This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-05-18T15:19:06+00:00 www.secnews.physaphae.fr CVE Liste - Common Vulnerability Exposure Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The vulnerability makes it possible to craft a payload in the privacy policy URL which triggers JavaScript execution when the privacy notice is served by an integrated website. The domain scope of the executed JavaScript is that of the integrated website. Exploitation is limited to Admin UI users with the contributor role or higher. The vulnerability has been patched in Fides version `2.22.1`.]]> 2023-10-25T18:17:36+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46126 www.secnews.physaphae.fr/article.php?IdArticle=8400439 False Vulnerability None None CVE Liste - Common Vulnerability Exposure The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.]]> 2023-10-25T18:17:36+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46120 www.secnews.physaphae.fr/article.php?IdArticle=8400435 False Vulnerability None None CVE Liste - Common Vulnerability Exposure rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. A panic vulnerability occurs when a specially crafted payload is used.`inner_payload_len` should not above 64. This vulnerability has been patched in version 0.0.8.]]> 2023-10-25T18:17:36+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46135 www.secnews.physaphae.fr/article.php?IdArticle=8400441 False Vulnerability None None CVE Liste - Common Vulnerability Exposure Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=` query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. The passwords are not exposed in plaintext. This vulnerability has been patched in version 2.0.3.]]> 2023-10-25T18:17:36+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46128 www.secnews.physaphae.fr/article.php?IdArticle=8400440 False Vulnerability None None CVE Liste - Common Vulnerability Exposure Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems and exfiltrate data outside the environment (also known as a Server-Side Request Forgery). The application does not perform proper validation to block attempts to connect to internal (including localhost) resources. The vulnerability has been patched in Fides version `2.22.1`.]]> 2023-10-25T18:17:36+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46124 www.secnews.physaphae.fr/article.php?IdArticle=8400437 False Vulnerability None None CVE Liste - Common Vulnerability Exposure RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.]]> 2023-10-25T18:17:36+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46118 www.secnews.physaphae.fr/article.php?IdArticle=8400433 False Vulnerability None None CVE Liste - Common Vulnerability Exposure Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.]]> 2023-10-25T18:17:36+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46136 www.secnews.physaphae.fr/article.php?IdArticle=8400442 False Vulnerability None None CVE Liste - Common Vulnerability Exposure The Android Client application, when enrolled to the AppHub server, connects to an MQTT broker to exchange messages and receive commands to execute on the HMI device. The protocol builds on top of MQTT to implement the remote management of the device is encrypted with a hard-coded DES symmetric key, that can be retrieved reversing both the Android Client application and the server-side web application. This issue allows an attacker able to control a malicious MQTT broker on the same subnet network of the device, to craft malicious messages and send them to the HMI device, executing arbitrary commands on the device itself.]]> 2023-10-25T18:17:36+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46102 www.secnews.physaphae.fr/article.php?IdArticle=8400432 False None None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:36+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46151 www.secnews.physaphae.fr/article.php?IdArticle=8400444 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:36+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46152 www.secnews.physaphae.fr/article.php?IdArticle=8400445 False Vulnerability None None CVE Liste - Common Vulnerability Exposure Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.]]> 2023-10-25T18:17:36+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46119 www.secnews.physaphae.fr/article.php?IdArticle=8400434 False Vulnerability None None CVE Liste - Common Vulnerability Exposure An issue in SeaCMS v.12.9 allows an attacker to execute arbitrary commands via the admin_safe.php component.]]> 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46010 www.secnews.physaphae.fr/article.php?IdArticle=8400424 False None None None CVE Liste - Common Vulnerability Exposure Insecure Permissions vulnerability in WenwenaiCMS v.1.0 allows a remote attacker to escalate privileges.]]