Total
1547 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-41255 | 1 Boschrexroth | 6 Ctrlx Hmi Web Panel Wr2107, Ctrlx Hmi Web Panel Wr2107 Firmware, Ctrlx Hmi Web Panel Wr2110 and 3 more | 2024-11-21 | N/A | 8.8 HIGH |
| The vulnerability allows an unprivileged user with access to the subnet of the TPC-110W device to gain a root shell on the device itself abusing the lack of authentication of the ‘su’ binary file installed on the device that can be accessed through the ADB (Android Debug Bridge) protocol exposed on the network. | |||||
| CVE-2023-40598 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-11-21 | N/A | 8.5 HIGH |
| In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance. | |||||
| CVE-2023-40585 | 1 Metal3 | 1 Ironic-image | 2024-11-21 | N/A | 7.3 HIGH |
| ironic-image is a container image to run OpenStack Ironic as part of Metal³. Prior to version capm3-v1.4.3, if Ironic is not deployed with TLS and it does not have API and Conductor split into separate services, access to the API is not protected by any authentication. Ironic API is also listening in host network. In case the node is not behind a firewall, the API could be accessed by anyone via network without authentication. By default, Ironic API in Metal3 is protected by TLS and basic authentication, so this vulnerability requires operator to configure API without TLS for it to be vulnerable. TLS and authentication however should not be coupled as they are in versions prior to capm3-v1.4.3. A patch exists in versions capm3-v1.4.3 and newer. Some workarounds are available. Either configure TLS for Ironic API (`deploy.sh -t ...`, `IRONIC_TLS_SETUP=true`) or split Ironic API and Conductor via configuration change (old implementation, not recommended). With both workarounds, services are configured with httpd front-end, which has proper authentication configuration in place. | |||||
| CVE-2023-40545 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | N/A | 8.8 HIGH |
| Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests. | |||||
| CVE-2023-40401 | 1 Apple | 1 Macos | 2024-11-21 | N/A | 7.5 HIGH |
| The issue was addressed with additional permissions checks. This issue is fixed in macOS Ventura 13.6.1. An attacker may be able to access passkeys without authentication. | |||||
| CVE-2023-40170 | 1 Jupyter | 1 Jupyter Server | 2024-11-21 | N/A | 4.6 MEDIUM |
| jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks. | |||||
| CVE-2023-3104 | 1 Unitree | 2 A1, A1 Firmware | 2024-11-21 | N/A | 5.7 MEDIUM |
| Lack of authentication vulnerability. An unauthenticated local user is able to see through the cameras using the web server due to the lack of any form of authentication. | |||||
| CVE-2023-39981 | 1 Moxa | 1 Mxsecurity | 2024-11-21 | N/A | 7.5 HIGH |
| A vulnerability that allows for unauthorized access has been discovered in MXsecurity versions prior to v1.0.1. This vulnerability arises from inadequate authentication measures, potentially leading to the disclosure of device information by a remote attacker. | |||||
| CVE-2023-39930 | 1 Pingidentity | 1 Pingid Radius Pcv | 2024-11-21 | N/A | 7.5 HIGH |
| A first-factor authentication bypass vulnerability exists in the PingFederate with PingID Radius PCV when a MSCHAP authentication request is sent via a maliciously crafted RADIUS client request. | |||||
| CVE-2023-39436 | 1 Sap | 1 Supplier Relationship Management | 2024-11-21 | N/A | 5.8 MEDIUM |
| SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against SRM. | |||||
| CVE-2023-39380 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | N/A | 7.5 HIGH |
| Permission control vulnerability in the audio module. Successful exploitation of this vulnerability may cause audio devices to perform abnormally. | |||||
| CVE-2023-39231 | 1 Pingidentity | 1 Pingone Mfa Integration Kit | 2024-11-21 | N/A | 7.3 HIGH |
| PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user's first factor credentials. | |||||
| CVE-2023-38523 | 1 Samsung | 66 Fgn1115-wp-wh, Fgn1115-wp-wh Firmware, Fgn1122-cd and 63 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| The web interface on multiple Samsung Harman AMX N-Series devices allows directory listing for the /tmp/ directory, without authentication, exposing sensitive information such as the command history and screenshot of the file being processed. This affects N-Series N1115 Wallplate Video Encoder before 1.15.61, N-Series N1x22A Video Encoder/Decoder before 1.15.61, N-Series N1x33A Video Encoder/Decoder before 1.15.61, N-Series N1x33 Video Encoder/Decoder before 1.15.61, N-Series N2x35 Video Encoder/Decoder before 1.15.61, N-Series N2x35A Video Encoder/Decoder before 1.15.61, N-Series N2xx2 Video Encoder/Decoder before 1.15.61, N-Series N2xx2A Video Encoder/Decoder before 1.15.61, N-Series N3000 Video Encoder/Decoder before 2.12.105, and N-Series N4321 Audio Transceiver before 1.00.06. | |||||
| CVE-2023-38422 | 1 Walchem | 2 Intuition 9, Intuition 9 Firmware | 2024-11-21 | N/A | 7.5 HIGH |
| Walchem Intuition 9 firmware versions prior to v4.21 are missing authentication for some of the API routes of the management web server. This could allow an attacker to download and export sensitive data. | |||||
| CVE-2023-38379 | 1 Rigol | 2 Mso5000, Mso5000 Firmware | 2024-11-21 | N/A | 7.5 HIGH |
| The web interface on the RIGOL MSO5000 digital oscilloscope with firmware 00.01.03.00.03 allows remote attackers to change the admin password via a zero-length pass0 to the webcontrol changepwd.cgi application, i.e., the entered password only needs to match the first zero characters of the saved password. | |||||
| CVE-2023-38186 | 1 Microsoft | 5 Windows 10 21h2, Windows 10 22h2, Windows 11 21h2 and 2 more | 2024-11-21 | N/A | 8.8 HIGH |
| Windows Mobile Device Management Elevation of Privilege Vulnerability | |||||
| CVE-2023-38030 | 1 Saho | 4 Adm-100, Adm-100 Firmware, Adm-100fp and 1 more | 2024-11-21 | N/A | 7.5 HIGH |
| Saho’s attendance devices ADM100 and ADM-100FP have a vulnerability of missing authentication for critical functions. An unauthenticated remote attacker can execute system commands in partial website URLs to read sensitive device information without permissions. | |||||
| CVE-2023-38028 | 1 Saho | 4 Adm-100, Adm-100 Firmware, Adm-100fp and 1 more | 2024-11-21 | N/A | 9.1 CRITICAL |
| Saho’s attendance devices ADM100 and ADM-100FP have insufficient authentication. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication to read system information and operate user's data, but can’t control system or disrupt service. | |||||
| CVE-2023-37483 | 1 Sap | 1 Powerdesigner | 2024-11-21 | N/A | 9.8 CRITICAL |
| SAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy. | |||||
| CVE-2023-37373 | 1 Siemens | 1 Ruggedcom Crossbow | 2024-11-21 | N/A | 5.3 MEDIUM |
| A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.4). The affected applications accept unauthenticated file write messages. An unauthenticated remote attacker could write arbitrary files to the affected application's file system. | |||||