Export limit exceeded: 12138 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12138 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-34091 | 1 Nirmata | 1 Kyverno | 2025-01-08 | 6.5 Medium |
| Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation occurs as resources pending deletion were being consciously exempted by Kyverno, as a way to reduce processing load as policies are typically not applied to objects which are being deleted. However, this could potentially result in allowing a malicious user to leverage the Kubernetes finalizers feature by setting a finalizer which causes the Kubernetes API server to set the `deletionTimestamp` and then not completing the delete operation as a way to explicitly to bypass a Kyverno policy. Note that this is not applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround. | ||||
| CVE-2023-3095 | 1 Teampass | 1 Teampass | 2025-01-08 | 6.5 Medium |
| Improper Access Control in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | ||||
| CVE-2023-3069 | 1 Corebos | 1 Corebos | 2025-01-08 | 9.8 Critical |
| Unverified Password Change in GitHub repository tsolucio/corebos prior to 8. | ||||
| CVE-2023-3065 | 1 Mobatime | 1 Amxgt 100 | 2025-01-08 | 9.1 Critical |
| Improper Authentication vulnerability in Mobatime mobile application AMXGT100 allows Authentication Bypass.This issue affects Mobatime mobile application AMXGT100 through 1.3.20. | ||||
| CVE-2023-46601 | 1 Siemens | 1 Comos | 2025-01-08 | 9.6 Critical |
| A vulnerability has been identified in COMOS (All versions). The affected application lacks proper access controls in making the SQLServer connection. This could allow an attacker to query the database directly to access information that the user should not have access to. | ||||
| CVE-2023-43505 | 1 Siemens | 1 Comos | 2025-01-08 | 9.6 Critical |
| A vulnerability has been identified in COMOS (All versions). The affected application lacks proper access controls in SMB shares. This could allow an attacker to access files that the user should not have access to. | ||||
| CVE-2023-21670 | 1 Qualcomm | 364 315 5g Iot Modem, 315 5g Iot Modem Firmware, Aqt1000 and 361 more | 2025-01-07 | 7.8 High |
| Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode. | ||||
| CVE-2023-30948 | 1 Palantir | 1 Foundry Comments | 2025-01-07 | 6.5 Medium |
| A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a prior discovered attachment UUID into other arbitrary comments to discover it's content. This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time. | ||||
| CVE-2024-37147 | 1 Glpi-project | 1 Glpi | 2025-01-07 | 4.3 Medium |
| GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16. | ||||
| CVE-2023-38946 | 1 Multilaser | 2 Re160, Re160 Firmware | 2025-01-07 | 8.8 High |
| An issue in Multilaser RE160 firmware v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01 allows attackers to bypass the access control and gain complete access to the application via supplying a crafted cookie. | ||||
| CVE-2023-33553 | 1 Planet | 2 Wdrt-1800ax, Wdrt-1800ax Firmware | 2025-01-07 | 9.8 Critical |
| An issue in Planet Technologies WDRT-1800AX v1.01-CP21 allows attackers to bypass authentication and escalate privileges to root via manipulation of the LoginStatus cookie. | ||||
| CVE-2023-29152 | 1 Ptc | 1 Vuforia Studio | 2025-01-06 | 6.2 Medium |
| By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account. | ||||
| CVE-2023-24476 | 1 Ptc | 1 Vuforia Studio | 2025-01-06 | 1.8 Low |
| An attacker with local access to the machine could record the traffic, which could allow them to resend requests without the server authenticating that the user or session are valid. | ||||
| CVE-2023-34367 | 1 Microsoft | 1 Windows 7 | 2025-01-06 | 6.5 Medium |
| Windows 7 is vulnerable to a full blind TCP/IP hijacking attack. The vulnerability exists in Windows 7 (any Windows until Windows 8) and in any implementation of TCP/IP, which is vulnerable to the Idle scan attack (including many IoT devices). NOTE: The vendor considers this a low severity issue. | ||||
| CVE-2024-11211 | 1 Eyoucms | 1 Eyoucms | 2025-01-06 | 4.7 Medium |
| A vulnerability classified as critical has been found in EyouCMS up to 1.6.7. Affected is an unknown function of the component Website Logo Handler. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-32220 | 1 Milesight | 2 Ncr\/camera, Ncr\/camera Firmware | 2025-01-06 | 8.2 High |
| Milesight NCR/camera version 71.8.0.6-r5 allows authentication bypass through an unspecified method. | ||||
| CVE-2023-24546 | 1 Arista | 1 Cloudvision Portal | 2025-01-06 | 8.1 High |
| On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service. | ||||
| CVE-2023-51644 | 1 Alltena | 1 Allegra | 2025-01-03 | 7.3 High |
| Allegra SiteConfigAction Improper Access Control Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of Struts. The issue results from improper access control. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-22512. | ||||
| CVE-2023-34335 | 1 Ami | 1 Megarac Spx | 2025-01-03 | 7.7 High |
| AMI BMC contains a vulnerability in the IPMI handler, where an unauthenticated host is allowed to write to a host SPI flash, bypassing secure boot protections. An exploitation of this vulnerability may lead to a loss of integrity or denial of service. | ||||
| CVE-2023-30762 | 1 Kbdevice | 12 Kb-ahr04d, Kb-ahr04d Firmware, Kb-ahr08d and 9 more | 2025-01-03 | 9.8 Critical |
| Improper authentication vulnerability exists in KB-AHR series and KB-IRIP series. If this vulnerability is exploited, an arbitrary OS command may be executed on the product or the device settings may be altered. Affected products and versions are as follows: KB-AHR04D versions prior to 91110.1.101106.78, KB-AHR08D versions prior to 91210.1.101106.78, KB-AHR16D versions prior to 91310.1.101106.78, KB-IRIP04A versions prior to 95110.1.100290.78A, KB-IRIP08A versions prior to 95210.1.100290.78A, and KB-IRIP16A versions prior to 95310.1.100290.78A. | ||||