> 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45990 www.secnews.physaphae.fr/article.php?IdArticle=8400423 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45832 www.secnews.physaphae.fr/article.php?IdArticle=8400416 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46068 www.secnews.physaphae.fr/article.php?IdArticle=8400426 False Vulnerability None None CVE Liste - Common Vulnerability Exposure The vulnerability allows a low privileged user that have access to the device when locked in Kiosk mode to install an arbitrary Android application and leverage it to have access to critical device settings such as the device power management or eventually the device secure settings (ADB debug).]]> 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45844 www.secnews.physaphae.fr/article.php?IdArticle=8400420 False Vulnerability None None CVE Liste - Common Vulnerability Exposure The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication.  This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device]]> 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45851 www.secnews.physaphae.fr/article.php?IdArticle=8400421 False None None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45837 www.secnews.physaphae.fr/article.php?IdArticle=8400419 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46071 www.secnews.physaphae.fr/article.php?IdArticle=8400430 False Vulnerability None None CVE Liste - Common Vulnerability Exposure An issue in dom4.j org.dom4.io.SAXReader v.2.1.4 and before allows a remote attacker to obtain sensitive information via the setFeature function.]]> 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45960 www.secnews.physaphae.fr/article.php?IdArticle=8400422 False None None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45833 www.secnews.physaphae.fr/article.php?IdArticle=8400417 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46069 www.secnews.physaphae.fr/article.php?IdArticle=8400427 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46070 www.secnews.physaphae.fr/article.php?IdArticle=8400429 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:35+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45835 www.secnews.physaphae.fr/article.php?IdArticle=8400418 False Vulnerability None None CVE Liste - Common Vulnerability Exposure Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Scroll post excerpt plugin ]]> 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45764 www.secnews.physaphae.fr/article.php?IdArticle=8400409 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45755 www.secnews.physaphae.fr/article.php?IdArticle=8400404 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45759 www.secnews.physaphae.fr/article.php?IdArticle=8400407 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45768 www.secnews.physaphae.fr/article.php?IdArticle=8400411 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45769 www.secnews.physaphae.fr/article.php?IdArticle=8400412 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45758 www.secnews.physaphae.fr/article.php?IdArticle=8400406 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45756 www.secnews.physaphae.fr/article.php?IdArticle=8400405 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45761 www.secnews.physaphae.fr/article.php?IdArticle=8400408 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45770 www.secnews.physaphae.fr/article.php?IdArticle=8400413 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45767 www.secnews.physaphae.fr/article.php?IdArticle=8400410 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45772 www.secnews.physaphae.fr/article.php?IdArticle=8400414 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:34+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45829 www.secnews.physaphae.fr/article.php?IdArticle=8400415 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45640 www.secnews.physaphae.fr/article.php?IdArticle=8400398 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45634 www.secnews.physaphae.fr/article.php?IdArticle=8400396 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45646 www.secnews.physaphae.fr/article.php?IdArticle=8400400 False Vulnerability None None CVE Liste - Common Vulnerability Exposure The Android Client application, when enrolled with the define method 1(the user manually inserts the server ip address), use HTTP protocol to retrieve sensitive information (ip address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user.]]> 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45220 www.secnews.physaphae.fr/article.php?IdArticle=8400392 False None None None CVE Liste - Common Vulnerability Exposure File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker to execute arbitrary code via modification of the imageext parameter from jpg, jpeg,gif, and png to jpg, jpeg,gif, png, pphphp.]]> 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45554 www.secnews.physaphae.fr/article.php?IdArticle=8400394 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45754 www.secnews.physaphae.fr/article.php?IdArticle=8400403 False Vulnerability None None CVE Liste - Common Vulnerability Exposure File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker to execute arbitrary code via a crafted file to the down_url function in zzz.php file.]]