Search
Total
6056 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-43677 | 1 Free5gc | 1 Free5gc | 2023-12-08 | N/A | 5.5 MEDIUM |
| In free5GC 3.2.1, a malformed NGAP message can crash the AMF and NGAP decoders via an index-out-of-range panic in aper.GetBitString. | |||||
| CVE-2023-49914 | 1 Choosemuse | 2 Muse 2, Muse 2 Firmware | 2023-12-07 | N/A | 6.5 MEDIUM |
| InteraXon Muse 2 devices allow remote attackers to cause a denial of service (incorrect Muse App report of an outstanding, calm meditation state) via a 480 MHz RF carrier that is modulated by a "false" brain wave, aka a Brain-Hack attack. For example, the Muse App does not display the reception of a strong RF carrier, and alert the user that a report may be misleading if this carrier has been modulated by a low-frequency signal. | |||||
| CVE-2023-32858 | 2 Google, Mediatek | 11 Android, Mt6761, Mt6765 and 8 more | 2023-12-07 | N/A | 4.4 MEDIUM |
| In GZ, there is a possible information disclosure due to a missing data erasing. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07806008; Issue ID: ALPS07806008. | |||||
| CVE-2023-42721 | 2 Google, Unisoc | 2 Android, Sc9863a | 2023-12-07 | N/A | 5.5 MEDIUM |
| In flv extractor, there is a possible missing verification incorrect input. This could lead to local denial of service with no additional execution privileges needed | |||||
| CVE-2023-32852 | 2 Google, Mediatek | 2 Android, Mt6779 | 2023-12-07 | N/A | 4.4 MEDIUM |
| In cameraisp, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07670971; Issue ID: ALPS07670971. | |||||
| CVE-2023-49948 | 1 Forgejo | 1 Forgejo | 2023-12-07 | N/A | 5.3 MEDIUM |
| Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL. | |||||
| CVE-2022-40433 | 1 Oracle | 1 Openjdk | 2023-12-06 | N/A | 4.9 MEDIUM |
| An issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service. Note: Vendor states that this to is Defense in Depth at most due to the nature of the issue and the special circumstances required (server must be running particular code locally, code compiled with an old, old version of javac, etc.). | |||||
| CVE-2023-4912 | 1 Gitlab | 1 Gitlab | 2023-12-06 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted mermaid diagram input. | |||||
| CVE-2023-4317 | 1 Gitlab | 1 Gitlab | 2023-12-06 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch. | |||||
| CVE-2023-3964 | 1 Gitlab | 1 Gitlab | 2023-12-06 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disabled in the project settings. | |||||
| CVE-2023-3949 | 1 Gitlab | 1 Gitlab | 2023-12-06 | N/A | 5.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects' release descriptions via an atom endpoint when release access on the public was set to only project members. | |||||
| CVE-2023-3443 | 1 Gitlab | 1 Gitlab | 2023-12-06 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items. | |||||
| CVE-2023-26533 | 1 Gesundheit-bewegt | 1 Zippy | 2023-12-06 | N/A | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Gesundheit Bewegt GmbH Zippy.This issue affects Zippy: from n/a through 1.6.1. | |||||
| CVE-2023-36523 | 1 Gopiplus | 1 Email Download Link | 2023-12-06 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Gopi Ramasamy Email download link.This issue affects Email download link: from n/a through 3.7. | |||||
| CVE-2023-36507 | 1 Reputeinfosystems | 1 Bookingpress | 2023-12-06 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Repute Infosystems BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin.This issue affects BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin: from n/a through 1.0.64. | |||||
| CVE-2023-45834 | 1 Libsyn | 1 Libsyn Publisher Hub | 2023-12-06 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Libsyn Libsyn Publisher Hub.This issue affects Libsyn Publisher Hub: from n/a through 1.4.4. | |||||
| CVE-2023-46820 | 1 Iuliacazan | 1 Image Regenerate \& Select Crop | 2023-12-06 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Iulia Cazan Image Regenerate & Select Crop.This issue affects Image Regenerate & Select Crop: from n/a through 7.3.0. | |||||
| CVE-2023-48333 | 1 Booster | 1 Booster For Woocommerce | 2023-12-06 | N/A | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pluggabl LLC Booster for WooCommerce.This issue affects Booster for WooCommerce: from n/a through 7.1.1. | |||||
| CVE-2023-25057 | 1 Libsyn | 1 Libsyn Publisher Hub | 2023-12-06 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Libsyn Libsyn Publisher Hub.This issue affects Libsyn Publisher Hub: from n/a through 1.3.2. | |||||
| CVE-2023-34872 | 1 Freedesktop | 1 Poppler | 2023-12-06 | N/A | 5.5 MEDIUM |
| A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a remote attacker to cause a Denial of Service (DoS) (crash) via a crafted PDF file in OutlineItem::open. | |||||
