Total
3987 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-3337 | 1 Online Shopping System Advanced Project | 1 Online Shopping System Advanced | 2024-11-21 | 7.3 High |
| A vulnerability was found in PuneethReddyHC Online Shopping System Advanced 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/reg.php of the component Admin Registration. The manipulation leads to improper authentication. The attack can be launched remotely. The identifier VDB-232009 was assigned to this vulnerability. | ||||
| CVE-2023-3263 | 1 Dataprobe | 45 Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware, Iboot-pdu4-n20 and 42 more | 2024-11-21 | 7.5 High |
| The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass in the REST API due to the mishandling of special characters when parsing credentials.Successful exploitation allows the malicious agent to obtain a valid authorization token and read information relating to the state of the relays and power distribution. | ||||
| CVE-2023-3127 | 1 Johnsoncontrols | 8 Edge G2, Edge G2 Firmware, Istar Ultra and 5 more | 2024-11-21 | 7.5 High |
| An unauthenticated user could log into iSTAR Ultra, iSTAR Ultra LT, iSTAR Ultra G2, and iSTAR Edge G2 with administrator rights. | ||||
| CVE-2023-39981 | 1 Moxa | 1 Mxsecurity | 2024-11-21 | 7.5 High |
| A vulnerability that allows for unauthorized access has been discovered in MXsecurity versions prior to v1.0.1. This vulnerability arises from inadequate authentication measures, potentially leading to the disclosure of device information by a remote attacker. | ||||
| CVE-2023-39846 | 1 Pantsel | 1 Konga | 2024-11-21 | 9.8 Critical |
| An issue in Konga v0.14.9 allows attackers to bypass authentication via a crafted JWT token. | ||||
| CVE-2023-39531 | 1 Sentry | 1 Sentry | 2024-11-21 | 6.5 Medium |
| Sentry is an error tracking and performance monitoring platform. Starting in version 10.0.0 and prior to version 23.7.2, an attacker with sufficient client-side exploits could retrieve a valid access token for another user during the OAuth token exchange due to incorrect credential validation. The client ID must be known and the API application must have already been authorized on the targeted user account. Sentry SaaS customers do not need to take any action. Self-hosted installations should upgrade to version 23.7.2 or higher. There are no direct workarounds, but users should review applications authorized on their account and remove any that are no longer needed. | ||||
| CVE-2023-39415 | 1 Northgrid | 4 Proself, Proself Enterprise Standard Edition, Proself Gateway Edition and 1 more | 2024-11-21 | 7.5 High |
| Improper authentication vulnerability in Proself Enterprise/Standard Edition Ver5.61 and earlier, Proself Gateway Edition Ver1.62 and earlier, and Proself Mail Sanitize Edition Ver1.07 and earlier allow a remote unauthenticated attacker to log in to the product's Control Panel and perform an unintended operation. | ||||
| CVE-2023-39380 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 7.5 High |
| Permission control vulnerability in the audio module. Successful exploitation of this vulnerability may cause audio devices to perform abnormally. | ||||
| CVE-2023-39349 | 2 Getsentry, Sentry | 2 Sentry, Sentry | 2024-11-21 | 8.1 High |
| Sentry is an error tracking and performance monitoring platform. Starting in version 22.1.0 and prior to version 23.7.2, an attacker with access to a token with few or no scopes can query `/api/0/api-tokens/` for a list of all tokens created by a user, including tokens with greater scopes, and use those tokens in other requests. There is no evidence that the issue was exploited on `sentry.io`. For self-hosted users, it is advised to rotate user auth tokens. A fix is available in version 23.7.2 of `sentry` and `self-hosted`. There are no known workarounds. | ||||
| CVE-2023-39345 | 1 Strapi | 1 Strapi | 2024-11-21 | 7.6 High |
| strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fielded marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in version 4.13.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-39303 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2024-11-21 | 5.3 Medium |
| An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later | ||||
| CVE-2023-39215 | 1 Zoom | 3 Meeting Software Development Kit, Virtual Desktop Infrastructure, Zoom | 2024-11-21 | 7.1 High |
| Improper authentication in Zoom clients may allow an authenticated user to conduct a denial of service via network access. | ||||
| CVE-2023-39112 | 1 Shopex | 1 Ecshop | 2024-11-21 | 6.5 Medium |
| ECShop v4.1.16 contains an arbitrary file deletion vulnerability in the Admin Panel. | ||||
| CVE-2023-39069 | 1 Strangebee | 2 Cortex, Thehive | 2024-11-21 | 9.8 Critical |
| An issue in StrangeBee TheHive v.5.0.8, v.4.1.21 and Cortex v.3.1.6 allows a remote attacker to gain privileges via Active Directory authentication mechanism. | ||||
| CVE-2023-38735 | 1 Ibm | 1 Cognos Dashboards On Cloud Pak For Data | 2024-11-21 | 5.7 Medium |
| IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 262482. | ||||
| CVE-2023-38691 | 1 Matrix | 1 Matrix-appservice-bridge | 2024-11-21 | 5 Medium |
| matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library does not check that the servername part of the `sub` parameter (containing the user's *claimed* MXID) is the the same as the servername we are talking to. A malicious actor could spin up a server on any given domain, respond with a `sub` parameter according to the user they want to act as and use the resulting token to perform provisioning requests. Versions 8.1.2 and 9.0.1 contain a patch. As a workaround, disable the provisioning API. | ||||
| CVE-2023-38585 | 1 Cbc | 46 Dr-16f42a, Dr-16f42a Firmware, Dr-16f45at and 43 more | 2024-11-21 | 8.8 High |
| Improper authentication vulnerability in the CBC products allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter its settings. As for the affected products/versions, see the detailed information provided by the vendor. Note that NR4H, NR8H, NR16H series and DR-16F, DR-8F, DR-4F, DR-16H, DR-8H, DR-4H, DR-4M41 series are no longer supported, therefore updates for those products are not provided. | ||||
| CVE-2023-38555 | 1 Fujitsu | 32 Si-r220d, Si-r220d Firmware, Si-r370b and 29 more | 2024-11-21 | 8.8 High |
| Authentication bypass vulnerability in Fujitsu network devices Si-R series and SR-M series allows a network-adjacent unauthenticated attacker to obtain, change, and/or reset configuration settings of the affected products. Affected products and versions are as follows: Si-R 30B all versions, Si-R 130B all versions, Si-R 90brin all versions, Si-R570B all versions, Si-R370B all versions, Si-R220D all versions, Si-R G100 V02.54 and earlier, Si-R G200 V02.54 and earlier, Si-R G100B V04.12 and earlier, Si-R G110B V04.12 and earlier, Si-R G200B V04.12 and earlier, Si-R G210 V20.52 and earlier, Si-R G211 V20.52 and earlier, Si-R G120 V20.52 and earlier, Si-R G121 V20.52 and earlier, and SR-M 50AP1 all versions. | ||||
| CVE-2023-38534 | 2024-11-21 | 8.6 High | ||
| Improper authentication vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.0 and 12.5.1. The vulnerability could allow disclosure of restricted information in unauthenticated RPC. | ||||
| CVE-2023-37918 | 2 Dapr, Linuxfoundation | 2 Dapr, Dapr | 2024-11-21 | 6.8 Medium |
| Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10.9 or to 1.11.2. This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the `dapr-api-token` in the request is invalid or missing. The issue has been fixed in Dapr 1.10.9 or to 1.11.2. There are no known workarounds for this vulnerability. | ||||