CISA
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
kamailio -- kamailio | The Kamailio SIP server before 5.5.0 mishandles INVITE requests with duplicated fields and an overlength tag, leading to a buffer overflow that crashes the server or possibly has unspecified other impact. | 2023-03-15 | 9.8 | CVE-2020-27507 MISC MISC |
stoqey -- gnuplot | An issue found in Stoqey gnuplot v.0.0.3 and earlier allows attackers to execute arbitrary code via the src/index.ts, plotCallack, child_process, and/or filePath parameter(s). | 2023-03-10 | 9.8 | CVE-2021-33360 MISC MISC |
qualcomm -- ar8035_firmware | Memory corruption due to improper validation of array index in Multi-mode call processor. | 2023-03-10 | 9.8 | CVE-2022-33256 MISC |
combodo -- itop | Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1. | 2023-03-14 | 9.8 | CVE-2022-39216 MISC MISC MISC |
qualcomm -- apq8009_firmware | Memory corruption in Video due to double free while playing 3gp clip with invalid metadata atoms. | 2023-03-10 | 9.8 | CVE-2022-40515 MISC |
qualcomm -- apq8009_firmware | Memory corruption in Bluetooth HOST while processing the AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT AVRCP response. | 2023-03-10 | 9.8 | CVE-2022-40537 MISC |
ibexa -- kernel | An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled. | 2023-03-12 | 9.8 | CVE-2022-48367 MISC MISC |
10web -- map_builder_for_google_maps | The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | 2023-03-13 | 9.8 | CVE-2023-0037 MISC MISC |
akuvox -- e11_firmware | The Akuvox E11 secure shell (SSH) server is enabled by default and can be accessed by the root user. This password cannot be changed by the user. | 2023-03-13 | 9.8 | CVE-2023-0345 MISC |
akuvox -- e11_firmware | Akuvox E11 uses a weak encryption algorithm for stored passwords and uses a hard-coded password for decryption which could allow the encrypted passwords to be decrypted from the configuration file. | 2023-03-13 | 9.8 | CVE-2023-0353 MISC |
alpatateknoloji -- licensed_warehousing_automation_system | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alpata Licensed Warehousing Automation System allows Command Line Execution through SQL Injection. This issue affects Licensed Warehousing Automation System: through 2023.1.01. | 2023-03-10 | 9.8 | CVE-2023-1091 MISC |
saysis -- starcities | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saysis Starcities allows SQL Injection. This issue affects Starcities: through 1.3. | 2023-03-10 | 9.8 | CVE-2023-1198 MISC |
froxlor -- froxlor | Authentication Bypass by Primary Weakness in GitHub repository froxlor/froxlor prior to 2.0.13. | 2023-03-10 | 9.8 | CVE-2023-1307 MISC CONFIRM |
online_graduate_tracer_system_project -- online_graduate_tracer_system | A vulnerability classified as critical has been found in SourceCodester Online Graduate Tracer System 1.0. Affected is an unknown function of the file admin/adminlog.php. The manipulation of the argument user leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222696. | 2023-03-10 | 9.8 | CVE-2023-1308 MISC MISC MISC |
online_graduate_tracer_system_project -- online_graduate_tracer_system | A vulnerability classified as critical was found in SourceCodester Online Graduate Tracer System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/search_it.php. The manipulation of the argument input leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222697 was assigned to this vulnerability. | 2023-03-10 | 9.8 | CVE-2023-1309 MISC MISC MISC |
online_graduate_tracer_system_project -- online_graduate_tracer_system | A vulnerability, which was classified as critical, has been found in SourceCodester Online Graduate Tracer System 1.0. Affected by this issue is some unknown functionality of the file admin/prof.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-222698 is the identifier assigned to this vulnerability. | 2023-03-10 | 9.8 | CVE-2023-1310 MISC MISC MISC |
friendly_island_pizza_website_and_ordering_system_project -- friendly_island_pizza_website_and_ordering_system | A vulnerability, which was classified as critical, was found in SourceCodester Friendly Island Pizza Website and Ordering System 1.0. This affects an unknown part of the file large.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222699. | 2023-03-10 | 9.8 | CVE-2023-1311 MISC MISC MISC |
lmxcms -- lmxcms | A vulnerability has been found in lmxcms 1.41 and classified as critical. Affected by this vulnerability is the function update of the file AcquisiAction.class.php. The manipulation of the argument id with the input -1 and updatexml(0,concat(0x7e,user()),1)# leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222727. | 2023-03-10 | 9.8 | CVE-2023-1321 MISC MISC |
lmxcms -- lmxcms | A vulnerability was found in lmxcms 1.41 and classified as critical. Affected by this issue is the function reply of the file BookAction.class.php. The manipulation of the argument id with the input 1) and updatexml(0,concat(0x7e,user()),1)# leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222728. | 2023-03-10 | 9.8 | CVE-2023-1322 MISC MISC |
liferea_project -- liferea | A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848. | 2023-03-11 | 9.8 | CVE-2023-1350 MISC MISC MISC |
computer_parts_sales_and_inventory_system_project -- computer_parts_sales_and_inventory_system | A vulnerability classified as critical has been found in SourceCodester Computer Parts Sales and Inventory System 1.0. This affects an unknown part of the file cust_transac.php. The manipulation of the argument phonenumber leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222849 was assigned to this vulnerability. | 2023-03-11 | 9.8 | CVE-2023-1351 MISC MISC MISC |
design_and_implementation_of_covid-19_directory_on_vaccination_system_project -- design_and_implementation_of_covid-19_directory_on_vaccination_system | A vulnerability, which was classified as critical, has been found in SourceCodester Design and Implementation of Covid-19 Directory on Vaccination System 1.0. This issue affects some unknown processing of the file /admin/login.php. The manipulation of the argument txtusername/txtpassword leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222851. | 2023-03-11 | 9.8 | CVE-2023-1352 MISC MISC MISC |
simple_bakery_shop_management_system_project -- simple_bakery_shop_management_system | A vulnerability, which was classified as critical, has been found in SourceCodester Simple Bakery Shop Management System 1.0. Affected by this issue is some unknown functionality of the component Admin Login. The manipulation of the argument username/password with the input admin' or 1=1 -- leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222860. | 2023-03-12 | 9.8 | CVE-2023-1357 MISC MISC |
gadget_works_online_ordering_system_project -- gadget_works_online_ordering_system | A vulnerability, which was classified as critical, was found in SourceCodester Gadget Works Online Ordering System 1.0. This affects an unknown part of the file /philosophy/admin/login.php of the component POST Parameter Handler. The manipulation of the argument user_email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222861 was assigned to this vulnerability. | 2023-03-12 | 9.8 | CVE-2023-1358 MISC MISC MISC |
xhcms_project -- xhcms | A vulnerability was found in XHCMS 1.0. It has been declared as critical. This vulnerability affects unknown code of the file login.php of the component POST Parameter Handler. The manipulation of the argument user leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222874 is the identifier assigned to this vulnerability. | 2023-03-13 | 9.8 | CVE-2023-1368 MISC MISC MISC |
friendly_island_pizza_website_and_ordering_system_project -- friendly_island_pizza_website_and_ordering_system | A vulnerability classified as critical was found in SourceCodester Friendly Island Pizza Website and Ordering System 1.0. This vulnerability affects unknown code of the file paypalsuccess.php of the component POST Parameter Handler. The manipulation of the argument cusid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222904. | 2023-03-13 | 9.8 | CVE-2023-1378 MISC MISC MISC |
online_tours_\&travels_management_system_project -- online_tours\&_travels_management_system | A vulnerability, which was classified as problematic, was found in SourceCodester Online Tours & Travels Management System 1.0. Affected is an unknown function of the file admin/ab.php. The manipulation of the argument img leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-222978 is the identifier assigned to this vulnerability. | 2023-03-14 | 9.8 | CVE-2023-1391 MISC MISC MISC |
online_pizza_ordering_system_project -- online_pizza_ordering_system | A vulnerability has been found in SourceCodester Online Pizza Ordering System 1.0 and classified as critical. Affected by this vulnerability is the function save_menu. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222979. | 2023-03-14 | 9.8 | CVE-2023-1392 MISC MISC MISC |
online_graduate_tracer_system_project -- online_graduate_tracer_system | A vulnerability was found in SourceCodester Online Graduate Tracer System 1.0. It has been classified as critical. This affects the function mysqli_query of the file bsitemp.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222981 was assigned to this vulnerability. | 2023-03-14 | 9.8 | CVE-2023-1394 MISC MISC MISC |
microsoft -- multiple_products | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 2023-03-14 | 9.8 | CVE-2023-21708 MISC |
microsoft -- multiple_products | HTTP Protocol Stack Remote Code Execution Vulnerability | 2023-03-14 | 9.8 | CVE-2023-23392 MISC |
microsoft -- multiple_products | Microsoft Outlook Elevation of Privilege Vulnerability | 2023-03-14 | 9.8 | CVE-2023-23397 MISC |
microsoft -- multiple_products | Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability | 2023-03-14 | 9.8 | CVE-2023-23415 MISC |
samsung -- exynos_modem_5300_firmware | The Samsung Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T512 baseband modem chipsets do not properly check format types specified by the Session Description Protocol (SDP) module, which can lead to a denial of service. | 2023-03-13 | 9.8 | CVE-2023-24033 MISC MISC |
netiq -- advanced_authentication | Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2 | 2023-03-15 | 9.8 | CVE-2023-24468 MISC MISC |
art_gallery_management_system_project -- art_gallery_management_system | Art Gallery Management System v1.0 was discovered to contain a SQL injection vulnerability via the viewid parameter on the enquiry page. | 2023-03-15 | 9.8 | CVE-2023-24726 MISC MISC MISC |
dlink -- dir-867_firmware | OS Command injection vulnerability in D-Link DIR-867 DIR_867_FW1.30B07 allows attackers to execute arbitrary commands via a crafted LocalIPAddress parameter for the SetVirtualServerSettings to HNAP1. | 2023-03-13 | 9.8 | CVE-2023-24762 MISC MISC |
funadmin -- funadmin | Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \controller\auth\Auth.php. | 2023-03-10 | 9.8 | CVE-2023-24774 MISC |
trendmicro -- apex_one | An uncontrolled search path element vulnerability in the Trend Micro Apex One Server installer could allow an attacker to achieve a remote code execution state on affected products. | 2023-03-10 | 9.8 | CVE-2023-25143 MISC |
prestashop -- dpd_france | PrestaShop dpdfrance <6.1.3 is vulnerable to SQL Injection via dpdfrance/ajax.php. | 2023-03-13 | 9.8 | CVE-2023-25207 MISC MISC |
dlink -- dir-820l_firmware | OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload. | 2023-03-13 | 9.8 | CVE-2023-25279 MISC MISC |
swig-templates_project -- swig-templates | An issue discovered in swig-templates through 2.0.4 and swig through 1.4.2 allows attackers to execute arbitrary code via a crafted Object.prototype anonymous function. | 2023-03-15 | 9.8 | CVE-2023-25344 MISC MISC |
samsung -- exynos_850_firmware | An issue was discovered in Samsung Mobile Chipset and Baseband Modem Chipset for Exynos 850, Exynos 980, Exynos 1080, Exynos 1280, Exynos 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123. A heap-based buffer overflow in the 5G MM message codec can occur due to insufficient parameter validation when decoding the Emergency number list. | 2023-03-13 | 9.8 | CVE-2023-26072 MISC MISC MISC MISC MISC MISC |
samsung -- exynos_850_firmware | An issue was discovered in Samsung Mobile Chipset and Baseband Modem Chipset for Exynos 850, Exynos 980, Exynos 1080, Exynos 1280, Exynos 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123. A heap-based buffer overflow in the 5G MM message codec can occur due to insufficient parameter validation when decoding the extended emergency number list. | 2023-03-13 | 9.8 | CVE-2023-26073 MISC MISC MISC MISC MISC MISC |
samsung -- exynos_850_firmware | An issue was discovered in Samsung Mobile Chipset and Baseband Modem Chipset for Exynos 850, Exynos 980, Exynos 1080, Exynos 1280, Exynos 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123. A heap-based buffer overflow in the 5G MM message codec can occur due to insufficient parameter validation when decoding operator-defined access category definitions. | 2023-03-13 | 9.8 | CVE-2023-26074 MISC MISC MISC MISC MISC MISC |
samsung -- exynos_850_firmware | An issue was discovered in Samsung Mobile Chipset and Baseband Modem Chipset for Exynos 850, Exynos 980, Exynos 1080, Exynos 1280, Exynos 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123. An intra-object overflow in the 5G MM message codec can occur due to insufficient parameter validation when decoding the Service Area List. | 2023-03-10 | 9.8 | CVE-2023-26075 MISC MISC MISC MISC MISC MISC |
samsung -- exynos_1280_firmware | An issue was discovered in Samsung Mobile Chipset and Baseband Modem Chipset for Exynos 1280, Exynos 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123. An intra-object overflow in the 5G SM message codec can occur due to insufficient parameter validation when decoding reserved options. | 2023-03-13 | 9.8 | CVE-2023-26076 MISC MISC MISC MISC |
moosikay_project -- moosikay | E-Commerce System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/delete_user.php. | 2023-03-13 | 9.8 | CVE-2023-27052 MISC |
