207 matches found
CVE-2024-20432
A vulnerability in the REST API and web UI of Cisco Nexus Dashboard Fabric Controller NDFC could allow an authenticated, low-privileged, remote attacker to perform a command injection attack against an affected device. This vulnerability is due to improper user authorization and insufficient...
CVE-2024-20432 Cisco Nexus Dashboard Fabric Controller Web UI Command Injection Vulnerability
A vulnerability in the REST API and web UI of Cisco Nexus Dashboard Fabric Controller NDFC could allow an authenticated, low-privileged, remote attacker to perform a command injection attack against an affected device. This vulnerability is due to improper user authorization and insufficient...
CVE-2024-20432
Cisco Nexus Dashboard Fabric Controller (NDFC) is affected by CVE-2024-20432 via a REST API and web UI command-injection flaw caused by improper user authorization and insufficient validation of command arguments. A low-privilege, authenticated attacker could submit crafted commands to affected R...
PT-2024-6593 · Cisco · Cisco Nexus Dashboard Fabric Controller
Name of the Vulnerable Software and Affected Versions: Cisco Nexus Dashboard Fabric Controller versions 11.5 and earlier Description: A vulnerability in the REST API and web UI of Cisco Nexus Dashboard Fabric Controller could allow an authenticated, low-privileged, remote attacker to perform a...
ZITADEL 安全漏洞
ZITADEL is a modern open source alternative to Auth0, Firebase Auth, AWS Cognito, and Keycloak built for the age of containers and serverless, open sourced by ZITADEL in Switzerland. ZITADEL suffers from a security vulnerability that stems from the user authorization deactivation mechanism not...
CVE-2024-23282
CVE-2024-23282 is an Apple iOS/macOS/iPadOS FaceTime-related vulnerability: a maliciously crafted email may initiate FaceTime calls without user authorization. Connected sources confirm remediation: Apple patches in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, and older iOS/iPadOS v...
MGASA-2024-0176 Updated sssd packages fix security vulnerability
A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately. CVE-2023-3758...
CVE-2024-1797
CVE-2024-1797 concerns the WP ULike plugin for WordPress. The initial description states a SQL Injection via the status and id attributes of the wp_ulike_counter and wp_ulike shortcodes, affecting all versions up to 4.6.9, with authenticated attackers (contributor+ level) able to inject extra SQL...
CVE-2024-32730
CVE-2024-32730 concerns SAP Enable Now Manager, where an authenticated user can bypass authorization checks and escalate privileges. The root cause is a failure to enforce access controls, enabling an attacker with the role Learner to access other users’ data within the manager, with high impact ...
Fedora: Security Advisory for voms-clients-java (FEDORA-2024-129d8ca6fc)
The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
BIT-GRAFANA-2022-21713 Exposure of Sensitive Information in Grafana
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. /teams/:teamId will allow an authenticated attacker to view unintended data by querying for the specific team ID,...
BIT-COUCHDB-2023-45725 Apache CouchDB, IBM Cloudant: Privilege Escalation Using _design Documents
Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document. These design document functions are: list show rewrite update An attacker can leak the session component using an HTML-like output,...
AVEVA PI Server
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION : Exploitable remotely/low attack complexity Vendor : AVEVA Equipment : PI Server Vulnerabilities : Improper Check or Handling of Exceptional Conditions, Missing Release of Resource after Effective Lifetime 2. RISK EVALUATION Successful...
CVE-2024-22407
Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for order...
CVE-2024-22407 Broken Access Control order API in Shopware
Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for order...
CVE-2023-6741
The WP Customer Area WordPress plugin before 8.2.1 does not properly validate users capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address...
CVE-2023-49261
The "tokenKey" value used in user authorization is visible in the HTML source of the login page...
CVE-2023-49261
The "tokenKey" value used in user authorization is visible in the HTML source of the login page...
CVE-2023-49261 Sensitive authentication-related value accessible publicly
The "tokenKey" value used in user authorization is visible in the HTML source of the login page...
CVE-2023-49261
CVE-2023-49261: Red Hat entries confirm the issue that the tokenKey used in user authorization is visible in the HTML source of the login page. The Red Hat advisories list this description; the connected documents do not provide affected product/version details, exploit information, or remediatio...