Search
Total
21119 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-50443 | 2 Microsoft, Primx | 2 Windows, Cryhod | 2023-12-20 | N/A | 4.6 MEDIUM |
| Encrypted disks created by PRIMX CRYHOD for Windows before Q.2020.4 (ANSSI qualification submission) or CRYHOD for Windows before 2023.5 can be modified by an unauthenticated attacker to include a UNC reference so that it could trigger outbound network traffic from computers on which disks are opened. | |||||
| CVE-2023-6660 | 1 Freebsd | 1 Freebsd | 2023-12-20 | N/A | 6.5 MEDIUM |
| When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever data had been in the packet buffer previously. Thus, an unprivileged user with access to an affected system may abuse the bug to trigger disclosure of sensitive information. In particular, the leak is limited to data previously stored in mbufs, which are used for network transmission and reception, and for certain types of inter-process communication. The bug can also be triggered unintentionally by system applications, in which case the data written by the application to an NFS mount may be corrupted. Corrupted data is written over the network to the NFS server, and thus also susceptible to being snooped by other hosts on the network. Note that the bug exists only in the NFS client; the version and implementation of the server has no effect on whether a given system is affected by the problem. | |||||
| CVE-2023-45725 | 1 Apache | 1 Couchdb | 2023-12-20 | N/A | 5.7 MEDIUM |
| Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document. These design document functions are: * list * show * rewrite * update An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an "update" function. For the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document. Workaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object's headers | |||||
| CVE-2023-50441 | 1 Primx | 1 Zonecentral | 2023-12-20 | N/A | 5.5 MEDIUM |
| Encrypted folders created by PRIMX ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission) or ZONECENTRAL for Windows before 2023.5 can be modified by an unauthenticated attacker to include a UNC reference so that it could trigger outbound network traffic from computers on which folders are opened. | |||||
| CVE-2023-50439 | 1 Primx | 3 Zed\!, Zedmail, Zonecentral | 2023-12-20 | N/A | 5.3 MEDIUM |
| ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission), ZED! for Windows before Q.2021.2 (ANSSI qualification submission), ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission), ZONECENTRAL for Windows before 2023.5, or ZEDMAIL for Windows before 2023.5 disclose the original path in which the containers were created, which allows an unauthenticated attacker to obtain some information regarding the context of use (project name, etc.). | |||||
| CVE-2023-50442 | 1 Primx | 1 Zonecentral | 2023-12-20 | N/A | 5.5 MEDIUM |
| Encrypted folders created by PRIMX ZONECENTRAL through 2023.5 can be modified by a local attacker (with appropriate privileges) so that specific file types are excluded from encryption temporarily. (This modification can, however, be detected, as described in the Administrator Guide.) | |||||
| CVE-2023-50440 | 1 Primx | 3 Zed\!, Zedmail, Zonecentral | 2023-12-20 | N/A | 5.5 MEDIUM |
| ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission); ZED! for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before 2023.5; ZEDMAIL for Windows before 2023.5; ZED! for Windows, Mac, Linux before 2023.5; ZEDFREE for Windows, Mac, Linux before 2023.5; or ZEDPRO for Windows, Mac, Linux before 2023.5 can be modified by an unauthenticated attacker to include a UNC reference so that it could trigger network access to an attacker-controlled computer when opened by the victim. | |||||
| CVE-2022-24480 | 1 Microsoft | 1 Outlook | 2023-12-20 | N/A | 6.3 MEDIUM |
| Outlook for Android Elevation of Privilege Vulnerability | |||||
| CVE-2023-39340 | 1 Ivanti | 1 Connect Secure | 2023-12-20 | N/A | 7.5 HIGH |
| A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker can send a specific request which may lead to Denial of Service (DoS) of the appliance. | |||||
| CVE-2023-28022 | 1 Hcltech | 1 Connections | 2023-12-20 | N/A | 6.5 MEDIUM |
| HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data. | |||||
| CVE-2023-45894 | 1 Parallels | 1 Remote Application Server | 2023-12-20 | N/A | 10.0 CRITICAL |
| The Remote Application Server in Parallels RAS before 19.2.23975 does not segment virtualized applications from the server, which allows a remote attacker to achieve remote code execution via standard kiosk breakout techniques. | |||||
| CVE-2020-17485 | 1 Uffizio | 1 Gps Tracker | 2023-12-20 | N/A | 9.8 CRITICAL |
| A Remote Code Execution vulnerability exist in Uffizio's GPS Tracker all versions. The web server can be compromised by uploading and executing a web/reverse shell. An attacker could then run commands, browse system files, and browse local resources | |||||
| CVE-2020-17483 | 1 Uffizio | 1 Gps Tracker | 2023-12-20 | N/A | 7.5 HIGH |
