Total
13187 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-39386 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 7.5 High |
| Vulnerability of input parameters being not strictly verified in the PMS module. Successful exploitation of this vulnerability may cause newly installed apps to fail to restart. | ||||
| CVE-2023-39382 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 7.5 High |
| Input verification vulnerability in the audio module. Successful exploitation of this vulnerability may cause virtual machines (VMs) to restart. | ||||
| CVE-2023-39381 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 7.5 High |
| Input verification vulnerability in the storage module. Successful exploitation of this vulnerability may cause the device to restart. | ||||
| CVE-2023-39251 | 1 Dell | 26 Inspiron 7510, Inspiron 7510 Firmware, Inspiron 7610 and 23 more | 2024-11-21 | 6.7 Medium |
| Dell BIOS contains an Improper Input Validation vulnerability. A local malicious user with high privileges could potentially exploit this vulnerability in order to corrupt memory on the system. | ||||
| CVE-2023-39209 | 1 Zoom | 1 Zoom | 2024-11-21 | 5.9 Medium |
| Improper input validation in Zoom Desktop Client for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via network access. | ||||
| CVE-2023-39208 | 1 Zoom | 1 Zoom | 2024-11-21 | 6.5 Medium |
| Improper input validation in Zoom Desktop Client for Linux before version 5.15.10 may allow an unauthenticated user to conduct a denial of service via network access. | ||||
| CVE-2023-39137 | 1 Archive Project | 1 Archive | 2024-11-21 | 7.8 High |
| An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing. | ||||
| CVE-2023-38802 | 5 Debian, Fedoraproject, Frrouting and 2 more | 9 Debian Linux, Fedora, Frrouting and 6 more | 2024-11-21 | 7.5 High |
| FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote attacker to cause a denial of service via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation). | ||||
| CVE-2023-38737 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 5.9 Medium |
| IBM WebSphere Application Server Liberty 22.0.0.13 through 23.0.0.7 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 262567. | ||||
| CVE-2023-38704 | 1 Datadoghq | 1 Import-in-the-middle | 2024-11-21 | 8.1 High |
| import-in-the-middle is a module loading interceptor specifically for ESM modules. The import-in-the-middle loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. Prior to version 1.4.2, it allows for remote code execution in cases where an application passes user-supplied input directly to the `import()` function. This vulnerability has been patched in import-in-the-middle version 1.4.2. Some workarounds are available. Do not pass any user-supplied input to `import()`. Instead, verify it against a set of allowed values. If using import-in-the-middle, directly or indirectly, and support for EcmaScript Modules is not needed, ensure that no options are set, either via command-line or the `NODE_OPTIONS` environment variable, that would enable loader hooks. | ||||
| CVE-2023-38701 | 1 Iohk | 1 Hydra | 2024-11-21 | 9.1 Critical |
| Hydra is the layer-two scalability solution for Cardano. Users of the Hydra head protocol send the UTxOs they wish to commit into the Hydra head first to the `commit` validator, where they remain until they are either collected into the `head` validator or the protocol initialisation is aborted and the value in the committed UTxOs is returned to the users who committed them. Prior to version 0.12.0, the `commit` validator contains a flawed check when the `ViaAbort` redeemer is used, which allows any user to spend any UTxO which is at the validator arbitrarily, meaning an attacker can steal the funds that users are trying to commit into the head validator. The intended behavior is that the funds must be returned to the user which committed the funds and can only be performed by a participant of the head. The `initial` validator also is similarly affected as the same flawed check is performed for the `ViaAbort` redeemer. Due to this issue, an attacker can steal any funds that user's try to commit into a Hydra head. Also, an attacker can prevent any Hydra head from being successfully opened. It does not allow an attacker to take funds which have been successfully collected into and currently reside in the `head` validator. Version 0.12.0 contains a fix for this issue. | ||||
| CVE-2023-38690 | 2 Matrix, Matrix-org | 2 Matrix Irc Bridge, Matrix-appservice-irc | 2024-11-21 | 5.8 Medium |
| matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge bot. Versions 1.0.1 and above are patched. There are no robust workarounds to the bug. One may disable dynamic channels in the config to disable the most common execution method but others may exist. | ||||
| CVE-2023-38502 | 1 Tdengine | 1 Tdengine | 2024-11-21 | 6.5 Medium |
| TDengine is an open source, time-series database optimized for Internet of Things devices. Prior to version 3.0.7.1, TDengine DataBase crashes on UDF nested query. This issue affects TDengine Databases which let users connect and run arbitrary queries. Version 3.0.7.1 has a patch for this issue. | ||||
| CVE-2023-38495 | 2 Cncf, Crossplane | 2 Crossplane, Crossplane | 2024-11-21 | 8.4 High |
| Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only. | ||||
| CVE-2023-38131 | 4 Apple, Google, Intel and 1 more | 4 Iphone Os, Android, Unison Software and 1 more | 2024-11-21 | 6.5 Medium |
| Improper input validationation for some Intel Unison software may allow an authenticated user to potentially enable denial of service via network access. | ||||
| CVE-2023-38057 | 1 Otrs | 1 Survey | 2024-11-21 | 4.1 Medium |
| An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent. This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22. | ||||
| CVE-2023-37948 | 1 Jenkins | 1 Cloud Infrastructure Compute | 2024-11-21 | 3.7 Low |
| Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not validate SSH host keys when connecting OCI clouds, enabling man-in-the-middle attacks. | ||||
| CVE-2023-37915 | 1 Objectcomputing | 1 Opendds | 2024-11-21 | 7.5 High |
| OpenDDS is an open source C++ implementation of the Object Management Group (OMG) Data Distribution Service (DDS). OpenDDS crashes while parsing a malformed `PID_PROPERTY_LIST` in a DATA submessage during participant discovery. Attackers can remotely crash OpenDDS processes by sending a DATA submessage containing the malformed parameter to the known multicast port. This issue has been addressed in version 3.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-37833 | 1 Elenos | 2 Etg150, Etg150 Firmware | 2024-11-21 | 2.7 Low |
| Improper access control in Elenos ETG150 FM transmitter v3.12 allows attackers to make arbitrary configuration edits that are only accessed by privileged users. | ||||
| CVE-2023-37559 | 1 Codesys | 16 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 13 more | 2024-11-21 | 6.5 Medium |
| After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37558 | ||||