The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2023-20560 | Insufficient validation of the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may allow a privileged attacker to provide a null value potentially resulting in a Windows crash leading to denial of service. | -- | Aug 15, 2023 |
| CVE-2023-5909 | KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect. | -- | Nov 30, 2023 |
| CVE-2023-47867 | MachineSense FeverWarn devices are configured as Wi-Fi hosts in a way that attackers within range could connect to the device\'s web services and compromise the device. | -- | Feb 1, 2024 |
| CVE-2023-38582 | Persistent cross-site scripting (XSS) in the web application of MOD3GP-SY-120K allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the field MAIL_RCV. When a legitimate user attempts to access to the vulnerable page of the web application, the XSS payload will be executed. | -- | Sep 19, 2023 |
| CVE-2023-35765 | PiiGAB M-Bus stores credentials in a plaintext file, which could allow a low-level user to gain admin credentials. | -- | Jul 7, 2023 |
| CVE-2023-32652 | PiiGAB M-Bus does not validate identification strings before processing, which could make it vulnerable to cross-site scripting attacks. | -- | Jul 7, 2023 |
| CVE-2023-3703 | Proscend Advice ICR Series routers FW version 1.76 - CWE-1392: Use of Default Credentials | -- | Sep 4, 2023 |
| CVE-2023-46663 | Sielco PolyEco1000 is vulnerable to an attacker bypassing authorization and accessing resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. | -- | Oct 26, 2023 |
| CVE-2023-40459 | The ACEManager component of ALEOS 4.16 and earlier does not adequately perform input sanitization during authentication, which could potentially result in a Denial of Service (DoS) condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by restarting within ten seconds of becoming unavailable. | -- | Dec 5, 2023 |
| CVE-2023-32281 | The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in the FontManager. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. | -- | Jun 6, 2023 |
| CVE-2023-41089 | The affected product is vulnerable to an improper authentication vulnerability, which may allow an attacker to impersonate a legitimate user as long as the device keeps the session active, since the attack takes advantage of the cookie header to generate legitimate requests. | -- | Oct 19, 2023 |
| CVE-2023-33222 | When handling contactless cards, usage of a specific function to get additional information from the card which doesn\'t check the boundary on the data received while reading. This allows a stack-based buffer overflow that could lead to a potential Remote Code Execution on the targeted device | -- | Dec 15, 2023 |
| CVE-2023-33221 | When reading DesFire keys, the function that reads the card isn\'t properly checking the boundaries when copying internally the data received. This allows a heap based buffer overflow that could lead to a potential Remote Code Execution on the targeted device. This is especially problematic if you use Default DESFire key. | -- | Dec 15, 2023 |
| CVE-2023-28412 | When supplied with a random MAC address, Snap One OvrC cloud servers will return information about the device. The MAC address of devices can be enumerated in an attack and the OvrC cloud will disclose their information. | -- | May 23, 2023 |
| CVE-2023-1288 | An XML External Entity injection (XXE) vulnerability in ENOVIA Live Collaboration V6R2013xE allows an attacker to read local files on the server. | -- | Mar 9, 2023 |
| CVE-2022-43378 | A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause the user to be tricked into performing unintended actions when external address frames are not properly restricted. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior) | -- | Apr 18, 2023 |
| CVE-2023-25549 | A CWE-94: Improper Control of Generation of Code (\'Code Injection\') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | -- | Apr 18, 2023 |
| CVE-2023-45213 | A potential attacker with access to the Westermo Lynx device would be able to execute malicious code that could affect the correct functioning of the device. | -- | Feb 7, 2024 |
| CVE-2023-37294 | AMI’s SPx contains a vulnerability in the BMC where an Attacker may cause a heap memory corruption via an adjacent network. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. | -- | Jan 10, 2024 |
| CVE-2023-22846 | Datakit CrossCadWare_x64.dll contains an out-of-bounds read past the end of an allocated buffer while parsing a specially crafted SLDPRT file. This vulnerability could allow an attacker to disclose sensitive information. | -- | Apr 21, 2023 |
| CVE-2023-1145 | Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution. | -- | Mar 30, 2023 |
| CVE-2023-33220 | During the retrofit validation process, the firmware doesn\'t properly check the boundaries while copying some attributes to check. This allows a stack-based buffer overflow that could lead to a potential Remote Code Execution on the targeted device | -- | Dec 15, 2023 |
| CVE-2023-43609 | In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition. | -- | Feb 15, 2024 |
| CVE-2023-34394 | In Keysight Geolocation Server v2.4.2 and prior, an attacker could upload a specially crafted malicious file or delete any file or directory with SYSTEM privileges due to an improper path validation, which could result in local privilege escalation or a denial-of-service condition. | -- | Jul 20, 2023 |
| CVE-2023-38584 | In Weintek\'s cMT3000 HMI Web CGI device, the cgi-bin command_wb.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login authentication. | -- | Oct 19, 2023 |
