Search
Total
21119 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-34054 | 1 Pivotal | 1 Reactor Netty | 2023-12-04 | N/A | 7.5 HIGH |
| In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled. | |||||
| CVE-2023-46944 | 1 Gitkraken | 1 Gitlens | 2023-12-04 | N/A | 7.8 HIGH |
| An issue in GitKraken GitLens before v.14.0.0 allows an attacker to execute arbitrary code via a crafted file to the Visual Studio Codes workspace trust component. | |||||
| CVE-2023-42505 | 1 Apache | 1 Superset | 2023-12-04 | N/A | 4.3 MEDIUM |
| An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection's username. This issue affects Apache Superset before 3.0.0. | |||||
| CVE-2023-40699 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2023-12-04 | N/A | 7.5 HIGH |
| IBM InfoSphere Information Server 11.7 could allow a remote attacker to cause a denial of service due to improper input validation. IBM X-Force ID: 265161. | |||||
| CVE-2023-48193 | 1 Fit2cloud | 1 Jumpserver | 2023-12-04 | N/A | 9.8 CRITICAL |
| Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary code via bypassing the command filtering function. | |||||
| CVE-2023-30588 | 1 Nodejs | 1 Node.js | 2023-12-04 | N/A | 5.3 MEDIUM |
| When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. | |||||
| CVE-2023-6248 | 1 Digitalcomtech | 2 Syrus 4g Iot Telematics Gateway, Syrus 4g Iot Telematics Gateway Firmware | 2023-12-04 | N/A | 9.8 CRITICAL |
| The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connected device. An attacker who knows the IP address of the server is able to connect and perform the following operations: * Get location data of the vehicle the device is connected to * Send CAN bus messages via the ECU module ( https://syrus.digitalcomtech.com/docs/ecu-1 https://syrus.digitalcomtech.com/docs/ecu-1 ) * Immobilize the vehicle via the safe-immobilizer module ( https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization ) * Get live video through the connected video camera * Send audio messages to the driver ( https://syrus.digitalcomtech.com/docs/system-tools#apx-tts https://syrus.digitalcomtech.com/docs/system-tools#apx-tts ) | |||||
| CVE-2023-5553 | 1 Axis | 2 Axis Os, Axis Os 2022 | 2023-12-04 | N/A | 6.8 MEDIUM |
| During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis' knowledge, there are no known exploits of the vulnerability at this time. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | |||||
| CVE-2022-48521 | 1 Opendkim | 1 Opendkim | 2023-12-03 | N/A | 5.3 MEDIUM |
| An issue was discovered in OpenDKIM through 2.10.3, and 2.11.x through 2.11.0-Beta2. It fails to keep track of ordinal numbers when removing fake Authentication-Results header fields, which allows a remote attacker to craft an e-mail message with a fake sender address such that programs that rely on Authentication-Results from OpenDKIM will treat the message as having a valid DKIM signature when in fact it has none. | |||||
| CVE-2023-24023 | 1 Bluetooth | 1 Bluetooth Core Specification | 2023-12-02 | N/A | 6.8 MEDIUM |
| Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS. | |||||
| CVE-2023-30585 | 1 Nodejs | 1 Node.js | 2023-12-02 | N/A | 7.5 HIGH |
| A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the "msiexec.exe" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or "non-privileged") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged "msiexec.exe" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations. It is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue. | |||||
| CVE-2014-125093 | 1 Getadmiral | 1 Ad Blocking Detector | 2023-12-01 | N/A | 7.5 HIGH |
| A vulnerability has been found in Ad Blocking Detector Plugin up to 1.2.1 on WordPress and classified as problematic. This vulnerability affects unknown code of the file ad-blocking-detector.php. The manipulation leads to information disclosure. The attack can be initiated remotely. Upgrading to version 1.2.2 is able to address this issue. The patch is identified as 3312b9cd79e5710d1e282fc9216a4e5ab31b3d94. It is recommended to upgrade the affected component. VDB-222610 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-48713 | 1 Knative | 1 Serving | 2023-12-01 | N/A | 5.3 MEDIUM |
| Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls a pod to a degree where they can control the responses from the /metrics endpoint can cause Denial-of-Service of the autoscaler from an unbound memory allocation bug. This is a DoS vulnerability, where a non-privileged Knative user can cause a DoS for the cluster. This issue has been patched in version 0.39.0. | |||||
| CVE-2023-6202 | 1 Mattermost | 1 Mattermost | 2023-12-01 | N/A | 4.3 MEDIUM |
| Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards. | |||||
| CVE-2023-45223 | 1 Mattermost | 1 Mattermost | 2023-12-01 | N/A | 4.3 MEDIUM |
| Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled. | |||||
| CVE-2023-43754 | 1 Mattermost | 1 Mattermost | 2023-12-01 | N/A | 4.3 MEDIUM |
| Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled. | |||||
| CVE-2023-5845 | 1 Wpbrigade | 1 Simple Social Buttons | 2023-12-01 | N/A | 5.3 MEDIUM |
| The Simple Social Media Share Buttons WordPress plugin before 5.1.1 leaks password-protected post content to unauthenticated visitors in some meta tags | |||||
| CVE-2023-5906 | 1 Themehigh | 1 Job Manager \& Career | 2023-12-01 | N/A | 7.5 HIGH |
| The Job Manager & Career WordPress plugin before 1.4.4 contains a vulnerability in the Directory Listings system, which allows an unauthorized user to view and download private files of other users. This vulnerability poses a serious security threat because it allows an attacker to gain access to confidential data and files of other users without their permission. | |||||
| CVE-2023-48796 | 1 Apache | 1 Dolphinscheduler | 2023-12-01 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file ``` management: endpoints: web: exposure: include: health,metrics,prometheus ``` This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue. | |||||
| CVE-2023-47503 | 1 Jflyfox | 1 Jfinal Cms | 2023-12-01 | N/A | 9.8 CRITICAL |
| An issue in jflyfox jfinalCMS v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the login.jsp component in the template management module. | |||||
| CVE-2023-5239 | 1 Cleantalk | 1 Security \& Malware Scan | 2023-12-01 | N/A | 7.5 HIGH |
| The Security & Malware scan by CleanTalk WordPress plugin before 2.121 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass bruteforce protection. | |||||
| CVE-2023-48646 | 1 Zohocorp | 1 Manageengine Recoverymanager Plus | 2023-12-01 | N/A | 7.2 HIGH |
| Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings. | |||||
| CVE-2023-49322 | 4 Apple, F-secure, Linux and 1 more | 10 Macos, Atlant, Client Security and 7 more | 2023-12-01 | N/A | 7.5 HIGH |
| Certain WithSecure products allow a Denial of Service because there is an unpack handler crash that can lead to a scanning engine crash. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, WithSecure Linux Security 64 12.0, WithSecure Linux Protection 12.0, and WithSecure Atlant 1.0.35-1. | |||||
| CVE-2023-49321 | 4 Apple, F-secure, Linux and 1 more | 10 Macos, Atlant, Client Security and 7 more | 2023-12-01 | N/A | 5.3 MEDIUM |
| Certain WithSecure products allow a Denial of Service because scanning a crafted file takes a long time, and causes the scanner to hang. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, WithSecure Linux Security 64 12.0, WithSecure Linux Protection 12.0, and WithSecure Atlant 1.0.35-1. | |||||
| CVE-2023-49102 | 1 Nzbget | 1 Nzbget | 2023-12-01 | N/A | 8.8 HIGH |
| NZBGet 21.1 allows authenticated remote code execution because the unarchive programs (7za and unrar) preserve executable file permissions. An attacker with the Control capability can execute a file by setting the value of SevenZipCommand or UnrarCmd. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-47263 | 4 Apple, Linux, Microsoft and 1 more | 10 Macos, Linux Kernel, Windows and 7 more | 2023-12-01 | N/A | 7.5 HIGH |
| Certain WithSecure products allow a Denial of Service (DoS) in the antivirus engine when scanning a fuzzed PE32 file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, WithSecure Linux Security 64 12.0, WithSecure Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 15 and later. | |||||
| CVE-2023-20084 | 1 Cisco | 2 Secure Endpoint, Secure Endpoint Private Cloud | 2023-12-01 | N/A | 4.4 MEDIUM |
| A vulnerability in the endpoint software of Cisco Secure Endpoint for Windows could allow an authenticated, local attacker to evade endpoint protection within a limited time window. This vulnerability is due to a timing issue that occurs between various software components. An attacker could exploit this vulnerability by persuading a user to put a malicious file into a specific folder and then persuading the user to execute the file within a limited time window. A successful exploit could allow the attacker to cause the endpoint software to fail to quarantine the malicious file or kill its process. Note: This vulnerability only applies to deployments that have the Windows Folder Redirection feature enabled. | |||||
| CVE-2023-49068 | 1 Apache | 1 Dolphinscheduler | 2023-12-01 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators. | |||||
| CVE-2023-48948 | 1 Openlinksw | 1 Virtuoso | 2023-11-30 | N/A | 7.5 HIGH |
