Total: 352 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-55232 | | | 2024-12-26 | 5.4 Medium | An IDOR vulnerability in the manage-notes.php module in PHPGurukul Online Notes Sharing Management System v1.0 allows unauthorized users to delete notes belonging to other accounts due to missing authorization checks. This flaw enables attackers to delete another user's information.
CVE-2024-55470 | | | 2024-12-20 | 7.5 High | Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication.
CVE-2024-3843 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-12-19 | 4.3 Medium | Insufficient data validation in Downloads in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
CVE-2023-34157 | 1 Huawei | 1 Harmonyos | 2024-12-17 | 10 Critical | Vulnerability of HwWatchHealth being hijacked. Successful exploitation of this vulnerability may cause repeated pop-up windows of the app.
CVE-2022-48469 | 1 Huawei | 2 B535-232a, B535-232a Firmware | 2024-12-17 | 6.5 Medium | There is a traffic hijacking vulnerability in Huawei routers. Successful exploitation of this vulnerability can cause packets to be hijacked by attackers.
CVE-2024-28228 | 1 Jetbrains | 1 Youtrack | 2024-12-16 | 5.3 Medium | In JetBrains YouTrack before 2024.1.25893, creating comments on behalf of an arbitrary user in HelpDesk was possible.
CVE-2023-41133 | | | 2024-12-13 | 5.3 Medium | Authentication Bypass by Spoofing vulnerability in Michal Novák Secure Admin IP allows Functionality Bypass. This issue affects Secure Admin IP: from n/a through 2.0.
CVE-2023-34167 | 1 Huawei | 1 Emui | 2024-12-12 | 5.3 Medium | Vulnerability of spoofing trustlists of Huawei desktop. Successful exploitation of this vulnerability can cause third-party apps to hide app icons on the desktop to prevent them from being uninstalled.
CVE-2023-34160 | 1 Huawei | 1 Emui | 2024-12-12 | 5.3 Medium | Vulnerability of spoofing trustlists of Huawei desktop. Successful exploitation of this vulnerability can cause third-party apps to hide app icons on the desktop to prevent them from being uninstalled.
CVE-2023-34158 | 1 Huawei | 1 Emui | 2024-12-12 | 5.3 Medium | Vulnerability of spoofing trustlists of Huawei desktop. Successful exploitation of this vulnerability can cause third-party apps to hide app icons on the desktop to prevent them from being uninstalled.
CVE-2024-1347 | 1 Gitlab | 1 Gitlab | 2024-12-11 | 4.3 Medium | An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, and all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker using a crafted email address may be able to bypass domain-based restrictions on an instance or a group.
CVE-2023-42843 | 5 Apple, Fedoraproject, Redhat and 2 more | 9 Ios And Ipados, Ipad Os, Iphone Os and 6 more | 2024-12-09 | 7.5 High | An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, Safari 17.1, macOS Sonoma 14.1. Visiting a malicious website may lead to address bar spoofing.
CVE-2023-42889 | 1 Apple | 1 Macos | 2024-12-09 | 5.3 Medium | The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to bypass certain Privacy preferences.
CVE-2023-3128 | 2 Grafana, Redhat | 3 Grafana, Ceph Storage, Enterprise Linux | 2024-12-06 | 9.4 Critical | Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
CVE-2023-27964 | 1 Apple | 1 Airpods Firmware | 2024-12-05 | 5.4 Medium | An authentication issue was addressed with improved state management. This issue is fixed in AirPods Firmware Update 5E133. When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones.
CVE-2024-22457 | 1 Dell | 1 Secure Connect Gateway | 2024-12-04 | 7.1 High | Dell Secure Connect Gateway 5.20 contains an improper authentication vulnerability during the SRS to SCG update path. A remote low-privileged attacker could potentially exploit this vulnerability, leading to impersonation of the server through presenting a fake self-signed certificate and communicating with the remote server.
CVE-2023-27199 | 1 Paxtechnology | 2 Pax A930, Pax A930 Firmware | 2024-12-04 | 6.7 Medium | PAX Technology A930 PayDroid_7.1.1_Virgo_V04.5.02_20220722 allows attackers to compile a malicious shared library and use LD_PRELOAD to bypass authorization checks.
CVE-2024-36466 | 1 Zabbix | 1 Zabbix | 2024-12-04 | 8.8 High | A bug in the code allows an attacker to sign a forged zbx_session cookie, which then allows them to sign in with admin permissions.
CVE-2021-25827 | 1 Emby | 1 Emby | 2024-12-03 | 9.8 Critical | Emby Server < 4.7.12.0 is vulnerable to a login bypass attack by setting the X-Forwarded-For header to a local IP address.
CVE-2024-53862 | 1 Argoproj | 1 Argo-workflows | 2024-12-02 | 5.3 Medium | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint `/api/v1/workflows/{namespace}/{name}`; when using `--auth-mode=sso`, all Archived Workflows can be retrieved with a valid token via the same GET Workflow endpoint. No authentication is performed by the Server itself on `client` tokens. Authentication and authorization are instead delegated to the k8s API server. However, the Workflow Archive does not interact with k8s, so any token that looks valid will be considered authenticated, even if it is not a k8s token or even if the token has no RBAC for Argo. To handle the lack of pass-through k8s authN/authZ, the Workflow Archive specifically does the equivalent of a `kubectl auth can-i` check for the respective methods. In 3.5.7 and 3.5.8, the auth check was accidentally removed on the GET Workflow endpoint's fallback to archived workflows on these lines, allowing archived workflows to be retrieved with a fake token. This vulnerability is fixed in 3.6.2 and 3.5.13.