The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2023-45163 | The 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1 by uploading it through the 1E Platform instruction upload UI | -- | Nov 6, 2023 |
CVE-2021-27429 | Texas Instruments TI-RTOS returns a valid pointer to a small buffer on extremely large values. This can trigger an integer overflow vulnerability in \'HeapTrack_alloc\' and result in code execution. | -- | Nov 20, 2023 |
CVE-2023-32347 | Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication. If an attacker obtained the serial number and MAC address of a device, they could authenticate as that device and steal communication credentials of the device. This could allow an attacker to enable arbitrary command execution as root by utilizing management options within the newly registered devices. | -- | May 22, 2023 |
CVE-2023-2588 | Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy. A user can request a web proxy and obtain a URL in the Remote Management System cloud subdomain. This URL could be shared with others without Remote Management System authentication . An attacker could exploit this vulnerability to create a malicious webpage that uses a trusted and certified domain. An attacker could initiate a reverse shell when a victim connects to the malicious webpage, achieving remote code execution on the victim device. | -- | May 22, 2023 |
CVE-2023-32348 | Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices connected to the VPN. The OpenVPN server also allows users to route through it. An attacker could route a connection to a remote server through the OpenVPN server, enabling them to scan and access data from other Teltonika devices connected to the VPN. | -- | May 22, 2023 |
CVE-2023-32346 | Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been claimed, or whether the attempt to claim a device was successful. An attacker could exploit this to create a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System. | -- | May 22, 2023 |
CVE-2023-2587 | Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface. An attacker with the MAC address and serial number of a connected device could send a maliciously crafted JSON file with an HTML object to trigger the vulnerability. This could allow the attacker to execute scripts in the account context and obtain remote code execution on managed devices. | -- | May 22, 2023 |
CVE-2023-2586 | Teltonika’s Remote Management System versions 4.14.0 is vulnerable to an unauthorized attacker registering previously unregistered devices through the RMS platform. If the user has not disabled the RMS management feature enabled by default, then an attacker could register that device to themselves. This could enable the attacker to perform different operations on the user\'s devices, including remote code execution with \'root\' privileges (using the \'Task Manager\' feature on RMS). | -- | May 22, 2023 |
CVE-2023-6116 | Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the camera. An attacker could inject malicious into http request packets to execute arbitrary code. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer\'s report for details and workarounds. | -- | Apr 26, 2024 |
CVE-2023-37219 | Tadiran Telecom Composit - CWE-1236: Improper Neutralization of Formula Elements in a CSV File | -- | Jul 31, 2023 |
CVE-2023-37218 | Tadiran Telecom Aeonix - CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') | -- | Jul 31, 2023 |
CVE-2023-37217 | Tadiran Telecom Aeonix - CWE-204: Observable Response Discrepancy | -- | Jul 31, 2023 |
CVE-2023-7227 | SystemK NVR 504/508/516 versions 2.3.5SK.30084998 and prior are vulnerable to a command injection vulnerability in the dynamic domain name system (DDNS) settings that could allow an attacker to execute arbitrary commands with root privileges. | -- | Jan 25, 2024 |
CVE-2024-27775 | SysAid before version 23.2.14 b18 - CWE-918: Server-Side Request Forgery (SSRF) may allow exposing the local OS user\'s NTLMv2 hash | -- | Mar 28, 2024 |
CVE-2023-32225 | Sysaid - CWE-434: Unrestricted Upload of File with Dangerous Type - A malicious user with administrative privileges may be able to upload a dangerous filetype via an unspecified method. | -- | Jul 31, 2023 |
CVE-2023-32226 | Sysaid - CWE-552: Files or Directories Accessible to External Parties - Authenticated users may exfiltrate files from the server via an unspecified method. | -- | Jul 31, 2023 |
CVE-2023-37220 | Synel Terminals - CWE-494: Download of Code Without Integrity Check | -- | Sep 4, 2023 |
CVE-2023-32227 | Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Credentials | -- | Jul 31, 2023 |
CVE-2023-37213 | Synel SYnergy Fingerprint Terminals - CWE-78: \'OS Command Injection\' | -- | Jul 31, 2023 |
CVE-2022-34392 | SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information. | -- | Feb 12, 2023 |
CVE-2022-34385 | SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. | -- | Feb 12, 2023 |
