Total
2047 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-22593 | 2 Ibm, Redhat | 2 Robotic Process Automation, Openshift | 2024-11-21 | N/A | 4.0 MEDIUM |
| IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.7.3 and 23.0.0 through 23.0.3 is vulnerable to security misconfiguration of the Redis container which may provide elevated privileges. IBM X-Force ID: 244074. | |||||
| CVE-2023-22500 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 7.5 HIGH |
| GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessbile by unauthenticated users. This issue is patched in version 10.0.6. As a workaround, disable native inventory and delete inventory files from server (default location is `files/_inventory`). | |||||
| CVE-2023-22482 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | N/A | 9.0 CRITICAL |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds. | |||||
| CVE-2023-22480 | 1 Fit2cloud | 1 Kubeoperator | 2024-11-21 | N/A | 7.3 HIGH |
| KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4. | |||||
| CVE-2023-22251 | 1 Adobe | 2 Commerce, Magento Open Source | 2024-11-21 | N/A | 4.3 MEDIUM |
| Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure. | |||||
| CVE-2023-22248 | 1 Adobe | 2 Commerce, Magento | 2024-11-21 | N/A | 7.5 HIGH |
| Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to leak another user's data. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-21670 | 1 Qualcomm | 364 315 5g Iot Modem, 315 5g Iot Modem Firmware, Aqt1000 and 361 more | 2024-11-21 | N/A | 7.8 HIGH |
| Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode. | |||||
| CVE-2023-21560 | 1 Microsoft | 15 Windows 10 1607, Windows 10 1809, Windows 10 20h2 and 12 more | 2024-11-21 | N/A | 6.6 MEDIUM |
| Windows Boot Manager Security Feature Bypass Vulnerability | |||||
| CVE-2023-21424 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 5.1 MEDIUM |
| Improper Handling of Insufficient Permissions or Privileges vulnerability in SemChameleonHelper prior to SMR Jan-2023 Release 1 allows attacker to modify network related values, network code, carrier id and operator brand. | |||||
| CVE-2023-21423 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 5.1 MEDIUM |
| Improper authorization vulnerability in ChnFileShareKit prior to SMR Jan-2023 Release 1 allows attacker to control BLE advertising without permission using unprotected action. | |||||
| CVE-2023-21422 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 5.7 MEDIUM |
| Improper authorization vulnerability in semAddPublicDnsAddr in WifiSevice prior to SMR Jan-2023 Release 1 allows attackers to set custom DNS server without permission via binding WifiService. | |||||
| CVE-2023-21390 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
| In Sim, there is a possible way to evade mobile preference restrictions due to a permission bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21311 | 1 Google | 1 Android | 2024-11-21 | N/A | 5.5 MEDIUM |
| In Settings, there is a possible way to control private DNS settings from a secondary user due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21256 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
| In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2023-21254 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
| In getCurrentState of OneTimePermissionUserManager.java, there is a possible way to hold one-time permissions after the app is being killed due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21225 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
| there is a possible way to bypass the protected confirmation screen due to Failure to lock display power. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-270403821References: N/A | |||||
| CVE-2023-20800 | 3 Google, Linuxfoundation, Mediatek | 9 Android, Yocto, Mt6879 and 6 more | 2024-11-21 | N/A | 6.5 MEDIUM |
| In imgsys, there is a possible system crash due to a mssing ptr check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07420968; Issue ID: ALPS07420955. | |||||
| CVE-2023-20191 | 1 Cisco | 1 Ios Xr | 2024-11-21 | N/A | 5.8 MEDIUM |
| A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incomplete support for this feature. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device. There are workarounds that address this vulnerability. This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication . | |||||
| CVE-2023-20190 | 1 Cisco | 1 Ios Xr | 2024-11-21 | N/A | 5.8 MEDIUM |
| A vulnerability in the classic access control list (ACL) compression feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass the protection that is offered by a configured ACL on an affected device. This vulnerability is due to incorrect destination address range encoding in the compression module of an ACL that is applied to an interface of an affected device. An attacker could exploit this vulnerability by sending traffic through the affected device that should be denied by the configured ACL. A successful exploit could allow the attacker to bypass configured ACL protections on the affected device, allowing the attacker to access trusted networks that the device might be protecting. There are workarounds that address this vulnerability. This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication . | |||||
| CVE-2023-20018 | 1 Cisco | 44 Ip Phone 7800, Ip Phone 7800 Firmware, Ip Phone 7811 and 41 more | 2024-11-21 | N/A | 8.6 HIGH |
| A vulnerability in the web-based management interface of Cisco IP Phone 7800 and 8800 Series Phones could allow an unauthenticated, remote attacker to bypass authentication on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to access certain parts of the web interface that would normally require authentication. | |||||