> 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45555 www.secnews.physaphae.fr/article.php?IdArticle=8400395 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45637 www.secnews.physaphae.fr/article.php?IdArticle=8400397 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45644 www.secnews.physaphae.fr/article.php?IdArticle=8400399 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45750 www.secnews.physaphae.fr/article.php?IdArticle=8400402 False Vulnerability None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45747 www.secnews.physaphae.fr/article.php?IdArticle=8400401 False Vulnerability None None CVE Liste - Common Vulnerability Exposure The Android Client application, when enrolled with the define method 1 (the user manually inserts the server ip address), use HTTP protocol to retrieve sensitive information (ip address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user. Due to the lack of encryption of HTTP,this issue allows an attacker placed in the same subnet network of the HMI device to intercept username and password necessary to authenticate to the MQTT server responsible to implement the remote management protocol.]]> 2023-10-25T18:17:33+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45321 www.secnews.physaphae.fr/article.php?IdArticle=8400393 False None None None CVE Liste - Common Vulnerability Exposure A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Spare aliases from Alias.]]> 2023-10-25T18:17:32+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44769 www.secnews.physaphae.fr/article.php?IdArticle=8400390 False Vulnerability None None CVE Liste - Common Vulnerability Exposure An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL.]]> 2023-10-25T18:17:32+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44794 www.secnews.physaphae.fr/article.php?IdArticle=8400391 False None None None CVE Liste - Common Vulnerability Exposure A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to send notifications to computers that are running ClearPass OnGuard. These notifications can then be used to phish users or trick them into downloading malicious software.]]> 2023-10-25T18:17:32+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43509 www.secnews.physaphae.fr/article.php?IdArticle=8400385 False Vulnerability None None CVE Liste - Common Vulnerability Exposure GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.]]> 2023-10-25T18:17:32+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43795 www.secnews.physaphae.fr/article.php?IdArticle=8400387 False Vulnerability None None CVE Liste - Common Vulnerability Exposure A File upload vulnerability in RiteCMS 3.0 allows a local attacker to upload a SVG file with XSS content.]]> 2023-10-25T18:17:32+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44767 www.secnews.physaphae.fr/article.php?IdArticle=8400389 False Vulnerability None None CVE Liste - Common Vulnerability Exposure A vulnerability in the ClearPass Policy Manager web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as a non-privileged user on the underlying operating system leading to partial system compromise.]]> 2023-10-25T18:17:32+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43510 www.secnews.physaphae.fr/article.php?IdArticle=8400386 False Vulnerability None None CVE Liste - Common Vulnerability Exposure An issue in Dromara SaToken version 1.3.50RC and before when using Spring dynamic controllers, a specially crafted request may cause an authentication bypass.]]> 2023-10-25T18:17:32+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43961 www.secnews.physaphae.fr/article.php?IdArticle=8400388 False None None None CVE Liste - Common Vulnerability Exposure The vulnerability allows a low privileged (untrusted) application to modify a critical system property that should be denied, in order to enable the ADB (Android Debug Bridge) protocol to be exposed on the network, exploiting it to gain a privileged shell on the device without requiring the physical access through USB.]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43488 www.secnews.physaphae.fr/article.php?IdArticle=8400381 False Vulnerability None None CVE Liste - Common Vulnerability Exposure EisBaer Scada - CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\')]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42488 www.secnews.physaphae.fr/article.php?IdArticle=8400359 False None None None CVE Liste - Common Vulnerability Exposure A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit this vulnerability to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster.]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43507 www.secnews.physaphae.fr/article.php?IdArticle=8400383 False Vulnerability None None CVE Liste - Common Vulnerability Exposure Double Free vulnerability in Nothings Stb Image.h v.2.28 allows a remote attacker to cause a denial of service via a crafted file to the stbi_load_gif_main function.]