Total: 1475 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-41806 | | | 2024-07-26 | N/A | 5.3 MEDIUM | The Open edX Platform is a learning management platform. Instructors can upload CSV files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the Django default storage. With certain storage backends, uploads may become publicly available when the uploader uses versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper. The patch in commit cb729a3ced0404736dfa0ae768526c82b608657b ensures that cohorts data uploaded to AWS S3 buckets is written with a private ACL. Beyond patching, deployers should also ensure that existing cohorts uploads have a private ACL, or that other precautions are taken to avoid public access.
CVE-2024-38164 | | | 2024-07-26 | N/A | 9.6 CRITICAL | An improper access control vulnerability in GroupMe allows an unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.
CVE-2024-7057 | | | 2024-07-25 | N/A | 4.3 MEDIUM | An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorization level.
CVE-2023-7028 | 1 Gitlab | 1 Gitlab | 2024-07-24 | N/A | 7.5 HIGH | An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
CVE-2024-37882 | 1 Nextcloud | 1 Nextcloud Server | 2024-07-19 | N/A | 8.1 HIGH | Nextcloud Server is a self-hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and that Nextcloud Enterprise Server is upgraded to 26.0.13, 27.1.8 or 28.0.4.
CVE-2024-22020 | | | 2024-07-19 | N/A | 6.5 MEDIUM | A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.
CVE-2024-6738 | 1 Wisdomgarden | 1 Tronclass | 2024-07-16 | N/A | 5.3 MEDIUM | The thumbnail API of Tronclass from WisdomGarden lacks proper access control, allowing unauthenticated remote attackers to obtain certain specific files by modifying the URL.
CVE-2024-6737 | 1 Electronic Official Document Management System Project | 1 Electronic Official Document Management System | 2024-07-16 | N/A | 8.8 HIGH | The access control in the Electronic Official Document Management System from 2100 TECHNOLOGY is not properly implemented, allowing remote attackers with regular privileges to access the account settings functionality and create an administrator account.
CVE-2021-45111 | 1 Odoo | 1 Odoo | 2024-07-15 | N/A | 8.1 HIGH | Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.
CVE-2021-44465 | 1 Odoo | 1 Odoo | 2024-07-15 | N/A | 4.3 MEDIUM | Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests.
CVE-2021-44460 | 1 Odoo | 1 Odoo | 2024-07-15 | N/A | 6.5 MEDIUM | Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests.
CVE-2021-23203 | 1 Odoo | 1 Odoo | 2024-07-15 | N/A | 7.5 HIGH | Improper access control in the reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.
CVE-2021-23178 | 1 Odoo | 1 Odoo | 2024-07-15 | N/A | 7.5 HIGH | Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim's payment method to be charged instead.
CVE-2021-23176 | 1 Odoo | 1 Odoo | 2024-07-15 | N/A | 6.5 MEDIUM | Improper access control in the reporting engine of the l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets.
CVE-2024-2880 | 1 Gitlab | 1 Gitlab | 2024-07-12 | N/A | 2.7 LOW | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with `admin_group_member` custom role permission could ban group members.
CVE-2024-5257 | 1 Gitlab | 1 Gitlab | 2024-07-12 | N/A | 2.7 LOW | An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace.
CVE-2024-5470 | 1 Gitlab | 1 Gitlab | 2024-07-12 | N/A | 2.7 LOW | An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens.
CVE-2024-6385 | 1 Gitlab | 1 Gitlab | 2024-07-12 | N/A | 9.8 CRITICAL | An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
CVE-2024-31320 | | | 2024-07-12 | N/A | 7.4 HIGH | In setSkipPrompt of AssociationRequest.java, there is a possible way to establish a companion device association without any confirmation due to CDM. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-5821 | | | 2024-07-12 | N/A | 6.2 MEDIUM | The vulnerability allows an attacker to access sensitive files on the server by confusing the agent with incorrect file names. When a user requests the content of a file with a misspelled name, the agent attempts to correct the command and inadvertently reveals the content of the intended file, such as /etc/passwd. This can lead to unauthorized access to sensitive information and potential server compromise.