CISA Bulletins - Vulnerability Summary for the Week of October 2, 2023

High Vulnerabilities​

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
acronis -- agent​
Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 29051.​
2023-10-04​
7.8
CVE-2023-44209
MISC
acronis -- cyber_protect_home_office​
Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40713.​
2023-10-04​
9.1
CVE-2023-44208
MISC
afterlogic -- aurora_files​
A deserialization vulnerability in Afterlogic Aurora Files v9.7.3 allows attackers to execute arbitrary code via supplying a crafted .sabredav file.​
2023-10-03​
8.8
CVE-2023-43176
MISC
MISC
MISC
MISC
apple -- ipados/ios​
The issue was addressed with improved checks. This issue is fixed in iOS 17.0.3 and iPadOS 17.0.3. A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6.​
2023-10-04​
7.8
CVE-2023-42824
MISC
MISC
MISC
aqua_esolutions -- aqua_drive​
Aqua Drive, in its 2.4 version, is vulnerable to a relative path traversal vulnerability. By exploiting this vulnerability, an authenticated non privileged user could access/modify stored resources of other users. It could also be possible to access and modify the source and configuration files of the cloud disk platform, affecting the integrity and availability of the entire platform.​
2023-10-04​
8.8
CVE-2023-3701
MISC
asyncua -- asyncua​
Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. Note: This issue is a result of missing checks for services that require an active session.​
2023-10-03​
7.5
CVE-2023-26150
MISC
MISC
MISC
MISC
MISC
MISC
MISC
asyncua -- asyncua​
Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.​
2023-10-03​
7.5
CVE-2023-26151
MISC
MISC
MISC
MISC
MISC
MISC
baramundi_software_gmbh -- enterprise_mobility_management_agent​
Buffer Overflow vulnerability in baramundi software GmbH EMM Agent 23.1.50 and before allows an attacker to cause a denial of service via a crafted request to the password parameter.​
2023-10-02​
7.8
CVE-2023-37605
MISC
bydemes -- airspace_cctv_web_service​
The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access.​
2023-10-03​
8.8
CVE-2023-0506
MISC
MISC
cambium_networks -- enterprise_wi-fi​
Cambium Enterprise Wi-Fi System Software before 6.4.2 does not sanitize the ping host argument in device-agent.​
2023-09-29​
9.8
CVE-2022-35908
CONFIRM
MISC
candlepin -- candlepin​
An improper access control flaw was found in Candlepin. An attacker can create data scoped under another customer/tenant, which can result in loss of confidentiality and availability for the affected customer/tenant.​
2023-10-04​
8.1
CVE-2023-1832
MISC
MISC
caphyon -- advanced_installer​
A vulnerability classified as critical has been found in Caphyon Advanced Installer 19.7. This affects an unknown part of the component WinSxS DLL Handler. The manipulation leads to uncontrolled search path. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. Upgrading to version 19.7.1 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-240903.​
2023-09-30​
7.8
CVE-2022-4956
MISC
MISC
MISC
MISC
cashit -- cashit!​
cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37 are affected by an origin bypass via the host header in an HTTP request. This vulnerability can be triggered by an HTTP endpoint exposed to the network.​
2023-10-03​
9.8
CVE-2023-3654
MISC
cashit -- cashit!​
cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37 are affected by an unauthenticated remote code execution vulnerability. This vulnerability can be triggered by an HTTP endpoint exposed to the network.​
2023-10-03​
9.8
CVE-2023-3656
MISC
cashit -- cashit!​
cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37 are affected by dangerous methods that allow leaking the database (system settings, user accounts, ...). This vulnerability can be triggered by an HTTP endpoint exposed to the network.
2023-10-03​
7.5
CVE-2023-3655
MISC
cato_networks -- cato_client​
An issue in CatoNetworks CatoClient before v.5.4.0 allows attackers to escalate privileges by winning a race condition (TOCTOU) via the PrivilegedHelperTool component.
2023-10-03​
8.1
CVE-2023-43976
MISC
MISC
cisco -- emergency_responder​
A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.​
2023-10-04​
9.8
CVE-2023-20101
MISC
composer -- composer​
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has register_argc_argv enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.​
2023-09-29​
8.8
CVE-2023-43655
MISC
MISC
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the CurrentPassword parameter in the CheckPasswdSettings function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44828
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the AdminPassword parameter in the SetDeviceSettings function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44829
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the EndTime parameter in the SetParentsControlInfo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44830
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the Type parameter in the SetWLanRadioSettings function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44831
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the MacAddress parameter in the SetWanSettings function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44832
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the GuardInt parameter in the SetWLanRadioSettings function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44833
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the StartTime parameter in the SetParentsControlInfo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44834
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the Mac parameter in the SetParentsControlInfo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44835
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the SSID parameter in the SetWLanRadioSettings function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44836
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the Password parameter in the SetWanSettings function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44837
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the TXPower parameter in the SetWLanRadioSettings function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44838
MISC
MISC
d-link -- dir-823g_firmware​
D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer overflow via the Encryption parameter in the SetWLanRadioSecurity function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.​
2023-10-05​
7.5
CVE-2023-44839
MISC
MISC
d-link -- dir-846_firmware​
An issue in D-Link Wireless MU-MIMO Gigabit AC1200 Router DIR-846 firmware version 100A53DBR-Retail allows a remote attacker to execute arbitrary code.​
2023-10-05​
8.8
CVE-2023-43284
MISC
MISC
dedecms -- dedecms​
A vulnerability classified as critical was found in DedeCMS 5.7.111. This vulnerability affects the function AddMyAddon of the file album_add.php. The manipulation of the argument albumUploadFiles leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-240940.​
2023-09-30​
8.8
CVE-2023-5301
MISC
MISC
MISC
dell -- common_event_enabler​
Dell Common Event Enabler 8.9.8.2 for Windows and prior, contain an improper access control vulnerability. A local low-privileged malicious user may potentially exploit this vulnerability to gain elevated privileges.​
2023-09-29​
7.8
CVE-2023-32477
MISC
dell -- smartfabric_storage_software​
Dell SmartFabric Storage Software version 1.3 and lower contain an improper input validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability and escalate privileges up to the highest administration level. This is a critical severity vulnerability affecting user authentication. Dell recommends customers to upgrade at the earliest opportunity.​
2023-10-05​
9.8
CVE-2023-32485
MISC
dell -- smartfabric_storage_software​
Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the restricted shell in SSH. An authenticated remote attacker could potentially exploit this vulnerability, leading to the execution of arbitrary commands.
2023-10-05​
8.8
CVE-2023-43068
MISC
dell -- smartfabric_storage_software​
Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the CLI use of the 'more' command. A local or remote authenticated attacker could potentially exploit this vulnerability, leading to the ability to gain root-level access.​
2023-10-05​
8.8
CVE-2023-4401
MISC
dell -- smartfabric_storage_software​
Dell SmartFabric Storage Software v1.4 (and earlier) contain(s) an OS Command Injection Vulnerability in the CLI. An authenticated local attacker could potentially exploit this vulnerability, leading to possible injection of parameters to curl or docker.​
2023-10-05​
7.8
CVE-2023-43069
MISC
dell -- smartfabric_storage_software​
Dell SmartFabric Storage Software v1.4 (and earlier) contains an improper access control vulnerability in the CLI. A local, possibly unauthenticated attacker could potentially exploit this vulnerability, leading to the ability to execute arbitrary shell commands.