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43281 www.secnews.physaphae.fr/article.php?IdArticle=8400379 False Vulnerability None None CVE Liste - Common Vulnerability Exposure A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges to those of a higher role. A successful exploit allows malicious users to execute arbitrary code with root level privileges on the Linux instance.]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43506 www.secnews.physaphae.fr/article.php?IdArticle=8400382 False Vulnerability None None CVE Liste - Common Vulnerability Exposure Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component.]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43360 www.secnews.physaphae.fr/article.php?IdArticle=8400380 False Vulnerability None None CVE Liste - Common Vulnerability Exposure EisBaer Scada - CWE-749: Exposed Dangerous Method or Function]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42494 www.secnews.physaphae.fr/article.php?IdArticle=8400365 False None None None CVE Liste - Common Vulnerability Exposure EisBaer Scada - CWE-732: Incorrect Permission Assignment for Critical Resource]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42489 www.secnews.physaphae.fr/article.php?IdArticle=8400360 False None None None CVE Liste - Common Vulnerability Exposure EisBaer Scada - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42490 www.secnews.physaphae.fr/article.php?IdArticle=8400361 False None None None CVE Liste - Common Vulnerability Exposure EisBaer Scada - CWE-321: Use of Hard-coded Cryptographic Key]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42492 www.secnews.physaphae.fr/article.php?IdArticle=8400363 False None None None CVE Liste - Common Vulnerability Exposure Vulnerabilities in the web-based management interface of ClearPass Policy Manager allow an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of these vulnerabilities allow an attacker to complete state-changing actions in the web-based management interface that should not be allowed by their current level of authorization on the platform.]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43508 www.secnews.physaphae.fr/article.php?IdArticle=8400384 False Vulnerability None None CVE Liste - Common Vulnerability Exposure IBM TXSeries for Multiplatforms, 8.1, 8.2, and 9.1, CICS TX Standard CICS TX Advanced 10.1 and 11.1 could allow a privileged user to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 266016.]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42031 www.secnews.physaphae.fr/article.php?IdArticle=8400357 False None None None CVE Liste - Common Vulnerability Exposure The vulnerability allows an unprivileged(untrusted) third-party application to interact with a content-provider unsafely exposed by the Android Agent application, potentially modifying sensitive settings of the Android Client application itself.]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41960 www.secnews.physaphae.fr/article.php?IdArticle=8400348 False Vulnerability None None CVE Liste - Common Vulnerability Exposure EisBaer Scada - CWE-285: Improper Authorization]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42491 www.secnews.physaphae.fr/article.php?IdArticle=8400362 False None None None CVE Liste - Common Vulnerability Exposure EisBaer Scada - CWE-256: Plaintext Storage of a Password]]> 2023-10-25T18:17:31+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42493 www.secnews.physaphae.fr/article.php?IdArticle=8400364 False None None None CVE Liste - Common Vulnerability Exposure GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery. This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access. This vulnerability has been patched in versions 2.22.5 and 2.23.2.]]> 2023-10-25T18:17:30+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41339 www.secnews.physaphae.fr/article.php?IdArticle=8400345 False Vulnerability None None CVE Liste - Common Vulnerability Exposure A vulnerability was reported in Elliptic Labs Virtual Lock Sensor for ThinkPad T14 Gen 3 that could allow an attacker with local access to execute code with elevated privileges.]]> 2023-10-25T18:17:30+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3112 www.secnews.physaphae.fr/article.php?IdArticle=8400292 False Vulnerability None None CVE Liste - Common Vulnerability Exposure The vulnerability allows an unprivileged user with access to the subnet of the TPC-110W device to gain a root shell on the device itself abusing the lack of authentication of the ‘su’ binary file installed on the device that can be accessed through the ADB (Android Debug Bridge) protocol exposed on the network.]]> 2023-10-25T18:17:30+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41255 www.secnews.physaphae.fr/article.php?IdArticle=8400344 False Vulnerability None None CVE Liste - Common Vulnerability Exposure Instances of UniFi Network Application that (i) are run on a UniFi Gateway Console, and (ii) are versions 7.5.176. and earlier, implement device adoption with improper access control logic, creating a risk of access to device configuration information by a malicious actor with preexisting access to the network. Affected Products: UDM UDM-PRO UDM-SE UDR UDW Mitigation: Update UniFi Network to Version 7.5.187 or later.]]