Total
2056 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-47077 | 2024-09-30 | N/A | 6.5 MEDIUM | ||
| authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access. Anyone who has more than one proxy provider application with different trust domains or different access control is affected. Versions 2024.8.3 and 2024.6.5 fix the issue. | |||||
| CVE-2024-7711 | 1 Github | 1 Enterprise Server | 2024-09-27 | N/A | 4.3 MEDIUM |
| An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository. This vulnerability affected GitHub Enterprise Server versions before 3.14 and was fixed in versions 3.13.3, 3.12.8, and 3.11.14. Versions 3.10 of GitHub Enterprise Server are not affected. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2024-6337 | 1 Github | 1 Enterprise Server | 2024-09-27 | N/A | 6.5 MEDIUM |
| An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was only exploitable via user access token and installation access token was not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2024-47060 | 1 Zitadel | 1 Zitadel | 2024-09-25 | N/A | 4.3 MEDIUM |
| Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore. | |||||
| CVE-2024-47159 | 1 Jetbrains | 1 Youtrack | 2024-09-24 | N/A | 4.3 MEDIUM |
| In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project | |||||
| CVE-2024-47160 | 1 Jetbrains | 1 Youtrack | 2024-09-24 | N/A | 4.3 MEDIUM |
| In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible | |||||
| CVE-2024-42423 | 2 Citrix, Dell | 2 Workspace, Thinos | 2024-09-20 | N/A | 6.1 MEDIUM |
| Citrix Workspace App version 23.9.0.24.4 on Dell ThinOS 2311 contains an Incorrect Authorization vulnerability when Citrix CEB is enabled for WebLogin. A local unauthenticated user with low privileges may potentially exploit this vulnerability to bypass existing controls and perform unauthorized actions leading to information disclosure and tampering. | |||||
| CVE-2024-4465 | 1 Nozominetworks | 2 Cmc, Guardian | 2024-09-20 | N/A | 6.0 MEDIUM |
| An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited Denial of Service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server. This could expand the scope of the attack. | |||||
| CVE-2024-8601 | 1 Techexcel | 1 Back Office Software | 2024-09-17 | N/A | 6.5 MEDIUM |
| This vulnerability exists in TechExcel Back Office Software versions prior to 1.0.0 due to improper access controls on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter through API request URL which could lead to unauthorized access to sensitive information belonging to other users. | |||||
| CVE-2024-44114 | 1 Sap | 1 Netweaver Application Server Abap | 2024-09-16 | N/A | 2.0 LOW |
| SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application. | |||||
| CVE-2024-8011 | 1 Logitech | 1 Options\+ | 2024-09-11 | N/A | 5.5 MEDIUM |
| Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera. | |||||
| CVE-2024-41964 | 1 Getkirby | 1 Kirby | 2024-09-06 | N/A | 8.1 HIGH |
| Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions. The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-7697 | 1 Transsion | 1 Carlcare | 2024-09-06 | N/A | 7.5 HIGH |
| Logical vulnerability in the mobile application (com.transsion.carlcare) may lead to user information leakage risks. | |||||
| CVE-2024-43250 | 1 Bitapps | 1 Bit Form | 2024-09-06 | N/A | 7.1 HIGH |
| Incorrect Authorization vulnerability in Bit Apps Bit Form Pro bitformpro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bit Form Pro: from n/a through 2.6.4. | |||||
| CVE-2024-34642 | 1 Samsung | 1 Android | 2024-09-05 | N/A | 4.6 MEDIUM |
| Improper authorization in One UI Home prior to SMR Sep-2024 Release 1 allows physical attackers to temporarily access sensitive information. | |||||
| CVE-2024-34650 | 1 Samsung | 1 Android | 2024-09-05 | N/A | 4.0 MEDIUM |
| Incorrect authorization in CocktailbarService prior to SMR Sep-2024 Release 1 allows local attackers to access privileged APIs related to Edge panel. | |||||
| CVE-2024-34651 | 1 Samsung | 1 Android | 2024-09-05 | N/A | 6.2 MEDIUM |
| Improper authorization in My Files prior to SMR Sep-2024 Release 1 allows local attackers to access restricted data in My Files. | |||||
| CVE-2024-34652 | 1 Samsung | 1 Android | 2024-09-05 | N/A | 4.0 MEDIUM |
| Incorrect authorization in kperfmon prior to SMR Sep-2024 Release 1 allows local attackers to access information related to performance including app usage. | |||||
| CVE-2024-38868 | 1 Zohocorp | 1 Manageengine Endpoint Central | 2024-09-04 | N/A | 7.6 HIGH |
| Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability while isolating the devices.This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15 | |||||
| CVE-2024-45509 | 1 Misp | 1 Misp | 2024-09-04 | N/A | 6.5 MEDIUM |
| In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin. | |||||