CVE-2023-41900 |
Description: Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
CVSS: LOW (3.5) EPSS Score: 0.17%
November 28th, 2024 (5 months ago)
|
CVE-2023-39978 |
|
CVE-2023-39018 |
Description: FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple third parties because there are no realistic use cases in which FFmpeg.java uses untrusted input for the path of the executable file.
CVSS: LOW (0.0) EPSS Score: 0.25%
November 28th, 2024 (5 months ago)
|
CVE-2023-38552 |
Description: When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check.
Impacts:
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and 20.x.
Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
CVSS: LOW (0.0) EPSS Score: 1.53%
November 28th, 2024 (5 months ago)
|
CVE-2023-38403 |
|
CVE-2023-37306 |
|
CVE-2023-37303 |
Description: An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In certain situations, an attempt to block a user fails after a temporary browser hang and a DBQueryDisconnectedError error message.
CVSS: LOW (0.0) EPSS Score: 0.25%
November 28th, 2024 (5 months ago)
|
CVE-2023-37301 |
|
CVE-2023-37300 |
|
CVE-2023-37299 |
|