CVE & Exploit Intelligence Database

Updated 6h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,271 with exploits; 4,730 exploited in wild; 1,542 CISA KEV; 3,929 Nuclei templates; 37,826 vendors; 42,547 researchers
442 results
CVE-2023-25188 5.1 MEDIUM EPSS 0.00
Nokia Asika Airscale Firmware - Origin Validation Error
An issue was discovered on NOKIA Airscale ASIKA Single RAN devices before 21B. If/when CSP (as a BTS administrator) removes security hardenings from the Nokia Single RAN BTS baseband unit, the BTS baseband unit diagnostic tool AaShell (which is by default disabled) allows unauthenticated access from the mobile network solution internal BTS management network to the BTS embedded Linux operating-system level.
CWE-269 Jun 16, 2023
CVE-2023-25366 9.8 CRITICAL 1 Writeup EPSS 0.00
Siglent Sds 1104x-e Firmware - Origin Validation Error
In Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS, insecure SCPI interface discloses web password.
CWE-346 Jun 16, 2023
CVE-2023-2639 4.1 MEDIUM EPSS 0.00
Rockwell Automation's FactoryTalk System Services - SSRF
The underlying feedback mechanism of Rockwell Automation's FactoryTalk System Services that transfers the FactoryTalk Policy Manager rules to relevant devices on the network does not verify that the origin of the communication is from a legitimate local client device. This may allow a threat actor to craft a malicious website that, when visited, will send a malicious script that can connect to the local WebSocket endpoint and wait for events as if it was a valid client device. If successfully exploited, this would allow a threat actor to receive information including whether FactoryTalk Policy Manager is installed and potentially the entire security policy.
CWE-346 Jun 13, 2023
CVE-2023-29753 5.5 MEDIUM 1 Writeup EPSS 0.00
Ekatox Facemoji - Origin Validation Error
An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows a local attacker to cause a denial of service via the SharedPreference files.
CWE-346 Jun 09, 2023
CVE-2023-29751 5.5 MEDIUM 1 Writeup EPSS 0.00
Yandex Navigator - Origin Validation Error
An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.
CWE-346 Jun 09, 2023
CVE-2023-29756 5.5 MEDIUM 1 Writeup EPSS 0.00
Urbanandroid Twilight - Origin Validation Error
An issue found in Twilight v.13.3 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.
CWE-346 Jun 09, 2023
CVE-2023-33443 9.8 CRITICAL 1 PoC Analysis EPSS 0.00
BES-6024PB-I50H1 VideoPlayTool <2.0.1.0 - Command Injection
Incorrect access control in the administrative functionalities of BES-6024PB-I50H1 VideoPlayTool v2.0.1.0 allows attackers to execute arbitrary administrative commands via a crafted payload sent to the desired endpoints.
CWE-346 Jun 08, 2023
CVE-2023-2589 5.9 MEDIUM EPSS 0.00
Gitlab < 15.10.8 - Origin Validation Error
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group.
CWE-346 Jun 07, 2023
CVE-2023-28164 6.5 MEDIUM EPSS 0.00
Mozilla Firefox < 111.0 - Origin Validation Error
Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
CWE-346 Jun 02, 2023
CVE-2023-23601 6.5 MEDIUM EPSS 0.00
Mozilla Firefox < 109.0 - Origin Validation Error
Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab, which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Firefox ESR < 102.7, and Thunderbird < 102.7.
CWE-346 Jun 02, 2023
CVE-2023-27745 8.8 HIGH EPSS 0.00
Southrivertech Titan FTP Server Nextgen - Origin Validation Error
An issue in South River Technologies TitanFTP before v2.0.1.2102 allows attackers with low-level privileges to perform administrative actions by sending requests to the user server.
CWE-346 Jun 02, 2023
CVE-2023-29745 7.1 HIGH 1 Writeup EPSS 0.00
Bestweather - Origin Validation Error
An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause a persistent denial of service attack by manipulating the database.
CWE-346 May 31, 2023
CVE-2023-28349 8.8 HIGH EPSS 0.01
Faronics Insight - Origin Validation Error
An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for an attacker to create a crafted program that functions similarly to the Teacher Console. This can compel Student Consoles to connect and put themselves at risk automatically. Connected Student Consoles can be compelled to write arbitrary files to arbitrary locations on disk with NT AUTHORITY/SYSTEM level permissions, enabling remote code execution.
CWE-346 May 31, 2023
CVE-2023-29743 7.5 HIGH 1 Writeup EPSS 0.00
Bestweather - Origin Validation Error
An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause a persistent denial of service attack by manipulating the database.
CWE-346 May 30, 2023
CVE-2023-29728 9.8 CRITICAL 1 Writeup EPSS 0.00
Applika Call Blocker - Origin Validation Error
The Call Blocker application 6.6.3 for Android allows attackers to tamper with feature-related data, resulting in a severe elevation of privilege attack.
CWE-346 May 30, 2023
CVE-2023-33740 7.5 HIGH 1 Writeup EPSS 0.00
Luowice v3.5.18 - Info Disclosure
Incorrect access control in luowice v3.5.18 allows attackers to access cloud source code information via modification of the Verify parameter in a warning message.
CWE-346 May 30, 2023
CVE-2023-23561 5.5 MEDIUM EPSS 0.00
Stormshield Endpoint Security < 2.4.1 - Origin Validation Error
Stormshield Endpoint Security 2.3.0 through 2.3.2 has Incorrect Access Control: authenticated users can read sensitive information.
CWE-346 May 30, 2023
CVE-2023-30196 7.5 HIGH 1 Writeup EPSS 0.00
Webbax Salesbooster < 1.10.5 - Path Traversal
Prestashop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via modules/salesbooster/downloads/download.php.
CWE-22 May 30, 2023
CVE-2023-2886 4.3 MEDIUM EPSS 0.00
CBOT Chatbot <4.0.3.4-4.0.3.7 - Content Spoofing
Missing Origin Validation in WebSockets vulnerability in CBOT Chatbot allows Content Spoofing via Application API Manipulation. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7.
CWE-346 May 25, 2023
CVE-2023-32993 4.8 MEDIUM EPSS 0.00
Jenkins Saml Single Sign ON < 2.0.2 - Origin Validation Error
Jenkins SAML Single Sign On (SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.
CWE-345 May 16, 2023