Filtered by CWE-732
Filtered by vendor Subscriptions
Total 1406 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-32990 1 Jenkins 1 Azure Vm Agents 2024-11-21 6.5 Medium
A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.
CVE-2023-32986 1 Jenkins 1 File Parameters 2024-11-21 8.8 High
Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.
CVE-2023-32979 2 Jenkins, Redhat 2 Email Extension, Openshift 2024-11-21 4.3 Medium
Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.
CVE-2023-32724 1 Zabbix 1 Zabbix 2024-11-21 9.1 Critical
Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.
CVE-2023-32723 1 Zabbix 1 Zabbix 2024-11-21 8.5 High
Request to LDAP is sent before user permissions are checked.
CVE-2023-32303 1 Planet 1 Planet 2024-11-21 5.2 Medium
Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the user's group and non-group to read the file as well. This issue was patched in version 2.0.1. As a workaround, set the secret file permissions to only user read/write by hand.
CVE-2023-32162 2 Microsoft, Wacom 3 Windows, Driver, Drivers For Windows 2024-11-21 7.8 High
Wacom Drivers for Windows Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Wacom Drivers for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the WacomInstallI.txt file by the PrefUtil.exe utility. The issue results from incorrect permissions on the WacomInstallI.txt file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-16318.
CVE-2023-32114 1 Sap 1 Netweaver 2024-11-21 2.7 Low
SAP NetWeaver (Change and Transport System) - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an authenticated user with admin privileges to maliciously run a benchmark program repeatedly in intent to slowdown or make the server unavailable which may lead to a limited impact on Availability with No impact on Confidentiality and Integrity of the application.
CVE-2023-32005 1 Nodejs 1 Node.js 2024-11-21 5.3 Medium
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2023-31874 1 Yank-note 1 Yank Note 2024-11-21 8.8 High
Yank Note (YN) 3.52.1 allows execution of arbitrary code when a crafted file is opened, e.g., via nodeRequire('child_process').
CVE-2023-31748 1 Wondershare 1 Mobiletrans 2024-11-21 7.8 High
Insecure permissions in MobileTrans v4.0.11 allows attackers to escalate privileges to local admin via replacing the executable file.
CVE-2023-31454 1 Apache 1 Inlong 2024-11-21 7.5 High
Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0.  The attacker can bind any cluster, even if he is not the cluster owner. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it.[1] https://github.com/apache/inlong/pull/7947 https://github.com/apache/inlong/pull/7947
CVE-2023-31453 1 Apache 1 Inlong 2024-11-21 7.5 High
Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949
CVE-2023-31445 1 Cassianetworks 1 Access Controller 2024-11-21 5.3 Medium
Cassia Access controller before 2.1.1.2203171453, was discovered to have a unprivileged -information disclosure vulnerability that allows read-only users have the ability to enumerate all other users and discover e-mail addresses, phone numbers, and privileges of all other users.
CVE-2023-31238 1 Siemens 2 Q200, Q200 Firmware 2024-11-21 5.5 Medium
A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60). Affected devices are missing cookie protection flags when using the default settings. An attacker who gains access to a session token can use it to impersonate a legitimate application user.
CVE-2023-31142 1 Discourse 1 Discourse 2024-11-21 2 Low
Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, if a site has modified their general category permissions, they could be set back to the default. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. A workaround, only if you are modifying the general category permissions, is to use a new category for the same purpose.
CVE-2023-30897 1 Siemens 1 Wincc 2024-11-21 7.8 High
A vulnerability has been identified in SIMATIC WinCC (All versions < V7.5.2.13). Affected applications fail to set proper access rights for their installation folder if a non-default installation path was chosen during installation. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges.
CVE-2023-30606 1 Discourse 1 Discourse 2024-11-21 4.2 Medium
Discourse is an open source platform for community discussion. In affected versions a user logged as an administrator can call arbitrary methods on the `SiteSetting` class, notably `#clear_cache!` and `#notify_changed!`, which when done on a multisite instance, can affect the entire cluster resulting in a denial of service. Users not running in multisite environments are not affected. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-30512 1 Linuxfoundation 1 Cubefs 2024-11-21 6.5 Medium
CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation. This occurs because DaemonSet has cfs-csi-cluster-role and can thus list all secrets, including the admin secret.
CVE-2023-30399 1 Garo 6 Wallbox Glb, Wallbox Glb Firmware, Wallbox Gtb and 3 more 2024-11-21 8.1 High
Insecure permissions in the settings page of GARO Wallbox GLB/GTB/GTC before v189 allows attackers to redirect users to a crafted update package link via a man-in-the-middle attack.