Total
4572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-35937 | 1 Metersphere | 1 Metersphere | 2023-07-12 | N/A | 8.8 HIGH |
| Metersphere is an open source continuous testing platform. In versions prior to 2.10.2 LTS, some key APIs in Metersphere lack permission checks. This allows ordinary users to execute APIs that can only be executed by space administrators or project administrators. For example, ordinary users can be updated as space administrators. Version 2.10.2 LTS has a patch for this issue. | |||||
| CVE-2023-36624 | 1 Loxone | 2 Miniserver Go Gen 2, Miniserver Go Gen 2 Firmware | 2023-07-12 | N/A | 7.8 HIGH |
| Loxone Miniserver Go Gen.2 through 14.0.3.28 allows an authenticated operating system user to escalate privileges via the Sudo configuration. This allows the elevated execution of binaries without a password requirement. | |||||
| CVE-2022-39222 | 1 Linuxfoundation | 1 Dex | 2023-07-11 | N/A | 6.5 MEDIUM |
| Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex instances with public clients (and by extension, clients accepting tokens issued by those Dex instances) are affected by this vulnerability if they are running a version prior to 2.35.0. An attacker can exploit this vulnerability by making a victim navigate to a malicious website and guiding them through the OIDC flow, stealing the OAuth authorization code in the process. The authorization code then can be exchanged by the attacker for a token, gaining access to applications accepting that token. Version 2.35.0 has introduced a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2023-35940 | 1 Glpi-project | 1 Glpi | 2023-07-11 | N/A | 7.5 HIGH |
| GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue. | |||||
| CVE-2023-36815 | 1 Sealos | 1 Sealos | 2023-07-10 | N/A | 8.1 HIGH |
| Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account `sealos[.] io/v1/Payment`, resulting in the ability to recharge any amount of 1 renminbi (RMB). The charging interface may expose resource information. The namespace of this custom resource would be user's control and may have permission to correct it. It is not clear whether a fix exists. | |||||
| CVE-2023-36144 | 1 Intelbras | 2 Sg 2404 Mr, Sg 2404 Mr Firmware | 2023-07-10 | N/A | 7.5 HIGH |
| An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration. | |||||
| CVE-2023-20772 | 2 Google, Mediatek | 34 Android, Mt6580, Mt6735 and 31 more | 2023-07-10 | N/A | 6.7 MEDIUM |
| In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07441796; Issue ID: ALPS07441796. | |||||
| CVE-2023-20773 | 2 Google, Mediatek | 34 Android, Mt6580, Mt6735 and 31 more | 2023-07-10 | N/A | 7.8 HIGH |
| In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07611449; Issue ID: ALPS07441735. | |||||
| CVE-2022-46158 | 1 Prestashop | 1 Prestashop | 2023-07-07 | N/A | 4.3 MEDIUM |
| PrestaShop is an open-source e-commerce solution. Versions prior to 1.7.8.8 did not properly restrict host filesystem access for users. Users may have been able to view the contents of the upload directory without appropriate permissions. This issue has been addressed and users are advised to upgrade to version 1.7.8.8. There are no known workarounds for this issue. | |||||
| CVE-2023-36607 | 1 Ovarro | 10 Tbox Lt2, Tbox Lt2 Firmware, Tbox Ms-cpu32 and 7 more | 2023-07-07 | N/A | 5.3 MEDIUM |
| The affected TBox RTUs are missing authorization for running some API commands. An attacker running these commands could reveal sensitive information such as software versions and web server file contents. | |||||
| CVE-2023-36000 | 2 Apple, Proofpoint | 2 Macos, Insider Threat Management Server | 2023-07-06 | N/A | 6.5 MEDIUM |
| A missing authorization check in the MacOS agent configuration endpoint of the Insider Threat Management Server enables an anonymous attacker on an adjacent network to obtain sensitive information. Successful exploitation requires an attacker to first obtain a valid agent authentication token. All versions before 7.14.3 are affected. | |||||
| CVE-2023-36002 | 1 Proofpoint | 1 Insider Threat Management Server | 2023-07-06 | N/A | 4.3 MEDIUM |
| A missing authorization check in multiple URL validation endpoints of the Insider Threat Management Server enables an anonymous attacker on an adjacent network to smuggle content via DNS lookups. All versions before 7.14.3 are affected. | |||||
| CVE-2023-35998 | 1 Proofpoint | 1 Insider Threat Management Server | 2023-07-06 | N/A | 4.6 MEDIUM |
| A missing authorization check in multiple SOAP endpoints of the Insider Threat Management Server enables an attacker on an adjacent network to read and write unauthorized objects. Successful exploitation requires an attacker to first obtain a valid agent authentication token. All versions before 7.14.3 are affected. | |||||
| CVE-2022-4366 | 1 Daloradius | 1 Daloradius | 2023-07-06 | N/A | 7.5 HIGH |
| Missing Authorization in GitHub repository lirantal/daloradius prior to master branch. | |||||
| CVE-2023-21185 | 1 Google | 1 Android | 2023-07-05 | N/A | 7.8 HIGH |
| In multiple functions of WifiNetworkFactory.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-266700762 | |||||
| CVE-2023-34463 | 1 Dataease | 1 Dataease | 2023-07-05 | N/A | 8.1 HIGH |
| DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions Unauthorized users can delete an application erroneously. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-35164 | 1 Dataease | 1 Dataease | 2023-07-05 | N/A | 6.5 MEDIUM |
| DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-36348 | 1 Codekop | 1 Codekop | 2023-07-04 | N/A | 8.8 HIGH |
| POS Codekop v2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the filename parameter. | |||||
| CVE-2022-2377 | 1 Wpwax | 1 Directorist | 2023-06-30 | N/A | 4.3 MEDIUM |
| The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog | |||||
| CVE-2023-21177 | 1 Google | 1 Android | 2023-06-30 | N/A | 5.5 MEDIUM |
| In requestAppKeyboardShortcuts of WindowManagerService.java, there is a possible way to infer the app a user is interacting with due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-273906410 | |||||