tenda -- w15e_firmware | Tenda V15V1.0 V15.11.0.14(1521_3190_1058) was discovered to contain a buffer overflow vulnerability via the wifiFilterListRemark parameter in the modifyWifiFilterRules function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2023-03-13 | 9.8 | CVE-2023-27061 MISC |
tenda -- w15e_firmware | Tenda V15V1.0 V15.11.0.14(1521_3190_1058) was discovered to contain a buffer overflow vulnerability via the DNSDomainName parameter in the formModifyDnsForward function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2023-03-13 | 9.8 | CVE-2023-27063 MISC |
bp_monitoring_management_system_project -- bp_monitoring_management_system | BP Monitoring Management System v1.0 was discovered to contain a SQL injection vulnerability via the emailid parameter in the login page. | 2023-03-14 | 9.8 | CVE-2023-27074 MISC |
maddy_project -- maddy | maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds. | 2023-03-13 | 9.8 | CVE-2023-27582 MISC MISC MISC MISC |
panindex_project -- panindex | PanIndex is a network disk directory index. In PanIndex prior to version 3.1.3, a hard-coded JWT key PanIndex is used. An attacker can use the hard-coded JWT key to sign a JWT token and perform any actions as a user with admin privileges. Version 3.1.3 has a patch for the issue. As a workaround, one may change the JWT key in the source code before compiling the project. | 2023-03-13 | 9.8 | CVE-2023-27583 MISC MISC MISC |
perfree -- perfreeblog | An arbitrary file upload vulnerability in the /admin/user/uploadImg component of PerfreeBlog v3.1.1 allows attackers to execute arbitrary code via a crafted JPG file. | 2023-03-15 | 9.8 | CVE-2023-27757 MISC |
netgear -- rax30_firmware | NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 contains a buffer overflow vulnerability in various CGI mechanisms that could allow an attacker to execute arbitrary code on the device. | 2023-03-10 | 9.8 | CVE-2023-27852 MISC |
netgear -- rax30_firmware | NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 contains a format string vulnerability in a SOAP service that could allow an attacker to execute arbitrary code on the device. | 2023-03-10 | 9.8 | CVE-2023-27853 MISC |
webpack.js -- webpack | Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object. | 2023-03-13 | 9.8 | CVE-2023-28154 MISC MISC |
sap -- netweaver_application_server_abap | SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read but potentially critical OS files can be deleted, making the system unavailable and causing significant impact on both availability and integrity. | 2023-03-14 | 9.6 | CVE-2023-27501 MISC MISC |
akuvox -- e11_firmware | The Akuvox E11 libvoice library provides unauthenticated access to the camera capture for image and video. This could allow an attacker to view and record image and video from the camera. | 2023-03-13 | 9.1 | CVE-2023-0349 MISC |
akuvox -- e11_firmware | The Akuvox E11 password recovery webpage can be accessed without authentication, and an attacker could download the device key file. An attacker could then use this page to reset the password back to the default. | 2023-03-13 | 9.1 | CVE-2023-0352 MISC |
akuvox -- e11_firmware | The Akuvox E11 web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs. | 2023-03-13 | 9.1 | CVE-2023-0354 MISC |
siemens -- mendix_saml | A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All Versions >= 1.16.4 < 1.17.2), Mendix SAML (Mendix 8 compatible) (All versions >= 2.2.0 < 2.2.3), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= 3.1.9 < 3.2.5), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= 3.1.9 < 3.2.5). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application. | 2023-03-14 | 9.1 | CVE-2023-25957 MISC |
ibm -- financial_transaction_manager | IBM Financial Transaction Manager 3.2.0 through 3.2.10 could allow an authenticated user to perform unauthorized actions due to improper validation. IBM X-Force ID: 192954. | 2023-03-10 | 8.8 | CVE-2020-5002 MISC MISC |
qualcomm -- apq8009_firmware | Memory corruption in modem due to buffer overflow while processing a PPP packet | 2023-03-10 | 8.8 | CVE-2022-33213 MISC |
veronalabs -- wp_statistics | SQL Injection vulnerability in VeronaLabs WP Statistics plugin <= 13.2.10 versions. | 2023-03-13 | 8.8 | CVE-2022-38074 MISC |
richplugins -- plugin_for_google_reviews | SQL Injection (SQLi) vulnerability in RichPlugins Plugin for Google Reviews plugin <= 2.2.3 versions. | 2023-03-15 | 8.8 | CVE-2022-44580 MISC |
seerox -- wp_dynamic_keywords_injector | Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Dynamic Keywords Injector plugin <= 2.3.15 versions. | 2023-03-14 | 8.8 | CVE-2022-47141 MISC |
themeisle -- multiple_page_generator | Cross-Site Request Forgery (CSRF) vulnerability in Themeisle Multiple Page Generator Plugin – MPG plugin <= 3.3.9 versions. | 2023-03-14 | 8.8 | CVE-2022-47143 MISC |
kesz1 -- ipblocklist | Cross-Site Request Forgery (CSRF) vulnerability in Kesz1 Technologies ipBlockList plugin <= 1.0 versions. | 2023-03-14 | 8.8 | CVE-2022-47147 MISC |
piwebsolution -- css_js_manager\,_async_javascript\,_defer_render_blocking_css_supports_woocommerce | Cross-Site Request Forgery (CSRF) vulnerability in Pi Websolution CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce plugin <= 2.4.49 versions. | 2023-03-14 | 8.8 | CVE-2022-47154 MISC |
supsystic -- slider | Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Slider by Supsystic plugin <= 1.8.5 versions. | 2023-03-14 | 8.8 | CVE-2022-47155 MISC |
dh_-anti_adblocker_project -- dh-_anti_adblocker | Cross-Site Request Forgery (CSRF) vulnerability in Dannie Herdyawan DH – Anti AdBlocker plugin <= 36 versions. | 2023-03-14 | 8.8 | CVE-2022-47162 MISC |
voidcoders -- void_contact_form_7_widget_for_elementor_page_builder | Cross-Site Request Forgery (CSRF) vulnerability in voidCoders Void Contact Form 7 Widget For Elementor Page Builder plugin <= 2.1.1 versions. | 2023-03-13 | 8.8 | CVE-2022-47166 MISC |
hmplugin -- accept_stripe_donation_-_aidwp | Cross-Site Request Forgery (CSRF) vulnerability in HM Plugin Accept Stripe Donation – AidWP plugin <= 3.1.5 versions. | 2023-03-14 | 8.8 | CVE-2022-47422 MISC |
my_calendar_project -- my_calendar | Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My Calendar plugin <= 3.3.24.1 versions. | 2023-03-15 | 8.8 | CVE-2022-47427 MISC |
my_tickets_project -- my_tickets | Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My Tickets plugin <= 1.9.10 versions. | 2023-03-13 | 8.8 | CVE-2022-47440 MISC |
multi_rating_project -- multi_rating | Cross-Site Request Forgery (CSRF) vulnerability in Daniel Powney Multi Rating plugin <= 5.0.5 versions. | 2023-03-14 | 8.8 | CVE-2022-47443 MISC |
akuvox -- e11_firmware | The Akuvox E11 web server backend library allows command injection in the device phone-book contacts functionality. This could allow an attacker to upload files with executable command instructions. | 2023-03-13 | 8.8 | CVE-2023-0351 MISC |
cm-wp -- auto_featured_image | The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.16 includes an AJAX endpoint that allows any user with at least Author privileges to upload arbitrary files, such as PHP files. This is caused by incorrect file extension validation. | 2023-03-13 | 8.8 | CVE-2023-0477 MISC |
netgear -- rax30_firmware | NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 is vulnerable to cross-site request forgery attacks on all endpoints due to improperly implemented CSRF protections. | 2023-03-10 | 8.8 | CVE-2023-1205 MISC |
hashicorp -- nomad | HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1. | 2023-03-14 | 8.8 | CVE-2023-1299 MISC |
agentejo -- cockpit | Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4.1. | 2023-03-10 | 8.8 | CVE-2023-1313 CONFIRM MISC |
teacms_project -- teacms | A vulnerability classified as critical was found in XiaoBingBy TeaCMS 2.0. Affected by this vulnerability is an unknown functionality of the file /admin/upload. The manipulation leads to path traversal: '../filedir'. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222985 was assigned to this vulnerability. | 2023-03-14 | 8.8 | CVE-2023-1398 MISC MISC MISC |
simple_art_gallery_project -- simple_art_gallery | A vulnerability was found in Simple Art Gallery 1.0. It has been declared as critical. This vulnerability affects the function sliderPicSubmit of the file adminHome.php. The manipulation leads to unrestricted upload. The attack can be initiated remotely. VDB-223126 is the identifier assigned to this vulnerability. | 2023-03-15 | 8.8 | CVE-2023-1415 MISC MISC MISC |
avantfax -- avantfax | A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file. | 2023-03-10 | 8.8 | CVE-2023-23328 MISC MISC |
microsoft -- multiple_products | Windows Bluetooth Driver Elevation of Privilege Vulnerability | 2023-03-14 | 8.8 | CVE-2023-23388 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | 2023-03-14 | 8.8 | CVE-2023-23403 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | 2023-03-14 | 8.8 | CVE-2023-23406 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | 2023-03-14 | 8.8 | CVE-2023-23413 MISC |
simple_customer_relationship_management_system_project -- simple_customer_relationship_management_system | Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the contact parameter in the user profile update function. | 2023-03-15 | 8.8 | CVE-2023-24728 MISC MISC MISC |
simple_customer_relationship_management_system_project -- simple_customer_relationship_management_system | Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the address parameter in the user profile update function. | 2023-03-15 | 8.8 | CVE-2023-24729 MISC MISC MISC |
simple_customer_relationship_management_system_project -- simple_customer_relationship_management_system | Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the company parameter in the user profile update function. | 2023-03-15 | 8.8 | CVE-2023-24730 MISC MISC MISC |
simple_customer_relationship_management_system_project -- simple_customer_relationship_management_system | Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the query parameter in the user profile update function. | 2023-03-15 | 8.8 | CVE-2023-24731 MISC MISC MISC |
simple_customer_relationship_management_system_project -- simple_customer_relationship_management_system | Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the gender parameter in the user profile update function. | 2023-03-15 | 8.8 | CVE-2023-24732 MISC MISC MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Elevation of Privilege Vulnerability | 2023-03-14 | 8.8 | CVE-2023-24864 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | 2023-03-14 | 8.8 | CVE-2023-24867 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | 2023-03-14 | 8.8 | CVE-2023-24868 MISC |
microsoft -- multiple_products | Windows Bluetooth Service Remote Code Execution Vulnerability | 2023-03-14 | 8.8 | CVE-2023-24871 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | 2023-03-14 | 8.8 | CVE-2023-24872 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | 2023-03-14 | 8.8 | CVE-2023-24876 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | 2023-03-14 | 8.8 | CVE-2023-24907 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | 2023-03-14 | 8.8 | CVE-2023-24909 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | 2023-03-14 | 8.8 | CVE-2023-24913 MISC |
prestashop -- advanced_reviews | PrestaShop ws_productreviews < 3.6.2 is vulnerable to SQL Injection. | 2023-03-14 | 8.8 | CVE-2023-25206 MISC MISC |
sap -- business_objects_business_intelligence_platform | In some scenarios, in SAP Business Objects Business Intelligence Platform (CMC) - versions 420, 430, Program Object execution can lead to a code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges. A successful attack could highly impact the confidentiality, integrity, and availability of the system. | 2023-03-14 | 8.8 | CVE-2023-25616 MISC MISC |
sap -- business_objects_business_intelligence_platform | SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom application based on the public java SDK. Programs could impact the confidentiality, integrity and availability of the system. | 2023-03-14 | 8.8 | CVE-2023-25617 MISC MISC |
coderex -- wp_vr | Cross-Site Request Forgery (CSRF) vulnerability in Rextheme WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin <= 8.2.7 versions. | 2023-03-15 | 8.8 | CVE-2023-25708 MISC |
plainware -- locatoraid | Cross-Site Request Forgery (CSRF) vulnerability in Plainware Locatoraid Store Locator plugin <= 3.9.11 versions. | 2023-03-15 | 8.8 | CVE-2023-25709 MISC |
cozmoslabs -- client_portal | Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs, Madalin Ungureanu, Antohe Cristian Client Portal – Private user pages and login plugin <= 1.1.8 versions. | 2023-03-15 | 8.8 | CVE-2023-25968 MISC |
autoaffiliatelinks -- auto_affiliate_links | Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links plugin <= 6.3.0.2 versions. | 2023-03-13 | 8.8 | CVE-2023-25973 MISC |
metagauss -- registrationmagic | Cross-Site Request Forgery (CSRF) vulnerability in RegistrationMagic plugin <= 5.1.9.2 versions. | 2023-03-13 | 8.8 | CVE-2023-25991 MISC |
ibm -- mq_certified_container | IBM MQ Certified Container 9.3.0.1 through 9.3.0.3 and 9.3.1.0 through 9.3.1.1 could allow authenticated users with the cluster to be granted administration access to the MQ console due to improper access controls. IBM X-Force ID: 248417. | 2023-03-15 | 8.8 | CVE-2023-26284 MISC MISC |
struktur -- libde265 | Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc. | 2023-03-15 | 8.8 | CVE-2023-27103 MISC |
siemens -- ruggedcom_crossbow | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.2). The client query handler of the affected application fails to check for proper permissions for specific write queries. This could allow an authenticated remote attacker to perform unauthorized actions. | 2023-03-14 | 8.8 | CVE-2023-27309 MISC |
siemens -- ruggedcom_crossbow | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.2). The client query handler of the affected application fails to check for proper permissions when assigning groups to user accounts. This could allow an authenticated remote attacker to assign administrative groups to otherwise non-privileged user accounts. | 2023-03-14 | 8.8 | CVE-2023-27310 MISC |
siemens -- ruggedcom_crossbow | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.3). The audit log form of affected applications is vulnerable to SQL injection. This could allow authenticated remote attackers to execute arbitrary SQL queries on the server database. | 2023-03-14 | 8.8 | CVE-2023-27463 MISC |
