Total
1375 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-40622 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-09-28 | 9.9 Critical |
| SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, under certain condition allows an authenticated attacker to view sensitive information which is otherwise restricted. On successful exploitation, the attacker can completely compromise the application causing high impact on confidentiality, integrity, and availability. | ||||
| CVE-2023-32114 | 1 Sap | 1 Netweaver | 2024-09-28 | 2.7 Low |
| SAP NetWeaver (Change and Transport System) - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an authenticated user with admin privileges to maliciously run a benchmark program repeatedly in intent to slowdown or make the server unavailable which may lead to a limited impact on Availability with No impact on Confidentiality and Integrity of the application. | ||||
| CVE-2023-5077 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-09-26 | 7.6 High |
| The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0. | ||||
| CVE-2023-32162 | 2 Microsoft, Wacom | 3 Windows, Driver, Drivers For Windows | 2024-09-26 | 7.8 High |
| Wacom Drivers for Windows Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Wacom Drivers for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the WacomInstallI.txt file by the PrefUtil.exe utility. The issue results from incorrect permissions on the WacomInstallI.txt file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-16318. | ||||
| CVE-2023-32005 | 1 Nodejs | 1 Node.js | 2024-09-26 | 5.3 Medium |
| A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | ||||
| CVE-2024-3375 | 1 Havelsan | 1 Dialogue | 2024-09-26 | 9.4 Critical |
| Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Dialogue allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Dialogue: from v1.83 before v1.83.1 or v1.84. | ||||
| CVE-2023-4777 | 1 Qualys | 1 Container Scanning Connector | 2024-09-25 | 3.1 Low |
| An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. | ||||
| CVE-2023-4665 | 1 Saphira | 1 Connect | 2024-09-25 | 8.8 High |
| Incorrect Execution-Assigned Permissions vulnerability in Saphira Saphira Connect allows Privilege Escalation.This issue affects Saphira Connect: before 9. | ||||
| CVE-2023-4565 | 1 Huawei | 2 Emui, Harmonyos | 2024-09-25 | 5.3 Medium |
| Broadcast permission control vulnerability in the framework module. Successful exploitation of this vulnerability may cause the hotspot feature to be unavailable. | ||||
| CVE-2023-41295 | 1 Huawei | 2 Emui, Harmonyos | 2024-09-24 | 5.3 Medium |
| Vulnerability of improper permission management in the displayengine module. Successful exploitation of this vulnerability may cause the screen to turn dim. | ||||
| CVE-2024-30369 | 1 A10networks | 1 Advanced Core Operating System | 2024-09-24 | 7.8 High |
| A10 Thunder ADC Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of A10 Thunder ADC. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the installer. The issue results from incorrect permissions on a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-22754. | ||||
| CVE-2022-43915 | 1 Ibm | 1 App Connect Enterprise Certified Container | 2024-09-21 | 6.8 Medium |
| IBM App Connect Enterprise Certified Container 5.0, 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, and 12.1 does not limit calls to unshare in running Pods. This can allow a user with privileged access to execute commands in a running Pod to elevate their user privileges. | ||||
| CVE-2023-47712 | 1 Ibm | 1 Security Guardium | 2024-09-20 | 7.8 High |
| IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow a local user to gain elevated privileges on the system due to improper permissions control. IBM X-Force ID: 271527. | ||||
| CVE-2023-36465 | 1 Decidim | 1 Decidim | 2024-09-19 | 9.1 Critical |
| Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access to this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. This issue has been patched in version 0.26.8 and 0.27.4. | ||||
| CVE-2023-45364 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-09-19 | 5.3 Medium |
| An issue was discovered in includes/page/Article.php in MediaWiki 1.36.x through 1.39.x before 1.39.5 and 1.40.x before 1.40.1. Deleted revision existence is leaked due to incorrect permissions being checked. This reveals that a given revision ID belonged to the given page title, and its timestamp, both of which are not supposed to be public information. | ||||
| CVE-2023-45369 | 1 Mediawiki | 1 Mediawiki | 2024-09-19 | 4.3 Medium |
| An issue was discovered in the PageTriage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. Usernames of hidden users are exposed. | ||||
| CVE-2024-29964 | 1 Brocade | 1 Sannav | 2024-09-18 | 5.7 Medium |
| Brocade SANnav versions before v2.3.0a do not correctly set permissions on files, including docker files. An unprivileged attacker who gains access to the server can read sensitive information from these files. | ||||
| CVE-2023-40516 | 1 Lg | 1 Simple Editor | 2024-09-18 | N/A |
| LG Simple Editor Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of LG Simple Editor. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The product sets incorrect permissions on folders. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-20327. | ||||
| CVE-2024-45041 | 1 External-secrets | 2 External-secrets, External Secrets Operator | 2024-09-18 | 8.3 High |
| External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2. | ||||
| CVE-2023-3915 | 1 Gitlab | 1 Gitlab | 2024-09-18 | 6.5 Medium |
| An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects. | ||||