2023-10-05​
7.8
CVE-2023-43072
MISC
deyue_remote_vehicle_management_system -- deyue_remote_vehicle_management_system​
Deyue Remote Vehicle Management System v1.1 was discovered to contain a deserialization vulnerability.​
2023-10-02​
8.8
CVE-2023-43268
MISC
MISC
MISC
dts -- monitoring​
An issue was discovered in DTS Monitoring 3.57.0. The parameter port within the SSL Certificate check function is vulnerable to OS command injection (blind).​
2023-10-03​
9.8
CVE-2023-33268
MISC
dts -- monitoring​
An issue was discovered in DTS Monitoring 3.57.0. The parameter options within the WGET check function is vulnerable to OS command injection (blind).​
2023-10-03​
9.8
CVE-2023-33269
MISC
dts -- monitoring​
An issue was discovered in DTS Monitoring 3.57.0. The parameter url within the Curl check function is vulnerable to OS command injection (blind).​
2023-10-03​
9.8
CVE-2023-33270
MISC
dts -- monitoring​
An issue was discovered in DTS Monitoring 3.57.0. The parameter common_name within the SSL Certificate check function is vulnerable to OS command injection (blind).​
2023-10-03​
9.8
CVE-2023-33271
MISC
dts -- monitoring​
An issue was discovered in DTS Monitoring 3.57.0. The parameter ip within the Ping check function is vulnerable to OS command injection (blind).​
2023-10-03​
9.8
CVE-2023-33272
MISC
dts -- monitoring​
An issue was discovered in DTS Monitoring 3.57.0. The parameter url within the WGET check function is vulnerable to OS command injection (blind).​
2023-10-03​
9.8
CVE-2023-33273
MISC
eclipse -- mosquitto​
In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.​
2023-10-02​
7.5
CVE-2023-3592
MISC
ecshop -- ecshop​
A vulnerability has been found in ECshop 4.1.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/order.php. The manipulation of the argument goods_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240925 was assigned to this vulnerability.​
2023-09-29​
8.8
CVE-2023-5294
MISC
MISC
MISC
efs_software -- easy_address_book_web_server​
Buffer overflow vulnerability in Easy Address Book Web Server 1.6 version. The exploitation of this vulnerability could allow an attacker to send a very long username string to /searchbook.ghp, asking for the name via a POST request, resulting in arbitrary code execution on the remote machine.​
2023-10-04​
9.8
CVE-2023-4491
MISC
efs_software -- easy_chat_server​
Stack-based buffer overflow vulnerability in Easy Chat Server 3.1 version. An attacker could send an excessively long username string to the register.ghp file asking for the name via a GET request resulting in arbitrary code execution on the remote machine.​
2023-10-04​
9.8
CVE-2023-4494
MISC
emlog -- emlog​
An arbitrary file upload vulnerability in the component /content/templates/ of Emlog Pro v2.2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.​
2023-10-03​
9.8
CVE-2023-44973
MISC
emlog -- emlog​
An arbitrary file upload vulnerability in the component /admin/plugin.php of Emlog Pro v2.2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.​
2023-10-03​
9.8
CVE-2023-44974
MISC
field_logic -- datacube4_firmware​
A vulnerability classified as problematic was found in Field Logic DataCube4 up to 20231001. This vulnerability affects unknown code of the file /api/ of the component Web API. The manipulation leads to improper authentication. The exploit has been disclosed to the public and may be used. VDB-241030 is the identifier assigned to this vulnerability.​
2023-10-02​
7.5
CVE-2023-5329
MISC
MISC
MISC
free5gc -- free5gc​
Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different actions on the platform as an administrator, simply by changing the token value to "admin". It is also possible to perform POST, GET and DELETE requests without any token value. Therefore, an unprivileged remote user is able to create, delete and modify users within the application.
2023-10-02​
9.8
CVE-2023-4659
MISC
furuno_systems -- acera_1210_firmware​
Cross-site request forgery (CSRF) vulnerability exists in FURUNO SYSTEMS wireless LAN access point devices. If a user views a malicious page while logged in, unintended operations may be performed. Affected products and versions are as follows: ACERA 1210 firmware ver.02.36 and earlier, ACERA 1150i firmware ver.01.35 and earlier, ACERA 1150w firmware ver.01.35 and earlier, ACERA 1110 firmware ver.01.76 and earlier, ACERA 1020 firmware ver.01.86 and earlier, ACERA 1010 firmware ver.01.86 and earlier, ACERA 950 firmware ver.01.60 and earlier, ACERA 850F firmware ver.01.60 and earlier, ACERA 900 firmware ver.02.54 and earlier, ACERA 850M firmware ver.02.06 and earlier, ACERA 810 firmware ver.03.74 and earlier, and ACERA 800ST firmware ver.07.35 and earlier. They are affected when running in ST(Standalone) mode.​
2023-10-03​
8.8
CVE-2023-41086
MISC
MISC
furuno_systems -- acera_1310_firmware​
OS command injection vulnerability in FURUNO SYSTEMS wireless LAN access point devices allow an authenticated user to execute an arbitrary OS command that is not intended to be executed from the web interface by sending a specially crafted request. Affected products and versions are as follows: ACERA 1320 firmware ver.01.26 and earlier, ACERA 1310 firmware ver.01.26 and earlier, ACERA 1210 firmware ver.02.36 and earlier, ACERA 1150i firmware ver.01.35 and earlier, ACERA 1150w firmware ver.01.35 and earlier, ACERA 1110 firmware ver.01.76 and earlier, ACERA 1020 firmware ver.01.86 and earlier, ACERA 1010 firmware ver.01.86 and earlier, ACERA 950 firmware ver.01.60 and earlier, ACERA 850F firmware ver.01.60 and earlier, ACERA 900 firmware ver.02.54 and earlier, ACERA 850M firmware ver.02.06 and earlier, ACERA 810 firmware ver.03.74 and earlier, and ACERA 800ST firmware ver.07.35 and earlier. They are affected when running in ST(Standalone) mode.​
2023-10-03​
8.8
CVE-2023-39222
MISC
MISC
furuno_systems -- acera_1310_firmware​
Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode.​
2023-10-03​
8.8
CVE-2023-42771
MISC
MISC
gitlab -- gitlab​
A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.​
2023-09-30​
8.8
CVE-2023-5207
MISC
MISC
MISC
gitlab -- gitlab​
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.​
2023-09-29​
7.5
CVE-2023-3413
MISC
MISC
gitlab -- gitlab​
Denial of Service in pipelines affecting all versions of GitLab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to cause pipelines to fail.
