Total
3294 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-36635 | 1 Fortinet | 1 Fortiswitchmanager | 2024-11-21 | N/A | 7.1 HIGH |
| An improper access control in Fortinet FortiSwitchManager version 7.2.0 through 7.2.2 7.0.0 through 7.0.1 may allow a remote authenticated read-only user to modify the interface settings via the API. | |||||
| CVE-2023-36620 | 1 Nationaledtech | 1 Boomerang | 2024-11-21 | N/A | 4.6 MEDIUM |
| An issue was discovered in the Boomerang Parental Control application before 13.83 for Android. The app is missing the android:allowBackup="false" attribute in the manifest. This allows the user to backup the internal memory of the app to a PC. This gives the user access to the API token that is used to authenticate requests to the API. | |||||
| CVE-2023-36561 | 1 Microsoft | 1 Azure Devops Server | 2024-11-21 | N/A | 7.3 HIGH |
| Azure DevOps Server Elevation of Privilege Vulnerability | |||||
| CVE-2023-36554 | 1 Fortinet | 1 Fortimanager | 2024-11-21 | N/A | 8.1 HIGH |
| A improper access control in Fortinet FortiManager version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.10, version 6.4.0 through 6.4.13, 6.2 all versions allows attacker to execute unauthorized code or commands via specially crafted HTTP requests. | |||||
| CVE-2023-36465 | 1 Decidim | 1 Decidim | 2024-11-21 | N/A | 9.1 CRITICAL |
| Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access to this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. This issue has been patched in version 0.26.8 and 0.27.4. | |||||
| CVE-2023-36106 | 1 Powerjob | 1 Powerjob | 2024-11-21 | N/A | 7.5 HIGH |
| An incorrect access control vulnerability in powerjob 4.3.2 and earlier allows remote attackers to obtain sensitive information via the interface for querying via appId parameter to /container/list. | |||||
| CVE-2023-35940 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 7.5 HIGH |
| GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue. | |||||
| CVE-2023-35939 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 8.1 HIGH |
| GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue. | |||||
| CVE-2023-35927 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | 7.6 HIGH |
| NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, when two server are registered as trusted servers for each other and successfully exchanged the share secrets, the malicious server could modify or delete VCards in the system addressbook on the origin server. This would impact the available and shown information in certain places, such as the user search and avatar menu. If a manipulated user modifies their own data in the personal settings the entry is fixed again. Nextcloud Server n 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. A workaround is available. Remove all trusted servers in the "Administration" > "Sharing" settings `…/index.php/settings/admin/sharing`. Afterwards, trigger a recreation of the local system addressbook with the following `occ dav:sync-system-addressbook`. | |||||
| CVE-2023-35179 | 1 Solarwinds | 1 Serv-u | 2024-11-21 | N/A | 7.2 HIGH |
| A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. | |||||
| CVE-2023-35173 | 1 Nextcloud | 1 End-to-end Encryption | 2024-11-21 | N/A | 5.7 MEDIUM |
| Nextcloud End-to-end encryption app provides all the necessary APIs to implement End-to-End encryption on the client side. By providing an invalid meta data file, an attacker can make previously dropped files inaccessible. It is recommended that the Nextcloud End-to-end encryption app is upgraded to version 1.12.4 that contains the fix. | |||||
| CVE-2023-35167 | 1 Remult | 1 Remult | 2024-11-21 | N/A | 5.0 MEDIUM |
| Remult is a CRUD framework for full-stack TypeScript. If you used the apiPrefilter option of the `@Entity` decorator, by setting it to a function that returns a filter that prevents unauthorized access to data, an attacker who knows the `id` of an entity instance is not authorized to access, can gain read, update and delete access to it. The issue is fixed in version 0.20.6. As a workaround, set the `apiPrefilter` option to a filter object instead of a function. | |||||
| CVE-2023-35121 | 2024-11-21 | N/A | 7.8 HIGH | ||
| Improper access control in the Intel(R) oneAPI DPC++/C++ Compiler before version 2022.2.1 for some Intel(R) oneAPI Toolkits before version 2022.3.1 may allow authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-35062 | 1 Intel | 1 Driver \& Support Assistant | 2024-11-21 | N/A | 6.3 MEDIUM |
| Improper access control in some Intel(R) DSA software before version 23.4.33 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-34470 | 1 Ami | 1 Aptio V | 2024-11-21 | N/A | 6.8 MEDIUM |
| AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper access control via the local network. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity and availability. | |||||
| CVE-2023-34469 | 1 Ami | 1 Aptio V | 2024-11-21 | N/A | 4.9 MEDIUM |
| AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper access control via the physical network. A successful exploit of this vulnerability may lead to a loss of confidentiality. | |||||
| CVE-2023-34107 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 6.5 MEDIUM |
| GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user, allows access to the view all KnowbaseItems. Version 10.0.8 has a patch for this issue. | |||||
| CVE-2023-34106 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 6.5 MEDIUM |
| GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch. | |||||
| CVE-2023-33947 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-11-21 | N/A | 2.7 LOW |
| The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition. | |||||
| CVE-2023-33946 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-11-21 | N/A | 2.7 LOW |
| The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page. | |||||