Total
3930 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-32682 | 1 Matrix | 1 Synapse | 2024-11-21 | N/A | 5.4 MEDIUM |
| Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the `jwt_config.enabled` configuration setting. 2. The local password database is enabled via the `password_config.enabled` and `password_config.localdb_enabled` configuration settings *and* a user's password is updated via an admin API after a user is deactivated. Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated. Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP) are not affected. If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This issue has been addressed in version 1.85.0. Users are advised to upgrade. | |||||
| CVE-2023-32661 | 1 Intel | 3 Nuc Kit Nuc7cjyh, Nuc Kit Nuc7pjyh, Realtek Sd Card Reader Driver | 2024-11-21 | N/A | 6.7 MEDIUM |
| Improper authentication in some Intel(R) NUC Kits NUC7PJYH and NUC7CJYH Realtek* SD Card Reader Driver installation software before version 10.0.19041.29098 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-32620 | 1 Wavlink | 2 Wl-wn531ax2, Wl-wn531ax2 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
| Improper authentication vulnerability in WL-WN531AX2 firmware versions prior to 2023526 allows a network-adjacent attacker to obtain a password for the wireless network. | |||||
| CVE-2023-32524 | 1 Trendmicro | 1 Mobile Security | 2024-11-21 | N/A | 8.8 HIGH |
| Affected versions of Trend Micro Mobile Security (Enterprise) 9.8 SP5 contain some widgets that would allow a remote user to bypass authentication and potentially chain with other vulnerabilities. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit these vulnerabilities. This is similar to, but not identical to CVE-2023-32523. | |||||
| CVE-2023-32523 | 1 Trendmicro | 1 Mobile Security | 2024-11-21 | N/A | 8.8 HIGH |
| Affected versions of Trend Micro Mobile Security (Enterprise) 9.8 SP5 contain some widgets that would allow a remote user to bypass authentication and potentially chain with other vulnerabilities. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit these vulnerabilities. This is similar to, but not identical to CVE-2023-32524. | |||||
| CVE-2023-32453 | 1 Dell | 222 Alienware M15 R7, Alienware M15 R7 Firmware, Alienware M16 and 219 more | 2024-11-21 | N/A | 4.6 MEDIUM |
| Dell BIOS contains an improper authentication vulnerability. A malicious user with physical access to the system may potentially exploit this vulnerability in order to modify a security-critical UEFI variable without knowledge of the BIOS administrator. | |||||
| CVE-2023-32347 | 1 Teltonika | 1 Remote Management System | 2024-11-21 | N/A | 8.1 HIGH |
| Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication. If an attacker obtained the serial number and MAC address of a device, they could authenticate as that device and steal communication credentials of the device. This could allow an attacker to enable arbitrary command execution as root by utilizing management options within the newly registered devices. | |||||
| CVE-2023-32243 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2024-11-21 | N/A | 9.8 CRITICAL |
| Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1. | |||||
| CVE-2023-32222 | 1 Dlink | 2 Dsl-g256dg, Dsl-g256dg Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| D-Link DSL-G256DG version vBZ_1.00.27 web management interface allows authentication bypass via an unspecified method. | |||||
| CVE-2023-32202 | 1 Walchem | 2 Intuition 9, Intuition 9 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
| Walchem Intuition 9 firmware versions prior to v4.21 are vulnerable to improper authentication. Login credentials are stored in a format that could allow an attacker to use them as-is to login and gain access to the device. | |||||
| CVE-2023-32090 | 1 Pega | 1 Pega Platform | 2024-11-21 | N/A | 9.8 CRITICAL |
| Pega platform clients who are using versions 6.1 through 7.3.1 may be utilizing default credentials | |||||
| CVE-2023-32081 | 1 Eclipse | 1 Vert.x Stomp | 2024-11-21 | N/A | 6.5 MEDIUM |
| Vert.x STOMP is a vert.x implementation of the STOMP specification that provides a STOMP server and client. From versions 3.1.0 until 3.9.16 and 4.0.0 until 4.4.2, a Vert.x STOMP server processes client STOMP frames without checking that the client send an initial CONNECT frame replied with a successful CONNECTED frame. The client can subscribe to a destination or publish message without prior authentication. Any Vert.x STOMP server configured with an authentication handler is impacted. The issue is patched in Vert.x 3.9.16 and 4.4.2. There are no trivial workarounds. | |||||
