Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-50348 | 1 Hcltech | 1 Dryice Myxalytics | 2024-01-09 | N/A | 5.3 MEDIUM |
| HCL DRYiCE MyXalytics is impacted by an improper error handling vulnerability. The application returns detailed error messages that can provide an attacker with insight into the application, system, etc. | |||||
| CVE-2023-50346 | 1 Hcltech | 1 Dryice Myxalytics | 2024-01-09 | N/A | 4.3 MEDIUM |
| HCL DRYiCE MyXalytics is impacted by an information disclosure vulnerability. Certain endpoints within the application disclose detailed file information. | |||||
| CVE-2023-50345 | 1 Hcltech | 1 Dryice Myxalytics | 2024-01-09 | N/A | 6.1 MEDIUM |
| HCL DRYiCE MyXalytics is impacted by an Open Redirect vulnerability which could allow an attacker to redirect users to malicious sites, potentially leading to phishing attacks or other security threats. | |||||
| CVE-2023-50092 | 1 Apiida | 1 Api Gateway Manager | 2024-01-09 | N/A | 6.1 MEDIUM |
| APIIDA API Gateway Manager for Broadcom Layer7 v2023.2 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2023-33037 | 1 Qualcomm | 166 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 163 more | 2024-01-09 | N/A | 5.5 MEDIUM |
| Cryptographic issue in Automotive while unwrapping the key secs2d and verifying with RPMB data. | |||||
| CVE-2023-6981 | 1 Veronalabs | 1 Wp Sms | 2024-01-09 | N/A | 4.9 MEDIUM |
| The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to SQL Injection via the 'group_id' parameter in all versions up to, and including, 6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can leveraged to achieve Reflected Cross-site Scripting. | |||||
| CVE-2023-6621 | 1 Wpexperts | 1 Post Smtp | 2024-01-09 | N/A | 6.1 MEDIUM |
| The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2023-26159 | 1 Follow-redirects | 1 Follow Redirects | 2024-01-09 | N/A | 6.1 MEDIUM |
| Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches. | |||||
| CVE-2024-0193 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2024-01-09 | N/A | 6.7 MEDIUM |
| A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system. | |||||
| CVE-2023-50342 | 1 Hcltech | 1 Dryice Myxalytics | 2024-01-09 | N/A | 4.3 MEDIUM |
| HCL DRYiCE MyXalytics is impacted by an Insecure Direct Object Reference (IDOR) vulnerability. A user can obtain certain details about another user as a result of improper access control. | |||||
| CVE-2023-50343 | 1 Hcltech | 1 Dryice Myxalytics | 2024-01-09 | N/A | 6.5 MEDIUM |
| HCL DRYiCE MyXalytics is impacted by an Improper Access Control (Controller APIs) vulnerability. Certain API endpoints are accessible to Customer Admin Users that can allow access to sensitive information about other users. | |||||
| CVE-2023-50344 | 1 Hcltech | 1 Dryice Myxalytics | 2024-01-09 | N/A | 5.4 MEDIUM |
| HCL DRYiCE MyXalytics is impacted by improper access control (Unauthenticated File Download) vulnerability. An unauthenticated user can download certain files. | |||||
| CVE-2023-49554 | 1 Yasm Project | 1 Yasm | 2024-01-09 | N/A | 5.5 MEDIUM |
| Use After Free vulnerability in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the do_directive function in the modules/preprocs/nasm/nasm-pp.c component. | |||||
| CVE-2023-4467 | 1 Poly | 2 Trio 8800, Trio 8800 Firmware | 2024-01-09 | N/A | 6.6 MEDIUM |
| A vulnerability was found in Poly Trio 8800 7.2.6.0019 and classified as critical. Affected by this issue is some unknown functionality of the component Test Automation Mode. The manipulation leads to backdoor. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249260. | |||||
| CVE-2023-4466 | 1 Poly | 8 Ccx 400, Ccx 400 Firmware, Ccx 600 and 5 more | 2024-01-09 | N/A | 4.9 MEDIUM |
| A vulnerability has been found in Poly CCX 400, CCX 600, Trio 8800 and Trio C60 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Web Interface. The manipulation leads to protection mechanism failure. The attack can be launched remotely. The vendor explains that they do not regard this as a vulnerability as this is a feature that they offer to their customers who have a variety of environmental needs that are met through different firmware builds. To avoid potential roll-back attacks, they remove vulnerable builds from the public servers as a remediation effort. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249259. | |||||
