Total
575 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-40178 | 2 Node-saml, Node Saml Project | 2 Node-saml, Node Saml | 2024-11-21 | 5.3 Medium |
| Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an expired LogoutRequest. In bigger contexts, if LogoutRequests are sent out in mass to different SPs, this could impact many users on a large scale. This issue was patched in version 4.0.5. | ||||
| CVE-2023-40012 | 1 Trailofbits | 1 Uthenticode | 2024-11-21 | 5.9 Medium |
| uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability. | ||||
| CVE-2023-39969 | 1 Trailofbits | 1 Uthenticode | 2024-11-21 | 9.1 Critical |
| uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Version 1.0.9 of uthenticode hashed the entire file rather than hashing sections by virtual address, in violation of the Authenticode specification. As a result, an attacker could modify code within a binary without changing its Authenticode hash, making it appear valid from uthenticode's perspective. Versions of uthenticode prior to 1.0.9 are not vulnerable to this attack, nor are versions in the 2.x series. By design, uthenticode does not perform full-chain validation. However, the malleability of signature verification introduced in 1.0.9 was an unintended oversight. The 2.x series addresses the vulnerability. Versions prior to 1.0.9 are also not vulnerable, but users are encouraged to upgrade rather than downgrade. There are no workarounds to this vulnerability. | ||||
| CVE-2023-39393 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 7.5 High |
| Vulnerability of insecure signatures in the ServiceWifiResources module. Successful exploitation of this vulnerability may cause ServiceWifiResources to be maliciously modified and overwritten. | ||||
| CVE-2023-39392 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 7.5 High |
| Vulnerability of insecure signatures in the OsuLogin module. Successful exploitation of this vulnerability may cause OsuLogin to be maliciously modified and overwritten. | ||||
| CVE-2023-39211 | 1 Zoom | 2 Rooms, Zoom | 2024-11-21 | 8.8 High |
| Improper privilege management in Zoom Desktop Client for Windows and Zoom Rooms for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via local access. | ||||
| CVE-2023-38418 | 1 F5 | 2 Access Policy Manager Clients, Big-ip Access Policy Manager | 2024-11-21 | 7.8 High |
| The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2023-33959 | 1 Notaryproject | 1 Notation-go | 2024-11-21 | 8.4 High |
| notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries. | ||||
| CVE-2023-33768 | 1 Belkin | 2 Wemo Smart Plug Wsp080, Wemo Smart Plug Wsp080 Firmware | 2024-11-21 | 6.5 Medium |
| Incorrect signature verification of the firmware during the Device Firmware Update process of Belkin Wemo Smart Plug WSP080 v1.2 allows attackers to cause a Denial of Service (DoS) via a crafted firmware file. | ||||
| CVE-2023-28804 | 1 Zscaler | 1 Client Connector | 2024-11-21 | 8.2 High |
| An Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows replacing binaries.This issue affects Linux Client Connector: before 1.4.0.105 | ||||
| CVE-2023-28801 | 1 Zscaler | 1 Zscaler Internet Access Admin Portal | 2024-11-21 | 9.6 Critical |
| An Improper Verification of Cryptographic Signature in the SAML authentication of the Zscaler Admin UI allows a Privilege Escalation.This issue affects Admin UI: from 6.2 before 6.2r. | ||||
| CVE-2023-23773 | 1 Motorola | 5 Ebts Base Radio, Ebts Base Radio Firmware, Ebts Mbts Base Radio and 2 more | 2024-11-21 | 7.2 High |
| Motorola EBTS/MBTS Base Radio fails to check firmware authenticity. The Motorola MBTS Base Radio lacks cryptographic signature validation for firmware update packages, allowing an authenticated attacker to gain arbitrary code execution, extract secret key material, and/or leave a persistent implant on the device. | ||||
| CVE-2023-23772 | 1 Motorola | 2 Mbts Site Controller, Mbts Site Controller Firmware | 2024-11-21 | 7.2 High |
| Motorola MBTS Site Controller fails to check firmware update authenticity. The Motorola MBTS Site Controller lacks cryptographic signature validation for firmware update packages, allowing an authenticated attacker to gain arbitrary code execution, extract secret key material, and/or leave a persistent implant on the device. | ||||
| CVE-2023-23436 | 1 Hihonor | 1 Magic Os | 2024-11-21 | 7.3 High |
| Some Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file | ||||
| CVE-2023-23435 | 1 Hihonor | 1 Magic Os | 2024-11-21 | 4 Medium |
| Some Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file | ||||
| CVE-2023-23433 | 1 Hihonor | 2 Nth-an00, Nth-an00 Firmware | 2024-11-21 | 4 Medium |
| Some Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file. | ||||
| CVE-2023-23431 | 1 Hihonor | 2 Nth-an00, Nth-an00 Firmware | 2024-11-21 | 7.3 High |
| Some Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file. | ||||
| CVE-2023-20900 | 7 Debian, Fedoraproject, Linux and 4 more | 12 Debian Linux, Fedora, Linux Kernel and 9 more | 2024-11-21 | 7.1 High |
| A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . | ||||
| CVE-2023-20236 | 1 Cisco | 53 8201, 8202, 8208 and 50 more | 2024-11-21 | 6.7 Medium |
| A vulnerability in the iPXE boot function of Cisco IOS XR software could allow an authenticated, local attacker to install an unverified software image on an affected device. This vulnerability is due to insufficient image verification. An attacker could exploit this vulnerability by manipulating the boot parameters for image verification during the iPXE boot process on an affected device. A successful exploit could allow the attacker to boot an unverified software image on the affected device. | ||||
| CVE-2023-20135 | 1 Cisco | 1 Ios Xr | 2024-11-21 | 5.7 Medium |
| A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system. This vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is performed during an install operation that uses an ISO image. An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install requests in parallel. A successful exploit could allow the attacker to execute arbitrary code on an affected device. | ||||