Total
2030 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-25923 | 1 Ibm | 1 Security Key Lifecycle Manager | 2025-02-26 | 2.7 Low |
| IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an attacker to upload files that could be used in a denial of service attack due to incorrect authorization. IBM X-Force ID: 247629. | ||||
| CVE-2024-22133 | 1 Sap | 1 Fiori Front End Server | 2025-02-26 | 4.6 Medium |
| SAP Fiori Front End Server - version 605, allows altering of approver details on the read-only field when sending leave request information. This could lead to creation of request with incorrect approver causing low impact on Confidentiality and Integrity with no impact on Availability of the application. | ||||
| CVE-2024-9902 | 1 Redhat | 4 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 1 more | 2025-02-25 | 6.3 Medium |
| A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. | ||||
| CVE-2023-28611 | 1 Omicronenergy | 2 Stationguard, Stationscout | 2025-02-25 | 9.8 Critical |
| Incorrect authorization in OMICRON StationGuard 1.10 through 2.20 and StationScout 1.30 through 2.20 allows an attacker to bypass intended access restrictions. | ||||
| CVE-2023-1603 | 1 Devolutions | 1 Devolutions Server | 2025-02-25 | 6.5 Medium |
| Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via id collision. | ||||
| CVE-2023-20975 | 1 Google | 1 Android | 2025-02-25 | 7.8 High |
| In getAvailabilityStatus of EnableContentCapturePreferenceController.java, there is a possible way to bypass DISALLOW_CONTENT_CAPTURE due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-250573776 | ||||
| CVE-2023-20971 | 1 Google | 1 Android | 2025-02-25 | 7.8 High |
| In removePermission of PermissionManagerServiceImpl.java, there is a possible way to obtain dangerous permissions without user consent due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2023-23192 | 1 Isdecisions | 1 Userlock | 2025-02-25 | 7.2 High |
| IS Decisions UserLock MFA 11.01 is vulnerable to authentication bypass using scheduled task. | ||||
| CVE-2023-21035 | 1 Google | 1 Android | 2025-02-25 | 7.8 High |
| In multiple functions of BackupHelper.java, there is a possible way for an app to get permissions previously granted to another app with the same package name due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-184847040 | ||||
| CVE-2023-27485 | 1 Thm | 1 Feedbacksystem | 2025-02-25 | 4.3 Medium |
| thmmniii/fbs-core is an open source feedback system for students. In versions prior to 1.5.3 when querying `subresults`, it is possible to query `subresults` from other users due to insufficient authorisation. This is only possible for logged-in users and it is not possible to associate the subresults with a specific user. This bug was fixed in commit `f1ae67d8bb2`and released with version 1.5.3. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2023-27486 | 1 Xcat Project | 1 Xcat | 2025-02-25 | 8.1 High |
| xCAT is a toolkit for deployment and administration of computer clusters. In versions prior to 2.16.5 if zones are configured as a mechanism to secure clusters in XCAT, it is possible for a local root user from one node to obtain credentials to SSH to any node in any zone, except the management node of the default zone. XCAT zones are not enabled by default. Only users that use the optional zone feature are impacted. All versions of xCAT prior to xCAT 2.16.5 are vulnerable. This problem has been fixed in xCAT 2.16.5. Users making use of zones should upgrade to 2.16.5. Users unable to upgrade may mitigate the issue by disabling zones or patching the management node with the fix contained in commit `85149c37f49`. | ||||
| CVE-2022-39214 | 1 Combodo | 1 Itop | 2025-02-25 | 9.6 Critical |
| Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1. | ||||
| CVE-2023-26484 | 1 Kubevirt | 1 Kubevirt | 2025-02-25 | 8.2 High |
| KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure-in system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster. The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node. No patches are available as of time of publication. As a workaround, gatekeeper users can add a webhook which will block the `virt-handler` service account to modify the spec of a node. | ||||
| CVE-2023-27594 | 1 Cilium | 1 Cilium | 2025-02-25 | 4.2 Medium |
| Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled. This issue only manifests when Cilium is routing IPv6 traffic and NodePorts are used to route traffic to pods. IPv6 and endpoint routes are both disabled by default. The problem has been fixed and is available on versions 1.11.15, 1.12.8, and 1.13.1. As a workaround, disable IPv6 routing. | ||||
| CVE-2023-27578 | 1 Galaxyproject | 1 Galaxy | 2025-02-25 | 9.1 Critical |
| Galaxy is an open-source platform for data analysis. All supported versions of Galaxy are affected prior to 22.01, 22.05, and 23.0 are affected by an insufficient permission check. Unsupported versions are likely affected as far back as the functionality of Visualizations/Pages exists. Due to this issue, an attacker can modify or delete any Galaxy Visualization or Galaxy Page given they know the encoded ID of it. Additionally, they can copy or import any Galaxy Visualization given they know the encoded ID of it. Patches are available for versions 22.01, 22.05, and 23.0. For the changes to take effect, you must restart all Galaxy server processes. There are no supported workarounds. | ||||
| CVE-2025-26531 | 2025-02-25 | 3.1 Low | ||
| Insufficient capability checks made it possible to disable badges a user does not have permission to access. | ||||
| CVE-2025-26532 | 2025-02-25 | 3.1 Low | ||
| Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored. | ||||
| CVE-2025-26526 | 2025-02-24 | 6.5 Medium | ||
| Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities. | ||||
| CVE-2023-24880 | 1 Microsoft | 10 Windows 10 1607, Windows 10 1809, Windows 10 20h2 and 7 more | 2025-02-24 | 4.4 Medium |
| Windows SmartScreen Security Feature Bypass Vulnerability | ||||
| CVE-2023-21715 | 1 Microsoft | 1 365 Apps | 2025-02-24 | 7.3 High |
| Microsoft Publisher Security Feature Bypass Vulnerability | ||||