The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2023-6593 | Client side permission bypass in Devolutions Remote Desktop Manager 2023.3.4.0 and earlier on iOS allows an attacker that has access to the application to execute entries in a SQL data source without restriction. | -- | Dec 12, 2023 | n/a |
CVE-2023-31183 | Cybonet PineApp Mail Secure A reflected cross-site scripting (XSS) vulnerability was identified in the product, using an unspecified endpoint. | -- | May 11, 2023 | n/a |
CVE-2023-31182 | EasyTor Applications – Authorization Bypass - EasyTor Applications may allow authorization bypass via unspecified method. | -- | May 9, 2023 | n/a |
CVE-2023-45237 | EDK2\'s Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. | -- | Jan 16, 2024 | n/a |
CVE-2023-45236 | EDK2\'s Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. | -- | Jan 16, 2024 | n/a |
CVE-2023-42490 | EisBaer Scada - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | -- | Oct 25, 2023 | n/a |
CVE-2023-5575 | Improper access control in the permission inheritance in Devolutions Server 2022.3.13.0 and earlier allows an attacker that compromised a low privileged user to access entries via a specific combination of permissions in the entry and in its parent. | -- | Oct 16, 2023 | n/a |
CVE-2023-27857 | In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field in Rockwell Automation\'s ThinManager ThinServer. An unauthenticated remote attacker can exploit this vulnerability to crash ThinServer.exe due to a read access violation. | -- | Mar 22, 2023 | n/a |
CVE-2023-35663 | In Init of protocolnetadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | Oct 19, 2023 | n/a |
CVE-2023-7242 | Industrial Control Systems Network Protocol Parsers (ICSNPP) - Ethercat Zeek Plugin versions d78dda6 and prior are vulnerable to out-of-bounds read during the process of analyzing a specific Ethercat packet. This could allow an attacker to crash the Zeek process and leak some information in memory. | -- | Mar 1, 2024 | n/a |
CVE-2023-30797 | Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur. | -- | Apr 20, 2023 | n/a |
CVE-2023-39378 | SiberianCMS - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') by an unauthenticated user | -- | Sep 27, 2023 | n/a |
CVE-2022-3161 | The APDFL.dll contains a memory corruption vulnerability while parsing specially crafted PDF files. This could allow an attacker to execute code in the context of the current process. | -- | Jan 13, 2023 | n/a |
CVE-2023-45228 | The application suffers from improper access control when editing users. A user with read permissions can manipulate users, passwords, and permissions by sending a single HTTP POST request with modified parameters. | -- | Oct 26, 2023 | n/a |
CVE-2023-3243 | ** UNSUPPORTED WHEN ASSIGNED ** [An attacker can capture an authenticating hash and utilize it to create new sessions. The hash is also a poorly salted MD5 hash, which could result in a successful brute force password attack. Impacted product is BCM-WEB version 3.3.X. Recommended fix: Upgrade to a supported product such as Alerton ACM.] Out of an abundance of caution, this CVE ID is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. | -- | Jun 29, 2023 | n/a |
CVE-2023-37221 | 7Twenty BOT - CWE-79: Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\'). | -- | Sep 4, 2023 | n/a |
CVE-2023-4212 | ?A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick. | -- | Aug 22, 2023 | n/a |
CVE-2023-3395 | ?All versions of the TWinSoft Configuration Tool store encrypted passwords as plaintext in memory. An attacker with access to system files could open a file to load the document into memory, including sensitive information associated with document, such as password. The attacker could then obtain the plaintext password by using a memory viewer. | -- | Jul 7, 2023 | n/a |
CVE-2023-30765 | ?Delta Electronics InfraSuite Device Master versions prior to 1.0.7 contain improper access controls that could allow an attacker to alter privilege management configurations, resulting in privilege escalation. | -- | Jul 11, 2023 | n/a |
CVE-2023-4296 | ?If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device. | -- | Aug 29, 2023 | n/a |
CVE-2023-36610 | ?The affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of the token are generated using predictable time-based values. An attacker with this knowledge could successfully brute force the token and authenticate themselves. | -- | Jul 7, 2023 | n/a |
CVE-2023-41821 | A an improper export vulnerability was reported in the Motorola Setup application that could allow a local attacker to read sensitive user information. | -- | May 3, 2024 | n/a |
CVE-2023-21407 | A broken access control was found allowing for privileged escalation of the operator account to gain administrator privileges. | -- | Aug 3, 2023 | n/a |
CVE-2024-22472 | A buffer Overflow vulnerability in Silicon Labs 500 Series Z-Wave devices may allow Denial of Service, and potential Remote Code execution This issue affects all versions of Silicon Labs 500 Series SDK prior to v6.85.2 running on Silicon Labs 500 series Z-wave devices. | -- | May 7, 2024 | n/a |
CVE-2024-0213 | A buffer overflow vulnerability in TA for Linux and TA for MacOS prior to 5.8.1 allows a local user to gain elevated permissions, or cause a Denial of Service (DoS), through exploiting a memory corruption issue in the TA service, which runs as root. This may also result in the disabling of event reporting to ePO, caused by failure to validate input from the file correctly. | -- | Jan 9, 2024 | n/a |
CVE-2024-3286 | A buffer overflow vulnerability was identified in some Lenovo printers that could allow an unauthenticated user to trigger a device restart by sending a specially crafted web request. | -- | May 16, 2024 | n/a |
