Total
452 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-2702 | 1 Finexmedia | 1 Competition Management System | 2023-12-10 | N/A | 8.8 HIGH |
Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass.This issue affects Competition Management System: before 23.07. | |||||
CVE-2023-32310 | 1 Dataease | 1 Dataease | 2023-12-10 | N/A | 8.1 HIGH |
DataEase is an open source data visualization and analysis tool. The API interface for DataEase delete dashboard and delete system messages is vulnerable to insecure direct object references (IDOR). This could result in a user deleting another user's dashboard or messages or interfering with the interface for marking messages read. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. | |||||
CVE-2023-2260 | 1 Alf | 1 Alf | 2023-12-10 | N/A | 8.8 HIGH |
Authorization Bypass Through User-Controlled Key in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. | |||||
CVE-2023-33956 | 1 Kanboard | 1 Kanboard | 2023-12-10 | N/A | 6.5 MEDIUM |
Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to an Insecure direct object reference (IDOR) vulnerability present in the application's URL parameter. This vulnerability enables any user to read files uploaded by any other user, regardless of their privileges or restrictions. By Changing the file_id any user can render all the files where MimeType is image uploaded under **/files** directory regard less of uploaded by any user. This vulnerability poses a significant impact and severity to the application's security. By manipulating the URL parameter, an attacker can access sensitive files that should only be available to authorized users. This includes confidential documents or any other type of file stored within the application. The ability to read these files can lead to various detrimental consequences, such as unauthorized disclosure of sensitive information, privacy breaches, intellectual property theft, or exposure of trade secrets. Additionally, it could result in legal and regulatory implications, reputation damage, financial losses, and potential compromise of user trust. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2018-17455 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 7.5 HIGH |
An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference to the "merge request approvals" feature. | |||||
CVE-2022-45175 | 1 Liveboxcloud | 1 Vdesk | 2023-12-10 | N/A | 6.5 MEDIUM |
An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Insecure Direct Object Reference can occur under the 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the file ID of a target file. | |||||
CVE-2022-36247 | 1 Shopbeat | 1 Shop Beat Media Player | 2023-12-10 | N/A | 9.1 CRITICAL |
Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to IDOR via controlpanel.shopbeat.co.za. | |||||
CVE-2021-33223 | 1 Seeddms | 1 Seeddms | 2023-12-10 | N/A | 8.8 HIGH |
An issue discovered in SeedDMS 6.0.15 allows an attacker to escalate privileges via the userid and role parameters in the out.UsrMgr.php file. | |||||
CVE-2018-17449 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 7.5 HIGH |
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Remote attackers could obtain sensitive information about issues, comments, and project titles via events API insecure direct object reference. | |||||
CVE-2022-42175 | 1 Soluslabs | 1 Solusvm | 2023-12-10 | N/A | 8.8 HIGH |
Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker to change the password and hostname of other customer servers without authorization. | |||||
CVE-2023-24834 | 1 Wisdomgarden | 1 Tronclass Ilearn | 2023-12-10 | N/A | 6.5 MEDIUM |
WisdomGarden Tronclass has improper access control when uploading file. An authenticated remote attacker with general user privilege can exploit this vulnerability to access files belonging to other users by modifying the file ID within URL. | |||||
CVE-2023-2713 | 1 Rental Module Project | 1 Rental Module | 2023-12-10 | N/A | 9.8 CRITICAL |
Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass.This issue affects Rental Module: before 23.05.15. | |||||
CVE-2023-3048 | 1 Tmtmakine | 2 Lockcell, Lockcell Firmware | 2023-12-10 | N/A | 9.8 CRITICAL |
Authorization Bypass Through User-Controlled Key vulnerability in TMT Lockcell allows Authentication Abuse, Authentication Bypass.This issue affects Lockcell: before 15. | |||||
CVE-2023-0985 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2023-12-10 | N/A | 8.8 HIGH |
An Authorization Bypass vulnerability was found in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual version <= 2.13.3. An authenticated remote user with low privileges can change the password of any user in the same account. This allows to take over the admin user and therefore fully compromise the account. | |||||
CVE-2023-37242 | 1 Huawei | 2 Emui, Harmonyos | 2023-12-10 | N/A | 9.8 CRITICAL |
Vulnerability of commands from the modem being intercepted in the atcmdserver module. Attackers may exploit this vulnerability to rewrite the non-volatile random-access memory (NVRAM), or facilitate the exploitation of other vulnerabilities. | |||||
CVE-2023-34000 | 1 Woocommerce | 1 Stripe Payment Gateway | 2023-12-10 | N/A | 7.5 HIGH |
Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0 versions. | |||||
CVE-2023-3066 | 1 Mobatime | 1 Amxgt 100 | 2023-12-10 | N/A | 8.1 HIGH |
Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administratorsThis issue affects Mobatime mobile application AMXGT100: through 1.3.20. | |||||
CVE-2023-1749 | 1 Getnexx | 8 Nxal-100, Nxal-100 Firmware, Nxg-100b and 5 more | 2023-12-10 | N/A | 6.5 MEDIUM |
The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could send API requests that the affected devices would execute. | |||||
CVE-2023-2065 | 1 Armoli | 1 Cargo Tracking System | 2023-12-10 | N/A | 8.8 HIGH |
Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication Abuse, Authentication Bypass.This issue affects Cargo Tracking System: before 3558f28 . | |||||
CVE-2023-24842 | 1 Hgiga | 1 Oaklouds Mailsherlock | 2023-12-10 | N/A | 5.3 MEDIUM |
HGiga MailSherlock has vulnerability of insufficient access control. An unauthenticated remote user can exploit this vulnerability to access partial content of another user’s mail by changing user ID and mail ID within URL. |