| CVE-2023-4465 | 1 Poly | 8 Ccx 400, Ccx 400 Firmware, Ccx 600 and 5 more | 2024-01-09 | N/A | 6.5 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Poly Trio 8300, Trio 8500, Trio 8800, Trio C60, CCX 350, CCX 400, CCX 500, CCX 505, CCX 600, CCX 700, EDGE E100, EDGE E220, EDGE E300, EDGE E320, EDGE E350, EDGE E400, EDGE E450, EDGE E500, EDGE E550, VVX 101, VVX 150, VVX 201, VVX 250, VVX 300, VVX 301, VVX 310, VVX 311, VVX 350, VVX 400, VVX 401, VVX 410, VVX 411, VVX 450, VVX 500, VVX 501, VVX 600 and VVX 601. Affected is an unknown function of the component Configuration File Import. The manipulation of the argument device.auth.localAdminPassword leads to unverified password change. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249258 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-4462 | 1 Poly | 8 Ccx 400, Ccx 400 Firmware, Ccx 600 and 5 more | 2024-01-09 | N/A | 5.9 MEDIUM |
| A vulnerability classified as problematic has been found in Poly Trio 8300, Trio 8500, Trio 8800, Trio C60, CCX 350, CCX 400, CCX 500, CCX 505, CCX 600, CCX 700, EDGE E100, EDGE E220, EDGE E300, EDGE E320, EDGE E350, EDGE E400, EDGE E450, EDGE E500, EDGE E550, VVX 101, VVX 150, VVX 201, VVX 250, VVX 300, VVX 301, VVX 310, VVX 311, VVX 350, VVX 400, VVX 401, VVX 410, VVX 411, VVX 450, VVX 500, VVX 501, VVX 600 and VVX 601. This affects an unknown part of the component Web Configuration Application. The manipulation leads to insufficiently random values. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249255. | |||||
| CVE-2023-49555 | 1 Yasm Project | 1 Yasm | 2024-01-09 | N/A | 5.5 MEDIUM |
| An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expand_smacro function in the modules/preprocs/nasm/nasm-pp.c component. | |||||
| CVE-2023-49556 | 1 Yasm Project | 1 Yasm | 2024-01-09 | N/A | 5.5 MEDIUM |
| Buffer Overflow vulnerability in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expr_delete_term function in the libyasm/expr.c component. | |||||
| CVE-2023-49557 | 1 Yasm Project | 1 Yasm | 2024-01-09 | N/A | 5.5 MEDIUM |
| An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the yasm_section_bcs_first function in the libyasm/section.c component. | |||||
| CVE-2023-49558 | 1 Yasm Project | 1 Yasm | 2024-01-09 | N/A | 5.5 MEDIUM |
| An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expand_mmac_params function in the modules/preprocs/nasm/nasm-pp.c component. | |||||
| CVE-2023-48308 | 1 Nextcloud | 1 Calendar | 2024-01-09 | N/A | 6.5 MEDIUM |
| Nextcloud/Cloud is a calendar app for Nextcloud. An attacker can gain access to stacktrace and internal paths of the server when generating an exception while editing a calendar appointment. It is recommended that the Nextcloud Calendar app is upgraded to 4.5.3 | |||||
| CVE-2023-4164 | 1 Google | 2 Android, Pixel | 2024-01-09 | N/A | 5.5 MEDIUM |
| There is a possible information disclosure due to a missing permission check. This could lead to local information disclosure of health data with no additional execution privileges needed. | |||||
| CVE-2018-25097 | 1 Acumos | 1 Design Studio | 2024-01-09 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Acumos Design Studio up to 2.0.7. Affected is an unknown function. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.0.8 is able to address this issue. The name of the patch is 0df8a5e8722188744973168648e4c74c69ce67fd. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-249420. | |||||
| CVE-2023-6094 | 1 Moxa | 2 Oncell G3150a-lte, Oncell G3150a-lte Firmware | 2024-01-09 | N/A | 5.3 MEDIUM |
| A vulnerability has been identified in OnCell G3150A-LTE Series firmware versions v1.3 and prior. The vulnerability results from lack of protection for sensitive information during transmission. An attacker eavesdropping on the traffic between the web browser and server may obtain sensitive information. This type of attack could be executed to gather sensitive information or to facilitate a subsequent attack against the target. | |||||
| CVE-2023-33014 | 1 Qualcomm | 74 Ar8035, Ar8035 Firmware, Fastconnect6700 and 71 more | 2024-01-09 | N/A | 6.8 MEDIUM |
| Information disclosure in Core services while processing a Diag command. | |||||
| CVE-2017-20188 | 1 Zimbra | 1 Zm-ajax | 2024-01-09 | N/A | 4.7 MEDIUM |
