Total
29483 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6538 | 1 Hitachi | 2 System Management Unit, System Management Unit Firmware | 2024-11-21 | N/A | 7.6 HIGH |
| SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in Storage, Server or combined Server+Storage administrative roles are able to access SMU configuration backup, that would normally be barred to those specific administrative roles. | |||||
| CVE-2023-6467 | 1 Thecosy | 1 Icecms | 2024-11-21 | 2.1 LOW | 3.1 LOW |
| A vulnerability was found in Thecosy IceCMS 2.0.1. It has been rated as problematic. This issue affects some unknown processing of the file /Websquare/likeClickComment/ of the component Comment Like Handler. The manipulation leads to improper enforcement of a single, unique action. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-246617 was assigned to this vulnerability. | |||||
| CVE-2023-6447 | 1 Metagauss | 1 Eventprime | 2024-11-21 | N/A | 5.3 MEDIUM |
| The EventPrime WordPress plugin before 3.3.6 lacks authentication and authorization, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id/event name. | |||||
| CVE-2023-6189 | 1 M-files | 1 M-files Server | 2024-11-21 | N/A | 4.3 MEDIUM |
| Missing access permissions checks in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export jobs using the M-Files API methods. | |||||
| CVE-2023-6017 | 1 H2o | 1 H2o | 2024-11-21 | N/A | 7.1 HIGH |
| H2O included a reference to an S3 bucket that no longer existed allowing an attacker to take over the S3 bucket URL. | |||||
| CVE-2023-5916 | 1 Dashy | 1 Dashy | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. This affects an unknown part of the file /config-manager/save of the component Configuration Handler. The manipulation of the argument config leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-244305 was assigned to this vulnerability. | |||||
| CVE-2023-5875 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-21 | N/A | 3.7 LOW |
| Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server | |||||
| CVE-2023-5815 | 1 Infornweb | 1 News \& Blog Designer Pack | 2024-11-21 | N/A | 8.1 HIGH |
| The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdp_get_more_post function hooked via a nopriv AJAX. This is due to function utilizing an unsafe extract() method to extract values from the POST variable and passing that input to the include() function. This makes it possible for unauthenticated attackers to include arbitrary PHP files and achieve remote code execution. On vulnerable Docker configurations it may be possible for an attacker to create a PHP file and then subsequently include it to achieve RCE. | |||||
| CVE-2023-5765 | 2 Devolutions, Microsoft | 2 Remote Desktop Manager, Windows | 2024-11-21 | N/A | 9.8 CRITICAL |
| Improper access control in the password analyzer feature in Devolutions Remote Desktop Manager 2023.2.33 and earlier on Windows allows an attacker to bypass permissions via data source switching. | |||||
| CVE-2023-5764 | 2 Fedoraproject, Redhat | 7 Extra Packages For Enterprise Linux, Fedora, Ansible and 4 more | 2024-11-21 | N/A | 7.1 HIGH |
| A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data. | |||||
| CVE-2023-5719 | 1 Redlion | 3 Crimson, Da50a, Da70a | 2024-11-21 | N/A | 8.8 HIGH |
| The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered. If the simplified password is not detected by the administrator, the device might be left in a vulnerable state as a result of more-easily compromised credentials. Note that passwords entered via the Crimson system web server do not suffer from this vulnerability. | |||||
| CVE-2023-5583 | 1 Maca134 | 1 Wp Simple Galleries | 2024-11-21 | N/A | 8.8 HIGH |
| The WP Simple Galleries plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.34 via deserialization of untrusted input from the 'wpsimplegallery_gallery' post meta via 'wpsgallery' shortcode. This allows authenticated attackers, with contributor-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2023-5570 | 1 Inohom | 1 Home Manager Gateway | 2024-11-21 | N/A | 7.5 HIGH |
| Improper Protection for Outbound Error Messages and Alert Signals vulnerability in Inohom Home Manager Gateway allows Account Footprinting.This issue affects Home Manager Gateway: before v.1.27.12. | |||||
| CVE-2023-5563 | 1 Zephyrproject | 1 Zephyr | 2024-11-21 | N/A | 7.1 HIGH |
| The SJA1000 CAN controller driver backend automatically attempt to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception. | |||||
| CVE-2023-5550 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2024-11-21 | N/A | 6.5 MEDIUM |
| In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. | |||||
| CVE-2023-5448 | 1 Aviplugins | 1 Wp Register Profile With Shortcode | 2024-11-21 | N/A | 8.8 HIGH |
| The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.9. This is due to missing or incorrect nonce validation on the update_password_validate function. This makes it possible for unauthenticated attackers to reset a user's password via a forged request granted they can trick the user into performing an action such as clicking on a link. | |||||
| CVE-2023-5389 | 1 Honeywell | 4 Controledge Unit Operations Controller, Controledge Unit Operations Controller Firmware, Controledge Virtual Unit Operations Controller and 1 more | 2024-11-21 | N/A | 9.1 CRITICAL |
| An attacker could potentially exploit this vulnerability, leading to the ability to modify files on Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC . This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning. | |||||
| CVE-2023-5358 | 1 Devolutions | 1 Devolutions Server | 2024-11-21 | N/A | 5.3 MEDIUM |
| Improper access control in Report log filters feature in Devolutions Server 2023.2.10.0 and earlier allows attackers to retrieve logs from vaults or entries they are not allowed to access via the report request url query parameters. | |||||
| CVE-2023-5299 | 1 Fujielectric | 1 Tellus Lite V-simulator | 2024-11-21 | N/A | 7.3 HIGH |
| A user with a standard account in Fuji Electric Tellus Lite may overwrite files in the system. | |||||
| CVE-2023-5240 | 1 Devolutions | 1 Devolutions Server | 2024-11-21 | N/A | 7.5 HIGH |
| Improper access control in PAM propagation scripts in Devolutions Server 2023.2.8.0 and ealier allows an attack with permission to manage PAM propagation scripts to retrieve passwords stored in it via a GET request. | |||||