| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.)
Specifically, an application is vulnerable when all of the following are true:
* Spring MVC is on the classpath
* Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet)
* The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints
An application is not vulnerable if any of the following is true:
* The application does not have Spring MVC on the classpath
* The application secures no servlets other than Spring MVC’s DispatcherServlet
* The application uses requestMatchers(String) only for Spring MVC endpoints
|
| Missing Authorization vulnerability in Woo WooCommerce Box Office.This issue affects WooCommerce Box Office: from n/a through 1.1.51. |
| The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level.
|
| Missing Authorization vulnerability in Elementor Elementor Website Builder.This issue affects Elementor Website Builder: from n/a through 3.13.2. |
| In vowifiservice, there is a possible missing permission check.This could lead to local information disclosure with no additional execution privileges |
| In vowifiservice, there is a possible missing permission check.This could lead to local information disclosure with no additional execution privileges |
| In vowifiservice, there is a possible missing permission check.This could lead to local information disclosure with no additional execution privileges |
| In LTE protocol stack, there is a possible missing permission check. This could lead to remote information disclosure no additional execution privileges needed |
| In Contacts service, there is a possible missing permission check.This could lead to local information disclosure with no additional execution privileges |
| In vowifi service, there is a possible missing permission check.This could lead to local information disclosure with no additional execution privileges |
| In Contacts Service, there is a possible missing permission check.This could lead to local information disclosure with no additional execution privileges |
| In Contacts service, there is a possible missing permission check.This could lead to local information disclosure with no additional execution privileges |
| In ims service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges |
| In Contacts Service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges |
| In Contacts Service, there is a possible missing permission check.This could lead to local information disclosure with no additional execution privileges |
| In bluetooth service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. |
| In bluetooth service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. |
| KramerAV VIA Connect (2) and VIA Go (2) devices with a version prior to 4.0.1.1326 exhibit a vulnerability that enables remote manipulation of the device. This vulnerability involves extracting the connection confirmation code remotely, bypassing the need to obtain it directly from the physical screen. |
| TN-5900 Series firmware version v3.3 and prior is vulnerable to improper-authentication vulnerability. This vulnerability arises from inadequate authentication measures implemented in the web API handler, allowing low-privileged APIs to execute restricted actions that only high-privileged APIs are allowed This presents a potential risk of unauthorized exploitation by malicious actors. |
| Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.1-rc4 an improper configuration of role based access control (RBAC) permissions resulted in an attacker being able to obtain cluster control permissions, which could control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster. This issue has been addressed in version 4.2.1-rc4. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
