Total
444 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-38513 | 1 Meowapps | 1 Photo Engine | 2023-12-28 | N/A | 5.4 MEDIUM |
Authorization Bypass Through User-Controlled Key vulnerability in Jordy Meow Photo Engine (Media Organizer & Lightroom).This issue affects Photo Engine (Media Organizer & Lightroom): from n/a through 6.2.5. | |||||
CVE-2023-37871 | 1 Automattic | 1 Woocommerce Gocardless | 2023-12-28 | N/A | 7.5 HIGH |
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6. | |||||
CVE-2023-46446 | 1 Asyncssh Project | 1 Asyncssh | 2023-12-22 | N/A | 6.8 MEDIUM |
An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack." | |||||
CVE-2023-44249 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2023-12-21 | N/A | 6.5 MEDIUM |
An authorization bypass through user-controlled key [CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests. | |||||
CVE-2023-48641 | 1 Archerirm | 1 Archer | 2023-12-15 | N/A | 8.8 HIGH |
Archer Platform 6.x before 6.14 P1 HF2 (6.14.0.1.2) contains an insecure direct object reference vulnerability. An authenticated malicious user in a multi-instance installation could potentially exploit this vulnerability by manipulating application resource references in user requests to bypass authorization checks, in order to gain execute access to AWF application resources. | |||||
CVE-2023-46701 | 1 Mattermost | 1 Mattermost Server | 2023-12-14 | N/A | 5.3 MEDIUM |
Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID | |||||
CVE-2023-6226 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2023-12-10 | N/A | 4.3 MEDIUM |
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user controlled keys 'key' and 'post_id'. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta values which may contain sensitive information when combined with another plugin. | |||||
CVE-2023-45380 | 1 Silbersaiten | 1 Order Duplicator | 2023-12-10 | N/A | 8.8 HIGH |
In the module "Order Duplicator " Clone and Delete Existing Order" (orderduplicate) in version <= 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can download personal information from ps_customer/ps_address tables such as name / surname / phone number / full postal address. | |||||
CVE-2023-38884 | 1 Os4ed | 1 Opensis | 2023-12-10 | N/A | 7.5 HIGH |
An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>' | |||||
CVE-2023-33706 | 1 Sysaid | 1 Sysaid | 2023-12-10 | N/A | 6.5 MEDIUM |
SysAid before 23.2.15 allows Indirect Object Reference (IDOR) attacks to read ticket data via a modified sid parameter to EmailHtmlSourceIframe.jsp or a modified srID parameter to ShowMessage.jsp. | |||||
CVE-2023-5544 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2023-12-10 | N/A | 5.4 MEDIUM |
Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. | |||||
CVE-2023-47316 | 1 H-mdm | 1 Headwind Mdm | 2023-12-10 | N/A | 5.4 MEDIUM |
Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control. The Web panel allows users to gain access to potentially sensitive API calls such as listing users and their data, file management API calls and audit-related API calls. | |||||
CVE-2023-43900 | 1 Emsigner | 1 Emsigner | 2023-12-10 | N/A | 6.5 MEDIUM |
Insecure Direct Object References (IDOR) in EMSigner v2.8.7 allow attackers to gain unauthorized access to application content and view sensitive data of other users via manipulation of the documentID and EncryptedDocumentId parameters. | |||||
CVE-2023-6341 | 1 Catalisgov | 1 Cms360 | 2023-12-10 | N/A | 5.3 MEDIUM |
Catalis (previously Icon Software) CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation. | |||||
CVE-2022-24400 | 1 Midnightblue | 1 Tetra\ | 2023-12-10 | N/A | 5.9 MEDIUM |
A flaw in the TETRA authentication procecure allows a MITM adversary that can predict the MS challenge RAND2 to set session key DCK to zero. | |||||
CVE-2023-4099 | 1 Qsige | 1 Qsige | 2023-12-10 | N/A | 6.5 MEDIUM |
The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. | |||||
CVE-2023-28481 | 1 Tigergraph | 1 Tigergraph | 2023-12-10 | N/A | 8.8 HIGH |
An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to SSH authorized keys file. Any code running as the tigergraph user is able to add their SSH public key into the authorised keys file. This allows an attacker to obtain password-less SSH key access by using their own SSH key. | |||||
CVE-2023-32669 | 1 Buddyboss | 1 Buddyboss | 2023-12-10 | N/A | 5.4 MEDIUM |
Authorization bypass vulnerability in BuddyBoss 2.2.9 version, the exploitation of which could allow an authenticated user to access and rename other users' albums. This vulnerability can be exploited by changing the album identification (id). | |||||
CVE-2023-2544 | 1 Upv | 1 Peix | 2023-12-10 | N/A | 6.5 MEDIUM |
Authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users. | |||||
CVE-2023-4934 | 1 Usta | 1 Aybs | 2023-12-10 | N/A | 8.8 HIGH |
Authorization Bypass Through User-Controlled Key vulnerability in Usta AYBS allows Authentication Abuse, Authentication Bypass.This issue affects AYBS: before 1.0.3. |