Search Results (10880 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2023-43067 | 1 Dell | 3 Unity Operating Environment, Unity Xt Operating Environment, Unityvsa Operating Environment | 2024-11-21 | 4.9 Medium | Dell Unity prior to 5.3 contains an XML External Entity (XXE) injection vulnerability. An XXE attack could exploit this vulnerability to disclose local files in the file system. |
| CVE-2023-42768 | 1 F5 | 19 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 16 more | 2024-11-21 | 7.2 High | When a non-admin user has been assigned an administrator role via an iControl REST PUT request and the user's role is later reverted to a non-admin role via the Configuration utility, tmsh, or iControl REST, the BIG-IP non-admin user can still have access to iControl REST admin resources. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2023-42718 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-11-21 | 5.5 Medium | In dialer, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. |
| CVE-2023-42717 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-11-21 | 7.5 High | In telephony service, there is a possible missing permission check. This could lead to remote information disclosure with no additional execution privileges needed. |
| CVE-2023-42715 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-11-21 | 5.5 Medium | In telephony service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed. |
| CVE-2023-42551 | 1 Samsung | 1 Account | 2024-11-21 | 5.5 Medium | Use of implicit intent for sensitive communication vulnerability in startTncActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary files with Samsung Account privilege. |
| CVE-2023-42549 | 1 Samsung | 1 Account | 2024-11-21 | 5.5 Medium | Use of implicit intent for sensitive communication vulnerability in startNameValidationActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary files with Samsung Account privilege. |
| CVE-2023-42547 | 1 Samsung | 1 Account | 2024-11-21 | 5.5 Medium | Use of implicit intent for sensitive communication vulnerability in startEmailValidationActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary files with Samsung Account privilege. |
| CVE-2023-42546 | 1 Samsung | 1 Account | 2024-11-21 | 5.5 Medium | Use of implicit intent for sensitive communication vulnerability in startAgreeToDisclaimerActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary files with Samsung Account privilege. |
| CVE-2023-42502 | 1 Apache | 1 Superset | 2024-11-21 | 4.8 Medium | An authenticated attacker with the update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header; users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0. |
| CVE-2023-42481 | 1 Sap | 1 Commerce Cloud | 2024-11-21 | 8.1 High | In SAP Commerce Cloud versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, and COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to unblock their user account and regain access if SAP Commerce Cloud - Composable Storefront is used as the storefront, due to weak access controls. This leads to a considerable impact on confidentiality and integrity. |
| CVE-2023-42460 | 1 Vyperlang | 1 Vyper | 2024-11-21 | 5.3 Medium | Vyper is a Pythonic Smart Contract Language for the EVM. The `_abi_decode()` function does not validate input when it is nested in an expression. Uses of `_abi_decode()` can be constructed which allow bounds checking to be bypassed, resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release `0.3.10`. Users are advised to reference pull request #3626. |
| CVE-2023-42455 | 1 Wazuh | 2 Wazuh-dashboard, Wazuh-kibana-app | 2024-11-21 | 8.8 High | Wazuh is a security detection, visibility, and compliance open source project. In versions 4.4.0 and 4.4.1, it is possible to get the Wazuh API administrator key used by the Dashboard using the browser development tools. This allows a user logged in to the dashboard to become an administrator of the API, even if their dashboard role is not administrator. Version 4.4.2 contains a fix. There are no known workarounds. |
| CVE-2023-42446 | 1 Powauth | 1 Pow | 2024-11-21 | 6.5 Medium | Pow is an authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking because expired keys are not invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period longer than the session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated. |
| CVE-2023-42441 | 1 Vyperlang | 1 Vyper | 2024-11-21 | 5.3 Medium | Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure the lock name is a non-empty string. |
| CVE-2023-42334 | 1 Fl3xx | 2 Crew, Dispatch | 2024-11-21 | 6.5 Medium | An Insecure Direct Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to escalate privileges via the user parameter. |
| CVE-2023-42132 | 1 Mhlw | 1 Fd Application | 2024-11-21 | 5.5 Medium | FD Application Apr. 2022 Edition (Version 9.01) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. |
| CVE-2023-42016 | 1 Ibm | 1 Sterling B2b Integrator | 2024-11-21 | 4.3 Medium | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user visits. The cookie will be sent to the insecure link, and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 265559. |
| CVE-2023-41936 | 1 Jenkins | 1 Google Login | 2024-11-21 | 7.5 High | Jenkins Google Login Plugin 1.7 and earlier uses a non-constant-time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token. |
| CVE-2023-41935 | 1 Jenkins | 1 Azure Ad | 2024-11-21 | 7.5 High | Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant-time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce. |