CVE-2023-41266

Known exploited
Used for ransomware
A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
Max CVSS
8.2
EPSS Score
83.57%
Published
2023-08-29
Updated
2023-09-08
CISA KEV Added
2023-12-07

CVE-2023-41265

Known exploited
Used for ransomware
An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
Max CVSS
9.9
EPSS Score
91.51%
Published
2023-08-29
Updated
2023-09-08
CISA KEV Added
2023-12-07

CVE-2023-33107

Known exploited
Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.
Max CVSS
8.4
EPSS Score
0.06%
Published
2023-12-05
Updated
2023-12-11
CISA KEV Added
2023-12-05

CVE-2023-33106

Known exploited
Memory corruption while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
Max CVSS
8.4
EPSS Score
0.06%
Published
2023-12-05
Updated
2023-12-11
CISA KEV Added
2023-12-05

CVE-2023-33063

Known exploited
Memory corruption in DSP Services during a remote call from HLOS to DSP.
Max CVSS
7.8
EPSS Score
0.06%
Published
2023-12-05
Updated
2023-12-11
CISA KEV Added
2023-12-05

CVE-2022-22071

Known exploited
Possible use after free when process shell memory is freed using IOCTL munmap call and process initialization is in progress in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music
Max CVSS
8.4
EPSS Score
0.11%
Published
2022-06-14
Updated
2022-06-22
CISA KEV Added
2023-12-05

CVE-2023-42917

Known exploited
A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Max CVSS
8.8
EPSS Score
0.14%
Published
2023-11-30
Updated
2024-01-26
CISA KEV Added
2023-12-04

CVE-2023-42916

Known exploited
An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Max CVSS
6.5
EPSS Score
0.11%
Published
2023-11-30
Updated
2024-01-26
CISA KEV Added
2023-12-04

CVE-2023-49103

Known exploited
Public exploit
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
Max CVSS
10.0
EPSS Score
88.83%
Published
2023-11-21
Updated
2023-12-05
CISA KEV Added
2023-11-30

CVE-2023-6345

Known exploited
Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
Max CVSS
9.6
EPSS Score
5.84%
Published
2023-11-29
Updated
2024-01-31
CISA KEV Added
2023-11-30

CVE-2023-4911

Known exploited
Public exploit
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
Max CVSS
7.8
EPSS Score
1.71%
Published
2023-10-03
Updated
2024-02-22
CISA KEV Added
2023-11-21

CVE-2023-36584

Known exploited
Windows Mark of the Web Security Feature Bypass Vulnerability
Max CVSS
5.4
EPSS Score
0.11%
Published
2023-10-10
Updated
2023-10-13
CISA KEV Added
2023-11-16

CVE-2023-1671

Known exploited
A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
Max CVSS
9.8
EPSS Score
96.43%
Published
2023-04-04
Updated
2023-04-26
CISA KEV Added
2023-11-16

CVE-2020-2551

Known exploited
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Max CVSS
9.8
EPSS Score
97.44%
Published
2020-01-15
Updated
2022-10-25
CISA KEV Added
2023-11-16

CVE-2023-36036

Known exploited
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Max CVSS
7.8
EPSS Score
0.04%
Published
2023-11-14
Updated
2023-11-20
CISA KEV Added
2023-11-14

CVE-2023-36033

Known exploited
Windows DWM Core Library Elevation of Privilege Vulnerability
Max CVSS
7.8
EPSS Score
0.04%
Published
2023-11-14
Updated
2023-11-20
CISA KEV Added
2023-11-14

CVE-2023-36025

Known exploited
Windows SmartScreen Security Feature Bypass Vulnerability
Max CVSS
8.8
EPSS Score
0.49%
Published
2023-11-14
Updated
2023-11-21
CISA KEV Added
2023-11-14

CVE-2023-47246

Known exploited
In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.
Max CVSS
9.8
EPSS Score
94.35%
Published
2023-11-10
Updated
2023-11-13
CISA KEV Added
2023-11-13

CVE-2023-36851

Known exploited
A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to webauth_operation.php that doesn't require authentication, an attacker is able to upload and download arbitrary files via J-Web, leading to a loss of integrity or confidentiality, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * 21.2 versions prior to 21.2R3-S8; * 21.4 versions prior to 21.4R3-S6; * 22.1 versions prior to 22.1R3-S5; * 22.2 versions prior to 22.2R3-S3; * 22.3 versions prior to 22.3R3-S2; * 22.4 versions prior to 22,4R2-S2, 22.4R3; * 23.2 versions prior to 23.2R1-S2, 23.2R2.
Max CVSS
5.3
EPSS Score
0.62%
Published
2023-09-27
Updated
2024-01-25
CISA KEV Added
2023-11-13

CVE-2023-36847

Known exploited
A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.
Max CVSS
5.3
EPSS Score
3.56%
Published
2023-08-17
Updated
2023-09-27
CISA KEV Added
2023-11-13
Toggle Search Form
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!