github-slug-action_project -- github-slug-action | github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0 and prior to version 4.4.1, this action uses the github.head_ref parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. This can be used to execute code on the GitHub runners and to exfiltrate any secrets one uses in the CI pipeline. A patched action is available in version 4.4.1. No workaround is available. | 2023-03-13 | 8.8 | CVE-2023-27581 MISC MISC MISC MISC |
netgear -- rax30_firmware | NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 contains a file sharing mechanism that unintentionally allows users with upload permissions to execute arbitrary code on the device. | 2023-03-10 | 8.8 | CVE-2023-27851 MISC |
sap -- netweaver_application_server_for_java | Due to a missing authentication check, SAP NetWeaver AS for Java - version 7.50 allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. On successful exploitation, the attacker can read and modify some sensitive information, and the access can also be used to lock up any element or operation of the system, making it unresponsive or unavailable. | 2023-03-14 | 8.6 | CVE-2023-23857 MISC MISC |
microsoft -- multiple_products | Windows Cryptographic Services Remote Code Execution Vulnerability | 2023-03-14 | 8.4 | CVE-2023-23416 MISC |
ibm -- spectrum_scale | A vulnerability in the Spectrum Scale 5.0.5.0 through 5.1.6.1 core component could allow unauthorized access to user data or injection of arbitrary data in the communication protocol. IBM X-Force ID: 191695. | 2023-03-15 | 8.2 | CVE-2020-4927 MISC MISC |
microsoft -- azure_service_fabric | Service Fabric Explorer Spoofing Vulnerability | 2023-03-14 | 8.2 | CVE-2023-23383 MISC |
microsoft -- multiple_products | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | 2023-03-14 | 8.1 | CVE-2023-23404 MISC |
microsoft -- multiple_products | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 2023-03-14 | 8.1 | CVE-2023-23405 MISC |
microsoft -- multiple_products | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 2023-03-14 | 8.1 | CVE-2023-24869 MISC |
microsoft -- multiple_products | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 2023-03-14 | 8.1 | CVE-2023-24908 MISC |
hashicorp -- vault | HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. | 2023-03-11 | 8.1 | CVE-2023-24999 MISC |
cisco -- enterprise_nfv_infrastructure_software | A vulnerability in the upgrade signature verification of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, local attacker to provide an unauthentic upgrade file for upload. This vulnerability is due to insufficient cryptographic signature verification of upgrade files. An attacker could exploit this vulnerability by providing an administrator with an unauthentic upgrade file. A successful exploit could allow the attacker to fully compromise the Cisco NFVIS system. | 2023-03-10 | 7.8 | CVE-2022-20929 MISC |
qualcomm -- apq8009_firmware | Memory corruption in WLAN HAL while arbitrary value is passed in WMI UTF command payload. | 2023-03-10 | 7.8 | CVE-2022-25655 MISC |
qualcomm -- apq8009w_firmware | Memory corruption in Modem due to usage of Out-of-range pointer offset in UIM | 2023-03-10 | 7.8 | CVE-2022-25694 MISC |
qualcomm -- apq8009_firmware | Memory corruption in modem due to integer overflow to buffer overflow while handling APDU response | 2023-03-10 | 7.8 | CVE-2022-25705 MISC |
qualcomm -- ar8035_firmware | Memory corruption in modem due to use of out of range pointer offset while processing qmi msg | 2023-03-10 | 7.8 | CVE-2022-25709 MISC |
qualcomm -- aqt1000_firmware | Memory corruption due to improper authentication in Qualcomm IPC while loading unsigned lib in audio PD. | 2023-03-10 | 7.8 | CVE-2022-33242 MISC |
qualcomm -- apq8064au_firmware | Memory corruption in WLAN due to use after free | 2023-03-10 | 7.8 | CVE-2022-33245 MISC |
qualcomm -- aqt1000_firmware | Memory corruption due to stack based buffer overflow in core while sending command from USB of large size. | 2023-03-10 | 7.8 | CVE-2022-33260 MISC |
qualcomm -- aqt1000_firmware | Memory corruption due to buffer copy without checking the size of input in HLOS when input message size is larger than the buffer capacity. | 2023-03-10 | 7.8 | CVE-2022-33278 MISC |
qualcomm -- aqt1000_firmware | Memory corruption in WLAN due to integer overflow to buffer overflow in WLAN during initialization phase. | 2023-03-10 | 7.8 | CVE-2022-40530 MISC |
qualcomm -- apq8009_firmware | Memory corruption in WLAN due to incorrect type cast while sending WMI_SCAN_SCH_PRIO_TBL_CMDID message. | 2023-03-10 | 7.8 | CVE-2022-40531 MISC |
qualcomm -- qam8295p_firmware | Memory corruption in Automotive Android OS due to improper validation of array index. | 2023-03-10 | 7.8 | CVE-2022-40539 MISC |
qualcomm -- sd_8_gen1_5g_firmware | Memory corruption due to buffer copy without checking the size of input while loading firmware in Linux Kernel. | 2023-03-10 | 7.8 | CVE-2022-40540 MISC |
docker -- docker_desktop | Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking a user to open a crafted malicious docker-desktop:// URL. | 2023-03-13 | 7.8 | CVE-2023-0628 MISC |
openharmony -- openharmony | The kernel subsystem function check_permission_for_set_tokenid within OpenHarmony-v3.1.5 and prior versions has a UAF vulnerability which local attackers can exploit to escalate privileges to root. | 2023-03-10 | 7.8 | CVE-2023-22436 MISC |
microsoft -- multiple_products | Microsoft Excel Remote Code Execution Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23399 MISC |
microsoft -- multiple_products | Windows Media Remote Code Execution Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23401 MISC |
microsoft -- multiple_products | Windows Media Remote Code Execution Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23402 MISC |
microsoft -- multiple_products | Windows HTTP.sys Elevation of Privilege Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23410 MISC |
microsoft -- multiple_products | Windows Accounts Picture Elevation of Privilege Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23412 MISC |
microsoft -- multiple_products | Windows Partition Management Driver Elevation of Privilege Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23417 MISC |
microsoft -- windows_11 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23418 MISC |
microsoft -- windows_11 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23419 MISC |
microsoft -- windows_server_2012 | Windows Kernel Elevation of Privilege Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23420 MISC |
microsoft -- windows_server_2012 | Windows Kernel Elevation of Privilege Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23421 MISC |
microsoft -- windows_server_2012 | Windows Kernel Elevation of Privilege Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23422 MISC |
microsoft -- windows_server_2012 | Windows Kernel Elevation of Privilege Vulnerability | 2023-03-14 | 7.8 | CVE-2023-23423 MISC |
draytek -- vigor2960_firmware | DrayTek Vigor2960 v1.5.1.4 was discovered to contain a command injection vulnerability via the mainfunction.cgi component. | 2023-03-15 | 7.8 | CVE-2023-24229 MISC MISC |
microsoft -- multiple_products | Windows Graphics Component Elevation of Privilege Vulnerability | 2023-03-14 | 7.8 | CVE-2023-24910 MISC |
microsoft -- onedrive_for_macos | Microsoft OneDrive for MacOS Elevation of Privilege Vulnerability | 2023-03-14 | 7.8 | CVE-2023-24930 MISC |
trendmicro -- apex_one | An improper access control vulnerability in the Trend Micro Apex One agent could allow a local attacker to gain elevated privileges and create arbitrary directories with arbitrary ownership. | 2023-03-10 | 7.8 | CVE-2023-25144 MISC MISC |
trendmicro -- apex_one | A link following vulnerability in the scanning function of Trend Micro Apex One agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2023-03-10 | 7.8 | CVE-2023-25145 MISC MISC |
trendmicro -- apex_one | A security agent link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to quarantine a file, delete the original folder and replace with a junction to an arbitrary location, ultimately leading to an arbitrary file dropped to an arbitrary location. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2023-03-10 | 7.8 | CVE-2023-25146 MISC MISC |
trendmicro -- apex_one | A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to exploit the vulnerability by changing a specific file into a pseudo-symlink, allowing privilege escalation on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2023-03-10 | 7.8 | CVE-2023-25148 MISC MISC |
webassembly -- webassembly | WebAssembly v1.0.29 was discovered to contain a heap overflow via the component wabt::Node: | 2023-03-10 | 7.8 | CVE-2023-27117 MISC |
siemens -- tecnomatix_plant_simulation | A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted SPP file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-20304) | 2023-03-14 | 7.8 | CVE-2023-27398 MISC |
siemens -- tecnomatix_plant_simulation | A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted SPP file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-20299, ZDI-CAN-20346) | 2023-03-14 | 7.8 | CVE-2023-27399 MISC |
siemens -- tecnomatix_plant_simulation | A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted SPP file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-20300) | 2023-03-14 | 7.8 | CVE-2023-27400 MISC |
siemens -- tecnomatix_plant_simulation | A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted SPP files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-20308, ZDI-CAN-20345) | 2023-03-14 | 7.8 | CVE-2023-27401 MISC |
siemens -- tecnomatix_plant_simulation | A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted SPP files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-20334) | 2023-03-14 | 7.8 | CVE-2023-27402 MISC |
siemens -- tecnomatix_plant_simulation | A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected application contains a memory corruption vulnerability while parsing specially crafted SPP files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-20303, ZDI-CAN-20348) | 2023-03-14 | 7.8 | CVE-2023-27403 MISC |
siemens -- tecnomatix_plant_simulation | A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected application is vulnerable to a stack-based buffer overflow while parsing specially crafted SPP files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-20433) | 2023-03-14 | 7.8 | CVE-2023-27404 MISC |
siemens -- tecnomatix_plant_simulation | A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted SPP files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-20432) | 2023-03-14 | 7.8 | CVE-2023-27405 MISC |
siemens -- tecnomatix_plant_simulation | A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected application is vulnerable to a stack-based buffer overflow while parsing specially crafted SPP files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-20449) | 2023-03-14 | 7.8 | CVE-2023-27406 MISC |
jpegoptim_project -- jpegoptim | jpegoptim v1.5.2 was discovered to contain a heap overflow in the optimize function at jpegoptim.c. | 2023-03-15 | 7.8 | CVE-2023-27781 MISC |
getadmiral -- ad_blocking_detector | A vulnerability has been found in Ad Blocking Detector Plugin up to 1.2.1 and classified as problematic. This vulnerability affects unknown code of the file ad-blocking-detector.php. The manipulation leads to information disclosure. The attack can be initiated remotely. Upgrading to version 1.2.2 is able to address this issue. The name of the patch is 3312b9cd79e5710d1e282fc9216a4e5ab31b3d94. It is recommended to upgrade the affected component. VDB-222610 is the identifier assigned to this vulnerability. | 2023-03-10 | 7.5 | CVE-2014-125093 MISC MISC MISC MISC |
ithemes -- backupbuddy | Directory Traversal vulnerability in iThemes BackupBuddy plugin 8.5.8.0 - 8.7.4.1 versions. | 2023-03-13 | 7.5 | CVE-2022-31474 MISC MISC |
qualcomm -- ar8035_firmware | Transient DOS due to reachable assertion in modem during MIB reception and SIB timeout | 2023-03-10 | 7.5 | CVE-2022-33244 MISC |
qualcomm -- ar8035_firmware | Transient DOS due to reachable assertion in modem when network repeatedly sent invalid message container for NR to LTE handover. | 2023-03-10 | 7.5 | CVE-2022-33250 MISC |
qualcomm -- aqt1000_firmware | Transient DOS due to reachable assertion in Modem while processing SIB1 Message. | 2023-03-10 | 7.5 | CVE-2022-33254 MISC |
qualcomm -- ar8035_firmware | Transient DOS in modem due to reachable assertion. | 2023-03-10 | 7.5 | CVE-2022-33272 MISC |
qualcomm -- csr8811_firmware | Transient DOS due to buffer over-read in WLAN Firmware while parsing secure FTMR frame with size lesser than 39 Bytes. | 2023-03-10 | 7.5 | CVE-2022-33309 MISC |
ajax_search_project -- ajax_search | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Ernest Marcinko Ajax Search Lite plugin <= 4.10.3 versions. | 2023-03-15 | 7.5 | CVE-2022-38456 MISC |
combodo -- itop | Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1. | 2023-03-14 | 7.5 | CVE-2022-39214 MISC MISC MISC |
qualcomm -- ar8035_firmware | Transient DOS due to reachable assertion in WLAN while processing PEER ID populated by TQM. | 2023-03-10 | 7.5 | CVE-2022-40527 MISC |
qualcomm -- csr8811_firmware | Transient DOS due to buffer over-read in WLAN while sending a packet to device. | 2023-03-10 | 7.5 | CVE-2022-40535 MISC |
ibm -- mq_appliance | IBM MQ 9.2 CD, 9.2 LTS, 9.3 CD, and 9.3 LTS is vulnerable to a denial of service attack caused by specially crafted PCF or MQSC messages. IBM X-Force ID: 240832. | 2023-03-10 | 7.5 | CVE-2022-43902 MISC MISC |
ivanti -- avalanche | An improper authentication vulnerability exists in Avalanche version 6.3.x and below that allows an unauthenticated attacker to modify properties on a specific port. | 2023-03-10 | 7.5 | CVE-2022-44574 MISC |
wp_csv_to_database_project -- wp_csv_to_database | Cross-Site Request Forgery (CSRF) vulnerability in Tips and Tricks HQ, josh401 WP CSV to Database – Insert CSV file content into WordPress plugin <= 2.6 versions. | 2023-03-14 | 7.5 | CVE-2022-47163 MISC |