> 2023-10-25T18:17:30+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41721 www.secnews.physaphae.fr/article.php?IdArticle=8400347 False None None None CVE Liste - Common Vulnerability Exposure The vulnerability allows an unprivileged (untrusted) third- party application to arbitrary modify the server settings of the Android Client application, inducing it to connect to an attacker - controlled malicious server.This is possible by forging a valid broadcast intent encrypted with a hardcoded RSA key pair]]> 2023-10-25T18:17:30+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41372 www.secnews.physaphae.fr/article.php?IdArticle=8400346 False Vulnerability None None CVE Liste - Common Vulnerability Exposure The leakage of the client secret in Uomasa_Saiji_news Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39735 www.secnews.physaphae.fr/article.php?IdArticle=8400317 False None None None CVE Liste - Common Vulnerability Exposure The leakage of the client secret in Matsuya Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39737 www.secnews.physaphae.fr/article.php?IdArticle=8400319 False None None None CVE Liste - Common Vulnerability Exposure The leakage of the client secret in VISION MEAT WORKS TrackDiner10/10_mc Line v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39734 www.secnews.physaphae.fr/article.php?IdArticle=8400316 False None None None CVE Liste - Common Vulnerability Exposure Grafana is an open-source platform for monitoring and observability. The WorldMap panel plugin, versions before 1.0.4 contains a DOM XSS vulnerability.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3010 www.secnews.physaphae.fr/article.php?IdArticle=8400290 False None None None CVE Liste - Common Vulnerability Exposure A first-factor authentication bypass vulnerability exists in the PingFederate with PingID Radius PCV when a MSCHAP authentication request is sent via a maliciously crafted RADIUS client request.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39930 www.secnews.physaphae.fr/article.php?IdArticle=8400327 False Vulnerability None None CVE Liste - Common Vulnerability Exposure ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39814 www.secnews.physaphae.fr/article.php?IdArticle=8400322 False None None None CVE Liste - Common Vulnerability Exposure 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39924 www.secnews.physaphae.fr/article.php?IdArticle=8400326 False Vulnerability None None CVE Liste - Common Vulnerability Exposure The leakage of the client secret in TonTon-Tei Line v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39733 www.secnews.physaphae.fr/article.php?IdArticle=8400315 False None None None CVE Liste - Common Vulnerability Exposure ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39815 www.secnews.physaphae.fr/article.php?IdArticle=8400323 False None None None CVE Liste - Common Vulnerability Exposure The leakage of the client secret in Tokueimaru_waiting Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39732 www.secnews.physaphae.fr/article.php?IdArticle=8400314 False None None None CVE Liste - Common Vulnerability Exposure ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39817 www.secnews.physaphae.fr/article.php?IdArticle=8400325 False None None None CVE Liste - Common Vulnerability Exposure The leakage of the client secret in Fukunaga_memberscard Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39736 www.secnews.physaphae.fr/article.php?IdArticle=8400318 False None None None CVE Liste - Common Vulnerability Exposure The leakage of the client secret in REGINA SWEETS&BAKERY Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39739 www.secnews.physaphae.fr/article.php?IdArticle=8400320 False None None None CVE Liste - Common Vulnerability Exposure The leakage of the client secret in Onigiriya-musubee Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39740 www.secnews.physaphae.fr/article.php?IdArticle=8400321 False None None None CVE Liste - Common Vulnerability Exposure ReDos in NPMJS Node Email Check v.1.0.4 allows an attacker to cause a denial of service via a crafted string to the scpSyntax component.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39619 www.secnews.physaphae.fr/article.php?IdArticle=8400313 False None None None CVE Liste - Common Vulnerability Exposure PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user\'s first factor credentials.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39231 www.secnews.physaphae.fr/article.php?IdArticle=8400312 False Vulnerability,Threat None None CVE Liste - Common Vulnerability Exposure ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.]]