The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2023-33222 | When handling contactless cards, usage of a specific function to get additional information from the card which doesn\'t check the boundary on the data received while reading. This allows a stack-based buffer overflow that could lead to a potential Remote Code Execution on the targeted device | -- | Dec 15, 2023 |
| CVE-2023-33221 | When reading DesFire keys, the function that reads the card isn\'t properly checking the boundaries when copying internally the data received. This allows a heap based buffer overflow that could lead to a potential Remote Code Execution on the targeted device. This is especially problematic if you use Default DESFire key. | -- | Dec 15, 2023 |
| CVE-2023-28412 | When supplied with a random MAC address, Snap One OvrC cloud servers will return information about the device. The MAC address of devices can be enumerated in an attack and the OvrC cloud will disclose their information. | -- | May 23, 2023 |
| CVE-2023-1288 | An XML External Entity injection (XXE) vulnerability in ENOVIA Live Collaboration V6R2013xE allows an attacker to read local files on the server. | -- | Mar 9, 2023 |
| CVE-2022-43378 | A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause the user to be tricked into performing unintended actions when external address frames are not properly restricted. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior) | -- | Apr 18, 2023 |
| CVE-2023-25549 | A CWE-94: Improper Control of Generation of Code (\'Code Injection\') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | -- | Apr 18, 2023 |
| CVE-2023-45213 | A potential attacker with access to the Westermo Lynx device would be able to execute malicious code that could affect the correct functioning of the device. | -- | Feb 7, 2024 |
| CVE-2023-37294 | AMI’s SPx contains a vulnerability in the BMC where an Attacker may cause a heap memory corruption via an adjacent network. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. | -- | Jan 10, 2024 |
| CVE-2023-22846 | Datakit CrossCadWare_x64.dll contains an out-of-bounds read past the end of an allocated buffer while parsing a specially crafted SLDPRT file. This vulnerability could allow an attacker to disclose sensitive information. | -- | Apr 21, 2023 |
| CVE-2023-1145 | Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution. | -- | Mar 30, 2023 |
| CVE-2023-33220 | During the retrofit validation process, the firmware doesn\'t properly check the boundaries while copying some attributes to check. This allows a stack-based buffer overflow that could lead to a potential Remote Code Execution on the targeted device | -- | Dec 15, 2023 |
| CVE-2023-43609 | In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition. | -- | Feb 15, 2024 |
| CVE-2023-34394 | In Keysight Geolocation Server v2.4.2 and prior, an attacker could upload a specially crafted malicious file or delete any file or directory with SYSTEM privileges due to an improper path validation, which could result in local privilege escalation or a denial-of-service condition. | -- | Jul 20, 2023 |
| CVE-2023-38584 | In Weintek\'s cMT3000 HMI Web CGI device, the cgi-bin command_wb.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login authentication. | -- | Oct 19, 2023 |
| CVE-2023-20564 | Insufficient validation in the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may permit a privileged attacker to perform memory reads/writes potentially leading to a loss of confidentiality or arbitrary kernel execution. | -- | Aug 15, 2023 |
| CVE-2023-20561 | Insufficient validation of the IOCTL (Input Output Control) input buffer in AMD ?Prof may allow an authenticated user to send an arbitrary address potentially resulting in a Windows crash leading to denial of service. | -- | Aug 8, 2023 |
| CVE-2023-49115 | MachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users. | -- | Feb 1, 2024 |
| CVE-2023-25522 | NVIDIA DGX A100/A800 contains a vulnerability in SBIOS where an attacker may cause improper input validation by providing configuration information in an unexpected format. A successful exploit of this vulnerability may lead to denial of service, information disclosure, and data tampering. | -- | Jul 10, 2023 |
| CVE-2023-35987 | PiiGAB M-Bus contains hard-coded credentials which it uses for authentication. | -- | Jul 7, 2023 |
| CVE-2021-22636 | Texas Instruments TI-RTOS, when configured to use HeapMem heap(default), malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in \'HeapMem_allocUnprotected\' and result in code execution. | -- | Nov 20, 2023 |
| CVE-2023-39446 | Thanks to the weaknesses that the web application has at the user management level, an attacker could obtain the information from the headers that is necessary to create specially designed URLs and originate malicious actions when a legitimate user is logged into the web application. | -- | Sep 19, 2023 |
| CVE-2023-29503 | The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. | -- | Jun 6, 2023 |
| CVE-2023-36853 | ?In Keysight Geolocation Server v2.4.2 and prior, a low privileged attacker could create a local ZIP file containing a malicious script in any location. The attacker could abuse this to load a DLL with SYSTEM privileges. | -- | Jul 20, 2023 |
| CVE-2023-5399 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using the File Command. | -- | Oct 4, 2023 |
| CVE-2022-43377 | A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover when a brute force attack is performed on the account. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior) | -- | Apr 18, 2023 |
