Export limit exceeded: 19922 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10411 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10411 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-48897 | 1 Moodle | 1 Moodle | 2024-11-20 | 6.5 Medium |
| A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify. | ||||
| CVE-2024-48898 | 1 Moodle | 1 Moodle | 2024-11-20 | 6.5 Medium |
| A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from. | ||||
| CVE-2024-48901 | 1 Moodle | 1 Moodle | 2024-11-20 | 4.3 Medium |
| A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report. | ||||
| CVE-2024-43323 | 2 Reviewx, Wpdeveloper | 2 Reviewx, Reviewx | 2024-11-19 | 5.3 Medium |
| Missing Authorization vulnerability in ReviewX ReviewX allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ReviewX: from n/a through 1.6.28. | ||||
| CVE-2024-10575 | 1 Schneider-electric | 1 Ecostruxure It Gateway | 2024-11-19 | 9.8 Critical |
| CWE-862: Missing Authorization vulnerability exists that could cause unauthorized access when enabled on the network and potentially impacting connected devices. | ||||
| CVE-2024-37095 | 2024-11-19 | 4.3 Medium | ||
| Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Envira Photo Gallery: from n/a through 1.8.7.3. | ||||
| CVE-2021-3987 | 2 Calibre-web Project, Janeczku | 2 Calibre-web, Calibre-web | 2024-11-19 | 4.3 Medium |
| An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users. | ||||
| CVE-2022-31671 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | 7.4 High |
| Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database. | ||||
| CVE-2022-31667 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | 6.4 Medium |
| Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions. | ||||
| CVE-2022-31668 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | 7.4 High |
| Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects. | ||||
| CVE-2022-31670 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | 7.7 High |
| Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag retention policies configured in other projects. | ||||
| CVE-2022-31669 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | 6.4 Medium |
| Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies configured in other projects. | ||||
| CVE-2024-3379 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary-ai\/lunary | 2024-11-18 | 9.6 Critical |
| In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private key of a project without having the necessary permissions or being assigned to that project. This issue was fixed in version 1.2.7. | ||||
| CVE-2024-48073 | 1 Sunniwell | 1 Ht3300 Firmware | 2024-11-18 | 9.8 Critical |
| sunniwell HT3300 before 1.0.0.B022.2 is vulnerable to Insecure Permissions. The /usr/local/bin/update program, which is responsible for updating the software in the HT3300 device, is given the execution mode of sudo NOPASSWD. This program is vulnerable to a command injection vulnerability, which could allow an attacker to pass commands to this program via command line arguments to gain elevated root privileges. | ||||
| CVE-2024-44765 | 1 Mgt-commerce | 1 Cloudpanel | 2024-11-18 | 6.5 Medium |
| An Improper Authorization (Access Control Misconfiguration) vulnerability in MGT-COMMERCE GmbH CloudPanel v2.0.0 to v2.4.2 allows low-privilege users to bypass access controls and gain unauthorized access to sensitive configuration files and administrative functionality. | ||||
| CVE-2024-11125 | 1 Get-simple | 1 Getsimplecms | 2024-11-15 | 4.3 Medium |
| A vulnerability was found in GetSimpleCMS 3.3.16 and classified as problematic. This issue affects some unknown processing of the file /admin/profile.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-49376 | 1 Autolabproject | 1 Autolab | 2024-11-14 | 8.8 High |
| Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist. | ||||
| CVE-2024-42000 | 1 Mattermost | 1 Mattermost Server | 2024-11-14 | 2.7 Low |
| Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to /api/v4/channels. | ||||
| CVE-2024-50310 | 1 Siemens | 2 Simatic Cp 1543-1, Simatic Cp 1543-1 Firmware | 2024-11-13 | 7.5 High |
| A vulnerability has been identified in SIMATIC CP 1543-1 V4.0 (6GK7543-1AX10-0XE0) (All versions >= V4.0.44 < V4.0.50). Affected devices do not properly handle authorization. This could allow an unauthenticated remote attacker to gain access to the filesystem. | ||||
| CVE-2024-43919 | 1 Yarpp | 2 Yarpp, Yet Another Related Posts Plugin | 2024-11-13 | 5.3 Medium |
| Access Control vulnerability in YARPP YARPP allows . This issue affects YARPP: from n/a through 5.30.10. | ||||