Security Vulnerabilities - Known exploited
CVE-2023-49897
An OS command injection vulnerability exists in AE1021PE firmware version 2.0.9 and earlier and AE1021 firmware version 2.0.9 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product.
Known exploited
CVSS Score
8.8
EPSS Score
0.419
Published
2023-12-06
CVE-2023-44221
Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability.
Known exploited
CVSS Score
7.2
EPSS Score
0.474
Published
2023-12-05
CVE-2023-6448
Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.
Known exploited
CVSS Score
9.8
EPSS Score
0.105
Published
2023-12-05
CVE-2023-33106
Memory corruption while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
Known exploited
CVSS Score
8.4
EPSS Score
0.001
Published
2023-12-05
CVE-2023-33107
Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.
Known exploited
CVSS Score
8.4
EPSS Score
0.001
Published
2023-12-05
CVE-2023-33063
Memory corruption in DSP Services during a remote call from HLOS to DSP.
Known exploited
CVSS Score
7.8
EPSS Score
0.002
Published
2023-12-05
CVE-2023-42916
An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Known exploited
CVSS Score
6.5
EPSS Score
0.0
Published
2023-11-30
CVE-2023-42917
A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Known exploited
CVSS Score
8.8
EPSS Score
0.0
Published
2023-11-30
CVE-2023-6345
Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
Known exploited
CVSS Score
9.6
EPSS Score
0.007
Published
2023-11-29
CVE-2023-49103
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
Known exploited
CVSS Score
10.0
EPSS Score
0.944
Published
2023-11-21