The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2023-30765 | ?Delta Electronics InfraSuite Device Master versions prior to 1.0.7 contain improper access controls that could allow an attacker to alter privilege management configurations, resulting in privilege escalation. | -- | Jul 11, 2023 | n/a |
| CVE-2023-4296 | ?If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device. | -- | Aug 29, 2023 | n/a |
| CVE-2023-36610 | ?The affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of the token are generated using predictable time-based values. An attacker with this knowledge could successfully brute force the token and authenticate themselves. | -- | Jul 7, 2023 | n/a |
| CVE-2023-21407 | A broken access control was found allowing for privileged escalation of the operator account to gain administrator privileges. | -- | Aug 3, 2023 | n/a |
| CVE-2024-0213 | A buffer overflow vulnerability in TA for Linux and TA for MacOS prior to 5.8.1 allows a local user to gain elevated permissions, or cause a Denial of Service (DoS), through exploiting a memory corruption issue in the TA service, which runs as root. This may also result in the disabling of event reporting to ePO, caused by failure to validate input from the file correctly. | -- | Jan 9, 2024 | n/a |
| CVE-2024-23594 | A buffer overflow vulnerability was reported in a system recovery bootloader that was part of the Lenovo preloaded Windows 7 and 8 operating systems from 2012 to 2014 that could allow a privileged attacker with local access to execute arbitrary code. | -- | Apr 15, 2024 | n/a |
| CVE-2022-4312 | A cleartext storage of sensitive information vulnerability exists in PcVue versions 8.10 through 15.2.3. This could allow an unauthorized user with access the email and short messaging service (SMS) accounts configuration files to discover the associated simple mail transfer protocol (SMTP) account credentials and the SIM card PIN code. Successful exploitation of this vulnerability could allow an unauthorized user access to the underlying email account and SIM card. | -- | Dec 15, 2022 | n/a |
| CVE-2023-3665 | A code injection vulnerability in Trellix ENS 10.7.0 April 2023 release and earlier, allowed a local user to disable the ENS AMSI component via environment variables, leading to denial of service and or the execution of arbitrary code. | -- | Oct 4, 2023 | n/a |
| CVE-2024-1367 | A command injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Logging parameters, which could lead to the execution of arbitrary code on the Security Center host. | -- | Feb 15, 2024 | n/a |
| CVE-2023-0976 | A command Injection Vulnerability in TA for mac-OS prior to version 5.7.9 allows local users to place an arbitrary file into the /Library/Trellix/Agent/bin/ folder. The malicious file is executed by running the TA deployment feature located in the System Tree. | -- | Jun 8, 2023 | n/a |
| CVE-2023-0978 | A command injection vulnerability in Trellix Intelligent Sandbox CLI for version 5.2 and earlier, allows a local user to inject and execute arbitrary operating system commands using specially crafted strings. This vulnerability is due to insufficient validation of arguments that are passed to specific CLI command. The vulnerability allows the attack | -- | Mar 17, 2023 | n/a |
| CVE-2024-2659 | A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute system commands when performing a specific administrative function. | -- | Apr 15, 2024 | n/a |
| CVE-2023-4855 | A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute unauthorized commands via IPMI. | -- | Apr 15, 2024 | n/a |
| CVE-2024-21601 | A Concurrent Execution using Shared Resource with Improper Synchronization (\'Race Condition\') vulnerability in the Flow-processing Daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (Dos). On SRX Series devices when two different threads try to simultaneously process a queue which is used for TCP events flowd will crash. One of these threads can not be triggered externally, so the exploitation of this race condition is outside the attackers direct control. Continued exploitation of this issue will lead to a sustained DoS. This issue affects Juniper Networks Junos OS: * 21.2 versions earlier than 21.2R3-S5; * 21.3 versions earlier than 21.3R3-S5; * 21.4 versions earlier than 21.4R3-S4; * 22.1 versions earlier than 22.1R3-S3; * 22.2 versions earlier than 22.2R3-S1; * 22.3 versions earlier than 22.3R2-S2, 22.3R3; * 22.4 versions earlier than 22.4R2-S1, 22.4R3. This issue does not affect Juniper Networks Junos OS versions earlier than 21.2R1. | -- | Jan 12, 2024 | n/a |
| CVE-2024-0310 | A content-security-policy vulnerability in ENS Control browser extension prior to 10.7.0 Update 15 allows a remote attacker to alter the response header parameter setting to switch the content security policy into report-only mode, allowing an attacker to bypass the content-security-policy configuration. | -- | Jan 10, 2024 | n/a |
| CVE-2023-2444 | A cross site request forgery vulnerability exists in Rockwell Automation\'s FactoryTalk Vantagepoint. This vulnerability can be exploited in two ways. If an attacker sends a malicious link to a computer that is on the same domain as the FactoryTalk Vantagepoint server and a user clicks the link, the attacker could impersonate the legitimate user and send requests to the affected product. Additionally, if an attacker sends an untrusted link to a computer that is not on the same domain as the server and a user opens the FactoryTalk Vantagepoint website, enters credentials for the FactoryTalk Vantagepoint server, and clicks on the malicious link a cross site request forgery attack would be successful as well. | -- | May 11, 2023 | n/a |
| CVE-2023-5444 | A Cross Site Request Forgery vulnerability in ePolicy Orchestrator prior to 5.10.0 CP1 Update 2 allows a remote low privilege user to successfully add a new user with administrator privileges to the ePO server. This impacts the dashboard area of the user interface. To exploit this the attacker must change the HTTP payload post submission, prior to it reaching the ePO server. | -- | Nov 17, 2023 | n/a |
