The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2023-29158 | SUBNET PowerSYSTEM Center versions 2020 U10 and prior are vulnerable to replay attacks which may result in a denial-of-service condition or a loss of data integrity. | -- | Jun 20, 2023 |
| CVE-2023-41966 | The application suffers from a privilege escalation vulnerability. A user with read permissions can elevate privileges by sending a HTTP POST to set a parameter. | -- | Oct 26, 2023 |
| CVE-2023-31426 | The Brocade Fabric OS Commands “configupload” and “configdownload” before Brocade Fabric OS v9.1.1c, v8.2.3d, v9.2.0 print scp, sftp, ftp servers passwords in supportsave. This could allow a remote authenticated attacker to access sensitive information. | -- | Aug 1, 2023 |
| CVE-2023-4489 | The first S0 encryption key is generated with an uninitialized PRNG in Z/IP Gateway products running Silicon Labs Z/IP Gateway SDK v7.18.3 and earlier. This makes the first S0 key generated at startup predictable, potentially allowing network key prediction and unauthorized S0 network access. | -- | Dec 14, 2023 |
| CVE-2023-33868 | The number of login attempts is not limited. This could allow an attacker to perform a brute force on HTTP basic authentication. | -- | Jul 7, 2023 |
| CVE-2023-33218 | The Parameter Zone Read and Parameter Zone Write command handlers allow performing a Stack buffer overflow. This could potentially lead to a Remote Code execution on the targeted device. | -- | Dec 15, 2023 |
| CVE-2022-2484 | The signature check in the Nokia ASIK AirScale system module version 474021A.101 can be bypassed allowing an attacker to run modified firmware. This could result in the execution of a malicious kernel, arbitrary programs, or modified Nokia programs. | -- | Jan 8, 2023 |
| CVE-2023-25643 | There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands. | -- | Dec 14, 2023 |
| CVE-2023-25647 | There is a permission and access control vulnerability in some ZTE mobile phones. Due to improper access control, applications in mobile phone could monitor the touch event. | -- | Aug 17, 2023 |
| CVE-2023-40052 | This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0 . An attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the server’s remaining ability to process valid requests. | -- | Jan 18, 2024 |
| CVE-2024-1886 | This vulnerability allows remote attackers to traverse the directory on the affected webOS of LG Signage. | -- | Feb 26, 2024 |
| CVE-2023-46747 | Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | -- | Oct 26, 2023 |
| CVE-2023-5777 | Weintek EasyBuilder Pro contains a vulnerability that, even when the private key is immediately deleted after the crash report transmission is finished, the private key is exposed to the public, which could result in obtaining remote control of the crash report server. | -- | Nov 7, 2023 |
| CVE-2023-37362 | Weintek Weincloud v0.13.6 could allow an attacker to abuse the registration functionality to login with testing credentials to the official website. | -- | Jul 20, 2023 |
| CVE-2023-34429 | Weintek Weincloud v0.13.6 could allow an attacker to cause a denial-of-service condition for Weincloud by sending a forged JWT token. | -- | Jul 20, 2023 |
| CVE-2023-32657 | Weintek Weincloud v0.13.6 could allow an attacker to efficiently develop a brute force attack on credentials with authentication hints from error message responses. | -- | Jul 20, 2023 |
| CVE-2023-35134 | Weintek Weincloud v0.13.6 could allow an attacker to reset a password with the corresponding account’s JWT token only. | -- | Jul 20, 2023 |
| CVE-2024-21789 | When a BIG-IP ASM/Advanced WAF security policy is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | -- | Feb 14, 2024 |
| CVE-2024-23982 | When a BIG-IP PEM classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. This issue affects classification engines using signatures released between 09-08-2022 and 02-16-2023. See the table in the F5 Security Advisory for a complete list of affected classification signature files. NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated | -- | Feb 14, 2024 |
| CVE-2024-21849 | When an Advanced WAF/ASM security policy and a Websockets profile are configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | -- | Feb 14, 2024 |
| CVE-2023-40151 | When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge. | -- | Nov 21, 2023 |
| CVE-2022-46678 | Wyse Management Suite 3.8 and below contain an improper access control vulnerability. A authenticated malicious admin user can edit general client policy for which the user is not authorized. | -- | Feb 12, 2023 |
| CVE-2023-4039 | **DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. | -- | Sep 13, 2023 |
| CVE-2023-5766 | A remote code execution vulnerability in Remote Desktop Manager 2023.2.33 and earlier on Windows allows an attacker to remotely execute code from another windows user session on the same host via a specially crafted TCP packet. | -- | Nov 1, 2023 |
| CVE-2024-23492 | A weak encoding is used to transmit credentials for WS203VICM. | -- | Mar 1, 2024 |
