Total
29023 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6930 | 1 Eurotel | 2 Etl3100, Etl3100 Firmware | 2024-11-21 | N/A | 9.4 CRITICAL |
| EuroTel ETL3100 versions v01c01 and v01x37 suffer from an unauthenticated configuration and log download vulnerability. This enables the attacker to disclose sensitive information and assist in authentication bypass, privilege escalation, and full system access. | |||||
| CVE-2023-6840 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 6.7 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch that bypasses the security policy added to block MR. | |||||
| CVE-2023-6578 | 1 Softwareag | 1 Webmethods | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical has been found in Software AG WebMethods 10.11.x/10.15.x. Affected is an unknown function of the file wm.server/connect/. The manipulation leads to improper access controls. It is possible to launch the attack remotely. To access a file like /assets/ a popup may request username and password. By just clicking CANCEL you will be redirected to the directory. If you visited /invoke/wm.server/connect, you'll be able to see details like internal IPs, ports, and versions. In some cases if access to /assets/ is refused, you may enter /assets/x as a wrong value, then come back to /assets/ which we will show the requested data. It appears that insufficient access control is depending on referrer header data. VDB-247158 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-6566 | 1 Microweber | 1 Microweber | 2024-11-21 | N/A | 6.5 MEDIUM |
| Business Logic Errors in GitHub repository microweber/microweber prior to 2.0. | |||||
| CVE-2023-6564 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches. | |||||
| CVE-2023-6547 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 3.7 LOW |
| Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team. | |||||
| CVE-2023-6538 | 1 Hitachi | 2 System Management Unit, System Management Unit Firmware | 2024-11-21 | N/A | 7.6 HIGH |
| SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in Storage, Server or combined Server+Storage administrative roles are able to access SMU configuration backup, that would normally be barred to those specific administrative roles. | |||||
| CVE-2023-6467 | 1 Thecosy | 1 Icecms | 2024-11-21 | 2.1 LOW | 3.1 LOW |
| A vulnerability was found in Thecosy IceCMS 2.0.1. It has been rated as problematic. This issue affects some unknown processing of the file /Websquare/likeClickComment/ of the component Comment Like Handler. The manipulation leads to improper enforcement of a single, unique action. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-246617 was assigned to this vulnerability. | |||||
| CVE-2023-6447 | 1 Metagauss | 1 Eventprime | 2024-11-21 | N/A | 5.3 MEDIUM |
| The EventPrime WordPress plugin before 3.3.6 lacks authentication and authorization, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id/event name. | |||||
| CVE-2023-6189 | 1 M-files | 1 M-files Server | 2024-11-21 | N/A | 4.3 MEDIUM |
| Missing access permissions checks in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export jobs using the M-Files API methods. | |||||
| CVE-2023-6017 | 1 H2o | 1 H2o | 2024-11-21 | N/A | 7.1 HIGH |
| H2O included a reference to an S3 bucket that no longer existed allowing an attacker to take over the S3 bucket URL. | |||||
| CVE-2023-5916 | 1 Dashy | 1 Dashy | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. This affects an unknown part of the file /config-manager/save of the component Configuration Handler. The manipulation of the argument config leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-244305 was assigned to this vulnerability. | |||||
| CVE-2023-5875 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-21 | N/A | 3.7 LOW |
| Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server | |||||
| CVE-2023-5815 | 1 Infornweb | 1 News \& Blog Designer Pack | 2024-11-21 | N/A | 8.1 HIGH |
| The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdp_get_more_post function hooked via a nopriv AJAX. This is due to function utilizing an unsafe extract() method to extract values from the POST variable and passing that input to the include() function. This makes it possible for unauthenticated attackers to include arbitrary PHP files and achieve remote code execution. On vulnerable Docker configurations it may be possible for an attacker to create a PHP file and then subsequently include it to achieve RCE. | |||||
| CVE-2023-5765 | 2 Devolutions, Microsoft | 2 Remote Desktop Manager, Windows | 2024-11-21 | N/A | 9.8 CRITICAL |
| Improper access control in the password analyzer feature in Devolutions Remote Desktop Manager 2023.2.33 and earlier on Windows allows an attacker to bypass permissions via data source switching. | |||||
| CVE-2023-5764 | 2 Fedoraproject, Redhat | 7 Extra Packages For Enterprise Linux, Fedora, Ansible and 4 more | 2024-11-21 | N/A | 7.1 HIGH |
| A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data. | |||||
| CVE-2023-5719 | 1 Redlion | 3 Crimson, Da50a, Da70a | 2024-11-21 | N/A | 8.8 HIGH |
| The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered. If the simplified password is not detected by the administrator, the device might be left in a vulnerable state as a result of more-easily compromised credentials. Note that passwords entered via the Crimson system web server do not suffer from this vulnerability. | |||||
| CVE-2023-5583 | 1 Maca134 | 1 Wp Simple Galleries | 2024-11-21 | N/A | 8.8 HIGH |
| The WP Simple Galleries plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.34 via deserialization of untrusted input from the 'wpsimplegallery_gallery' post meta via 'wpsgallery' shortcode. This allows authenticated attackers, with contributor-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2023-5570 | 1 Inohom | 1 Home Manager Gateway | 2024-11-21 | N/A | 7.5 HIGH |
| Improper Protection for Outbound Error Messages and Alert Signals vulnerability in Inohom Home Manager Gateway allows Account Footprinting.This issue affects Home Manager Gateway: before v.1.27.12. | |||||
| CVE-2023-5563 | 1 Zephyrproject | 1 Zephyr | 2024-11-21 | N/A | 7.1 HIGH |
| The SJA1000 CAN controller driver backend automatically attempt to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception. | |||||