Total
7706 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-50779 | 1 Jenkins | 1 Paaslane Estimate | 2025-02-13 | 4.3 Medium |
| Missing permission checks in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token. | ||||
| CVE-2023-50769 | 1 Jenkins | 1 Nexus Platform | 2025-02-13 | 4.3 Medium |
| Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2023-50767 | 1 Jenkins | 1 Nexus Platform | 2025-02-13 | 5.4 Medium |
| Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. | ||||
| CVE-2023-50765 | 1 Jenkins | 1 Scriptler | 2025-02-13 | 4.3 Medium |
| A missing permission check in Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID. | ||||
| CVE-2023-49674 | 1 Jenkins | 1 Neuvector Vulnerability Scanner | 2025-02-13 | 4.3 Medium |
| A missing permission check in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. | ||||
| CVE-2023-49654 | 1 Jenkins | 1 Matlab | 2025-02-13 | 9.8 Critical |
| Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system. | ||||
| CVE-2023-49620 | 1 Apache | 1 Dolphinscheduler | 2025-02-13 | 6.5 Medium |
| Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability | ||||
| CVE-2023-2183 | 2 Grafana, Redhat | 2 Grafana, Ceph Storage | 2025-02-13 | 4.1 Medium |
| Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix. | ||||
| CVE-2023-26269 | 1 Apache | 2 James, James Server | 2025-02-13 | 7.8 High |
| Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users. | ||||
| CVE-2023-46652 | 1 Jenkins | 1 Lambdatest-automation | 2025-02-13 | 4.3 Medium |
| A missing permission check in Jenkins lambdatest-automation Plugin 1.20.9 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. | ||||
| CVE-2023-3482 | 1 Mozilla | 1 Firefox | 2025-02-13 | 6.5 Medium |
| When Firefox is configured to block storage of all cookies, it was still possible to store data in localstorage by using an iframe with a source of 'about:blank'. This could have led to malicious websites storing tracking data without permission. This vulnerability affects Firefox < 115. | ||||
| CVE-2023-2796 | 1 Myeventon | 1 Eventon | 2025-02-13 | 5.3 Medium |
| The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id. | ||||
| CVE-2023-26035 | 1 Zoneminder | 1 Zoneminder | 2025-02-13 | 7.2 High |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in This issue is fixed in versions 1.36.33 and 1.37.33. | ||||
| CVE-2022-39335 | 1 Matrix | 1 Synapse | 2025-02-13 | 5 Medium |
| Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade. | ||||
| CVE-2018-14628 | 2 Fedoraproject, Samba | 2 Fedora, Samba | 2025-02-13 | 4.3 Medium |
| An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store. | ||||
| CVE-2023-28623 | 1 Zulip | 1 Zulip | 2025-02-12 | 6.5 Medium |
| Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and 2: The organization permissions don't require invitations to join. An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue. | ||||
| CVE-2023-32677 | 1 Zulip | 1 Zulip | 2025-02-12 | 3.1 Low |
| Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows a user to invite a new user also allows them to set the streams that the new user is invited to -- even if the inviting user would not have permissions to add an existing user to streams. While such a configuration is likely rare in practice, the behavior does violate security-related controls. This does not let a user invite new users to streams they cannot see, or would not be able to add users to if they had that general permission. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may limit sending of invitations down to users who also have the permission to add users to streams. | ||||
| CVE-2023-0805 | 1 Gitlab | 1 Gitlab | 2025-02-12 | 4.9 Medium |
| An issue has been discovered in GitLab EE affecting all versions starting from 15.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. A malicious group member may continue to have access to the public projects of a public group even after being banned from the public group by the owner. | ||||
| CVE-2023-40203 | 1 Mailmunch | 1 Mailchimp Forms | 2025-02-11 | 4.3 Medium |
| Missing Authorization vulnerability in MailMunch MailChimp Forms by MailMunch allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MailChimp Forms by MailMunch: from n/a through 3.1.4. | ||||
| CVE-2020-9009 | 1 Shipstation | 1 Shipstation | 2025-02-11 | 3.7 Low |
| The ShipStation.com plugin 1.1 and earlier for CS-Cart allows remote attackers to insert arbitrary information into the database (via action=shipnotify) because access to this endpoint is completely unchecked. The attacker must guess an order number. | ||||