Total
3294 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-32063 | 1 Oroinc | 1 Client Relationship Management | 2024-11-21 | N/A | 5.0 MEDIUM |
| OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1. | |||||
| CVE-2023-32062 | 1 Oroinc | 1 Oroplatform | 2024-11-21 | N/A | 5.0 MEDIUM |
| OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1. | |||||
| CVE-2023-32060 | 1 Dhis2 | 1 Dhis 2 | 2024-11-21 | N/A | 6.5 MEDIUM |
| DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.35 branch and prior to versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0, when the Category Option Combination Sharing settings are configured to control access to specific tracker program events or program stages, the `/trackedEntityInstances` and `/events` API endpoints may include all events regardless of the sharing settings applied to the category option combinations. When this specific configuration is present, users may have access to events which they should not be able to see based on the sharing settings of the category options. The events will not appear in the user interface for web-based Tracker Capture or Capture applications, but if the Android Capture App is used they will be displayed to the user. Versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0 contain a fix for this issue. No workaround is known. | |||||
| CVE-2023-32009 | 1 Microsoft | 9 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 6 more | 2024-11-21 | N/A | 8.8 HIGH |
| Windows Collaborative Translation Framework Elevation of Privilege Vulnerability | |||||
| CVE-2023-31271 | 1 Intel | 1 Virtual Raid On Cpu | 2024-11-21 | N/A | 6.7 MEDIUM |
| Improper access control in some Intel(R) VROC software before version 8.0.8.1001 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-31242 | 1 Openautomationsoftware | 1 Oas Platform | 2024-11-21 | N/A | 8.1 HIGH |
| An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially-crafted series of network requests can lead to arbitrary authentication. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2023-31199 | 1 Intel | 1 Solid State Drive Toolbox | 2024-11-21 | N/A | 7.7 HIGH |
| Improper access control in the Intel(R) Solid State Drive Toolbox(TM) before version 3.4.5 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-31138 | 1 Dhis2 | 1 Dhis 2 | 2024-11-21 | N/A | 7.1 HIGH |
| DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. DHIS2 implementers should upgrade to a supported version of DHIS2 to receive a patch: 2.37.9.1, 2.38.3.1, or 2.39.1.2. It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests. | |||||
| CVE-2023-31100 | 1 Phoenix | 1 Securecore Technology | 2024-11-21 | N/A | 8.4 HIGH |
| Improper Access Control in SMI handler vulnerability in Phoenix SecureCore™ Technology™ 4 allows SPI flash modification. This issue affects SecureCore™ Technology™ 4: * from 4.3.0.0 before 4.3.0.203 * from 4.3.1.0 before 4.3.1.163 * from 4.4.0.0 before 4.4.0.217 * from 4.5.0.0 before 4.5.0.138 | |||||
| CVE-2023-31020 | 2 Microsoft, Nvidia | 2 Windows, Virtual Gpu | 2024-11-21 | N/A | 6.1 MEDIUM |
| NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause improper access control, which may lead to denial of service or data tampering. | |||||
| CVE-2023-31019 | 2 Microsoft, Nvidia | 2 Windows, Virtual Gpu | 2024-11-21 | N/A | 7.8 HIGH |
| NVIDIA GPU Display Driver for Windows contains a vulnerability in wksServicePlugin.dll, where the driver implementation does not restrict or incorrectly restricts access from the named pipe server to a connecting client, which may lead to potential impersonation to the client's secure context. | |||||
| CVE-2023-30969 | 1 Palantir | 1 Tiles | 2024-11-21 | N/A | 8.2 HIGH |
| The Palantir Tiles1 service was found to be vulnerable to an API wide issue where the service was not performing authentication/authorization on all the endpoints. | |||||
| CVE-2023-30768 | 1 Intel | 128 Server Board S1200btl, Server Board S1200btl Firmware, Server Board S1200btlr and 125 more | 2024-11-21 | N/A | 7.7 HIGH |
| Improper access control in the Intel(R) Server Board S2600WTT belonging to the Intel(R) Server Board S2600WT Family with the BIOS version 0016 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-30587 | 2024-11-21 | N/A | 7.5 HIGH | ||
| A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | |||||
| CVE-2023-30583 | 2024-11-21 | N/A | 7.5 HIGH | ||
| fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | |||||
| CVE-2023-30582 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | |||||
| CVE-2023-30539 | 1 Nextcloud | 2 Nextcloud Files Automated Tagging, Nextcloud Server | 2024-11-21 | N/A | 6.5 MEDIUM |
| Nextcloud is a personal home server system. Depending on the set up tags and other workflows this issue can be used to limit access of others or being able to grant them access when there are system tag based files access control or files retention rules. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Enterprise Server to 21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11 or 25.0.5, and the Nextcloud Files automated tagging app to 1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3 or 1.16.1. Users unable to upgrade should disable all workflow related apps. Users are advised to upgrade. | |||||
| CVE-2023-2979 | 1 Abstrium | 1 Pydio Cells | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability classified as critical has been found in Abstrium Pydio Cells 4.2.0. This affects an unknown part of the component User Creation Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230211. | |||||
| CVE-2023-2946 | 1 Open-emr | 1 Openemr | 2024-11-21 | N/A | 8.1 HIGH |
| Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1. | |||||
| CVE-2023-2944 | 1 Open-emr | 1 Openemr | 2024-11-21 | N/A | 5.4 MEDIUM |
| Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1. | |||||