Total: 6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-4943 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2024-11-21 | N/A | 4.3 MEDIUM | The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_visibility function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products. |
| CVE-2023-4941 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2024-11-21 | N/A | 4.3 MEDIUM | The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_swap function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products. |
| CVE-2023-4938 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2024-11-21 | N/A | 4.3 MEDIUM | The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_apply_default_combination function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products. |
| CVE-2023-4895 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 4.3 MEDIUM | An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the 'group ip restriction' settings to access environment details of projects. |
| CVE-2023-4700 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 3.5 LOW | An authorization issue affecting GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1, allowed a user to run jobs in protected environments, bypassing any required approvals. |
| CVE-2023-4668 | 1 Ad Inserter Project | 1 Ad Inserter | 2024-11-21 | N/A | 5.3 MEDIUM | The Ad Inserter for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai-debug-processing-fe URL parameter. This can allow unauthenticated attackers to extract sensitive data including installed plugins (present and active), active theme, various plugin settings, WordPress version, as well as some server settings such as memory limit and installation paths. |
| CVE-2023-4645 | 1 Igorfuna | 1 Ad Inserter | 2024-11-21 | N/A | 5.3 MEDIUM | The Ad Inserter for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai_ajax function. This can allow unauthenticated attackers to extract sensitive data such as post titles and slugs (including those of protected posts along with their passwords), usernames, available roles, and the plugin license key, provided the remote debugging option is enabled. In the default state it is disabled. |
| CVE-2023-4637 | 1 Wpvivid | 1 Migration, Backup, Staging | 2024-11-21 | N/A | 4.3 MEDIUM | The WPvivid plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the restore() and get_restore_progress() functions in versions up to, and including, 0.9.94. This makes it possible for unauthenticated attackers to invoke these functions and obtain full file paths if they have access to a back-up ID. |
| CVE-2023-4630 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 5.0 MEDIUM | An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports. |
| CVE-2023-4606 | 1 Lenovo | 104 Thinkagile Hx1331, Thinkagile Hx1331 Firmware, Thinkagile Hx2330 and 101 more | 2024-11-21 | N/A | 8.1 HIGH | An authenticated XCC user with Read-Only permission can change a different user's password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. |
| CVE-2023-4468 | 1 Poly | 4 Lens, Trio 8800, Trio 8800 Firmware and 1 more | 2024-11-21 | 4.6 MEDIUM | 4.3 MEDIUM | A vulnerability was found in Poly Trio 8500, Trio 8800 and Trio C60. It has been classified as problematic. This affects an unknown part of the component Poly Lens Management Cloud Registration. The manipulation leads to missing authorization. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier VDB-249261 was assigned to this vulnerability. |
| CVE-2023-4434 | 1 Hamza417 | 1 Inure | 2024-11-21 | N/A | 6.1 MEDIUM | Missing Authorization in GitHub repository hamza417/inure prior to build88. |
| CVE-2023-4302 | 1 Jenkins | 1 Fortify | 2024-11-21 | N/A | 4.2 MEDIUM | A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2023-4282 | 1 Wpdeveloper | 1 Embedpress | 2024-11-21 | N/A | 5.4 MEDIUM | The EmbedPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'admin_post_remove' and 'remove_private_data' functions in versions up to, and including, 3.8.2. This makes it possible for authenticated attackers with subscriber privileges or above to delete plugin settings. |
| CVE-2023-4198 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2024-11-21 | N/A | 6.5 MEDIUM | Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data. |
| CVE-2023-4164 | 1 Google | 2 Android, Pixel | 2024-11-21 | N/A | 8.4 HIGH | There is a possible information disclosure due to a missing permission check. This could lead to local information disclosure of health data with no additional execution privileges needed. |
| CVE-2023-4124 | 1 Answer | 1 Answer | 2024-11-21 | N/A | 6.5 MEDIUM | Missing Authorization in GitHub repository answerdev/answer prior to v1.1.1. |
| CVE-2023-4106 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 6.3 MEDIUM | Mattermost fails to check if the requesting user is a guest before performing different actions on public playbooks, resulting in a guest being able to view, join, edit, export and archive public playbooks. |
| CVE-2023-4105 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 3.1 LOW | Mattermost fails to delete the attachments when deleting a message in a thread, allowing a simple user to still be able to access and download the attachment of a deleted message. |
