How severe is CVE-2023-32680?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.6 out of 10.

What type of vulnerability is CVE-2023-32680?

This is classified as CWE-306, which is a common weakness in software security.

CVE-2023-32680

CRITICAL Year: 2023

CVSS v3 Score

9.6

Critical

Weakness Type

CWE-306

View all →

Vulnerability Description

Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database–but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that: Anyone–including people in sandboxed groups–could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.

CVE-2021-36779

CRITICAL

CVSS:9.6(Critical)

A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This iss...

CWE-3062021

CVE-2024-40087

CRITICAL

CVSS:9.6(Critical)

Vilo 5 Mesh WiFi System <= 5.16.1.33 is vulnerable to Insecure Permissions. Lack of authentication in the custom TCP service on port 5432 allows remote, unauthenticated attackers to gain administrativ...

CWE-3062024

CVE-2019-10919

CRITICAL

CVSS:9.4(Critical)

A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). Attackers with access to port 10005/tcp could perform device reconfigurations and obtain project files ...

CWE-3062019

CVE-2019-17354

CRITICAL

CVSS:9.4(Critical)

wan.htm page on Zyxel NBG-418N v2 with firmware version V1.00(AARP.9)C0 can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leve...

CWE-3062019

CVE-2020-10265

CRITICAL

CVSS:9.4(Critical)

Universal Robots Robot Controllers Version CB2 SW Version 1.4 upwards, CB3 SW Version 3.0 and upwards, e-series SW Version 5.0 and upwards expose a service called DashBoard server at port 29999 that a...

CWE-3062020

CVE-2020-25747

CRITICAL

CVSS:9.4(Critical)

The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) can allow a remote attacker to gain access to RTSP and ONFIV services without authentication. Thus, t...

CWE-3062020

CVE-2023-32680

Vulnerability Description

Related Vulnerabilities

CVE-2021-36779

CVE-2024-40087

CVE-2019-10919

CVE-2019-17354

CVE-2020-10265

CVE-2020-25747