| CVE-2023-3622 | Access Control Bypass Vulnerability in the SolarWinds Platform that allows an underprivileged user to read arbitrary resource | -- | Jul 26, 2023 |
| CVE-2023-34471 | AMI SPx contains a vulnerability in the BMC where a user may cause a missing cryptographic step by generating a hash-based message authentication code (HMAC). A successful exploit of this vulnerability may lead to the loss confidentiality, integrity, and authentication. | -- | Jul 5, 2023 |
| CVE-2022-43494 | An unauthorized user could be able to read any file on the system, potentially exposing sensitive information. | -- | Jan 25, 2023 |
| CVE-2023-29152 | By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account. | -- | Jun 8, 2023 |
| CVE-2023-6593 | Client side permission bypass in Devolutions Remote Desktop Manager 2023.3.4.0 and earlier on iOS allows an attacker that has access to the application to execute entries in a SQL data source without restriction. | -- | Dec 12, 2023 |
| CVE-2023-31183 | Cybonet PineApp Mail Secure A reflected cross-site scripting (XSS) vulnerability was identified in the product, using an unspecified endpoint. | -- | May 11, 2023 |
| CVE-2023-31182 | EasyTor Applications – Authorization Bypass - EasyTor Applications may allow authorization bypass via unspecified method. | -- | May 9, 2023 |
| CVE-2023-45237 | EDK2\'s Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. | -- | Jan 16, 2024 |
| CVE-2023-45236 | EDK2\'s Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. | -- | Jan 16, 2024 |
| CVE-2023-42490 | EisBaer Scada - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | -- | Oct 25, 2023 |
| CVE-2023-5575 | Improper access control in the permission inheritance in Devolutions Server 2022.3.13.0 and earlier allows an attacker that compromised a low privileged user to access entries via a specific combination of permissions in the entry and in its parent. | -- | Oct 16, 2023 |
| CVE-2023-27857 | In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field in Rockwell Automation\'s ThinManager ThinServer. An unauthenticated remote attacker can exploit this vulnerability to crash ThinServer.exe due to a read access violation. | -- | Mar 22, 2023 |
| CVE-2023-35663 | In Init of protocolnetadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | Oct 19, 2023 |
| CVE-2023-7242 | Industrial Control Systems Network Protocol Parsers (ICSNPP) - Ethercat Zeek Plugin versions d78dda6 and prior are vulnerable to out-of-bounds read during the process of analyzing a specific Ethercat packet. This could allow an attacker to crash the Zeek process and leak some information in memory. | -- | Mar 1, 2024 |
| CVE-2024-3706 | Information exposure vulnerability in OpenGnsys affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to view a php backup file (controlaccess.php-LAST) where database credentials are stored. | -- | Apr 15, 2024 |
| CVE-2023-30797 | Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur. | -- | Apr 20, 2023 |
| CVE-2023-39378 | SiberianCMS - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') by an unauthenticated user | -- | Sep 27, 2023 |
| CVE-2022-3161 | The APDFL.dll contains a memory corruption vulnerability while parsing specially crafted PDF files. This could allow an attacker to execute code in the context of the current process. | -- | Jan 13, 2023 |
| CVE-2023-45228 | The application suffers from improper access control when editing users. A user with read permissions can manipulate users, passwords, and permissions by sending a single HTTP POST request with modified parameters. | -- | Oct 26, 2023 |
| CVE-2023-3243 | ** UNSUPPORTED WHEN ASSIGNED ** [An attacker can capture an authenticating hash and utilize it to create new sessions. The hash is also a poorly salted MD5 hash, which could result in a successful brute force password attack. Impacted product is BCM-WEB version 3.3.X. Recommended fix: Upgrade to a supported product such as Alerton ACM.] Out of an abundance of caution, this CVE ID is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. | -- | Jun 29, 2023 |
| CVE-2023-37221 | 7Twenty BOT - CWE-79: Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\'). | -- | Sep 4, 2023 |
| CVE-2023-4212 | ?A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick. | -- | Aug 22, 2023 |
| CVE-2023-3395 | ?All versions of the TWinSoft Configuration Tool store encrypted passwords as plaintext in memory. An attacker with access to system files could open a file to load the document into memory, including sensitive information associated with document, such as password. The attacker could then obtain the plaintext password by using a memory viewer. | -- | Jul 7, 2023 |
| CVE-2023-30765 | ?Delta Electronics InfraSuite Device Master versions prior to 1.0.7 contain improper access controls that could allow an attacker to alter privilege management configurations, resulting in privilege escalation. | -- | Jul 11, 2023 |
| CVE-2023-4296 | ?If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device. | -- | Aug 29, 2023 |
