Total
433 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-45586 | 1 Fortinet | 2 Fortios, Fortiproxy | 2024-08-02 | 4.7 Medium |
| An insufficient verification of data authenticity vulnerability [CWE-345] in Fortinet FortiOS SSL-VPN tunnel mode version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.7 and before 7.0.12 & FortiProxy SSL-VPN tunnel mode version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.7 and before 7.0.13 allows an authenticated VPN user to send (but not receive) packets spoofing the IP of another user via crafted network packets. | ||||
| CVE-2023-45292 | 1 Mojotv | 1 Base64captcha | 2024-08-02 | 5.3 Medium |
| When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to be correct. | ||||
| CVE-2023-44402 | 1 Electronjs | 1 Electron | 2024-08-02 | 6.1 Medium |
| Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `.app` bundle on macOS which these fuses are supposed to protect against. There are no app side workarounds, you must update to a patched version of Electron. | ||||
| CVE-2023-42816 | 1 Nirmata | 1 Kyverno | 2024-08-02 | 6.1 Medium |
| Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild. | ||||
| CVE-2023-38552 | 3 Fedoraproject, Nodejs, Redhat | 3 Fedora, Node.js, Enterprise Linux | 2024-08-02 | 7.5 High |
| When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. | ||||
| CVE-2023-32993 | 1 Jenkins | 1 Saml Single Sign On | 2024-08-02 | 4.8 Medium |
| Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections. | ||||
| CVE-2023-32212 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Thunderbird and 5 more | 2024-08-02 | 4.3 Medium |
| An attacker could have positioned a <code>datalist</code> element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. | ||||
| CVE-2023-31502 | 1 Apsystems | 3 Alternergy Power Control Software, Ecu-c, Ecu-r | 2024-08-02 | 7.2 High |
| Altenergy Power Control Software C1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the component /models/management_model.php. | ||||
| CVE-2023-30759 | 1 Ricoh | 1 Printer Driver Packager Nx | 2024-08-02 | 7.8 High |
| The driver installation package created by Printer Driver Packager NX v1.0.02 to v1.1.25 fails to detect its modification and may spawn an unexpected process with the administrative privilege. If a non-administrative user modifies the driver installation package and runs it on the target PC, an arbitrary program may be executed with the administrative privilege. | ||||
| CVE-2023-30559 | 1 Bd | 2 Alaris 8015 Pcu, Alaris 8015 Pcu Firmware | 2024-08-02 | 5.2 Medium |
| The firmware update package for the wireless card is not properly signed and can be modified. | ||||
| CVE-2023-28863 | 1 Ami | 1 Megarac Sp-x | 2024-08-02 | 9.1 Critical |
| AMI MegaRAC SPx12 and SPx13 devices have Insufficient Verification of Data Authenticity. | ||||
| CVE-2023-28386 | 2 Control4, Snapone | 13 Ca-1, Ca-10, Ea-1 and 10 more | 2024-08-02 | 8.6 High |
| Snap One OvrC Pro devices versions 7.2 and prior do not validate firmware updates correctly. The device only calculates the MD5 hash of the firmware and does not check using a private-public key mechanism. The lack of complete PKI system firmware signature could allow attackers to upload arbitrary firmware updates, resulting in code execution. | ||||
| CVE-2023-27982 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2024-08-02 | 8.8 High |
| A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead to remote code execution when a victim eventually opens a malicious dashboard file. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | ||||
| CVE-2023-27979 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2024-08-02 | 6.5 Medium |
| A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS project report directory, this could lead to denial of service when an attacker sends specific crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | ||||
| CVE-2023-27977 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2024-08-02 | 6.5 Medium |
| A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause access to delete files in the IGSS project report directory, this could lead to loss of data when an attacker sends specific crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | ||||
| CVE-2023-27748 | 1 Blackvue | 4 Dr750-2ch Ir Lte, Dr750-2ch Ir Lte Firmware, Dr750-2ch Lte and 1 more | 2024-08-02 | 9.8 Critical |
| BlackVue DR750-2CH LTE v.1.012_2022.10.26 does not employ authenticity check for uploaded firmware. This can allow attackers to upload crafted firmware which contains backdoors and enables arbitrary code execution. | ||||
| CVE-2023-27360 | 1 Netgear | 1 Rax30 Firmware | 2024-08-02 | N/A |
| NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the lighttpd HTTP server. The issue results from allowing execution of files from untrusted sources. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19398. | ||||
| CVE-2023-26481 | 1 Goauthentik | 1 Authentik | 2024-08-02 | 9.1 Critical |
| authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage to skip it when the flow is restored (by checking `request.context['is_restored']`), the flow is not affected by this. With this flow in place, an administrator must create a recovery Link or send a recovery URL to the attacker, who can, due to the improper validation of the token create, set the password for any account. Regardless, for custom recovery flows it is recommended to add a policy that checks if the flow is restored, and skips the identification stage. This issue has been fixed in versions 2023.2.3, 2023.1.3 and 2022.12.2. | ||||
| CVE-2023-26467 | 1 Pega | 1 Synchronization Engine | 2024-08-02 | 5.4 Medium |
| A man in the middle can redirect traffic to a malicious server in a compromised configuration. | ||||
| CVE-2023-25178 | 1 Honeywell | 2 C300, C300 Firmware | 2024-08-02 | 9.8 Critical |
| Controller may be loaded with malicious firmware which could enable remote code execution. See Honeywell Security Notification for recommendations on upgrading and versioning. | ||||