Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2023-32623 |
|
|
CVE-2023-32612 |
Description: Client-side enforcement of server-side security issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow an attacker with an administrative privilege to execute OS commands with the root privilege.
CVSS: LOW (0.0) EPSS Score: 0.1%
November 28th, 2024 (6 months ago)
|
|
CVE-2023-32224 |
Description: D-Link DSL-224 firmware version 3.0.10 CWE-307: Improper Restriction of Excessive Authentication Attempts
CVSS: CRITICAL (9.8) EPSS Score: 0.11%
November 28th, 2024 (6 months ago)
|
|
CVE-2023-32223 |
Description: D-Link DSL-224 firmware version 3.0.10 allows post authentication command execution via an unspecified method.
CVSS: HIGH (8.8) EPSS Score: 0.1%
November 28th, 2024 (6 months ago)
|
|
CVE-2023-32222 |
Description: D-Link DSL-G256DG version vBZ_1.00.27 web management interface allows authentication bypass via an unspecified method.
CVSS: CRITICAL (9.8) EPSS Score: 0.16%
November 28th, 2024 (6 months ago)
|
|
CVE-2023-3197 |
Description: The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
November 28th, 2024 (6 months ago)
|
|
CVE-2023-31936 |
|
|
CVE-2023-31137 |
Description: MaraDNS is open-source software that implements the Domain Name System (DNS). In version 3.5.0024 and prior, a remotely exploitable integer underflow vulnerability in the DNS packet decompression function allows an attacker to cause a Denial of Service by triggering an abnormal program termination.
The vulnerability exists in the `decomp_get_rddata` function within the `Decompress.c` file. When handling a DNS packet with an Answer RR of qtype 16 (TXT record) and any qclass, if the `rdlength` is smaller than `rdata`, the result of the line `Decompress.c:886` is a negative number `len = rdlength - total;`. This value is then passed to the `decomp_append_bytes` function without proper validation, causing the program to attempt to allocate a massive chunk of memory that is impossible to allocate. Consequently, the program exits with an error code of 64, causing a Denial of Service.
One proposed fix for this vulnerability is to patch `Decompress.c:887` by breaking `if(len <= 0)`, which has been incorporated in version 3.5.0036 via commit bab062bde40b2ae8a91eecd522e84d8b993bab58.
CVSS: HIGH (7.5) EPSS Score: 1.03%
November 28th, 2024 (6 months ago)
|
|
CVE-2023-30586 |
Description: A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVSS: LOW (0.0) EPSS Score: 0.08%
November 28th, 2024 (6 months ago)
|
|
CVE-2023-30259 |
|