2023-09-29​
7.5
CVE-2023-3917
MISC
MISC
gitlab -- gitlab​
An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.​
2023-10-02​
7.5
CVE-2023-5106
MISC
gitlab -- gitlab​
An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.​
2023-09-29​
7.1
CVE-2023-3922
MISC
MISC
gnu -- glibc​
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.​
2023-10-03​
7.8
CVE-2023-4911
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
google -- chrome​
Type confusion in V8 in Google Chrome prior to 117.0.5938.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)​
2023-10-05​
8.8
CVE-2023-5346
MISC
MISC
MISC
gpac -- gpac​
Out-of-bounds Read in GitHub repository gpac/gpac prior to v2.2.2-DEV.​
2023-10-04​
7.1
CVE-2023-5377
MISC
MISC
hashicorp -- vault​
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.​
2023-09-29​
7.5
CVE-2023-5077
MISC
helpdezk -- helpdezk​
Improper authorization vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to access the platform without authentication and retrieve personal data via the jsonGrid parameter.​
2023-10-04​
8.6
CVE-2023-3037
MISC
helpdezk -- helpdezk​
SQL injection vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the rows parameter of the jsonGrid route and extract all the information stored in the application.​
2023-10-04​
7.5
CVE-2023-3038
MISC
hitachi -- ops_center_common_services​
Allocation of Resources Without Limits or Throttling vulnerability in Hitachi Ops Center Common Services on Linux allows DoS. This issue affects Hitachi Ops Center Common Services: before 10.9.3-00.
2023-10-03​
7.5
CVE-2023-3967
MISC
hospital_management_system -- hospital_management_system​
Hospital Management System thru commit 4770d was discovered to contain a SQL injection vulnerability via the app_contact parameter in appsearch.php.​
2023-09-29​
9.1
CVE-2023-43909
MISC
ibermatica -- ibermatica_rps​
Information exposure vulnerability in IBERMATICA RPS 2019, whose exploitation could allow an unauthenticated user to retrieve sensitive information, such as usernames, IP addresses or SQL queries sent to the application. By accessing the URL /RPS2019Service/status.html, the application enables the logging mechanism by generating the log file, which can be downloaded.
2023-10-03​
7.5
CVE-2023-3349
MISC
ibermatica -- ibermatica_rps​
A Cryptographic Issue vulnerability has been found on IBERMATICA RPS, affecting version 2019. By first downloading the log file, an attacker could retrieve the SQL query sent to the application in plain text. This log file contains the password hashes coded with AES-CBC-128 bits algorithm, which can be decrypted with a .NET function, obtaining the username's password in plain text.
2023-10-03​
7.5
CVE-2023-3350
MISC
ibm -- disconnected_log_collector​
IBM Disconnected Log Collector 1.0 through 1.8.2 is vulnerable to potential security misconfigurations that could disclose unintended information. IBM X-Force ID: 224648.​
2023-10-04​
7.5
CVE-2022-22447
MISC
MISC
MISC
ibm -- observability_with_instana​
IBM Observability with Instana 1.0.243 through 1.0.254 could allow an attacker on the network to execute arbitrary code on the host after a successful DNS poisoning attack. IBM X-Force ID: 259789.​
2023-10-04​
9.8
CVE-2023-37404
MISC
MISC
icpdas -- et-7060_firmware​
This vulnerability allows an authenticated attacker to upload malicious files by bypassing the restrictions of the upload functionality, compromising the entire device.​
2023-10-03​
8.8
CVE-2023-4817
MISC
ingeteam -- ingepac_da3451_firmware​
Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services.​
2023-10-02​
7.5
CVE-2023-3768
MISC
ingeteam -- ingepac_fc5066_firmware​
Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services.​
2023-10-02​
7.5
CVE-2023-3769
MISC
jorani -- jorani​
An SQL Injection vulnerability has been found on Jorani version 1.0.0. This vulnerability allows an authenticated remote user, with low privileges, to send queries with malicious SQL code on the "/leaves/validate" path and the "id" parameter, managing to extract arbitrary information from the database.
2023-10-03​
8.8
CVE-2023-2681
MISC
libvpx -- libvpx​
VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.​
2023-09-30​
7.5
CVE-2023-44488
MISC
MISC
MISC
MISC
MLIST
MLIST
MISC
GENTOO
DEBIAN
linux -- kernel​
An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.​
2023-09-29​
8.8
CVE-2023-44466
MISC
MISC
MISC
MISC
linux -- kernel​
An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to executing them. This may allow an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code in the context of the kernel.​
2023-10-04​
8.2
CVE-2023-39191
MISC
MISC
MISC
linux -- kernel​
A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation. In case of an error in smb3_fs_context_parse_param, ctx->password was freed but the field was not set to NULL which could lead to double free. We recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705.​
2023-10-03​
7.8
CVE-2023-5345
MISC
MISC
MISC
MISC
MISC
mediatek,_inc. -- lr11​
In CDMA PPP protocol, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privilege needed. User interaction is not needed for exploitation. Patch ID: MOLY01068234; Issue ID: ALPS08010003.​
2023-10-02​
9.8
CVE-2023-20819
MISC
mediatek,_inc. -- multiple_products​
In wlan firmware, there is a possible firmware assertion due to improper input handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07932637; Issue ID: ALPS07932637.​
2023-10-02​
7.5
CVE-2023-32820
MISC
microweber -- microweber​
Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0.​
2023-09-30​
7.5
CVE-2023-5318
MISC
MISC
mojoportal -- mojoportal​
File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the File Manager function.​
2023-10-02​
9.8
CVE-2023-44008
MISC
mojoportal -- mojoportal​
File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the Skin Management function.​
2023-10-02​
9.8
CVE-2023-44009
MISC
MISC
mojoportal -- mojoportal​
An issue in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the layout.master skin file at the Skin management component.​
2023-10-02​
9.8
CVE-2023-44011
MISC
moxa -- nport_5150ai-m12-ct-t_firmware​
All firmware versions of the NPort 5000 Series are affected by an improper validation of integrity check vulnerability. This vulnerability results from insufficient checks on firmware updates or upgrades, potentially allowing malicious users to manipulate the firmware and gain control of devices.​
2023-10-03​
8.8
CVE-2023-4929
MISC
netis_systems -- n3m_firmware​
Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability in the Changing Username and Password function. This vulnerability is exploited via a crafted payload.​
2023-10-02​
9.8
CVE-2023-43891
MISC
netis_systems -- n3m_firmware​
Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability via the Hostname parameter within the WAN settings. This vulnerability is exploited via a crafted payload.​
2023-10-02​
9.8
CVE-2023-43892
MISC
netis_systems -- n3m_firmware​
Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability via the wakeup_mac parameter in the Wake-On-LAN (WoL) function. This vulnerability is exploited via a crafted payload.​
2023-10-02​
9.8
CVE-2023-43893
MISC
netis_systems -- n3m_firmware​
Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability in the diagnostic tools page. This vulnerability is exploited via a crafted HTTP request.​
2023-10-02​
8.8
CVE-2023-43890
MISC
nodebb_inc. -- nodebb​
Denial-of-service in NodeBB
2023-09-29
7.5
CVE-2023-30591
MISC
MISC
MISC
MISC

[TD]
nokia -- wavelite_metro_200_and_fan_firmware
If Security Hardening guide rules are not followed, then Nokia WaveLite products allow a local user to create new users with administrative privileges by manipulating a web request. This affects (for example) WaveLite Metro 200 and Fan, WaveLite Metro 200 OPS and Fans, WaveLite Metro 200 and F2B fans, WaveLite Metro 200 OPS and F2B fans, WaveLite Metro 200 NE and F2B fans, and WaveLite Metro 200 NE OPS and F2B fans.
