Total
10626 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-48223 | 1 Nearform | 1 Fast-jwt | 2023-11-29 | N/A | 5.9 MEDIUM |
| fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to version 3.3.2, the fast-jwt library does not properly prevent JWT algorithm confusion for all public key types. The 'publicKeyPemMatcher' in 'fast-jwt/src/crypto.js' does not properly match all common PEM formats for public keys. To exploit this vulnerability, an attacker needs to craft a malicious JWT token containing the HS256 algorithm, signed with the public RSA key of the victim application. This attack will only work if the victim application utilizes a public key containing the `BEGIN RSA PUBLIC KEY` header. Applications using the RS256 algorithm, a public key with a `BEGIN RSA PUBLIC KEY` header, and calling the verify function without explicitly providing an algorithm, are vulnerable to this algorithm confusion attack which allows attackers to sign arbitrary payloads which will be accepted by the verifier. Version 3.3.2 contains a patch for this issue. As a workaround, change line 29 of `blob/master/src/crypto.js` to include a regular expression. | |||||
| CVE-2023-32469 | 1 Dell | 6 Precision 5820, Precision 5820 Firmware, Precision 7820 and 3 more | 2023-11-29 | N/A | 6.7 MEDIUM |
| Dell Precision Tower BIOS contains an Improper Input Validation vulnerability. A locally authenticated malicious user with admin privileges could potentially exploit this vulnerability to perform arbitrary code execution. | |||||
| CVE-2023-27519 | 1 Intel | 10 Optane Memory H20 With Solid State Storage, Optane Memory H20 With Solid State Storage Firmware, Optane Ssd 900p and 7 more | 2023-11-29 | N/A | 7.8 HIGH |
| Improper input validation in firmware for some Intel(R) Optane(TM) SSD products may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-48310 | 1 Nc3 | 1 Testing Platform | 2023-11-29 | N/A | 7.5 HIGH |
| TestingPlatform is a testing platform for Internet Security Standards. Prior to version 2.1.1, user input is not filtered correctly. Nmap options are accepted. In this particular case, the option to create log files is accepted in addition to a host name (and even without). A log file is created at the location specified. These files are created as root. If the file exists, the existing file is being rendered useless. This can result in denial of service. Additionally, input for scanning can be any CIDR blocks passed to nmap. An attacker can scan 0.0.0.0/0 or even local networks. Version 2.1.1 contains a patch for this issue. | |||||
| CVE-2023-48226 | 1 Openreplay | 1 Openreplay | 2023-11-29 | N/A | 3.5 LOW |
| OpenReplay is a self-hosted session replay suite. In version 1.14.0, due to lack of validation Name field - Account Settings (for registration looks like validation is correct), a bad actor can send emails with HTML injected code to the victims. Bad actors can use this to phishing actions for example. Email is really send from OpenReplay, but bad actors can add there HTML code injected (content spoofing). Please notice that during Registration steps for FullName looks like is validated correct - can not type there, but using this kind of bypass/workaround - bad actors can achieve own goal. As of time of publication, no known fixes or workarounds are available. | |||||
| CVE-2009-4491 | 1 Acme | 1 Thttpd | 2023-11-28 | 5.0 MEDIUM | N/A |
| thttpd 2.25b0 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. | |||||
| CVE-2023-0139 | 2 Google, Microsoft | 2 Chrome, Windows | 2023-11-25 | N/A | 6.5 MEDIUM |
| Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 109.0.5414.74 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Low) | |||||
| CVE-2022-4186 | 1 Google | 1 Chrome | 2023-11-25 | N/A | 4.3 MEDIUM |
| Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2022-3201 | 3 Debian, Fedoraproject, Google | 4 Debian Linux, Fedora, Chrome and 1 more | 2023-11-25 | N/A | 5.4 MEDIUM |
| Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2023-40314 | 1 Opennms | 2 Horizon, Meridian | 2023-11-25 | N/A | 6.1 MEDIUM |
| Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Moshe Apelbaum for reporting this issue. | |||||
| CVE-2023-26364 | 1 Adobe | 1 Css-tools | 2023-11-24 | N/A | 5.3 MEDIUM |
| @adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a minor denial of service while attempting to parse CSS. Exploitation of this issue does not require user interaction or privileges. | |||||
| CVE-2023-44355 | 1 Adobe | 1 Coldfusion | 2023-11-22 | N/A | 4.3 MEDIUM |
| Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to impact a minor integrity feature. Exploitation of this issue does require user interaction. | |||||
| CVE-2023-5079 | 1 Lenovo | 1 Lecloud | 2023-11-22 | N/A | 7.5 HIGH |
| Lenovo LeCloud App improper input validation allows attackers to access arbitrary components and arbitrary file downloads, which could result in information disclosure. | |||||
| CVE-2023-22272 | 2 Adobe, Microsoft | 2 Robohelp Server, Windows | 2023-11-22 | N/A | 7.5 HIGH |
| Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Input Validation vulnerability that could lead to information disclosure by an unauthenticated attacker. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-39535 | 1 Ami | 1 Aptio V | 2023-11-22 | N/A | 7.8 HIGH |
| AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper input validation via the local network. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity and availability. | |||||
| CVE-2023-39536 | 1 Ami | 1 Aptio V | 2023-11-22 | N/A | 7.8 HIGH |
| AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper input validation via the local network. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity and availability. | |||||
| CVE-2023-39537 | 1 Ami | 1 Aptio V | 2023-11-22 | N/A | 7.8 HIGH |
| AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper input validation via the local network. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity and availability. | |||||
| CVE-2022-45875 | 1 Apache | 1 Dolphinscheduler | 2023-11-22 | N/A | 9.8 CRITICAL |
| Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users which can login to DS. | |||||
| CVE-2023-23549 | 1 Tribe29 | 1 Checkmk | 2023-11-21 | N/A | 2.7 LOW |
| Improper Input Validation in Checkmk <2.2.0p15, <2.1.0p37, <=2.0.0p39 allows priviledged attackers to cause partial denial of service of the UI via too long hostnames. | |||||
| CVE-2023-32641 | 1 Intel | 1 Quickassist Technology | 2023-11-21 | N/A | 8.8 HIGH |
| Improper input validation in firmware for Intel(R) QAT before version QAT20.L.1.0.40-00004 may allow escalation of privilege and denial of service via adjacent access. | |||||