| A vulnerability has been found in Zimbra zm-ajax up to 8.8.1 and classified as problematic. Affected by this vulnerability is the function XFormItem.prototype.setError of the file WebRoot/js/ajax/dwt/xforms/XFormItem.js. The manipulation of the argument message leads to cross site scripting. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 8.8.2 is able to address this issue. The identifier of the patch is 8d039d6efe80780adc40c6f670c06d21de272105. It is recommended to upgrade the affected component. The identifier VDB-249421 was assigned to this vulnerability. | |||||
| CVE-2023-48121 | 1 Ezviz | 8 Cs-c3n-a0-3h2wfrl, Cs-c3n-a0-3h2wfrl Firmware, Cs-c6cn-a0-3h2wfr and 5 more | 2024-01-09 | N/A | 5.3 MEDIUM |
| An authentication bypass vulnerability in the Direct Connection Module in Ezviz CS-C6N-xxx prior to v5.3.x build 20230401, Ezviz CS-CV310-xxx prior to v5.3.x build 20230401, Ezviz CS-C6CN-xxx prior to v5.3.x build 20230401, Ezviz CS-C3N-xxx prior to v5.3.x build 20230401 allows remote attackers to obtain sensitive information by sending crafted messages to the affected devices. | |||||
| CVE-2015-10128 | 1 Royaltechbd | 1 Royal Prettyphoto | 2024-01-09 | N/A | 6.1 MEDIUM |
| A vulnerability was found in rt-prettyphoto Plugin up to 1.2 on WordPress and classified as problematic. Affected by this issue is the function royal_prettyphoto_plugin_links of the file rt-prettyphoto.php. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.3 is able to address this issue. The patch is identified as 0d3d38cfa487481b66869e4212df1cefc281ecb7. It is recommended to upgrade the affected component. VDB-249422 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-42797 | 2024-01-09 | N/A | 6.6 MEDIUM | ||
| A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05.20), CP-8050 MASTER MODULE (All versions < CPCI85 V05.20). The network configuration service of affected devices contains a flaw in the conversion of ipv4 addresses that could lead to an uninitialized variable being used in succeeding validation steps. By uploading specially crafted network configuration, an authenticated remote attacker could be able to inject commands that are executed on the device with root privileges during device startup. | |||||
| CVE-2023-46282 | 1 Siemens | 4 Opcenter Quality, Simatic Pcs Neo, Sinumerik Integrate Runmyhmi \/automotive and 1 more | 2024-01-09 | N/A | 6.1 MEDIUM |
| A vulnerability has been identified in Opcenter Quality (All versions), SIMATIC PCS neo (All versions < V4.1), SINUMERIK Integrate RunMyHMI /Automotive (All versions), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 7), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the affected applications that could allow an attacker to inject arbitrary JavaScript code. The code could be potentially executed later by another (possibly privileged) user. | |||||
| CVE-2023-31238 | 1 Siemens | 2 Q200, Q200 Firmware | 2024-01-09 | N/A | 4.8 MEDIUM |
| A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60). Affected devices are missing cookie protection flags when using the default settings. An attacker who gains access to a session token can use it to impersonate a legitimate application user. | |||||
| CVE-2019-19296 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 4.9 MEDIUM | 6.8 MEDIUM |
| A vulnerability has been identified in SiNVR/SiVMS Video Server (All versions < V5.0.0). The two FTP services (default ports 21/tcp and 5411/tcp) of the SiVMS/SiNVR Video Server contain a path traversal vulnerability that could allow an authenticated remote attacker to access and download arbitrary files from the server, if the FTP services are enabled. | |||||
| CVE-2019-19295 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The Control Center Server (CCS) does not enforce logging of security-relevant activities in its XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. An authenticated remote attacker could exploit this vulnerability to perform covert actions that are not visible in the application log. | |||||
| CVE-2019-19294 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 3.5 LOW | 6.3 MEDIUM |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The web interface of the Control Center Server (CCS) contains multiple stored Cross-site Scripting (XSS) vulnerabilities in several input fields. This could allow an authenticated remote attacker to inject malicious JavaScript code into the CCS web application that is later executed in the browser context of any other user who views the relevant CCS web content. | |||||
