Total
3616 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46327 | 2 Fujifilm, Xerox | 186 Apeos 2560, Apeos 2560 Firmware, Apeos 2560 Gk and 183 more | 2024-11-21 | N/A | 5.9 MEDIUM |
| Multiple MFPs (multifunction printers) provided by FUJIFILM Business Innovation Corp. and Xerox Corporation provide a facility to export the contents of their Address Book with encrypted form, but the encryption strength is insufficient. With the knowledge of the encryption process and the encryption key, the information such as the server credentials may be obtained from the exported Address Book data. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | |||||
| CVE-2023-46290 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2024-11-21 | N/A | 8.1 HIGH |
| Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in into FactoryTalk® Services Platform . This vulnerability can only be exploited if the authorized user did not previously log in into the FactoryTalk® Services Platform web service. | |||||
| CVE-2023-45669 | 1 Webauthn4j | 1 Spring Security | 2024-11-21 | N/A | 4.8 MEDIUM |
| WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authneticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator detection does not work. An attacker who cloned valid authenticator in some way can use the cloned authenticator without being detected. This issue has been addressed in version `0.9.1.RELEASE`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-44397 | 1 Fit2cloud | 1 Cloudexplorer Lite | 2024-11-21 | N/A | 7.5 HIGH |
| CloudExplorer Lite is an open source, lightweight cloud management platform. Prior to version 1.4.1, the gateway filter of CloudExplorer Lite uses a controller with path starting with `matching/API/`, which can cause a permission bypass. Version 1.4.1 contains a patch for this issue. | |||||
| CVE-2023-44302 | 1 Dell | 2 Powerprotect Data Manager Dm5500, Powerprotect Data Manager Dm5500 Firmware | 2024-11-21 | N/A | 8.1 HIGH |
| Dell DM5500 5.14.0.0 and prior contain an improper authentication vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access of resources or functionality that could possibly lead to execute arbitrary code. | |||||
| CVE-2023-44252 | 1 Fortinet | 1 Fortiwan | 2024-11-21 | N/A | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED **An improper authentication vulnerability [CWE-287] in Fortinet FortiWAN version 5.2.0 through 5.2.1 and version 5.1.1 through 5.1.2 may allow an authenticated attacker to escalate his privileges via HTTP or HTTPs requests with crafted JWT token values. | |||||
| CVE-2023-44152 | 4 Acronis, Apple, Linux and 1 more | 4 Cyber Protect, Macos, Linux Kernel and 1 more | 2024-11-21 | N/A | 9.1 CRITICAL |
| Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979. | |||||
| CVE-2023-43809 | 1 Charm | 1 Soft Serve | 2024-11-21 | N/A | 7.5 HIGH |
| Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the `allow-keyless` setting, and the public key requires additional client-side verification for example using FIDO2 or GPG. This is due to insufficient validation procedures of the public key step during SSH request handshake, granting unauthorized access if the keyboard-interaction mode is utilized. An attacker could exploit this vulnerability by presenting manipulated SSH requests using keyboard-interactive authentication mode. This could potentially result in unauthorized access to the Soft Serve. Users should upgrade to the latest Soft Serve version `v0.6.2` to receive the patch for this issue. To workaround this vulnerability without upgrading, users can temporarily disable Keyboard-Interactive SSH Authentication using the `allow-keyless` setting. | |||||
| CVE-2023-43805 | 1 Nexryai | 1 Nexkey | 2024-11-21 | N/A | 7.5 HIGH |
| Nexkey is a fork of Misskey, an open source, decentralized social media platform. Prior to version 12.121.9, incomplete URL validation can allow users to bypass authentication for access to the job queue dashboard. Version 12.121.9 contains a fix for this issue. As a workaround, it may be possible to avoid this by blocking access using tools such as Cloudflare's WAF. | |||||
| CVE-2023-43793 | 1 Misskey | 1 Misskey | 2024-11-21 | N/A | 7.5 HIGH |
| Misskey is an open source, decentralized social media platform. Prior to version 2023.9.0, by editing the URL, a user can bypass the authentication of the Bull dashboard, which is the job queue management UI, and access it. Version 2023.9.0 contains a fix. There are no known workarounds. | |||||
| CVE-2023-43582 | 1 Zoom | 4 Meetings, Rooms, Virtual Desktop Infrastructure and 1 more | 2024-11-21 | N/A | 5.5 MEDIUM |
| Improper authorization in some Zoom clients may allow an authorized user to conduct an escalation of privilege via network access. | |||||
| CVE-2023-42771 | 1 Furunosystems | 4 Acera 1310, Acera 1310 Firmware, Acera 1320 and 1 more | 2024-11-21 | N/A | 8.8 HIGH |
| Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode. | |||||
| CVE-2023-42576 | 1 Samsung | 1 Pass | 2024-11-21 | N/A | 5.4 MEDIUM |
| Improper Authentication vulnerability in Samsung Pass prior to version 4.3.00.17 allows physical attackers to bypass authentication due to invalid exception handler. | |||||
| CVE-2023-42531 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 6.2 MEDIUM |
| Improper access control vulnerability in SmsController prior to SMR Nov-2023 Release1 allows local attackers to bypass restrictions on starting activities from the background. | |||||
| CVE-2023-42442 | 1 Fit2cloud | 1 Jumpserver | 2024-11-21 | N/A | 8.2 HIGH |
| JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`). | |||||
| CVE-2023-41999 | 1 Arcserve | 1 Udp | 2024-11-21 | N/A | 9.8 CRITICAL |
| An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated, remote attacker can obtain a valid authentication identifier that allows them to authenticate to the management console and perform tasks that require authentication. | |||||
| CVE-2023-41904 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-21 | N/A | 5.4 MEDIUM |
| Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs. | |||||
| CVE-2023-41900 | 2 Debian, Eclipse | 2 Debian Linux, Jetty | 2024-11-21 | N/A | 3.5 LOW |
| Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue. | |||||
| CVE-2023-41751 | 2 Acronis, Microsoft | 2 Agent, Windows | 2024-11-21 | N/A | 5.5 MEDIUM |
| Sensitive information disclosure due to improper token expiration validation. The following products are affected: Acronis Agent (Windows) before build 32047. | |||||
| CVE-2023-41442 | 1 Kloudq | 4 Tor Equip Gateway, Tor Lenz, Tor Loco Min and 1 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue in Kloudq Technologies Limited Tor Equip 1.0, Tor Loco Mini 1.0 through 3.1 allows a remote attacker to execute arbitrary code via a crafted request to the MQTT component. | |||||