Total
3616 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-51708 | 1 Bentley | 2 Assetwise Alim For Transportation, Eb System Management Console | 2024-11-21 | N/A | 8.6 HIGH |
| Bentley eB System Management Console applications within Assetwise Integrity Information Server allow an unauthenticated user to view configuration options via a crafted request, leading to information disclosure. This affects eB System management Console before 23.00.02.03 and Assetwise ALIM For Transportation before 23.00.01.25. | |||||
| CVE-2023-51511 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Improper Authentication vulnerability in Pluggabl LLC Booster Elite for WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booster Elite for WooCommerce: from n/a before 7.1.3. | |||||
| CVE-2023-51484 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Improper Authentication vulnerability in wp-buy Login as User or Customer (User Switching) allows Privilege Escalation.This issue affects Login as User or Customer (User Switching): from n/a through 3.8. | |||||
| CVE-2023-51482 | 2024-11-21 | N/A | 9.9 CRITICAL | ||
| Improper Authentication vulnerability in EazyPlugins Eazy Plugin Manager allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Eazy Plugin Manager: from n/a through 4.1.2. | |||||
| CVE-2023-51477 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Improper Authentication vulnerability in BUDDYBOSS DMCC BuddyBoss Theme allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BuddyBoss Theme: from n/a through 2.4.60. | |||||
| CVE-2023-51472 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Improper Authentication vulnerability in Mestres do WP Checkout Mestres WP allows Privilege Escalation.This issue affects Checkout Mestres WP: from n/a through 7.1.9.7. | |||||
| CVE-2023-51471 | 2024-11-21 | N/A | 8.2 HIGH | ||
| Improper Authentication vulnerability in Mestres do WP Checkout Mestres WP allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Checkout Mestres WP: from n/a through 7.1.9.7. | |||||
| CVE-2023-51442 | 1 Navidrome | 1 Navidrome | 2024-11-21 | N/A | 8.6 HIGH |
| Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed with the key "not so secret". The vulnerability can only be exploited on instances that have never been restarted. Navidrome supports an extension to the subsonic authentication scheme, where a JWT can be provided using a `jwt` query parameter instead of the traditional password or token and salt (corresponding to resp. the `p` or `t` and `s` query parameters). This authentication bypass vulnerability potentially affects all instances that don't protect the subsonic endpoint `/rest/`, which is expected to be most instances in a standard deployment, and most instances in the reverse proxy setup too (as the documentation mentions to leave that endpoint unprotected). This issue has been patched in version 0.50.2. | |||||
| CVE-2023-50934 | 1 Ibm | 1 Powersc | 2024-11-21 | N/A | 5.3 MEDIUM |
| IBM PowerSC 1.3, 2.0, and 2.1 uses single-factor authentication which can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. IBM X-Force ID: 275114. | |||||
| CVE-2023-50714 | 1 Yiiframework | 1 Yii2-authclient | 2024-11-21 | N/A | 6.8 MEDIUM |
| yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the `authCodeVerifier` should be removed after usage (similar to `authState`). Second, there is a risk for a `downgrade attack` if PKCE is being relied on for CSRF protection. Version 2.2.15 contains a patch for the issue. No known workarounds are available. | |||||
| CVE-2023-50275 | 1 Hp | 1 Oneview | 2024-11-21 | N/A | 7.5 HIGH |
| HPE OneView may allow clusterService Authentication Bypass resulting in denial of service. | |||||
| CVE-2023-50127 | 1 Hozard | 1 Alarm System | 2024-11-21 | N/A | 5.9 MEDIUM |
| Hozard alarm system (Alarmsysteem) v1.0 is vulnerable to Improper Authentication. Commands sent via the SMS functionality are accepted from random phone numbers, which allows an attacker to bring the alarm system to a disarmed state from any given phone number. | |||||
| CVE-2023-4985 | 1 Supcon | 1 Inplant Scada | 2024-11-21 | 4.6 MEDIUM | 5.9 MEDIUM |
| A vulnerability classified as critical has been found in Supcon InPlant SCADA up to 20230901. Affected is an unknown function of the file Project.xml. The manipulation leads to improper authentication. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239796. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4939 | 1 Salesmanago | 1 Salesmanago | 2024-11-21 | N/A | 5.3 MEDIUM |
| The SALESmanago plugin for WordPress is vulnerable to Log Injection in versions up to, and including, 3.2.4. This is due to the use of a weak authentication token for the /wp-json/salesmanago/v1/callbackApiV3 API endpoint which is simply a SHA1 hash of the site URL and client ID found in the page source of the website. This makes it possible for unauthenticated attackers to inject arbitrary content into the log files, and when combined with another vulnerability this could have significant consequences. | |||||
| CVE-2023-4816 | 1 Hitachienergy | 1 Asset Suite | 2024-11-21 | N/A | 6.9 MEDIUM |
| A vulnerability exists in the Equipment Tag Out authentication, when configured with Single Sign-On (SSO) with password validation in T214. This vulnerability can be exploited by an authenticated user per-forming an Equipment Tag Out holder action (Accept, Release, and Clear) for another user and entering an arbitrary password in the holder action confirmation dialog box. Despite entering an arbitrary password in the confirmation box, the system will execute the selected holder action. | |||||
| CVE-2023-4669 | 1 Exagate | 2 Sysguard 3001, Sysguard 3001 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Assumed-Immutable Data vulnerability in Exagate SYSGuard 3001 allows Authentication Bypass.This issue affects SYSGuard 3001: before 3.2.20.0. | |||||
| CVE-2023-4641 | 2 Redhat, Shadow-maint | 9 Codeready Linux Builder, Codeready Linux Builder For Arm64, Codeready Linux Builder For Ibm Z Systems and 6 more | 2024-11-21 | N/A | 4.7 MEDIUM |
| A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. | |||||
| CVE-2023-4568 | 1 Papercut | 1 Papercut Ng | 2024-11-21 | N/A | 6.5 MEDIUM |
| PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch. | |||||
| CVE-2023-4562 | 1 Mitsubishielectric | 380 Fx3g-14 Mr\/ds, Fx3g-14 Mr\/ds Firmware, Fx3g-14 Mr\/es and 377 more | 2024-11-21 | N/A | 9.1 CRITICAL |
| Improper Authentication vulnerability in Mitsubishi Electric Corporation MELSEC-F Series main modules allows a remote unauthenticated attacker to obtain sequence programs from the product or write malicious sequence programs or improper data in the product without authentication by sending illegitimate messages. | |||||
| CVE-2023-4501 | 1 Microfocus | 5 Cobol Server, Enterprise Developer, Enterprise Server and 2 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server (including product variants such as Enterprise Test Server), versions 7.0 patch updates 19 and 20, 8.0 patch updates 8 and 9, and 9.0 patch update 1, when LDAP-based authentication is used with certain configurations. When the vulnerability is active, authentication succeeds with any valid username, regardless of whether the password is correct; it may also succeed with an invalid username (and any password). This allows an attacker with access to the product to impersonate any user. Mitigations: The issue is corrected in the upcoming patch update for each affected product. Product overlays and workaround instructions are available through OpenText Support. The vulnerable configurations are believed to be uncommon. Administrators can test for the vulnerability in their installations by attempting to sign on to a Visual COBOL or Enterprise Server component such as ESCWA using a valid username and incorrect password. | |||||