| CVE-2023-31242 | 1 Openautomationsoftware | 1 Oas Platform | 2024-11-21 | N/A | 8.1 HIGH |
| An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially-crafted series of network requests can lead to arbitrary authentication. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2023-31224 | 1 Jamf | 1 Jamf | 2024-11-21 | N/A | 9.8 CRITICAL |
| There is broken access control during authentication in Jamf Pro Server before 10.46.1. | |||||
| CVE-2023-31190 | 1 Bluemark | 2 Dronescout Ds230, Dronescout Ds230 Firmware | 2024-11-21 | N/A | 8.1 HIGH |
| DroneScout ds230 Remote ID receiver from BlueMark Innovations is affected by an Improper Authentication vulnerability during the firmware update procedure. Specifically, the firmware update procedure ignores and does not check the validity of the TLS certificate of the HTTPS endpoint from which the firmware update package (.tar.bz2 file) is downloaded. An attacker with the ability to put himself in a Man-in-the-Middle situation (e.g., DNS poisoning, ARP poisoning, control of a node on the route to the endpoint, etc.) can trick the DroneScout ds230 to install a crafted malicious firmware update containing arbitrary files (e.g., executable and configuration) and gain administrative (root) privileges on the underlying Linux operating system. This issue affects DroneScout ds230 firmware from version 20211210-1627 through 20230329-1042. | |||||
| CVE-2023-31189 | 2024-11-21 | N/A | 5.2 MEDIUM | ||
| Improper authentication in some Intel(R) Server Product OpenBMC firmware before version egs-1.09 may allow an authenticated user to enable escalation of privilege via local access. | |||||
| CVE-2023-31152 | 1 Selinc | 20 Sel-2241 Rtac Module, Sel-2241 Rtac Module Firmware, Sel-3350 and 17 more | 2024-11-21 | N/A | 4.0 MEDIUM |
| An Authentication Bypass Using an Alternate Path or Channel vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface allows Authentication Bypass. See SEL Service Bulletin dated 2022-11-15 for more details. | |||||
| CVE-2023-31127 | 1 Dmtf | 1 Libspdm | 2024-11-21 | N/A | 9.0 CRITICAL |
| libspdm is a sample implementation that follows the DMTF SPDM specifications. A vulnerability has been identified in SPDM session establishment in libspdm prior to version 2.3.1. If a device supports both DHE session and PSK session with mutual authentication, the attacker may be able to establish the session with `KEY_EXCHANGE` and `PSK_FINISH` to bypass the mutual authentication. This is most likely to happen when the Requester begins a session using one method (DHE, for example) and then uses the other method's finish (PSK_FINISH in this example) to establish the session. The session hashes would be expected to fail in this case, but the condition was not detected. This issue only impacts the SPDM responder, which supports `KEY_EX_CAP=1 and `PSK_CAP=10b` at same time with mutual authentication requirement. The SPDM requester is not impacted. The SPDM responder is not impacted if `KEY_EX_CAP=0` or `PSK_CAP=0` or `PSK_CAP=01b`. The SPDM responder is not impacted if mutual authentication is not required. libspdm 1.0, 2.0, 2.1, 2.2, 2.3 are all impacted. Older branches are not maintained, but users of the 2.3 branch may receive a patch in version 2.3.2. The SPDM specification (DSP0274) does not contain this vulnerability. | |||||
| CVE-2023-31123 | 1 Effectindex | 1 Tripreporter | 2024-11-21 | N/A | 9.1 CRITICAL |
| `effectindex/tripreporter` is a community-powered, universal platform for submitting and analyzing trip reports. Prior to commit bd80ba833b9023d39ca22e29874296c8729dd53b, any user with an account on an instance of `effectindex/tripreporter`, e.g. `subjective.report`, may be affected by an improper password verification vulnerability. The vulnerability allows any user with a password matching the password requirements to log in as any user. This allows access to accounts / data loss of the user. This issue is patched in commit bd80ba833b9023d39ca22e29874296c8729dd53b. No action necessary for users of `subjective.report`, and anyone running their own instance should update to this commit or newer as soon as possible. As a workaround, someone running their own instance may apply the patch manually. | |||||
| CVE-2023-31015 | 1 Nvidia | 2 Dgx H100, Dgx H100 Firmware | 2024-11-21 | N/A | 6.6 MEDIUM |
| NVIDIA DGX H100 BMC contains a vulnerability in the REST service where a host user may cause as improper authentication issue. A successful exploit of this vulnerability may lead to escalation of privileges, information disclosure, code execution, and denial of service. | |||||