| CVE-2023-29024 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability. | -- | May 11, 2023 | n/a |
| CVE-2023-29029 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
| CVE-2023-29028 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
| CVE-2023-29027 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
| CVE-2023-29026 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
| CVE-2023-29025 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
| CVE-2023-29022 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
| CVE-2023-29031 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability. | -- | May 11, 2023 | n/a |
| CVE-2023-29030 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability. | -- | May 11, 2023 | n/a |
| CVE-2023-29023 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability. | -- | May 11, 2023 | n/a |
| CVE-2023-31174 | A Cross-Site Request Forgery (CSRF) vulnerability in the Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20. | -- | Aug 31, 2023 | n/a |
| CVE-2023-38423 | A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | -- | Aug 2, 2023 | n/a |
| CVE-2023-6072 | A cross-site scripting vulnerability in Trellix Central Management (CM) prior to 9.1.3.97129 allows a remote authenticated attacker to craft CM dashboard internal requests causing arbitrary content to be injected into the response when accessing the CM dashboard. | -- | Feb 13, 2024 | n/a |
| CVE-2023-3953 | A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause memory corruption when an authenticated user opens a tampered log file from GP-Pro EX. | -- | Aug 9, 2023 | n/a |
| CVE-2023-29414 | A CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability exists that could cause user privilege escalation if a local user sends specific string input to a local function call. | -- | Jul 12, 2023 | n/a |
| CVE-2023-29410 | A CWE-20: Improper Input Validation vulnerability exists that could allow an authenticated attacker to gain the same privilege as the application on the server when a malicious payload is provided over HTTP for the server to execute. | -- | Apr 18, 2023 | n/a |
| CVE-2023-6032 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability exists that could cause a file system enumeration and file download when an attacker navigates to the Network Management Card via HTTPS. | -- | Nov 15, 2023 | n/a |
| CVE-2023-6407 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by a local and low-privileged attacker. | -- | Dec 14, 2023 | n/a |
| CVE-2023-1548 | A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to perform a denial of service through the console server service that is part of EcoStruxure Control Expert. Affected Products: EcoStruxure Control Expert (V15.1 and above) | -- | Apr 18, 2023 | n/a |
| CVE-2023-25556 | A CWE-287: Improper Authentication vulnerability exists that could allow a device to be compromised when a key of less than seven digits is entered and the attacker has access to the KNX installation. | -- | Apr 18, 2023 | n/a |
| CVE-2023-4516 | A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service that could allow a local attacker to change update source, potentially leading to remote code execution when the attacker force an update containing malicious content. | -- | Sep 14, 2023 | n/a |
| CVE-2023-29411 | A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface. | -- | Apr 18, 2023 | n/a |
| CVE-2022-32528 | A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause access to manipulate and read specific files in the IGSS project report directory, potentially leading to a denial-of-service condition when an attacker sends specific messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170) | -- | Jan 31, 2023 | n/a |
| CVE-2023-29413 | A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service. | -- | Apr 18, 2023 | n/a |
| CVE-2022-46680 | A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic. | -- | May 22, 2023 | n/a |
| CVE-2022-34755 | A CWE-427 - Uncontrolled Search Path Element vulnerability exists that could allow an attacker with a local privileged account to place a specially crafted file on the target machine, which may give the attacker the ability to execute arbitrary code during the installation process initiated by a valid user. Affected Products: Easergy Builder Installer (1.7.23 and prior) | -- | Apr 18, 2023 | n/a |
| CVE-2023-5984 | A CWE-494 Download of Code Without Integrity Check vulnerability exists that could allow modified firmware to be uploaded when an authorized admin user begins a firmware update procedure which could result in full control over the device. | -- | Nov 15, 2023 | n/a |
| CVE-2023-3001 | A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file. | -- | Jun 14, 2023 | n/a |
| CVE-2023-7032 | A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker logged in with a user level account to gain higher privileges by providing a harmful serialized object. | -- | Jan 10, 2024 | n/a |
| CVE-2023-5986 | A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect vulnerability leading to a cross site scripting attack. By providing a URL-encoded input attackers can cause the software’s web application to redirect to the chosen domain after a successful login is performed. | -- | Nov 15, 2023 | n/a |
| CVE-2023-5629 | A CWE-601:URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability exists that could cause disclosure of information through phishing attempts over HTTP. | -- | Dec 14, 2023 | n/a |
| CVE-2023-37200 | A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual restart of the server. | -- | Jul 12, 2023 | n/a |
| CVE-2023-2161 | A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user. | -- | May 16, 2023 | n/a |