CVE-2023-35850 | SUNNET WMPro portal\'s file management function has a vulnerability of insufficient filtering for user input. A remote attacker with administrator privilege or a privileged account can exploit this vulnerability to inject and execute arbitrary system commands to perform arbitrary system operations or disrupt service. | -- | Sep 18, 2023 |
CVE-2023-35851 | SUNNET WMPro portal\'s FAQ function has insufficient validation for user input. An unauthenticated remote attacker can inject arbitrary SQL commands to obtain sensitive information via a database. | -- | Sep 18, 2023 |
CVE-2023-32659 | SUBNET PowerSYSTEM Center versions 2020 U10 and prior contain a cross-site scripting vulnerability that may allow an attacker to inject malicious code into report header graphic files that could propagate out of the system and reach users who are subscribed to email notifications. | -- | Jun 20, 2023 |
CVE-2023-29454 | Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages. | -- | Jul 13, 2023 |
CVE-2023-0973 | STEPTools v18SP1 ifcmesh library (v18.1) is affected due to a null pointer dereference, which could allow an attacker to deny application usage when reading a specially constructed file, resulting in an application crash. | -- | Mar 13, 2023 |
CVE-2023-39369 | StarTrinity Softswitch version 2023-02-16 - Multiple Reflected XSS (CWE-79) | -- | Sep 4, 2023 |
CVE-2023-46724 | Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid\'s patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages. | -- | Nov 2, 2023 |
CVE-2024-28891 | SQL injection vulnerability exists in the script Handler_CFG.ashx. | -- | Mar 21, 2024 |
CVE-2024-25937 | SQL injection vulnerability exists in the script DIAE_tagHandler.ashx. | -- | Mar 21, 2024 |
CVE-2024-25574 | SQL injection vulnerability exists in GetDIAE_usListParameters. | -- | Apr 2, 2024 |
CVE-2024-23494 | SQL injection vulnerability exists in GetDIAE_unListParameters. | -- | Mar 21, 2024 |
CVE-2024-23975 | SQL injection vulnerability exists in GetDIAE_slogListParameters. | -- | Mar 21, 2024 |
CVE-2024-28040 | SQL injection vulnerability exists in GetDIAE_astListParameters. | -- | Mar 21, 2024 |
CVE-2023-50395 | SQL Injection Remote Code Execution Vulnerability was found using an update statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited | -- | Feb 6, 2024 |
CVE-2023-35188 | SQL Injection Remote Code Execution Vulnerability was found using a create statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited. | -- | Feb 6, 2024 |
CVE-2023-2832 | SQL Injection in GitHub repository unilogies/bumsys prior to 2.2.0. | -- | May 22, 2023 |
CVE-2023-5350 | SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1. | -- | Oct 4, 2023 |
CVE-2023-3820 | SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4. | -- | Jul 24, 2023 |
CVE-2023-3673 | SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.24. | -- | Jul 14, 2023 |
CVE-2023-4899 | SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. | -- | Sep 12, 2023 |
CVE-2023-5591 | SQL Injection in GitHub repository librenms/librenms prior to 23.10.0. | -- | Oct 16, 2023 |
CVE-2023-4928 | SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1. | -- | Sep 13, 2023 |
CVE-2023-4188 | SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1-git. | -- | Aug 6, 2023 |
CVE-2023-3490 | SQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3. | -- | Jul 6, 2023 |
CVE-2023-38027 | SpotCam Co., Ltd. SpotCam Sense’s hidden Telnet function has a vulnerability of OS command injection. An remote unauthenticated attacker can exploit this vulnerability to execute command injection attack to perform arbitrary system commands or disrupt service. | -- | Aug 29, 2023 |
CVE-2023-38024 | SpotCam Co., Ltd. SpotCam FHD 2’s hidden Telnet function has a vulnerability of using hard-coded Telnet credentials. An remote unauthenticated attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service. | -- | Aug 29, 2023 |
CVE-2023-38025 | SpotCam Co., Ltd. SpotCam FHD 2’s hidden Telnet function has a vulnerability of OS command injection. An remote unauthenticated attacker can exploit this vulnerability to execute command injection attack to arbitrary system commands or disrupt service. | -- | Aug 29, 2023 |
CVE-2023-38026 | SpotCam Co., Ltd. SpotCam FHD 2 has a vulnerability of using hard-coded uBoot credentials. An remote attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service. | -- | Aug 29, 2023 |
CVE-2023-3470 | Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. The predictable nature of the password allows an authenticated user with TMSH access to the BIG-IP system, or anyone with physical access to the FIPS HSM, the information required to generate the correct password. On vCMP systems, all Guests share the same deterministic password, allowing those with TMSH access on one Guest to access keys of a different Guest. The following BIG-IP hardware platforms are affected: 10350v-F, i5820-DF, i7820-DF, i15820-DF, 5250v-F, 7200v-F, 10200v-F, 6900-F, 8900-F, 11000-F, and 11050-F. The BIG-IP rSeries r5920-DF and r10920-DF are not affected, nor does the issue affect software FIPS implementations or network HSM configurations. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | -- | Aug 2, 2023 |