| An improper access control vulnerability exists in Uffizio's GPS Tracker all versions that lead to sensitive information disclosure of all the connected devices. By visiting the vulnerable host at port 9000, we see it responds with a JSON body that has all the details about the devices which have been deployed. | |||||
| CVE-2021-42794 | 1 Aveva | 1 Edge | 2023-12-20 | N/A | 5.3 MEDIUM |
| An issue was discovered in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior. The application allows a client to provide a malicious connection string that could allow an adversary to port scan the LAN, depending on the hosts' responses. | |||||
| CVE-2023-5870 | 2 Postgresql, Redhat | 16 Postgresql, Codeready Linux Builder Eus, Codeready Linux Builder Eus For Power Little Endian Eus and 13 more | 2023-12-20 | N/A | 4.4 MEDIUM |
| A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack. | |||||
| CVE-2023-39418 | 2 Postgresql, Redhat | 2 Postgresql, Enterprise Linux | 2023-12-20 | N/A | 4.3 MEDIUM |
| A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows. | |||||
| CVE-2023-5868 | 2 Postgresql, Redhat | 16 Postgresql, Codeready Linux Builder Eus, Codeready Linux Builder Eus For Power Little Endian Eus and 13 more | 2023-12-20 | N/A | 4.3 MEDIUM |
| A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory. | |||||
| CVE-2023-47271 | 1 Sfu | 1 Pkp Web Application Library | 2023-12-20 | N/A | 5.3 MEDIUM |
| PKP-WAL (aka PKP Web Application Library or pkp-lib) before 3.3.0-16, as used in Open Journal Systems (OJS) and other products, does not verify that the file named in an XML document (used for the native import/export plugin) is an image file, before trying to use it for an issue cover image. | |||||
| CVE-2023-42883 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2023-12-19 | N/A | 5.5 MEDIUM |
| The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2, tvOS 17.2, iOS 16.7.3 and iPadOS 16.7.3. Processing an image may lead to a denial-of-service. | |||||
| CVE-2023-50720 | 1 Xwiki | 1 Xwiki | 2023-12-19 | N/A | 5.3 MEDIUM |
| XWiki Platform is a generic wiki platform. Prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. To demonstrate the vulnerability, search for `objcontent:email*` using XWiki's regular search interface. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1 by not indexing email address properties when obfuscation is enabled. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-4020 | 1 Silabs | 1 Gecko Software Development Kit | 2023-12-19 | N/A | 9.1 CRITICAL |
| An unvalidated input in a library function responsible for communicating between secure and non-secure memory in Silicon Labs TrustZone implementation allows reading/writing of memory in the secure region of memory from the non-secure region of memory. | |||||
| CVE-2023-36878 | 1 Microsoft | 1 Edge Chromium | 2023-12-19 | N/A | 4.3 MEDIUM |
| Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | |||||
| CVE-2023-27317 | 1 Netapp | 1 Ontap | 2023-12-19 | N/A | 4.6 MEDIUM |
| ONTAP 9 versions 9.12.1P8, 9.13.1P4, and 9.13.1P5 are susceptible to a vulnerability which will cause all SAS-attached FIPS 140-2 drives to become unlocked after a system reboot or power cycle or a single SAS-attached FIPS 140-2 drive to become unlocked after reinsertion. This could lead to disclosure of sensitive information to an attacker with physical access to the unlocked drives. | |||||
| CVE-2023-25650 | 1 Zte | 2 Zxcloud Irai, Zxcloud Irai Firmware | 2023-12-19 | N/A | 6.5 MEDIUM |
| There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads. | |||||
| CVE-2023-48085 | 1 Nagios | 1 Nagios Xi | 2023-12-19 | N/A | 9.8 CRITICAL |
| Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php. | |||||
| CVE-2023-47261 | 1 Dokmee | 1 Enterprise Content Management | 2023-12-19 | N/A | 9.8 CRITICAL |
| Dokmee ECM 7.4.6 allows remote code execution because the response to a GettingStarted/SaveSQLConnectionAsync /#/gettingstarted request contains a connection string for privileged SQL Server database access, and xp_cmdshell can be enabled. | |||||
| CVE-2023-48671 | 1 Dell | 3 Powermax Os, Solutions Enabler Virtual Appliance, Unisphere For Powermax Virtual Appliance | 2023-12-19 | N/A | 7.5 HIGH |
| Dell vApp Manager, versions prior to 9.2.4.x contain an information disclosure vulnerability. A remote attacker could potentially exploit this vulnerability leading to obtain sensitive information that may aid in further attacks. | |||||
| CVE-2023-50918 | 1 Misp | 1 Misp | 2023-12-19 | N/A | 9.8 CRITICAL |
| app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs. | |||||
| CVE-2023-43583 | 1 Zoom | 3 Meeting Software Development Kit, Video Software Development Kit, Zoom | 2023-12-19 | N/A | 4.9 MEDIUM |
| Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access. | |||||
| CVE-2023-50709 | 1 Cube | 1 Cube.js | 2023-12-19 | N/A | 7.5 HIGH |
