Total
1315 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46311 | 1 Gvectors | 1 Wpdiscuz | 2024-11-21 | N/A | 2.7 LOW |
|
Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through 7.6.3.
|
|||||
| CVE-2023-45893 | 1 Floorsightsoftware | 1 Customer Portal | 2024-11-21 | N/A | 7.5 HIGH |
|
An indirect Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.
|
|||||
| CVE-2023-45396 | 1 Elenos | 2 Etg150, Etg150 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
|
An Insecure Direct Object Reference (IDOR) vulnerability leads to events profiles access in Elenos ETG150 FM transmitter running on version 3.12.
|
|||||
| CVE-2023-45393 | 1 Grandingteco | 1 Utime Master | 2024-11-21 | N/A | 6.5 MEDIUM |
|
An indirect object reference (IDOR) in GRANDING UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to access sensitive information via a crafted cookie.
|
|||||
| CVE-2023-45380 | 1 Silbersaiten | 1 Order Duplicator | 2024-11-21 | N/A | 8.8 HIGH |
|
In the module "Order Duplicator " Clone and Delete Existing Order" (orderduplicate) in version <= 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can download personal information from ps_customer/ps_address tables such as name / surname / phone number / full postal address.
|
|||||
| CVE-2023-44249 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-11-21 | N/A | 4.3 MEDIUM |
|
An authorization bypass through user-controlled key [CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests.
|
|||||
| CVE-2023-44206 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2024-11-21 | N/A | 9.1 CRITICAL |
|
Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.
|
|||||
| CVE-2023-44205 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2024-11-21 | N/A | 5.3 MEDIUM |
|
Sensitive information disclosure due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.
|
|||||
| CVE-2023-44154 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2024-11-21 | N/A | 8.1 HIGH |
|
Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.
|
|||||
| CVE-2023-43900 | 1 Emsigner | 1 Emsigner | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Insecure Direct Object References (IDOR) in EMSigner v2.8.7 allow attackers to gain unauthorized access to application content and view sensitive data of other users via manipulation of the documentID and EncryptedDocumentId parameters.
|
|||||
| CVE-2023-43668 | 1 Apache | 1 Inlong | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,
some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile"....
.
Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/8604
|
|||||
| CVE-2023-42455 | 1 Wazuh | 2 Wazuh-dashboard, Wazuh-kibana-app | 2024-11-21 | N/A | 8.8 HIGH |
|
Wazuh is a security detection, visibility, and compliance open source project. In versions 4.4.0 and 4.4.1, it is possible to get the Wazuh API administrator key used by the Dashboard using the browser development tools. This allows a logged user to the dashboard to become administrator of the API, even if their dashboard role is not. Version 4.4.2 contains a fix. There are no known workarounds.
|
|||||
| CVE-2023-42334 | 1 Fl3xx | 2 Crew, Dispatch | 2024-11-21 | N/A | 6.5 MEDIUM |
|
An Indirect Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to escalate privileges via the user parameter.
|
|||||
| CVE-2023-41796 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2024-11-21 | N/A | 5.3 MEDIUM |
|
Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers.This issue affects Sunshine Photo Cart: Free Client Galleries for Photographers: from n/a before 3.0.0.
|
|||||
| CVE-2023-41368 | 1 Sap | 1 S\/4 Hana | 2024-11-21 | N/A | 2.7 LOW |
|
The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.
|
|||||
| CVE-2023-41356 | 1 Wisdomgarden | 1 Tronclass Ilearn | 2024-11-21 | N/A | 6.5 MEDIUM |
|
NCSIST ManageEngine Mobile Device Manager(MDM) APP's special function has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and read arbitrary system files.
|
|||||
| CVE-2023-40720 | 1 Fortinet | 1 Fortivoice | 2024-11-21 | N/A | 7.1 HIGH |
|
An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiVoiceEntreprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to read the SIP configuration of other users via crafted HTTP or HTTPS requests.