akuvox -- e11_firmware | Akuvox E11 cloud login is performed through an unencrypted HTTP connection. An attacker could gain access to the Akuvox cloud and device if the MAC address of a device is known. | 2023-03-13 | 7.5 | CVE-2023-0346 MISC |
akuvox -- e11_firmware | Akuvox E11 allows direct SIP calls. No access control is enforced by the SIP servers, which could allow an attacker to contact any device within Akuvox to call any other device. | 2023-03-13 | 7.5 | CVE-2023-0348 MISC |
akuvox -- e11_firmware | Akuvox E11 uses a hard-coded cryptographic key, which could allow an attacker to decrypt sensitive information. | 2023-03-13 | 7.5 | CVE-2023-0355 MISC |
saysis -- starcities | Files or Directories Accessible to External Parties vulnerability in Saysis Starcities allows Collect Data from Common Resource Locations. This issue affects Starcities: through 1.3. | 2023-03-10 | 7.5 | CVE-2023-1246 MISC |
vim -- vim | NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1402. | 2023-03-11 | 7.5 | CVE-2023-1355 MISC CONFIRM |
online_pizza_ordering_system_project -- online_pizza_ordering_system | A vulnerability has been found in SourceCodester Online Pizza Ordering System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file category.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222871. | 2023-03-13 | 7.5 | CVE-2023-1364 MISC MISC MISC |
online_pizza_ordering_system_project -- online_pizza_ordering_system | A vulnerability was found in SourceCodester Online Pizza Ordering System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/ajax.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222872. | 2023-03-13 | 7.5 | CVE-2023-1365 MISC MISC MISC |
openharmony -- openharmony | The kernel subsystem hmdfs within OpenHarmony-v3.1.5 and prior versions has an arbitrary memory access vulnerability which network attackers can exploit remotely to obtain kernel memory data of the target system. | 2023-03-10 | 7.5 | CVE-2023-22301 MISC |
rocket.chat -- rocket.chat | An improper access control vulnerability exists prior to v6 that could allow an attacker to break the E2E encryption of a chat room by a user changing the group key of a chat room. | 2023-03-10 | 7.5 | CVE-2023-23911 MISC |
microsoft -- windows_server_2012 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | 2023-03-14 | 7.5 | CVE-2023-24856 MISC |
microsoft -- windows_server_2012 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | 2023-03-14 | 7.5 | CVE-2023-24857 MISC |
microsoft -- windows_server_2012 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | 2023-03-14 | 7.5 | CVE-2023-24858 MISC |
microsoft -- windows_server_2012 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | 2023-03-14 | 7.5 | CVE-2023-24859 MISC |
dlink -- dir-820l_firmware | A stack overflow vulnerability in D-Link DIR820LA1_FW106B02 allows attackers to cause a denial of service via the reserveDHCP_HostName_1.1.1.0 parameter to lan.asp. | 2023-03-13 | 7.5 | CVE-2023-25283 MISC MISC |
swig-templates_project -- swig-templates | Directory traversal vulnerability in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to read arbitrary files via the include or extends tags. | 2023-03-15 | 7.5 | CVE-2023-25345 MISC |
apache -- log4j | ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | 2023-03-10 | 7.5 | CVE-2023-26464 MISC |
tenda -- w15e_firmware | Tenda V15V1.0 was discovered to contain a buffer overflow vulnerability via the gotoUrl parameter in the formPortalAuth function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2023-03-13 | 7.5 | CVE-2023-27062 MISC |
tenda -- w15e_firmware | Tenda V15V1.0 V15.11.0.14(1521_3190_1058) was discovered to contain a buffer overflow vulnerability via the index parameter in the formDelDnsForward function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2023-03-13 | 7.5 | CVE-2023-27064 MISC |
tenda -- w15e_firmware | Tenda V15V1.0 V15.11.0.14(1521_3190_1058) was discovered to contain a buffer overflow vulnerability via the picName parameter in the formDelWewifiPi function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2023-03-13 | 7.5 | CVE-2023-27065 MISC |
jellyfin -- jellyfin | Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request. | 2023-03-10 | 7.5 | CVE-2023-27161 MISC MISC MISC |
rack_project -- rack | A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within the Multipart MIME parsing code which could allow an attacker to craft requests that can be abused to cause multipart parsing to take longer than expected. | 2023-03-10 | 7.5 | CVE-2023-27530 MISC |
veeam -- backup_\&_replication | Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts. | 2023-03-10 | 7.5 | CVE-2023-27532 MISC |
jenkins -- jenkins | Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service. | 2023-03-10 | 7.5 | CVE-2023-27900 MISC |
jenkins -- jenkins | Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service. | 2023-03-10 | 7.5 | CVE-2023-27901 MISC |
ibexa -- digital_experience_platform | An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges. | 2023-03-12 | 7.2 | CVE-2022-48365 MISC MISC MISC MISC |
bbraun -- battery-pack_sp_with_wifi_firmware | An improper neutralization of directives in dynamically evaluated code vulnerability in the WiFi Battery embedded web server in versions L90/U70 and L92/U92 can be used to gain administrative access to the WiFi communication module. An authenticated user, having access to both the medical device WiFi network (such as a biomedical engineering staff member) and the specific B.Braun Battery Pack SP with WiFi web server credentials, could get administrative (root) access on the infusion pump communication module. This could be used as a vector to start further attacks. | 2023-03-13 | 7.2 | CVE-2023-0888 MISC MISC |
115cms -- 115cms | A vulnerability was found in Guizhou 115cms 4.2. It has been classified as problematic. Affected is an unknown function of the file /admin/content/index. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-222738 is the identifier assigned to this vulnerability. | 2023-03-10 | 7.2 | CVE-2023-1328 MISC MISC MISC |
yoga_class_registration_system_project -- yoga_class_registration_system | A vulnerability was found in SourceCodester Yoga Class Registration System 1.0. It has been classified as critical. This affects the function query of the file admin/categories/manage_category.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222873 was assigned to this vulnerability. | 2023-03-13 | 7.2 | CVE-2023-1366 MISC MISC MISC |
student_study_center_desk_management_system_project -- student_study_center_desk_management_system | A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/user/manage_user.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223111. | 2023-03-15 | 7.2 | CVE-2023-1407 MISC MISC MISC |
microsoft -- windows_server | Windows DNS Server Remote Code Execution Vulnerability | 2023-03-14 | 7.2 | CVE-2023-23400 MISC |
jizhicms -- jizhicms | An arbitrary file upload vulnerability in the \admin\c\CommonController.php component of Jizhicms v2.4.5 allows attackers to execute arbitrary code via a crafted phtml file. | 2023-03-15 | 7.2 | CVE-2023-27235 MISC |
docker -- docker_desktop | Docker Desktop before 4.17.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions by setting the Docker host to docker.raw.sock, or npipe:////.pipe/docker_engine_linux on Windows, via the -H (--host) CLI flag or the DOCKER_HOST environment variable and launch containers without the additional hardening features provided by ECI. This would not affect already running containers, nor containers launched through the usual approach (without Docker's raw socket). The affected functionality is available for Docker Business customers only and assumes an environment where users are not granted local root or Administrator privileges. This issue has been fixed in Docker Desktop 4.17.0. Affected Docker Desktop versions: from 4.13.0 before 4.17.0. | 2023-03-13 | 7.1 | CVE-2023-0629 MISC |
microsoft -- multiple_products | Microsoft Excel Spoofing Vulnerability | 2023-03-14 | 7.1 | CVE-2023-23398 MISC |
microsoft -- multiple_products | Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability | 2023-03-14 | 7.1 | CVE-2023-23407 MISC |
microsoft -- multiple_products | Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability | 2023-03-14 | 7.1 | CVE-2023-23414 MISC |
microsoft -- edge | Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability | 2023-03-14 | 7.1 | CVE-2023-24892 MISC |
qualcomm -- aqt1000_firmware | Memory corruption in Core due to time-of-check time-of-use race condition during dump collection in trust zone. | 2023-03-10 | 7 | CVE-2022-33257 MISC |
microsoft -- multiple_products | Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability | 2023-03-14 | 7 | CVE-2023-23385 MISC |
microsoft -- multiple_products | Windows BrokerInfrastructure Service Elevation of Privilege Vulnerability | 2023-03-14 | 7 | CVE-2023-23393 MISC |
microsoft -- multiple_products | Windows Graphics Component Elevation of Privilege Vulnerability | 2023-03-14 | 7 | CVE-2023-24861 MISC |
jenkins -- jenkins | Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution. | 2023-03-10 | 7 | CVE-2023-27899 MISC |
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
netgear -- rax30_firmware | NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 contains a file sharing mechanism that allows users with access to this feature to access arbitrary files on the device. | 2023-03-10 | 6.8 | CVE-2023-27850 MISC |
google -- android | In telephone service, there is a missing permission check. This could lead to local escalation of privilege with system execution privileges needed. | 2023-03-10 | 6.7 | CVE-2022-47461 MISC |
google -- android | In telephone service, there is a missing permission check. This could lead to local escalation of privilege with system execution privileges needed. | 2023-03-10 | 6.7 | CVE-2022-47462 MISC |
mcafee -- advanced_threat_defense | A command injection vulnerability in Trellix Intelligent Sandbox CLI for version 5.2 and earlier, allows a local user to inject and execute arbitrary operating system commands using specially crafted strings. This vulnerability is due to insufficient validation of arguments that are passed to specific CLI command. The vulnerability allows the attack | 2023-03-13 | 6.7 | CVE-2023-0978 MISC |
trendmicro -- apex_one | An issue in the Trend Micro Apex One agent could allow an attacker who has previously acquired administrative rights via other means to bypass the protection by using a specifically crafted DLL during a specific update process. Please note: an attacker must first obtain administrative access on the target system via another method in order to exploit this. | 2023-03-10 | 6.7 | CVE-2023-25147 MISC |
ibm -- robotic_process_automation_as_a_service | IBM Robotic Process Automation 21.0.0 - 21.0.7 and 23.0.0 is vulnerable to client-side validation bypass for credential pools. Invalid credential pools may be created as a result. IBM X-Force ID: 242951. | 2023-03-15 | 6.5 | CVE-2022-46773 MISC MISC |
ibm -- manage_application | IBM Manage Application 8.8.0 and 8.9.0 in the IBM Maximo Application Suite is vulnerable to incorrect default permissions which could give access to a user to actions that they should not have access to. IBM X-Force ID: 242953. | 2023-03-15 | 6.5 | CVE-2022-46774 MISC MISC |
wpgmaps -- wp_go_maps | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Go Maps (formerly WP Google Maps) plugin <= 9.0.15 versions. | 2023-03-14 | 6.5 | CVE-2022-47595 MISC |
akuvox -- e11_firmware | Akuvox E11 does not ensure that a file extension is associated with the file provided. This could allow an attacker to upload a file to the device by changing the extension of a malicious file to an accepted file type. | 2023-03-13 | 6.5 | CVE-2023-0350 MISC |
oceanwp -- ocean_extra | The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, such as draft, private or even password protected ones. | 2023-03-13 | 6.5 | CVE-2023-0749 MISC |
optinmonster -- optinmonster | The Popup Builder by OptinMonster WordPress plugin before 2.12.2 does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, like draft, private or even password protected ones. | 2023-03-13 | 6.5 | CVE-2023-0772 MISC |
devolutions -- devolutions_server | Improper access control in the secure messages feature in Devolutions Server 2022.3.12 and below allows an authenticated attacker that possesses the message UUID to access the data it contains. | 2023-03-10 | 6.5 | CVE-2023-1201 MISC |
devolutions -- remote_desktop_manager | Improper removal of sensitive data in the entry edit feature of Hub Business submodule in Devolutions Remote Desktop Manager PowerShell Module 2022.3.1.5 and earlier allows an authenticated user to access sensitive data on entries that were edited using the affected submodule. | 2023-03-10 | 6.5 | CVE-2023-1203 MISC |
bumsys_project -- bumsys | SQL Injection in GitHub repository unilogies/bumsys prior to v2.0.2. | 2023-03-13 | 6.5 | CVE-2023-1361 CONFIRM MISC |
ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.7 and 6.1.0.0 through 6.1.2.1 could allow a privileged user to obtain sensitive information that could aid in further attacks against the system. IBM X-Force ID: 244364. | 2023-03-15 | 6.5 | CVE-2023-22876 MISC MISC |
microsoft -- multiple_products | Microsoft Excel Denial of Service Vulnerability | 2023-03-14 | 6.5 | CVE-2023-23396 MISC |
microsoft -- multiple_products | Windows Hyper-V Denial of Service Vulnerability | 2023-03-14 | 6.5 | CVE-2023-23411 MISC |
libelfin_project -- libelfin | Libelfin v0.3 was discovered to contain an integer overflow in the load function at elf/mmap_loader.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted elf file. | 2023-03-14 | 6.5 | CVE-2023-24180 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | 2023-03-14 | 6.5 | CVE-2023-24863 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | 2023-03-14 | 6.5 | CVE-2023-24865 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | 2023-03-14 | 6.5 | CVE-2023-24866 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | 2023-03-14 | 6.5 | CVE-2023-24870 MISC |
microsoft -- onedrive_for_ios | Microsoft OneDrive for iOS Security Feature Bypass Vulnerability | 2023-03-14 | 6.5 | CVE-2023-24890 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | 2023-03-14 | 6.5 | CVE-2023-24906 MISC |
