Total
392 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-51542 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Authentication Bypass by Spoofing vulnerability in WPMU DEV Branda allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Branda: from n/a through 3.4.14. | |||||
| CVE-2023-51350 | 1 Ujcms | 1 Ujcms | 2024-11-21 | N/A | 9.8 CRITICAL |
| A spoofing attack in ujcms v.8.0.2 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted script to the X-Forwarded-For function in the header. | |||||
| CVE-2023-50463 | 1 Caddyserver | 1 Caddy | 2024-11-21 | N/A | 6.5 MEDIUM |
| The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions). | |||||
| CVE-2023-50224 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. . Was ZDI-CAN-19899. | |||||
| CVE-2023-4566 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | N/A | 7.5 HIGH |
| Vulnerability of trust relationships being inaccurate in distributed scenarios. Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2023-4178 | 1 Neutron | 1 Smart Vms | 2024-11-21 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Spoofing vulnerability in Neutron Neutron Smart VMS allows Authentication Bypass.This issue affects Neutron Smart VMS: before b1130.1.0.1. | |||||
| CVE-2023-4001 | 3 Fedoraproject, Gnu, Redhat | 3 Fedora, Grub2, Enterprise Linux | 2024-11-21 | N/A | 6.8 MEDIUM |
| An authentication bypass flaw was found in GRUB due to the way that GRUB uses the UUID of a device to search for the configuration file that contains the password hash for the GRUB password protection feature. An attacker capable of attaching an external drive such as a USB stick containing a file system with a duplicate UUID (the same as in the "/boot/" file system) can bypass the GRUB password protection feature on UEFI systems, which enumerate removable drives before non-removable ones. This issue was introduced in a downstream patch in Red Hat's version of grub2 and does not affect the upstream package. | |||||
| CVE-2023-49794 | 1 Kernelsu | 1 Kernelsu | 2024-11-21 | N/A | 6.7 MEDIUM |
| KernelSU is a Kernel-based root solution for Android devices. In versions 0.7.1 and prior, the logic of get apk path in KernelSU kernel module can be bypassed, which causes any malicious apk named `me.weishu.kernelsu` get root permission. If a KernelSU module installed device try to install any not checked apk which package name equal to the official KernelSU Manager, it can take over root privileges on the device. As of time of publication, a patched version is not available. | |||||
| CVE-2023-49741 | 2024-11-21 | N/A | 3.7 LOW | ||
| Authentication Bypass by Spoofing vulnerability in wpdevart Coming soon and Maintenance mode allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Coming soon and Maintenance mode: from n/a through 3.7.3. | |||||
| CVE-2023-48753 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Authentication Bypass by Spoofing vulnerability in 10up Restricted Site Access allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Restricted Site Access: from n/a through 7.4.1. | |||||
| CVE-2023-48396 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version 1.0.1, which fixes the issue. | |||||
| CVE-2023-48271 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Authentication Bypass by Spoofing vulnerability in yonifre Maspik – Spam blacklist allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Maspik – Spam blacklist: from n/a through 0.10.3. | |||||
| CVE-2023-47769 | 2024-11-21 | N/A | 3.7 LOW | ||
| Authentication Bypass by Spoofing vulnerability in WP Maintenance allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Maintenance: from n/a through 6.1.3. | |||||
| CVE-2023-44463 | 1 Rami | 1 Pretix | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application. | |||||
| CVE-2023-44447 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| TP-Link TL-WR902AC loginFs Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR902AC routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-21529. | |||||
| CVE-2023-44117 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | N/A | 7.5 HIGH |
| Vulnerability of trust relationships being inaccurate in distributed scenarios. Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2023-41329 | 1 Wiremock | 4 Python Wiremock, Studio, Wiremock and 1 more | 2024-11-21 | N/A | 3.9 LOW |
| WireMock is a tool for mocking HTTP services. The proxy mode of WireMock, can be protected by the network restrictions configuration, as documented in Preventing proxying to and recording from specific target addresses. These restrictions can be configured using the domain names, and in such a case the configuration is vulnerable to the DNS rebinding attacks. A similar patch was applied in WireMock 3.0.0-beta-15 for the WireMock Webhook Extensions. The root cause of the attack is a defect in the logic which allows for a race condition triggered by a DNS server whose address expires in between the initial validation and the outbound network request that might go to a domain that was supposed to be prohibited. Control over a DNS service is required to exploit this attack, so it has high execution complexity and limited impact. This issue has been addressed in version 2.35.1 of wiremock-jre8 and wiremock-jre8-standalone, version 3.0.3 of wiremock and wiremock-standalone, version 2.6.1 of the python version of wiremock, and versions 2.35.1-1 and 3.0.3-1 of the wiremock/wiremock Docker container. Users are advised to upgrade. Users unable to upgrade should either configure firewall rules to define the list of permitted destinations or to configure WireMock to use IP addresses instead of the domain names. | |||||
| CVE-2023-41134 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Authentication Bypass by Spoofing vulnerability in pluginkollektiv Antispam Bee allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Antispam Bee: from n/a through 2.11.3. | |||||
| CVE-2023-40702 | 2024-11-21 | N/A | N/A | ||
| PingOne MFA Integration Kit contains a vulnerability where the skipMFA action can be configured such that user authentication does not require the second factor authentication from the user's existing registered devices. A threat actor might be able to exploit this vulnerability to authenticate as a target user if they have existing knowledge of the target user’s first-factor credentials. | |||||
| CVE-2023-40356 | 2024-11-21 | N/A | N/A | ||
| PingOne MFA Integration Kit contains a vulnerability related to the Prompt Users to Set Up MFA configuration. Under certain conditions, this configuration could allow for a new MFA device to be paired with a target user account without requiring second-factor authentication from the target’s existing registered devices. A threat actor might be able to exploit this vulnerability to register their own MFA device with a target user’s account if they have existing knowledge of the target user’s first factor credential. | |||||