Total
1628 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-24047 | 2024-11-21 | N/A | 6.8 MEDIUM | ||
| An Insecure Credential Management issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via use of weak hashing algorithm. | |||||
| CVE-2023-24029 | 1 Progress | 1 Ws Ftp Server | 2024-11-21 | N/A | 7.2 HIGH |
| In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows. | |||||
| CVE-2023-23947 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | N/A | 9.1 CRITICAL |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields. | |||||
| CVE-2023-23924 | 1 Dompdf Project | 1 Dompdf | 2024-11-21 | N/A | 10.0 CRITICAL |
| Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available. | |||||
| CVE-2023-23918 | 1 Nodejs | 1 Node.js | 2024-11-21 | N/A | 7.5 HIGH |
| A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy. | |||||
| CVE-2023-23751 | 1 Joomla | 1 Joomla\! | 2024-11-21 | N/A | 4.3 MEDIUM |
| An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs. | |||||
| CVE-2023-23696 | 1 Dell | 1 Command \| Intel Vpro Out Of Band | 2024-11-21 | N/A | 7.0 HIGH |
| Dell Command Intel vPro Out of Band, versions prior to 4.3.1, contain an Improper Authorization vulnerability. A locally authenticated malicious users could potentially exploit this vulnerability in order to write arbitrary files to the system. | |||||
| CVE-2023-23594 | 1 Sato-global | 2 Cl4nx Plus, Cl4nx Plus Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability in the web client interface for the CL4NX printer before firmware version 1.13.3-u724_r2 provides remote unauthenticated attackers with access to execute commands intended only for valid/authenticated users, such as file uploads and configuration changes. | |||||
| CVE-2023-23476 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation For Cloud Pak | 2024-11-21 | N/A | 3.1 LOW |
| IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes. IBM X-Force ID: 245425. | |||||
| CVE-2023-23446 | 1 Sick | 14 Ftmg-esd15axx, Ftmg-esd15axx Firmware, Ftmg-esd20axx and 11 more | 2024-11-21 | N/A | 7.5 HIGH |
| Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to download files by using a therefore unpriviledged account via the REST interface. | |||||
| CVE-2023-23445 | 1 Sick | 14 Ftmg-esd15axx, Ftmg-esd15axx Firmware, Ftmg-esd20axx and 11 more | 2024-11-21 | N/A | 7.5 HIGH |
| Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to gain unauthorized access to data fields by using a therefore unpriviledged account via the REST interface. | |||||
| CVE-2023-23192 | 1 Isdecisions | 1 Userlock | 2024-11-21 | N/A | 7.2 HIGH |
| IS Decisions UserLock MFA 11.01 is vulnerable to authentication bypass using scheduled task. | |||||
| CVE-2023-23064 | 1 Totolink | 2 A720r, A720r Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| TOTOLINK A720R V4.1.5cu.532_ B20210610 is vulnerable to Incorrect Access Control. | |||||
| CVE-2023-22945 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-11-21 | N/A | 4.3 MEDIUM |
| In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties. | |||||
| CVE-2023-22891 | 1 Smartbear | 1 Zephyr Enterprise | 2024-11-21 | N/A | 8.1 HIGH |
| There exists a privilege escalation vulnerability in SmartBear Zephyr Enterprise through 7.15.0 that could be exploited by authorized users to reset passwords for other accounts. | |||||
| CVE-2023-22833 | 1 Palantir | 1 Foundry | 2024-11-21 | N/A | 7.6 HIGH |
| Palantir Foundry deployments running Lime2 versions between 2.519.0 and 2.532.0 were vulnerable a bug that allowed authenticated users within a Foundry organization to bypass discretionary or mandatory access controls under certain circumstances. | |||||
| CVE-2023-22620 | 1 Securepoint | 1 Unified Threat Management | 2024-11-21 | N/A | 7.5 HIGH |
| An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface. | |||||
| CVE-2023-22610 | 1 Schneider-electric | 3 Ecostruxure Geo Scada Expert 2019, Ecostruxure Geo Scada Expert 2020, Ecostruxure Geo Scada Expert 2021 | 2024-11-21 | N/A | 9.1 CRITICAL |
| A CWE-863: Incorrect Authorization vulnerability exists that could cause Denial of Service against the Geo SCADA server when specific messages are sent to the server over the database server TCP port. | |||||
| CVE-2023-22593 | 2 Ibm, Redhat | 2 Robotic Process Automation, Openshift | 2024-11-21 | N/A | 4.0 MEDIUM |
| IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.7.3 and 23.0.0 through 23.0.3 is vulnerable to security misconfiguration of the Redis container which may provide elevated privileges. IBM X-Force ID: 244074. | |||||
| CVE-2023-22518 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2024-11-21 | N/A | 9.8 CRITICAL |
| All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to - but not limited to - full loss of confidentiality, integrity and availability. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue. | |||||