Total
34395 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-3379 | 1 Wago | 14 Compact Controller 100, Compact Controller 100 Firmware, Edge Controller and 11 more | 2024-11-21 | 5.3 Medium |
| Wago web-based management of multiple products has a vulnerability which allows an local authenticated attacker to change the passwords of other non-admin users and thus to escalate non-root privileges. | ||||
| CVE-2023-3273 | 2 Sick, Sick Ag | 3 Icr890-4, Icr890-4 Firmware, Icr890-4 | 2024-11-21 | 7.5 High |
| Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP address based on missing access control. | ||||
| CVE-2023-3271 | 2 Sick, Sick Ag | 3 Icr890-4, Icr890-4 Firmware, Icr890-4 | 2024-11-21 | 8.2 High |
| Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to gather information about the system and download data via the REST API by accessing unauthenticated endpoints. | ||||
| CVE-2023-3252 | 1 Tenable | 1 Nessus | 2024-11-21 | 6.8 Medium |
| An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges could alter logging variables to overwrite arbitrary files on the remote host with log data, which could lead to a denial of service condition. | ||||
| CVE-2023-3243 | 1 Honeywell | 2 Alerton Bcm-web, Alerton Bcm-web Firmware | 2024-11-21 | 8.3 High |
| ** UNSUPPORTED WHEN ASSIGNED ** [An attacker can capture an authenticating hash and utilize it to create new sessions. The hash is also a poorly salted MD5 hash, which could result in a successful brute force password attack. Impacted product is BCM-WEB version 3.3.X. Recommended fix: Upgrade to a supported product such as Alerton ACM.] Out of an abundance of caution, this CVE ID is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. | ||||
| CVE-2023-3231 | 1 Ujcms | 1 Ujcms | 2024-11-21 | 3.1 Low |
| A vulnerability has been found in UJCMS up to 6.0.2 and classified as problematic. This vulnerability affects unknown code of the component ZIP Package Handler. The manipulation of the argument dir leads to information disclosure. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-231502 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-3223 | 1 Redhat | 21 Enterprise Linux, Integration, Jboss Data Grid and 18 more | 2024-11-21 | 7.5 High |
| A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null. | ||||
| CVE-2023-3132 | 1 Mainwp | 1 Mainwp Child | 2024-11-21 | 5.9 Medium |
| The MainWP Child plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.4.1.1 due to insufficient controls on the storage of back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including the entire installations database if a backup occurs and the deletion of the back-up files fail. | ||||
| CVE-2023-39973 | 1 Acymailing | 1 Acymailing | 2024-11-21 | 4.3 Medium |
| Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns. | ||||
| CVE-2023-39972 | 1 Acymailing | 1 Acymailing | 2024-11-21 | 4.3 Medium |
| Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows unauthorized users to create new mailing lists. | ||||
| CVE-2023-39963 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 8.1 High |
| Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. | ||||
| CVE-2023-39951 | 2 Linuxfoundation, Opentelemetry | 2 Opentelemetry Instrumentation For Java, Opentelemetry-java-instrumentation | 2024-11-21 | 6.5 Medium |
| OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. OpenTelemetry Java Instrumentation prior to version 1.28.0 contains an issue related to the instrumentation of Java applications using the AWS SDK v2 with Amazon Simple Email Service (SES) v1 API. When SES POST requests are instrumented, the query parameters of the request are inserted into the trace `url.path` field. This behavior leads to the http body, containing the email subject and message, to be present in the trace request url metadata. Any user using a version before 1.28.0 of OpenTelemetry Java Instrumentation to instrument AWS SDK v2 call to SES’s v1 SendEmail API is affected. The e-mail content sent to SES may end up in telemetry backend. This exposes the e-mail content to unintended audiences. The issue can be mitigated by updating OpenTelemetry Java Instrumentation to version 1.28.0 or later. | ||||
| CVE-2023-39941 | 1 Intel | 1 System Usage Report For Gameplay | 2024-11-21 | 7.1 High |
| Improper access control in some Intel(R) SUR software before version 2.4.10587 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | ||||
| CVE-2023-39915 | 1 Nlnetlabs | 1 Routinator | 2024-11-21 | 7.5 High |
| NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This is due to insufficient input checking in the bcder library covered by CVE-2023-39914. | ||||
| CVE-2023-39914 | 1 Nlnetlabs | 1 Bcder | 2024-11-21 | 7.5 High |
| NLnet Labs' bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding. | ||||
| CVE-2023-39748 | 2 Tp-link, Tp Link | 3 Tl-wr1041n V2, Tl-wr1041n V2 Firmware, Tl-wr1041n | 2024-11-21 | 7.5 High |
| An issue in the component /userRpm/NetworkCfgRpm of TP-Link TL-WR1041N V2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request. | ||||
| CVE-2023-39740 | 1 Linecorp | 1 Onigiriya-musubee | 2024-11-21 | 8.2 High |
| The leakage of the client secret in Onigiriya-musubee Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages. | ||||
| CVE-2023-39739 | 1 Linecorp | 1 Regina Sweets\&bakery | 2024-11-21 | 8.2 High |
| The leakage of the client secret in REGINA SWEETS&BAKERY Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages. | ||||
| CVE-2023-39737 | 1 Linecorp | 1 Matsuya | 2024-11-21 | 8.2 High |
| The leakage of the client secret in Matsuya Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages. | ||||
| CVE-2023-39736 | 1 Linecorp | 1 Fukunaga Memberscard | 2024-11-21 | 8.2 High |
| The leakage of the client secret in Fukunaga_memberscard Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages. | ||||