
CVEs Today

Latest Information on Common Vulnerabilities and Exposures (CVEs)

Last updated: September 13, 2024. 03:00:39 UTC


ID Description Modified References
CVE-2023-31133 Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack. Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are affected if running a Ghost version below v5.46.1; v5.46.1 contains a fix for this issue. As a workaround, block requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`. May 8, 2023. 21:15:00 [github.com][github.com]
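The workaround above is a request-filtering rule. The following is an added example (not Ghost's own code) that models it as a reusable check: it rejects a request only when the path is under /ghost/api/content/ and any `filter` value, after percent-decoding and lower-casing, mentions `password` or `email`. The function names and the sample URLs are constructed for this example; the NQL-style filter strings in them are illustrative, not taken from the advisory.

```python
"""Request filter for the CVE-2023-31133 workaround.

Added example, not Ghost's own code: it models the advisory's workaround of
blocking requests to /ghost/api/content/* whose `filter` query parameter
mentions `password` or `email`. The helper names and the sample URLs are
constructed for this example.
"""
from urllib.parse import parse_qs, unquote, urlsplit

CONTENT_API_PREFIX = "/ghost/api/content/"
SENSITIVE_FIELDS = ("password", "email")


def is_blocked_request(raw_url: str) -> bool:
    """Return True if the request should be rejected under the workaround.

    Checks are deliberately generous: the path and every `filter` value are
    percent-decoded (twice, to catch double encoding) and lower-cased, so
    `%70assword`, `%2570assword` or `PASSWORD` cannot slip past the block.
    """
    parts = urlsplit(raw_url)
    path = unquote(unquote(parts.path)).lower()
    if not path.startswith(CONTENT_API_PREFIX):
        return False  # the authenticated Admin API and everything else is out of scope
    # parse_qs decodes one layer of percent-encoding and keeps repeated keys,
    # so a second `filter=` parameter on the same request is inspected too.
    query = parse_qs(parts.query, keep_blank_values=True)
    for value in query.get("filter", []):
        decoded = unquote(value).lower()
        if any(field in decoded for field in SENSITIVE_FIELDS):
            return True
    return False


def triage(urls):
    """Map each URL to its decision, for a quick audit of the rule."""
    return {url: ("block" if is_blocked_request(url) else "allow") for url in urls}


# Constructed sample requests (not real traffic)
SAMPLE_URLS = [
    "/ghost/api/content/posts/?key=abc&filter=tag:getting-started",
    "/ghost/api/content/members/?key=abc&filter=password:~'a'",
    "/ghost/api/content/authors/?key=abc&filter=%65mail%3A~%27a%27",
    "/ghost/api/content/members/?key=abc&filter=%2570assword%3A~%27a%27",
    "/ghost/api/content/members/?key=abc&filter=tag:foo&filter=EMAIL:~'a'",
    "/ghost/api/admin/members/?filter=email:~'a'",
]

if __name__ == "__main__":
    for url, decision in triage(SAMPLE_URLS).items():
        print(f"{decision:5}  {url}")
```

The rule is a stop-gap, not a fix: it blocks the two field names the advisory calls out, so upgrading to v5.46.1 remains the real remedy. If you deploy the rule in a reverse proxy instead, make sure that layer decodes the query string before matching, otherwise the encoded variants above walk straight through.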
CVE-2023-31140 OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged-in sessions for that user account are not terminated. Likewise, if an administrator creates a mobile phone 2FA device on behalf of a user, the user's existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating the sessions of user accounts that have registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. Logging out terminates all other sessions by default in OpenProject, but this can be disabled through a configuration option; double-check that the option is not overridden before relying on the workaround. May 8, 2023. 21:15:00 [www.openproject.org][github.com]
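The fix described above is a general pattern: enrolling a first 2FA device raises the account's authentication requirement, so every session opened before that point must be forced to re-authenticate. The following is an added example that models the pattern with an in-memory session store; it is not OpenProject's code, and the SessionStore and TwoFactorEnrollment classes, their method names and the demo scenario are all constructed here. It covers both cases the advisory names: self-service enrolment (keep the current session, drop the rest) and an administrator enrolling on the user's behalf (drop all of that user's sessions, leaving the administrator's own untouched).

```python
"""Revoking a user's other sessions when their first 2FA device is confirmed.

Added example modelling the fix described for CVE-2023-31140; it is not
OpenProject's code. The in-memory SessionStore and the TwoFactorEnrollment
class are constructed for this example.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    session_id: str
    user_id: int
    revoked: bool = False


class SessionStore:
    """Minimal server-side session registry keyed by an opaque session id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: int) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user_id)
        return sid

    def is_active(self, sid: str) -> bool:
        s = self._sessions.get(sid)
        return s is not None and not s.revoked

    def revoke_all_except(self, user_id: int, keep_sid: Optional[str]) -> int:
        """Revoke every active session of `user_id` other than `keep_sid`.

        Pass keep_sid=None to drop all of the user's sessions, which is the
        right call when an administrator enrols a device on the user's behalf
        (the admin's own session belongs to a different user_id and is untouched).
        """
        revoked = 0
        for s in self._sessions.values():
            if s.user_id == user_id and not s.revoked and s.session_id != keep_sid:
                s.revoked = True
                revoked += 1
        return revoked


class TwoFactorEnrollment:
    def __init__(self, store: SessionStore) -> None:
        self.store = store
        self._confirmed_devices: Dict[int, int] = {}

    def confirm_device(self, user_id: int, current_sid: Optional[str] = None) -> int:
        """Record a confirmed 2FA device and return how many sessions were revoked.

        Only the first confirmed device for an account triggers revocation: that
        is the moment the account's security posture changes and any session
        opened before 2FA existed must re-authenticate. Later devices add no
        new requirement, so existing sessions stay valid.
        """
        already = self._confirmed_devices.get(user_id, 0)
        self._confirmed_devices[user_id] = already + 1
        if already > 0:
            return 0
        return self.store.revoke_all_except(user_id, keep_sid=current_sid)


def demo() -> dict:
    """Walk through both enrolment cases; returns the observable state for checking."""
    store = SessionStore()
    enrol = TwoFactorEnrollment(store)

    # Self-service: user 1 confirms from a laptop while a stale phone session lingers.
    laptop = store.create(1)
    stale_phone = store.create(1)
    admin = store.create(99)  # unrelated administrator, must be untouched
    revoked_self = enrol.confirm_device(1, current_sid=laptop)

    # A second device later adds no new requirement: nothing further to revoke.
    revoked_second = enrol.confirm_device(1, current_sid=laptop)

    # Administrator enrols a device for user 2: every session of user 2 goes.
    s1, s2 = store.create(2), store.create(2)
    revoked_by_admin = enrol.confirm_device(2, current_sid=None)

    return {
        "revoked_self": revoked_self,
        "laptop_active": store.is_active(laptop),
        "stale_phone_active": store.is_active(stale_phone),
        "admin_active": store.is_active(admin),
        "revoked_second": revoked_second,
        "revoked_by_admin": revoked_by_admin,
        "user2_any_active": store.is_active(s1) or store.is_active(s2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is the server-side registry: revocation only works if the application can enumerate a user's sessions and mark them dead, which stateless signed cookies cannot do without an extra denylist or a per-user session version that is bumped on enrolment.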
CVE-2023-31141 OpenSearch is an open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to queries during extremely rare race conditions, potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, which occurs once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue. May 8, 2023. 21:15:00 [github.com]
CVE-2023-31182 EasyTor Applications - Authorization Bypass. EasyTor Applications may allow authorization bypass via an unspecified method. May 8, 2023. 21:15:00 [www.gov.il]
CVE-2023-29950 swfrender v0.9.2 was discovered to contain a heap buffer overflow in the function enumerateUsedIDs_fillstyle at modules/swftools.c. May 8, 2023. 20:22:00 [github.com]
CVE-2022-32822 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none. May 8, 2023. 20:15:00
CVE-2022-32856 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none. May 8, 2023. 20:15:00
CVE-2022-32804 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none. May 8, 2023. 20:15:00
CVE-2022-32808 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none. May 8, 2023. 20:15:00
CVE-2023-26064 Certain Lexmark devices through 2023-02-19 have an Out-of-bounds Write. May 8, 2023. 19:49:00 [publications.lexmark.com][support.lexmark.com]
CVE-2023-26063 Certain Lexmark devices through 2023-02-19 access a Resource By Using an Incompatible Type. May 8, 2023. 19:42:00 [publications.lexmark.com][support.lexmark.com]
CVE-2023-29815 mccms v2.6.3 is vulnerable to Cross Site Request Forgery (CSRF). May 8, 2023. 18:47:00 [github.com]
CVE-2023-20853 aEnrich Technology a+HRD has a Deserialization of Untrusted Data vulnerability in its MSMQ asynchronous message processing. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands, perform arbitrary system operations or disrupt service. May 8, 2023. 18:45:00 [www.twcert.org.tw]
CVE-2023-2335 Plaintext Password in Registry vulnerability in 42gears SureLock Windows surelockwinsetupv2.40.0.Exe on Windows (Registry modules) allows retrieval of admin user credentials. This issue affects SureLock Windows: from 2.3.12 through 2.40.0. May 8, 2023. 18:42:00 [www.42gears.com]
CVE-2023-26070 Certain Lexmark devices through 2023-02-19 mishandle Input Validation (issue 4 of 4). May 8, 2023. 18:39:00 [publications.lexmark.com][support.lexmark.com]
CVE-2023-1786 Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. May 8, 2023. 18:38:00 [bugs.launchpad.net][ubuntu.com]
CVE-2023-1778 This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to insecure default credentials, which allow a remote attacker to log in as superuser using the default username/password via the web-based management interface and/or an exposed SSH port, thereby enabling remote attackers to execute arbitrary commands with administrative/superuser privileges on the targeted systems. The vulnerability has been addressed by forcing the user to change the default password to a new non-default password. May 8, 2023. 18:34:00 [www.cert-in.org.in]
CVE-2023-28770 The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file. May 8, 2023. 18:27:00 [www.zyxel.com]
CVE-2023-2327 Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. May 8, 2023. 18:25:00 [github.com][huntr.dev]
CVE-2023-2328 Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21. May 8, 2023. 18:21:00 [huntr.dev][github.com]


Page 1337 of 1342