|
|||||
| CVE-2023-3700 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 6.3 MEDIUM |
|
Authorization Bypass Through User-Controlled Key in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
|
|||||
| CVE-2023-3290 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 5.0 MEDIUM |
|
A BOLA vulnerability in POST /customers allows a low privileged user to create a low privileged user (customer) in the system. This results in unauthorized data manipulation.
|
|||||
| CVE-2023-3289 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 7.7 HIGH |
|
A BOLA vulnerability in POST /services allows a low privileged user to create a service for any user in the system (including admin). This results in unauthorized data manipulation.
|
|||||
| CVE-2023-3288 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 8.5 HIGH |
|
A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.
|
|||||
| CVE-2023-3287 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 9.9 CRITICAL |
|
A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.
|
|||||
| CVE-2023-3286 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 7.7 HIGH |
|
A BOLA vulnerability in POST /secretaries allows a low privileged user to create a low privileged user (secretary) in the system. This results in unauthorized data manipulation.
|
|||||
| CVE-2023-3285 | 2024-11-21 | N/A | 7.7 HIGH | ||
|
A BOLA vulnerability in POST /appointments allows a low privileged user to create an appointment for any user in the system (including admin). This results in unauthorized data manipulation.
|
|||||
| CVE-2023-3219 | 1 Myeventon | 1 Eventon | 2024-11-21 | N/A | 5.3 MEDIUM |
|
The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.
|
|||||
| CVE-2023-3066 | 1 Mobatime | 1 Amxgt 100 | 2024-11-21 | N/A | 8.1 HIGH |
|
Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administratorsThis issue affects Mobatime mobile application AMXGT100: through 1.3.20.
|
|||||
| CVE-2023-3048 | 1 Tmtmakine | 2 Lockcell, Lockcell Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Authorization Bypass Through User-Controlled Key vulnerability in TMT Lockcell allows Authentication Abuse, Authentication Bypass.This issue affects Lockcell: before 15.
|
|||||
| CVE-2023-38884 | 1 Os4ed | 1 Opensis | 2024-11-21 | N/A | 7.5 HIGH |
|
An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>'
|
|||||
| CVE-2023-38872 | 1 Economizzer | 1 Economizzer | 2024-11-21 | N/A | 3.7 LOW |
|
An Insecure Direct Object Reference (IDOR) vulnerability in gugoan Economizzer commit 3730880 (April 2023) and v.0.9-beta1 allows any unauthenticated attacker to access cash book entry attachments of any other user, if they know the Id of the attachment.
|
|||||
| CVE-2023-38513 | 1 Meowapps | 1 Photo Engine | 2024-11-21 | N/A | 5.4 MEDIUM |
|
Authorization Bypass Through User-Controlled Key vulnerability in Jordy Meow Photo Engine (Media Organizer & Lightroom).This issue affects Photo Engine (Media Organizer & Lightroom): from n/a through 6.2.5.
|
|||||
| CVE-2023-38201 | 3 Fedoraproject, Keylime, Redhat | 9 Fedora, Keylime, Enterprise Linux and 6 more | 2024-11-21 | N/A | 6.5 MEDIUM |
|
A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database.
|
|||||
| CVE-2023-38055 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 9.6 CRITICAL |
|
A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
|
|||||
| CVE-2023-38054 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 9.9 CRITICAL |
|
A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipulation.
|
|||||
| CVE-2023-38053 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 9.9 CRITICAL |
|
A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
|
|||||
| CVE-2023-38052 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 9.9 CRITICAL |
|
A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized data manipulation.
|
|||||
| CVE-2023-38051 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 9.9 CRITICAL |
|
A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation.
|
|||||
| CVE-2023-38050 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 9.1 CRITICAL |
|
A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
|
|||||
| CVE-2023-38049 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 9.9 CRITICAL |
|
A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
|
|||||
| CVE-2023-38048 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 9.9 CRITICAL |
|
A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulation.
|
|||||
| CVE-2023-38047 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 8.5 HIGH |
|
A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
|
|||||