Total
329 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27979 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2023-12-10 | N/A | 6.5 MEDIUM |
| A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS project report directory, this could lead to denial of service when an attacker sends specific crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | |||||
| CVE-2023-2987 | 1 Wordapp | 1 Wordapp | 2023-12-10 | N/A | 9.8 CRITICAL |
| The Wordapp plugin for WordPress is vulnerable to authorization bypass due to an use of insufficiently unique cryptographic signature on the 'wa_pdx_op_config_set' function in versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to the plugin to change the 'validation_token' in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation. | |||||
| CVE-2022-39199 | 1 Codenotary | 1 Immudb | 2023-12-10 | N/A | 5.9 MEDIUM |
| immudb is a database with built-in cryptographic proof and verification. immudb client SDKs use server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. SDK does not validate this uuid and can accept any value reported by the server. A malicious server can change the reported UUID tricking the client to treat it as a different server thus accepting a state completely irrelevant to the one previously retrieved from the server. This issue has been patched in version 1.4.1. As a workaround, when initializing an immudb client object a custom state handler can be used to store the state. Providing custom implementation that ignores the server UUID can be used to ensure that even if the server changes the UUID, client will still consider it to be the same server. | |||||
| CVE-2022-37928 | 1 Hpe | 18 Hf20, Hf20 Firmware, Hf20c and 15 more | 2023-12-10 | N/A | 6.5 MEDIUM |
| Insufficient Verification of Data Authenticity vulnerability in Hewlett Packard Enterprise HPE Nimble Storage Hybrid Flash Arrays and Nimble Storage Secondary Flash Arrays. | |||||
| CVE-2022-46370 | 1 Maxum | 1 Rumpus | 2023-12-10 | N/A | 7.5 HIGH |
| Rumpus - FTP server version 9.0.7.1 Improper Token Verification– vulnerability may allow bypassing identity verification. | |||||
| CVE-2023-22315 | 1 Snapav | 2 Wattbox Wb-300-ip-3, Wattbox Wb-300-ip-3 Firmware | 2023-12-10 | N/A | 7.8 HIGH |
| Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior use a proprietary local area network (LAN) protocol that does not verify updates to the device. An attacker could upload a malformed update file to the device and execute arbitrary code. | |||||
| CVE-2022-36111 | 1 Codenotary | 1 Immudb | 2023-12-10 | N/A | 5.3 MEDIUM |
| immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1. | |||||
| CVE-2022-41156 | 2 Etm-s, Microsoft | 2 Ondiskplayeragent, Windows | 2023-12-10 | N/A | 7.8 HIGH |
| Remote code execution vulnerability due to insufficient verification of URLs, etc. in OndiskPlayerAgent. A remote attacker could exploit the vulnerability to cause remote code execution by causing an arbitrary user to download and execute malicious code. | |||||
| CVE-2022-23491 | 1 Certifi Project | 1 Certifi | 2023-12-10 | N/A | 7.5 HIGH |
| Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion. | |||||
| CVE-2021-26396 | 1 Amd | 48 Epyc 7003, Epyc 7003 Firmware, Epyc 72f3 and 45 more | 2023-12-10 | N/A | 4.4 MEDIUM |
| Insufficient validation of address mapping to IO in ASP (AMD Secure Processor) may result in a loss of memory integrity in the SNP guest. | |||||
| CVE-2022-3346 | 1 Go-resolver Project | 1 Go-resolver | 2023-12-10 | N/A | 6.5 MEDIUM |
| DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain. | |||||
| CVE-2022-39909 | 1 Samsung | 1 Gear Iconx Pc Manager | 2023-12-10 | N/A | 5.5 MEDIUM |
| Insufficient verification of data authenticity vulnerability in Samsung Gear IconX PC Manager prior to version 2.1.221019.51 allows local attackers to create arbitrary file using symbolic link. | |||||
| CVE-2022-23556 | 1 Codeigniter | 1 Codeigniter | 2023-12-10 | N/A | 7.5 HIGH |
| CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their IP address when the server is behind a reverse proxy. This issue has been patched, please upgrade to version 4.2.11 or later, and configure `Config\App::$proxyIPs`. As a workaround, do not use `$request->getIPAddress()`. | |||||
| CVE-2022-41960 | 1 Bigbluebutton | 1 Bigbluebutton | 2023-12-10 | N/A | 4.3 MEDIUM |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds. | |||||
| CVE-2022-31877 | 1 Msi | 1 Center | 2023-12-10 | N/A | 8.8 HIGH |
| An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet. | |||||
| CVE-2023-26481 | 1 Goauthentik | 1 Authentik | 2023-12-10 | N/A | 6.5 MEDIUM |
| authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage to skip it when the flow is restored (by checking `request.context['is_restored']`), the flow is not affected by this. With this flow in place, an administrator must create a recovery Link or send a recovery URL to the attacker, who can, due to the improper validation of the token create, set the password for any account. Regardless, for custom recovery flows it is recommended to add a policy that checks if the flow is restored, and skips the identification stage. This issue has been fixed in versions 2023.2.3, 2023.1.3 and 2022.12.2. | |||||
| CVE-2023-21441 | 1 Samsung | 1 Android | 2023-12-10 | N/A | 5.5 MEDIUM |
| Insufficient Verification of Data Authenticity vulnerability in Routine prior to versions 2.6.30.6 in Android Q(10), 3.1.21.10 in Android R(11) and 3.5.2.23 in Android S(12) allows local attacker to access protected files via unused code. | |||||
| CVE-2022-41961 | 1 Bigbluebutton | 1 Bigbluebutton | 2023-12-10 | N/A | 4.3 MEDIUM |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds. | |||||
| CVE-2023-0350 | 1 Akuvox | 2 E11, E11 Firmware | 2023-12-10 | N/A | 6.5 MEDIUM |
| Akuvox E11 does not ensure that a file extension is associated with the file provided. This could allow an attacker to upload a file to the device by changing the extension of a malicious file to an accepted file type. | |||||
| CVE-2022-3347 | 1 Go-resolver Project | 1 Go-resolver | 2023-12-10 | N/A | 7.5 HIGH |
| DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain. | |||||