Filtered by CWE-863
Filtered by vendor Subscriptions
Total 1853 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-44301 1 Apple 1 Macos 2024-12-12 5.5 Medium
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system.
CVE-2024-4006 1 Gitlab 1 Gitlab 2024-12-12 4.3 Medium
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions
CVE-2024-10043 1 Gitlab 1 Gitlab 2024-12-12 3.1 Low
An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4 all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident title through the Wiki History Diff feature, potentially leading to information disclosure.
CVE-2023-34161 1 Huawei 1 Emui 2024-12-12 7.5 High
nappropriate authorization vulnerability in the SettingsProvider module.Successful exploitation of this vulnerability may cause features to perform abnormally.
CVE-2024-0199 1 Gitlab 1 Gitlab 2024-12-11 7.7 High
An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions.
CVE-2023-35866 1 Keepassxc 1 Keepassxc 2024-12-11 5.5 Medium
In KeePassXC through 2.7.5, a local attacker can make changes to the Database security settings, including master password and second-factor authentication, within an authenticated KeePassXC Database session, without the need to authenticate these changes by entering the password and/or second-factor authentication to confirm changes. NOTE: the vendor's position is "asking the user for their password prior to making any changes to the database settings adds no additional protection against a local attacker."
CVE-2024-25149 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-12-11 5.4 Medium
Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site.
CVE-2024-25604 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-12-11 6.5 Medium
Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel.
CVE-2024-38002 1 Liferay 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more 2024-12-11 9 Critical
The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.
CVE-2024-23675 1 Splunk 2 Cloud, Splunk 2024-12-10 6.5 Medium
In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.
CVE-2024-27798 1 Apple 1 Macos 2024-12-09 7.8 High
An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.5. An attacker may be able to elevate privileges.
CVE-2023-52361 1 Huawei 1 Harmonyos 2024-12-09 7.5 High
The VerifiedBoot module has a vulnerability that may cause authentication errors.Successful exploitation of this vulnerability may affect integrity.
CVE-2024-23262 1 Apple 3 Ipados, Iphone Os, Visionos 2024-12-09 4.3 Medium
This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 1.1, iOS 17.4 and iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6. An app may be able to spoof system notifications and UI.
CVE-2021-37864 1 Mattermost 1 Mattermost 2024-12-07 2.6 Low
Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs.
CVE-2022-2408 1 Mattermost 1 Mattermost 2024-12-07 4.3 Medium
The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels.
CVE-2023-2515 1 Mattermost 1 Mattermost Server 2024-12-07 4.7 Medium
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin
CVE-2023-35166 1 Xwiki 1 Xwiki 2024-12-07 10 Critical
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. This has been patched in XWiki 15.1-rc-1 and 14.10.5.
CVE-2024-45204 2024-12-06 N/A
A vulnerability exists where a low-privileged user can exploit insufficient permissions in credential handling to leak NTLM hashes of saved credentials. The exploitation involves using retrieved credentials to expose sensitive NTLM hashes, impacting systems beyond the initial target and potentially leading to broader security vulnerabilities.
CVE-2023-29708 1 Wavlink 1 Wavrouter App 2024-12-06 7.5 High
An issue was discovered in /cgi-bin/adm.cgi in WavLink WavRouter version RPT70HA1.x, allows attackers to force a factory reset via crafted payload.
CVE-2024-11680 1 Projectsend 1 Projectsend 2024-12-06 9.8 Critical
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.