| An issue in the box_div function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement. | |||||
| CVE-2023-48947 | 1 Openlinksw | 1 Virtuoso | 2023-11-30 | N/A | 7.5 HIGH |
| An issue in the cha_cmp function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement. | |||||
| CVE-2023-48946 | 1 Openlinksw | 1 Virtuoso | 2023-11-30 | N/A | 7.5 HIGH |
| An issue in the box_mpy function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement. | |||||
| CVE-2023-48949 | 1 Openlinksw | 1 Virtuoso | 2023-11-30 | N/A | 7.5 HIGH |
| An issue in the box_add function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement. | |||||
| CVE-2023-48950 | 1 Openlinksw | 1 Virtuoso | 2023-11-30 | N/A | 7.5 HIGH |
| An issue in the box_col_len function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement. | |||||
| CVE-2023-48951 | 1 Openlinksw | 1 Virtuoso | 2023-11-30 | N/A | 7.5 HIGH |
| An issue in the box_equal function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement. | |||||
| CVE-2023-6156 | 1 Tribe29 | 1 Checkmk | 2023-11-30 | N/A | 8.8 HIGH |
| Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users. | |||||
| CVE-2023-6157 | 1 Tribe29 | 1 Checkmk | 2023-11-30 | N/A | 8.8 HIGH |
| Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users. | |||||
| CVE-2023-48176 | 1 Mizhexiaoxiao | 1 Websiteguide | 2023-11-30 | N/A | 9.8 CRITICAL |
| An Insecure Permissions issue in WebsiteGuide v.0.2 allows a remote attacker to gain escalated privileges via crafted jwt (JSON web token). | |||||
| CVE-2023-5559 | 1 10web | 1 10web Booster | 2023-11-30 | N/A | 9.1 CRITICAL |
| The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service. | |||||
| CVE-2021-37942 | 1 Elastic | 1 Apm Java Agent | 2023-11-30 | N/A | 7.8 HIGH |
| A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious plugin to an application running the APM Java agent. By using this vulnerability, an attacker could execute code at a potentially higher level of permissions than their user typically has access to. | |||||
| CVE-2023-38156 | 1 Microsoft | 1 Azure Hdinsights | 2023-11-30 | N/A | 7.2 HIGH |
| Azure HDInsight Apache Ambari JDBC Injection Elevation of Privilege Vulnerability | |||||
| CVE-2023-36419 | 1 Microsoft | 1 Azure Hdinsights | 2023-11-30 | N/A | 9.8 CRITICAL |
| Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability | |||||
| CVE-2022-25181 | 1 Jenkins | 1 Pipeline\ | 2023-11-30 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global Pipeline library already exists. | |||||
| CVE-2022-25182 | 1 Jenkins | 1 Pipeline\ | 2023-11-30 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller JVM using specially crafted library names if a global Pipeline library is already configured. | |||||
| CVE-2021-37937 | 1 Elastic | 1 Elasticsearch | 2023-11-30 | N/A | 8.8 HIGH |
| An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised Fleet-Server service account could escalate themselves to a super-user. | |||||
| CVE-2016-1286 | 7 Canonical, Debian, Fedoraproject and 4 more | 47 Ubuntu Linux, Debian Linux, Fedora and 44 more | 2023-11-30 | 5.0 MEDIUM | 8.6 HIGH |
| named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted signature record for a DNAME record, related to db.c and resolver.c. | |||||
| CVE-2016-1285 | 7 Canonical, Debian, Fedoraproject and 4 more | 47 Ubuntu Linux, Debian Linux, Fedora and 44 more | 2023-11-30 | 4.3 MEDIUM | 6.8 MEDIUM |
| named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does not properly handle DNAME records when parsing fetch reply messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka control channel) interface, related to alist.c and sexpr.c. | |||||
| CVE-2023-47244 | 1 Omnisend | 1 Email Marketing For Woocommerce | 2023-11-30 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Omnisend Email Marketing for WooCommerce by Omnisend.This issue affects Email Marketing for WooCommerce by Omnisend: from n/a through 1.13.8. | |||||
| CVE-2023-47529 | 1 Themeisle | 1 Cloud Templates \& Patterns Collection | 2023-11-30 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ThemeIsle Cloud Templates & Patterns collection.This issue affects Cloud Templates & Patterns collection: from n/a through 1.2.2. | |||||
| CVE-2023-28813 | 1 Hikvision | 1 Localservicecomponents | 2023-11-30 | N/A | 7.5 HIGH |
| An attacker could exploit a vulnerability by sending crafted messages to computers installed with this plug-in to modify plug-in parameters, which could cause affected computers to download malicious files. | |||||
| CVE-2023-5720 | 1 Quarkus | 1 Quarkus | 2023-11-30 | N/A | 7.5 HIGH |
| A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application. | |||||