Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2023-46646
Description: Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected GitHub Enterprise Server version 3.7.0 and above and was fixed in version 3.17.19, 3.8.12, 3.9.7 3.10.4, and 3.11.0.

CVSS: MEDIUM (5.3)

EPSS Score: 0.08%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-36748
Description: A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM ROX RX1501 (All versions < V2.16.0), RUGGEDCOM ROX RX1510 (All versions < V2.16.0), RUGGEDCOM ROX RX1511 (All versions < V2.16.0), RUGGEDCOM ROX RX1512 (All versions < V2.16.0), RUGGEDCOM ROX RX1524 (All versions < V2.16.0), RUGGEDCOM ROX RX1536 (All versions < V2.16.0), RUGGEDCOM ROX RX5000 (All versions < V2.16.0). The affected devices are configured to offer weak ciphers by default. This could allow an unauthorized attacker in a man-in-the-middle position to read and modify any data passed over to and from the affected device.

CVSS: MEDIUM (5.9)

EPSS Score: 0.11%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-35925
FastAsyncWorldEdit vulnerable to Uncontrolled Resource Consumption
Description: FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables the attacker to select a region with the `Infinity` keyword (case-sensitive!) and executes any operation. This has a possibility of bringing the performing server down. This issue has been fixed in version 2.6.3.

CVSS: MEDIUM (6.2)

EPSS Score: 0.04%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-34240
Weak passwords allowed in cloudexplorer-lite
Description: Cloudexplorer-lite is an open source cloud software stack. Weak passwords can be easily guessed and are an easy target for brute force attacks. This can lead to an authentication system failure and compromise system security. Versions of cloudexplorer-lite prior to 1.2.0 did not enforce strong passwords. This vulnerability has been fixed in version 1.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS: MEDIUM (6.5)

EPSS Score: 0.14%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-32728
Code injection in zabbix_agent2 smart.disk.get caused by smartctl plugin
Description: The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.

CVSS: MEDIUM (4.6)

EPSS Score: 0.24%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-28857
LDAP password leak in Apereo CAS - GHSL-2023-009
Description: Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as “ssl_client_cert”. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs check that this certificate is not revoked. To do so, it fetches URLs provided in the “CRL Distribution Points” extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for x509 authentication with a password, for example by setting a “cas.authn.x509.ldap.ldap-url” and “cas.authn.x509.ldap.bind-credential” properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP urls. When making requests to this LDAP urls, Apereo CAS uses the same password as for initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used to LDAP connection configured on server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS: MEDIUM (4.0)

EPSS Score: 0.13%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-23570
Description: Client-Side enforcement of Server-Side security for the Command Centre server could be bypassed and lead to invalid configuration with undefined behavior. This issue affects: Gallagher Command Centre 8.90 prior to vEL8.90.1620 (MR2), all versions of 8.80 and prior.

CVSS: MEDIUM (5.4)

EPSS Score: 0.07%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-23424
Description: Some Honor products are affected by file writing vulnerability, successful exploitation could cause code execution

CVSS: MEDIUM (6.5)

EPSS Score: 0.25%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-2232
Description: An issue has been discovered in GitLab affecting all versions starting from 15.10 before 16.1, leading to a ReDoS vulnerability in the Jira prefix

CVSS: MEDIUM (6.5)

EPSS Score: 0.12%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-1783
OrangeScrum 2.0.11 - AWS Credentials Leak via PDF Rendering
Description: OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content to be converted to PDF.

CVSS: MEDIUM (6.5)

EPSS Score: 0.11%

Source: CVE
November 28th, 2024 (5 months ago)