CVE-2024-23594 | A buffer overflow vulnerability was reported in a system recovery bootloader that was part of the Lenovo preloaded Windows 7 and 8 operating systems from 2012 to 2014 that could allow a privileged attacker with local access to execute arbitrary code. | -- | Apr 15, 2024 | n/a |
CVE-2022-4312 | A cleartext storage of sensitive information vulnerability exists in PcVue versions 8.10 through 15.2.3. This could allow an unauthorized user with access the email and short messaging service (SMS) accounts configuration files to discover the associated simple mail transfer protocol (SMTP) account credentials and the SIM card PIN code. Successful exploitation of this vulnerability could allow an unauthorized user access to the underlying email account and SIM card. | -- | Dec 15, 2022 | n/a |
CVE-2023-3665 | A code injection vulnerability in Trellix ENS 10.7.0 April 2023 release and earlier, allowed a local user to disable the ENS AMSI component via environment variables, leading to denial of service and or the execution of arbitrary code. | -- | Oct 4, 2023 | n/a |
CVE-2024-1367 | A command injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Logging parameters, which could lead to the execution of arbitrary code on the Security Center host. | -- | Feb 15, 2024 | n/a |
CVE-2023-0976 | A command Injection Vulnerability in TA for mac-OS prior to version 5.7.9 allows local users to place an arbitrary file into the /Library/Trellix/Agent/bin/ folder. The malicious file is executed by running the TA deployment feature located in the System Tree. | -- | Jun 8, 2023 | n/a |
CVE-2023-0978 | A command injection vulnerability in Trellix Intelligent Sandbox CLI for version 5.2 and earlier, allows a local user to inject and execute arbitrary operating system commands using specially crafted strings. This vulnerability is due to insufficient validation of arguments that are passed to specific CLI command. The vulnerability allows the attack | -- | Mar 17, 2023 | n/a |
CVE-2024-2659 | A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute system commands when performing a specific administrative function. | -- | Apr 15, 2024 | n/a |
CVE-2023-4855 | A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute unauthorized commands via IPMI. | -- | Apr 15, 2024 | n/a |
CVE-2024-21601 | A Concurrent Execution using Shared Resource with Improper Synchronization (\'Race Condition\') vulnerability in the Flow-processing Daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (Dos). On SRX Series devices when two different threads try to simultaneously process a queue which is used for TCP events flowd will crash. One of these threads can not be triggered externally, so the exploitation of this race condition is outside the attackers direct control. Continued exploitation of this issue will lead to a sustained DoS. This issue affects Juniper Networks Junos OS: * 21.2 versions earlier than 21.2R3-S5; * 21.3 versions earlier than 21.3R3-S5; * 21.4 versions earlier than 21.4R3-S4; * 22.1 versions earlier than 22.1R3-S3; * 22.2 versions earlier than 22.2R3-S1; * 22.3 versions earlier than 22.3R2-S2, 22.3R3; * 22.4 versions earlier than 22.4R2-S1, 22.4R3. This issue does not affect Juniper Networks Junos OS versions earlier than 21.2R1. | -- | Jan 12, 2024 | n/a |
CVE-2024-0310 | A content-security-policy vulnerability in ENS Control browser extension prior to 10.7.0 Update 15 allows a remote attacker to alter the response header parameter setting to switch the content security policy into report-only mode, allowing an attacker to bypass the content-security-policy configuration. | -- | Jan 10, 2024 | n/a |
CVE-2023-2444 | A cross site request forgery vulnerability exists in Rockwell Automation\'s FactoryTalk Vantagepoint. This vulnerability can be exploited in two ways. If an attacker sends a malicious link to a computer that is on the same domain as the FactoryTalk Vantagepoint server and a user clicks the link, the attacker could impersonate the legitimate user and send requests to the affected product. Additionally, if an attacker sends an untrusted link to a computer that is not on the same domain as the server and a user opens the FactoryTalk Vantagepoint website, enters credentials for the FactoryTalk Vantagepoint server, and clicks on the malicious link a cross site request forgery attack would be successful as well. | -- | May 11, 2023 | n/a |
CVE-2023-5444 | A Cross Site Request Forgery vulnerability in ePolicy Orchestrator prior to 5.10.0 CP1 Update 2 allows a remote low privilege user to successfully add a new user with administrator privileges to the ePO server. This impacts the dashboard area of the user interface. To exploit this the attacker must change the HTTP payload post submission, prior to it reaching the ePO server. | -- | Nov 17, 2023 | n/a |
CVE-2023-29024 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability. | -- | May 11, 2023 | n/a |
CVE-2023-29029 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
CVE-2023-29028 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
CVE-2023-29027 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
CVE-2023-29026 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
CVE-2023-29025 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
CVE-2023-29022 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page. | -- | May 11, 2023 | n/a |
CVE-2023-29031 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability. | -- | May 11, 2023 | n/a |
CVE-2023-29030 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability. | -- | May 11, 2023 | n/a |
CVE-2023-29023 | A cross site scripting vulnerability was discovered in Rockwell Automation\'s ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability. | -- | May 11, 2023 | n/a |
CVE-2023-31174 | A Cross-Site Request Forgery (CSRF) vulnerability in the Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20. | -- | Aug 31, 2023 | n/a |
CVE-2023-38423 | A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | -- | Aug 2, 2023 | n/a |