Total
8067 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-24838 | 1 Hgiga | 2 Powerstation, Powerstation Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| HGiga PowerStation has a vulnerability of Information Leakage. An unauthenticated remote attacker can exploit this vulnerability to obtain the administrator's credential. This credential can then be used to login PowerStation or Secure Shell to achieve remote code execution. | |||||
| CVE-2023-24069 | 4 Apple, Linux, Microsoft and 1 more | 4 Macos, Linux Kernel, Windows and 1 more | 2024-11-21 | N/A | 3.3 LOW |
| Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file deletion, an attacker can still recover the file if it was previously replied to in a conversation. (Local filesystem access is needed by the attacker.) NOTE: the vendor disputes the relevance of this finding because the product is not intended to protect against adversaries with this degree of local access. | |||||
| CVE-2023-23629 | 1 Metabase | 1 Metabase | 2024-11-21 | N/A | 6.3 MEDIUM |
| Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions, as a workaround. | |||||
| CVE-2023-23628 | 1 Metabase | 1 Metabase | 2024-11-21 | N/A | 5.7 MEDIUM |
| Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds. | |||||
| CVE-2023-23624 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A | 4.3 MEDIUM |
| Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches, someone can use the `exclude_tag param` to filter out topics and deduce which ones were using a specific hidden tag. This affects any Discourse site using hidden tags in public categories. This issue is patched in version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches. As a workaround, secure any categories that are using hidden tags, change any existing hidden tags to not include private data, or remove any hidden tags currently in use. | |||||
| CVE-2023-23620 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A | 5.3 MEDIUM |
| Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, the contents of latest/top routes for restricted tags can be accessed by unauthorized users. This issue is patched in version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches. There are no known workarounds. | |||||
| CVE-2023-23613 | 1 Amazon | 1 Opensearch | 2024-11-21 | N/A | 5.7 MEDIUM |
| OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue. | |||||
| CVE-2023-22875 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-11-21 | N/A | 8.4 HIGH |
| IBM QRadar SIEM 7.4 and 7.5copies certificate key files used for SSL/TLS in the QRadar web user interface to managed hosts in the deployment that do not require that key. IBM X-Force ID: 244356. | |||||
| CVE-2023-22586 | 1 Danfoss | 2 Ak-em100, Ak-em100 Firmware | 2024-11-21 | N/A | 7.7 HIGH |
| The Danfoss AK-EM100 web applications allow for Local File Inclusion in the file parameter. | |||||
| CVE-2023-22580 | 1 Sequelizejs | 1 Sequelize | 2024-11-21 | N/A | 5.3 MEDIUM |
| Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure. | |||||
| CVE-2023-22503 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2024-11-21 | N/A | 5.3 MEDIUM |
| Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature. This vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team. The affected versions are before version 7.13.15, from version 7.14.0 before 7.19.7, and from version 7.20.0 before 8.2.0. | |||||
| CVE-2023-22453 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A | 5.3 MEDIUM |
| Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, the number of times a user posted in an arbitrary topic is exposed to unauthorized users through the `/u/username.json` endpoint. The issue is patched in version 2.8.14 and 3.0.0.beta16. There is no known workaround. | |||||
| CVE-2023-22086 | 1 Oracle | 1 Weblogic Server | 2024-11-21 | N/A | 7.5 HIGH |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2023-22019 | 1 Oracle | 1 Http Server | 2024-11-21 | N/A | 7.5 HIGH |
| Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2023-21267 | 1 Google | 1 Android | 2024-11-21 | N/A | 5.5 MEDIUM |
| In multiple functions of KeyguardViewMediator.java, there is a possible way to bypass lockdown mode with screen pinning due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-1263 | 1 Niteothemes | 1 Coming Soon \& Maintenance | 2024-11-21 | N/A | 5.3 MEDIUM |
| The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 4.1.6 via the cmp_get_post_detail function. This can allow unauthenticated individuals to obtain the contents of any non-password-protected, published post or page even when maintenance mode is enabled. | |||||
| CVE-2023-0994 | 1 Rosariosis | 1 Rosariosis | 2024-11-21 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository francoisjacquet/rosariosis prior to 10.8.2. | |||||
| CVE-2023-0321 | 1 Campbellsci | 10 Cr1000, Cr1000 Firmware, Cr300 and 7 more | 2024-11-21 | N/A | 9.1 CRITICAL |
| Campbell Scientific dataloggers CR6, CR300, CR800, CR1000 and CR3000 may allow an attacker to download configuration files, which may contain sensitive information about the internal network. From factory defaults, the mentioned datalogges have HTTP and PakBus enabled. The devices, with the default configuration, allow this situation via the PakBus port. The exploitation of this vulnerability may allow an attacker to download, modify, and upload new configuration files. | |||||
| CVE-2023-0113 | 1 Netis-systems | 2 Netcore Router, Netcore Router Firmware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in Netis Netcore Router up to 2.2.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file param.file.tgz of the component Backup Handler. The manipulation leads to information disclosure. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-217591. | |||||
| CVE-2023-0027 | 1 Rockwellautomation | 1 Modbus Tcp Server Add On Instructions | 2024-11-21 | N/A | 5.3 MEDIUM |
| Rockwell Automation Modbus TCP Server AOI prior to 2.04.00 is vulnerable to an unauthorized user sending a malformed message that could cause the controller to respond with a copy of the most recent response to the last valid request. If exploited, an unauthorized user could read the connected device’s Modbus TCP Server AOI information. | |||||