CVE-2022-22447 -- IBM Disconnected Log Collector 1.0 through 1.8.2 is vulnerable to potential security misconfigurations that could disclose unintended information. IBM X-Force ID: 224648.
|
CVE-2023-30690 -- Improper input validation vulnerability in Duo prior to SMR Oct-2023 Release 1 allows local attackers to launch privileged activities. |
CVE-2023-30692 -- Improper input validation vulnerability in Evaluator prior to SMR Oct-2023 Release 1 allows local attackers to launch privileged activities. |
CVE-2023-30727 -- Improper access control vulnerability in SecSettings prior to SMR Oct-2023 Release 1 allows attackers to enable Wi-Fi and connect arbitrary Wi-Fi without User Interaction. |
CVE-2023-30731 -- Logic error in package installation via debugger command prior to SMR Oct-2023 Release 1 allows physical attacker to install an application that has different build type. |
CVE-2023-30732 -- Improper access control in system property prior to SMR Oct-2023 Release 1 allows local attacker to get CPU serial number. |
CVE-2023-30733 -- Stack-based Buffer Overflow in vulnerability HDCP trustlet prior to SMR Oct-2023 Release 1 allows attacker to perform code execution. |
CVE-2023-30735 -- Improper Preservation of Permissions vulnerability in SAssistant prior to version 8.7 allows local attackers to access backup data in SAssistant. |
CVE-2023-30736 -- Improper authorization in PushMsgReceiver of Samsung Assistant prior to version 8.7.00.1 allows attacker to execute javascript interface. To trigger this vulnerability, user interaction is required. |
CVE-2023-30737 -- Improper access control vulnerability in Samsung Health prior to version 6.24.3.007 allows attackers to access sensitive information via implicit intent. |
CVE-2023-30738 -- An improper input validation in UEFI Firmware prior to Firmware update Oct-2023 Release in Galaxy Book, Galaxy Book Pro, Galaxy Book Pro 360 and Galaxy Book Odyssey allows local attacker to execute SMM memory corruption. |
CVE-2023-3213 -- The WP Mail SMTP Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_print_page function in versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to disclos |
CVE-2023-35905 -- IBM FileNet Content Manager 5.5.8, 5.5.10, and 5.5.11 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials discl |
CVE-2023-37404 -- IBM Observability with Instana 1.0.243 through 1.0.254 could allow an attacker on the network to execute arbitrary code on the host after a successful DNS poisoning attack. IBM X-Force ID: 259789. |
CVE-2023-5291 -- The Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'AWL-BlogFilter' shortcode in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it |
CVE-2023-5357 -- The Instagram for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it poss |
CVE-2023-5368 -- On an msdosfs filesystem, the 'truncate' or 'ftruncate' system calls under certain circumstances populate the additional space in the file with unallocated data from the underlying disk device, rather than zero bytes.
|
CVE-2023-5369 -- Before correction, the copy_file_range system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally |
CVE-2023-5370 -- On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. This resulted in no speculative execution workarounds being installed on CPU 0.
|
CVE-2022-46841 -- Cross-Site Request Forgery (CSRF) vulnerability in Soflyy Oxygen Builder plugin <=Â 4.4 versions. |
CVE-2022-47891 -- All versions of NetMan 204 allow an attacker that knows the MAC and serial number of the device to reset the administrator password via the legitimate recovery function. |
CVE-2022-47892 -- All versions of NetMan 204 could allow an unauthenticated remote attacker to read a file (config.cgi) containing sensitive information, like credentials. |
CVE-2022-47893 -- There is a remote code execution vulnerability that affects all versions of NetMan 204. A remote attacker could upload a firmware file containing a webshell, that could allow him to execute arbitrary code as root. |
CVE-2023-0506 -- The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator ac |
CVE-2023-0828 -- Cross-site Scripting (XSS) vulnerability in Syslog Section of Pandora FMS allows attacker to cause that users cookie value will be transferred to the attackers users server. This issue affects Pandora FMS v767 version and prior versions on all platforms. |
CVE-2023-21673 -- Improper Access to the VM resource manager can lead to Memory Corruption. |
CVE-2023-2222 -- ** REJECT ** This was deemed not a security vulnerability by upstream.