| CVE-2023-25554 | A CWE-78: Improper Neutralization of Special Elements used in an OS Command (\'OS Command Injection\') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | -- | Apr 18, 2023 |
| CVE-2023-37198 | A CWE-94: Improper Control of Generation of Code (\'Code Injection\') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages. | -- | Jul 12, 2023 |
| CVE-2023-45735 | A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device. | -- | Feb 7, 2024 |
| CVE-2023-6689 | A successful CSRF attack could force the user to perform state changing requests on the application. If the victim is an administrative account, a CSRF attack could compromise the entire web application. | -- | Dec 20, 2023 |
| CVE-2023-37295 | AMI’s SPx contains a vulnerability in the BMC where an Attacker may cause a heap memory corruption via an adjacent network. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. | -- | Jan 10, 2024 |
| CVE-2023-50704 | An attacker could construct a URL within the application that causes a redirection to an arbitrary external domain and could be leveraged to facilitate phishing attacks against application users. | -- | Dec 20, 2023 |
| CVE-2024-21612 | An Improper Handling of Syntactically Invalid Structure vulnerability in Object Flooding Protocol (OFP) service of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). On all Junos OS Evolved platforms, when specific TCP packets are received on an open OFP port, the OFP crashes leading to a restart of Routine Engine (RE). Continuous receipt of these specific TCP packets will lead to a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS Evolved * All versions earlier than 21.2R3-S7-EVO; * 21.3 versions earlier than 21.3R3-S5-EVO ; * 21.4 versions earlier than 21.4R3-S5-EVO; * 22.1 versions earlier than 22.1R3-S4-EVO; * 22.2 versions earlier than 22.2R3-S3-EVO ; * 22.3 versions earlier than 22.3R3-EVO; * 22.4 versions earlier than 22.4R2-EVO, 22.4R3-EVO. | -- | Jan 12, 2024 |
| CVE-2023-37216 | AnaSystem SensMini M4 – Using the configuration tool, an authenticated user can cause Denial of Service for the device | -- | Jul 31, 2023 |
| CVE-2023-25848 | ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed. | -- | Aug 26, 2023 |
| CVE-2023-22354 | Datakit CrossCadWare_x64.dll contains an out-of-bounds read past the end of an allocated buffer while parsing a specially crafted SLDPRT file. This vulnerability could allow an attacker to disclose sensitive information. | -- | Apr 21, 2023 |
| CVE-2022-3089 | Echelon SmartServer 2.2 with i.LON Vision 2.2 stores cleartext credentials in a file, which could allow an attacker to obtain cleartext usernames and passwords of the SmartServer. If the attacker obtains the file, then the credentials could be used to control the web user interface and file transfer protocol (FTP) server. | -- | Feb 13, 2023 |
| CVE-2023-32274 | Enphase Installer Toolkit versions 3.27.0 has hard coded credentials embedded in binary code in the Android application. An attacker can exploit this and gain access to sensitive information. | -- | Jun 20, 2023 |
| CVE-2023-6929 | EuroTel ETL3100 versions v01c01 and v01x37 are vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization, access the hidden resources on the system, and execute privileged functionalities. | -- | Dec 19, 2023 |
| CVE-2023-37222 | Farsight Tech Nordic AB ProVide version 14.5 - Multiple XSS vulnerabilities (CWE-79) can be exploited by a user with administrator privilege. | -- | Sep 4, 2023 |
| CVE-2023-2504 | Files present on firmware images could allow an attacker to gain unauthorized access as a root user using hard-coded credentials. | -- | May 23, 2023 |
| CVE-2023-32628 | In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution. | -- | Jun 6, 2023 |
| CVE-2023-51761 | In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could bypass authentication and acquire admin capabilities. | -- | Feb 15, 2024 |
| CVE-2023-20556 | Insufficient validation of the IOCTL (Input Output Control) input buffer in AMD ?Prof may allow an authenticated user to send an arbitrary buffer potentially resulting in a Windows crash leading to denial of service. | -- | Aug 8, 2023 |
| CVE-2023-5908 | KEPServerEX is vulnerable to a buffer overflow which may allow an attacker to crash the product being accessed or leak information. | -- | Nov 30, 2023 |
| CVE-2024-22100 | MicroDicom DICOM Viewer versions 2023.3 (Build 9342) and prior are affected by a heap-based buffer overflow vulnerability, which could allow an attacker to execute arbitrary code on affected installations of DICOM Viewer. A user must open a malicious DCM file in order to exploit the vulnerability. | -- | Mar 1, 2024 |
| CVE-2023-25521 | NVIDIA DGX A100/A800 contains a vulnerability in SBIOS where an attacker may cause execution with unnecessary privileges by leveraging a weakness whereby proper input parameter validation is not performed. A successful exploit of this vulnerability may lead to denial of service, information disclosure, and data tampering. | -- | Jul 10, 2023 |
| CVE-2023-31277 | PiiGAB M-Bus transmits credentials in plaintext format. | -- | Jul 7, 2023 |
| CVE-2023-31200 | PTC Vuforia Studio does not require a token; this could allow an attacker with local access to perform a cross-site request forgery attack or a replay attack. | -- | Jun 8, 2023 |
| CVE-2023-2306 | Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records. | -- | Oct 5, 2023 |
| CVE-2023-5059 | Santesoft Sante FFT Imaging lacks proper validation of user-supplied data when parsing DICOM files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. | -- | Oct 19, 2023 |
