Total
1587 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-4997 | 1 Prointegra | 1 Uptimedc | 2024-09-19 | 8.8 High |
| Improper authorisation of regular users in ProIntegra Uptime DC software (versions below 2.0.0.33940) allows them to change passwords of all other users including administrators leading to a privilege escalation. | ||||
| CVE-2024-47160 | 2024-09-19 | 4.3 Medium | ||
| In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible | ||||
| CVE-2024-47159 | 2024-09-19 | 4.3 Medium | ||
| In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project | ||||
| CVE-2023-44860 | 1 Netis-systems | 2 N3m, N3m Firmware | 2024-09-19 | 7.5 High |
| An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker to cause a denial of service via the authorization component in the HTTP request. | ||||
| CVE-2023-23476 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation For Cloud Pak | 2024-09-19 | 3.1 Low |
| IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes. IBM X-Force ID: 245425. | ||||
| CVE-2023-1832 | 2 Candlepinproject, Redhat | 2 Candlepin, Satellite | 2024-09-19 | 6.8 Medium |
| An improper access control flaw was found in Candlepin. An attacker can create data scoped under another customer/tenant, which can result in loss of confidentiality and availability for the affected customer/tenant. | ||||
| CVE-2024-4465 | 1 Nozominetworks | 2 Cmc, Guardian | 2024-09-18 | 6 Medium |
| An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited Denial of Service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server. | ||||
| CVE-2023-42124 | 1 Avast | 1 Premium Security | 2024-09-18 | N/A |
| Avast Premium Security Sandbox Protection Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Premium Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of the sandbox feature. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code outside the sandbox at medium integrity. . Was ZDI-CAN-20178. | ||||
| CVE-2023-35653 | 1 Google | 1 Android | 2024-09-18 | 4.4 Medium |
| In TBD of TBD, there is a possible way to access location information due to a permissions bypass. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2023-5521 | 2 Kernelsu, Tiann | 2 Kernelsu, Kernelsu | 2024-09-18 | 9.8 Critical |
| Incorrect Authorization in GitHub repository tiann/kernelsu prior to v0.6.9. | ||||
| CVE-2023-40829 | 1 Tencent | 1 Enterprise Wechat Privatization | 2024-09-18 | 7.5 High |
| There is an interface unauthorized access vulnerability in the background of Tencent Enterprise Wechat Privatization 2.5.x and 2.6.930000. | ||||
| CVE-2023-5356 | 1 Gitlab | 1 Gitlab | 2024-09-18 | 7.3 High |
| Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user. | ||||
| CVE-2024-8601 | 2 Techexcel, Techexcel Inc. | 2 Back Office Software, Back Office | 2024-09-17 | 6.5 Medium |
| This vulnerability exists in TechExcel Back Office Software versions prior to 1.0.0 due to improper access controls on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter through API request URL which could lead to unauthorized access to sensitive information belonging to other users. | ||||
| CVE-2023-43119 | 1 Extremenetworks | 1 Exos | 2024-09-17 | 9.8 Critical |
| An Access Control issue discovered in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, also fixed in 22.7, 31.7.2 allows attackers to gain escalated privileges using crafted telnet commands via Redis server. | ||||
| CVE-2024-6323 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 7.5 High |
| Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project. | ||||
| CVE-2024-4006 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 4.3 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions | ||||
| CVE-2024-1299 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 6.5 Medium |
| A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with owner privileges. | ||||
| CVE-2024-5816 | 1 Github | 1 Enterprise Server | 2024-09-17 | 5.3 Medium |
| An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2024-5817 | 1 Github | 1 Enterprise Server | 2024-09-17 | 6.5 Medium |
| An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed read access to issue content via GitHub Projects. This was only exploitable in internal repositories and required the attacker to have access to the corresponding project board. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2023-28635 | 1 Vantage6 | 1 Vantage6 | 2024-09-17 | 5.4 Medium |
| vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowed to run an algorithm. There may also be other places in the code where such a mixup of resource ID or name leads to issues. Version 4.0.0 contains a patch for this issue. The best solution is to check when resources are created or modified, that the resource name always starts with a character. | ||||