Total
1599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5521 | 1 Kernelsu | 1 Kernelsu | 2023-10-13 | N/A | 9.8 CRITICAL |
| Incorrect Authorization in GitHub repository tiann/kernelsu prior to v0.6.9. | |||||
| CVE-2023-30995 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2023-10-10 | N/A | 7.5 HIGH |
| IBM Aspera Faspex 4.0 through 4.4.2 and 5.0 through 5.0.5 could allow a malicious actor to bypass IP whitelist restrictions using a specially crafted HTTP request. IBM X-Force ID: 254268. | |||||
| CVE-2022-48538 | 1 Cacti | 1 Cacti | 2023-08-28 | N/A | 5.3 MEDIUM |
| In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password. | |||||
| CVE-2023-25647 | 1 Zte | 8 Axon 30, Axon 30 Firmware, Axon 40 Pro and 5 more | 2023-08-24 | N/A | 3.3 LOW |
| There is a permission and access control vulnerability in some ZTE mobile phones. Due to improper access control, applications in mobile phone could monitor the touch event. | |||||
| CVE-2023-40168 | 1 Turbowarp | 1 Turbowarp Desktop | 2023-08-24 | N/A | 6.5 MEDIUM |
| TurboWarp is a desktop application that compiles scratch projects to JavaScript. TurboWarp Desktop versions prior to version 1.8.0 allowed a malicious project or custom extension to read arbitrary files from disk and upload them to a remote server. The only required user interaction is opening the sb3 file or loading the extension. The web version of TurboWarp is not affected. This bug has been addressed in commit `55e07e99b59` after an initial fix which was reverted. Users are advised to upgrade to version 1.8.0 or later. Users unable to upgrade should avoid opening sb3 files or loading extensions from untrusted sources. | |||||
| CVE-2022-43515 | 1 Zabbix | 1 Frontend | 2023-08-22 | N/A | 9.8 CRITICAL |
| Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range. | |||||
| CVE-2023-32748 | 1 Mitel | 1 Mivoice Connect | 2023-08-22 | N/A | 9.8 CRITICAL |
| The Linux DVS server component of Mitel MiVoice Connect through 19.3 SP2 (22.24.1500.0) could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control. | |||||
| CVE-2023-39384 | 1 Huawei | 2 Emui, Harmonyos | 2023-08-17 | N/A | 7.5 HIGH |
| Vulnerability of incomplete permission verification in the input method module. Successful exploitation of this vulnerability may cause features to perform abnormally. | |||||
| CVE-2023-39965 | 1 1panel | 1 1panel | 2023-08-16 | N/A | 4.3 MEDIUM |
| 1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, authenticated attackers can download arbitrary files through the API interface. This code has unauthorized access. Attackers can freely download the file content on the target system. This may cause a large amount of information leakage. Version 1.5.0 has a patch for this issue. | |||||
| CVE-2023-33468 | 1 Kramerav | 4 Via Connect2, Via Connect2 Firmware, Via Go2 and 1 more | 2023-08-16 | N/A | 9.1 CRITICAL |
| KramerAV VIA Connect (2) and VIA Go (2) devices with a version prior to 4.0.1.1326 exhibit a vulnerability that enables remote manipulation of the device. This vulnerability involves extracting the connection confirmation code remotely, bypassing the need to obtain it directly from the physical screen. | |||||
| CVE-2023-4107 | 1 Mattermost | 1 Mattermost | 2023-08-15 | N/A | 6.5 MEDIUM |
| Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. | |||||
| CVE-2018-15465 | 1 Cisco | 1 Adaptive Security Appliance Software | 2023-08-15 | 5.5 MEDIUM | 8.1 HIGH |
| A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface. The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. An exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device. | |||||
| CVE-2023-38209 | 1 Adobe | 1 Commerce | 2023-08-15 | N/A | 6.5 MEDIUM |
| Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Incorrect Authorization vulnerability that could lead to a Security feature bypass. A low-privileged attacker could leverage this vulnerability to access other user's data. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-28468 | 1 Insyde | 1 Kernel | 2023-08-09 | N/A | 6.5 MEDIUM |
| An issue was discovered in FvbServicesRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The FvbServicesRuntimeDxe SMM module exposes an SMI handler that allows an attacker to interact with the SPI flash at run-time from the OS. | |||||
| CVE-2023-38958 | 1 Zkteco | 1 Bioaccess Ivs | 2023-08-08 | N/A | 5.3 MEDIUM |
| An access control issue in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to arbitrarily close and open the doors managed by the platform remotely via sending a crafted web request. | |||||
| CVE-2022-35716 | 1 Ibm | 1 Urbancode Deploy | 2023-08-08 | N/A | 6.5 MEDIUM |
| IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7.0.5.11, 7.1.0.0 through 7.1.2.7, and 7.2.0.0 through 7.2.3.0 could allow an authenticated user to obtain sensitive information in some instances due to improper security checking. IBM X-Force ID: 231360. | |||||
| CVE-2022-25335 | 1 Rigoblock | 1 Drago | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerability announcement date, the vulnerability will not be remediated until a major protocol upgrade occurs. | |||||
| CVE-2022-29271 | 1 Nagios | 1 Nagios Xi | 2023-08-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Nagios XI through 5.8.5, a read-only Nagios user (due to an incorrect permission check) is able to schedule downtime for any host/services. This allows an attacker to permanently disable all monitoring checks. | |||||
| CVE-2022-42724 | 1 Misp-project | 1 Malware Information Sharing Platform | 2023-08-08 | N/A | 4.3 MEDIUM |
| app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have). | |||||
| CVE-2022-1460 | 1 Gitlab | 1 Gitlab | 2023-08-08 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not performing correct authorizations on scheduled pipelines allowing a malicious user to run a pipeline in the context of another user. | |||||