2023-10-04
7.8
CVE-2023-22618
MISC
MISC
open5gs -- open5gs
DOS vulnerability that could allow an attacker to register a new VNF (Virtual Network Function) value. This action could trigger the args_assets() function defined in the arg-log.php file, which would then execute the args-abort.c file, causing the service to crash.
2023-10-03
7.5
CVE-2023-4882
MISC
open5gs -- open5gs
Invalid pointer release vulnerability. Exploitation of this vulnerability could allow an attacker to interrupt the correct operation of the service by sending a specially crafted json string to the VNF (Virtual Network Function) and triggering the ogs_sbi_message_free function, which could cause a service outage.
2023-10-03
7.5
CVE-2023-4883
MISC
open5gs -- open5gs
An attacker could send an HTTP request to an Open5GS endpoint and retrieve the information stored on the device due to the lack of Authentication.
2023-10-03
7.5
CVE-2023-4884
MISC
optipng -- optipng
OptiPNG v0.7.7 was discovered to contain a global buffer overflow via the 'buffer' variable at gifread.c.
2023-10-01
7.8
CVE-2023-43907
MISC
MISC
MISC
oracle -- apache_avro
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
2023-09-29
7.5
CVE-2023-39410
MISC
MISC
pandora_fms -- pandora_fms
A Cross-site Request Forgery (CSRF) vulnerability in Pandora FMS allows an attacker to force authenticated users to send a request to a web application they are currently authenticated against. This issue affects Pandora FMS version 767 and earlier versions on all platforms.
2023-10-03
7.1
CVE-2023-24518
MISC
personal_management_system -- personal_management_system
An arbitrary file upload vulnerability in Personal Management System v1.4.64 allows attackers to execute arbitrary code via uploading a crafted SVG file into a user profile's avatar.
2023-10-04
7.8
CVE-2023-43838
MISC
MISC
MISC
MISC
MISC
MISC
[TR]
[TD]
phpipam -- phpipam​
[/TD]
[TD]
Phpipam before v1.5.2 was discovered to contain a LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a crafted POST request.​
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-41580
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
phpmyfaq -- phpmyfaq​
[/TD]
[TD]
Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8.​
[/TD]
[TD]
2023-09-30​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5227
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
pjsip -- pjsip​
[/TD]
[TD]
PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, and Python languages. SRTP is a higher level media transport which is stacked upon a lower level media transport such as UDP and ICE. Currently a higher level transport is not synchronized with its lower level transport that may introduce use-after-free issue. This vulnerability affects applications that have SRTP capability (PJMEDIA_HAS_SRTP is set) and use underlying media transport other than UDP. This vulnerability's impact may range from unexpected application termination to control flow hijack/memory corruption. The patch is available as a commit in the master branch.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-38703
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
prestashop -- prestashop​
[/TD]
[TD]
SQL injection vulnerability in KnowBand Module One Page Checkout, Social Login & Mailchimp (supercheckout) v.8.0.3 and before allows a remote attacker to execute arbitrary code via a crafted request to the updateCheckoutBehaviour function in the supercheckout.php component.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-44024
MISC[/TD]
[/TR]
[TR]
[TD]
prestashop -- prestashop​
[/TD]
[TD]
Improper neutralization of SQL parameter in Theme Volty CMS Payment Icon module for PrestaShop. In the module "Theme Volty CMS Payment Icon" (tvcmspaymenticon) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-39645
MISC[/TD]
[/TR]
[TR]
[TD]
prestashop -- prestashop​
[/TD]
[TD]
Improper neutralization of SQL parameter in Theme Volty CMS Category Chain Slider module for PrestaShop. In the module "Theme Volty CMS Category Chain Slide" (tvcmscategorychainslider) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-39646
MISC[/TD]
[/TR]
[TR]
[TD]
prestashop -- prestashop​
[/TD]
[TD]
Improper neutralization of SQL parameter in Theme Volty CMS Category Product module for PrestaShop. In the module "Theme Volty CMS Category Product" (tvcmscategoryproduct) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-39647
MISC[/TD]
[/TR]
[TR]
[TD]
prestashop -- prestashop​
[/TD]
[TD]
Improper neutralization of SQL parameter in Theme Volty CMS Testimonial module for PrestaShop. In the module "Theme Volty CMS Testimonial" (tvcmstestimonial) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-39648
MISC[/TD]
[/TR]
[TR]
[TD]
prestashop -- prestashop​
[/TD]
[TD]
Improper neutralization of SQL parameter in Theme Volty CMS Category Slider module for PrestaShop. In the module "Theme Volty CMS Category Slider" (tvcmscategoryslider) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-39649
MISC[/TD]
[/TR]
[TR]
[TD]
prestashop -- prestashop​
[/TD]
[TD]
Improper neutralization of SQL parameter in Theme Volty CMS BrandList module for PrestaShop. In the module "Theme Volty CMS BrandList" (tvcmsbrandlist) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-39651
MISC[/TD]
[/TR]
[TR]
[TD]
presto_changeo -- attribute_grid​
[/TD]
[TD]
Presto Changeo attributegrid up to 2.0.3 was discovered to contain a SQL injection vulnerability via the component disable_json.php.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-43983
MISC[/TD]
[/TR]
[TR]
[TD]
presto_changeo -- test_site_creator​
[/TD]
[TD]
Presto Changeo testsitecreator up to 1.1.1 was discovered to contain a deserialization vulnerability via the component delete_excluded_folder.php.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-43981
MISC[/TD]
[/TR]
[TR]
[TD]
presto_changeo -- testsitecreator​
[/TD]
[TD]
Presto Changeo testsitecreator up to v1.1.1 was discovered to contain a SQL injection vulnerability via the component disable_json.php.​
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-43980
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
pretix -- pretix​
[/TD]
[TD]
pretix before 2023.7.2 allows Pillow to parse EPS files.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-44464
MISC
MISC
MISC
MISC
CONFIRM[/TD]
[/TR]
[TR]
[TD]
prointegra -- uptime_dc​
[/TD]
[TD]
Improper authorisation of regular users in ProIntegra Uptime DC software (versions below 2.0.0.33940) allows them to change passwords of all other users including administrators leading to a privilege escalation.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-4997
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
puppet -- puppet_server​
[/TD]
[TD]
For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-5255
MISC[/TD]
[/TR]
[TR]
[TD]
pure_storage -- flasharray_purity​
[/TD]
[TD]
A flaw exists in VASA which allows users with access to a vSphere/ESXi VMware admin on a FlashArray to gain root access through privilege escalation.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-36628
MISC[/TD]
[/TR]
[TR]
[TD]
qsige -- qsige​
[/TD]
[TD]
The file upload functionality is not implemented correctly and allows uploading of any type of file. As a prerequisite, it is necessary for the attacker to log into the application with a valid username.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-4097
MISC[/TD]
[/TR]
[TR]
[TD]
qsige -- qsige​
[/TD]
[TD]
It has been identified that the web application does not correctly filter input parameters, allowing SQL injections, DoS or information disclosure. As a prerequisite, it is necessary to log into the application.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-4098
MISC[/TD]
[/TR]
[TR]
[TD]
qsige -- qsige​
[/TD]
[TD]
Allows an attacker to perform XSS attacks stored on certain resources. Exploiting this vulnerability can lead to a DoS condition, among other actions.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
8.2
[/TD]
[TD]CVE-2023-4100
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- 315_5g_iot_modem_firmware​
[/TD]
[TD]
Memory Corruption in Data Modem while making a MO call or MT VOLTE call.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-22385
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- 315_5g_iot_modem_firmware​
[/TD]
[TD]
Transient DOS in Modem while triggering a camping on a 5G cell.
