Total
284 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-33228 | 1 Solarwinds | 1 Network Configuration Manager | 2024-11-21 | N/A | 4.5 MEDIUM |
| The SolarWinds Network Configuration Manager was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to obtain sensitive information. | |||||
| CVE-2023-33037 | 1 Qualcomm | 166 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 163 more | 2024-11-21 | N/A | 7.1 HIGH |
| Cryptographic issue in Automotive while unwrapping the key secs2d and verifying with RPMB data. | |||||
| CVE-2023-32982 | 1 Jenkins | 1 Ansible | 2024-11-21 | N/A | 4.3 MEDIUM |
| Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2023-32290 | 1 Vk.company | 1 Mymail | 2024-11-21 | N/A | 7.5 HIGH |
| The myMail app through 14.30 for iOS sends cleartext credentials in a situation where STARTTLS is expected by a server. | |||||
| CVE-2023-31825 | 1 Inageya | 1 Inageya | 2024-11-21 | N/A | 7.5 HIGH |
| An issue found in Inageya v.13.4.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp Inageya function. | |||||
| CVE-2023-31822 | 1 Entetsu | 1 Entetsu Store | 2024-11-21 | N/A | 7.5 HIGH |
| An issue found in Entetsu Store v.13.4.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp Entetsu Store function. | |||||
| CVE-2023-31820 | 1 Shizutetsu | 1 Shizutetsu Store | 2024-11-21 | N/A | 7.5 HIGH |
| An issue found in Shizutetsu Store v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp function. | |||||
| CVE-2023-31819 | 1 Livre | 1 Keisei Store | 2024-11-21 | N/A | 7.5 HIGH |
| An issue found in KEISEI STORE Co, Ltd. LIVRE KEISEI v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp function. | |||||
| CVE-2023-30561 | 1 Bd | 2 Alaris 8015 Pcu, Alaris 8015 Pcu Firmware | 2024-11-21 | N/A | 6.1 MEDIUM |
| The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running. | |||||
| CVE-2023-28999 | 1 Nextcloud | 2 Desktop, Nextcloud | 2024-11-21 | N/A | 6.9 MEDIUM |
| Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files.? This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available. | |||||
| CVE-2023-28841 | 1 Mobyproject | 1 Moby | 2024-11-21 | N/A | 6.8 MEDIUM |
| Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. An iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay network for IPsec encapsulation. Encrypted overlay networks on affected platforms silently transmit unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees. It is possible for an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because many database protocols, internal APIs, etc. are not protected by a second layer of encryption, a user may use Swarm encrypted overlay networks to provide confidentiality, which due to this vulnerability this is no longer guaranteed. Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster. | |||||
| CVE-2023-28045 | 1 Dell | 1 Cloudiq Collector | 2024-11-21 | N/A | 6.3 MEDIUM |
| Dell CloudIQ Collector version 1.10.2 contains a missing encryption of sensitive data vulnerability. An attacker with low privileges could potentially exploit this vulnerability, leading to gain access to unauthorized data. | |||||
| CVE-2023-23127 | 1 Connectwise | 1 Connectwise | 2024-11-21 | N/A | 5.3 MEDIUM |
| In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting. | |||||
| CVE-2023-22948 | 1 Tigergraph | 1 Tigergraph | 2024-11-21 | N/A | 4.9 MEDIUM |
| An issue was discovered in TigerGraph Enterprise Free Edition 3.x. There is unsecured read access to an SSH private key. Any code that runs as the tigergraph user is able to read the SSH private key. With this, an attacker is granted password-less SSH access to all machines in the TigerGraph cluster. | |||||
| CVE-2023-21404 | 1 Axis | 1 Axis Os | 2024-11-21 | N/A | 5.3 MEDIUM |
| AXIS OS 11.0.X - 11.3.x use a static RSA key in legacy LUA-components to protect Axis-specific source code. The static RSA key is not used in any other secure communication nor can it be used to compromise the device or any customer data. | |||||
| CVE-2023-0750 | 1 Lynx-technik | 2 Yellobrik Pec 1864, Yellobrik Pec 1864 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| Yellobrik PEC-1864 implements authentication checks via javascript in the frontend interface. When the device can be accessed over the network an attacker could bypass authentication. This would allow an attacker to : - Change the password, resulting in a DOS of the users - Change the streaming source, compromising the integrity of the stream - Change the streaming destination, compromising the confidentiality of the stream This issue affects Yellowbrik: PEC 1864. No patch has been issued by the manufacturer as this model was discontinued. | |||||
| CVE-2023-0690 | 1 Hashicorp | 1 Boundary | 2024-11-21 | N/A | 5.0 MEDIUM |
| HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk. This issue is fixed in version 0.12.0. | |||||
| CVE-2022-4683 | 1 Usememos | 1 Memos | 2024-11-21 | N/A | 6.5 MEDIUM |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0. | |||||
| CVE-2022-4409 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | N/A | 7.5 HIGH |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9. | |||||
| CVE-2022-47715 | 1 Lastyard | 1 Last Yard | 2024-11-21 | N/A | 5.3 MEDIUM |
| In Last Yard 22.09.8-1, the cookie can be stolen via via unencrypted traffic. | |||||