Export limit exceeded: 363282 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (1923 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-50267 | 1 Metersphere | 1 Metersphere | 2024-11-21 | 4.3 Medium |
| MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, the authenticated attackers can update resources which don't belong to him if the resource ID is known. This issue if fixed in 2.10.10-lts. There are no known workarounds. | ||||
| CVE-2023-4587 | 1 Zkteco | 2 Zem800, Zem800 Firmware | 2024-11-21 | 8.3 High |
| An IDOR vulnerability has been found in ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server. | ||||
| CVE-2023-4101 | 1 Qsige | 1 Qsige | 2024-11-21 | 8.8 High |
| The QSige login SSO does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. | ||||
| CVE-2023-4099 | 1 Qsige | 1 Qsige | 2024-11-21 | 7.6 High |
| The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. | ||||
| CVE-2023-48641 | 1 Archerirm | 1 Archer | 2024-11-21 | 7.5 High |
| Archer Platform 6.x before 6.14 P1 HF2 (6.14.0.1.2) contains an insecure direct object reference vulnerability. An authenticated malicious user in a multi-instance installation could potentially exploit this vulnerability by manipulating application resource references in user requests to bypass authorization checks, in order to gain execute access to AWF application resources. | ||||
| CVE-2023-48304 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 4.3 Medium |
| Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, an attacker could enable and disable the birthday calendar for any user on the same server. Nextcloud Server 25.0.11, 26.0.6, and 27.1.0 and Nextcloud Enterprise Server 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 contain patches for this issue. No known workarounds are available. | ||||
| CVE-2023-47316 | 1 H-mdm | 1 Headwind Mdm | 2024-11-21 | 5.4 Medium |
| Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control. The Web panel allows users to gain access to potentially sensitive API calls such as listing users and their data, file management API calls and audit-related API calls. | ||||
| CVE-2023-46701 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 6.5 Medium |
| Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID | ||||
| CVE-2023-46478 | 1 Minical | 1 Minical | 2024-11-21 | 8.8 High |
| An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter. | ||||
| CVE-2023-45893 | 1 Floorsightsoftware | 1 Customer Portal | 2024-11-21 | 7.5 High |
| An indirect Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information. | ||||
| CVE-2023-45396 | 1 Elenos | 3 Etg150, Etg150 Firmware, Etg150 Fm | 2024-11-21 | 6.5 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability leads to events profiles access in Elenos ETG150 FM transmitter running on version 3.12. | ||||
| CVE-2023-45393 | 1 Grandingteco | 1 Utime Master | 2024-11-21 | 6.5 Medium |
| An indirect object reference (IDOR) in GRANDING UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to access sensitive information via a crafted cookie. | ||||
| CVE-2023-45380 | 1 Silbersaiten | 1 Order Duplicator | 2024-11-21 | 9.1 Critical |
| In the module "Order Duplicator " Clone and Delete Existing Order" (orderduplicate) in version <= 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can download personal information from ps_customer/ps_address tables such as name / surname / phone number / full postal address. | ||||
| CVE-2023-44206 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2024-11-21 | 9.1 Critical |
| Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979. | ||||
| CVE-2023-44205 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2024-11-21 | 5.3 Medium |
| Sensitive information disclosure due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979. | ||||
| CVE-2023-44154 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2024-11-21 | 8.1 High |
| Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979. | ||||
| CVE-2023-43900 | 1 Emsigner | 1 Emsigner | 2024-11-21 | 6.5 Medium |
| Insecure Direct Object References (IDOR) in EMSigner v2.8.7 allow attackers to gain unauthorized access to application content and view sensitive data of other users via manipulation of the documentID and EncryptedDocumentId parameters. | ||||
| CVE-2023-43668 | 1 Apache | 1 Inlong | 2024-11-21 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... . Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8604 | ||||
| CVE-2023-42455 | 1 Wazuh | 2 Wazuh-dashboard, Wazuh-kibana-app | 2024-11-21 | 8.8 High |
| Wazuh is a security detection, visibility, and compliance open source project. In versions 4.4.0 and 4.4.1, it is possible to get the Wazuh API administrator key used by the Dashboard using the browser development tools. This allows a logged user to the dashboard to become administrator of the API, even if their dashboard role is not. Version 4.4.2 contains a fix. There are no known workarounds. | ||||
| CVE-2023-42334 | 1 Fl3xx | 2 Crew, Dispatch | 2024-11-21 | 6.5 Medium |
| An Indirect Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to escalate privileges via the user parameter. | ||||