ReportizFlow
Filtered by vendor
Subscriptions
Total
712 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-27576 | 1 Phplist | 1 Phplist | 2024-11-21 | 6.7 Medium |
| An issue was discovered in phpList before 3.6.14. Due to an access error, it was possible to manipulate and edit data of the system's super admin, allowing one to perform an account takeover of the user with super-admin permission. Specifically, for a request with updatepassword=1, a modified request (manipulating both the ID parameter and the associated username) can bypass the intended email confirmation requirement. For example, the attacker can start from an updatepassword=1 request with their own ID number, and change the ID number to 1 (representing the super admin account) and change the username to admin2. In the first step, the attacker changes the super admin's email address to one under the attacker's control. In the second step, the attacker performs a password reset for the super admin account. The new password allows login as the super admin, i.e., a successful account takeover. | ||||
| CVE-2023-26984 | 1 Peppermint | 1 Peppermint | 2024-11-21 | 8.1 High |
| An issue in the password reset function of Peppermint v0.2.4 allows attackers to access the emails and passwords of the Tickets page via a crafted request. | ||||
| CVE-2023-26428 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2024-11-21 | 6.5 Medium |
| Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Signatures of other users could be read even though they are not explicitly shared. We improved permission handling when requesting snippets that are not explicitly shared with other users. No publicly available exploits are known. | ||||
| CVE-2023-26237 | 1 Watchguard | 8 Edr, Edr Firmware, Epdr and 5 more | 2024-11-21 | 6.7 Medium |
| An issue was discovered in WatchGuard EPDR 8.0.21.0002. It is possible to bypass the defensive capabilities by adding a registry key as SYSTEM. | ||||
| CVE-2023-25403 | 1 Yf-exam Project | 1 Yf-exam | 2024-11-21 | 7.5 High |
| CleverStupidDog yf-exam v 1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username format characters. Any user who logged in within 24 hours. A token can be forged with his username to bypass authentication. | ||||
| CVE-2023-25160 | 1 Nextcloud | 1 Mail | 2024-11-21 | 4.1 Medium |
| Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available. | ||||
| CVE-2023-24842 | 1 Hgiga | 1 Oaklouds Mailsherlock | 2024-11-21 | 5.3 Medium |
| HGiga MailSherlock has vulnerability of insufficient access control. An unauthenticated remote user can exploit this vulnerability to access partial content of another user’s mail by changing user ID and mail ID within URL. | ||||
| CVE-2023-24834 | 1 Wisdomgarden | 1 Tronclass Ilearn | 2024-11-21 | 6.5 Medium |
| WisdomGarden Tronclass has improper access control when uploading file. An authenticated remote attacker with general user privilege can exploit this vulnerability to access files belonging to other users by modifying the file ID within URL. | ||||
| CVE-2023-24625 | 1 Ladybirdweb | 1 Faveo Servicedesk | 2024-11-21 | 6.5 Medium |
| Faveo 5.0.1 allows remote attackers to obtain sensitive information via a modified user ID in an Insecure Direct Object Reference (IDOR) attack. | ||||
| CVE-2023-23679 | 1 Jshelpdesk | 1 Jshelpdesk | 2024-11-21 | 4.6 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in JS Help Desk js-support-ticket allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JS Help Desk: from n/a through 2.7.7. | ||||
| CVE-2023-22471 | 1 Nextcloud | 1 Deck | 2024-11-21 | 3.5 Low |
| Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Broken access control allows a user to delete attachments of other users. There are currently no known workarounds. It is recommended that the Nextcloud Deck app is upgraded to 1.6.5 or 1.7.3 or 1.8.2. | ||||
| CVE-2023-1750 | 1 Getnexx | 8 Nxal-100, Nxal-100 Firmware, Nxg-100b and 5 more | 2024-11-21 | 7.1 High |
| The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could retrieve device history, set device settings, and retrieve device information. | ||||
| CVE-2023-1749 | 1 Getnexx | 8 Nxal-100, Nxal-100 Firmware, Nxg-100b and 5 more | 2024-11-21 | 6.5 Medium |
| The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could send API requests that the affected devices would execute. | ||||
| CVE-2023-1463 | 1 Teampass | 1 Teampass | 2024-11-21 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. | ||||
| CVE-2023-1462 | 1 Vadi | 1 Digikent | 2024-11-21 | 8.8 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Vadi Corporate Information Systems DigiKent allows Authentication Bypass, Authentication Abuse. This issue affects DigiKent: before 23.03.20. | ||||
| CVE-2023-0967 | 1 Imaworldhealth | 1 Bhima | 2024-11-21 | 6.5 Medium |
| Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform. | ||||
| CVE-2023-0882 | 2 Krontech, Microsoft | 2 Single Connect, Windows | 2024-11-21 | 8.8 High |
| Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Kron Tech Single Connect on Windows allows Privilege Abuse. This issue affects Single Connect: 2.16. | ||||
| CVE-2022-4812 | 1 Usememos | 1 Memos | 2024-11-21 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | ||||
| CVE-2022-4811 | 1 Usememos | 1 Memos | 2024-11-21 | 8.3 High |
| Authorization Bypass Through User-Controlled Key vulnerability in usememos usememos/memos.This issue affects usememos/memos before 0.9.1. | ||||
| CVE-2022-4806 | 1 Usememos | 1 Memos | 2024-11-21 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | ||||