|
CVE-2023-22382 -- Weak configuration in Automotive while VM is processing a listener request from TEE. |
CVE-2023-22384 -- Memory Corruption in VR Service while sending data using Fast Message Queue (FMQ). |
CVE-2023-22385 -- Memory Corruption in Data Modem while making a MO call or MT VOLTE call. |
CVE-2023-24518 -- A Cross-site Request Forgery (CSRF) vulnerability in Pandora FMS allows an attacker to force authenticated users to send a request to a web application they are currently authenticated against. This issue affects Pandora FMS version 767 and earlier versio |
CVE-2023-24843 -- Transient DOS in Modem while triggering a camping on an 5G cell. |
CVE-2023-24844 -- Memory Corruption in Core while invoking a call to Access Control core library with hardware protected address range. |
CVE-2023-24847 -- Transient DOS in Modem while allocating DSM items. |
CVE-2023-24848 -- Information Disclosure in Data Modem while performing a VoLTE call with an undefined RTCP FB line value. |
CVE-2023-24849 -- Information Disclosure in data Modem while parsing an FMTP line in an SDP message. |
CVE-2023-24850 -- Memory Corruption in HLOS while importing a cryptographic key into KeyMaster Trusted Application. |
CVE-2023-24853 -- Memory Corruption in HLOS while registering for key provisioning notify. |
CVE-2023-24855 -- Memory corruption in Modem while processing security related configuration before AS Security Exchange. |
CVE-2023-2544 -- Authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users. |
CVE-2023-25463 -- Cross-Site Request Forgery (CSRF) vulnerability in Gopi Ramasamy WP tell a friend popup form plugin <=Â 7.1 versions. |
CVE-2023-25989 -- Cross-Site Request Forgery (CSRF) vulnerability in Meks Video Importer, Meks Time Ago, Meks ThemeForest Smart Widget, Meks Smart Author Widget, Meks Audio Player, Meks Easy Maps, Meks Easy Photo Feed Widget, Meks Simple Flickr Widget, Meks Easy Ads Widget |
CVE-2023-26150 -- Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication.
|
CVE-2023-26151 -- Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory. |
CVE-2023-26152 -- All versions of the package static-server are vulnerable to Directory Traversal due to improper input sanitization passed via the validPath function of server.js. |
CVE-2023-2681 -- An SQL Injection vulnerability has been found on Jorani version 1.0.0. This vulnerability allows an authenticated remote user, with low privileges, to send queries with malicious SQL code on the "/leaves/validate" path and the âidâ parameter, managing to |
CVE-2023-27435 -- Cross-Site Request Forgery (CSRF) vulnerability in Sami Ahmed Siddiqui HTTP Auth plugin <=Â 0.3.2 versions. |
CVE-2023-2830 -- Cross-Site Request Forgery (CSRF) vulnerability in Trustindex.Io WP Testimonials plugin <=Â 1.4.2 versions. |
CVE-2023-28373 -- A flaw exists in FlashArray Purity whereby an array administrator by configuring an external key manager can affect the availability of data on the system including snapshots protected by SafeMode.
|
CVE-2023-28539 -- Memory corruption in WLAN Host when the firmware invokes multiple WMI Service Available command. |
CVE-2023-28540 -- Cryptographic issue in Data Modem due to improper authentication during TLS handshake. |
CVE-2023-28571 -- Information disclosure in WLAN HOST while processing the WLAN scan descriptor list during roaming scan. |
CVE-2023-3196 -- This vulnerability could allow an attacker to store a malicious JavaScript payload in the login footer and login page description parameters within the administration panel. |
CVE-2023-32091 -- Cross-Site Request Forgery (CSRF) vulnerability in POEditor plugin <=Â 0.9.4 versions. |
CVE-2023-32572 -- A flaw exists in FlashArray Purity wherein under limited circumstances, an array administrator can alter the retention lock of a pgroup and disable pgroup SafeMode protection.
