Total
27865 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23541 | 1 Auth0 | 1 Jsonwebtoken | 2023-02-27 | N/A | 6.3 MEDIUM |
| jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0. | |||||
| CVE-2022-36289 | 1 Intel | 1 Media Software Development Kit | 2023-02-27 | N/A | 5.5 MEDIUM |
| Protection mechanism failure in the Intel(R) Media SDK software before version 22.2.2 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2023-0475 | 1 Hashicorp | 1 Go-getter | 2023-02-27 | N/A | 6.5 MEDIUM |
| HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0. | |||||
| CVE-2020-14400 | 4 Canonical, Debian, Libvncserver Project and 1 more | 4 Ubuntu Linux, Debian Linux, Libvncserver and 1 more | 2023-02-27 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. NOTE: Third parties do not consider this to be a vulnerability as there is no known path of exploitation or cross of a trust boundary. | |||||
| CVE-2020-14399 | 4 Canonical, Debian, Libvncserver Project and 1 more | 4 Ubuntu Linux, Debian Linux, Libvncserver and 1 more | 2023-02-27 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. NOTE: there is reportedly "no trust boundary crossed." | |||||
| CVE-2023-0916 | 1 Auto Dealer Management System Project | 1 Auto Dealer Management System | 2023-02-27 | N/A | 8.8 HIGH |
| A vulnerability classified as critical was found in SourceCodester Auto Dealer Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /adms/classes/Users.php. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221491. | |||||
| CVE-2022-33902 | 1 Intel | 1 Quartus Prime | 2023-02-27 | N/A | 7.8 HIGH |
| Insufficient control flow management in the Intel(R) Quartus Prime Pro and Standard edition software may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-25725 | 2 Debian, Haproxy | 2 Debian Linux, Haproxy | 2023-02-24 | N/A | 9.1 CRITICAL |
| HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31. | |||||
| CVE-2023-0821 | 1 Hashicorp | 1 Nomad | 2023-02-24 | N/A | 6.5 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4. | |||||
| CVE-2022-29054 | 1 Fortinet | 2 Fortios, Fortiproxy | 2023-02-24 | N/A | 3.3 LOW |
| A missing cryptographic steps vulnerability [CWE-325] in the functions that encrypt the DHCP and DNS keys in Fortinet FortiOS version 7.2.0, 7.0.0 through 7.0.5, 6.4.0 through 6.4.9, 6.2.x and 6.0.x may allow an attacker in possession of the encrypted key to decipher it. | |||||
| CVE-2022-27170 | 1 Intel | 1 Media Software Development Kit | 2023-02-24 | N/A | 7.8 HIGH |
| Protection mechanism failure in the Intel(R) Media SDK software before version 22.2.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-24484 | 1 Citrix | 1 Workspace | 2023-02-24 | N/A | 5.5 MEDIUM |
| A malicious user can cause log files to be written to a directory that they do not have permission to write to. | |||||
| CVE-2022-46892 | 1 Amperecomputing | 4 Ampere Altra, Ampere Altra Firmware, Ampere Altra Max and 1 more | 2023-02-24 | N/A | 9.8 CRITICAL |
| In Ampere AltraMax and Ampere Altra before 2.10c, improper access controls allows the OS to reinitialize a disabled root complex. | |||||
| CVE-2022-4304 | 1 Openssl | 1 Openssl | 2023-02-24 | N/A | 5.9 MEDIUM |
| A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. | |||||
| CVE-2023-23752 | 1 Joomla | 1 Joomla\! | 2023-02-24 | N/A | 5.3 MEDIUM |
| An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints. | |||||
| CVE-2023-23461 | 1 Libpeconv Project | 1 Libpeconv | 2023-02-24 | N/A | 9.8 CRITICAL |
| Libpeconv – access violation, before commit b076013 (30/11/2022). | |||||
| CVE-2021-43946 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2023-02-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint. The affected versions are before version 8.13.21, and from version 8.14.0 before 8.20.9. | |||||
| CVE-2022-20144 | 1 Google | 1 Android | 2023-02-23 | 7.2 HIGH | 7.8 HIGH |
| In multiple functions of AvatarPhotoController.java, there is a possible access to content owned by system content providers due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-250637906 | |||||
| CVE-2022-45724 | 1 Comfast | 2 Cf-wr610n, Cf-wr610n Firmware | 2023-02-22 | N/A | 5.4 MEDIUM |
| Incorrect Access Control in Comfast router CF-WR6110N V2.3.1 allows a remote attacker on the same network to perform any HTTP request to an unauthenticated page to force the server to generate a SESSION_ID, and using this SESSION_ID an attacker can then perform authenticated requests. | |||||
| CVE-2023-25240 | 1 Pimcore | 1 Pimcore | 2023-02-22 | N/A | 8.8 HIGH |
| An improper SameSite Attribute vulnerability in pimCore v10.5.15 allows attackers to execute arbitrary code. | |||||