microsoft -- multiple_products | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | 2023-03-14 | 6.5 | CVE-2023-24911 MISC |
microsoft -- dynamics_365 | Microsoft Dynamics 365 Information Disclosure Vulnerability | 2023-03-14 | 6.5 | CVE-2023-24922 MISC |
dlink -- dir-820l_firmware | A heap overflow vulnerability in D-Link DIR820LA1_FW106B02 allows attackers to cause a denial of service via the config.log_to_syslog and log_opt_dropPackets parameters to mydlink_api.ccp. | 2023-03-15 | 6.5 | CVE-2023-25282 MISC MISC |
sap -- netweaver_application_server_abap | SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information. | 2023-03-14 | 6.5 | CVE-2023-25618 MISC MISC |
ibm -- robotic_process_automation | IBM Robotic Process Automation 21.0.1 through 21.0.5 is vulnerable to insufficiently protecting credentials. Queue Provider credentials are not obfuscated while editing queue provider details. IBM X-Force ID: 247032. | 2023-03-15 | 6.5 | CVE-2023-25680 MISC MISC |
online_food_ordering_system_project -- online_food_ordering_system | A Cross-Site Request Forgery (CSRF) in Online Food Ordering System v1.0 allows attackers to change user details and credentials via a crafted POST request. | 2023-03-14 | 6.5 | CVE-2023-27073 MISC |
readtomyshoe_project -- readtomyshoe | ReadtoMyShoe, a web app that lets users upload articles and listen to them later, generates an error message containing sensitive information prior to commit 8533b01. If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, then it will include the full URL of the request. The request URL contains the Google Cloud API key. This has been patched in commit 8533b01. Upgrading should be accompanied by deleting the current GCP API key and issuing a new one. There are no known workarounds. | 2023-03-13 | 6.5 | CVE-2023-27587 MISC MISC |
microsoft -- malware_protection_engine | Microsoft Defender Elevation of Privilege Vulnerability | 2023-03-14 | 6.3 | CVE-2023-23389 MISC |
a-forms_project -- a-forms | A vulnerability, which was classified as problematic, was found in MMDeveloper A Forms Plugin up to 1.4.2. This affects an unknown part of the file a-forms.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.4.3 is able to address this issue. The name of the patch is 3e693197bd69b7173cc16d8d2e0a7d501a2a0b06. It is recommended to upgrade the affected component. The identifier VDB-222609 was assigned to this vulnerability. | 2023-03-10 | 6.1 | CVE-2013-10020 MISC MISC MISC |
wordpress -- debug_bar | A vulnerability was found in dd32 Debug Bar Plugin up to 0.8. It has been declared as problematic. Affected by this vulnerability is the function render of the file panels/class-debug-bar-queries.php. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 0.8.1 is able to address this issue. The name of the patch is 0842af8f8a556bc3e39b9ef758173b0a8a9ccbfc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222739. | 2023-03-11 | 6.1 | CVE-2013-10021 MISC MISC MISC MISC |
mobilevikings -- django_ajax_utilities | A vulnerability was found in Mobile Vikings Django AJAX Utilities up to 1.2.1 and classified as problematic. This issue affects the function Pagination of the file django_ajax/static/ajax-utilities/js/pagination.js of the component Backslash Handler. The manipulation of the argument url leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 329eb1dd1580ca1f9d4f95bc69939833226515c9. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222611. | 2023-03-10 | 6.1 | CVE-2017-20182 MISC MISC MISC |
hcltech -- verse | HCL Verse is susceptible to a Cross Site Scripting (XSS) vulnerability. By tricking a user into clicking a crafted URL, a remote unauthenticated attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information. | 2023-03-10 | 6.1 | CVE-2021-27788 MISC |
firmanet -- customer_relation_manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Firmanet Software and Technology Customer Relation Manager allows XSS Targeting HTML Attributes. This issue affects Customer Relation Manager: before 2022.03.13. | 2023-03-14 | 6.1 | CVE-2021-4195 MISC |
ibexa -- ez_platform_kernel | An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file. | 2023-03-12 | 6.1 | CVE-2021-46875 MISC MISC |
firmanet -- technology_customer_relation_manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Firmanet Software and Technology Customer Relation Manager allows Cross-Site Scripting (XSS). This issue affects Customer Relation Manager: before 2022.03.13. | 2023-03-14 | 6.1 | CVE-2022-23790 MISC |
firmanet -- customer_relation_manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Firmanet Software and Technology Customer Relation Manager allows Cross-Site Scripting (XSS). This issue affects Customer Relation Manager: before 2022.03.13. | 2023-03-14 | 6.1 | CVE-2022-23791 MISC |
ibm -- app_connect_enterprise_certified_container | IBM App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1, 5.2, 6.0, 6.1, 6.2, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 239963. | 2023-03-15 | 6.1 | CVE-2022-43874 MISC MISC |
siri-informatica -- wi400 | A cross-site scripting (XSS) vulnerability in the check_login function of SIPE s.r.l WI400 between version 8 and 11 included allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the f parameter. | 2023-03-10 | 6.1 | CVE-2022-48111 MISC MISC MISC MISC MISC |
sap -- netweaver | Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application. | 2023-03-14 | 6.1 | CVE-2023-0021 MISC MISC |
talentyazilim -- unis | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Talent Software UNIS allows Reflected XSS. This issue affects UNIS: before 28376. | 2023-03-15 | 6.1 | CVE-2023-0322 MISC |
gigamon -- gigavue-os | The help page in GigaVUE-FM, when using GigaVUE-OS software version 5.0 202, does not require an authenticated user. An attacker could enforce a user into inserting malicious JavaScript code into the URI, that could lead to a Reflected Cross site Scripting. | 2023-03-10 | 6.1 | CVE-2023-0746 CONFIRM |
enhancesoft -- osticket | Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1.16.6. | 2023-03-10 | 6.1 | CVE-2023-1320 CONFIRM MISC |
hsycms -- hsycms | A vulnerability, which was classified as problematic, has been found in Hsycms 3.1. Affected by this issue is some unknown functionality of the file controller\cate.php of the component Add Category Module. The manipulation of the argument title leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-222842 is the identifier assigned to this vulnerability. | 2023-03-11 | 6.1 | CVE-2023-1349 MISC MISC MISC |
design_and_implementation_of_covid-19_directory_on_vaccination_system_project -- design_and_implementation_of_covid-19_directory_on_vaccination_system | A vulnerability, which was classified as problematic, was found in SourceCodester Design and Implementation of Covid-19 Directory on Vaccination System 1.0. Affected is an unknown function of the file verification.php. The manipulation of the argument txtvaccinationID leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222852. | 2023-03-11 | 6.1 | CVE-2023-1353 MISC MISC MISC |
design_and_implementation_of_covid-19_directory_on_vaccination_system_project -- design_and_implementation_of_covid-19_directory_on_vaccination_system | A vulnerability has been found in SourceCodester Design and Implementation of Covid-19 Directory on Vaccination System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file register.php. The manipulation of the argument txtfullname/txtage/txtaddress/txtphone leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222853 was assigned to this vulnerability. | 2023-03-11 | 6.1 | CVE-2023-1354 MISC MISC MISC |
bumsys_project -- bumsys | Improper Restriction of Rendered UI Layers or Frames in GitHub repository unilogies/bumsys prior to v2.0.2. | 2023-03-13 | 6.1 | CVE-2023-1362 MISC CONFIRM |
webhostings -- wh_testimonials | The WH Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters such as wh_homepage, wh_text_short, wh_text_full and in versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2023-03-13 | 6.1 | CVE-2023-1372 MISC MISC MISC |
yoga_class_registration_system_project -- yoga_class_registration_system | A vulnerability was found in SourceCodester Yoga Class Registration System 1.0. It has been declared as problematic. This vulnerability affects the function query of the file admin/user/list.php. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222982 is the identifier assigned to this vulnerability. | 2023-03-14 | 6.1 | CVE-2023-1395 MISC MISC MISC |
online_tours_&_travels_management_system_project -- online_tours_&_travels_management_system | A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file admin/traveller_details.php. The manipulation of the argument address leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222983. | 2023-03-14 | 6.1 | CVE-2023-1396 MISC MISC MISC |
online_student_management_system_project -- online_student_management_system | A vulnerability classified as problematic has been found in SourceCodester Online Student Management System 1.0. Affected is an unknown function of the file profile.php. The manipulation of the argument adminname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222984. | 2023-03-14 | 6.1 | CVE-2023-1397 MISC MISC MISC |
opennetworking -- onos | A cross-site scripting (XSS) vulnerability in Open Networking Foundation ONOS from version v1.9.0 to v2.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard. | 2023-03-14 | 6.1 | CVE-2023-24279 MISC MISC MISC |
ibm -- spectrum_symphony | IBM Spectrum Symphony 7.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 247030. | 2023-03-10 | 6.1 | CVE-2023-24975 MISC MISC |
sap -- content_server | SAP Content Server - version 7.53, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can read and modify some sensitive information but cannot delete the data. | 2023-03-14 | 6.1 | CVE-2023-26457 MISC MISC |
my-blog_project -- my-blog | Cross Site Scripting vulnerability found in My-Blog allows attackers to cause a denial of service via the Post function. | 2023-03-13 | 6.1 | CVE-2023-27093 MISC |
icepay -- rest_api | A vulnerability was found in ICEPAY REST-API-NET 0.9. It has been declared as problematic. Affected by this vulnerability is the function RestClient of the file Classes/RestClient.cs of the component Checksum Validation. The manipulation leads to improper validation of integrity check value. The attack can be launched remotely. Upgrading to version 1.0 is able to address this issue. The name of the patch is 61f6b8758e5c971abff5f901cfa9f231052b775f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222847. | 2023-03-12 | 5.9 | CVE-2016-15028 MISC MISC MISC MISC |
qualcomm -- apq8009_firmware | Information Disclosure in Graphics during GPU context switch. | 2023-03-10 | 5.5 | CVE-2022-22075 MISC |
hpe -- superdome_flex_280_server_firmware | A potential security vulnerability has been identified in HPE Superdome Flex and Superdome Flex 280 servers. The vulnerability could be locally exploited to allow disclosure of information. HPE has made the following software to resolve the vulnerability in HPE Superdome Flex Servers v3.65.8 and Superdome Flex 280 Servers v1.45.8. | 2023-03-10 | 5.5 | CVE-2022-37939 MISC |
google -- android | In wcn service, there is a possible missing params check. This could lead to local denial of service in wcn service. | 2023-03-10 | 5.5 | CVE-2022-47453 MISC |
google -- android | In wlan driver, there is a possible missing params check. This could lead to local denial of service in wlan services. | 2023-03-10 | 5.5 | CVE-2022-47454 MISC |
google -- android | In wlan driver, there is a possible missing params check. This could lead to local denial of service in wlan services. | 2023-03-10 | 5.5 | CVE-2022-47455 MISC |
google -- android | In wlan driver, there is a possible missing params check. This could lead to local denial of service in wlan services. | 2023-03-10 | 5.5 | CVE-2022-47456 MISC |
google -- android | In wlan driver, there is a possible missing params check. This could lead to local denial of service in wlan services. | 2023-03-10 | 5.5 | CVE-2022-47457 MISC |
google -- android | In wlan driver, there is a possible missing params check. This could lead to local denial of service in wlan services. | 2023-03-10 | 5.5 | CVE-2022-47458 MISC |
google -- android | In wlan driver, there is a possible missing params check. This could lead to local denial of service in wlan services. | 2023-03-10 | 5.5 | CVE-2022-47459 MISC |
google -- android | In gpu device, there is a memory corruption due to a use after free. This could lead to local denial of service in kernel. | 2023-03-10 | 5.5 | CVE-2022-47460 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47471 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47472 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47473 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47474 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47475 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47476 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47477 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47478 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47479 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47480 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47481 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47482 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47483 MISC |
google -- android | In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed. | 2023-03-10 | 5.5 | CVE-2022-47484 MISC |
openharmony -- openharmony | The ArKUI framework subsystem within OpenHarmony-v3.1.5 and prior versions, OpenHarmony-v3.0.7 and prior versions has an Improper Input Validation vulnerability that local attackers can exploit to send malicious data, causing the current application to crash. | 2023-03-10 | 5.5 | CVE-2023-0083 MISC |
tgsoft -- viragtlt.sys | A vulnerability was found in TG Soft Vir.IT eXplorer 9.4.86.0. It has been rated as problematic. This issue affects some unknown processing in the library VIRAGTLT.sys of the component IoControlCode Handler. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 9.5 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222875. | 2023-03-13 | 5.5 | CVE-2023-1369 MISC MISC MISC MISC MISC |
