Total: 1853 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2024-9902 | 1 Redhat | 4 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 1 more | 2024-12-24 | 6.3 Medium | A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. |
CVE-2023-4617 | | | 2024-12-20 | 10 Critical | Incorrect authorization vulnerability in the HTTP POST method of the Govee Home application on Android and iOS allows a remote attacker to control devices owned by other users by changing the values of the "device", "sku" and "type" fields. This issue affects Govee Home applications on Android and iOS in versions before 5.9. |
CVE-2023-38035 | 1 Ivanti | 1 Mobileiron Sentry | 2024-12-20 | 9.8 Critical | A security vulnerability in the MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration. |
CVE-2024-12831 | | | 2024-12-20 | N/A | Arista NG Firewall uvm_login Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Arista NG Firewall. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the uvm_login module. The issue results from incorrect authorization. An attacker can leverage this to escalate privileges to resources normally protected from the user. This was ZDI-CAN-24324. |
CVE-2024-56348 | | | 2024-12-20 | 4.3 Medium | In JetBrains TeamCity before 2024.12, improper access control allowed viewing details of unauthorized agents. |
CVE-2024-56350 | | | 2024-12-20 | 4.3 Medium | In JetBrains TeamCity before 2024.12, build credentials allowed unauthorized viewing of projects. |
CVE-2024-38856 | 1 Apache | 1 Ofbiz | 2024-12-20 | 9.8 Critical | Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of the screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check the user's permissions because they rely on the configuration of their endpoints). |
CVE-2018-9374 | 1 Google | 2 Android, Pixel | 2024-12-18 | 7.8 High | In installPackageLI of PackageManagerService.java, there is a possible permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. |
CVE-2024-30260 | 3 Fedoraproject, Nodejs, Redhat | 3 Fedora, Undici, Openshift Devspaces | 2024-12-18 | 3.9 Low | Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in versions 5.28.4 and 6.11.1. |
CVE-2024-54495 | 1 Apple | 1 Macos | 2024-12-18 | 5.5 Medium | The issue was addressed with improved permissions logic. This issue is fixed in macOS Sequoia 15.2 and macOS Sonoma 14.7.2. An app may be able to modify protected parts of the file system. |
CVE-2024-54662 | | | 2024-12-18 | 9.1 Critical | Dante 1.4.0 through 1.4.3 (fixed in 1.4.4) has incorrect access control for some sockd.conf configurations involving socksmethod. |
CVE-2023-21270 | 1 Google | 1 Android | 2024-12-18 | 7.8 High | In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way for an app to keep permissions that should be revoked, due to incorrect permission flags being cleared during an update. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. |
CVE-2024-12539 | | | 2024-12-18 | 6.5 Medium | An issue was discovered where improper authorization controls affected certain queries, which could allow a malicious actor to circumvent Document Level Security in Elasticsearch and gain access to documents that their roles would normally not allow. |
CVE-2023-28175 | 1 Bosch | 16 Divar Ip 3000, Divar Ip 3000 Firmware, Divar Ip 4000 and 13 more | 2024-12-17 | 7.1 High | Improper Authorization in the SSH server in Bosch VMS 11.0, 11.1.0, and 11.1.1 allows a remote authenticated user to access resources within the trusted internal network via a port forwarding request. |
CVE-2024-24761 | 1 Galette | 1 Galette | 2024-12-17 | 7.5 High | Galette is a membership management web application for non-profit organizations. Starting in version 1.0.0 and prior to version 1.0.2, public pages are by default restricted to administrators and staff members only. Through configuration, access can be widened to up-to-date members or to everyone. Version 1.0.2 fixes this issue. |
CVE-2024-9654 | | | 2024-12-17 | 3.7 Low | The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contain a link to download paid content. Successful exploitation requires knowledge of another customer's email address as well as the file ID of the content they purchased. |
CVE-2022-48495 | 1 Huawei | 1 Emui | 2024-12-17 | 5.3 Medium | Vulnerability of unauthorized access to foreground app information. Successful exploitation of this vulnerability may cause foreground app information to be obtained. |
CVE-2024-37775 | | | 2024-12-17 | 7.5 High | Incorrect access control in Sunbird DCIM dcTrack v9.1.2 allows attackers to create or update a ticket with a location that bypasses an RBAC check. |
CVE-2024-55579 | | | 2024-12-17 | 8.8 High | An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. An unprivileged user with network access may be able to create connection objects that trigger execution of arbitrary EXE files. This is fixed in November 2024 IR, May 2024 Patch 10, February 2024 Patch 14, November 2023 Patch 16, August 2023 Patch 16, May 2023 Patch 18, and February 2023 Patch 15. |
CVE-2024-21987 | 1 Netapp | 1 Snapcenter | 2024-12-17 | 5.4 Medium | SnapCenter versions 4.8 prior to 5.0 are susceptible to a vulnerability which could allow an authenticated SnapCenter Server user to modify system logging configuration settings. |
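The CVE-2024-9902 entry describes a privileged tool (the ansible-core `user` module) writing into a directory owned by a less-privileged user and ending up creating or replacing a file elsewhere on the system. The entry does not name the mechanism; the example below, added here and not Ansible's code, assumes the classic one, a symlink planted by the directory owner that points at a system file, and contrasts a write that follows the path with one that pins the directory by file descriptor, refuses symlinks and hard links, and would apply ownership through the descriptor. The directory layout and file names are constructed for the demonstration (POSIX only).

```python
"""Creating or rewriting a file inside a directory owned by an untrusted user,
from a privileged process. Added example, not the ansible-core user module."""
import os
import stat
import tempfile


def write_following_path(home: str, name: str, data: bytes) -> None:
    """Unsafe: open() follows symlinks, so a link at home/name planted by the
    directory owner redirects the write (and any later chown of that path)
    to whatever the link points at."""
    with open(os.path.join(home, name), "wb") as f:
        f.write(data)


def write_without_following(home: str, name: str, data: bytes) -> None:
    """Hardened: open the directory itself with O_NOFOLLOW and keep its fd,
    open the entry relative to that fd with O_NOFOLLOW, then verify on the
    opened inode (not on a re-resolved path) that it is a regular file with
    a single link before writing. os.fchown(fd, uid, gid) would follow the
    same rule: act on the fd, never on the path."""
    dfd = os.open(home, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600,
                     dir_fd=dfd)
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                # A hard link to a system file passes O_NOFOLLOW; nlink catches it.
                raise PermissionError(f"{name}: not a plain single-link file")
            os.ftruncate(fd, 0)
            os.write(fd, data)
        finally:
            os.close(fd)
    finally:
        os.close(dfd)


def demo() -> dict:
    """Constructed scenario: 'target' stands in for a system file, 'home' is
    the untrusted user's directory and contains a symlink named 'profile'
    pointing at 'target'."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "target")
    with open(target, "wb") as f:
        f.write(b"original\n")
    home = os.path.join(root, "home")
    os.mkdir(home)
    os.symlink(target, os.path.join(home, "profile"))

    write_following_path(home, "profile", b"attacker-controlled\n")
    with open(target, "rb") as f:
        after_unsafe = f.read()

    try:
        write_without_following(home, "profile", b"attacker-controlled\n")
        refused = False
    except OSError:  # ELOOP from O_NOFOLLOW, or the PermissionError above
        refused = True

    # A genuinely new file in the same directory is still created normally.
    write_without_following(home, "fresh", b"ok\n")
    with open(os.path.join(home, "fresh"), "rb") as f:
        fresh = f.read()

    return {
        "unsafe_overwrote_target": after_unsafe == b"attacker-controlled\n",
        "hardened_refused_symlink": refused,
        "hardened_created_fresh": fresh == b"ok\n",
    }


if __name__ == "__main__":
    print(demo())
```

The point of the fd-based version is that every check happens on the object already opened, so there is no window between "look" and "use" for the directory owner to swap in a link; a path-based `os.path.islink()` check before `open()` would not close that window.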
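The CVE-2024-30260 entry says undici's `fetch()` cleared Authorization and Proxy-Authorization headers but `undici.request()` did not; the context is a client following a redirect to another origin, where a credential issued for the first server would otherwise be forwarded to the second. The following is an added Python model of that rule, not undici's code: the header set, URLs and origin comparison are constructed for the demonstration.

```python
"""Which headers may travel with a redirected request. Added example modelling
the cross-origin credential check; not undici's implementation."""
from urllib.parse import urljoin, urlsplit

# Headers that carry a credential meant for one specific server or proxy.
# Constructed list for the example; the page names these two.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in, so that
    https://a.example and https://a.example:443 compare equal and a
    downgrade to http compares unequal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(scheme))


def headers_for_redirect(request_url: str, location: str, headers: dict) -> dict:
    """Return the headers to send to the Location target. Credentials are
    kept only when the redirect stays on the same origin; header-name
    comparison is case-insensitive, as HTTP requires."""
    target = urljoin(request_url, location)  # Location may be relative
    if origin(request_url) == origin(target):
        return dict(headers)
    return {k: v for k, v in headers.items()
            if k.lower() not in SENSITIVE_HEADERS}


def demo() -> dict:
    """Constructed request: a bearer token for api.example.test plus a proxy
    credential, redirected to four different Location values."""
    url = "https://api.example.test/v1/a"
    hdrs = {"Authorization": "Bearer t0k3n",
            "Proxy-Authorization": "Basic cHJveHk=",
            "Accept": "application/json"}

    same_path = headers_for_redirect(url, "/v1/b", hdrs)
    same_port = headers_for_redirect(url, "https://api.example.test:443/v1/c", hdrs)
    other_host = headers_for_redirect(url, "https://cdn.example.test/v1/a", hdrs)
    downgrade = headers_for_redirect(url, "http://api.example.test/v1/a", hdrs)

    return {
        "relative_keeps_credentials": "Authorization" in same_path,
        "explicit_default_port_keeps_credentials": "Authorization" in same_port,
        "other_host_strips_both": not any(
            k.lower() in SENSITIVE_HEADERS for k in other_host),
        "other_host_keeps_accept": other_host.get("Accept") == "application/json",
        "https_to_http_strips": "Authorization" not in downgrade,
    }


if __name__ == "__main__":
    print(demo())
```

Note that "same host" is not enough: the https-to-http case keeps the host but changes scheme and port, and the model treats it as a new origin and drops the credentials.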
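Two entries above, CVE-2023-4617 (Govee Home: changing the "device", "sku" and "type" fields in a POST controls another user's device) and CVE-2024-9654 (Easy Digital Downloads: an email address plus a file ID is enough to read another customer's receipt), share one pattern: the handler acts on whatever object the request names without tying that object to the caller. The example below is added here to show that pattern beside its fix in Python; the store, field names, handlers and token scheme are constructed for the demonstration and are not the vendors' code.

```python
"""Object-level authorization in request handlers. Added example; the data
model and handlers are constructed, not Govee's or Easy Digital Downloads'."""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Device:
    device_id: str
    owner: str                       # authenticated user who registered it
    state: dict = field(default_factory=dict)


@dataclass
class Purchase:
    file_id: str
    email: str
    receipt_token: str               # high-entropy secret sent only to the buyer


class Unauthorized(Exception):
    pass


class Store:
    def __init__(self) -> None:
        self.devices: dict[str, Device] = {}
        self.purchases: dict[tuple, Purchase] = {}   # keyed by (email, file_id)


# Vulnerable: the body's "device" field alone selects the object acted on.
def control_device_unchecked(store: Store, session_user: str, body: dict) -> dict:
    dev = store.devices[body["device"]]
    dev.state.update(body["command"])
    return dev.state


# Hardened: resolve the object, then require that the session owns it.
def control_device(store: Store, session_user: str, body: dict) -> dict:
    dev = store.devices.get(body["device"])
    if dev is None or dev.owner != session_user:
        # One answer for "no such device" and "not yours" avoids enumeration.
        raise Unauthorized("device not found")
    dev.state.update(body["command"])
    return dev.state


# Vulnerable: email and file ID are guessable, so knowing them is enough.
def receipt_unchecked(store: Store, body: dict) -> dict:
    p = store.purchases[(body["email"], body["file_id"])]
    return {"download": f"/download/{p.file_id}"}


# Hardened: also require the per-purchase token, compared in constant time.
def receipt(store: Store, body: dict) -> dict:
    p = store.purchases.get((body["email"], body["file_id"]))
    supplied = body.get("token", "")
    if p is None or not hmac.compare_digest(p.receipt_token, supplied):
        raise Unauthorized("receipt not available")
    return {"download": f"/download/{p.file_id}"}


def demo() -> dict:
    """Constructed scenario: alice owns lamp-1 and bought file f-42;
    mallory is logged in as herself and knows alice's identifiers."""
    store = Store()
    store.devices["lamp-1"] = Device("lamp-1", owner="alice")
    token = secrets.token_urlsafe(32)
    store.purchases[("alice@example.test", "f-42")] = Purchase(
        "f-42", "alice@example.test", token)
    out = {}

    body = {"device": "lamp-1", "command": {"power": "off"}}
    out["unchecked_lets_mallory_control"] = (
        control_device_unchecked(store, "mallory", body) == {"power": "off"})
    try:
        control_device(store, "mallory", body)
        out["checked_refuses_mallory"] = False
    except Unauthorized:
        out["checked_refuses_mallory"] = True
    out["checked_allows_owner"] = control_device(
        store, "alice", {"device": "lamp-1", "command": {"power": "on"}})["power"] == "on"

    guess = {"email": "alice@example.test", "file_id": "f-42"}
    out["unchecked_leaks_receipt"] = "download" in receipt_unchecked(store, guess)
    try:
        receipt(store, guess)
        out["checked_refuses_without_token"] = False
    except Unauthorized:
        out["checked_refuses_without_token"] = True
    out["checked_allows_with_token"] = (
        receipt(store, {**guess, "token": token})["download"] == "/download/f-42")
    return out


if __name__ == "__main__":
    print(demo())
```

The device case binds the object to the authenticated session; the receipt case, where there may be no session at all, binds it to a secret only the legitimate recipient received. Either way the decision is made server-side from the stored object, never from identifiers the client chose.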