| CVE-2023-49742 | | | 2024-11-21 | N/A | 9.9 CRITICAL | Missing Authorization vulnerability in Support Genix. This issue affects Support Genix: from n/a through 1.2.3. |
| CVE-2023-49674 | 1 Jenkins | 1 Neuvector Vulnerability Scanner | 2024-11-21 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. |
| CVE-2023-49654 | 1 Jenkins | 1 Matlab | 2024-11-21 | N/A | 9.8 CRITICAL | Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system. |
| CVE-2023-49652 | 1 Jenkins | 1 Google Compute Engine | 2024-11-21 | N/A | 2.7 LOW | Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1. |
| CVE-2023-49620 | 1 Apache | 1 Dolphinscheduler | 2024-11-21 | N/A | 6.5 MEDIUM | Before DolphinScheduler version 3.1.0, the login user could delete UDF functions in the resource center unauthorized (which are almost always used in SQL tasks), an unauthorized access vulnerability (IDOR); after version 3.1.0 this issue is fixed. This CVE is marked as moderate level because it still requires user login to operate; please upgrade to version 3.1.0 to avoid this vulnerability. |
| CVE-2023-49230 | 1 Peplink | 2 Balance Two, Balance Two Firmware | 2024-11-21 | N/A | 8.8 HIGH | An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication. |
| CVE-2023-49229 | 1 Peplink | 2 Balance Two, Balance Two Firmware | 2024-11-21 | N/A | 4.3 MEDIUM | An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in the administration web service allows read-only, unprivileged users to obtain sensitive information about the device configuration. |
| CVE-2023-49003 | 1 Simplemobiletools | 1 Simple Dialer | 2024-11-21 | N/A | 5.3 MEDIUM | An issue in simplemobiletools Simple Dialer 5.18.1 allows an attacker to bypass intended access restrictions via interaction with com.simplemobiletools.dialer.activities.DialerActivity. |
| CVE-2023-48761 | 1 Crocoblock | 1 Jetelements | 2024-11-21 | N/A | 6.3 MEDIUM | Missing Authorization vulnerability in Crocoblock JetElements For Elementor. This issue affects JetElements For Elementor: from n/a through 2.6.13. |
| CVE-2023-48760 | 1 Crocoblock | 1 Jetelements | 2024-11-21 | N/A | 8.2 HIGH | Missing Authorization vulnerability in Crocoblock JetElements For Elementor. This issue affects JetElements For Elementor: from n/a through 2.6.13. |
| CVE-2023-48759 | 1 Crocoblock | 1 Jetelements | 2024-11-21 | N/A | 7.5 HIGH | Missing Authorization vulnerability in Crocoblock JetElements For Elementor. This issue affects JetElements For Elementor: from n/a through 2.6.13. |
| CVE-2023-48751 | 1 Xnau | 1 Participants Database | 2024-11-21 | N/A | 4.3 MEDIUM | Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in Roland Barker, xnau webdesign Participants Database allows Accessing Functionality Not Properly Constrained by ACLs, Cross Site Request Forgery. This issue affects Participants Database: from n/a through 2.5.5. |
| CVE-2023-48417 | 1 Google | 2 Chromecast, Chromecast Firmware | 2024-11-21 | N/A | 9.8 CRITICAL | Missing Permission checks resulting in unauthorized access and Manipulation in KeyChainActivity Application. |
| CVE-2023-48402 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH | In ppcfw_enable of ppcfw.c, there is a possible EoP due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2023-48375 | 1 Csharp | 1 Cws Collaborative Development Platform | 2024-11-21 | N/A | 8.8 HIGH | SmartStar Software CWS is a web-based integration platform; it has a missing authorization vulnerability, and users are able to access data or perform actions that they should not be allowed to perform via commands. An authenticated user with normal user privilege can execute administrator-privileged operations, resulting in arbitrary system operations or disruption of service. |
| CVE-2023-48280 | | | 2024-11-21 | N/A | 7.5 HIGH | Missing Authorization vulnerability in Consensu.IO Consensu.Io. This issue affects Consensu.Io: from n/a through 1.0.1. |
| CVE-2023-48273 | | | 2024-11-21 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Preloader for Website. This issue affects Preloader for Website: from n/a through 1.2.2. |
| CVE-2023-48247 | 1 Bosch | 21 Nexo-os, Nexo Cordless Nutrunner Nxa011s-36v-b (0608842012), Nexo Cordless Nutrunner Nxa011s-36v (0608842011) and 18 more | 2024-11-21 | N/A | 5.3 MEDIUM | The vulnerability allows an unauthenticated remote attacker to read arbitrary files under the context of the application OS user ("root") via a crafted HTTP request. |
| CVE-2023-48245 | 1 Bosch | 21 Nexo-os, Nexo Cordless Nutrunner Nxa011s-36v-b (0608842012), Nexo Cordless Nutrunner Nxa011s-36v (0608842011) and 18 more | 2024-11-21 | N/A | 6.5 MEDIUM | The vulnerability allows an unauthenticated remote attacker to upload arbitrary files under the context of the application OS user ("root") via a crafted HTTP request. |
| CVE-2023-48222 | 1 Pagerduty | 1 Rundeck | 2024-11-21 | N/A | 8.1 HIGH | Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions, access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. This issue has been addressed in version 4.17.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
| CVE-2023-47870 | 1 Gvectors | 1 Wpforo Forum | 2024-11-21 | N/A | 7.1 HIGH | Cross-Site Request Forgery (CSRF), Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs, leading to forced log out of all users. This issue affects wpForo Forum: from n/a through 2.2.6. |