Total: 9531 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-37939 | 1 Fortinet | 1 Forticlient | 2024-11-21 | N/A | 3.3 LOW |
| An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Windows 7.2.0, 7.0 all versions, 6.4 all versions, 6.2 all versions, Linux 7.2.0, 7.0 all versions, 6.4 all versions, 6.2 all versions and Mac 7.2.0 through 7.2.1, 7.0 all versions, 6.4 all versions, 6.2 all versions, may allow a local authenticated attacker with no Administrative privileges to retrieve the list of files or folders excluded from malware scanning. | |||||
| CVE-2023-37916 | 1 Fit2cloud | 1 Kubepi | 2024-11-21 | N/A | 6.5 MEDIUM |
| KubePi is an open-source Kubernetes management panel. The endpoint /kubepi/api/v1/users/search?pageNum=1&&pageSize=10 leaks the password hash of any user (including admin). A sufficiently motivated attacker may be able to crack leaked password hashes. This issue has been addressed in version 1.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-37868 | 1 Leap13 | 1 Premium Addons | 2024-11-21 | N/A | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Leap13 Premium Addons PRO. This issue affects Premium Addons PRO: from n/a through 2.9.0. | |||||
| CVE-2023-37263 | 1 Strapi | 1 Strapi | 2024-11-21 | N/A | 6.8 MEDIUM |
| Strapi is an open-source headless content management system. Prior to version 4.12.1, field-level permissions are not respected in the relationship title. If an actor has the relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue. | |||||
| CVE-2023-37239 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | N/A | 7.5 HIGH |
| Format string vulnerability in the distributed file system. Attackers who bypass the selinux permission can exploit this vulnerability to crash the program. | |||||
| CVE-2023-36908 | 1 Microsoft | 12 Windows 10, Windows 10 1607, Windows 10 1809 and 9 more | 2024-11-21 | N/A | 6.5 MEDIUM |
| Windows Hyper-V Information Disclosure Vulnerability | |||||
| CVE-2023-36817 | 1 Kingstemple | 1 The King's Temple Church Website | 2024-11-21 | N/A | 7.5 HIGH |
| `tktchurch/website` contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized party gains access to this key, they could potentially carry out transactions on behalf of the organization, leading to financial losses. Additionally, they could access sensitive customer information, leading to privacy violations and potential legal implications. The affected component is the codebase of our project, specifically the file(s) where the Stripe API key is embedded. The key should have been stored securely, and not committed to the codebase. The maintainers plan to revoke the leaked Stripe API key immediately, generate a new one, and not commit the key to the codebase. | |||||
| CVE-2023-36763 | 1 Microsoft | 4 365 Apps, Office, Office Long Term Servicing Channel and 1 more | 2024-11-21 | N/A | 7.5 HIGH |
| Microsoft Outlook Information Disclosure Vulnerability | |||||
| CVE-2023-36551 | 1 Fortinet | 1 Fortisiem | 2024-11-21 | N/A | 4.3 MEDIUM |
| An exposure of sensitive information to an unauthorized actor in Fortinet FortiSIEM version 6.7.0 through 6.7.5 allows an attacker to disclose information via a crafted HTTP request. | |||||
| CVE-2023-36539 | 1 Zoom | 14 Meetings, Poly Ccx 600, Poly Ccx 600 Firmware and 11 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| Exposure of information intended to be encrypted by some Zoom clients may lead to disclosure of sensitive information. | |||||
| CVE-2023-36523 | 1 Gopiplus | 1 Email Download Link | 2024-11-21 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Gopi Ramasamy Email download link. This issue affects Email download link: from n/a through 3.7. | |||||
| CVE-2023-36507 | 1 Reputeinfosystems | 1 Bookingpress | 2024-11-21 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Repute Infosystems BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin. This issue affects BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin: from n/a through 1.0.64. | |||||
| CVE-2023-36476 | 1 Nixos | 1 Calamares-nixos-extensions | 2024-11-21 | N/A | 7.9 HIGH |
| calamares-nixos-extensions provides Calamares branding and modules for NixOS, a distribution of GNU/Linux. Users of calamares-nixos-extensions version 0.3.12 and prior who installed NixOS through the graphical calamares installer, with an unencrypted `/boot`, on either non-UEFI systems or with a LUKS partition different from `/` have their LUKS key file in `/boot` as a plaintext CPIO archive attached to their NixOS initrd. A patch is available and anticipated to be part of version 0.3.13 to backport to NixOS 22.11, 23.05, and unstable channels. Expert users who have a copy of their data may, as a workaround, re-encrypt the LUKS partition(s) themselves. | |||||
| CVE-2023-36472 | 1 Strapi | 1 Strapi | 2024-11-21 | N/A | 5.8 MEDIUM |
| Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure that they can't be selected. This issue is fixed in version 4.11.7. | |||||
| CVE-2023-36043 | 1 Microsoft | 1 System Center Operations Manager | 2024-11-21 | N/A | 6.5 MEDIUM |
| Open Management Infrastructure Information Disclosure Vulnerability | |||||
| CVE-2023-35934 | 4 Fedoraproject, Youtube-dlc Project, Yt-dl and 1 more | 4 Fedora, Youtube-dlc, Youtube-dl and 1 more | 2024-11-21 | N/A | 6.1 MEDIUM |
| yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later). At the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp's info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped. yt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; having native downloaders calculate the `Cookie` header from the cookiejar; utilizing external downloaders' built-in support for cookies instead of passing them as header arguments; disabling HTTP redirecting if the external downloader does not have proper cookie support; processing cookies passed as HTTP headers to limit their scope; and having a separate field for cookies in the info dict storing more information about scoping. Some workarounds are available for those who are unable to upgrade. Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using `--load-info-json`. Or, if authentication is a must: verify the integrity of download links from unknown sources in a browser (including redirects) before passing them to yt-dlp; use `curl` as the external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM. | |||||
| CVE-2023-35900 | 3 Ibm, Microsoft, Redhat | 5 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak and 2 more | 2024-11-21 | N/A | 4.3 MEDIUM |
| IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.4 and 23.0.0 through 23.0.5 is vulnerable to disclosing server version information which may be used to determine software vulnerabilities at the operating system level. IBM X-Force ID: 259368. | |||||
| CVE-2023-35898 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2024-11-21 | N/A | 4.3 MEDIUM |
| IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information due to an insecure security configuration in InfoSphere Data Flow Designer. IBM X-Force ID: 259352. | |||||
| CVE-2023-35636 | 1 Microsoft | 3 365 Apps, Office, Office Long Term Servicing Channel | 2024-11-21 | N/A | 6.5 MEDIUM |
| Microsoft Outlook Information Disclosure Vulnerability | |||||
| CVE-2023-35625 | 1 Microsoft | 1 Azure Machine Learning Software Development Kit | 2024-11-21 | N/A | 4.7 MEDIUM |
| Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability | |||||
