Total
4661 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-30916 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-11-21 | N/A | 7.8 HIGH |
| In DMService, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
| CVE-2023-30913 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-11-21 | N/A | 5.5 MEDIUM |
| In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
| CVE-2023-30586 | 1 Nodejs | 1 Node.js | 2024-11-21 | N/A | 7.5 HIGH |
| A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | |||||
| CVE-2023-30480 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Sparkle WP Educenter.This issue affects Educenter: from n/a through 1.5.5. | |||||
| CVE-2023-30195 | 1 Lineagrafica | 1 Lgdetailedorder | 2024-11-21 | N/A | 7.5 HIGH |
| In the module "Detailed Order" (lgdetailedorder) in version up to 1.1.20 from Linea Grafica for PrestaShop, a guest can download personal informations without restriction formatted in json. | |||||
| CVE-2023-2945 | 1 Open-emr | 1 Openemr | 2024-11-21 | N/A | 5.4 MEDIUM |
| Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1. | |||||
| CVE-2023-2796 | 1 Myeventon | 1 Eventon | 2024-11-21 | N/A | 5.3 MEDIUM |
| The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id. | |||||
| CVE-2023-2791 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 4.3 MEDIUM |
| When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post. | |||||
| CVE-2023-2788 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 6.2 MEDIUM |
| Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated. | |||||
| CVE-2023-2787 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 6.5 MEDIUM |
| Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API. | |||||
| CVE-2023-2786 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 4.3 MEDIUM |
| Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a channel to actually post it by executing channel commands. | |||||
| CVE-2023-2784 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 4.2 MEDIUM |
| Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user send install requests to the Apps. | |||||
| CVE-2023-2783 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 4.3 MEDIUM |
| Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps. | |||||
| CVE-2023-2716 | 1 Groundhogg | 1 Groundhogg | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload a file to the contact, and then lists all the other uploaded files related to the contact. | |||||
| CVE-2023-2715 | 1 Groundhogg | 1 Groundhogg | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers to create a support ticket that sends the website's data to the plugin developer, and it is also possible to create an admin access with an auto login link that is also sent to the plugin developer with the ticket. It only works if the plugin is activated with a valid license. | |||||
| CVE-2023-2714 | 1 Groundhogg | 1 Groundhogg | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the license key and support license key, but it can only be changed to a valid license key. | |||||
| CVE-2023-2590 | 1 Answer | 1 Answer | 2024-11-21 | N/A | 3.5 LOW |
| Missing Authorization in GitHub repository answerdev/answer prior to 1.0.9. | |||||
| CVE-2023-2562 | 1 Gallery-metabox Project | 1 Gallery-metabox | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Gallery Metabox for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the refresh_metabox function in versions up to, and including, 1.5. This makes it possible for subscriber-level attackers to obtain a list of images attached to a post. | |||||
| CVE-2023-2557 | 1 Pluginus | 1 Wordpress Currency Switcher Professional | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit an arbitrary custom drop-down currency switcher. | |||||
| CVE-2023-2547 | 1 Featherplugins | 1 Feather Login Page | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Feather Login Page plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteUser' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the temp user generated by the plugin. | |||||