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-24843
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- 315_5g_iot_modem_firmware​
[/TD]
[TD]
Transient DOS in Modem while allocating DSM items.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-24847
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- 315_5g_iot_modem_firmware​
[/TD]
[TD]
Information Disclosure in Data Modem while performing a VoLTE call with an undefined RTCP FB line value.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-24848
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- 315_5g_iot_modem_firmware​
[/TD]
[TD]
Information Disclosure in data Modem while parsing an FMTP line in an SDP message.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-24849
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- 315_5g_iot_modem_firmware​
[/TD]
[TD]
Cryptographic issue in Data Modem due to improper authentication during TLS handshake.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-28540
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- 315_5g_iot_modem_firmware​
[/TD]
[TD]
Transient DOS in WLAN Firmware while parsing rsn ies.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-33027
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- apq8017_firmware​
[/TD]
[TD]
Memory Corruption in HLOS while importing a cryptographic key into KeyMaster Trusted Application.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-24850
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- apq8064au_firmware​
[/TD]
[TD]
Weak configuration in Automotive while VM is processing a listener request from TEE.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
8.2
[/TD]
[TD]CVE-2023-22382
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- aqt1000_firmware​
[/TD]
[TD]
Improper Access to the VM resource manager can lead to Memory Corruption.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-21673
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- ar8035_firmware​
[/TD]
[TD]
Memory corruption in Modem while processing security related configuration before AS Security Exchange.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-24855
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- ar8035_firmware​
[/TD]
[TD]
Memory corruption in WLAN Firmware while doing a memory copy of pmk cache.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-33028
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- ar8035_firmware​
[/TD]
[TD]
Memory Corruption in Core while invoking a call to Access Control core library with hardware protected address range.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-24844
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- ar8035_firmware​
[/TD]
[TD]
Memory Corruption in HLOS while registering for key provisioning notify.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-24853
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- ar8035_firmware​
[/TD]
[TD]
Memory corruption in WLAN Host when the firmware invokes multiple WMI Service Available command.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-28539
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- ar8035_firmware​
[/TD]
[TD]
Memory corruption in DSP Service during a remote call from HLOS to DSP.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-33029
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- ar8035_firmware​
[/TD]
[TD]
Memory corruption while invoking callback function of AFE from ADSP.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-33035
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- ar8035_firmware​
[/TD]
[TD]
Transient DOS in WLAN Firmware while parsing a NAN management frame.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-33026
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- csra6620_firmware​
[/TD]
[TD]
Memory corruption while parsing the ADSP response command.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-33034
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- qam8295p_firmware​
[/TD]
[TD]
Memory corruption in Automotive Display while destroying the image handle created using connected display driver.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-33039
MISC[/TD]
[/TR]
[TR]
[TD]
qualcomm -- qca6574au_firmware​
[/TD]
[TD]
Memory Corruption in VR Service while sending data using Fast Message Queue (FMQ).​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-22384
MISC[/TD]
[/TR]
[TR]
[TD]
rdiffweb -- rdiffweb​
[/TD]
[TD]
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.4.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-5289
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
red_hat -- openshift​
[/TD]
[TD]
A flaw was found in Red Hat OpenShift Data Science. When exporting a pipeline from the Elyra notebook pipeline editor as Python DSL or YAML, it reads S3 credentials from the cluster (ds pipeline server) and saves them in plain text in the generated output instead of an ID for a Kubernetes secret.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-3361
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
riello-ups -- netman_204_firmware​
[/TD]
[TD]
All versions of NetMan 204 allow an attacker that knows the MAC and serial number of the device to reset the administrator password via the legitimate recovery function.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2022-47891
MISC[/TD]
[/TR]
[TR]
[TD]
riello-ups -- netman_204_firmware​
[/TD]
[TD]
All versions of NetMan 204 could allow an unauthenticated remote attacker to read a file (config.cgi) containing sensitive information, like credentials.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2022-47892
MISC[/TD]
[/TR]
[TR]
[TD]
riello_ups -- netman_204_firmware​
[/TD]
[TD]
There is a remote code execution vulnerability that affects all versions of NetMan 204. A remote attacker could upload a firmware file containing a webshell, that could allow him to execute arbitrary code as root.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2022-47893
MISC[/TD]
[/TR]
[TR]
[TD]
rockoa -- rockoa​
[/TD]
[TD]
A vulnerability was found in Xinhu RockOA 1.1/2.3.2/15.X3amdi and classified as problematic. Affected by this issue is some unknown functionality of the file api.php?m=reimplat&a=index of the component Password Handler. The manipulation leads to weak password recovery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-240926 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-5296
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
rockoa -- rockoa​
[/TD]
[TD]
A vulnerability was found in Xinhu RockOA 2.3.2. It has been classified as problematic. This affects the function start of the file task.php?m=sys|runt&a=beifen. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240927.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-5297
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sage -- sage_200_spain​
[/TD]
[TD]
Plaintext credential usage vulnerability in Sage 200 Spain 2023.38.001 version, the exploitation of which could allow a remote attacker to extract SQL database credentials from the DLL application. This vulnerability could be linked to known techniques to obtain remote execution of MS SQL commands and escalate privileges on Windows systems because the credentials are stored in plaintext.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-2809
MISC[/TD]
[/TR]
[TR]
[TD]
salesagility -- suitecrm​
[/TD]
[TD]
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.1
[/TD]
[TD]CVE-2023-5350
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
samsung -- android​
[/TD]
[TD]
Stack-based Buffer Overflow vulnerability in HDCP trustlet prior to SMR Oct-2023 Release 1 allows attacker to perform code execution.
