Total: 437 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-27932 | 2 Apple, Debian | 7 Ipados, Iphone Os, Macos and 4 more | 2025-01-29 | N/A | 5.5 MEDIUM | This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, tvOS 16.4, watchOS 9.4. Processing maliciously crafted web content may bypass Same Origin Policy. |
| CVE-2023-27962 | 1 Apple | 1 Macos | 2025-01-29 | N/A | 5.5 MEDIUM | A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. An app may be able to modify protected parts of the file system. |
| CVE-2023-27944 | 1 Apple | 1 Macos | 2025-01-29 | N/A | 8.6 HIGH | This issue was addressed with a new entitlement. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. An app may be able to break out of its sandbox. |
| CVE-2023-28318 | 1 Rocket.chat | 1 Rocket.chat | 2025-01-28 | N/A | 5.3 MEDIUM | A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the Message_KeepHistory or Message_ShowDeletedStatus server configuration. This allows users to bypass the intended message deletion behavior, hiding messages and deletion notices. |
| CVE-2023-23578 | 1 Seiko-sol | 2 Skybridge Mb-a200, Skybridge Mb-a200 Firmware | 2025-01-28 | N/A | 7.5 HIGH | Improper access control vulnerability in SkyBridge MB-A200 firmware Ver. 01.00.05 and earlier allows a remote unauthenticated attacker to connect to the product's ADB port. |
| CVE-2024-22062 | 1 Zte | 1 Zxcloud Irai | 2025-01-28 | N/A | 6.3 MEDIUM | There is a permissions and access control vulnerability in ZXCLOUD IRAI. An attacker can elevate non-administrator permissions to administrator permissions by modifying the configuration. |
| CVE-2023-32993 | 1 Jenkins | 1 Saml Single Sign On | 2025-01-23 | N/A | 4.8 MEDIUM | Jenkins SAML Single Sign On (SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections. |
| CVE-2024-25996 | 1 Phoenixcontact | 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more | 2025-01-23 | N/A | 5.3 MEDIUM | An unauthenticated remote attacker can perform a remote code execution due to an origin validation error. The access is limited to the service user. |
| CVE-2024-26135 | 1 Meshcentral | 1 Meshcentral | 2025-01-16 | N/A | 8.3 HIGH | MeshCentral is a full computer management web site. Versions prior to 1.1.21 contain a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosting an attacker-controlled site. The attacker can then originate a cross-site websocket co ... |
| CVE-2023-23561 | 1 Stormshield | 1 Endpoint Security | 2025-01-14 | N/A | 5.5 MEDIUM | Stormshield Endpoint Security 2.3.0 through 2.3.2 has Incorrect Access Control: authenticated users can read sensitive information. |
| CVE-2023-29728 | 1 Applika | 1 Call Blocker | 2025-01-13 | N/A | 9.8 CRITICAL | The Call Blocker application 6.6.3 for Android allows attackers to tamper with feature-related data, resulting in a severe elevation of privilege attack. |
| CVE-2023-28349 | 2 Faronics, Microsoft | 2 Insight, Windows | 2025-01-13 | N/A | 8.8 HIGH | An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for an attacker to create a crafted program that functions similarly to the Teacher Console. This can compel Student Consoles to connect and put themselves at risk automatically. Connected Student Consoles can be compelled to write arbitrary files to arbitrary locations on disk with NT AUTHORITY/SYSTEM level permissions, enabling remote code execution. |
| CVE-2023-30196 | 1 Webbax | 1 Salesbooster | 2025-01-13 | N/A | 7.5 HIGH | Prestashop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via modules/salesbooster/downloads/download.php. |
| CVE-2023-29745 | 1 Bestweather Project | 1 Bestweather | 2025-01-13 | N/A | 7.1 HIGH | An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause a persistent denial of service attack by manipulating the database. |
| CVE-2023-29743 | 1 Bestweather Project | 1 Bestweather | 2025-01-13 | N/A | 7.5 HIGH | An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause a persistent denial of service attack by manipulating the database. |
| CVE-2023-33740 | 2 Google, Luowice | 2 Android, Luowice | 2025-01-13 | N/A | 7.5 HIGH | Incorrect access control in luowice v3.5.18 allows attackers to access cloud source code information via modification of the Verify parameter in a warning message. |
| CVE-2024-51072 | | | 2025-01-10 | N/A | 5.3 MEDIUM | An issue in KIA Seltos vehicle instrument cluster with software and hardware v1.0 allows attackers to cause a Denial of Service (DoS) via ECU reset UDS service. NOTE: this is disputed by the Supplier because the findings came from a potentially unrealistic test environment (an isolated ECU part that was not in a vehicle), and because the ECUReset specification does not allow a manufacturer to require SecurityAccess and Authentication. |
| CVE-2023-27745 | 1 Southrivertech | 1 Titan Ftp Server Nextgen | 2025-01-09 | N/A | 8.8 HIGH | An issue in South River Technologies TitanFTP before v2.0.1.2102 allows attackers with low-level privileges to perform administrative actions by sending requests to the user server. |
| CVE-2023-28164 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-01-09 | N/A | 6.5 MEDIUM | Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. |
| CVE-2023-2589 | 1 Gitlab | 1 Gitlab | 2025-01-07 | N/A | 5.9 MEDIUM | An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group. |
