Total
34395 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-40359 | 1 Invisible-island | 1 Xterm | 2024-11-21 | 9.8 Critical |
| xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue. This can only occur for xterm installations that are configured at compile time to use a certain experimental feature. | ||||
| CVE-2023-40348 | 1 Jenkins | 1 Gogs | 2024-11-21 | 5.3 Medium |
| The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output. | ||||
| CVE-2023-40340 | 1 Jenkins | 1 Nodejs | 2024-11-21 | 7.5 High |
| Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. | ||||
| CVE-2023-40339 | 3 Jenkins, Jenkins Project, Redhat | 3 Config File Provider, Jenkins Config File Provider Plugin, Ocp Tools | 2024-11-21 | 7.5 High |
| Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log. | ||||
| CVE-2023-40315 | 1 Opennms | 2 Horizon, Meridian | 2024-11-21 | 5.3 Medium |
| In OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 and related Meridian versions, any user that has the ROLE_FILESYSTEM_EDITOR can easily escalate their privileges to ROLE_ADMIN or any other role. The solution is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue. | ||||
| CVE-2023-40313 | 1 Opennms | 2 Horizon, Meridian | 2024-11-21 | 7.1 High |
| A BeanShell interpreter in remote server mode runs in OpenNMS Horizon versions earlier than 32.0.2 and in related Meridian versions which could allow arbitrary remote Java code execution. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | ||||
| CVE-2023-40299 | 3 Apple, Kong Insomnia, Konghq | 3 Macos, Macos, Insomnia | 2024-11-21 | 7.8 High |
| Kong Insomnia 2023.4.0 on macOS allows attackers to execute code and access restricted files, or make requests for TCC permissions, by using the DYLD_INSERT_LIBRARIES environment variable. | ||||
| CVE-2023-40292 | 1 Samsung | 1 Harman Infotainment | 2024-11-21 | 4.3 Medium |
| Harman Infotainment 20190525031613 and later discloses the IP address via CarPlay CTRL packets. | ||||
| CVE-2023-40291 | 1 Samsung | 1 Harman Infotainment | 2024-11-21 | 6.8 Medium |
| Harman Infotainment 20190525031613 allows root access via SSH over a USB-to-Ethernet dongle with a password that is an internal project name. | ||||
| CVE-2023-40235 | 1 Opengroup | 1 Archi | 2024-11-21 | 6.5 Medium |
| An NTLM Hash Disclosure was discovered in ArchiMate Archi before 5.1.0. When parsing the XMLNS value of an ArchiMate project file, if the namespace does not match the expected ArchiMate URL, the parser will access the provided resource. If the provided resource is a UNC path pointing to a share server that does not accept a guest account, the host will try to authenticate on the share by using the current user's session. NOTE: this issue occurs because Archi uses an unsafe configuration of the Eclipse Modeling Framework. | ||||
| CVE-2023-40220 | 1 Intel | 4 Nuc6cayh, Nuc6cayh Firmware, Nuc6cays and 1 more | 2024-11-21 | 5.3 Medium |
| Improper buffer restrictions in some Intel(R) NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access. | ||||
| CVE-2023-40211 | 1 Pickplugins | 1 Post Grid Combo | 2024-11-21 | 7.5 High |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PickPlugins Post Grid Combo – 36+ Gutenberg Blocks. This issue affects Post Grid Combo – 36+ Gutenberg Blocks: from n/a through 2.2.50. | ||||
| CVE-2023-40165 | 1 Rubygems | 1 Rubygems.org | 2024-11-21 | 7.4 High |
| rubygems.org is the Ruby community's primary gem (library) hosting service. Insufficient input validation allowed malicious actors to replace any uploaded gem version that had a platform, version number, or gem name matching `/-\d/`, permanently replacing the legitimate upload in the canonical gem storage bucket, and triggering an immediate CDN purge so that the malicious gem would be served immediately. The maintainers have checked all gems matching the `/-\d/` pattern and can confirm that no unexpected `.gem`s were found. As a result, we believe this vulnerability was _not_ exploited. The easiest way to ensure that a user's applications were not exploited by this vulnerability is to check that all of your downloaded .gems have a checksum that matches the checksum recorded in the RubyGems.org database. RubyGems contributor Maciej Mensfeld wrote a tool to automatically check that all downloaded .gem files match the checksums recorded in the RubyGems.org database. You can use it by running: `bundle add bundler-integrity` followed by `bundle exec bundler-integrity`. Neither this tool nor anything else can prove you were not exploited, but it can assist your investigation by quickly comparing RubyGems API-provided checksums with the checksums of files on your disk. The issue has been patched with improved input validation and the changes are live. No action is required on the part of the user. Users are advised to validate their local gems. | ||||
| CVE-2023-40161 | 1 Intel | 1 Unite | 2024-11-21 | 6.6 Medium |
| Improper access control in some Intel Unite(R) Client software before version 4.2.35041 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2023-40154 | 1 Intel | 1 System Usage Report | 2024-11-21 | 6.7 Medium |
| Incorrect default permissions in the Intel(R) SUR for Gameplay Software before version 2.0.1901 may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2023-40142 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In TBD of TBD, there is a possible way to bypass carrier restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2023-40098 | 1 Google | 1 Android | 2024-11-21 | 5.5 Medium |
| In mOnDone of NotificationConversationInfo.java, there is a possible way to access app notification data of another user due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2023-40096 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In OpRecordAudioMonitor::onFirstRef of AudioRecordClient.cpp, there is a possible way to record audio from the background due to a missing flag. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2023-40079 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In injectSendIntentSender of ShortcutService.java, there is a possible background activity launch due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2023-40075 | 1 Google | 1 Android | 2024-11-21 | 5.5 Medium |
| In forceReplaceShortcutInner of ShortcutPackage.java, there is a possible way to register unlimited packages due to a missing bounds check. This could lead to local denial of service which results in a boot loop with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||