Total
426 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-33768 | 1 Belkin | 2 Wemo Smart Plug Wsp080, Wemo Smart Plug Wsp080 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
| Incorrect signature verification of the firmware during the Device Firmware Update process of Belkin Wemo Smart Plug WSP080 v1.2 allows attackers to cause a Denial of Service (DoS) via a crafted firmware file. | |||||
| CVE-2023-33185 | 1 Django-ses Project | 1 Django-ses | 2024-11-21 | N/A | 4.6 MEDIUM |
| Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates. This issue was patched in version 3.5.0. | |||||
| CVE-2023-32449 | 1 Dell | 11 Powerstore 1000t, Powerstore 1200t, Powerstore 3000t and 8 more | 2024-11-21 | N/A | 7.2 HIGH |
| Dell PowerStore versions prior to 3.5 contain an improper verification of cryptographic signature vulnerability. An attacker can trick a high privileged user to install a malicious binary by bypassing the existing cryptographic signature checks | |||||
| CVE-2023-2030 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 3.5 LOW |
| An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits. | |||||
| CVE-2023-28818 | 1 Veritas | 2 Aptare It Analytics, Netbackup It Analytics | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue was discovered in Veritas NetBackup IT Analytics 11 before 11.2.0. The application upgrade process included unsigned files that could be exploited and result in a customer installing unauthentic components. A malicious actor could install rogue Collector executable files (aptare.jar or upgrademanager.zip) on the Portal server, which might then be downloaded and installed on collectors. | |||||
| CVE-2023-28804 | 1 Zscaler | 1 Client Connector | 2024-11-21 | N/A | 8.2 HIGH |
| An Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows replacing binaries.This issue affects Linux Client Connector: before 1.4.0.105 | |||||
| CVE-2023-28801 | 1 Zscaler | 1 Zscaler Internet Access Admin Portal | 2024-11-21 | N/A | 9.6 CRITICAL |
| An Improper Verification of Cryptographic Signature in the SAML authentication of the Zscaler Admin UI allows a Privilege Escalation.This issue affects Admin UI: from 6.2 before 6.2r. | |||||
| CVE-2023-28796 | 1 Zscaler | 1 Client Connector | 2024-11-21 | N/A | 7.1 HIGH |
| Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows Code Injection. This issue affects Zscaler Client Connector for Linux: before 1.3.1.6. | |||||
| CVE-2023-28602 | 1 Zoom | 1 Zoom | 2024-11-21 | N/A | 2.8 LOW |
| Zoom for Windows clients prior to 5.13.5 contain an improper verification of cryptographic signature vulnerability. A malicious user may potentially downgrade Zoom Client components to previous versions. | |||||
| CVE-2023-28228 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2024-11-21 | N/A | 5.5 MEDIUM |
| Windows Spoofing Vulnerability | |||||
| CVE-2023-28226 | 1 Microsoft | 8 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 5 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| Windows Enroll Engine Security Feature Bypass Vulnerability | |||||
| CVE-2023-28113 | 1 Russh Project | 1 Russh | 2024-11-21 | N/A | 5.9 MEDIUM |
| russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1 | |||||
| CVE-2023-25934 | 1 Dell | 1 Elastic Cloud Storage | 2024-11-21 | N/A | 5.9 MEDIUM |
| DELL ECS prior to 3.8.0.2 contains an improper verification of cryptographic signature vulnerability. A network attacker with an ability to intercept the request could potentially exploit this vulnerability to modify the body data of the request. | |||||
| CVE-2023-25718 | 1 Connectwise | 1 Control | 2024-11-21 | N/A | 9.8 CRITICAL |
| In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. NOTE: this may overlap CVE-2023-25719. NOTE: the vendor's position is that this purported vulnerability represents a "fundamental lack of understanding of Authenticode code signing behavior." | |||||
| CVE-2023-24025 | 1 Pqclean Project | 1 Pqclean | 2024-11-21 | N/A | 7.5 HIGH |
| CRYSTALS-DILITHIUM (in Post-Quantum Cryptography Selected Algorithms 2022) in PQClean d03da30 may allow universal forgeries of digital signatures via a template side-channel attack because of intermediate data leakage of one vector. | |||||
| CVE-2023-23940 | 1 Openzeppelin | 1 Contracts | 2024-11-21 | N/A | 6.4 MEDIUM |
| OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1. | |||||
| CVE-2023-23928 | 1 Reason-jose Project | 1 Reason-jose | 2024-11-21 | N/A | 5.9 MEDIUM |
| reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2. | |||||
| CVE-2023-23773 | 1 Motorola | 4 Ebts Base Radio, Ebts Base Radio Firmware, Mbts Base Radio and 1 more | 2024-11-21 | N/A | 7.2 HIGH |
| Motorola EBTS/MBTS Base Radio fails to check firmware authenticity. The Motorola MBTS Base Radio lacks cryptographic signature validation for firmware update packages, allowing an authenticated attacker to gain arbitrary code execution, extract secret key material, and/or leave a persistent implant on the device. | |||||
| CVE-2023-23772 | 1 Motorola | 2 Mbts Site Controller, Mbts Site Controller Firmware | 2024-11-21 | N/A | 7.2 HIGH |
| Motorola MBTS Site Controller fails to check firmware update authenticity. The Motorola MBTS Site Controller lacks cryptographic signature validation for firmware update packages, allowing an authenticated attacker to gain arbitrary code execution, extract secret key material, and/or leave a persistent implant on the device. | |||||
| CVE-2023-23436 | 1 Hihonor | 1 Magic Os | 2024-11-21 | N/A | 7.3 HIGH |
| Some Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file | |||||