| CVE-2023-33443 | 1 Besder | 2 Bes--6024pb-i50h1, Videoplaytool | 2025-01-06 | N/A | 9.8 CRITICAL | Incorrect access control in the administrative functionalities of BES--6024PB-I50H1 VideoPlayTool v2.0.1.0 allows attackers to execute arbitrary administrative commands via a crafted payload sent to the desired endpoints. |
| CVE-2023-29751 | 1 Yandex | 1 Navigator | 2025-01-06 | N/A | 5.5 MEDIUM | An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files. |
| CVE-2023-29756 | 1 Urbanandroid | 1 Twilight | 2025-01-06 | N/A | 5.5 MEDIUM | An issue found in Twilight v.13.3 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files. |
| CVE-2023-29753 | 1 Ekatox | 1 Facemoji | 2025-01-06 | N/A | 5.5 MEDIUM | An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows a local attacker to cause a denial of service via the SharedPreference files. |
| CVE-2023-27360 | 1 Netgear | 2 Rax30, Rax30 Firmware | 2025-01-03 | N/A | 8.8 HIGH | NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the lighttpd HTTP server. The issue results from allowing execution of files from untrusted sources. An attacker can leverage this vulnerability to execute code in the context of root. ... |
| CVE-2024-44212 | 1 Apple | 6 Ipados, Iphone Os, Safari and 3 more | 2024-12-20 | N/A | 5.3 MEDIUM | A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1, visionOS 2.1, tvOS 18.1, iOS 18.1 and iPadOS 18.1, watchOS 11.1. Cookies belonging to one origin may be sent to another origin. |
| CVE-2023-30996 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-12-17 | N/A | 5.3 MEDIUM | IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 could be vulnerable to information leakage due to unverified sources in messages sent between Windows objects of different origins. IBM X-Force ID: 254290. |
| CVE-2024-2447 | 1 Mattermost | 1 Mattermost Server | 2024-12-13 | N/A | 6.5 MEDIUM | Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action. |
| CVE-2023-29711 | 1 Interlink | 2 Psg-5124, Psg-5124 Firmware | 2024-12-12 | N/A | 9.8 CRITICAL | An incorrect access control issue was discovered in Interlink PSG-5124 version 1.0.4, which allows attackers to execute arbitrary code via a crafted GET request. |
| CVE-2023-25366 | 1 Siglent | 2 Sds 1104x-e, Sds 1104x-e Firmware | 2024-12-12 | N/A | 9.8 CRITICAL | In Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS, the insecure SCPI interface discloses the web password. |
| CVE-2023-25188 | 1 Nokia | 2 Asika Airscale, Asika Airscale Firmware | 2024-12-12 | N/A | 5.1 MEDIUM | An issue was discovered on NOKIA Airscale ASIKA Single RAN devices before 21B. If/when CSP (as a BTS administrator) removes security hardenings from the Nokia Single RAN BTS baseband unit, the BTS baseband unit diagnostic tool AaShell (which is by default disabled) allows unauthenticated access from the mobile network solution internal BTS management network to the BTS embedded Linux operating-system level. |
| CVE-2024-0009 | 1 Paloaltonetworks | 1 Pan-os | 2024-12-09 | N/A | 6.3 MEDIUM | An improper verification vulnerability in the GlobalProtect gateway feature of Palo Alto Networks PAN-OS software enables a malicious user with stolen credentials to establish a VPN connection from an unauthorized IP address. |
| CVE-2022-46718 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2024-12-05 | N/A | 5.5 MEDIUM | A logic issue was addressed with improved restrictions. This issue is fixed in iOS 15.7.2 and iPadOS 15.7.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, macOS Monterey 12.6.2. An app may be able to read sensitive location information. |
| CVE-2022-42860 | 1 Apple | 1 Macos | 2024-12-05 | N/A | 5.5 MEDIUM | This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Monterey 12.6.1, macOS Big Sur 11.7.1, macOS Ventura 13. An app may be able to modify protected parts of the file system. |
| CVE-2023-28191 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2024-12-05 | N/A | 5.5 MEDIUM | This issue was addressed with improved redaction of sensitive information. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, macOS Big Sur 11.7.7, macOS Monterey 12.6.6, iOS 16.5 and iPadOS 16.5. An app may be able to bypass Privacy preferences. |
| CVE-2024-45495 | | | 2024-12-04 | N/A | 4.3 MEDIUM | MSA FieldServer Gateway 5.0.0 through 6.5.2 allows cross-origin WebSocket hijacking. |
| CVE-2023-32553 | 2 Microsoft, Trendmicro | 2 Windows, Apex One | 2024-12-04 | N/A | 5.3 MEDIUM | An improper access control vulnerability in Trend Micro Apex One and Apex One as a Service could allow an unauthenticated user under certain circumstances to disclose sensitive information on agents. This is similar to, but not identical to, CVE-2023-32552. |
| CVE-2023-32223 | 1 Dlink | 2 Dsl-224, Dsl-224 Firmware | 2024-11-27 | N/A | 8.8 HIGH | D-Link DSL-224 firmware version 3.0.10 allows post-authentication command execution via an unspecified method. |
| CVE-2021-47157 | | | 2024-11-25 | N/A | 9.8 CRITICAL | The Kossy module before 0.60 for Perl allows JSON hijacking because of X-Requested-With mishandling. |
| CVE-2022-21712 | 3 Debian, Fedoraproject, Twisted | 3 Debian Linux, Fedora, Twisted | 2024-11-25 | 5.0 MEDIUM | 7.5 HIGH | Twisted is an event-driven networking engine written in Python. In affected versions Twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds. |