Total
7426 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-43617 | 1 Schollz | 1 Croc | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name. | |||||
| CVE-2023-42846 | 1 Apple | 4 Ipados, Iphone Os, Tvos and 1 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| This issue was addressed by removing the vulnerable code. This issue is fixed in watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, tvOS 17.1, iOS 17.1 and iPadOS 17.1. A device may be passively tracked by its Wi-Fi MAC address. | |||||
| CVE-2023-42780 | 1 Apache | 1 Airflow | 2024-11-21 | N/A | 6.5 MEDIUM |
| Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. | |||||
| CVE-2023-42454 | 1 Lovasoa | 1 Sqlpage | 2024-11-21 | N/A | 10.0 CRITICAL |
| SQLpage is a SQL-only webapp builder. Someone using SQLpage versions prior to 0.11.1, whose SQLpage instance is exposed publicly, with a database connection string specified in the `sqlpage/sqlpage.json` configuration file (not in an environment variable), with the web_root is the current working directory (the default), and with their database exposed publicly, is vulnerable to an attacker retrieving database connection information from SQLPage and using it to connect to their database directly. Version 0.11.0 fixes this issue. Some workarounds are available. Using an environment variable instead of the configuration file to specify the database connection string prevents exposing it on vulnerable versions. Using a different web root (that is not a parent of the SQLPage configuration directory) fixes the issue. One should also avoid exposing one's database publicly. | |||||
| CVE-2023-42387 | 1 Tdsql Chitu Project | 1 Tdsql Chitu | 2024-11-21 | N/A | 7.5 HIGH |
| An issue in TDSQL Chitu management platform v.10.3.19.5.0 allows a remote attacker to obtain sensitive information via get_db_info function in install.php. | |||||
| CVE-2023-41988 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2024-11-21 | N/A | 6.8 MEDIUM |
| This issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Sonoma 14.1, watchOS 10.1, iOS 17.1 and iPadOS 17.1. An attacker with physical access may be able to use Siri to access sensitive user data. | |||||
| CVE-2023-41752 | 2 Apache, Fedoraproject | 2 Traffic Server, Fedora | 2024-11-21 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue. | |||||
| CVE-2023-41293 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | N/A | 7.5 HIGH |
| Data security classification vulnerability in the DDMP module. Successful exploitation of this vulnerability may affect confidentiality. | |||||
| CVE-2023-41260 | 1 Bestpractical | 1 Request Tracker | 2024-11-21 | N/A | 7.5 HIGH |
| Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls. | |||||
| CVE-2023-41259 | 1 Bestpractical | 1 Request Tracker | 2024-11-21 | N/A | 7.5 HIGH |
| Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call. | |||||
| CVE-2023-41050 | 1 Zope | 2 Accesscontrol, Zope | 2024-11-21 | N/A | 6.8 MEDIUM |
| AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure. `AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe. Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-40712 | 1 Apache | 1 Airflow | 2024-11-21 | N/A | 6.5 MEDIUM |
| Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability. | |||||
| CVE-2023-40511 | 2024-11-21 | N/A | 7.5 HIGH | ||
| LG Simple Editor checkServer Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the checkServer method. The issue results from the exposure of plaintext credentials. An attacker can leverage this vulnerability to bypass authentication on the system. . Was ZDI-CAN-20013. | |||||
| CVE-2023-40510 | 2024-11-21 | N/A | 7.5 HIGH | ||
| LG Simple Editor getServerSetting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getServerSetting method. The issue results from the exposure of plaintext credentials. An attacker can leverage this vulnerability to bypass authentication on the system. . Was ZDI-CAN-20012. | |||||
| CVE-2023-40348 | 1 Jenkins | 1 Gogs | 2024-11-21 | N/A | 5.3 MEDIUM |
| The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output. | |||||
| CVE-2023-40278 | 2024-11-21 | N/A | 7.5 HIGH | ||
| An issue was discovered in OpenClinic GA 5.247.01. An Information Disclosure vulnerability has been identified in the printAppointmentPdf.jsp component of OpenClinic GA. By changing the AppointmentUid parameter, an attacker can determine whether a specific appointment exists based on the error message. | |||||
| CVE-2023-40276 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| An issue was discovered in OpenClinic GA 5.247.01. An Unauthenticated File Download vulnerability has been discovered in pharmacy/exportFile.jsp. | |||||
| CVE-2023-40275 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| An issue was discovered in OpenClinic GA 5.247.01. It allows retrieval of patient lists via queries such as findFirstname= to _common/search/searchByAjax/patientslistShow.jsp. | |||||
| CVE-2023-40159 | 1 Philips | 1 Vue Pacs | 2024-11-21 | N/A | 8.2 HIGH |
| A validated user not explicitly authorized to have access to certain sensitive information could access Philips Vue PACS on the same network to expose that information. | |||||
| CVE-2023-3819 | 1 Pimcore | 1 Pimcore | 2024-11-21 | N/A | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4. | |||||