|
CVE-2023-32669 -- Authorization bypass vulnerability in BuddyBoss 2.2.9 version, the exploitation of which could allow an authenticated user to access and rename other users' albums. This vulnerability can be exploited by changing the album identification (id). |
CVE-2023-32670 -- Cross-Site Scripting vulnerability
|
CVE-2023-32671 -- A stored XSS vulnerability has been found on BuddyBoss Platform affecting version 2.2.9. This vulnerability allows an attacker to store a malicious javascript payload via POST request when sending an invitation. |
CVE-2023-32790 -- Cross-Site Scripting (XSS) vulnerability in NXLog Manager 5.6.5633 version. This vulnerability allows an attacker to inject a malicious JavaScript payload into the 'Full Name' field during a user edit, due to improper sanitization of the input parameter. |
CVE-2023-32791 -- Cross-Site Request Forgery (CSRF) vulnerability in NXLog Manager 5.6.5633 version. This vulnerability allows an attacker to manipulate and delete user accounts within the platform by sending a specifically crafted query to the server. The vulnerability is |
CVE-2023-32792 -- Cross-Site Request Forgery (CSRF) vulnerability in NXLog Manager 5.6.5633 version. This vulnerability allows an attacker to eliminate roles within the platform by sending a specifically crafted query to the server. The vulnerability is based on the absenc |
CVE-2023-33026 -- Transient DOS in WLAN Firmware while parsing a NAN management frame. |
CVE-2023-33027 -- Transient DOS in WLAN Firmware while parsing rsn ies. |
CVE-2023-33028 -- Memory corruption in WLAN Firmware while doing a memory copy of pmk cache. |
CVE-2023-33029 -- Memory corruption in DSP Service during a remote call from HLOS to DSP. |
CVE-2023-33034 -- Memory corruption while parsing the ADSP response command. |
CVE-2023-33035 -- Memory corruption while invoking callback function of AFE from ADSP. |
CVE-2023-33039 -- Memory corruption in Automotive Display while destroying the image handle created using connected display driver. |
CVE-2023-33200 -- A local non-privileged user can make improper GPU processing operations to exploit a software race condition. If the systemâs memory is carefully prepared by the user, then this in turn could give them access to already freed memory.
|
CVE-2023-33268 -- An issue was discovered in DTS Monitoring 3.57.0. The parameter port within the SSL Certificate check function is vulnerable to OS command injection (blind).
|
CVE-2023-33269 -- An issue was discovered in DTS Monitoring 3.57.0. The parameter options within the WGET check function is vulnerable to OS command injection (blind).
|
CVE-2023-33270 -- An issue was discovered in DTS Monitoring 3.57.0. The parameter url within the Curl check function is vulnerable to OS command injection (blind).
|
CVE-2023-33271 -- An issue was discovered in DTS Monitoring 3.57.0. The parameter common_name within the SSL Certificate check function is vulnerable to OS command injection (blind).
|
CVE-2023-33272 -- An issue was discovered in DTS Monitoring 3.57.0. The parameter ip within the Ping check function is vulnerable to OS command injection (blind).
|
CVE-2023-33273 -- An issue was discovered in DTS Monitoring 3.57.0. The parameter url within the WGET check function is vulnerable to OS command injection (blind).
|
CVE-2023-3335 -- Insertion of Sensitive Information into Log File vulnerability in Hitachi Ops Center Administrator on Linux allows local users to gain sensive information.This issue affects Hitachi Ops Center Administrator: before 10.9.3-00.
|
CVE-2023-3349 -- Information exposure vulnerability in IBERMATICA RPS 2019, which exploitation could allow an unauthenticated user to retrieve sensitive information, such as usernames, IP addresses or SQL queries sent to the application. By accessing the URL /RPS2019Servi |
CVE-2023-3350 -- A Cryptographic Issue vulnerability has been found on IBERMATICA RPS, affecting version 2019. By firstly downloading the log file, an attacker could retrieve the SQL query sent to the application in plaint text. This log file contains the password hashes |
CVE-2023-3440 -- Incorrect Default Permissions vulnerability in Hitachi JP1/Performance Management on Windows allows File Manipulation.This issue affects JP1/Performance Management - Manager: from 09-00 before 12-50-07; JP1/Performance Management - Base: from 09-00 throug |
CVE-2023-34970 -- A local non-privileged user can make improper GPU processing operations to access a limited amount outside of buffer bounds or to exploit a software race condition. If the systemâs memory is carefully prepared by the user, then this in turn could give the |
CVE-2023-3654 -- cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37 are affected by a origin bypass via the host header in an HTTP request. This vulnerability can be triggered by an HTTP endpoint exposed to |
CVE-2023-3655 -- cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37 are affected by a dangerous methods, that allows to leak the database (system settings, user accounts,...). This vulnerability can be trig |
CVE-2023-3656 -- cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37 are affected by an unauthenticated remote code execution vulnerability. This vulnerability can be triggered by an HTTP endpoint exposed to |
CVE-2023-36628 -- A flaw exists in VASA which allows users with access to a vSphere/ESXi VMware admin on a FlashArray to gain root access through privilege escalation.