microsoft -- office_for_android | Office for Android Spoofing Vulnerability | 2023-03-14 | 5.5 | CVE-2023-23391 MISC |
microsoft -- multiple_products | Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability | 2023-03-14 | 5.5 | CVE-2023-23394 MISC |
microsoft -- multiple_products | Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability | 2023-03-14 | 5.5 | CVE-2023-23409 MISC |
openharmony -- openharmony | Communication Wi-Fi subsystem within OpenHarmony-v3.1.4 and prior versions, OpenHarmony-v3.0.7 and prior versions has a null pointer reference vulnerability that local attackers can exploit to cause the current application to crash. | 2023-03-10 | 5.5 | CVE-2023-24465 MISC |
microsoft -- multiple_products | Windows Secure Channel Denial of Service Vulnerability | 2023-03-14 | 5.5 | CVE-2023-24862 MISC |
microsoft -- onedrive_for_android | Microsoft OneDrive for Android Information Disclosure Vulnerability | 2023-03-14 | 5.5 | CVE-2023-24882 MISC |
microsoft -- onedrive_for_android | Microsoft OneDrive for Android Information Disclosure Vulnerability | 2023-03-14 | 5.5 | CVE-2023-24923 MISC |
openharmony -- openharmony | The bundle management subsystem within OpenHarmony-v3.1.4 and prior versions has a null pointer reference vulnerability that local attackers can exploit to cause a DoS attack to the system when installing a malicious HAP package. | 2023-03-10 | 5.5 | CVE-2023-25947 MISC |
radare -- radare2 | radare2 v5.8.3 was discovered to contain a segmentation fault via the component wasm_dis at p/wasm/wasm.c. | 2023-03-10 | 5.5 | CVE-2023-27114 MISC MISC |
webassembly -- webassembly | WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt::cat_compute_size. | 2023-03-10 | 5.5 | CVE-2023-27115 MISC MISC |
webassembly -- webassembly | WebAssembly v1.0.29 was discovered to contain an abort in CWriter::MangleType. | 2023-03-10 | 5.5 | CVE-2023-27116 MISC |
webassembly -- webassembly | WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt: | 2023-03-10 | 5.5 | CVE-2023-27119 MISC |
connekthq -- ajax_load_more | The WordPress Infinite Scroll WordPress plugin before 5.6.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2023-03-13 | 5.4 | CVE-2022-4466 MISC |
pushlabs -- video_background | The Video Background WordPress plugin before 2.7.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2023-03-13 | 5.4 | CVE-2022-4652 MISC |
themelocation -- widgets_for_woocommerce_products_on_elementor | The Widgets for WooCommerce Products on Elementor WordPress plugin before 1.0.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2023-03-13 | 5.4 | CVE-2022-4661 MISC |
codeermeneer -- companion_sitemap_generator | The Companion Sitemap Generator WordPress plugin through 4.5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2023-03-13 | 5.4 | CVE-2023-0066 MISC |
client_logo_carousel_project -- client_logo_carousel | The Client Logo Carousel WordPress plugin through 3.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2023-03-13 | 5.4 | CVE-2023-0073 MISC |
saas.group -- juicer | The Juicer WordPress plugin before 1.11 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2023-03-13 | 5.4 | CVE-2023-0172 MISC |
wpmanageninja -- fluentsmtp | The FluentSMTP WordPress plugin before 2.2.3 does not sanitize or escape email content, making it vulnerable to stored cross-site scripting attacks (XSS) when an administrator views the email logs. This exploit requires other plugins to enable users to send emails with unfiltered HTML. | 2023-03-13 | 5.4 | CVE-2023-0219 MISC |
campaign_url_builder_project -- campaign_url_builder | The Campaign URL Builder WordPress plugin before 1.8.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2023-03-13 | 5.4 | CVE-2023-0538 MISC |
enhancesoft -- osticket | Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6. | 2023-03-10 | 5.4 | CVE-2023-1315 MISC CONFIRM |
enhancesoft -- osticket | Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1.16.6. | 2023-03-10 | 5.4 | CVE-2023-1316 CONFIRM MISC |
enhancesoft -- osticket | Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6. | 2023-03-10 | 5.4 | CVE-2023-1317 CONFIRM MISC |
enhancesoft -- osticket | Cross-site Scripting (XSS) - Generic in GitHub repository osticket/osticket prior to v1.16.6. | 2023-03-10 | 5.4 | CVE-2023-1318 MISC CONFIRM |
computer_parts_sales_and_inventory_system_project -- computer_parts_sales_and_inventory_system | A vulnerability, which was classified as problematic, was found in SourceCodester Computer Parts Sales and Inventory System 1.0. Affected is an unknown function of the component Add User Account. The manipulation of the argument username leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-222870 is the identifier assigned to this vulnerability. | 2023-03-13 | 5.4 | CVE-2023-1363 MISC MISC MISC |
avantfax -- avantfax | A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an administrator's session cookie and hijacking their session. | 2023-03-10 | 5.4 | CVE-2023-23326 MISC MISC |
microsoft -- dynamics_365 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | 2023-03-14 | 5.4 | CVE-2023-24879 MISC |
microsoft -- multiple_products | Windows SmartScreen Security Feature Bypass Vulnerability | 2023-03-14 | 5.4 | CVE-2023-24880 MISC |
microsoft -- dynamics_365 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | 2023-03-14 | 5.4 | CVE-2023-24891 MISC |
microsoft -- dynamics_365 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | 2023-03-14 | 5.4 | CVE-2023-24919 MISC |
microsoft -- dynamics_365 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | 2023-03-14 | 5.4 | CVE-2023-24920 MISC |
microsoft -- dynamics_365 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | 2023-03-14 | 5.4 | CVE-2023-24921 MISC |
totaljs -- openplatform | A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the account name field. | 2023-03-14 | 5.4 | CVE-2023-27069 MISC MISC |
totaljs -- openplatform | A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field. | 2023-03-14 | 5.4 | CVE-2023-27070 MISC MISC |
jenkins -- jenkins | Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances. | 2023-03-10 | 5.4 | CVE-2023-27898 MISC |
jenkins -- update-center2 | Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a plugin for hosting. | 2023-03-10 | 5.4 | CVE-2023-27905 MISC |
ibexa -- ez_platform_kernel | An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence. | 2023-03-12 | 5.3 | CVE-2021-46876 MISC MISC |
akuvox -- e11_firmware | The Akuvox E11 Media Access Control (MAC) address, a primary identifier, combined with the Akuvox E11 IP address, could allow an attacker to identify the device on the Akuvox cloud. | 2023-03-13 | 5.3 | CVE-2023-0347 MISC |
hashicorp -- nomad | HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1. | 2023-03-14 | 5.3 | CVE-2023-1296 MISC |
sap -- netweaver_application_server_java | SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data. | 2023-03-14 | 5.3 | CVE-2023-24526 MISC MISC |
apache -- airflow | Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.5.2. | 2023-03-15 | 5.3 | CVE-2023-25695 MISC MISC |
roxy-wi -- roxy-wi | Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a limited path traversal vulnerability. An SSH key can be saved into an unintended location, for example the /tmp folder using a payload ../../../../../tmp/test111_dev. This issue has been fixed in version 6.3.5.0. | 2023-03-15 | 5.3 | CVE-2023-25804 MISC |
jenkins -- jenkins | Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers. | 2023-03-10 | 5.3 | CVE-2023-27904 MISC |
employee_payslip_generator_system_project -- employee_payslip_generator_system | A vulnerability was found in SourceCodester Employee Payslip Generator with Sending Mail 1.2.0 and classified as critical. This issue affects some unknown processing of the file classes/Users.php?f=save of the component New User Creation. The manipulation of the argument username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222863. | 2023-03-12 | 4.9 | CVE-2023-1360 MISC MISC MISC |
avantfax -- avantfax | An Information Disclosure vulnerability exists in AvantFAX 3.3.7. Backups of the AvantFAX sent/received faxes, and database backups are stored using the current date as the filename and hosted on the web server without access controls. | 2023-03-10 | 4.9 | CVE-2023-23327 MISC MISC |
sap -- abap_platform | Due to insufficient input sanitization, SAP ABAP - versions 751, 753, 753, 754, 756, 757, 791, allows an authenticated high privileged user to alter the current session of the user by injecting the malicious database queries over the network and gain access to the unintended data. This may lead to a high impact on the confidentiality and no impact on the availability and integrity of the application. | 2023-03-14 | 4.9 | CVE-2023-25615 MISC MISC |
flarum -- flarum | Flarum is a forum software package for building communities. In versions prior to 1.7.0 an admin account which has already been compromised by an attacker may use a vulnerability in the LESS parser which can be exploited to read sensitive files on the server through the use of path traversal techniques. An attacker can achieve this by providing an absolute path to a sensitive file in the custom LESS setting, which the LESS parser will then read. For example, an attacker could use the following code to read the contents of the /etc/passwd file on a Linux machine. The scope of what files are vulnerable will depend on the permissions given to the running Flarum process. The vulnerability has been addressed in version 1.7. Users should upgrade to this version to mitigate the vulnerability. Users unable to upgrade may mitigate the vulnerability by ensuring that their admin accounts are secured with strong passwords and follow other best practices for account security. Additionally, users can limit the exposure of sensitive files on the server by implementing appropriate file permissions and access controls at the operating system level. | 2023-03-10 | 4.9 | CVE-2023-27577 MISC MISC |
jetbackup -- jetbackup | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JetBackup JetBackup – WP Backup, Migrate & Restore plugin <= 1.6.9.0 versions. | 2023-03-15 | 4.8 | CVE-2022-34148 MISC |
afsanalytics -- afs_analytics | Stored Cross-site Scripting (XSS) vulnerability in AFS Analytics plugin <= 4.18 versions. | 2023-03-15 | 4.8 | CVE-2022-37402 MISC |
ip_vault_-wp_firewall_project -- ip_vault-_wp_firewall | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paul C. Schroeder IP Vault – WP Firewall plugin <= 1.1 versions. | 2023-03-14 | 4.8 | CVE-2022-47171 MISC |
kibokolabs -- namaste!_lms | The Namaste! LMS WordPress plugin before 2.6 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2023-03-13 | 4.8 | CVE-2023-0844 MISC |
pimcore -- pimcore | Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19. | 2023-03-10 | 4.8 | CVE-2023-1312 CONFIRM MISC |
enhancesoft -- osticket | Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1.16.6. | 2023-03-10 | 4.8 | CVE-2023-1319 MISC CONFIRM |
gadget_works_online_ordering_system_project -- gadget_works_online_ordering_system | A vulnerability has been found in SourceCodester Gadget Works Online Ordering System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /philosophy/admin/user/controller.php?action=add of the component Add New User. The manipulation of the argument U_NAME leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222862 is the identifier assigned to this vulnerability. | 2023-03-12 | 4.8 | CVE-2023-1359 MISC MISC MISC |
solidres -- solidres | The Solidres plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'currency_name' parameter in versions up to, and including, 0.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2023-03-13 | 4.8 | CVE-2023-1374 MISC MISC MISC |
s-mall-ssm_project -- s-mall-ssm | Cross site scripting (XSS) vulnerability in xenv S-mall-ssm thru commit 3d9e77f7d80289a30f67aaba1ae73e375d33ef71 on Feb 17, 2020, allows local attackers to execute arbitrary code via the evaluate button. | 2023-03-15 | 4.8 | CVE-2023-26912 MISC |
halo -- halo | An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file. | 2023-03-10 | 4.8 | CVE-2023-27164 MISC MISC MISC |
microsoft -- azure_hdinsights | Azure Apache Ambari Spoofing Vulnerability | 2023-03-14 | 4.5 | CVE-2023-23408 MISC |
nvidia -- cuda_toolkit | NVIDIA CUDA Toolkit SDK contains a vulnerability in cuobjdump, where a local user running the tool against a malicious binary may cause an out-of-bounds read, which may result in a limited denial of service and limited information disclosure. | 2023-03-10 | 4.4 | CVE-2023-0193 MISC |
jenkins -- jenkins | Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used. | 2023-03-10 | 4.4 | CVE-2023-27903 MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_page_cache function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete the plugin's cache. | 2023-03-10 | 4.3 | CVE-2023-1333 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized cache modification due to a missing capability check on the queue_posts function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to modify the plugin's cache. | 2023-03-10 | 4.3 | CVE-2023-1334 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the ucss_connect function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to connect a new license key to the site. | 2023-03-10 | 4.3 | CVE-2023-1335 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check on the ajax_deactivate function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to disable caching. | 2023-03-10 | 4.3 | CVE-2023-1336 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the clear_uucss_logs function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete plugin log files. | 2023-03-10 | 4.3 | CVE-2023-1337 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized cache modification due to a missing capability check on the attach_rule function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to modify cache rules. | 2023-03-10 | 4.3 | CVE-2023-1338 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check on the uucss_update_rule function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to update caching rules. | 2023-03-10 | 4.3 | CVE-2023-1339 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the clear_uucss_logs function. This makes it possible for unauthenticated attackers to clear plugin logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2023-03-10 | 4.3 | CVE-2023-1340 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the ajax_deactivate function. This makes it possible for unauthenticated attackers to turn off caching via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2023-03-10 | 4.3 | CVE-2023-1341 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the ucss_connect function. This makes it possible for unauthenticated attackers to connect the site to a new license key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2023-03-10 | 4.3 | CVE-2023-1342 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the attach_rule function. This makes it possible for unauthenticated attackers to modify the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2023-03-10 | 4.3 | CVE-2023-1343 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the uucss_update_rule function. This makes it possible for unauthenticated attackers to modify the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2023-03-10 | 4.3 | CVE-2023-1344 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the queue_posts function. This makes it possible for unauthenticated attackers to modify the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2023-03-10 | 4.3 | CVE-2023-1345 MISC MISC |
