Total
646 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-3299 | 1 Hashicorp | 1 Nomad | 2024-08-02 | 3.4 Low |
| HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11. | ||||
| CVE-2023-3270 | 1 Sick | 2 Icr890-4, Icr890-4 Firmware | 2024-08-02 | 8.6 High |
| Exposure of Sensitive Information to an Unauthorized Actor in the SICK ICR890-4 could allow an unauthenticated remote attacker to retrieve sensitive information about the system. | ||||
| CVE-2023-2916 | 1 Revmakx | 1 Infinitewp Client | 2024-08-02 | 7.5 High |
| The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges. | ||||
| CVE-2023-2820 | 1 Proofpoint | 1 Threat Response Auto Pull | 2024-08-02 | 6.1 Medium |
| An information disclosure vulnerability in the faye endpoint in Proofpoint Threat Response / Threat Response Auto-Pull (PTR/TRAP) could be used by an attacker on an adjacent network to obtain credentials to integrated services via a man-in-the-middle position or cryptanalysis of the session traffic. An attacker could use these credentials to impersonate PTR/TRAP to these services. All versions prior to 5.10.0 are affected. | ||||
| CVE-2023-2703 | 1 Finexmedia | 1 Competition Management System | 2024-08-02 | 7.5 High |
| Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Finex Media Competition Management System allows Retrieve Embedded Sensitive Data, Collect Data as Provided by Users.This issue affects Competition Management System: before 23.07. | ||||
| CVE-2023-2622 | 1 Hitachienergy | 1 Modular Advanced Control For Hvdc | 2024-08-02 | 2.7 Low |
| Authenticated clients can read arbitrary files on the MAIN Computer system using the remote procedure call (RPC) of the InspectSetup service endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read. | ||||
| CVE-2023-2062 | 1 Mitsubishielectric | 8 Fx5-enet\/ip, Fx5-enet\/ip Firmware, Rj71eip91 and 5 more | 2024-08-02 | 6.2 Medium |
| Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP. | ||||
| CVE-2023-2069 | 1 Gitlab | 1 Gitlab | 2024-08-02 | 6.4 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. A user with the role of developer could use the import project feature to leak CI/CD variables. | ||||
| CVE-2023-2025 | 1 Johnsoncontrols | 1 Openblue Enterprise Manager Data Collector | 2024-08-02 | 5 Medium |
| OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 may expose sensitive information to an unauthorized user under certain circumstances. | ||||
| CVE-2023-1825 | 1 Gitlab | 1 Gitlab | 2024-08-02 | 3.1 Low |
| An issue has been discovered in GitLab EE affecting all versions starting from 15.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. It was possible to disclose issue notes to an unauthorized user at project export. | ||||
| CVE-2023-1775 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 4.3 Medium |
| When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. | ||||
| CVE-2023-1777 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 6.5 Medium |
| Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message. | ||||
| CVE-2023-1562 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 3.5 Low |
| Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner. | ||||
| CVE-2023-1402 | 1 Moodle | 1 Moodle | 2024-08-02 | 4.3 Medium |
| The course participation report required additional checks to prevent roles being displayed which the user did not have access to view. | ||||
| CVE-2023-0485 | 1 Gitlab | 1 Gitlab | 2024-08-02 | 6.5 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 13.11 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible that a project member demoted to a user role to read project updates by doing a diff with a pre-existing fork. | ||||
| CVE-2023-0481 | 2 Quarkus, Redhat | 2 Quarkus, Quarkus | 2024-08-02 | 3.3 Low |
| In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user. | ||||
| CVE-2024-39553 | 1 Juniper | 1 Junos Os Evolved | 2024-08-02 | 6.5 Medium |
| An Exposure of Resource to Wrong Sphere vulnerability in the sampling service of Juniper Networks Junos OS Evolved allows an unauthenticated network-based attacker to send arbitrary data to the device, which leads msvcsd process to crash with limited availability impacting Denial of Service (DoS) and allows unauthorized network access to the device, potentially impacting system integrity. This issue only happens when inline jflow is configured. This does not impact any forwarding traffic. The impacted services MSVCS-DB app crashes momentarily and recovers by itself. This issue affects Juniper Networks Junos OS Evolved: * 21.4 versions earlier than 21.4R3-S7-EVO; * 22.2 versions earlier than 22.2R3-S3-EVO; * 22.3 versions earlier than 22.3R3-S2-EVO; * 22.4 versions earlier than 22.4R3-EVO; * 23.2 versions earlier than 23.2R1-S2-EVO, 23.2R2-EVO. | ||||
| CVE-2024-35183 | 2024-08-02 | 4.4 Medium | ||
| wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than `github.com`. Most git-dependent functionality in wolfictl relies on its own `git` package, which contains centralized logic for implementing interactions with git repositories. Some of this functionality requires authentication in order to access private repositories. A central function `GetGitAuth` looks for a GitHub token in the environment variable `GITHUB_TOKEN` and returns it as an HTTP basic auth object to be used with the `github.com/go-git/go-git/v5` library. Most callers (direct or indirect) of `GetGitAuth` use the token to authenticate to github.com only; however, in some cases callers were passing this authentication without checking that the remote git repository was hosted on github.com. This behavior has existed in one form or another since commit 0d06e1578300327c212dda26a5ab31d09352b9d0 - committed January 25, 2023. This impacts anyone who ran the `wolfictl check update` commands with a Melange configuration that included a `git-checkout` directive step that referenced a git repository not hosted on github.com. This also impacts anyone who ran `wolfictl update <url>` with a remote URL outside of github.com. Additionally, these subcommands must have run with the `GITHUB_TOKEN` environment variable set to a valid GitHub token. Users should upgrade to version 0.16.10 to receive a patch. | ||||
| CVE-2024-29905 | 2024-08-02 | 8.1 High | ||
| DIRAC is an interware, meaning a software framework for distributed computing. Prior to version 8.0.41, during the proxy generation process (e.g., when using `dirac-proxy-init`), it is possible for unauthorized users on the same machine to gain read access to the proxy. This allows the user to then perform any action that is possible with the original proxy. This vulnerability only exists for a short period of time (sub-millsecond) during the generation process. Version 8.0.41 contains a patch for the issue. As a workaround, setting the `X509_USER_PROXY` environment variable to a path that is inside a directory that is only readable to the current user avoids the potential risk. After the file has been written, it can be safely copied to the standard location (`/tmp/x509up_uNNNN`). | ||||
| CVE-2024-27906 | 2024-08-02 | N/A | ||
| Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability | ||||