Total
2039 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5509 | 1 Premio | 1 Mystickymenu | 2024-11-21 | N/A | 5.4 MEDIUM |
| The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions. | |||||
| CVE-2023-5356 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 7.3 HIGH |
| Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user. | |||||
| CVE-2023-5198 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys. | |||||
| CVE-2023-5195 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 6.5 MEDIUM |
| Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of | |||||
| CVE-2023-5194 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 2.7 LOW |
| Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager | |||||
| CVE-2023-5193 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 4.9 MEDIUM |
| Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation. | |||||
| CVE-2023-5159 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 3.8 LOW |
| Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots. | |||||
| CVE-2023-5106 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 8.2 HIGH |
| An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports. | |||||
| CVE-2023-5009 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 8.2 HIGH |
| An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact. | |||||
| CVE-2023-52111 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | N/A | 7.5 HIGH |
| Authorization vulnerability in the BootLoader module. Successful exploitation of this vulnerability may affect service integrity. | |||||
| CVE-2023-52077 | 1 Nexryai | 1 Nexkey | 2024-11-21 | N/A | 8.9 HIGH |
| Nexkey is a lightweight fork of Misskey v12 optimized for small to medium size servers. Prior to 12.23Q4.5, Nexkey allows external apps using tokens issued by administrators and moderators to call admin APIs. This allows malicious third-party apps to perform operations such as updating server settings, as well as compromise object storage and email server credentials. This issue has been patched in 12.23Q4.5. | |||||
| CVE-2023-51649 | 1 Networktocode | 1 Nautobot | 2024-11-21 | N/A | 3.5 LOW |
| Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0 | |||||
| CVE-2023-50732 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 8.3 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1. | |||||
| CVE-2023-50705 | 1 Efacec | 2 Uc 500e, Uc 500e Firmware | 2024-11-21 | N/A | 5.3 MEDIUM |
| An attacker could create malicious requests to obtain sensitive information about the web server. | |||||
| CVE-2023-50363 | 1 Qnap | 2 Qts, Quts Hero | 2024-11-21 | N/A | 7.4 HIGH |
| An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later | |||||
| CVE-2023-4853 | 2 Quarkus, Redhat | 13 Quarkus, Build Of Optaplanner, Build Of Quarkus and 10 more | 2024-11-21 | N/A | 8.1 HIGH |
| A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. | |||||
| CVE-2023-4814 | 1 Trellix | 1 Data Loss Prevention | 2024-11-21 | N/A | 7.1 HIGH |
| A Privilege escalation vulnerability exists in Trellix Windows DLP endpoint for windows which can be abused to delete any file/folder for which the user does not have permission to. | |||||
| CVE-2023-4812 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 7.6 HIGH |
| An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request. | |||||
| CVE-2023-4658 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 3.1 LOW |
| An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group. | |||||
| CVE-2023-4532 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of. | |||||