Threat and Vulnerability Intelligence Database

CVE-2024-11484

Description: A vulnerability classified as critical was found in Code4Berry Decoration Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /decoration/admin/update_image.php of the component User Image Handler. The manipulation of the argument productimage1 leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. A critical vulnerability was discovered in Code4Berry Decoration Management System 1.0. It affects unknown code of the file /decoration/admin/update_image.php of the component User Image Handler. By manipulating the argument productimage1 with unknown data, an improper access controls vulnerability can be exploited. The attack can be carried out over the network. The exploit is publicly available.

CVSS: MEDIUM (5.3)

EPSS Score: 0.06%

Source: CVE
December 3rd, 2024 (5 months ago)

CVE-2024-0967

Description: A potential vulnerability has been identified in OpenText / Micro Focus ArcSight Enterprise Security Manager (ESM). The vulnerability could be remotely exploited.

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

Source: CVE
December 3rd, 2024 (5 months ago)

CVE-2023-6459

Description: Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.

CVSS: MEDIUM (5.3)

EPSS Score: 0.06%

Source: CVE
December 3rd, 2024 (5 months ago)

CVE-2023-6061

Description: Multiple components of Iconics SCADA Suite are prone to a Phantom DLL loading vulnerability. This issue arises from the applications improperly searching for and loading dynamic link libraries, potentially allowing an attacker to execute malicious code via a DLL with a matching name in an accessible search path. The affected components are:
* MMXFax.exe
* winfax.dll
* MelSim2ComProc.exe
* Sim2ComProc.dll
* MMXCall_in.exe
* libdxxmt.dll
* libsrlmt.dll

CVSS: MEDIUM (6.6)

EPSS Score: 0.04%

Source: CVE
December 3rd, 2024 (5 months ago)

CVE-2023-5797

Description: An improper privilege management vulnerability in the debug CLI command of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, VPN series firmware versions 4.30 through 5.37, NWA50AX firmware version 6.29(ABYW.2), WAC500 firmware version 6.65(ABVS.1), WAX300H firmware version 6.60(ACHF.1), and WBE660S firmware version 6.65(ACGG.1), could allow an authenticated local attacker to access the administrator’s logs on an affected device.

CVSS: MEDIUM (5.5)

EPSS Score: 0.04%

Source: CVE
December 3rd, 2024 (5 months ago)

CVE-2023-49922

Description: An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in their own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Beats or Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Beats or Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16, which prevent this issue by limiting these types of logs to DEBUG level logging, which is disabled by default.

CVSS: MEDIUM (6.8)

EPSS Score: 0.06%

Source: CVE
December 3rd, 2024 (5 months ago)

CVE-2023-42564

Description: Improper access control in the knoxcustom service prior to SMR Dec-2023 Release 1 allows an attacker to send a broadcast with system privilege.

CVSS: MEDIUM (6.6)

EPSS Score: 0.04%

Source: CVE
December 3rd, 2024 (5 months ago)

CVE-2023-42558

Description: An out-of-bounds write vulnerability in HDCP in the HAL prior to SMR Dec-2023 Release 1 allows an attacker to perform code execution.

CVSS: MEDIUM (6.0)

EPSS Score: 0.04%

Source: CVE
December 3rd, 2024 (5 months ago)

CVE-2023-41268

Description: An improper input validation vulnerability in Samsung Open Source Escargot allows a stack overflow and segmentation fault. This issue affects Escargot from 3.0.0 through 4.0.0.

CVSS: MEDIUM (5.3)

EPSS Score: 0.16%

Source: CVE
December 3rd, 2024 (5 months ago)

CVE-2023-34389

Description: An allocation of resources without limits or throttling vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote authenticated attacker to make the system unavailable for an indefinite amount of time. See product Instruction Manual Appendix A dated 20230830 for more details.

CVSS: MEDIUM (4.5)

EPSS Score: 0.09%

Source: CVE
December 3rd, 2024 (5 months ago)