| CVE-2019-19293 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The web interface of the Control Center Server (CCS) contains a reflected Cross-site Scripting (XSS) vulnerability that could allow an unauthenticated remote attacker to steal sensitive data or execute administrative actions on behalf of a legitimate administrator of the CCS web interface. | |||||
| CVE-2019-19291 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 3.5 LOW | 5.3 MEDIUM |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0), SiNVR/SiVMS Video Server (All versions < V5.0.0). The FTP services of the SiVMS/SiNVR Video Server and the Control Center Server (CCS) maintain log files that store login credentials in cleartext. In configurations where the FTP service is enabled, authenticated remote attackers could extract login credentials of other users of the service. | |||||
| CVE-2019-19290 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The DOWNLOADS section in the web interface of the Control Center Server (CCS) contains a path traversal vulnerability that could allow an authenticated remote attacker to access and download arbitrary files from the server where CCS is installed. | |||||
| CVE-2019-18341 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The SFTP service (default port 22/tcp) of the Control Center Server (CCS) contains an authentication bypass vulnerability. A remote attacker with network access to the CCS server could exploit this vulnerability to read data from the EDIR directory (for example, the list of all configured stations). | |||||
| CVE-2019-18340 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0), Control Center Server (CCS) (All versions >= V1.5.0), SiNVR/SiVMS Video Server (All versions < V5.0.0), SiNVR/SiVMS Video Server (All versions >= V5.0.0). Both the SiVMS/SiNVR Video Server and the Control Center Server (CCS) store user and device passwords by applying weak cryptography. A local attacker could exploit this vulnerability to extract the passwords from the user database and/or the device configuration files to conduct further attacks. | |||||
| CVE-2019-13947 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The user configuration menu in the web interface of the Control Center Server (CCS) transfers user passwords in clear to the client (browser). An attacker with administrative privileges for the web interface could be able to read (and not only reset) passwords of other CCS users. | |||||
| CVE-2023-51765 | 3 Freebsd, Redhat, Sendmail | 3 Freebsd, Enterprise Linux, Sendmail | 2024-01-09 | N/A | 5.3 MEDIUM |
| sendmail through 8.17.2 allows SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because sendmail supports <LF>.<CR><LF> but some other popular e-mail servers do not. This is resolved in 8.18 and later versions with 'o' in srv_features. | |||||
| CVE-2020-24706 | 1 Wso2 | 6 Api Manager, Api Manager Analytics, Identity Server and 3 more | 2024-01-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0. | |||||
| CVE-2022-34781 | 1 Jenkins | 1 Xebialabs Xl Release | 2024-01-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-30957 | 1 Jenkins | 1 Ssh | 2024-01-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-28133 | 1 Jenkins | 1 Bitbucket Server Integration | 2024-01-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers. | |||||
| CVE-2022-47928 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-01-09 | N/A | 6.1 MEDIUM |
| In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp. | |||||
| CVE-2023-28884 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-01-09 | N/A | 6.1 MEDIUM |
| In MISP 2.4.169, app/Lib/Tools/CustomPaginationTool.php allows XSS in the community index. | |||||
| CVE-2023-37307 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-01-09 | N/A | 5.4 MEDIUM |
| In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts. | |||||
| CVE-2023-2541 | 1 Knime | 1 Business Hub | 2024-01-09 | N/A | 5.3 MEDIUM |
| The Web Frontend of KNIME Business Hub before 1.4.0 allows an unauthenticated remote attacker to access internals about the application such as versions, host names, or IP addresses. No personal information or application data was exposed. | |||||