Total
29717 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-22600 | 1 Inhandnetworks | 4 Inrouter302, Inrouter302 Firmware, Inrouter615-s and 1 more | 2025-01-16 | 10 Critical |
| InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-284: Improper Access Control. They allow unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send and receive messages to and from that topic. This includes the ability to send GET/SET configuration commands, reboot commands, and push firmware updates. | ||||
| CVE-2022-43494 | 1 Ge | 1 Proficy Historian | 2025-01-16 | 7.5 High |
| An unauthorized user could be able to read any file on the system, potentially exposing sensitive information. | ||||
| CVE-2022-46331 | 1 Ge | 1 Proficy Historian | 2025-01-16 | 7.5 High |
| An unauthorized user could possibly delete any file on the system. | ||||
| CVE-2023-0451 | 1 Econolite | 1 Eos | 2025-01-16 | 7.5 High |
| Econolite EOS versions prior to 3.2.23 lack a password requirement for gaining “READONLY” access to log files and certain database and configuration files. One such file contains tables with MD5 hashes and usernames for all defined users in the control software, including administrators and technicians. | ||||
| CVE-2023-0348 | 1 Akuvox | 2 E11, E11 Firmware | 2025-01-16 | 7.5 High |
| Akuvox E11 allows direct SIP calls. No access control is enforced by the SIP servers, which could allow an attacker to contact any device within Akuvox to call any other device. | ||||
| CVE-2024-2047 | 1 Wpmet | 1 Elements Kit Elementor Addons | 2025-01-16 | 8.8 High |
| The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2023-1143 | 1 Deltaww | 1 Infrasuite Device Master | 2025-01-16 | 8.8 High |
| In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code. | ||||
| CVE-2023-0344 | 1 Akuvox | 2 E11, E11 Firmware | 2025-01-16 | 9.1 Critical |
| Akuvox E11 appears to be using a custom version of dropbear SSH server. This server allows an insecure option that by default is not in the official dropbear SSH server. | ||||
| CVE-2023-5719 | 1 Redlion | 3 Crimson, Da50a, Da70a | 2025-01-16 | 8.8 High |
| The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered. If the simplified password is not detected by the administrator, the device might be left in a vulnerable state as a result of more-easily compromised credentials. Note that passwords entered via the Crimson system web server do not suffer from this vulnerability. | ||||
| CVE-2024-2291 | 1 Progress | 1 Moveit Transfer | 2025-01-16 | 4.3 Medium |
| In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered. An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly. | ||||
| CVE-2024-34077 | 1 Mantisbt | 1 Mantisbt | 2025-01-16 | 7.3 High |
| MantisBT (Mantis Bug Tracker) is an open source issue tracker. Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and takeover their account, if the victim has an incomplete request pending. The exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password. A brute-force attack calling account_update.php with increasing user IDs is possible. A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to. Version 2.26.2 contains a patch for the issue. As a workaround, one may mitigate the risk by reducing the verification token's validity (change the value of the `TOKEN_EXPIRY_AUTHENTICATED` constant in `constants_inc.php`). | ||||
| CVE-2023-33355 | 1 Thecosy | 1 Icecms | 2025-01-16 | 7.5 High |
| IceCMS v1.0.0 has Insecure Permissions. There is unauthorized access to the API, resulting in the disclosure of sensitive information. | ||||
| CVE-2024-3499 | 1 Wpmet | 1 Elements Kit Elementor Addons | 2025-01-16 | 8.8 High |
| The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the generate_navigation_markup function of the Onepage Scroll module. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2021-46887 | 1 Huawei | 1 Emui | 2025-01-15 | 9.8 Critical |
| Lack of length check vulnerability in the HW_KEYMASTER module. Successful exploitation of this vulnerability may cause out-of-bounds read. | ||||
| CVE-2023-2882 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2025-01-15 | 9.8 Critical |
| Generation of Incorrect Security Tokens vulnerability in CBOT Chatbot allows Token Impersonation, Privilege Abuse.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | ||||
| CVE-2022-48478 | 1 Huawei | 1 Harmonyos | 2025-01-15 | 9.8 Critical |
| The facial recognition TA of some products lacks memory length verification. Successful exploitation of this vulnerability may cause exceptions of the facial recognition service. | ||||
| CVE-2024-22343 | 1 Ibm | 1 Txseries For Multiplatform | 2025-01-14 | 4 Medium |
| IBM TXSeries for Multiplatforms 8.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 280190. | ||||
| CVE-2023-32335 | 1 Ibm | 2 Maximo Application Suite, Maximo Asset Management | 2025-01-14 | 3.7 Low |
| IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 255075. | ||||
| CVE-2019-9513 | 12 Apache, Apple, Canonical and 9 more | 25 Traffic Server, Mac Os X, Swiftnio and 22 more | 2025-01-14 | 7.5 High |
| Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. | ||||
| CVE-2023-33192 | 1 Tweedegolf | 1 Ntpd-rs | 2025-01-14 | 7.5 High |
| ntpd-rs is an NTP implementation written in Rust. ntpd-rs does not validate the length of NTS cookies in received NTP packets to the server. An attacker can crash the server by sending a specially crafted NTP packet containing a cookie shorter than what the server expects. The server also crashes when it is not configured to handle NTS packets. The issue was caused by improper slice indexing. The indexing operations were replaced by safer alternatives that do not crash the ntpd-rs server process but instead properly handle the error condition. A patch was released in version 0.3.3. | ||||