Total
1318 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-24568 | 2024-03-07 | N/A | 5.3 MEDIUM | ||
| Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, the rules inspecting HTTP2 headers can get bypassed by crafted traffic. The vulnerability has been patched in 7.0.3. | |||||
| CVE-2023-3509 | 1 Gitlab | 1 Gitlab | 2024-03-04 | N/A | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group. | |||||
| CVE-2023-6840 | 1 Gitlab | 1 Gitlab | 2024-03-04 | N/A | 6.7 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch that bypasses the security policy added to block MR. | |||||
| CVE-2024-0410 | 1 Gitlab | 1 Gitlab | 2024-03-04 | N/A | 7.7 HIGH |
| An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict. | |||||
| CVE-2023-4895 | 1 Gitlab | 1 Gitlab | 2024-03-04 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the 'group ip restriction' settings to access environment details of projects | |||||
| CVE-2024-1525 | 1 Gitlab | 1 Gitlab | 2024-03-04 | N/A | 5.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign-in using direct authentication with the reset password, bypassing LDAP. | |||||
| CVE-2024-0795 | 2024-03-04 | N/A | 7.2 HIGH | ||
| If an attacked was given access to an instance with the admin or manager role there is no backend authentication that would prevent the attacked from creating a new user with an `admin` role and then be able to use this new account to have elevated privileges on the instance | |||||
| CVE-2024-1942 | 2024-02-29 | N/A | 4.3 MEDIUM | ||
| Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of. | |||||
| CVE-2024-1887 | 2024-02-29 | N/A | 4.3 MEDIUM | ||
| Mattermost fails to check if compliance export is enabled when fetching posts of public channels allowing a user that is not a member of the public channel to fetch the posts, which will not be audited in the compliance export. | |||||
| CVE-2024-20291 | 2024-02-29 | N/A | 5.8 MEDIUM | ||
| A vulnerability in the access control list (ACL) programming for port channel subinterfaces of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to send traffic that should be blocked through an affected device. This vulnerability is due to incorrect hardware programming that occurs when configuration changes are made to port channel member ports. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access network resources that should be protected by an ACL that was applied on port channel subinterfaces. | |||||
| CVE-2024-23488 | 2024-02-29 | N/A | 3.1 LOW | ||
| Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the “Allow users to view archived channels” option is disabled. | |||||
| CVE-2024-1888 | 2024-02-29 | N/A | 4.3 MEDIUM | ||
| Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was already a guest in another team of the server | |||||
| CVE-2024-25981 | 2024-02-29 | N/A | 4.3 MEDIUM | ||
| Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers. | |||||
| CVE-2024-25980 | 2024-02-29 | N/A | 4.3 MEDIUM | ||
| Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers. | |||||
| CVE-2024-1632 | 2024-02-28 | N/A | 8.8 HIGH | ||
| Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area. | |||||
| CVE-2024-22459 | 2024-02-28 | N/A | 6.8 MEDIUM | ||
| Dell ECS, versions 3.6 through 3.6.2.5, and 3.7 through 3.7.0.6, and 3.8 through 3.8.0.4 versions, contain an improper access control vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to all buckets and their data within a namespace | |||||
| CVE-2024-0551 | 2024-02-27 | N/A | 7.1 HIGH | ||
| Enable exports of the database and associated exported information of the system via the default user role. The attacked would have to have been granted access to the system prior to the attack. It is worth noting that the deterministic nature of the export name is lower risk as the UI for exporting would start the download at the same time, which once downloaded - deletes the export from the system. The endpoint for exporting should simply be patched to a higher privilege level. | |||||
| CVE-2024-20325 | 2024-02-22 | N/A | 5.1 MEDIUM | ||
| A vulnerability in the Live Data server of Cisco Unified Intelligence Center could allow an unauthenticated, local attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control implementations on cluster configuration CLI requests. An attacker could exploit this vulnerability by sending a cluster configuration CLI request to specific directories on an affected device. A successful exploit could allow the attacker to read and modify data that is handled by an internal service on the affected device. | |||||
| CVE-2023-6259 | 2024-02-21 | N/A | 7.1 HIGH | ||
| Insufficiently Protected Credentials, : Improper Access Control vulnerability in Brivo ACS100, ACS300 allows Password Recovery Exploitation, Bypassing Physical Security.This issue affects ACS100, ACS300: from 5.2.4 before 6.2.4.3. | |||||
| CVE-2024-1343 | 2024-02-20 | N/A | 4.7 MEDIUM | ||
| A weak permission was found in the backup directory in LaborOfficeFree affecting version 19.10. This vulnerability allows any authenticated user to read backup files in the directory '%programfiles(x86)% LaborOfficeFree BackUp'. | |||||