| Cube is a semantic layer for building data applications. Prior to version 0.34.34, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. The issue has been patched in `v0.34.34` and it's recommended that all users exposing Cube APIs to the public internet upgrade to the latest version to prevent service disruption. There are currently no workaround for older versions, and the recommendation is to upgrade. | |||||
| CVE-2023-49580 | 1 Sap | 1 Graphical User Interface | 2023-12-19 | N/A | 7.3 HIGH |
| SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to create Layout configurations of the ABAP List Viewer and with this causing a mild impact on integrity and availability, e.g. also increasing the response times of the AS ABAP. | |||||
| CVE-2023-50011 | 1 Popojicms | 1 Popojicms | 2023-12-19 | N/A | 7.2 HIGH |
| PopojiCMS version 2.0.1 is vulnerable to remote command execution in the Meta Social field. | |||||
| CVE-2023-45166 | 1 Ibm | 2 Aix, Vios | 2023-12-19 | N/A | 7.8 HIGH |
| IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the piodmgrsu command to obtain elevated privileges. IBM X-Force ID: 267964. | |||||
| CVE-2023-45170 | 1 Ibm | 2 Aix, Vios | 2023-12-19 | N/A | 7.8 HIGH |
| IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the piobe command to escalate privileges or cause a denial of service. IBM X-Force ID: 267968. | |||||
| CVE-2023-45174 | 1 Ibm | 2 Aix, Vios | 2023-12-19 | N/A | 7.8 HIGH |
| IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a privileged local user to exploit a vulnerability in the qdaemon command to escalate privileges or cause a denial of service. IBM X-Force ID: 267972. | |||||
| CVE-2023-41720 | 1 Ivanti | 1 Connect Secure | 2023-12-19 | N/A | 7.8 HIGH |
| A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker with a foothold on an Ivanti Connect Secure (ICS) appliance can escalate their privileges by exploiting a vulnerable installed application. This vulnerability allows the attacker to gain elevated execution privileges on the affected system. | |||||
| CVE-2023-41719 | 1 Ivanti | 1 Connect Secure | 2023-12-19 | N/A | 7.2 HIGH |
| A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker impersonating an administrator may craft a specific web request which may lead to remote code execution. | |||||
| CVE-2023-25644 | 1 Zte | 4 Mc801a, Mc801a1, Mc801a1 Firmware and 1 more | 2023-12-18 | N/A | 7.5 HIGH |
| There is a denial of service vulnerability in some ZTE mobile internet products. Due to insufficient validation of Web interface parameter, an attacker could use the vulnerability to perform a denial of service attack. | |||||
| CVE-2023-6381 | 1 Supermailer | 1 Supermailer | 2023-12-18 | N/A | 5.5 MEDIUM |
| Improper input validation vulnerability in Newsletter Software SuperMailer affecting version 11.20.0.2204. An attacker could exploit this vulnerability by sending a malicious configuration file (file with SMB extension) to a user via a link or email attachment and persuade the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to crash the application when attempting to load the malicious file. | |||||
| CVE-2023-21751 | 1 Microsoft | 1 Azure Devops Server | 2023-12-18 | N/A | 6.5 MEDIUM |
| Azure DevOps Server Spoofing Vulnerability | |||||
| CVE-2023-34064 | 1 Vmware | 1 Workspace One Launcher | 2023-12-18 | N/A | 4.6 MEDIUM |
| Workspace ONE Launcher contains a Privilege Escalation Vulnerability. A malicious actor with physical access to Workspace ONE Launcher could utilize the Edge Panel feature to bypass setup to gain access to sensitive information. | |||||
| CVE-2023-4694 | 1 Hp | 24 Officejet Pro 8730 D9l19a, Officejet Pro 8730 D9l19a Firmware, Officejet Pro 8730 J7a28a and 21 more | 2023-12-18 | N/A | 7.5 HIGH |
| Certain HP OfficeJet Pro printers are potentially vulnerable to a Denial of Service when sending a SOAP message to the service on TCP port 3911 that contains a body but no header. | |||||
| CVE-2023-50495 | 1 Invisible-island | 1 Ncurse | 2023-12-18 | N/A | 6.5 MEDIUM |
| NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry(). | |||||
| CVE-2023-50764 | 1 Jenkins | 1 Scriptler | 2023-12-18 | N/A | 8.1 HIGH |
| Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system. | |||||
| CVE-2023-36004 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2023-12-18 | N/A | 7.5 HIGH |
| Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability | |||||
| CVE-2023-36006 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2023-12-18 | N/A | 8.8 HIGH |
| Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | |||||
| CVE-2023-36003 | 1 Microsoft | 11 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 8 more | 2023-12-18 | N/A | 7.3 HIGH |
| XAML Diagnostics Elevation of Privilege Vulnerability | |||||
| CVE-2023-36005 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2023-12-18 | N/A | 8.1 HIGH |
| Windows Telephony Server Elevation of Privilege Vulnerability | |||||
| CVE-2023-36009 | 1 Microsoft | 2 365 Apps, Office | 2023-12-18 | N/A | 5.5 MEDIUM |
| Microsoft Word Information Disclosure Vulnerability | |||||
| CVE-2023-36010 | 1 Microsoft | 1 Malware Protection Platform | 2023-12-18 | N/A | 7.5 HIGH |
| Microsoft Defender Denial of Service Vulnerability | |||||