rapidload -- power-up_for_autoptimize | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the clear_page_cache function. This makes it possible for unauthenticated attackers to clear the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2023-03-10 | 4.3 | CVE-2023-1346 MISC MISC |
pixelyoursite -- pixelyoursite | Cross-Site Request Forgery (CSRF) vulnerability in PixelYourSite PixelYourSite – Your smart PIXEL (TAG) Manager plugin <= 9.3.0 versions. | 2023-03-13 | 4.3 | CVE-2023-22700 MISC |
a2hosting -- a2_optimized | Cross-Site Request Forgery (CSRF) vulnerability in A2 Hosting A2 Optimized WP plugin <= 3.0.4 versions. | 2023-03-13 | 4.3 | CVE-2023-23711 MISC |
siemens -- ruggedcom_crossbow | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.3). The client query handler of the affected application fails to check for proper permissions for specific read queries. This could allow authenticated remote attackers to access data they are not authorized for. | 2023-03-14 | 4.3 | CVE-2023-27462 MISC |
jenkins -- jenkins | Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents. | 2023-03-10 | 4.3 | CVE-2023-27902 MISC |
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
easyappointments -- easyappointments | Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | 2023-03-13 | 3.8 | CVE-2023-1367 CONFIRM MISC |
ibexa -- commerce | An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack. | 2023-03-12 | 3.7 | CVE-2022-48366 MISC MISC MISC |
ibm -- robotic_process_automation_as_a_service | IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system due to session tokens not being invalidated after a password reset. IBM X-Force ID: 243710. | 2023-03-15 | 3.2 | CVE-2023-22591 MISC MISC |
microsoft -- multiple_products | Microsoft SharePoint Server Spoofing Vulnerability | 2023-03-14 | 3.1 | CVE-2023-23395 MISC |
Severity Not Yet Assigned
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
markdown_edit -- markdown_edit | Cross Site Scripting vulnerability found in Markdown Edit allows a remote attacker to execute arbitrary code via the edit parameter of the webpage. | 2023-03-16 | not yet calculated | CVE-2020-19947 MISC |
depositgame -- depositgame | An issue found in DepositGame v.1.0 allows an attacker to gain sensitive information via the GetBonusWithdraw and withdraw functions. | 2023-03-16 | not yet calculated | CVE-2020-22647 MISC |
ibm -- financial_transaction_manager | IBM Financial Transaction Manager for High Value Payments for Multi-Platform 3.2.0 through 3.2.10 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 183329. | 2023-03-15 | not yet calculated | CVE-2020-4556 MISC MISC |
dell -- multiple_products | Dell EMC Unisphere for PowerMax versions before 9.1.0.27, Dell EMC Unisphere for PowerMax Virtual Appliance versions before 9.1.0.27, and PowerMax OS Release 5978 contain an improper certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit. | 2023-03-17 | not yet calculated | CVE-2021-21548 MISC |
uwamp.exe -- uwamp.exe | An issue found in UwAmp v.1.1, 1.2, 1.3, 2.0, 2.1, 2.2, 2.2.1, 3.0.0, 3.0.1, 3.0.2 allows a remote attacker to execute arbitrary code via a crafted DLL. | 2023-03-16 | not yet calculated | CVE-2021-31637 MISC |
wordpress -- wordpress | Unauth. Stored Cross-Site Scripting (XSS) vulnerability in WPMU DEV Forminator – Contact Form, Payment Form & Custom Form Builder plugin <= 1.14.11 versions. | 2023-03-16 | not yet calculated | CVE-2021-36821 MISC |
pev -- pev | A Buffer Overflow vulnerability exists in Pev 0.81 via the pe_exports function from exports.c. The array offsets_to_Names is dynamically allocated on the stack using exp->NumberOfFunctions as its size. However, the loop uses exp->NumberOfNames to iterate over it and set its components value. Therefore, the loop code assumes that exp->NumberOfFunctions is greater than ordinal at each iteration. This can lead to arbitrary code execution. | 2023-03-13 | not yet calculated | CVE-2021-45423 MISC |
jackson-databind -- jackson-databind | jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. | 2023-03-18 | not yet calculated | CVE-2021-46877 MISC MISC |
octopus_deploy -- octopus_server | In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items | 2023-03-13 | not yet calculated | CVE-2022-2258 MISC |
octopus_deploy -- octopus_server | In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items | 2023-03-13 | not yet calculated | CVE-2022-2259 MISC |
abb -- multiple_products | Use of Insufficiently Random Values vulnerability in ABB Pulsar Plus System Controller NE843_S, ABB Infinity DC Power Plant. This issue affects Pulsar Plus System Controller NE843_S : comcode 150042936; Infinity DC Power Plant: H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) – comcode 150047415. | 2023-03-16 | not yet calculated | CVE-2022-26080 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high Privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34406 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high Privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34407 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high Privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34408 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high Privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34409 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high Privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34410 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high Privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34411 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high Privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34412 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high Privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34413 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high Privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34414 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34415 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34416 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34417 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34418 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34419 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34420 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34421 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34422 MISC |
dell -- bios_for_poweredge_and_precision | Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service. | 2023-03-16 | not yet calculated | CVE-2022-34423 MISC |
wordpress -- wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Social Login WP plugin <= 5.0.0.0 versions. | 2023-03-16 | not yet calculated | CVE-2022-38063 MISC |
wordpress -- wordpress | Stored Cross-Site Scripting (XSS) vulnerability in ThemeKraft Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions plugin <= 2.7.5 versions. | 2023-03-16 | not yet calculated | CVE-2022-38971 MISC |
octopus_deploy -- octopus_server | In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation. | 2023-03-16 | not yet calculated | CVE-2022-4009 MISC |
wordpress -- wordpress | Cross-Site Scripting (XSS) vulnerability in Dario Curvino Yasr – Yet Another Stars Rating plugin <= 3.1.2 versions. | 2023-03-16 | not yet calculated | CVE-2022-40699 MISC |
wordpress -- wordpress | Stored Cross-Site Scripting (XSS) vulnerability in John West Slideshow SE plugin <= 2.5.5 versions. | 2023-03-16 | not yet calculated | CVE-2022-41554 MISC |
tenable -- multiple_products | A vulnerability was reported in which an authenticated user in Tenable products who has Scan Policy Configuration roles could, by modifying the scan variables, manipulate audit policy variables to execute arbitrary commands on credentialed scan targets. | 2023-03-15 | not yet calculated | CVE-2022-4313 MISC |
ghost -- node-sqlite3 | A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted JavaScript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability. | 2023-03-16 | not yet calculated | CVE-2022-43441 MISC MISC |
wordpress -- wordpress | Stored Cross-Site Scripting (XSS) vulnerability in John West Slideshow SE plugin <= 2.5.5 versions. | 2023-03-17 | not yet calculated | CVE-2022-43461 MISC |
eip_stack_group_opener -- eip_stack_group_opener | An out-of-bounds write vulnerability exists in the GetAttributeList attribute_count_request functionality of EIP Stack Group OpENer development commit 58ee13c. A specially crafted EtherNet/IP request can lead to an out-of-bounds write, potentially causing the server to crash or allow for remote code execution. An attacker can send a series of EtherNet/IP requests to trigger this vulnerability. | 2023-03-16 | not yet calculated | CVE-2022-43604 MISC |
eip_stack_group_opener -- eip_stack_group_opener | An out-of-bounds write vulnerability exists in the SetAttributeList attribute_count_request functionality of EIP Stack Group OpENer development commit 58ee13c. A specially crafted EtherNet/IP request can lead to an out-of-bounds write, potentially causing the server to crash or allow for remote code execution. An attacker can send a series of EtherNet/IP requests to trigger this vulnerability. | 2023-03-16 | not yet calculated | CVE-2022-43605 MISC |
eip_stack_group_opener -- eip_stack_group_opener | A use-of-uninitialized-pointer vulnerability exists in the Forward Open connection_management_entry functionality of EIP Stack Group OpENer development commit 58ee13c. A specially-crafted EtherNet/IP request can lead to use of a null pointer, causing the server to crash. An attacker can send a series of EtherNet/IP requests to trigger this vulnerability. | 2023-03-16 | not yet calculated | CVE-2022-43606 MISC |
suse -- opensuse_factory | An Improper Handling of Exceptional Conditions vulnerability in obs-service-go_modules of openSUSE Factory allows attackers that can influence the call to the service to delete files and directories on the system of the victim. This issue affects: SUSE openSUSE Factory obs-service-go_modules versions prior to 0.6.1. | 2023-03-15 | not yet calculated | CVE-2022-45155 CONFIRM |
wordpress -- wordpress | Stored Cross-Site Scripting (XSS) vulnerability in Fabian von Allmen WP Calendar plugin <= 1.5.3 versions. | 2023-03-17 | not yet calculated | CVE-2022-45814 MISC |
wordpress -- wordpress | Cross-Site Scripting (XSS) vulnerability in Erin Garscadden GC Testimonials plugin <= 1.3.2 versions. | 2023-03-17 | not yet calculated | CVE-2022-45817 MISC |
wordpress -- wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Obox Themes Launchpad – Coming Soon & Maintenance Mode plugin <= 1.0.13 versions. | 2023-03-17 | not yet calculated | CVE-2022-46854 MISC |
wordpress -- wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Chasil Universal Star Rating plugin <= 2.1.0 versions. | 2023-03-17 | not yet calculated | CVE-2022-46867 MISC |
rockwell_automation -- modbus_tcp_server_add_on_instructions | Rockwell Automation Modbus TCP Server AOI prior to 2.04.00 is vulnerable to an unauthorized user sending a malformed message that could cause the controller to respond with a copy of the most recent response to the last valid request. If exploited, an unauthorized user could read the connected device’s Modbus TCP Server AOI information. | 2023-03-17 | not yet calculated | CVE-2023-0027 MISC |
eclipse_foundation -- business_intelligence_reporting_tool | In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed a report to be retrieved from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host indicated in the __report parameter matched the HTTP Host header value, the report would be retrieved. However, the Host header can be tampered with on some configurations where no virtual hosts are put in place (e.g. in the default configuration of Apache Tomcat) or when the default host points to the BIRT server. This vulnerability was patched in Eclipse BIRT 4.13. | 2023-03-15 | not yet calculated | CVE-2023-0100 CONFIRM |
general_electric_digital -- proficy_ifix | GE Digital Proficy iFIX 2022, GE Digital Proficy iFIX v6.1, and GE Digital Proficy iFIX v6.5 are vulnerable to code injection, which may allow an attacker to insert malicious configuration files in the expected web server execution path and gain full control of the HMI software. | 2023-03-16 | not yet calculated | CVE-2023-0598 MISC MISC |
omron -- multiple_products | Omron CJ1M unit v4.0 and prior has improper access controls on the memory region where the UM password is stored. If an adversary issues a PROGRAM AREA WRITE command to a specific memory region, they could overwrite the password. This may lead to disabling UM protections or setting a non-ASCII password (non-keyboard characters) and preventing an engineer from viewing or modifying the user program. | 2023-03-16 | not yet calculated | CVE-2023-0811 MISC MISC |
steptools -- v18sp1_ifcmesh_library | STEPTools v18SP1 ifcmesh library (v18.1) is affected by a null pointer dereference, which could allow an attacker to deny application usage when reading a specially constructed file, resulting in an application crash. | 2023-03-13 | not yet calculated | CVE-2023-0973 MISC |
