Total
376 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-23117 | 2025-03-05 | N/A | 6.8 MEDIUM | ||
| An Insufficient Firmware Update Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera system. | |||||
| CVE-2023-26114 | 1 Coder | 1 Code-server | 2025-02-25 | N/A | 8.2 HIGH |
| Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance. | |||||
| CVE-2023-5973 | 1 Broadcom | 1 Fabric Operating System | 2025-02-13 | N/A | 4.3 MEDIUM |
| Brocade Web Interface in Brocade Fabric OS v9.x and before v9.2.0 does not properly represent the portName to the user if the portName contains reserved characters. This could allow an authenticated user to alter the UI of the Brocade Switch and change ports display. | |||||
| CVE-2024-25124 | 1 Gofiber | 1 Fiber | 2025-02-05 | N/A | 9.4 CRITICAL |
| Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this. | |||||
| CVE-2023-46715 | 1 Fortinet | 1 Fortios | 2025-01-31 | N/A | 5.0 MEDIUM |
| An origin validation error [CWE-346] vulnerability in Fortinet FortiOS IPSec VPN version 7.4.0 through 7.4.1 and version 7.2.6 and below allows an authenticated IPSec VPN user with dynamic IP addressing to send (but not receive) packets spoofing the IP of another user via crafted network packets. | |||||
| CVE-2023-2445 | 1 Devolutions | 1 Devolutions Server | 2025-01-30 | N/A | 4.9 MEDIUM |
| Improper access control in Subscriptions Folder path filter in Devolutions Server 2023.1.1 and earlier allows attackers with administrator privileges to retrieve usage information on folders in user vaults via a specific folder name. | |||||
| CVE-2023-29868 | 1 Zammad | 1 Zammad | 2025-01-30 | N/A | 6.5 MEDIUM |
| Zammad 5.3.x (Fixed in 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker with agent and customer roles could perform unauthorized changes on articles where they only have customer permissions. | |||||
| CVE-2023-29867 | 1 Zammad | 1 Zammad | 2025-01-30 | N/A | 6.5 MEDIUM |
| Zammad 5.3.x (Fixed 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker could gain information about linked accounts of users involved in their tickets using the Zammad API. | |||||
| CVE-2023-27932 | 2 Apple, Debian | 7 Ipados, Iphone Os, Macos and 4 more | 2025-01-29 | N/A | 5.5 MEDIUM |
| This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, tvOS 16.4, watchOS 9.4. Processing maliciously crafted web content may bypass Same Origin Policy. | |||||
| CVE-2023-27962 | 1 Apple | 1 Macos | 2025-01-29 | N/A | 5.5 MEDIUM |
| A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. An app may be able to modify protected parts of the file system. | |||||
| CVE-2023-27944 | 1 Apple | 1 Macos | 2025-01-29 | N/A | 8.6 HIGH |
| This issue was addressed with a new entitlement. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. An app may be able to break out of its sandbox. | |||||
| CVE-2023-28318 | 1 Rocket.chat | 1 Rocket.chat | 2025-01-28 | N/A | 5.3 MEDIUM |
| A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the Message_KeepHistory or Message_ShowDeletedStatus server configuration. This allows users to bypass the intended message deletion behavior, hiding messages and deletion notices. | |||||
| CVE-2023-23578 | 1 Seiko-sol | 2 Skybridge Mb-a200, Skybridge Mb-a200 Firmware | 2025-01-28 | N/A | 7.5 HIGH |
| Improper access control vulnerability in SkyBridge MB-A200 firmware Ver. 01.00.05 and earlier allows a remote unauthenticated attacker to connect to the product's ADB port. | |||||
| CVE-2024-22062 | 1 Zte | 1 Zxcloud Irai | 2025-01-28 | N/A | 6.3 MEDIUM |
| There is a permissions and access control vulnerability in ZXCLOUD IRAI.An attacker can elevate non-administrator permissions to administrator permissions by modifying the configuration. | |||||
| CVE-2023-32993 | 1 Jenkins | 1 Saml Single Sign On | 2025-01-23 | N/A | 4.8 MEDIUM |
| Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections. | |||||
| CVE-2024-25996 | 1 Phoenixcontact | 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more | 2025-01-23 | N/A | 5.3 MEDIUM |
| An unauthenticated remote attacker can perform a remote code execution due to an origin validation error. The access is limited to the service user. | |||||
| CVE-2024-26135 | 1 Meshcentral | 1 Meshcentral | 2025-01-16 | N/A | 8.3 HIGH |
| MeshCentral is a full computer management web site. Versions prior to 1.1.21 a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosting an attacker-controlled site. The attacker can then originate a cross-site websocket connection using client-side JavaScript code to connect to `control.ashx` as the victim user within MeshCentral. Version 1.1.21 contains a patch for this issue. | |||||
| CVE-2023-23561 | 1 Stormshield | 1 Endpoint Security | 2025-01-14 | N/A | 5.5 MEDIUM |
| Stormshield Endpoint Security 2.3.0 through 2.3.2 has Incorrect Access Control: authenticated users can read sensitive information. | |||||
| CVE-2023-29728 | 1 Applika | 1 Call Blocker | 2025-01-13 | N/A | 9.8 CRITICAL |
| The Call Blocker application 6.6.3 for Android allows attackers to tamper with feature-related data, resulting in a severe elevation of privilege attack. | |||||
| CVE-2023-28349 | 2 Faronics, Microsoft | 2 Insight, Windows | 2025-01-13 | N/A | 8.8 HIGH |
| An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for an attacker to create a crafted program that functions similarly to the Teacher Console. This can compel Student Consoles to connect and put themselves at risk automatically. Connected Student Consoles can be compelled to write arbitrary files to arbitrary locations on disk with NT AUTHORITY/SYSTEM level permissions, enabling remote code execution. | |||||