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-30733
MISC[/TD]
[/TR]
[TR]
[TD]
samsung -- android​
[/TD]
[TD]
Improper input validation vulnerability in Evaluator prior to SMR Oct-2023 Release 1 allows local attackers to launch privileged activities.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-30692
MISC[/TD]
[/TR]
[TR]
[TD]
samsung -- android​
[/TD]
[TD]
Improper access control vulnerability in SecSettings prior to SMR Oct-2023 Release 1 allows attackers to enable Wi-Fi and connect arbitrary Wi-Fi without User Interaction.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-30727
MISC[/TD]
[/TR]
[TR]
[TD]
samsung -- galaxy_book_firmware​
[/TD]
[TD]
An improper input validation in UEFI Firmware prior to Firmware update Oct-2023 Release in Galaxy Book, Galaxy Book Pro, Galaxy Book Pro 360 and Galaxy Book Odyssey allows local attacker to execute SMM memory corruption.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-30738
MISC[/TD]
[/TR]
[TR]
[TD]
sato -- cl4nx-j_plus_firmware​
[/TD]
[TD]
A vulnerability was found in SATO CL4NX-J Plus 1.13.2-u455_r2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component WebConfig. The manipulation leads to improper authentication. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-241027.​
[/TD]
[TD]
2023-10-01​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-5326
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sato -- cl4nx-j_plus_firmware​
[/TD]
[TD]
A vulnerability classified as critical has been found in SATO CL4NX-J Plus 1.13.2-u455_r2. This affects an unknown part of the component Cookie Handler. The manipulation with the input auth=user,level1,settings; web=true leads to improper authentication. Access to the local network is required for this attack. The exploit has been disclosed to the public and may be used. The identifier VDB-241029 was assigned to this vulnerability.​
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-5328
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
setelsa_security -- conacwin​
[/TD]
[TD]
Relative path traversal vulnerability in Setelsa Security's ConacWin CB, in its 3.8.2.2 version and earlier, the exploitation of which could allow an attacker to perform an arbitrary download of files from the system via the "Download file" parameter.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-3512
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sick -- sim1012-0p0g200_firmware​
[/TD]
[TD]
A remote unauthorized attacker may connect to the SIM1012, interact with the device and change configuration settings. The adversary may also reset the SIM and in the worst case upload a new firmware version to the device.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5288
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
slims -- slims​
[/TD]
[TD]
Server-Side Request Forgery vulnerability in SLims version 9.6.0. This vulnerability could allow an authenticated attacker to send requests to internal services or upload the contents of relevant files via the "scrape_image.php" file in the imageURL parameter.​
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-3744
MISC[/TD]
[/TR]
[TR]
[TD]
soflyy -- oxygen_builder​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Soflyy Oxygen Builder plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2022-46841
MISC[/TD]
[/TR]
[TR]
[TD]
sonicwall -- net_extender​
[/TD]
[TD]
A local privilege escalation vulnerability in SonicWall Net Extender MSI client for Windows 10.2.336 and earlier versions allows a local low-privileged user to gain system privileges through running repair functionality.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-44217
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sonicwall -- net_extender​
[/TD]
[TD]
A flaw within the SonicWall NetExtender Pre-Logon feature enables an unauthorized user to gain access to the host Windows operating system with 'SYSTEM' level privileges, leading to a local privilege escalation (LPE) vulnerability.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-44218
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- best_courier_management_system​
[/TD]
[TD]
A vulnerability was found in SourceCodester Best Courier Management System 1.0. It has been classified as critical. Affected is an unknown function of the file parcel_list.php of the component GET Parameter Handler. The manipulation of the argument s leads to sql injection. The exploit has been disclosed to the public and may be used. VDB-240882 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-5269
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- best_courier_management_system​
[/TD]
[TD]
A vulnerability was found in SourceCodester Best Courier Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file view_parcel.php. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240883.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-5270
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- best_courier_management_system​
[/TD]
[TD]
A vulnerability was found in SourceCodester Best Courier Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file edit_parcel.php. The manipulation of the argument email leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-240884.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-5271
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- best_courier_management_system​
[/TD]
[TD]
A vulnerability classified as critical has been found in SourceCodester Best Courier Management System 1.0. This affects an unknown part of the file edit_parcel.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-240885 was assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-5272
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- engineers_online_portal​
[/TD]
[TD]
A vulnerability classified as critical was found in SourceCodester Engineers Online Portal 1.0. This vulnerability affects unknown code of the file downloadable_student.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The identifier of this vulnerability is VDB-240904.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5276
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- engineers_online_portal​
[/TD]
[TD]
A vulnerability, which was classified as critical, has been found in SourceCodester Engineers Online Portal 1.0. This issue affects some unknown processing of the file student_avatar.php. The manipulation of the argument change leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240905 was assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5277
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- engineers_online_portal​
[/TD]
[TD]
A vulnerability, which was classified as critical, was found in SourceCodester Engineers Online Portal 1.0. Affected is an unknown function of the file login.php. The manipulation of the argument username/password leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-240906 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5278
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- engineers_online_portal​
[/TD]
[TD]
A vulnerability has been found in SourceCodester Engineers Online Portal 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file my_classmates.php. The manipulation of the argument teacher_class_student_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240907.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5279
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- engineers_online_portal​
[/TD]
[TD]
A vulnerability was found in SourceCodester Engineers Online Portal 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file my_students.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-240908.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5280
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- engineers_online_portal​
[/TD]
[TD]
A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been classified as critical. This affects an unknown part of the file remove_inbox_message.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240909 was assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5281
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- engineers_online_portal​
[/TD]
[TD]
A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been declared as critical. This vulnerability affects unknown code of the file seed_message_student.php. The manipulation of the argument teacher_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-240910 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5282
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- engineers_online_portal​
[/TD]
[TD]
A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as critical. This issue affects some unknown processing of the file teacher_signup.php. The manipulation of the argument firstname/lastname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240911.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-5283
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- engineers_online_portal​
[/TD]
[TD]
A vulnerability classified as critical has been found in SourceCodester Engineers Online Portal 1.0. Affected is an unknown function of the file upload_save_student.php. The manipulation of the argument uploaded_file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-240912.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-5284
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- online_computer_and_laptop_store​
[/TD]
[TD]
A vulnerability classified as critical has been found in SourceCodester Online Computer and Laptop Store 1.0. Affected is the function register of the file Master.php. The manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-241254 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5373
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- online_computer_and_laptop_store​
[/TD]
[TD]
A vulnerability classified as critical was found in SourceCodester Online Computer and Laptop Store 1.0. Affected by this vulnerability is an unknown functionality of the file products.php. The manipulation of the argument c leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-241255.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5374
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- simple_membership_system​
[/TD]
[TD]
A vulnerability, which was classified as critical, has been found in SourceCodester Simple Membership System 1.0. This issue affects some unknown processing of the file group_validator.php. The manipulation of the argument club_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240869 was assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5260
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
static-server -- static-server​
[/TD]
[TD]
All versions of the package static-server are vulnerable to Directory Traversal due to improper input sanitization passed via the validPath function of server.js.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-26152
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
super_store_finder -- super_store_finder​
[/TD]
[TD]
Super Store Finder 3.7 and below is vulnerable to authenticated Arbitrary PHP Code Injection that could lead to Remote Code Execution when settings overwrite config.inc.php content.​
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-43835
MISC[/TD]
[/TR]
[TR]
[TD]
tcman -- gim​
[/TD]
[TD]
TCMAN GIM v8.0.1 is vulnerable to a SQL injection via the 'SqlWhere' parameter inside the function 'BuscarESM'. The exploitation of this vulnerability might allow a remote attacker to directly interact with the database.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2022-36276
MISC[/TD]
[/TR]
[TR]
[TD]
tenda -- ac6_firmware​
[/TD]
[TD]
Tenda AC6 v15.03.05.19 is vulnerable to Buffer Overflow as the Index parameter does not verify the length.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-40830
MISC[/TD]
[/TR]
[TR]
[TD]
tibco_software_inc. -- nimbus​
[/TD]
[TD]
The Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Nimbus: versions 10.6.0 and below.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9
[/TD]
[TD]CVE-2023-26218
MISC[/TD]
[/TR]
[TR]
[TD]
tongda -- tongda_oa​
[/TD]
[TD]