|
CVE-2023-37891 -- Cross-Site Request Forgery (CSRF) vulnerability in OptiMonk OptiMonk: Popups, Personalization & A/B Testing plugin <=Â 2.0.4 versions. |
CVE-2023-37990 -- Cross-Site Request Forgery (CSRF) vulnerability in Mike Perelink Pro plugin <=Â 2.1.4 versions. |
CVE-2023-37991 -- Cross-Site Request Forgery (CSRF) vulnerability in Monchito.Net WP Emoji One plugin <=Â 0.6.0 versions. |
CVE-2023-37992 -- Cross-Site Request Forgery (CSRF) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin <=Â 3.1.35 versions. |
CVE-2023-37996 -- Cross-Site Request Forgery (CSRF) vulnerability in GTmetrix GTmetrix for WordPress plugin <=Â 0.4.7 versions. |
CVE-2023-37998 -- Cross-Site Request Forgery (CSRF) vulnerability in Saas Disabler plugin <=Â 3.0.3 versions. |
CVE-2023-38381 -- Cross-Site Request Forgery (CSRF) vulnerability in Cyle Conoly WP-FlyBox plugin <=Â 6.46 versions. |
CVE-2023-38390 -- Cross-Site Request Forgery (CSRF) vulnerability in Anshul Labs Mobile Address Bar Changer plugin <=Â 3.0 versions. |
CVE-2023-38396 -- Cross-Site Request Forgery (CSRF) vulnerability in Alain Gonzalez plugin <=Â 3.1.2 versions. |
CVE-2023-38398 -- Cross-Site Request Forgery (CSRF) vulnerability in Taboola plugin <=Â 2.0.1 versions. |
CVE-2023-39158 -- Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Banner Management For WooCommerce plugin <=Â 2.4.2 versions. |
CVE-2023-39159 -- Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Fraud Prevention For Woocommerce plugin <=Â 2.1.5 versions. |
CVE-2023-39165 -- Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign-up Sheets plugin <=Â 2.2.8 versions. |
CVE-2023-39222 -- OS command injection vulnerability in FURUNO SYSTEMS wireless LAN access point devices allows an authenticated user to execute an arbitrary OS command that is not intended to be executed from the web interface by sending a specially crafted request. Affec |
CVE-2023-39429 -- Cross-site scripting vulnerability in FURUNO SYSTEMS wireless LAN access point devices allows an authenticated user to inject an arbitrary script via a crafted configuration. Affected products and versions are as follows: ACERA 1210 firmware ver.02.36 and |
CVE-2023-39645 -- Improper neutralization of SQL parameter in Theme Volty CMS Payment Icon module for PrestaShop. In the module âTheme Volty CMS Payment Iconâ (tvcmspaymenticon) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affec |
CVE-2023-39645 -- Theme volty tvcmspaymenticon up to v4.0.1 was discovered to contain a SQL injection vulnerability via the component /tvcmspaymenticon/ajax.php?action=update_position&recordsArray. |
CVE-2023-39646 -- Improper neutralization of SQL parameter in Theme Volty CMS Category Chain Slider module for PrestaShop. In the module âTheme Volty CMS Category Chain Slide"(tvcmscategorychainslider) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perfor |
CVE-2023-39647 -- Improper neutralization of SQL parameter in Theme Volty CMS Category Product module for PrestaShop. In the module âTheme Volty CMS Category Productâ (tvcmscategoryproduct) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL inject |
CVE-2023-39648 -- Improper neutralization of SQL parameter in Theme Volty CMS Testimonial module for PrestaShop. In the module âTheme Volty CMS Testimonialâ (tvcmstestimonial) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affecte |
CVE-2023-39649 -- Improper neutralization of SQL parameter in Theme Volty CMS Category Slider module for PrestaShop. In the module âTheme Volty CMS Category Sliderâ (tvcmscategoryslider) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection |
CVE-2023-39651 -- Improper neutralization of SQL parameter in Theme Volty CMS BrandList module for PrestaShop In the module âTheme Volty CMS BrandListâ (tvcmsbrandlist) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versi |
CVE-2023-3967 -- Allocation of Resources Without Limits or Throttling vulnerability in Hitachi Ops Center Common Services on Linux allows DoS.This issue affects Hitachi Ops Center Common Services: before 10.9.3-00.
