Export limit exceeded: 10499 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10499 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-26563 | 1 Synology | 7 Diskstation Manager, Diskstation Manager Unified Controller, Skynas and 4 more | 2025-01-14 | 8.2 High |
| Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors. | ||||
| CVE-2023-2945 | 1 Open-emr | 1 Openemr | 2025-01-14 | 5.4 Medium |
| Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1. | ||||
| CVE-2023-24605 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 4.2 Medium |
| OX App Suite before backend 7.10.6-rev37 does not enforce 2FA for all endpoints, e.g., reading from a drive, reading contact data, and renaming tokens. | ||||
| CVE-2023-24600 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 4.3 Medium |
| OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book. | ||||
| CVE-2023-28352 | 2 Faronics, Microsoft | 2 Insight, Windows | 2025-01-13 | 7.4 High |
| An issue was discovered in Faronics Insight 10.0.19045 on Windows. By abusing the Insight UDP broadcast discovery system, an attacker-controlled artificial Student Console can connect to and attack a Teacher Console even after Enhanced Security Mode has been enabled. | ||||
| CVE-2022-4937 | 1 Wclovers | 1 Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible | 2025-01-13 | 6.3 Medium |
| The WCFM Frontend Manager plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 6.6.0 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more. There were hundreds of AJAX endpoints affected. | ||||
| CVE-2023-2547 | 1 Featherplugins | 1 Feather Login Page | 2025-01-13 | 5.4 Medium |
| The Feather Login Page plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteUser' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the temp user generated by the plugin. | ||||
| CVE-2023-2545 | 1 Featherplugins | 1 Feather Login Page | 2025-01-13 | 8.1 High |
| The Feather Login Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getListOfUsers' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to access the login links, which can be used for privilege escalation. | ||||
| CVE-2022-45353 | 1 Muffingroup | 1 Betheme | 2025-01-13 | 4.3 Medium |
| Broken Access Control in Betheme theme <= 26.6.1 on WordPress. | ||||
| CVE-2020-9081 | 1 Huawei | 14 Mate 20, Mate 20 Firmware, P30 and 11 more | 2025-01-10 | 3.5 Low |
| There is an improper authorization vulnerability in some Huawei smartphones. An attacker could perform a series of operation in specific mode to exploit this vulnerability. Successful exploit could allow the attacker to bypass app lock. (Vulnerability ID: HWPSIRT-2019-12144) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9081. | ||||
| CVE-2023-25729 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Thunderbird and 5 more | 2025-01-10 | 8.8 High |
| Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. | ||||
| CVE-2024-23493 | 1 Mattermost | 1 Mattermost Server | 2025-01-10 | 4.3 Medium |
| Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of. | ||||
| CVE-2024-3761 | 1 Lunary | 1 Lunary | 2025-01-10 | 7.5 High |
| In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `packages/backend/src/api/v1/datasets` is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid token, to delete a dataset by sending a DELETE request to the endpoint. The issue was fixed in version 1.2.8. The impact of this vulnerability is significant as it permits unauthorized users to delete datasets, potentially leading to data loss or disruption of service. | ||||
| CVE-2024-1738 | 1 Lunary | 1 Lunary | 2025-01-10 | 7.5 High |
| An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL query. As a result, attackers can gain access to potentially private data contained within the evaluation results. | ||||
| CVE-2024-1740 | 1 Lunary | 1 Lunary | 2025-01-10 | 9.1 Critical |
| In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which does not properly invalidate upon the user's removal from the organization. This allows the removed user to perform unauthorized actions on logs and access project and external user details without valid permissions. | ||||
| CVE-2024-4011 | 1 Gitlab | 1 Gitlab | 2025-01-09 | 3.1 Low |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives. | ||||
| CVE-2023-34218 | 1 Jetbrains | 1 Teamcity | 2025-01-09 | 9.1 Critical |
| In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible | ||||
| CVE-2023-34219 | 1 Jetbrains | 1 Teamcity | 2025-01-09 | 4.3 Medium |
| In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API | ||||
| CVE-2023-28657 | 1 Contec | 1 Conprosys Hmi System | 2025-01-09 | 8.8 High |
| Improper access control vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user of the PC where the affected product is installed may gain an administrative privilege. As a result, information regarding the product may be obtained and/or altered by the user. | ||||
| CVE-2023-25749 | 1 Mozilla | 1 Firefox | 2025-01-09 | 4.3 Medium |
| Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so. <br>*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 111. | ||||