Total: 1009 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-31136 | 1 Vapor | 1 Postgresnio | 2023-12-10 | N/A | 5.9 MEDIUM | PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption. The vulnerability is addressed in PostgresNIO versions starting from 1.14.2. There are no known workarounds for unpatched users. |
CVE-2023-25495 | 1 Lenovo | 218 Thinkagile Hx1021, Thinkagile Hx1021 Firmware, Thinkagile Hx1320 and 215 more | 2023-12-10 | N/A | 4.9 MEDIUM | A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured. |
CVE-2023-29168 | 1 Ptc | 1 Vuforia Studio | 2023-12-10 | N/A | 7.5 HIGH | The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication. |
CVE-2023-25760 | 1 Uniguest | 1 Tripleplay | 2023-12-10 | N/A | 8.8 HIGH | Incorrect Access Control in Tripleplay Platform releases prior to Caveman 3.4.0 allows an authenticated user to modify other users' passwords via a crafted request payload. |
CVE-2023-2632 | 1 Jenkins | 1 Code Dx | 2023-12-10 | N/A | 4.3 MEDIUM | Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. |
CVE-2023-31187 | 1 Avaya | 1 Ix Workforce Engagement | 2023-12-10 | N/A | 6.5 MEDIUM | Avaya IX Workforce Engagement v15.2.7.1195 - CWE-522: Insufficiently Protected Credentials. |
CVE-2023-2335 | 1 42gears | 1 Surelock | 2023-12-10 | N/A | 7.5 HIGH | Plaintext Password in Registry vulnerability in 42gears SureLock Windows surelockwinsetupv2.40.0.Exe on Windows (Registry modules) allows retrieval of Admin user credentials. This issue affects SureLock Windows: from 2.3.12 through 2.40.0. |
CVE-2023-36476 | 1 Nixos | 1 Calamares-nixos-extensions | 2023-12-10 | N/A | 5.5 MEDIUM | calamares-nixos-extensions provides Calamares branding and modules for NixOS, a distribution of GNU/Linux. Users of calamares-nixos-extensions version 0.3.12 and prior who installed NixOS through the graphical Calamares installer, with an unencrypted `/boot`, on either non-UEFI systems or with a LUKS partition different from `/`, have their LUKS key file in `/boot` as a plaintext CPIO archive attached to their NixOS initrd. A patch is available and anticipated to be part of version 0.3.13, to be backported to the NixOS 22.11, 23.05, and unstable channels. Expert users who have a copy of their data may, as a workaround, re-encrypt the LUKS partition(s) themselves. |
CVE-2022-45859 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2023-12-10 | N/A | 4.4 MEDIUM | An insufficiently protected credentials vulnerability [CWE-522] in FortiNAC-F 7.2.0, FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.0 all versions, 8.7.0 all versions may allow a local attacker with system access to retrieve users' passwords. |
CVE-2023-28090 | 1 Hp | 1 Oneview | 2023-12-10 | N/A | 5.5 MEDIUM | An HPE OneView appliance dump may expose SNMPv3 read credentials. |
CVE-2023-22862 | 1 Ibm | 2 Aspera Cargo, Aspera Connect | 2023-12-10 | N/A | 7.5 HIGH | IBM Aspera Connect 4.2.5 and IBM Aspera Cargo 4.2.5 transmit authentication credentials using an insecure method that is susceptible to unauthorized interception and/or retrieval. IBM X-Force ID: 244107. |
CVE-2023-28088 | 1 Hp | 1 Oneview | 2023-12-10 | N/A | 7.8 HIGH | An HPE OneView appliance dump may expose SAN switch administrative credentials. |
CVE-2023-28084 | 2 Hp, Hpe | 2 Oneview, Oneview Global Dashboard | 2023-12-10 | N/A | 5.5 MEDIUM | HPE OneView and HPE OneView Global Dashboard appliance dumps may expose authentication tokens. |
CVE-2023-1778 | 1 Gajshield | 2 Data Security Firewall, Data Security Firewall Firmware | 2023-12-10 | N/A | 9.8 CRITICAL | This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to insecure default credentials, which allow a remote attacker to log in as superuser using the default username/password via the web-based management interface and/or an exposed SSH port, thereby enabling remote attackers to execute arbitrary commands with administrative/superuser privileges on the targeted systems. The vulnerability has been addressed by forcing the user to change the default password to a new non-default password. |
CVE-2023-25407 | 1 Aten | 2 Pe8108, Pe8108 Firmware | 2023-12-10 | N/A | 7.2 HIGH | Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. Restricted users have read access to administrator credentials. |
CVE-2023-28131 | 1 Expo | 1 Expo Software Development Kit | 2023-12-10 | N/A | 9.6 CRITICAL | A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-in. This can be achieved once a victim clicks a malicious link. The link itself may be sent to the victim in various ways (including email, text message, an attacker-controlled website, etc.). |
CVE-2023-1763 | 2 Apple, Canon | 3 Mac Os X, Macos, Ij Network Tool | 2023-12-10 | N/A | 6.5 MEDIUM | Canon IJ Network Tool Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13) and IJ Network Tool Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allow an attacker to acquire sensitive information about the Wi-Fi connection setup of the printer from the software. |
CVE-2023-28857 | 1 Apereo | 1 Central Authentication Service | 2023-12-10 | N/A | 7.5 HIGH | Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via the TLS handshake or a special HTTP header, such as "ssl_client_cert". When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs a check that the certificate is not revoked. To do so, it fetches the URLs provided in the "CRL Distribution Points" extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for x509 authentication with a password, for example by setting the "cas.authn.x509.ldap.ldap-url" and "cas.authn.x509.ldap.bind-credential" properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP URLs. When making requests to these LDAP URLs, Apereo CAS uses the same password as for the initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used for the LDAP connection configured on the server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
CVE-2023-32988 | 1 Jenkins | 1 Azure Vm Agents | 2023-12-10 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to enumerate credential IDs of credentials stored in Jenkins. |
CVE-2022-48433 | 1 Jetbrains | 1 Intellij Idea | 2023-12-10 | N/A | 7.5 HIGH | In JetBrains IntelliJ IDEA before 2023.1, the NTLM hash could leak through an API method used in the IntelliJ IDEA built-in web server. |