|
CVE-2023-39917 -- Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery Team Photo Gallery by Ays â Responsive Image Gallery plugin <=Â 5.2.6 versions. |
CVE-2023-39923 -- Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme The Post Grid plugin <=Â 7.2.7 versions. |
CVE-2023-39989 -- Cross-Site Request Forgery (CSRF) vulnerability in 99robots Header Footer Code Manager plugin <=Â 1.1.34 versions. |
CVE-2023-40009 -- Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Pipes plugin <=Â 1.4.0 versions. |
CVE-2023-40198 -- Cross-Site Request Forgery (CSRF) vulnerability in Antsanchez Easy Cookie Law plugin <=Â 3.1 versions. |
CVE-2023-40199 -- Cross-Site Request Forgery (CSRF) vulnerability in CRUDLab WP Like Button plugin <=Â 1.7.0 versions. |
CVE-2023-40201 -- Cross-Site Request Forgery (CSRF) vulnerability in FuturioWP Futurio Extra plugin <= 1.8.4 versions leads to activation of arbitrary plugin. |
CVE-2023-40202 -- Cross-Site Request Forgery (CSRF) vulnerability in Hannes Etzelstorfer // codemiq WP HTML Mail plugin <=Â 3.4.1 versions. |
CVE-2023-40210 -- Cross-Site Request Forgery (CSRF) vulnerability in Sean Barton (Tortoise IT) SB Child List plugin <=Â 4.5 versions. |
CVE-2023-40212 -- Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Product Attachment for WooCommerce plugin <=Â 2.1.8 versions. |
CVE-2023-40519 -- A cross-site scripting (XSS) vulnerability in the bpk-common/auth/login/index.html login portal in Broadpeak Centralized Accounts Management Auth Agent 01.01.00.19219575_ee9195b0, 01.01.01.30097902_fd999e76, and 00.12.01.9565588_1254b459 allows remote att |
CVE-2023-40558 -- Cross-Site Request Forgery (CSRF) vulnerability in eMarket Design YouTube Video Gallery by YouTube Showcase plugin <=Â 3.3.5 versions. |
CVE-2023-40830 -- Tenda AC6 v15.03.05.19 is vulnerable to Buffer Overflow as the Index parameter does not verify the length. |
CVE-2023-4097 -- The file upload functionality is not implemented correctly and allows uploading of any type of file. As a prerequisite, it is necessary for the attacker to log into the application with a valid username. |
CVE-2023-4098 -- It has been identified that the web application does not correctly filter input parameters, allowing SQL injections, DoS or information disclosure. As a prerequisite, it is necessary to log into the application. |
CVE-2023-4099 -- The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. |
CVE-2023-4100 -- Allows an attacker to perform XSS attacks stored on certain resources. Exploiting this vulnerability can lead to a DoS condition, among other actions. |
CVE-2023-4101 -- The QSige login SSO does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. |
CVE-2023-4102 -- QSige login SSO does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. |
CVE-2023-4103 -- QSige statistics are affected by a remote SQLi vulnerability. It has been identified that the web application does not correctly filter input parameters, allowing SQL injections, DoS or information disclosure. As a prerequisite, it is necessary to log int |
CVE-2023-41086 -- Cross-site request forgery (CSRF) vulnerability exists in FURUNO SYSTEMS wireless LAN access point devices. If a user views a malicious page while logged in, unintended operations may be performed. Affected products and versions are as follows: ACERA 1210 |
CVE-2023-41244 -- Cross-Site Request Forgery (CSRF) vulnerability in Buildfail Localize Remote Images plugin <=Â 1.0.9 versions. |
CVE-2023-41693 -- Cross-Site Request Forgery (CSRF) vulnerability in edward_plainview MyCryptoCheckout plugin <=Â 2.125 versions. |
CVE-2023-42508 -- JFrog Artifactory prior to version 7.66.0 is vulnerable to specific endpoint abuse with a specially crafted payload, which can lead to unauthenticated users being able to send emails with manipulated email body. |
CVE-2023-42771 -- Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or l |
CVE-2023-43176 -- A deserialization vulnerability in Afterlogic Aurora Files v9.7.3 allows attackers to execute arbitrary code via supplying a crafted .sabredav file. |
CVE-2023-43627 -- Path traversal vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent authenticated attacker to alter critical information such as system files by sending a specially crafted req |
CVE-2023-43898 -- Nothings stb 2.28 was discovered to contain a Null Pointer Dereference via the function stbi__convert_format. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted pic file. |
CVE-2023-43951 -- SSCMS 7.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Column Management component.