| CVE-2023-34390 | 1 Selinc | 2 Sel-451, Sel-451 Firmware | 2023-12-06 | N/A | 6.5 MEDIUM |
| An input validation vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote authenticated attacker to create a denial of service against the system and locking out services. See product Instruction Manual Appendix A dated 20230830 for more details. | |||||
| CVE-2023-37868 | 1 Leap13 | 1 Premium Addons | 2023-12-05 | N/A | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Leap13 Premium Addons PRO.This issue affects Premium Addons PRO: from n/a through 2.9.0. | |||||
| CVE-2023-42505 | 1 Apache | 1 Superset | 2023-12-04 | N/A | 4.3 MEDIUM |
| An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection's username. This issue affects Apache Superset before 3.0.0. | |||||
| CVE-2023-30588 | 1 Nodejs | 1 Node.js | 2023-12-04 | N/A | 5.3 MEDIUM |
| When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. | |||||
| CVE-2023-5553 | 1 Axis | 2 Axis Os, Axis Os 2022 | 2023-12-04 | N/A | 6.8 MEDIUM |
| During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis' knowledge, there are no known exploits of the vulnerability at this time. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | |||||
| CVE-2022-48521 | 1 Opendkim | 1 Opendkim | 2023-12-03 | N/A | 5.3 MEDIUM |
| An issue was discovered in OpenDKIM through 2.10.3, and 2.11.x through 2.11.0-Beta2. It fails to keep track of ordinal numbers when removing fake Authentication-Results header fields, which allows a remote attacker to craft an e-mail message with a fake sender address such that programs that rely on Authentication-Results from OpenDKIM will treat the message as having a valid DKIM signature when in fact it has none. | |||||
| CVE-2023-24023 | 1 Bluetooth | 1 Bluetooth Core Specification | 2023-12-02 | N/A | 6.8 MEDIUM |
| Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS. | |||||
| CVE-2023-48713 | 1 Knative | 1 Serving | 2023-12-01 | N/A | 5.3 MEDIUM |
| Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls a pod to a degree where they can control the responses from the /metrics endpoint can cause Denial-of-Service of the autoscaler from an unbound memory allocation bug. This is a DoS vulnerability, where a non-privileged Knative user can cause a DoS for the cluster. This issue has been patched in version 0.39.0. | |||||
| CVE-2023-6202 | 1 Mattermost | 1 Mattermost | 2023-12-01 | N/A | 4.3 MEDIUM |
| Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards. | |||||
| CVE-2023-45223 | 1 Mattermost | 1 Mattermost | 2023-12-01 | N/A | 4.3 MEDIUM |
| Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled. | |||||
| CVE-2023-43754 | 1 Mattermost | 1 Mattermost | 2023-12-01 | N/A | 4.3 MEDIUM |
| Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled. | |||||
| CVE-2023-5845 | 1 Wpbrigade | 1 Simple Social Buttons | 2023-12-01 | N/A | 5.3 MEDIUM |
| The Simple Social Media Share Buttons WordPress plugin before 5.1.1 leaks password-protected post content to unauthenticated visitors in some meta tags | |||||
| CVE-2023-49321 | 4 Apple, F-secure, Linux and 1 more | 10 Macos, Atlant, Client Security and 7 more | 2023-12-01 | N/A | 5.3 MEDIUM |
| Certain WithSecure products allow a Denial of Service because scanning a crafted file takes a long time, and causes the scanner to hang. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, WithSecure Linux Security 64 12.0, WithSecure Linux Protection 12.0, and WithSecure Atlant 1.0.35-1. | |||||
| CVE-2023-20084 | 1 Cisco | 2 Secure Endpoint, Secure Endpoint Private Cloud | 2023-12-01 | N/A | 4.4 MEDIUM |
| A vulnerability in the endpoint software of Cisco Secure Endpoint for Windows could allow an authenticated, local attacker to evade endpoint protection within a limited time window. This vulnerability is due to a timing issue that occurs between various software components. An attacker could exploit this vulnerability by persuading a user to put a malicious file into a specific folder and then persuading the user to execute the file within a limited time window. A successful exploit could allow the attacker to cause the endpoint software to fail to quarantine the malicious file or kill its process. Note: This vulnerability only applies to deployments that have the Windows Folder Redirection feature enabled. | |||||
| CVE-2016-1285 | 7 Canonical, Debian, Fedoraproject and 4 more | 47 Ubuntu Linux, Debian Linux, Fedora and 44 more | 2023-11-30 | 4.3 MEDIUM | 6.8 MEDIUM |
| named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does not properly handle DNAME records when parsing fetch reply messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka control channel) interface, related to alist.c and sexpr.c. | |||||
| CVE-2023-23978 | 1 Switchwp | 1 Wp Client Reports | 2023-11-30 | N/A | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SwitchWP WP Client Reports plugin <= 1.0.16 versions. | |||||
