-07 | 3.5 Low |
| Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews. | ||||
| CVE-2023-22833 | 1 Palantir | 1 Foundry | 2025-01-07 | 7.6 High |
| Palantir Foundry deployments running Lime2 versions between 2.519.0 and 2.532.0 were vulnerable a bug that allowed authenticated users within a Foundry organization to bypass discretionary or mandatory access controls under certain circumstances. | ||||
| CVE-2023-34958 | 1 Chamilo | 1 Chamilo Lms | 2025-01-06 | 4.3 Medium |
| Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID. | ||||
| CVE-2023-32749 | 1 Pydio | 1 Cells | 2025-01-06 | 8.8 High |
| Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted. | ||||
| CVE-2023-29752 | 1 Ekatox | 1 Facemoji Emoji Keyboard | 2025-01-06 | 7.8 High |
| An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the component. | ||||
| CVE-2023-29766 | 1 Appcrossx | 1 Crossx | 2025-01-06 | 7.8 High |
| An issue found in CrossX v.1.15.3 for Android allows a local attacker to cause an escalation of Privileges via the database files. | ||||
| CVE-2023-29761 | 1 Urbanandroid | 1 Sleep | 2025-01-06 | 5.5 Medium |
| An issue found in Sleep v.20230303 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files. | ||||