Total
4062 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-2626 | 1 Google | 10 Nest Hub, Nest Hub Firmware, Nest Hub Max and 7 more | 2024-11-21 | 7.5 High |
| There exists an authentication bypass vulnerability in OpenThread border router devices and implementations. This issue allows unauthenticated nodes to craft radio frames using “Key ID Mode 2”: a special mode using a static encryption key to bypass security checks, resulting in arbitrary IP packets being allowed on the Thread network. This provides a pathway for an attacker to send/receive arbitrary IPv6 packets to devices on the LAN, potentially exploiting them if they lack additional authentication or contain any network vulnerabilities that would normally be mitigated by the home router’s NAT firewall. Effected devices have been mitigated through an automatic update beyond the affected range. | ||||
| CVE-2023-29975 | 1 Pfsense | 1 Pfsense | 2024-11-21 | 7.2 High |
| An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without verification. | ||||
| CVE-2023-29062 | 2 Bd, Hp | 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 | 2024-11-21 | 3.8 Low |
| The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, MBT-NS, or MDNS and will result in NTLMv2 hashes being sent to a malicious entity position on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain joined systems. | ||||
| CVE-2023-29032 | 1 Apache | 1 Openmeetings | 2024-11-21 | 8.1 High |
| An attacker that has gained access to certain private information can use this to act as other user. Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0 | ||||
| CVE-2023-28377 | 1 Intel | 3 Nuc 11 Enthusiast Kit Nuc11phki7c, Nuc 11 Enthusiast Mini Pc Nuc11phki7caa, Usb Firmware | 2024-11-21 | 6.7 Medium |
| Improper authentication in some Intel(R) NUC Kit NUC11PH USB firmware installation software before version 1.1 for Windows may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2023-28121 | 1 Automattic | 2 Woocommerce Payments, Woopayments | 2024-11-21 | 9.8 Critical |
| An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated. | ||||
| CVE-2023-27877 | 1 Ibm | 1 Cloud Pak For Data | 2024-11-21 | 5.3 Medium |
| IBM Planning Analytics Cartridge for Cloud Pak for Data 4.0 connects to a CouchDB server. An attacker can exploit an insecure password policy to the CouchDB server and collect sensitive information from the database. IBM X-Force ID: 247905. | ||||
| CVE-2023-27377 | 1 Idattend | 1 Idweb | 2024-11-21 | 7.5 High |
| Missing authentication in the StudentPopupDetails_EmergencyContactDetails method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction of sensitive student data by unauthenticated attackers. | ||||
| CVE-2023-26455 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 5.6 Medium |
| RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. RMI access is restricted to localhost by default. The interface has been updated to require authenticated requests. No publicly available exploits are known. | ||||
| CVE-2023-26150 | 1 Freeopcua | 1 Opcua-asyncio | 2024-11-21 | 6.5 Medium |
| Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. **Note:** This issue is a result of missing checks for services that require an active session. | ||||
| CVE-2023-24831 | 1 Apache | 1 Iotdb | 2024-11-21 | 9.8 Critical |
| Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization. This is fixed in 0.13.4. | ||||
| CVE-2023-24479 | 1 Yifanwireless | 2 Yf325, Yf325 Firmware | 2024-11-21 | 9.8 Critical |
| An authentication bypass vulnerability exists in the httpd nvram.cgi functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability. | ||||
| CVE-2023-22663 | 4 Apple, Google, Intel and 1 more | 4 Iphone Os, Android, Unison Software and 1 more | 2024-11-21 | 5.9 Medium |
| Improper authentication for some Intel Unison software may allow an authenticated user to potentially enable escalation of privilege via network access. | ||||
| CVE-2023-22501 | 1 Atlassian | 1 Jira Service Management | 2024-11-21 | 9.1 Critical |
| An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances_._ With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases: * If the attacker is included on Jira issues or requests with these users, or * If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users. Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account. | ||||
| CVE-2023-21841 | 1 Oracle | 1 Weblogic Server | 2024-11-21 | 7.5 High |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | ||||
| CVE-2023-21626 | 1 Qualcomm | 371 Apq8009, Apq8009 Firmware, Apq8017 and 368 more | 2024-11-21 | 7.1 High |
| Cryptographic issue in HLOS due to improper authentication while performing key velocity checks using more than one key. | ||||
| CVE-2023-21307 | 1 Google | 1 Android | 2024-11-21 | 5.0 Medium |
| In Bluetooth, there is a possible way for a paired Bluetooth device to access a long term identifier for an Android device due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2023-21297 | 1 Google | 1 Android | 2024-11-21 | 4.4 Medium |
| In SEPolicy, there is a possible way to access the factory MAC address due to a permissions bypass. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2023-20214 | 1 Cisco | 2 Catalyst Sd-wan Manager, Sd-wan Vmanage | 2024-11-21 | 9.1 Critical |
| A vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. This vulnerability is due to insufficient request validation when using the REST API feature. An attacker could exploit this vulnerability by sending a crafted API request to an affected vManage instance. A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance. This vulnerability only affects the REST API and does not affect the web-based management interface or the CLI. | ||||
| CVE-2023-20199 | 1 Cisco | 1 Duo | 2024-11-21 | 6.2 Medium |
| A vulnerability in Cisco Duo Two-Factor Authentication for macOS could allow an authenticated, physical attacker to bypass secondary authentication and access an affected macOS device. This vulnerability is due to the incorrect handling of responses from Cisco Duo when the application is configured to fail open. An attacker with primary user credentials could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the affected device without valid permission. | ||||