|
CVE-2023-43952 -- SSCMS 7.2.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Material Management component.
|
CVE-2023-43953 -- SSCMS 7.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Content Management component.
|
CVE-2023-43976 -- An issue in CatoNetworks CatoClient before v.5.4.0 allows attackers to escalate privileges and winning the race condition (TOCTOU) via the PrivilegedHelperTool component. |
CVE-2023-44973 -- An arbitrary file upload vulnerability in the component /content/templates/ of Emlog Pro v2.2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
|
CVE-2023-44974 -- An arbitrary file upload vulnerability in the component /admin/plugin.php of Emlog Pro v2.2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
|
CVE-2023-4564 -- This vulnerability could allow an attacker to store a malicious JavaScript payload in the broadcast message parameter within the admin panel. |
CVE-2023-4732 -- A flaw was found in the Linux Kernel's memory management subsytem. A task exits and releases a 2MB page in a vma (vm_area_struct) and hits the BUG statement in pfn_swap_entry_to_page() referencing pmd_t x.
|
CVE-2023-4817 -- This vulnerability allows an authenticated attacker to upload malicious files by bypassing the restrictions of the upload functionality, compromising the entire device. |
CVE-2023-4882 -- DOS vulnerability that could allow an attacker to register a new VNF (Virtual Network Function) value. This action could trigger the args_assets() function defined in the arg-log.php file, which would then execute the args-abort.c file, causing the servic |
CVE-2023-4883 -- Invalid pointer release vulnerability. Exploitation of this vulnerability could allow an attacker to interrupt the correct operation of the service by sending a specially crafted json string to the VNF (Virtual Network Function), and triggering the ogs_s |
CVE-2023-4884 -- An attacker could send an HTTP request to an Open5GS endpoint and retrieve the information stored on the device due to the lack of Authentication. |
CVE-2023-4885 -- Man in the Middle vulnerability, which could allow an attacker to intercept VNF (Virtual Network Function) communications resulting in the exposure of sensitive information. |
CVE-2023-4886 -- A sensitive information exposure vulnerability was found in foreman. Contents of tomcat's server.xml file, which contain passwords to candlepin's keystore and truststore, were found to be world readable.
|
CVE-2023-4911 -- A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching b |
CVE-2023-4929 -- All firmware versions of the NPort 5000 Series are affected by an improper validation of integrity check vulnerability. This vulnerability results from insufficient checks on firmware updates or upgrades, potentially allowing malicious users to manipulate |
CVE-2023-5255 -- For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked. |
CVE-2023-5334 -- The WP Responsive header image slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sp_responsiveslider' shortcode in versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied |
CVE-2023-5345 -- A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation.
|
CVE-2023-5350 -- SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1. |
CVE-2023-5351 -- Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to 7.14.1. |
CVE-2023-5353 -- Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.14.1. |
CVE-2015-10124 -- A vulnerability was found in Most Popular Posts Widget Plugin up to 0.8 on WordPress. It has been classified as critical. Affected is the function add_views/show_views of the file functions.php. The manipulation leads to sql injection. It is possible to l |
CVE-2023-0809 -- In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets. |
CVE-2023-20819 -- In CDMA PPP protocol, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privilege needed. User interaction is not needed for exploitation. Patch ID: MOLY01 |
CVE-2023-28372 -- A flaw exists in FlashBlade Purity (OE) Version 4.1.0 whereby a user with privileges to extend an objectâs retention period can affect the availability of the object lock.
