Total: 543 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-44249 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-02-05 | N/A | 6.5 MEDIUM | An authorization bypass through user-controlled key [CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests. |
CVE-2023-3601 | 1 Webfactoryltd | 1 Simple Author Box | 2024-02-05 | N/A | 4.3 MEDIUM | The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor. |
CVE-2023-28481 | 1 Tigergraph | 1 Tigergraph | 2024-02-05 | N/A | 8.8 HIGH | An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to the SSH authorized keys file. Any code running as the tigergraph user is able to add its SSH public key to the authorized keys file. This allows an attacker to obtain password-less SSH key access by using their own SSH key. |
CVE-2023-2958 | 1 Orjinyazilim | 1 Ats Pro | 2024-02-05 | N/A | 9.8 CRITICAL | Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass. This issue affects ATS Pro: before 20230714. |
CVE-2023-37543 | 1 Cacti | 1 Cacti | 2024-02-05 | N/A | 7.5 HIGH | Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723. |
CVE-2023-2190 | 1 Gitlab | 1 Gitlab | 2024-02-05 | N/A | 6.5 MEDIUM | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, and all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public. |
CVE-2023-38257 | 1 Iagona | 1 Scrutisweb | 2024-02-05 | N/A | 7.5 HIGH | Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to an insecure direct object reference vulnerability that could allow an unauthenticated user to view profile information, including user login names and encrypted passwords. |
CVE-2023-2260 | 1 Alf | 1 Alf | 2024-02-04 | N/A | 8.8 HIGH | Authorization Bypass Through User-Controlled Key in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. |
CVE-2023-1911 | 1 Creativethemes | 1 Blocksy Companion | 2024-02-04 | N/A | 4.3 MEDIUM | The Blocksy Companion WordPress plugin before 1.8.82 does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated user, such as a subscriber, to access draft posts, for example. |
CVE-2023-2883 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2024-02-04 | N/A | 8.8 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in CBOT Chatbot allows Authentication Abuse, Authentication Bypass. This issue affects Chatbot: before Core v4.0.3.4 and Panel v4.0.3.7. |
CVE-2021-33223 | 1 Seeddms | 1 Seeddms | 2024-02-04 | N/A | 8.8 HIGH | An issue discovered in SeedDMS 6.0.15 allows an attacker to escalate privileges via the userid and role parameters in the out.UsrMgr.php file. |
CVE-2023-2276 | 1 Wclovers | 1 Wcfm Membership | 2024-02-04 | N/A | 9.8 CRITICAL | The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. |
CVE-2023-3066 | 1 Mobatime | 1 Amxgt 100 | 2024-02-04 | N/A | 8.1 HIGH | Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administrators. This issue affects Mobatime mobile application AMXGT100: through 1.3.20. |
CVE-2023-37242 | 1 Huawei | 2 Emui, Harmonyos | 2024-02-04 | N/A | 9.8 CRITICAL | Vulnerability of commands from the modem being intercepted in the atcmdserver module. Attackers may exploit this vulnerability to rewrite the non-volatile random-access memory (NVRAM), or facilitate the exploitation of other vulnerabilities. |
CVE-2023-3133 | 1 Themeum | 1 Tutor Lms | 2024-02-04 | N/A | 7.5 HIGH | The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available. |
CVE-2023-3105 | 1 Learndash | 1 Learndash | 2024-02-04 | N/A | 8.8 HIGH | The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with existing account access at any level to change user passwords and potentially take over administrator accounts. |
CVE-2023-1129 | 1 Wp Fevents Book Project | 1 Wp Fevents Book | 2024-02-04 | N/A | 6.5 MEDIUM | The WP FEvents Book WordPress plugin through 0.46 does not ensure that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel bookings on behalf of other users. |
CVE-2023-2702 | 1 Finexmedia | 1 Competition Management System | 2024-02-04 | N/A | 8.8 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass. This issue affects Competition Management System: before 23.07. |
CVE-2023-0688 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2024-02-04 | N/A | 6.5 MEDIUM | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_thankyou' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above, to obtain sensitive information about form submissions, including payment status and transaction ID. |
CVE-2018-17449 | 1 Gitlab | 1 Gitlab | 2024-02-04 | N/A | 7.5 HIGH | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Remote attackers could obtain sensitive information about issues, comments, and project titles via an events API insecure direct object reference. |