Total
3958 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-0963 | 1 Music Gallery Site Project | 1 Music Gallery Site | 2024-11-25 | 7.3 High |
| A vulnerability was found in SourceCodester Music Gallery Site 1.0. It has been rated as critical. This issue affects some unknown processing of the file Users.php of the component POST Request Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-221633 was assigned to this vulnerability. | ||||
| CVE-2024-10965 | 1 Emqx | 1 Neuron | 2024-11-23 | 4.3 Medium |
| A vulnerability classified as problematic was found in emqx neuron up to 2.10.0. Affected by this vulnerability is an unknown functionality of the file /api/v2/schema of the component JSON File Handler. The manipulation leads to information disclosure. The attack can be launched remotely. The patch is named c9ce39747e0372aaa2157b2b56174914a12c06d8. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2023-3096 | 1 Kylinos | 1 Kylin-software-properties | 2024-11-22 | 5.3 Medium |
| A vulnerability was found in KylinSoft kylin-software-properties on KylinOS. It has been declared as critical. This vulnerability affects the function changedSource. The manipulation leads to improper access controls. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 0.0.1-130 is able to address this issue. It is recommended to upgrade the affected component. VDB-230686 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-5331 | 1 Soflyy | 1 Breakdance | 2024-11-21 | 4.3 Medium |
| The Breakdance plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 1.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to export form submissions. | ||||
| CVE-2023-20267 | 1 Cisco | 1 Firepower Threat Defense | 2024-11-21 | 4 Medium |
| A vulnerability in the IP geolocation rules of Snort 3 could allow an unauthenticated, remote attacker to potentially bypass IP address restrictions. This vulnerability exists because the configuration for IP geolocation rules is not parsed properly. An attacker could exploit this vulnerability by spoofing an IP address until they bypass the restriction. A successful exploit could allow the attacker to bypass location-based IP address restrictions. | ||||
| CVE-2023-6930 | 1 Eurotel | 2 Etl3100, Etl3100 Firmware | 2024-11-21 | 9.4 Critical |
| EuroTel ETL3100 versions v01c01 and v01x37 suffer from an unauthenticated configuration and log download vulnerability. This enables the attacker to disclose sensitive information and assist in authentication bypass, privilege escalation, and full system access. | ||||
| CVE-2019-1690 | 1 Cisco | 100 Application Policy Infrastructure Controller, Firepower 2110, Firepower 2120 and 97 more | 2024-11-21 | 6.5 Medium |
| A vulnerability in the management interface of Cisco Application Policy Infrastructure Controller (APIC) software could allow an unauthenticated, adjacent attacker to gain unauthorized access on an affected device. The vulnerability is due to a lack of proper access control mechanisms for IPv6 link-local connectivity imposed on the management interface of an affected device. An attacker on the same physical network could exploit this vulnerability by attempting to connect to the IPv6 link-local address on the affected device. A successful exploit could allow the attacker to bypass default access control restrictions on an affected device. Cisco Application Policy Infrastructure Controller (APIC) devices running versions prior to 4.2(0.21c) are affected. | ||||
| CVE-2019-1805 | 1 Cisco | 1 Wireless Lan Controller Software | 2024-11-21 | 4.3 Medium |
| A vulnerability in certain access control mechanisms for the Secure Shell (SSH) server implementation for Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, adjacent attacker to access a CLI instance on an affected device. The vulnerability is due to a lack of proper input- and validation-checking mechanisms for inbound SSH connections on an affected device. An attacker could exploit this vulnerability by attempting to establish an SSH connection to an affected controller. An exploit could allow the attacker to access an affected device's CLI to potentially cause further attacks. This vulnerability has been fixed in version 8.5(140.0). | ||||
| CVE-2019-1695 | 1 Cisco | 6 Adaptive Security Appliance Software, Firepower 2110, Firepower 2120 and 3 more | 2024-11-21 | 6.5 Medium |
| A vulnerability in the detection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, adjacent attacker to send data directly to the kernel of an affected device. The vulnerability exists because the software improperly filters Ethernet frames sent to an affected device. An attacker could exploit this vulnerability by sending crafted packets to the management interface of an affected device. A successful exploit could allow the attacker to bypass the Layer 2 (L2) filters and send data directly to the kernel of the affected device. A malicious frame successfully delivered would make the target device generate a specific syslog entry. | ||||
| CVE-2019-1890 | 1 Cisco | 34 9432pq, 9536pq, 9636pq and 31 more | 2024-11-21 | 6.5 Medium |
| A vulnerability in the fabric infrastructure VLAN connection establishment of the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN. The vulnerability is due to insufficient security requirements during the Link Layer Discovery Protocol (LLDP) setup phase of the infrastructure VLAN. An attacker could exploit this vulnerability by sending a malicious LLDP packet on the adjacent subnet to the Cisco Nexus 9000 Series Switch in ACI mode. A successful exploit could allow the attacker to connect an unauthorized server to the infrastructure VLAN, which is highly privileged. With a connection to the infrastructure VLAN, the attacker can make unauthorized connections to Cisco Application Policy Infrastructure Controller (APIC) services or join other host endpoints. | ||||
| CVE-2019-15967 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2024-11-21 | 4.4 Medium |
| A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software could allow an authenticated, local attacker to enable audio recording without notifying users. The vulnerability is due to the presence of unnecessary debug commands. An attacker could exploit this vulnerability by gaining unrestricted access to the restricted shell and using the specific debug commands. A successful exploit could allow the attacker to enable the microphone of an affected device to record audio without notifying users. | ||||
| CVE-2024-2315 | 2024-11-21 | N/A | ||
| APTIOV contains a vulnerability in BIOS where may cause Improper Access Control by a local attacker. Successful exploitation of this vulnerability may lead to unexpected SPI flash modifications and BIOS boot kit launches, also impacting the availability. | ||||
| CVE-2024-7154 | 1 Totolink | 2 A3700r, A3700r Firmware | 2024-11-21 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. Affected is an unknown function of the file /wizard.html of the component Password Reset Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272568. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-7057 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 Medium |
| An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorization level. | ||||
| CVE-2024-6738 | 1 Wisdomgarden | 1 Tronclass | 2024-11-21 | 5.3 Medium |
| The tumbnail API of Tronclass from WisdomGarden lacks proper access control, allowing unauthenticated remote attackers to obtain certain specific files by modifying the URL. | ||||
| CVE-2024-6737 | 1 Electronic Official Document Management System Project | 1 Electronic Official Document Management System | 2024-11-21 | 8.8 High |
| The access control in the Electronic Official Document Management System from 2100 TECHNOLOGY is not properly implemented, allowing remote attackers with regular privileges to access the account settings functionality and create an administrator account. | ||||
| CVE-2024-6727 | 2024-11-21 | 5.4 Medium | ||
| A flaw in versions of Delphix Data Control Tower (DCT) prior to 19.0.0 results in broken authentication through the enable-scale-testing functionality of the application. | ||||
| CVE-2024-6428 | 1 Mattermost | 1 Mattermost | 2024-11-21 | 5.3 Medium |
| Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such administrative actions against the user not working. | ||||
| CVE-2024-6385 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 9.6 Critical |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. | ||||
| CVE-2024-6086 | 1 Lunary | 1 Lunary | 2024-11-21 | 4.3 Medium |
| In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization. | ||||