|
CVE-2023-31042 -- A flaw exists in FlashBlade Purity whereby an authenticated user with access to FlashBladeâs object store protocol can impact the availability of the systemâs data access and replication protocols.
|
CVE-2023-32819 -- In display, there is a possible information disclosure due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07993705; Issue I |
CVE-2023-32820 -- In wlan firmware, there is a possible firmware assertion due to improper input handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07932637; I |
CVE-2023-32821 -- In video, there is a possible out of bounds write due to a permissions bypass. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08013430; Issue ID: ALP |
CVE-2023-32822 -- In ftm, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07994229; Issue ID: ALP |
CVE-2023-32823 -- In rpmb , there is a possible memory corruption due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07912966; Issue ID: ALP |
CVE-2023-32824 -- In rpmb , there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07912966; Issue ID: ALPS07912961. |
CVE-2023-32827 -- In camera middleware, there is a possible out of bounds write due to a missing input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07993 |
CVE-2023-32828 -- In vpu, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07767817; Issue ID: ALPS07 |
CVE-2023-32829 -- In apusys, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07713478; Issue ID: ALP |
CVE-2023-32830 -- In TVAPI, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03802522; Issue ID: DT |
CVE-2023-3592 -- In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
|
CVE-2023-36627 -- A flaw exists in FlashBlade Purity whereby a user with access to an administrative account on a FlashBlade that is configured with timezone-dependent snapshot schedules can configure a timezone to prevent the schedule from functioning properly.
|
CVE-2023-3744 -- Server-Side Request Forgery vulnerability in SLims version 9.6.0. This vulnerability could allow an authenticated attacker to send requests to internal services or upload the contents of relevant files via the "scrape_image.php" file in the imageURL param |
CVE-2023-37605 -- Buffer Overflow vulnerability in baramundi software GmbH EMM Agent 23.1.50 and before allows an attacker to cause a denial of service via a crafted request to the password parameter. |
CVE-2023-3768 -- Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MM |
CVE-2023-40744 -- ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2023. Notes: none.
|
CVE-2023-41580 -- Phpipam before v1.5.2 was discovered to contain a LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a cra |
CVE-2023-41692 -- Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Hennessey Digital Attorney theme <=Â 3 theme. |
CVE-2023-41728 -- Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Rescue Themes Rescue Shortcodes plugin <=Â 2.5 versions. |
CVE-2023-41729 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin <=Â 1.22.3.31 versions. |
CVE-2023-41731 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution WordPress publish post email notification plugin <=Â 1.0.2.2 versions. |
CVE-2023-41733 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in YYDevelopment Back To The Top Button plugin <= 2.1.5 versions. |
CVE-2023-41734 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in nigauri Insert Estimated Reading Time plugin <=Â 1.2 versions. |
CVE-2023-41736 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Email posts to subscribers plugin <=Â 6.2 versions. |
CVE-2023-41737 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPGens Swifty Bar, sticky bar by WPGens plugin <=Â 1.2.10 versions. |
CVE-2023-41797 -- Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Gold Plugins Locations plugin <=Â 4.0 versions. |
CVE-2023-41800 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in UniConsent UniConsent CMP for GDPR CPRA GPP TCF plugin <=Â 1.4.2 versions. |
CVE-2023-41847 -- Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WEN Solutions Notice Bar plugin <=Â 3.1.0 versions. |
CVE-2023-41855 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Regpacks Regpack plugin <=Â 0.1 versions. |
CVE-2023-41856 -- Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ClickToTweet.Com Click To Tweet plugin <=Â 2.0.14 versions. |
CVE-2023-41859 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ashok Rane Order Delivery Date for WP e-Commerce plugin <=Â 1.2 versions. |
CVE-2023-42132 -- FD Application Apr. 2022 Edition (Version 9.01) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.
|
CVE-2023-43267 -- A cross-site scripting (XSS) vulnerability in the publish article function of emlog pro v2.1.14 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title field. |
CVE-2023-43268 -- Deyue Remote Vehicle Management System v1.1 was discovered to contain a deserialization vulnerability. |
CVE-2023-43297 -- An issue in animal-art-lab v13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.