utarit_information_technologies -- persolus | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Utarit Information Technologies Persolus allows SQL Injection. This issue affects Persolus: before 2.03.93. | 2023-03-17 | not yet calculated | CVE-2023-1152 MISC |
wordpress -- wordpress | The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2023-03-17 | not yet calculated | CVE-2023-1172 MISC MISC |
aveva -- plant_scada/telemetry_server | The listed versions of AVEVA Plant SCADA and AVEVA Telemetry Server are vulnerable to an improper authorization exploit which could allow an unauthenticated user to remotely read data, cause denial of service, and tamper with alarm states. | 2023-03-16 | not yet calculated | CVE-2023-1256 MISC |
netgear -- rax30_(ax2400) | Netgear RAX30 (AX2400), prior to version 1.0.6.74, was affected by an authentication bypass vulnerability, allowing an unauthenticated attacker to gain administrative access to the device's web management interface by resetting the admin password. | 2023-03-14 | not yet calculated | CVE-2023-1327 MISC |
sourcecodester -- friendly_island_pizza_website_and_ordering_system | A vulnerability was found in SourceCodester Friendly Island Pizza Website and Ordering System 1.0. It has been rated as critical. This issue affects some unknown processing of the file addmem.php of the component POST Parameter Handler. The manipulation of the argument firstname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223127. | 2023-03-15 | not yet calculated | CVE-2023-1379 MISC MISC MISC |
tp-link -- archer_ax21_(ax1800)_firmware | TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request. | 2023-03-15 | not yet calculated | CVE-2023-1389 MISC |
linux -- kernel | A remote denial of service vulnerability was found in the Linux kernel’s TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue. Sending two small UDP packets to a system with a UDP bearer causes the system’s CPU utilization to instantly spike to 100%, resulting in a denial of service condition. | 2023-03-16 | not yet calculated | CVE-2023-1390 MISC MISC MISC |
simple_art_gallery -- simple_art_gallery | A vulnerability classified as critical has been found in Simple Art Gallery 1.0. Affected is an unknown function of the file adminHome.php. The manipulation of the argument social_facebook leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223128. | 2023-03-15 | not yet calculated | CVE-2023-1416 MISC MISC MISC |
sourcecodester -- friendly_island_pizza_website_and_ordering_system | A vulnerability classified as problematic was found in SourceCodester Friendly Island Pizza Website and Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file cashconfirm.php of the component POST Parameter Handler. The manipulation of the argument transactioncode leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223129 was assigned to this vulnerability. | 2023-03-15 | not yet calculated | CVE-2023-1418 MISC MISC MISC |
mattermost -- mattermost | A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter. | 2023-03-15 | not yet calculated | CVE-2023-1421 MISC |
pimcore -- pimcore | Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19. | 2023-03-16 | not yet calculated | CVE-2023-1429 CONFIRM MISC |
wordpress -- wordpress | The WP Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.6.3 due to the plugin saving shopping cart data exports in a publicly accessible location (/wp-content/plugins/wordpress-simple-paypal-shopping-cart/includes/admin/). This makes it possible for unauthenticated attackers to view information that should be limited to administrators only and can include data like first name, last name, email, address, IP Address, and more. | 2023-03-16 | not yet calculated | CVE-2023-1431 MISC MISC |
sourcecodester -- online_food_ordering_system | A vulnerability was found in SourceCodester Online Food Ordering System 2.0 and classified as critical. Affected by this issue is some unknown functionality of the file /fos/admin/ajax.php?action=save_settings of the component POST Request Handler. The manipulation leads to improper access controls. The attack may be launched remotely. VDB-223214 is the identifier assigned to this vulnerability. | 2023-03-16 | not yet calculated | CVE-2023-1432 MISC MISC |
sourcecodester -- gadget_works_online_ordering_system | A vulnerability was found in SourceCodester Gadget Works Online Ordering System 1.0. It has been classified as problematic. This affects an unknown part of the file admin/products/controller.php?action=add of the component Products Handler. The manipulation of the argument filename leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223215. | 2023-03-16 | not yet calculated | CVE-2023-1433 MISC MISC MISC |
sourcecodester -- medicine_tracker_system | A vulnerability, which was classified as critical, has been found in SourceCodester Medicine Tracker System 1.0. This issue affects some unknown processing of the file medicines/view_details.php of the component GET Parameter Handler. The manipulation of the argument GET leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223283. | 2023-03-17 | not yet calculated | CVE-2023-1439 MISC MISC MISC |
sourcecodester -- automatic_question_paper_generator_system | A vulnerability, which was classified as critical, was found in SourceCodester Automatic Question Paper Generator System 1.0. Affected is an unknown function of the file users/user/manage_user.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223284. | 2023-03-17 | not yet calculated | CVE-2023-1440 MISC MISC MISC |
sourcecodester -- automatic_question_paper_generator_system | A vulnerability has been found in SourceCodester Automatic Question Paper Generator System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file admin/courses/view_course.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223285 was assigned to this vulnerability. | 2023-03-17 | not yet calculated | CVE-2023-1441 MISC MISC MISC |
qykcms -- qykcms | A vulnerability was found in Meizhou Qingyunke QYKCMS 4.3.0. It has been classified as problematic. This affects an unknown part of the file /admin_system/api.php of the component Update Handler. The manipulation of the argument downurl leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223287. | 2023-03-17 | not yet calculated | CVE-2023-1442 MISC MISC MISC |
filseclab -- twister_antivirus_8 | A vulnerability was found in Filseclab Twister Antivirus 8. It has been declared as problematic. This vulnerability affects unknown code in the library fildds.sys of the component IoControlCode Handler. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223288. | 2023-03-17 | not yet calculated | CVE-2023-1443 MISC MISC MISC MISC |
filseclab -- twister_antivirus_8 | A vulnerability was found in Filseclab Twister Antivirus 8. It has been rated as critical. This issue affects some unknown processing in the library fildds.sys of the component IoControlCode Handler. The manipulation leads to denial of service. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223289 was assigned to this vulnerability. | 2023-03-17 | not yet calculated | CVE-2023-1444 MISC MISC MISC MISC |
filseclab -- twister_antivirus_8 | A vulnerability classified as problematic has been found in Filseclab Twister Antivirus 8. Affected is an unknown function in the library fildds.sys of the component IoControlCode Handler. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. VDB-223290 is the identifier assigned to this vulnerability. | 2023-03-17 | not yet calculated | CVE-2023-1445 MISC MISC MISC MISC |
watchdog -- anti-virus | A vulnerability classified as problematic was found in Watchdog Anti-Virus 1.4.214.0. Affected by this vulnerability is an unknown functionality in the library wsdk-driver.sys of the component IoControlCode Handler. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223291. | 2023-03-17 | not yet calculated | CVE-2023-1446 MISC MISC MISC MISC |
sourcecodester -- medicine_tracker_system | A vulnerability, which was classified as problematic, has been found in SourceCodester Medicine Tracker System 1.0. Affected by this issue is some unknown functionality of the file app/?page=medicines/manage_medicine.They. The manipulation of the argument name/description with the input <script>alert('2')</script> leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-223292. | 2023-03-17 | not yet calculated | CVE-2023-1447 MISC MISC |
gpac -- gpac | A vulnerability, which was classified as problematic, was found in GPAC 2.3-DEV-rev35-gbbca86917-master. This affects the function gf_m2ts_process_sdt of the file media_tools/mpegts.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier VDB-223293 was assigned to this vulnerability. | 2023-03-17 | not yet calculated | CVE-2023-1448 MISC MISC MISC MISC |
gpac -- gpac | A vulnerability has been found in GPAC 2.3-DEV-rev35-gbbca86917-master and classified as problematic. This vulnerability affects the function gf_av1_reset_state of the file media_tools/av_parsers.c. The manipulation leads to double free. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. VDB-223294 is the identifier assigned to this vulnerability. | 2023-03-17 | not yet calculated | CVE-2023-1449 MISC MISC MISC MISC |
mp4v2_trackdump -- mp4v2_trackdump | A vulnerability was found in MP4v2 2.1.2 and classified as problematic. This issue affects the function DumpTrack of the file mp4trackdump.cpp. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223295. | 2023-03-17 | not yet calculated | CVE-2023-1450 MISC MISC MISC MISC |
mp4v2_trackdump -- mp4v2_trackdump | A vulnerability was found in MP4v2 2.1.2. It has been classified as problematic. Affected is the function mp4v2::impl::MP4Track::GetSampleFileOffset of the file mp4track.cpp. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223296. | 2023-03-17 | not yet calculated | CVE-2023-1451 MISC MISC MISC MISC |
gpac -- gpac | A vulnerability was found in GPAC 2.3-DEV-rev35-gbbca86917-master. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file filters/load_text.c. The manipulation leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier VDB-223297 was assigned to this vulnerability. | 2023-03-17 | not yet calculated | CVE-2023-1452 MISC MISC MISC MISC |
watchdog -- watchdog_antivirus | A vulnerability was found in Watchdog Anti-Virus 1.4.214.0. It has been rated as critical. Affected by this issue is some unknown functionality in the library wsdk-driver.sys of the component IoControlCode Handler. The manipulation leads to improper access controls. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. VDB-223298 is the identifier assigned to this vulnerability. | 2023-03-17 | not yet calculated | CVE-2023-1453 MISC MISC MISC MISC |
jeecg_boot_sqli -- jeecg_boot_sqli | A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223299. | 2023-03-17 | not yet calculated | CVE-2023-1454 MISC MISC MISC |
sourcecodester -- online_pizza_ordering_system | A vulnerability classified as critical was found in SourceCodester Online Pizza Ordering System 1.0. This vulnerability affects unknown code of the file admin/ajax.php?action=login2 of the component Login Page. The manipulation of the argument email with the input abc%40qq.com' AND (SELECT 9110 FROM (SELECT(SLEEP(5)))XSlc) AND 'jFNl'='jFNl leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223300. | 2023-03-17 | not yet calculated | CVE-2023-1455 MISC MISC |
sourcecodester -- canteen_management_system | A vulnerability was found in SourceCodester Canteen Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file changeUsername.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223304. | 2023-03-17 | not yet calculated | CVE-2023-1459 MISC MISC MISC |
sourcecodester -- online_pizza_ordering_system | A vulnerability was found in SourceCodester Online Pizza Ordering System 1.0. It has been classified as critical. This affects an unknown part of the file admin/ajax.php?action=save_user of the component Password Change Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The identifier VDB-223305 was assigned to this vulnerability. | 2023-03-17 | not yet calculated | CVE-2023-1460 MISC MISC |
sourcecodester -- canteen_management_system | A vulnerability was found in SourceCodester Canteen Management System 1.0. It has been declared as critical. This vulnerability affects the function query of the file createCategories.php. The manipulation of the argument categoriesStatus leads to sql injection. The attack can be initiated remotely. VDB-223306 is the identifier assigned to this vulnerability. | 2023-03-17 | not yet calculated | CVE-2023-1461 MISC MISC MISC |
teampass -- teampass | Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. | 2023-03-17 | not yet calculated | CVE-2023-1463 CONFIRM MISC |
sourcecodester -- medicine_tracker_system | A vulnerability, which was classified as critical, was found in SourceCodester Medicine Tracker System 1.0. This affects an unknown part of the file Users.php?f=save_user. The manipulation of the argument firstname/middlename/lastname/username/password leads to improper authentication. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-223311. | 2023-03-17 | not yet calculated | CVE-2023-1464 MISC MISC |
sourcecodester -- student_study_center_desk_management_system | A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(SLEEP(5)))FWlC) AND 'butz'='butz leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223325 was assigned to this vulnerability. | 2023-03-17 | not yet calculated | CVE-2023-1466 MISC MISC |
sourcecodester -- student_study_center_desk_management_system | A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-223326 is the identifier assigned to this vulnerability. | 2023-03-17 | not yet calculated | CVE-2023-1467 MISC MISC |
sourcecodester -- student_study_center_desk_management_system | A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipulation of the argument date_from/date_to leads to sql injection. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-223327. | 2023-03-17 | not yet calculated | CVE-2023-1468 MISC MISC |
wordpress -- wordpress | The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon
|