Total
2262 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13302 | 2025-01-10 | 5.3 Medium | ||
| Incorrect Authorization vulnerability in Drupal Pages Restriction Access allows Forceful Browsing.This issue affects Pages Restriction Access: from 2.0.0 before 2.0.3. | ||||
| CVE-2023-25729 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Thunderbird and 5 more | 2025-01-10 | 8.8 High |
| Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. | ||||
| CVE-2023-23604 | 1 Mozilla | 1 Firefox | 2025-01-10 | 6.5 Medium |
| A duplicate <code>SystemPrincipal</code> object could be created when parsing a non-system html document via <code>DOMParser::ParseFromSafeString</code>. This could have lead to bypassing web security checks. This vulnerability affects Firefox < 109. | ||||
| CVE-2024-13282 | 2025-01-10 | 8.8 High | ||
| Incorrect Authorization vulnerability in Drupal Block permissions allows Forceful Browsing.This issue affects Block permissions: from 1.0.0 before 1.2.0. | ||||
| CVE-2024-13281 | 2025-01-10 | 9.1 Critical | ||
| Incorrect Authorization vulnerability in Drupal Monster Menus allows Forceful Browsing.This issue affects Monster Menus: from 0.0.0 before 9.3.2. | ||||
| CVE-2024-13278 | 2025-01-10 | 9.1 Critical | ||
| Incorrect Authorization vulnerability in Drupal Diff allows Functionality Misuse.This issue affects Diff: from 0.0.0 before 1.8.0. | ||||
| CVE-2024-13277 | 2025-01-10 | 9.1 Critical | ||
| Incorrect Authorization vulnerability in Drupal Smart IP Ban allows Forceful Browsing.This issue affects Smart IP Ban: from 7.X-1.0 before 7.X-1.1. | ||||
| CVE-2024-1738 | 1 Lunary | 1 Lunary | 2025-01-10 | 7.5 High |
| An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL query. As a result, attackers can gain access to potentially private data contained within the evaluation results. | ||||
| CVE-2024-1740 | 1 Lunary | 1 Lunary | 2025-01-10 | 9.1 Critical |
| In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which does not properly invalidate upon the user's removal from the organization. This allows the removed user to perform unauthorized actions on logs and access project and external user details without valid permissions. | ||||
| CVE-2024-4011 | 1 Gitlab | 1 Gitlab | 2025-01-09 | 3.1 Low |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives. | ||||
| CVE-2023-34218 | 1 Jetbrains | 1 Teamcity | 2025-01-09 | 9.1 Critical |
| In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible | ||||
| CVE-2023-34219 | 1 Jetbrains | 1 Teamcity | 2025-01-09 | 4.3 Medium |
| In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API | ||||
| CVE-2023-25749 | 1 Mozilla | 1 Firefox | 2025-01-09 | 4.3 Medium |
| Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so. <br>*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 111. | ||||
| CVE-2024-31990 | 3 Argoproj, Kubernetes, Redhat | 3 Argo Cd, Argo-cd, Openshift Gitops | 2025-01-09 | 4.8 Medium |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16. | ||||
| CVE-2024-8001 | 1 Viwis | 2 Learning Management System, Lms | 2025-01-09 | 5.3 Medium |
| A vulnerability was found in VIWIS LMS 9.11. It has been classified as critical. Affected is an unknown function of the component Print Handler. The manipulation leads to missing authorization. It is possible to launch the attack remotely. A user with the role learner can use the administrative print function with an active session before and after an exam slot to access the entire exam including solutions in the web application. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2025-22449 | 2025-01-09 | 3.8 Low | ||
| Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public. | ||||
| CVE-2022-46308 | 1 Sguda | 2 U-lock, U-lock Firmware | 2025-01-09 | 8.8 High |
| SGUDA U-Lock central lock control service’s user management function has incorrect authorization. A remote attacker with general user privilege can exploit this vulnerability to call privileged APIs to access, modify and delete user information. | ||||
| CVE-2022-46307 | 1 Sguda | 2 U-lock, U-lock Firmware | 2025-01-09 | 8.8 High |
| SGUDA U-Lock central lock control service’s lock management function has incorrect authorization. A remote attacker with general privilege can exploit this vulnerability to call privileged APIs to acquire information, manipulate or disrupt the functionality of arbitrary electronic locks. | ||||
| CVE-2024-29892 | 1 Zitadel | 1 Zitadel | 2025-01-08 | 6.1 Medium |
| ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17. | ||||
| CVE-2023-28698 | 1 Wddgroup | 1 Fantsy | 2025-01-08 | 9.8 Critical |
| Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service. | ||||