Total: 3408 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46327 | 2 Fujifilm, Xerox | 186 Apeos 2560, Apeos 2560 Firmware, Apeos 2560 Gk and 183 more | 2023-11-09 | N/A | 5.9 MEDIUM |
| Multiple MFPs (multifunction printers) provided by FUJIFILM Business Innovation Corp. and Xerox Corporation provide a facility to export the contents of their Address Book in encrypted form, but the encryption strength is insufficient. With knowledge of the encryption process and the encryption key, information such as server credentials may be obtained from the exported Address Book data. For details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | |||||
| CVE-2021-45036 | 1 Velneo | 1 Vclient | 2023-11-09 | N/A | 7.4 HIGH |
| Velneo vClient version 28.1.3 could allow an attacker with knowledge of the victim's username and hashed password to spoof the victim's identity to the server. | |||||
| CVE-2023-5627 | 1 Moxa | 54 Nport 6150, Nport 6150-t, Nport 6150-t Firmware and 51 more | 2023-11-09 | N/A | 7.5 HIGH |
| A vulnerability has been identified in the NPort 6000 Series that weakens its authentication mechanism. It arises from an incorrect implementation of sensitive-information protection and could allow malicious users to gain unauthorized access to the web service. | |||||
| CVE-2022-43620 | 1 Dlink | 2 Dir-1935, Dir-1935 Firmware | 2023-11-08 | N/A | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-1935 1.03 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-16142. | |||||
| CVE-2015-1187 | 2 Dlink, Trendnet | 30 Dir-626l, Dir-626l Firmware, Dir-636l and 27 more | 2023-11-08 | 10.0 HIGH | 9.8 CRITICAL |
| The ping tool in multiple D-Link and TRENDnet devices allows remote attackers to execute arbitrary code via the ping_addr parameter to ping.ccp. | |||||
| CVE-2023-46249 | 1 Goauthentik | 1 Authentik | 2023-11-08 | N/A | 9.8 CRITICAL |
| authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin user's password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. authentik 2023.8.4 and 2023.10.2 fix this issue. As a workaround, ensure the default admin user (username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user and to store it in a secure location such as a password manager. It is also possible to deactivate the user to prevent any logins as akadmin. | |||||
| CVE-2022-3681 | 1 Motorola | 1 Mr2600 | 2023-11-07 | N/A | 6.5 MEDIUM |
| A vulnerability has been identified in the MR2600 router v1.0.18 and earlier that could allow an attacker within range of the wireless network to brute-force the WPS PIN, potentially gaining unauthorized access to the wireless network. | |||||
| CVE-2023-46290 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2023-11-07 | N/A | 8.1 HIGH |
| Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in to FactoryTalk® Services Platform. This vulnerability can only be exploited if the authorized user did not previously log in to the FactoryTalk® Services Platform web service. | |||||
| CVE-2022-34887 | 1 Lenovo | 6 G263dns, G263dns Firmware, Gm265dn and 3 more | 2023-11-07 | N/A | 5.4 MEDIUM |
| Standard users can directly operate and set printer configuration information, such as the IP address, in some Lenovo printers without having to authenticate with the administrator password. | |||||
| CVE-2023-4939 | 1 Salesmanago | 1 Salesmanago | 2023-11-07 | N/A | 5.3 MEDIUM |
| The SALESmanago plugin for WordPress is vulnerable to Log Injection in versions up to, and including, 3.2.4. This is due to the use of a weak authentication token for the /wp-json/salesmanago/v1/callbackApiV3 API endpoint which is simply a SHA1 hash of the site URL and client ID found in the page source of the website. This makes it possible for unauthenticated attackers to inject arbitrary content into the log files, and when combined with another vulnerability this could have significant consequences. | |||||
| CVE-2023-4498 | 1 Tenda | 2 N300, N300 Firmware | 2023-11-07 | N/A | 5.3 MEDIUM |
| Tenda N300 Wireless N VDSL2 Modem Router allows unauthenticated access to pages that should be accessible to authenticated users only. | |||||
| CVE-2023-33563 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-11-07 | N/A | 8.8 HIGH |
| In PHP Jabbers Time Slots Booking Calendar 3.3, lack of verification when changing an email address and/or password (on the Profile Page) allows remote attackers to take over accounts. | |||||
| CVE-2023-30967 | 1 Palantir | 1 Orbital Simulator | 2023-11-07 | N/A | 7.5 HIGH |
| Gotham Orbital-Simulator service prior to 0.692.0 was found to be vulnerable to a path traversal issue allowing an unauthenticated user to read arbitrary files on the file system. | |||||
| CVE-2023-30945 | 1 Palantir | 3 Clips2, Video Clip Distributor, Video History Service | 2023-11-07 | N/A | 9.8 CRITICAL |
| Multiple services, such as VHS (Video History Server), VCD (Video Clip Distributor) and Clips2, were discovered to be vulnerable to an unauthenticated arbitrary file read/write vulnerability due to missing input validation on filenames. A malicious attacker could read sensitive files from the filesystem or write/delete arbitrary files on the filesystem. | |||||
| CVE-2023-30725 | 1 Samsung | 1 Gallery | 2023-11-07 | N/A | 5.5 MEDIUM |
| Improper authentication in LocalProvier of Gallery prior to version 14.5.01.2 allows an attacker to access the data in the content provider. | |||||
| CVE-2023-30724 | 1 Samsung | 1 Gallery | 2023-11-07 | N/A | 3.3 LOW |
| Improper authentication in GallerySearchProvider of Gallery prior to version 14.5.01.2 allows an attacker to access search history. | |||||
| CVE-2023-30708 | 1 Samsung | 1 Android | 2023-11-07 | N/A | 7.5 HIGH |
| Improper authentication in SecSettings prior to SMR Sep-2023 Release 1 allows an attacker to access Captive Portal Wi-Fi while the device is in Reactivation Lock status. | |||||
| CVE-2023-30675 | 1 Samsung | 1 Pass | 2023-11-07 | N/A | 5.5 MEDIUM |
| Improper authentication in Samsung Pass prior to version 4.2.03.1 allows a local attacker to access stored account information when Samsung Wallet is not installed. | |||||
| CVE-2023-2706 | 1 Xootix | 1 Otp Login Woocommerce & Gravity Forms | 2023-11-07 | N/A | 8.1 HIGH |
| The OTP Login Woocommerce & Gravity Forms plugin for WordPress is vulnerable to authentication bypass. When generating OTP codes for users to log in via phone number, the plugin returns these codes in an AJAX response. This makes it possible for unauthenticated attackers to obtain login codes for administrators. This does require that an attacker have access to the phone number configured for an account, which can be obtained via social engineering or reconnaissance. | |||||
| CVE-2023-2499 | 1 Metagauss | 1 Registrationmagic | 2023-11-07 | N/A | 9.8 CRITICAL |
| The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.2.1.0. This is due to insufficient verification of the user supplied during a Google social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to that user's email address. | |||||
