Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2023-31999 |
Description: All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it.
v7.2.0 changes the default behavior to store the state in a cookie with the http-only and same-site=lax attributes set. The state is now by default generated for every user. Note that this contains a breaking change in the checkStateFunction function, which now accepts the full Request object.
CVSS: LOW (0.0) EPSS Score: 0.15%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-31997 |
Description: UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Applicable Cloud Keys that are both (1) running UniFi OS 3.1 and (2) hosting the UniFi Network application. "Applicable Cloud Keys" include the following: Cloud Key Gen2 and Cloud Key Gen2 Plus.
CVSS: LOW (0.0) EPSS Score: 0.04%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-31543 |
|
|
CVE-2023-31492 |
|
|
CVE-2023-31293 |
Description: An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) 6.3.8.6 (#718), allows remote attackers to obtain sensitive information and bypass profile restriction via improper access control in the Reader system user's web browser, allowing the journal to be displayed, despite the option being disabled.
CVSS: LOW (0.0) EPSS Score: 0.07%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-31222 |
Description: Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic's Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization’s Paceart Optima system cardiac device causing data to be deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration via network connectivity.
CVSS: CRITICAL (9.8) EPSS Score: 0.11%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-3063 |
Description: The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber privileges or above, to change user passwords and potentially take over administrator accounts.
CVSS: HIGH (8.8) EPSS Score: 0.04%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-29487 |
Description: An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to cause a denial of service (DoS) via the Threat To Process Correlation threat prevention module. NOTE: Heimdal asserts this is not a valid vulnerability. Their DNS Security for Endpoint solution includes an optional feature to provide extra information on the originating process that made a DNS request. The lack of process identification in DNS logs is therefore falsely categorized as a DoS issue.
CVSS: LOW (0.0) EPSS Score: 0.06%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-29241 |
|
|
CVE-2023-29147 |
Description: In Malwarebytes EDR 1.0.11 for Linux, it is possible to bypass the detection layers that depend on inode identifiers, because an identifier may be reused when a file is replaced, and because two files on different filesystems can have the same identifier.
CVSS: LOW (0.0) EPSS Score: 0.04%
November 27th, 2024 (5 months ago)
|