Vulnerabilities (CVE)


Filtered by CWE-863
Total: 1299 CVEs
Columns: CVE | Vendors (count, names) | Products (count, names) | Updated | CVSS v2 | CVSS v3
CVE-2023-1164 1 Kylinos 1 Kylin Os 2023-03-10 N/A 7.8 HIGH
A vulnerability was found in KylinSoft kylin-activation and classified as critical. Affected by this issue is some unknown functionality of the component File Import. The manipulation leads to improper authorization. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.11-23 and 1.30.10-5.p23 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222260.
CVE-2023-0952 1 Devolutions 1 Devolutions Server 2023-03-10 N/A 6.5 MEDIUM
Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sensitive data without proper authorization.
CVE-2022-47648 1 Bosch 2 B420, B420 Firmware 2023-03-07 N/A 8.8 HIGH
** UNSUPPORTED WHEN ASSIGNED ** Bosch Security Systems B420 firmware 02.02.0001 employs IP based authorization in its authentication mechanism, allowing attackers to access the device as long as they are on the same network as a legitimate user.
CVE-2022-48284 1 Huawei 1 Hilink Ai Life 2023-03-07 N/A 9.8 CRITICAL
A piece of Huawei whole-home intelligence software has an Incorrect Privilege Assignment vulnerability. Successful exploitation of this vulnerability could allow attackers to access restricted functions.
CVE-2022-48283 1 Huawei 1 Hilink Ai Life 2023-03-07 N/A 9.8 CRITICAL
A piece of Huawei whole-home intelligence software has an Incorrect Privilege Assignment vulnerability. Successful exploitation of this vulnerability could allow attackers to access restricted functions.
CVE-2022-34908 1 Aremis 1 Aremis 4 Nomads 2023-03-07 N/A 7.5 HIGH
An issue was discovered in the A4N (Aremis 4 Nomad) application 1.5.0 for Android. It possesses an authentication mechanism; however, some features do not require any token or cookie in a request. Therefore, an attacker may send a simple HTTP request to the right endpoint, and obtain authorization to retrieve application data.
CVE-2022-47002 1 Masacms 1 Masacms 2023-03-06 N/A 9.8 CRITICAL
A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request.
CVE-2022-47003 1 Murasoftware 1 Mura Cms 2023-03-06 N/A 9.8 CRITICAL
A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request.
CVE-2018-20826 1 Atlassian 1 Jira 2023-03-03 4.0 MEDIUM 4.3 MEDIUM
The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.
CVE-2023-0298 1 Firefly-iii 1 Firefly Iii 2023-03-01 N/A 6.5 MEDIUM
Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.
CVE-2022-4811 1 Usememos 1 Memos 2023-03-01 N/A 5.4 MEDIUM
Incorrect Authorization in GitHub repository usememos/memos prior to 0.9.1.
CVE-2022-43400 1 Siemens 1 Siveillance Video Mobile Server 2023-03-01 N/A 9.8 CRITICAL
A vulnerability has been identified in Siveillance Video Mobile Server V2022 R2 (All versions < V22.2a (80)). The mobile server component of affected applications improperly handles the log in for Active Directory accounts that are part of Administrators group. This could allow an unauthenticated remote attacker to access the application without a valid account.
CVE-2022-31692 2 Netapp, Vmware 2 Active Iq Unified Manager, Spring Security 2023-03-01 N/A 9.8 CRITICAL
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9, could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: the application expects that Spring Security applies security to forward and include dispatcher types; the application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method; the application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include); the application may forward or include the request to a higher privilege-secured endpoint; and the application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).
CVE-2023-23064 1 Totolink 2 A720r, A720r Firmware 2023-02-28 N/A 9.8 CRITICAL
TOTOLINK A720R V4.1.5cu.532_ B20210610 is vulnerable to Incorrect Access Control.
CVE-2018-3778 1 Aedes Project 1 Aedes 2023-02-28 5.0 MEDIUM 5.3 MEDIUM
Improper authorization in aedes versions before 0.35.0 will publish an LWT (MQTT Last Will and Testament message) to a channel even when the client is not authorized.
CVE-2021-32163 1 Linuxfoundation 1 Modular Open Smart Network 2023-02-28 N/A 9.8 CRITICAL
Authentication vulnerability in MOSN v.0.23.0 allows an attacker to escalate privileges via case-sensitive JWT authorization.
CVE-2019-13386 1 Centos-webpanel 1 Centos Web Panel 2023-02-28 6.5 MEDIUM 8.8 HIGH
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php allows attackers to execute a shell command, i.e., obtain a reverse shell with user privilege.
CVE-2023-23947 1 Linuxfoundation 1 Argo-cd 2023-02-27 N/A 8.5 HIGH
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23, 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields.
CVE-2023-22945 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2023-02-27 N/A 4.3 MEDIUM
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.
CVE-2022-45544 1 Schlix 1 Cms 2023-02-26 N/A 8.8 HIGH
** DISPUTED ** Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 allows attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. NOTE: this is disputed by the vendor because an admin is intentionally allowed to upload new executable PHP code, such as a theme that was obtained from a trusted source or was developed for their own website. Only an admin can upload such code, not someone else in an "attacker" role.