|
CVE-2023-43361 -- Buffer Overflow vulnerability in Vorbis-tools v.1.4.2 allows a local attacker to execute arbitrary code and cause a denial of service during the conversion of wav files to ogg files. |
CVE-2023-43835 -- Super Store Finder 3.7 and below is vulnerable to authenticated Arbitrary PHP Code Injection that could lead to Remote Code Execution when settings overwrite config.inc.php content. |
CVE-2023-43836 -- There is a SQL injection vulnerability in the Jizhicms 2.4.9 backend, which users can use to obtain database information |
CVE-2023-43890 -- Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability in the diagnostic tools page. This vulnerability is exploited via a crafted HTTP request.
|
CVE-2023-43891 -- Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability in the Changing Username and Password function. This vulnerability is exploited via a crafted payload.
|
CVE-2023-43892 -- Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability via the Hostname parameter within the WAN settings. This vulnerability is exploited via a crafted payload.
|
CVE-2023-43893 -- Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability via the wakeup_mac parameter in the Wake-On-LAN (WoL) function. This vulnerability is exploited via a crafted payload.
|
CVE-2023-43980 -- Presto Changeo testsitecreator up to v1.1.1 was discovered to contain a SQL injection vulnerability via the component disable_json.php.
|
CVE-2023-43980 -- Presto Changeo testsitecreator up to v1.1.1 was discovered to contain a SQL injection vulnerability via the component disable_json.php. |
CVE-2023-44008 -- File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the File Manager function.
|
CVE-2023-44009 -- File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the Skin Management function. |
CVE-2023-44011 -- An issue in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the layout.master skin file at the Skin management component.
|
CVE-2023-44012 -- Cross Site Scripting vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the helpkey parameter in the Help.aspx component.
|
CVE-2023-44144 -- Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Dreamfox Payment gateway per Product for WooCommerce plugin <=Â 3.2.7 versions. |
CVE-2023-44145 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in jesweb.Dev Anchor Episodes Index (Spotify for Podcasters) plugin <=Â 2.1.7 versions. |
CVE-2023-44228 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Onclick show popup plugin <=Â 8.1 versions. |
CVE-2023-44239 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jobin Jose WWM Social Share On Image Hover plugin <=Â 2.2 versions. |
CVE-2023-44242 -- Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in 2J Slideshow Team Slideshow, Image Slider by 2J plugin <=Â 1.3.54 versions. |
CVE-2023-44244 -- Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugins FooGallery plugin <=Â 2.2.44 versions. |
CVE-2023-44245 -- Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Leap Contractor Contact Form Website to Workflow Tool plugin <=Â 4.0.0 versions. |
CVE-2023-44262 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Renzo Johnson Blocks plugin <=Â 1.6.41 versions. |
CVE-2023-44263 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Riyaz Social Metrics plugin <=Â 2.2 versions. |
CVE-2023-44264 -- Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Arrow Plugins The Awesome Feed â Custom Feed plugin <=Â 2.2.5 versions. |
CVE-2023-44265 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Popup contact form plugin <=Â 7.1 versions. |
CVE-2023-44266 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jewel Theme WP Adminify plugin <=Â 3.1.6 versions. |
CVE-2023-44463 -- An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of |
CVE-2023-44474 -- Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in MD Jakir Hosen Tiger Forms â Drag and Drop Form Builder plugin <=Â 2.0.0 versions. |
CVE-2023-44477 -- Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin <=Â 1.7.13 versions. |
CVE-2023-44479 -- Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jim Krill WP Jump Menu plugin <=Â 3.6.4 versions. |
CVE-2023-4659 -- Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different actions on the platform as an administrator, simply by changing the token value to "admin". It is also possible to perform POST, GET and DELETE reque |
CVE-2023-5106 -- An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer |
CVE-2023-5160 -- Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the full name of another user even if the Show Full Name option was disabled
|
CVE-2023-5290 -- ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.
|
CVE-2023-5328 -- A vulnerability classified as critical has been found in SATO CL4NX-J Plus 1.13.2-u455_r2. This affects an unknown part of the component Cookie Handler. The manipulation with the input auth=user,level1,settings; web=true leads to improper authentication. |
CVE-2023-5329 -- A vulnerability classified as problematic was found in Field Logic DataCube4 up to 20231001. This vulnerability affects unknown code of the file /api/ of the component Web API. The manipulation leads to improper authentication. The exploit has been disclo |
CVE-2023-5344 -- Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969. |