A vulnerability, which was classified as critical, was found in Tongda OA 2017. Affected is an unknown function of the file general/hr/manage/staff_title_evaluation/delete.php. The manipulation of the argument EVALUATION_ID leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. VDB-240870 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5261
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
tongda -- tongda_oa​
[/TD]
[TD]
A vulnerability, which was classified as critical, has been found in Tongda OA 2017. Affected by this issue is some unknown functionality of the file general/hr/manage/staff_transfer/delete.php. The manipulation of the argument TRANSFER_ID leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. VDB-240878 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5265
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
tongda -- tongda_oa​
[/TD]
[TD]
A vulnerability has been found in Tongda OA 2017 and classified as critical. This vulnerability affects unknown code of the file general/hr/recruit/hr_pool/delete.php. The manipulation of the argument EXPERT_ID leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-240880.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5267
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
tongda -- tongda_oa​
[/TD]
[TD]
A vulnerability classified as critical was found in Tongda OA 2017. Affected by this vulnerability is an unknown functionality of the file general/hr/recruit/recruitment/delete.php. The manipulation of the argument RECRUITMENT_ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-240913 was assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-5285
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
tongda -- tongda_oa​
[/TD]
[TD]
A vulnerability was found in Tongda OA 2017. It has been rated as critical. Affected by this issue is some unknown functionality of the file general/hr/recruit/requirements/delete.php. The manipulation of the argument REQUIREMENTS_ID leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. VDB-240938 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-09-30​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-5298
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
ttsplanning -- ttsplanning​
[/TD]
[TD]
A vulnerability classified as critical has been found in TTSPlanning up to 20230925. This affects an unknown part. The manipulation of the argument uid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240939.​
[/TD]
[TD]
2023-09-30​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-5300
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
turna -- advertising_administration_panel
[/TD]
[TD]
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Turna Advertising Administration Panel allows SQL Injection. This issue affects Advertising Administration Panel: before 1.1.
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-4530
MISC[/TD]
[/TR]
[TR]
[TD]
unify -- session_border_controller​
[/TD]
[TD]
Atos Unify OpenScape Session Border Controller through V10 R3.01.03 allows execution of administrative scripts by unauthenticated users.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2023-36619
CONFIRM
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
unify -- session_border_controller​
[/TD]
[TD]
Atos Unify OpenScape Session Border Controller through V10 R3.01.03 allows execution of OS commands as root user by low-privileged authenticated users.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-36618
CONFIRM
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
vim -- vim​
[/TD]
[TD]
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.​
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
7.5
[/TD]
[TD]CVE-2023-5344
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
A vulnerability was found in Most Popular Posts Widget Plugin up to 0.8 on WordPress. It has been classified as critical. Affected is the function add_views/show_views of the file functions.php. The manipulation leads to sql injection. It is possible to launch the attack remotely. Upgrading to version 0.9 is able to address this issue. The patch is identified as a99667d11ac8d320006909387b100e9a8b5c12e1. It is recommended to upgrade the affected component. VDB-241026 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
9.8
[/TD]
[TD]CVE-2015-10124
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Chetan Gole WP-CopyProtect [Protect your blog posts] plugin
[/TD]
[TD]
2023-10-04
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-25025
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Gopi Ramasamy WP tell a friend popup form plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-25463
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Jeff Sherk Update Theme and Plugins from Zip File plugin
[/TD]
[TD]
2023-10-04
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-25489
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Saphali Saphali Woocommerce Lite plugin
[/TD]
[TD]
2023-10-04
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-25788
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in CAGE Web Design | Rolf van Gelder Optimize Database after Deleting Revisions plugin
[/TD]
[TD]
2023-10-04
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-25980
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in YAS Global Team Make Paths Relative plugin
[/TD]
[TD]
2023-10-04
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-27433
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Sami Ahmed Siddiqui HTTP Auth plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-27435
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Trustindex.Io WP Testimonials plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-2830
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Gangesh Matta Simple Org Chart plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-28791
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Fugu Maintenance Switch plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-29235
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in POEditor plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-32091
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in OptiMonk OptiMonk: Popups, Personalization & A/B Testing plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-37891
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Mike Perelink Pro plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-37990
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Monchito.Net WP Emoji One plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-37991
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-37992
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Chetan Gole WP-CopyProtect [Protect your blog posts] plugin
[/TD]
[TD]
2023-10-04
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-37995
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in GTmetrix GTmetrix for WordPress plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-37996
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Saas Disabler plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-37998
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Cyle Conoly WP-FlyBox plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-38381
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Anshul Labs Mobile Address Bar Changer plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-38390
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Alain Gonzalez plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-38396
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Taboola plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-38398
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign-up Sheets plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-39165
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery Team Photo Gallery by Ays - Responsive Image Gallery plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-39917
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme The Post Grid plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-39923
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in 99robots Header Footer Code Manager plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-39989
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in CRUDLab WP Like Button plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-40199
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in FuturioWP Futurio Extra plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-40201
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Hannes Etzelstorfer // codemiq WP HTML Mail plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-40202
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Sean Barton (Tortoise IT) SB Child List plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-40210
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in eMarket Design YouTube Video Gallery by YouTube Showcase plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-40558
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Dynamic Pricing and Discount Rules for WooCommerce plugin
[/TD]
[TD]
2023-10-04
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-40559
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Enhanced Ecommerce Google Analytics for WooCommerce plugin
[/TD]
[TD]
2023-10-04
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-40561
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in CLUEVO CLUEVO LMS, E-Learning Platform plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-40607
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Buildfail Localize Remote Images plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-41244
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in edward_plainview MyCryptoCheckout plugin
[/TD]
[TD]
2023-10-03
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-41693
MISC[/TD]
[/TR]
[TR]
[TD]
xiph -- vorbis-tools​
[/TD]
[TD]
Buffer Overflow vulnerability in Vorbis-tools v.1.4.2 allows a local attacker to execute arbitrary code and cause a denial of service during the conversion of wav files to ogg files.​
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
7.8
[/TD]
[TD]CVE-2023-43361
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
zzzcms -- zzzcms​
[/TD]
[TD]
A vulnerability was found in ZZZCMS 2.1.7 and classified as critical. Affected by this issue is the function restore of the file /admin/save.php of the component Database Backup File Handler. The manipulation leads to permission issues. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-240872.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
8.8
[/TD]
[TD]CVE-2023-5263
MISC
MISC
MISC[/TD]
[/TR]​



Medium Vulnerabilities​

Primary Vendor -- Product
Description
Published
CVSS Score
Source & Patch Info
acilia -- widestand​
Cross-site Scripting (XSS) reflected vulnerability on WideStand until 5.3.5 version, which generates one of the meta tags directly using the content of the queried URL, which would allow an attacker to inject HTML/Javascript code into the response.​
2023-10-04​
6.1
CVE-2023-4090
MISC
acronis -- agent​
Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 29258.​
2023-10-04​
5.5
CVE-2023-44210
MISC
MISC
animal-art-lab -- animal-art-lab​
An issue in animal-art-lab v13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.​
2023-10-02​
5.4
CVE-2023-43297
MISC
arm -- 5th_gen_gpu_architecture_kernel_driver​
A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.​
2023-10-01​
5.5
CVE-2023-4211
MISC
arm -- mali_gpu_kernel_driver​
A local non-privileged user can make improper GPU processing operations to exploit a software race condition. If the system's memory is carefully prepared by the user, then this in turn could give them access to already freed memory.​
2023-10-03​
4.7
CVE-2023-33200
MISC
arm -- valhall_gpu_kernel_driver​
A local non-privileged user can make improper GPU processing operations to access a limited amount outside of buffer bounds or to exploit a software race condition. If the system's memory is carefully prepared by the user, then this in turn could give them access to already freed memory.
