| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Improper access control in the password analyzer feature in Devolutions Remote Desktop Manager 2023.2.33 and earlier on Windows allows an attacker to bypass permissions via data source switching.
|
| Improper Protection for Outbound Error Messages and Alert Signals vulnerability in Inohom Home Manager Gateway allows Account Footprinting.This issue affects Home Manager Gateway: before v.1.27.12.
|
| The SJA1000 CAN controller driver backend automatically attempt to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception. |
| In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. |
| The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.9. This is due to missing or incorrect nonce validation on the update_password_validate function. This makes it possible for unauthenticated attackers to reset a user's password via a forged request granted they can trick the user into performing an action such as clicking on a link. |
| Improper access control in Report log filters feature in Devolutions Server 2023.2.10.0 and earlier allows attackers to retrieve logs from vaults or entries they are not allowed to access via the report request url query parameters. |
| A user with a standard account in Fuji Electric Tellus Lite may overwrite files in the system. |
| Improper access control in PAM propagation scripts in Devolutions Server 2023.2.8.0 and ealier allows an attack with permission to manage PAM propagation scripts to retrieve passwords stored in it via a GET request.
|
| An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports. |
| An access control issue in QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 allows unauthenticated attackers to arbitrarily adjust sensitive SMB settings on the QStar Server. |
| IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2,19.0.1, 19.0.2, 19.0.3,20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1,2 2.0.2, 23.0.1, and 23.0.2 may allow end users to query more documents than expected from a connected Enterprise Content Management system when configured to use a system account. IBM X-Force ID: 275938. |
| IBM InfoSphere Information Server 11.7 returns sensitive information in URL information that could be used in further attacks against the system. IBM X-Force ID: 275776. |
| In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed |
| yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 `state` and OpenID Connect `nonce` is vulnerable for a `timing attack` since it is compared via regular string comparison (instead of `Yii::$app->getSecurity()->compareString()`). Version 2.2.15 contains a patch for the issue. No known workarounds are available. |
|
A user without administrator permissions with access to the UC500 windows system could perform a memory dump of the running processes and extract clear credentials or valid session tokens.
|
| An issue was discovered in XiangShan v2.1, allows local attackers to obtain sensitive information via the L1D cache. |
| An issue was discovered in nos client version 0.6.6, allows remote attackers to escalate privileges via getRPCEndpoint.js. |
| Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this vulnerability is exploited, a user may delete or suspend its own account without the user's intention.
|
| The WPB Show Core WordPress plugin through 2.2 is vulnerable to a local file inclusion via the `path` parameter. |
| Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. |
