Total
3369 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46327 | 2 Fujifilm, Xerox | 186 Apeos 2560, Apeos 2560 Firmware, Apeos 2560 Gk and 183 more | 2024-02-28 | N/A | 5.9 MEDIUM |
| Multiple MFPs (multifunction printers) provided by FUJIFILM Business Innovation Corp. and Xerox Corporation provide a facility to export the contents of their Address Book with encrypted form, but the encryption strength is insufficient. With the knowledge of the encryption process and the encryption key, the information such as the server credentials may be obtained from the exported Address Book data. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | |||||
| CVE-2023-30724 | 1 Samsung | 1 Gallery | 2024-02-28 | N/A | 3.3 LOW |
| Improper authentication in GallerySearchProvider of Gallery prior to version 14.5.01.2 allows attacker to access search history. | |||||
| CVE-2023-37266 | 1 Icewhale | 1 Casaos | 2024-02-28 | N/A | 9.8 CRITICAL |
| CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit `705bf1f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly. | |||||
| CVE-2023-37268 | 1 Warpgate Project | 1 Warpgate | 2024-02-28 | N/A | 8.8 HIGH |
| Warpgate is an SSH, HTTPS and MySQL bastion host for Linux that doesn't need special client apps. When logging in as a user with SSO enabled an attacker may authenticate as an other user. Any user account which does not have a second factor enabled could be compromised. This issue has been addressed in commit `8173f6512a` and in releases starting with version 0.7.3. Users are advised to upgrade. Users unable to upgrade should require their users to use a second factor in authentication. | |||||
| CVE-2023-42442 | 1 Fit2cloud | 1 Jumpserver | 2024-02-28 | N/A | 5.3 MEDIUM |
| JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`). | |||||
| CVE-2023-41904 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-02-28 | N/A | 5.4 MEDIUM |
| Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs. | |||||
| CVE-2023-20252 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2024-02-28 | N/A | 9.8 CRITICAL |
| A vulnerability in the Security Assertion Markup Language (SAML) APIs of Cisco Catalyst SD-WAN Manager Software could allow an unauthenticated, remote attacker to gain unauthorized access to the application as an arbitrary user. This vulnerability is due to improper authentication checks for SAML APIs. An attacker could exploit this vulnerability by sending requests directly to the SAML API. A successful exploit could allow the attacker to generate an authorization token sufficient to gain access to the application. | |||||
| CVE-2022-47848 | 1 Bezeq | 4 Vtech Iad604-il, Vtech Iad604-il Firmware, Vtech Nb403-il and 1 more | 2024-02-28 | N/A | 7.5 HIGH |
| An issue was discovered in Bezeq Vtech NB403-IL version BZ_2.02.07.09.13.01 and Vtech IAD604-IL versions BZ_2.02.07.09.13.01, BZ_2.02.07.09.13T, and BZ_2.02.07.09.09T, allows remote attackers to gain sensitive information via rootDesc.xml page of the UPnP service. | |||||
| CVE-2023-39415 | 1 Northgrid | 1 Proself | 2024-02-28 | N/A | 7.5 HIGH |
| Improper authentication vulnerability in Proself Enterprise/Standard Edition Ver5.61 and earlier, Proself Gateway Edition Ver1.62 and earlier, and Proself Mail Sanitize Edition Ver1.07 and earlier allow a remote unauthenticated attacker to log in to the product's Control Panel and perform an unintended operation. | |||||
| CVE-2023-30559 | 1 Bd | 2 Alaris 8015 Pcu, Alaris 8015 Pcu Firmware | 2024-02-28 | N/A | 5.7 MEDIUM |
| The firmware update package for the wireless card is not properly signed and can be modified. | |||||
| CVE-2022-3681 | 1 Motorola | 1 Mr2600 | 2024-02-28 | N/A | 6.5 MEDIUM |
| A vulnerability has been identified in the MR2600 router v1.0.18 and earlier that could allow an attacker within range of the wireless network to successfully brute force the WPS pin, potentially allowing them unauthorized access to a wireless network. | |||||
| CVE-2023-39069 | 1 Strangebee | 2 Cortex, Thehive | 2024-02-28 | N/A | 9.8 CRITICAL |
| An issue in StrangeBee TheHive v.5.0.8, v.4.1.21 and Cortex v.3.1.6 allows a remote attacker to gain privileges via Active Directory authentication mechanism. | |||||
| CVE-2023-1935 | 1 Emerson | 10 Dl8000, Dl8000 Firmware, Roc809 and 7 more | 2024-02-28 | N/A | 9.4 CRITICAL |
| ROC800-Series RTU devices are vulnerable to an authentication bypass, which could allow an attacker to gain unauthorized access to data or control of the device and cause a denial-of-service condition. | |||||
| CVE-2023-3591 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 8.2 HIGH |
| Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created. | |||||
| CVE-2021-27715 | 1 Mofinetwork | 2 Mofi4500-4gxelte-v2, Mofi4500-4gxelte-v2 Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
| An issue was discovered in MoFi Network MOFI4500-4GXeLTE-V2 3.5.6-xnet-5052 allows attackers to bypass the authentication and execute arbitrary code via crafted HTTP request. | |||||
| CVE-2023-34196 | 1 Keyfactor | 1 Ejbca | 2024-02-28 | N/A | 8.2 HIGH |
| In the Keyfactor EJBCA before 8.0.0, the RA web certificate distribution servlet /ejbca/ra/cert allows partial denial of service due to an authentication issue. In configurations using OAuth, disclosure of CA certificates (attributes and public keys) to unauthenticated or less privileged users may occur. | |||||
| CVE-2023-27877 | 1 Ibm | 1 Cloud Pak For Data | 2024-02-28 | N/A | 7.5 HIGH |
| IBM Planning Analytics Cartridge for Cloud Pak for Data 4.0 connects to a CouchDB server. An attacker can exploit an insecure password policy to the CouchDB server and collect sensitive information from the database. IBM X-Force ID: 247905. | |||||
| CVE-2023-3263 | 1 Dataprobe | 44 Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware, Iboot-pdu4-n20 and 41 more | 2024-02-28 | N/A | 7.5 HIGH |
| The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass in the REST API due to the mishandling of special characters when parsing credentials.Successful exploitation allows the malicious agent to obtain a valid authorization token and read information relating to the state of the relays and power distribution. | |||||
| CVE-2023-37362 | 1 Weintek | 1 Weincloud | 2024-02-28 | N/A | 8.8 HIGH |
| Weintek Weincloud v0.13.6 could allow an attacker to abuse the registration functionality to login with testing credentials to the official website. | |||||
| CVE-2023-32202 | 1 Walchem | 2 Intuition 9, Intuition 9 Firmware | 2024-02-28 | N/A | 8.8 HIGH |
| Walchem Intuition 9 firmware versions prior to v4.21 are vulnerable to improper authentication. Login credentials are stored in a format that could allow an attacker to use them as-is to login and gain access to the device. | |||||