Total
3710 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5844 | 1 Pimcore | 1 Admin Classic Bundle | 2024-11-21 | N/A | 7.2 HIGH |
| Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0. | |||||
| CVE-2023-5830 | 1 Documentlocator | 1 Document Locator | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical has been found in ColumbiaSoft Document Locator. This affects an unknown part of the file /api/authentication/login of the component WebTools. The manipulation of the argument Server leads to improper authentication. It is possible to initiate the attack remotely. Upgrading to version 7.2 SP4 and 2021.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-243729 was assigned to this vulnerability. | |||||
| CVE-2023-5808 | 2 Hitachi, Microsoft | 2 Vantara Hitachi Network Attached Storage, Windows | 2024-11-21 | N/A | 7.6 HIGH |
| SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in a Storage administrative role are able to access HNAS configuration backup and diagnostic data, that would normally be barred to that specific administrative role. | |||||
| CVE-2023-5627 | 1 Moxa | 54 Nport 6150, Nport 6150-t, Nport 6150-t Firmware and 51 more | 2024-11-21 | N/A | 7.5 HIGH |
| A vulnerability has been identified in NPort 6000 Series, making the authentication mechanism vulnerable. This vulnerability arises from the incorrect implementation of sensitive information protection, potentially allowing malicious users to gain unauthorized access to the web service. | |||||
| CVE-2023-5376 | 1 Korenix | 84 Jetnet 4508, Jetnet 4508-w, Jetnet 4508-w Firmware and 81 more | 2024-11-21 | N/A | 8.6 HIGH |
| An Improper Authentication vulnerability in Korenix JetNet TFTP allows abuse of this service. This issue affects JetNet devices older than firmware version 2024/01. | |||||
| CVE-2023-5329 | 1 F-logic | 2 Datacube4, Datacube4 Firmware | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
| A vulnerability classified as problematic was found in Field Logic DataCube4 up to 20231001. This vulnerability affects unknown code of the file /api/ of the component Web API. The manipulation leads to improper authentication. The exploit has been disclosed to the public and may be used. VDB-241030 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-5328 | 1 Sato | 2 Cl4nx-j Plus, Cl4nx-j Plus Firmware | 2024-11-21 | 5.8 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in SATO CL4NX-J Plus 1.13.2-u455_r2. This affects an unknown part of the component Cookie Handler. The manipulation with the input auth=user,level1,settings; web=true leads to improper authentication. Access to the local network is required for this attack. The exploit has been disclosed to the public and may be used. The identifier VDB-241029 was assigned to this vulnerability. | |||||
| CVE-2023-5326 | 1 Sato | 2 Cl4nx-j Plus, Cl4nx-j Plus Firmware | 2024-11-21 | 5.8 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in SATO CL4NX-J Plus 1.13.2-u455_r2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component WebConfig. The manipulation leads to improper authentication. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-241027. | |||||
| CVE-2023-5246 | 1 Sick | 26 Fx0-gent00000, Fx0-gent00000 Firmware, Fx0-gent00010 and 23 more | 2024-11-21 | N/A | 8.8 HIGH |
| Authentication Bypass by Capture-replay in SICK Flexi Soft Gateways with Partnumbers 1044073, 1127717, 1130282, 1044074, 1121597, 1099832, 1051432, 1127487, 1069070, 1112296, 1044072, 1121596, 1099830 allows an unauthenticated remote attacker to potentially impact the availability, integrity and confidentiality of the gateways via an authentication bypass by capture-replay. | |||||
| CVE-2023-52161 | 1 Intel | 1 Inet Wireless Daemon | 2024-11-21 | N/A | 7.5 HIGH |
| The Access Point functionality in eapol_auth_key_handle in eapol.c in iNet wireless daemon (IWD) before 2.14 allows attackers to gain unauthorized access to a protected Wi-Fi network. An attacker can complete the EAPOL handshake by skipping Msg2/4 and instead sending Msg4/4 with an all-zero key. | |||||
| CVE-2023-51708 | 1 Bentley | 2 Assetwise Alim For Transportation, Eb System Management Console | 2024-11-21 | N/A | 8.6 HIGH |
| Bentley eB System Management Console applications within Assetwise Integrity Information Server allow an unauthenticated user to view configuration options via a crafted request, leading to information disclosure. This affects eB System management Console before 23.00.02.03 and Assetwise ALIM For Transportation before 23.00.01.25. | |||||
| CVE-2023-51511 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Improper Authentication vulnerability in Pluggabl LLC Booster Elite for WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booster Elite for WooCommerce: from n/a before 7.1.3. | |||||
| CVE-2023-51484 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Improper Authentication vulnerability in wp-buy Login as User or Customer (User Switching) allows Privilege Escalation.This issue affects Login as User or Customer (User Switching): from n/a through 3.8. | |||||
| CVE-2023-51482 | 2024-11-21 | N/A | 9.9 CRITICAL | ||
| Improper Authentication vulnerability in EazyPlugins Eazy Plugin Manager allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Eazy Plugin Manager: from n/a through 4.1.2. | |||||
| CVE-2023-51477 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Improper Authentication vulnerability in BUDDYBOSS DMCC BuddyBoss Theme allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BuddyBoss Theme: from n/a through 2.4.60. | |||||
| CVE-2023-51472 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Improper Authentication vulnerability in Mestres do WP Checkout Mestres WP allows Privilege Escalation.This issue affects Checkout Mestres WP: from n/a through 7.1.9.7. | |||||
| CVE-2023-51471 | 2024-11-21 | N/A | 8.2 HIGH | ||
| Improper Authentication vulnerability in Mestres do WP Checkout Mestres WP allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Checkout Mestres WP: from n/a through 7.1.9.7. | |||||
| CVE-2023-51442 | 1 Navidrome | 1 Navidrome | 2024-11-21 | N/A | 8.6 HIGH |
| Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed with the key "not so secret". The vulnerability can only be exploited on instances that have never been restarted. Navidrome supports an extension to the subsonic authentication scheme, where a JWT can be provided using a `jwt` query parameter instead of the traditional password or token and salt (corresponding to resp. the `p` or `t` and `s` query parameters). This authentication bypass vulnerability potentially affects all instances that don't protect the subsonic endpoint `/rest/`, which is expected to be most instances in a standard deployment, and most instances in the reverse proxy setup too (as the documentation mentions to leave that endpoint unprotected). This issue has been patched in version 0.50.2. | |||||
| CVE-2023-50934 | 1 Ibm | 1 Powersc | 2024-11-21 | N/A | 5.3 MEDIUM |
| IBM PowerSC 1.3, 2.0, and 2.1 uses single-factor authentication which can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. IBM X-Force ID: 275114. | |||||
| CVE-2023-50714 | 1 Yiiframework | 1 Yii2-authclient | 2024-11-21 | N/A | 6.8 MEDIUM |
| yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the `authCodeVerifier` should be removed after usage (similar to `authState`). Second, there is a risk for a `downgrade attack` if PKCE is being relied on for CSRF protection. Version 2.2.15 contains a patch for the issue. No known workarounds are available. | |||||