| CVE-2023-2446 | 1 Userproplugin | 1 Userpro | 2023-11-30 | N/A | 6.5 MEDIUM |
| The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including 5.1.1. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to retrieve sensitive user meta that can be used to gain access to a high privileged user account. | |||||
| CVE-2023-4297 | 1 Mediamanifesto | 1 Mmm Simple File List | 2023-11-30 | N/A | 4.3 MEDIUM |
| The Mmm Simple File List WordPress plugin through 2.3 does not validate the generated path to list files from, allowing any authenticated users, such as subscribers, to list the content of arbitrary directories. | |||||
| CVE-2023-4252 | 1 Metagauss | 1 Eventprime | 2023-11-30 | N/A | 5.3 MEDIUM |
| The EventPrime WordPress plugin through 3.2.9 specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment. | |||||
| CVE-2022-36777 | 1 Ibm | 2 Cloud Pak For Security, Qradar Suite | 2023-11-30 | N/A | 6.5 MEDIUM |
| IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.16.0could allow an authenticated user to obtain sensitive version information that could aid in further attacks against the system. IBM X-Force ID: 233665. | |||||
| CVE-2021-39008 | 1 Ibm | 1 Qradar Wincollect | 2023-11-30 | N/A | 4.9 MEDIUM |
| IBM QRadar WinCollect Agent 10.0 through 10.1.7 could allow a privileged user to obtain sensitive information due to missing best practices. IBM X-Force ID: 213551. | |||||
| CVE-2023-48294 | 1 Librenms | 1 Librenms | 2023-11-29 | N/A | 4.3 MEDIUM |
| LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. In affected versions of LibreNMS when a user accesses their device dashboard, one request is sent to `graph.php` to access graphs generated on the particular Device. This request can be accessed by a low privilege user and they can enumerate devices on librenms with their id or hostname. Leveraging this vulnerability a low privilege user can see all devices registered by admin users. This vulnerability has been addressed in commit `489978a923` which has been included in release version 23.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-48223 | 1 Nearform | 1 Fast-jwt | 2023-11-29 | N/A | 5.9 MEDIUM |
| fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to version 3.3.2, the fast-jwt library does not properly prevent JWT algorithm confusion for all public key types. The 'publicKeyPemMatcher' in 'fast-jwt/src/crypto.js' does not properly match all common PEM formats for public keys. To exploit this vulnerability, an attacker needs to craft a malicious JWT token containing the HS256 algorithm, signed with the public RSA key of the victim application. This attack will only work if the victim application utilizes a public key containing the `BEGIN RSA PUBLIC KEY` header. Applications using the RS256 algorithm, a public key with a `BEGIN RSA PUBLIC KEY` header, and calling the verify function without explicitly providing an algorithm, are vulnerable to this algorithm confusion attack which allows attackers to sign arbitrary payloads which will be accepted by the verifier. Version 3.3.2 contains a patch for this issue. As a workaround, change line 29 of `blob/master/src/crypto.js` to include a regular expression. | |||||
| CVE-2023-41145 | 1 Autodesk | 1 Customer Portal | 2023-11-29 | N/A | 5.3 MEDIUM |
| Autodesk users who no longer have an active license for an account can still access cases for that account. | |||||
| CVE-2023-41146 | 1 Autodesk | 1 Customer Portal | 2023-11-29 | N/A | 4.3 MEDIUM |
| Autodesk Customer Support Portal allows cases created by users under an account to see cases created by other users on the same account. | |||||
| CVE-2023-47392 | 1 Mercedes-benz | 1 Mercedes Me | 2023-11-29 | N/A | 5.3 MEDIUM |
| An access control issue in Mercedes me IOS APP v1.34.0 and below allows attackers to view the carts of other users via sending a crafted add order request. | |||||
| CVE-2023-47393 | 1 Mercedes-benz | 1 Mercedes Me | 2023-11-29 | N/A | 5.3 MEDIUM |
| An access control issue in Mercedes me IOS APP v1.34.0 and below allows attackers to view the maintenance orders of other users and access sensitive user information via unspecified vectors. | |||||
| CVE-2023-47643 | 1 Salesagility | 1 Suitecrm | 2023-11-29 | N/A | 5.3 MEDIUM |
| SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds. | |||||
| CVE-2023-21416 | 1 Axis | 2 Axis Os, Axis Os 2022 | 2023-11-28 | N/A | 6.5 MEDIUM |
| Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account however the impact is equal. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | |||||
| CVE-2023-40002 | 1 Booster | 1 Booster For Woocommerce | 2023-11-28 | N/A | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pluggabl LLC Booster for WooCommerce plugin <= 7.1.1 versions. | |||||