Export limit exceeded: 343942 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (1507 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-24834 | 1 Wisdomgarden | 1 Tronclass Ilearn | 2025-02-19 | 6.5 Medium |
| WisdomGarden Tronclass has improper access control when uploading file. An authenticated remote attacker with general user privilege can exploit this vulnerability to access files belonging to other users by modifying the file ID within URL. | ||||
| CVE-2023-24842 | 1 Hgiga | 1 Oaklouds Mailsherlock | 2025-02-19 | 5.3 Medium |
| HGiga MailSherlock has vulnerability of insufficient access control. An unauthenticated remote user can exploit this vulnerability to access partial content of another user’s mail by changing user ID and mail ID within URL. | ||||
| CVE-2023-26984 | 1 Peppermint | 1 Peppermint | 2025-02-18 | 8.1 High |
| An issue in the password reset function of Peppermint v0.2.4 allows attackers to access the emails and passwords of the Tickets page via a crafted request. | ||||
| CVE-2025-26788 | 2025-02-15 | 8.4 High | ||
| StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction. | ||||
| CVE-2024-1470 | 1 Netiq | 1 Client Login Extension | 2025-02-14 | 7.1 High |
| Authorization Bypass Through User-Controlled Key vulnerability in NetIQ (OpenText) Client Login Extension on Windows allows Privilege Escalation, Code Injection.This issue only affects NetIQ Client Login Extension: 4.6. | ||||
| CVE-2024-34520 | 2025-02-13 | 8.8 High | ||
| An authorization bypass vulnerability exists in the Mavenir SCE Application Provisioning Portal, version PORTAL-LBS-R_1_0_24_0, which allows an authenticated 'guest' user to perform unauthorized administrative actions, such as accessing the 'add user' feature, by bypassing client-side access controls. | ||||
| CVE-2023-0967 | 1 Imaworldhealth | 1 Bhima | 2025-02-13 | 6.5 Medium |
| Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform. | ||||
| CVE-2024-1313 | 1 Redhat | 1 Enterprise Linux | 2025-02-13 | 6.5 Medium |
| It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5. | ||||
| CVE-2023-44249 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2025-02-13 | 4.1 Medium |
| An authorization bypass through user-controlled key [CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests. | ||||
| CVE-2023-32352 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-02-13 | 5.5 Medium |
| A logic issue was addressed with improved checks. This issue is fixed in watchOS 9.5, macOS Ventura 13.4, macOS Big Sur 11.7.7, macOS Monterey 12.6.6, iOS 16.5 and iPadOS 16.5. An app may bypass Gatekeeper checks. | ||||
| CVE-2023-3219 | 1 Myeventon | 1 Eventon | 2025-02-13 | 5.3 Medium |
| The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post. | ||||
| CVE-2024-10497 | 2025-02-12 | 8.8 High | ||
| CWE-639: Authorization Bypass Through User-Controlled Key vulnerability exists that could allow an authorized attacker to modify values outside those defined by their privileges (Elevation of Privileges) when the attacker sends modified HTTPS requests to the device. | ||||
| CVE-2023-2844 | 1 Fit2cloud | 1 Cloudexplorer Lite | 2025-02-12 | 4.9 Medium |
| Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. | ||||
| CVE-2023-2713 | 1 Rental Module Project | 1 Rental Module | 2025-02-12 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass.This issue affects Rental Module: before 23.05.15. | ||||
| CVE-2024-43322 | 1 Zephyr-one | 1 Zephyr Project Manager | 2025-02-11 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.100. | ||||
| CVE-2023-1417 | 1 Gitlab | 1 Gitlab | 2025-02-11 | 4.3 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group. | ||||
| CVE-2024-32683 | 1 Wpmet | 1 Wp Ultimate Review | 2025-02-09 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Wpmet Wp Ultimate Review.This issue affects Wp Ultimate Review: from n/a through 2.2.5. | ||||
| CVE-2023-6317 | 1 Lg | 5 Lg43um7000pla, Oled48c1pub, Oled55a23la and 2 more | 2025-02-07 | 7.2 High |
| A prompt bypass exists in the secondscreen.gateway service running on webOS version 4 through 7. An attacker can create a privileged account without asking the user for the security PIN. Full versions and TV models affected: webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA webOS 5.5.0 - 04.50.51 running on OLED55CXPUA webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA | ||||
| CVE-2022-45175 | 1 Liveboxcloud | 1 Vdesk | 2025-02-07 | 6.5 Medium |
| An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Insecure Direct Object Reference can occur under the 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the file ID of a target file. | ||||
| CVE-2018-17449 | 1 Gitlab | 1 Gitlab | 2025-02-07 | 7.5 High |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Remote attackers could obtain sensitive information about issues, comments, and project titles via events API insecure direct object reference. | ||||