| CVE-2023-20564 | Insufficient validation in the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may permit a privileged attacker to perform memory reads/writes potentially leading to a loss of confidentiality or arbitrary kernel execution. | -- | Aug 15, 2023 |
| CVE-2023-20561 | Insufficient validation of the IOCTL (Input Output Control) input buffer in AMD ?Prof may allow an authenticated user to send an arbitrary address potentially resulting in a Windows crash leading to denial of service. | -- | Aug 8, 2023 |
| CVE-2023-49115 | MachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users. | -- | Feb 1, 2024 |
| CVE-2023-25522 | NVIDIA DGX A100/A800 contains a vulnerability in SBIOS where an attacker may cause improper input validation by providing configuration information in an unexpected format. A successful exploit of this vulnerability may lead to denial of service, information disclosure, and data tampering. | -- | Jul 10, 2023 |
| CVE-2023-35987 | PiiGAB M-Bus contains hard-coded credentials which it uses for authentication. | -- | Jul 7, 2023 |
| CVE-2021-22636 | Texas Instruments TI-RTOS, when configured to use HeapMem heap(default), malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in \'HeapMem_allocUnprotected\' and result in code execution. | -- | Nov 20, 2023 |
| CVE-2023-39446 | Thanks to the weaknesses that the web application has at the user management level, an attacker could obtain the information from the headers that is necessary to create specially designed URLs and originate malicious actions when a legitimate user is logged into the web application. | -- | Sep 19, 2023 |
| CVE-2023-29503 | The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. | -- | Jun 6, 2023 |
| CVE-2023-36853 | ?In Keysight Geolocation Server v2.4.2 and prior, a low privileged attacker could create a local ZIP file containing a malicious script in any location. The attacker could abuse this to load a DLL with SYSTEM privileges. | -- | Jul 20, 2023 |
| CVE-2023-5399 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using the File Command. | -- | Oct 4, 2023 |
| CVE-2022-43377 | A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover when a brute force attack is performed on the account. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior) | -- | Apr 18, 2023 |
| CVE-2023-25554 | A CWE-78: Improper Neutralization of Special Elements used in an OS Command (\'OS Command Injection\') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | -- | Apr 18, 2023 |
| CVE-2023-37198 | A CWE-94: Improper Control of Generation of Code (\'Code Injection\') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages. | -- | Jul 12, 2023 |
| CVE-2023-45735 | A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device. | -- | Feb 7, 2024 |
| CVE-2023-6689 | A successful CSRF attack could force the user to perform state changing requests on the application. If the victim is an administrative account, a CSRF attack could compromise the entire web application. | -- | Dec 20, 2023 |
| CVE-2023-37295 | AMI’s SPx contains a vulnerability in the BMC where an Attacker may cause a heap memory corruption via an adjacent network. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. | -- | Jan 10, 2024 |
| CVE-2023-50704 | An attacker could construct a URL within the application that causes a redirection to an arbitrary external domain and could be leveraged to facilitate phishing attacks against application users. | -- | Dec 20, 2023 |
| CVE-2024-21612 | An Improper Handling of Syntactically Invalid Structure vulnerability in Object Flooding Protocol (OFP) service of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). On all Junos OS Evolved platforms, when specific TCP packets are received on an open OFP port, the OFP crashes leading to a restart of Routine Engine (RE). Continuous receipt of these specific TCP packets will lead to a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS Evolved * All versions earlier than 21.2R3-S7-EVO; * 21.3 versions earlier than 21.3R3-S5-EVO ; * 21.4 versions earlier than 21.4R3-S5-EVO; * 22.1 versions earlier than 22.1R3-S4-EVO; * 22.2 versions earlier than 22.2R3-S3-EVO ; * 22.3 versions earlier than 22.3R3-EVO; * 22.4 versions earlier than 22.4R2-EVO, 22.4R3-EVO. | -- | Jan 12, 2024 |
| CVE-2023-37216 | AnaSystem SensMini M4 – Using the configuration tool, an authenticated user can cause Denial of Service for the device | -- | Jul 31, 2023 |
| CVE-2023-25848 | ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed. | -- | Aug 26, 2023 |
| CVE-2023-22354 | Datakit CrossCadWare_x64.dll contains an out-of-bounds read past the end of an allocated buffer while parsing a specially crafted SLDPRT file. This vulnerability could allow an attacker to disclose sensitive information. | -- | Apr 21, 2023 |
| CVE-2022-3089 | Echelon SmartServer 2.2 with i.LON Vision 2.2 stores cleartext credentials in a file, which could allow an attacker to obtain cleartext usernames and passwords of the SmartServer. If the attacker obtains the file, then the credentials could be used to control the web user interface and file transfer protocol (FTP) server. | -- | Feb 13, 2023 |
| CVE-2023-32274 | Enphase Installer Toolkit versions 3.27.0 has hard coded credentials embedded in binary code in the Android application. An attacker can exploit this and gain access to sensitive information. | -- | Jun 20, 2023 |
| CVE-2023-6929 | EuroTel ETL3100 versions v01c01 and v01x37 are vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization, access the hidden resources on the system, and execute privileged functionalities. | -- | Dec 19, 2023 |
| CVE-2023-37222 | Farsight Tech Nordic AB ProVide version 14.5 - Multiple XSS vulnerabilities (CWE-79) can be exploited by a user with administrator privilege. | -- | Sep 4, 2023 |
