Total: 29527 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-46245 | 1 Kimai | 1 Kimai | 2024-01-12 | N/A | 7.2 HIGH | Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionality. Version 2.1.0 enables security measures for custom Twig templates. |
| CVE-2023-46813 | 1 Linux | 1 Linux Kernel | 2024-01-11 | N/A | 7.0 HIGH | An issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it. |
| CVE-2023-51074 | 1 Json-path | 1 Jayway Jsonpath | 2024-01-11 | N/A | 5.3 MEDIUM | json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method. |
| CVE-2024-20802 | 1 Samsung | 1 Dex | 2024-01-10 | N/A | 5.5 MEDIUM | Improper access control vulnerability in Samsung DeX prior to SMR Jan-2024 Release 1 allows the owner to access other users' notifications in a multi-user environment. |
| CVE-2024-20806 | 1 Samsung | 1 Android | 2024-01-10 | N/A | 5.5 MEDIUM | Improper access control in Notification service prior to SMR Jan-2024 Release 1 allows a local attacker to access notification data. |
| CVE-2024-20808 | 1 Samsung | 1 Nearby Device Scanning | 2024-01-10 | N/A | 5.5 MEDIUM | Improper access control vulnerability in Nearby device scanning prior to version 11.1.14.7 allows a local attacker to access data. |
| CVE-2024-20809 | 1 Samsung | 1 Nearby Device Scanning | 2024-01-10 | N/A | 5.5 MEDIUM | Improper access control vulnerability in Nearby device scanning prior to version 11.1.14.7 allows a local attacker to access data. |
| CVE-2023-7102 | 1 Barracuda | 10 Email Security Gateway 300, Email Security Gateway 300 Firmware, Email Security Gateway 400 and 7 more | 2024-01-09 | N/A | 9.8 CRITICAL | Use of a third-party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection. This issue affected Barracuda ESG Appliance from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic. |
| CVE-2023-47882 | 1 Kamivision | 1 Yi Iot | 2024-01-09 | N/A | 7.1 HIGH | The Kami Vision YI IoT com.yunyi.smartcamera application through 4.1.9_20231127 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yicamera.activity.WebViewActivity component. |
| CVE-2019-18342 | 1 Siemens | 1 Control Center Server | 2024-01-09 | 7.5 HIGH | 9.9 CRITICAL | A vulnerability has been identified in Control Center Server (CCS) (all versions < V1.5.0). The SFTP service (default port 22/tcp) of the Control Center Server (CCS) does not properly limit its capabilities to the specified purpose. In conjunction with CVE-2019-18341, an unauthenticated remote attacker with network access to the CCS server could exploit this vulnerability to read or delete arbitrary files, or access other resources on the same server. |
| CVE-2023-50333 | 1 Mattermost | 1 Mattermost Server | 2024-01-08 | N/A | 4.3 MEDIUM | Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names. |
| CVE-2023-47858 | 1 Mattermost | 1 Mattermost Server | 2024-01-08 | N/A | 4.3 MEDIUM | Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the `GET /api/v4/teams/<team-id>/channels/deleted` endpoint. |
| CVE-2023-39909 | 1 Ericsson | 1 Network Manager | 2024-01-08 | N/A | 8.8 HIGH | Ericsson Network Manager before 23.2 mishandles access control, and thus unauthenticated low-privilege users can access the NCM application. |
| CVE-2023-50708 | 1 Yiiframework | 1 Yii2-authclient | 2024-01-08 | N/A | 9.8 CRITICAL | yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenID Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the OAuth1/2 `state` and OpenID Connect `nonce` are vulnerable to a timing attack, since they are compared via regular string comparison (instead of `Yii::$app->getSecurity()->compareString()`). Version 2.2.15 contains a patch for the issue. No known workarounds are available. |
| CVE-2023-31293 | 1 Sesami | 1 Cash Point & Transport Optimizer | 2024-01-08 | N/A | 4.3 MEDIUM | An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) 6.3.8.6 (#718) that allows remote attackers to obtain sensitive information and bypass profile restrictions via improper access control in the Reader system user's web browser, allowing the journal to be displayed despite the option being disabled. |
| CVE-2023-50559 | 1 Openxiangshan | 1 Xiangshan | 2024-01-05 | N/A | 5.5 MEDIUM | An issue was discovered in XiangShan v2.1 that allows local attackers to obtain sensitive information via the L1D cache. |
| CVE-2023-23570 | 1 Gallagher | 1 Command Centre | 2024-01-05 | N/A | 8.1 HIGH | Client-side enforcement of server-side security for the Command Centre server could be bypassed and lead to invalid configuration with undefined behavior. This issue affects: Gallagher Command Centre 8.90 prior to vEL8.90.1620 (MR2), all versions of 8.80 and prior. |
| CVE-2023-23576 | 1 Gallagher | 1 Command Centre | 2024-01-05 | N/A | 4.3 MEDIUM | Incorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision. This issue affects: Gallagher Command Centre 8.90 prior to vEL8.90.1620 (MR2), 8.80 prior to vEL8.80.1369 (MR3), 8.70 prior to vEL8.70.2375 (MR5), 8.60 prior to vEL8.60.2550 (MR7), all versions of 8.50 and prior. |
| CVE-2023-50332 | 1 Weseek | 1 Growi | 2024-01-05 | N/A | 6.5 MEDIUM | An improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this vulnerability is exploited, a user may delete or suspend their own account without intending to. |
| CVE-2023-49002 | 1 Xenomtechnologies | 1 Phone Dialer-voice Call Dialer | 2024-01-05 | N/A | 7.5 HIGH | An issue in Xenom Technologies (sinous) Phone Dialer-voice Call Dialer v.1.2.5 allows an attacker to bypass intended access restrictions via interaction with com.funprime.calldialer.ui.activities.OutgoingActivity. |
