Total
29 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-46098 | 1 Siemens | 1 Simatic Pcs Neo | 2024-08-02 | 8 High |
| A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). When accessing the Information Server from affected products, the products use an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior. | ||||
| CVE-2023-45213 | 1 Westermo | 2 L206-f2g, L206-f2g Firmware | 2024-08-02 | 6.6 Medium |
| A potential attacker with access to the Westermo Lynx device would be able to execute malicious code that could affect the correct functioning of the device. | ||||
| CVE-2023-38572 | 2 Apple, Redhat | 7 Ipados, Iphone Os, Macos and 4 more | 2024-08-02 | 7.5 High |
| The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. A website may be able to bypass Same Origin Policy. | ||||
| CVE-2023-38125 | 2024-08-02 | N/A | ||
| Softing edgeAggregator Permissive Cross-domain Policy with Untrusted Domains Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Softing edgeAggregator. Authentication is required to exploit this vulnerability. The specific flaw exists within the configuration of the web server. The issue results from the lack of appropriate Content Security Policy headers. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-20542. | ||||
| CVE-2023-38122 | 2024-08-02 | N/A | ||
| Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the web server. The issue results from the lack of appropriate Content Security Policy headers. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-20539. | ||||
| CVE-2023-37526 | 2024-08-02 | 6.5 Medium | ||
| HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning attacks. | ||||
| CVE-2023-2360 | 1 Acronis | 1 Cyber Infrastructure | 2024-08-02 | 7.5 High |
| Sensitive information disclosure due to CORS misconfiguration. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.2.0-135. | ||||
| CVE-2024-37131 | 2024-08-02 | 7.5 High | ||
| SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of malicious actions on the application in the context of the authenticated user. | ||||
| CVE-2024-23823 | 2024-08-01 | 4.2 Medium | ||
| vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies. This issue has been addressed in commit `70bb4e1d8` and is expected to ship in subsequent releases. Users are advised to upgrade as soon as a new release is available. There are no known workarounds for this vulnerability. | ||||