Search Results (363262 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-23063 1 Cellinx 1 Nvt Web Server 2024-11-21 7.5 High
Cellinx NVT v1.0.6.002b was discovered to contain a local file disclosure vulnerability via the component /cgi-bin/GetFileContent.cgi.
CVE-2023-22984 1 Axis 2 207w, 207w Firmware 2024-11-21 6.1 Medium
A Vulnerability was discovered in Axis 207W network camera. There is a reflected XSS vulnerability in the web administration portal, which allows an attacker to execute arbitrary JavaScript via URL.
CVE-2023-22975 1 Jflyfox 1 Jfinal Cms 2024-11-21 6.1 Medium
A cross-site scripting (XSS) vulnerability in JFinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter under /front/person/profile.html.
CVE-2023-22957 2 Audiocodes, Audiocodes Ltd 13 405hd, 405hd Firmware, 445hd and 10 more 2024-11-21 7.5 High
An issue was discovered in libac_des3.so on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of hard-coded cryptographic key, an attacker with access to backup or configuration files is able to decrypt encrypted values and retrieve sensitive information, e.g., the device root password.
CVE-2023-22956 2 Audiocodes, Audiocodes Ltd 13 405hd, 405hd Firmware, 445hd and 10 more 2024-11-21 7.5 High
An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of a hard-coded cryptographic key, an attacker is able to decrypt encrypted configuration files and retrieve sensitive information.
CVE-2023-22953 1 Expressionengine 1 Expressionengine 2024-11-21 8.8 High
In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user.
CVE-2023-22946 1 Apache 1 Spark 2024-11-21 6.4 Medium
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
CVE-2023-22888 1 Apache 1 Airflow 2024-11-21 6.5 Medium
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected
CVE-2023-22887 1 Apache 1 Airflow 2024-11-21 6.5 Medium
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected
CVE-2023-22886 1 Apache 1 Apache-airflow-providers-jdbc 2024-11-21 8.8 High
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Airflow JDBC Provider Connection’s [Connection URL] parameters had no restrictions, which made it possible to implement RCE attacks via different type JDBC drivers, obtain airflow server permission. This issue affects Apache Airflow JDBC Provider: before 4.0.0.
CVE-2023-22877 1 Ibm 1 Infosphere Information Server 2024-11-21 7 High
IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 244368.
CVE-2023-22870 2 Ibm, Linux 2 Aspera Faspex, Linux Kernel 2024-11-21 5.9 Medium
IBM Aspera Faspex 5.0.5 transmits sensitive information in cleartext which could be obtained by an attacker using man in the middle techniques. IBM X-Force ID: 244121.
CVE-2023-22848 1 Intel 1 Thunderbolt Dch Driver 2024-11-21 5.5 Medium
Improper access control in some Intel(R) Thunderbolt(TM) DCH drivers for Windows before version 88 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2023-22845 1 Openimageio 1 Openimageio 2024-11-21 7.5 High
An out-of-bounds read vulnerability exists in the TGAInput::decode_pixel() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2023-22843 1 Nozominetworks 2 Cmc, Guardian 2024-11-21 6.4 Medium
An authenticated attacker with administrative access to the web management interface can inject malicious JavaScript code inside the definition of a Threat Intelligence rule, that will be stored and can later be executed by another legitimate user viewing the details of such a rule. Via stored Cross-Site Scripting (XSS), an attacker may be able to perform unauthorized actions on behalf of legitimate users and/or gather sensitive information. JavaScript injection was possible in the contents for Yara rules, while limited HTML injection has been proven for packet and STYX rules.
CVE-2023-22835 1 Palantir 2 Foundry Frontend, Foundry Issues 2024-11-21 7.7 High
A security defect was identified that enabled a user of Foundry Issues to perform a Denial of Service attack by submitting malformed data in an Issue that caused loss of frontend functionality to all issue participants. This defect was resolved with the release of Foundry Issues 2.510.0 and Foundry Frontend 6.228.0.
CVE-2023-22834 1 Palantir 1 Contour 2024-11-21 2.7 Low
The Contour Service was not checking that users had permission to create an analysis for a given dataset. This could allow an attacker to clutter up Compass folders with extraneous analyses, that the attacker would otherwise not have permission to create.
CVE-2023-22819 1 Westerndigital 24 My Cloud Dl2100, My Cloud Dl2100 Firmware, My Cloud Dl4100 and 21 more 2024-11-21 4.9 Medium
An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.5.1-104; ibi: before 9.5.1-104; My Cloud OS 5: before 5.27.161.
CVE-2023-22818 1 Westerndigital 1 Sandisk Security Installer 2024-11-21 7.3 High
Multiple DLL Search Order Hijack vulnerabilities were addressed in the SanDisk Security Installer for Windows that could allow attackers with local access to execute arbitrary code by executing the installer in the same folder as the malicious DLL. This can lead to the execution of arbitrary code with the privileges of the vulnerable application or obtain a certain level of persistence on the compromised host. 
CVE-2023-22817 1 Westerndigital 26 My Cloud Dl2100, My Cloud Dl2100 Firmware, My Cloud Dl4100 and 23 more 2024-11-21 5.5 Medium
Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104.