Total
2327 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-53949 | 1 Apache | 1 Superset | 2025-02-12 | N/A | 6.5 MEDIUM |
| Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API. issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue. | |||||
| CVE-2024-7624 | 1 Zephyr-one | 1 Zephyr Project Manager | 2025-02-11 | N/A | 8.1 HIGH |
| The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a users capabilities before allowing them to enable access to the plugin's settings through the update_user_access() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to grant themselves full access to the plugin's settings. | |||||
| CVE-2024-27288 | 1 Fit2cloud | 1 1panel | 2025-02-11 | N/A | 6.3 MEDIUM |
| 1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.10.1-lts, users can use Burp to obtain unauthorized access to the console page. The vulnerability has been fixed in v1.10.1-lts. There are no known workarounds. | |||||
| CVE-2023-25415 | 1 Aten | 2 Pe8108, Pe8108 Firmware | 2025-02-11 | N/A | 5.3 MEDIUM |
| Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Event Notification configuration. | |||||
| CVE-2023-0319 | 1 Gitlab | 1 Gitlab | 2025-02-11 | N/A | 5.8 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, allowing to read environment names supposed to be restricted to project memebers only. | |||||
| CVE-2024-28148 | 1 Apache | 1 Superset | 2025-02-11 | N/A | 4.3 MEDIUM |
| An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.This issue affects Apache Superset: before 3.1.2. Users are recommended to upgrade to version 3.1.2 or above, which fixes the issue. | |||||
| CVE-2023-1417 | 1 Gitlab | 1 Gitlab | 2025-02-11 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group. | |||||
| CVE-2023-1071 | 1 Gitlab | 1 Gitlab | 2025-02-10 | N/A | 3.1 LOW |
| An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic. | |||||
| CVE-2023-22620 | 1 Securepoint | 1 Unified Threat Management | 2025-02-10 | N/A | 7.5 HIGH |
| An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface. | |||||
| CVE-2021-41528 | 2025-02-07 | N/A | N/A | ||
| An error when handling authorization related to the import / export interfaces on the RISC Platform prior to the saas-2021-12-29 release can potentially be exploited to access the import / export functionality with low privileges. | |||||
| CVE-2024-9654 | 1 Awesomemotive | 1 Easy Digital Downloads | 2025-02-07 | N/A | 3.7 LOW |
| The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased. | |||||
| CVE-2020-17354 | 1 Lilypond | 1 Lilypond | 2025-02-06 | N/A | 8.6 HIGH |
| LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used. | |||||
| CVE-2023-46241 | 1 Discourse | 1 Microsoft Authentication | 2025-02-05 | N/A | 9.0 CRITICAL |
| `discourse-microsoft-auth` is a plugin that enables authentication via Microsoft. On sites with the `discourse-microsoft-auth` plugin enabled, an attack can potentially take control of a victim's Discourse account. Sites that have configured their application's account type to any options other than `Accounts in this organizational directory only (O365 only - Single tenant)` are vulnerable. This vulnerability has been patched in commit c40665f44509724b64938c85def9fb2e79f62ec8 of `discourse-microsoft-auth`. A `microsoft_auth:revoke` rake task has also been added which will deactivate and log out all users that have connected their accounts to Microsoft. User API keys as well as API keys created by those users will also be revoked. The rake task will also remove the connection records to Microsoft for those users. This will allow affected users to re-verify their account emails as well as reconnect their Discourse account to Microsoft for authentication. As a workaround, disable the `discourse-microsoft-auth` plugin by setting the `microsoft_auth_enabled` site setting to `false`. Run the `microsoft_auth:log_out_users` rake task to log out all users with associated Microsoft accounts. | |||||
| CVE-2024-26145 | 1 Discourse | 1 Calendar | 2025-02-05 | N/A | 6.5 MEDIUM |
| Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on Discourse. Uninvited users are able to gain access to private events by crafting a request to update their attendance. This problem is resolved in commit dfc4fa15f340189f177a1d1ab2cc94ffed3c1190. As a workaround, one may use post visibility to limit access. | |||||
| CVE-2023-20950 | 1 Google | 1 Android | 2025-02-05 | N/A | 7.8 HIGH |
| In AlarmManagerActivity of AlarmManagerActivity.java, there is a possible way to bypass background activity launch restrictions via a pendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-195756028 | |||||
| CVE-2024-54488 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-02-05 | N/A | 5.3 MEDIUM |
| A logic issue was addressed with improved file handling. This issue is fixed in macOS Ventura 13.7.2, iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sonoma 14.7.2, macOS Sequoia 15.2. Photos in the Hidden Photos Album may be viewed without authentication. | |||||
| CVE-2024-54512 | 1 Apple | 3 Ipados, Iphone Os, Watchos | 2025-02-04 | N/A | 9.1 CRITICAL |
| The issue was addressed by removing the relevant flags. This issue is fixed in watchOS 11.2, iOS 18.2 and iPadOS 18.2. A system binary could be used to fingerprint a user's Apple Account. | |||||
| CVE-2024-42013 | 2025-02-04 | N/A | 6.4 MEDIUM | ||
| In GRAU DATA Blocky before 3.1, Blocky-Gui has a Client-Side Enforcement of Server-Side Security vulnerability. An attacker with Windows administrative or debugging privileges can patch a binary in memory or on disk to bypass the password login requirement and gain full access to all functions of the program. | |||||
| CVE-2023-30544 | 1 Kiwitcms | 1 Kiwi Tcms | 2025-02-04 | N/A | 3.9 LOW |
| Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. Operators of Kiwi TCMS should upgrade to v12.2 or later to receive a patch. No known workarounds exist. | |||||
| CVE-2023-20871 | 2 Apple, Vmware | 2 Mac Os X, Fusion | 2025-02-04 | N/A | 7.8 HIGH |
| VMware Fusion contains a local privilege escalation vulnerability. A malicious actor with read/write access to the host operating system can elevate privileges to gain root access to the host operating system. | |||||