> 2023-10-25T18:17:29+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39816 www.secnews.physaphae.fr/article.php?IdArticle=8400324 False None None None CVE Liste - Common Vulnerability Exposure XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. The cleaning of attributes during XHTML rendering, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid attribute names. This can be exploited, e.g., via the link syntax in any content that supports XWiki syntax like comments in XWiki. When a user moves the mouse over a malicious link, the malicious JavaScript code is executed in the context of the user session. When this user is a privileged user who has programming rights, this allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. While this attribute was correctly recognized as not allowed, the attribute was still printed with a prefix `data-xwiki-translated-attribute-` without further cleaning or validation. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by removing characters not allowed in data attributes and then validating the cleaned attribute again. There are no known workarounds apart from upgrading to a version including the fix.]]> 2023-10-25T18:17:28+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37908 www.secnews.physaphae.fr/article.php?IdArticle=8400304 False None None None CVE Liste - Common Vulnerability Exposure iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, when displaying `pages/preferences.php`, cross site scripting is possible. This issue is fixed in versions 3.0.4 and 3.1.0.]]> 2023-10-25T18:17:28+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34446 www.secnews.physaphae.fr/article.php?IdArticle=8400300 False None None None CVE Liste - Common Vulnerability Exposure XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possible for users with view right on the re-created document but not on the deleted document to view the contents of the deleted document. Such a situation might arise when rights were added to the deleted document. This can be exploited through the diff feature and, partially, through the REST API by using versions such as `deleted:1` (where the number counts the deletions in the wiki and is thus guessable). Given sufficient rights, the attacker can also re-create the deleted document, thus extending the scope to any deleted document as long as the attacker has edit right in the location of the deleted document. This vulnerability has been patched in XWiki 14.10.8 and 15.3 RC1 by properly checking rights when deleted revisions of a document are accessed. The only workaround is to regularly clean deleted documents to minimize the potential exposure. Extra care should be taken when deleting sensitive documents that are protected individually (and not, e.g., by being placed in a protected space) or deleting a protected space as a whole.]]> 2023-10-25T18:17:28+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37911 www.secnews.physaphae.fr/article.php?IdArticle=8400307 False Vulnerability None None CVE Liste - Common Vulnerability Exposure When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request]]> 2023-10-25T18:17:28+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34085 www.secnews.physaphae.fr/article.php?IdArticle=8400299 False None None None CVE Liste - Common Vulnerability Exposure PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests]]> 2023-10-25T18:17:28+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39219 www.secnews.physaphae.fr/article.php?IdArticle=8400311 False None None None CVE Liste - Common Vulnerability Exposure The sisqualWFM 7.1.319.103 thru 7.1.319.111 for Android, has a host header injection vulnerability in its "/sisqualIdentityServer/core/" endpoint. By modifying the HTTP Host header, an attacker can change webpage links and even redirect users to arbitrary or malicious locations. This can lead to phishing attacks, malware distribution, and unauthorized access to sensitive resources.]]> 2023-10-25T18:17:28+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36085 www.secnews.physaphae.fr/article.php?IdArticle=8400302 False Malware,Vulnerability None None CVE Liste - Common Vulnerability Exposure XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with the introduction of attachment move support in version 14.0-rc-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, an attacker with edit access on any document (can be the user profile which is editable by default) can move any attachment of any other document to this attacker-controlled document. This allows the attacker to access and possibly publish any attachment of which the name is known, regardless if the attacker has view or edit rights on the source document of this attachment. Further, the attachment is deleted from the source document. This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0 RC1. There is no workaround apart from upgrading to a fixed version.]]> 2023-10-25T18:17:28+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37910 www.secnews.physaphae.fr/article.php?IdArticle=8400306 False Vulnerability None None CVE Liste - Common Vulnerability Exposure iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, on `pages/UI.php`, cross site scripting is possible. This issue is fixed in versions 3.0.4 and 3.1.0.]]> 2023-10-25T18:17:28+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34447 www.secnews.physaphae.fr/article.php?IdArticle=8400301 False None None None