Total
9890 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-50950 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2024-11-21 | 3.7 Low |
| IBM QRadar SIEM 7.5 could disclose sensitive email information in responses from offense rules. IBM X-Force ID: 275709. | ||||
| CVE-2023-50720 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 5.3 Medium |
| XWiki Platform is a generic wiki platform. Prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. To demonstrate the vulnerability, search for `objcontent:email*` using XWiki's regular search interface. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1 by not indexing email address properties when obfuscation is enabled. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-50719 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 7.5 High |
| XWiki Platform is a generic wiki platform. Starting in 7.2-milestone-2 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are public. This vulnerability also affects any configurations used by extensions that contain passwords like API keys that are viewable for the attacker. Normally, such passwords aren't accessible but this vulnerability would disclose them as plain text. This has been patched in XWiki 14.10.15, 15.5.2 and 15.7RC1. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-50715 | 1 Home-assistant | 1 Home-assistant | 2024-11-21 | 4.3 Medium |
| Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host local subnet or any other private subnet. The rationale behind this is to make the login more user-friendly and an experience better aligned with other applications that have multiple user-profiles. However, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it. | ||||
| CVE-2023-50705 | 1 Efacec | 2 Uc 500e, Uc 500e Firmware | 2024-11-21 | 5.3 Medium |
| An attacker could create malicious requests to obtain sensitive information about the web server. | ||||
| CVE-2023-50271 | 1 Hp | 2 Hp-ux, System Management Homepage | 2024-11-21 | 7.2 High |
| A potential security vulnerability has been identified with HP-UX System Management Homepage (SMH). This vulnerability could be exploited locally or remotely to disclose information. | ||||
| CVE-2023-50263 | 1 Networktocode | 1 Nautobot | 2024-11-21 | 3.7 Low |
| Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs `/files/get/?name=...` and `/files/download/?name=...` are used to provide admin access to files that have been uploaded as part of a run request for a Job that has FileVar inputs. Under normal operation these files are ephemeral and are deleted once the Job in question runs. In the default implementation used in Nautobot, as provided by `django-db-file-storage`, these URLs do not by default require any user authentication to access; they should instead be restricted to only users who have permissions to view Nautobot's `FileProxy` model instances. Note that no URL mechanism is provided for listing or traversal of the available file `name` values, so in practice an unauthenticated user would have to guess names to discover arbitrary files for download, but if a user knows the file name/path value, they can access it without authenticating, so we are considering this a vulnerability. Fixes are included in Nautobot 1.6.7 and Nautobot 2.0.6. No known workarounds are available other than applying the patches included in those versions. | ||||
| CVE-2023-4877 | 1 Hamza417 | 1 Inure | 2024-11-21 | 7.5 High |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository hamza417/inure prior to build92. | ||||
| CVE-2023-4876 | 1 Hamza417 | 1 Inure | 2024-11-21 | 7.5 High |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository hamza417/inure prior to build92. | ||||
| CVE-2023-4714 | 1 Playtube | 1 Playtube | 2024-11-21 | 4.3 Medium |
| A vulnerability was found in PlayTube 3.0.1 and classified as problematic. This issue affects some unknown processing of the component Redirect Handler. The manipulation leads to information disclosure. The attack may be initiated remotely. The identifier VDB-238577 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-4272 | 1 Arm | 4 Bifrost Gpu Kernel Driver, Mali Gpu Kernel Driver, Midgard Gpu Kernel Driver and 1 more | 2024-11-21 | 5.5 Medium |
| A local non-privileged user can make GPU processing operations that expose sensitive data from previously freed memory. | ||||
| CVE-2023-4230 | 1 Moxa | 3 Iologik 4000 Series, Iologik E4200, Iologik E4200 Firmware | 2024-11-21 | 5.3 Medium |
| A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, which has the potential to facilitate the collection of information on ioLogik 4000 Series devices. This vulnerability may enable attackers to gather information for the purpose of assessing vulnerabilities and potential attack vectors. | ||||
| CVE-2023-4177 | 1 Empowerid | 1 Empowerid | 2024-11-21 | 2.6 Low |
| A vulnerability was found in EmpowerID up to 7.205.0.0. It has been rated as problematic. This issue affects some unknown processing of the component Multi-Factor Authentication Code Handler. The manipulation leads to information disclosure. The complexity of an attack is rather high. The exploitation is known to be difficult. Upgrading to version 7.205.0.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-236213 was assigned to this vulnerability. | ||||
| CVE-2023-4168 | 1 Templatecookie | 1 Adlisting | 2024-11-21 | 4.3 Medium |
| A vulnerability was found in Templatecookie Adlisting 2.14.0. It has been classified as problematic. Affected is an unknown function of the file /ad-list of the component Redirect Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-236184. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-4164 | 1 Google | 2 Android, Pixel | 2024-11-21 | 8.4 High |
| There is a possible information disclosure due to a missing permission check. This could lead to local information disclosure of health data with no additional execution privileges needed. | ||||
| CVE-2023-49981 | 2024-11-21 | 7.5 High | ||
| A directory listing vulnerability in School Fees Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization. | ||||
| CVE-2023-49877 | 1 Ibm | 6 Virtualization Engine Ts7760 3957-vec, Virtualization Engine Ts7760 3957-vec Firmware, Virtualization Engine Ts7770 3948-ved and 3 more | 2024-11-21 | 4.3 Medium |
| IBM System Storage Virtualization Engine TS7700 3957-VEC, 3948-VED and 3957-VEC could allow a remote authenticated user to obtain sensitive information, caused by improper filtering of URLs. By submitting a specially crafted HTTP GET request, an attacker could exploit this vulnerability to view application source code, system configuration information, or other sensitive data related to the Management Interface. IBM X-Force ID: 272651. | ||||
| CVE-2023-49822 | 2024-11-21 | 3.7 Low | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in David Vongries Ultimate Dashboard allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Ultimate Dashboard: from n/a through 3.7.10. | ||||
| CVE-2023-49774 | 2024-11-21 | 5.3 Medium | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005. | ||||
| CVE-2023-49762 | 1 Appmysite | 1 Appmysite | 2024-11-21 | 5.3 Medium |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AppMySite AppMySite – Create an app with the Best Mobile App Builder.This issue affects AppMySite – Create an app with the Best Mobile App Builder: from n/a through 3.11.0. | ||||