2023-10-03​
4.7
CVE-2023-34970
MISC
broadpeak -- centralized_accounts_management_auth_agent​
A cross-site scripting (XSS) vulnerability in the bpk-common/auth/login/index.html login portal in Broadpeak Centralized Accounts Management Auth Agent 01.01.00.19219575_ee9195b0, 01.01.01.30097902_fd999e76, and 00.12.01.9565588_1254b459 allows remote attackers to inject arbitrary web script or HTML via the disconnectMessage parameter.​
2023-10-03​
6.1
CVE-2023-40519
MISC
buddyboss -- buddyboss​
Authorization bypass vulnerability in BuddyBoss 2.2.9 version, the exploitation of which could allow an authenticated user to access and rename other users' albums. This vulnerability can be exploited by changing the album identification (id).​
2023-10-03​
5.4
CVE-2023-32669
MISC
buddyboss -- buddyboss​
Cross-Site Scripting vulnerability in BuddyBoss 2.2.9 version, which could allow a local attacker with basic privileges to execute a malicious payload through the "[name]=image.jpg" parameter, allowing them to assign a persistent JavaScript payload that would be triggered when the associated image is loaded.
2023-10-03​
5.4
CVE-2023-32670
MISC
capensis -- canopsis​
This vulnerability could allow an attacker to store a malicious JavaScript payload in the login footer and login page description parameters within the administration panel.​
2023-10-03​
4.8
CVE-2023-3196
MISC
capensis -- canopsis​
This vulnerability could allow an attacker to store a malicious JavaScript payload in the broadcast message parameter within the admin panel.​
2023-10-03​
4.8
CVE-2023-4564
MISC
concrete_cms -- concrete_cms​
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.​
2023-10-06​
5.4
CVE-2023-44761
MISC
concrete_cms -- concrete_cms​
A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags.​
2023-10-06​
5.4
CVE-2023-44762
MISC
concrete_cms -- concrete_cms​
A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SITE parameter from installation or in the Settings.​
2023-10-06​
5.4
CVE-2023-44764
MISC
concrete_cms -- concrete_cms​
A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.​
2023-10-06​
5.4
CVE-2023-44765
MISC
concrete_cms -- concrete_cms​
A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings.​
2023-10-06​
5.4
CVE-2023-44766
MISC
dell -- smartfabric_storage_software​
Dell SmartFabric Storage Software v1.4 (and earlier) contains a Path Traversal Vulnerability in the HTTP interface. A remote authenticated attacker could potentially exploit this vulnerability to modify or write arbitrary files to arbitrary locations in the license container.
2023-10-05​
6.5
CVE-2023-43070
MISC
dell -- smartfabric_storage_software​
Dell SmartFabric Storage Software v1.4 (and earlier) contains an Improper Input Validation vulnerability in RADIUS configuration. An authenticated remote attacker could potentially exploit this vulnerability, leading to gaining unauthorized access to data.​
2023-10-05​
6.5
CVE-2023-43073
MISC
dell -- smartfabric_storage_software​
Dell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CVS formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection type attacks.​
2023-10-05​
5.4
CVE-2023-43071
MISC
dolibarr -- dolibarr​
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.​
2023-10-01​
6.1
CVE-2023-5323
MISC
MISC
easy_address_book_web_server -- easy_address_book_web_server​
Vulnerability in Easy Address Book Web Server 1.6 version, affecting the parameters (firstname, homephone, lastname, middlename, workaddress, workcity, workcountry, workphone, workstate and workzip) of the /addrbook.ghp file, allowing an attacker to inject a JavaScript payload specially designed to run when the application is loaded.​
2023-10-04​
6.1
CVE-2023-4492
MISC
easy_address_book_web_server -- easy_address_book_web_server​
Stored Cross-Site Scripting in Easy Address Book Web Server 1.6 version, through the users_admin.ghp file that affects multiple parameters such as (firstname, homephone, lastname, middlename, workaddress, workcity, workcountry, workphone, workstate, workzip). This vulnerability allows a remote attacker to store a malicious JavaScript payload in the application to be executed when the page is loaded, resulting in an integrity impact.
2023-10-04​
5.4
CVE-2023-4493
MISC
easy_chat_server -- easy_chat_server​
Easy Chat Server, in its 3.1 version and before, does not sufficiently encrypt user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability stored via /registresult.htm (POST method), in the Resume parameter. The XSS is loaded from /register.ghp.​
2023-10-04​
6.1
CVE-2023-4495
MISC
easy_chat_server -- easy_chat_server​
Easy Chat Server, in its 3.1 version and before, does not sufficiently encrypt user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability stored via /body2.ghp (POST method), in the mtowho parameter.​
2023-10-04​
6.1
CVE-2023-4496
MISC
easy_chat_server -- easy_chat_server​
Easy Chat Server, in its 3.1 version and before, does not sufficiently encrypt user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability stored via /registresult.htm (POST method), in the Icon parameter. The XSS is loaded from /users.ghp.​
2023-10-04​
6.1
CVE-2023-4497
MISC
eclipse -- mosquitto​
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.​
2023-10-02​
5.3
CVE-2023-0809
MISC
ecshop -- ecshop​
A vulnerability, which was classified as critical, was found in ECshop 4.1.5. Affected is an unknown function of the file /admin/leancloud.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-240924.​
2023-09-29​
6.5
CVE-2023-5293
MISC
MISC
MISC
eeroos -- eeroos​
A vulnerability has been found in eeroOS up to 6.16.4-11 and classified as critical. This vulnerability affects unknown code of the component Ethernet Interface. The manipulation leads to denial of service. The attack needs to be approached within the local network. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-241024.​
2023-10-01​
6.5
CVE-2023-5324
MISC
MISC
MISC
emlog -- emlog​
A cross-site scripting (XSS) vulnerability in the publish article function of emlog pro v2.1.14 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title field.​
2023-10-02​
5.4
CVE-2023-43267
MISC
MISC
foreman -- foreman​
A sensitive information exposure vulnerability was found in foreman. Contents of tomcat's server.xml file, which contain passwords to candlepin's keystore and truststore, were found to be world readable.​
2023-10-03​
4.4
CVE-2023-4886
MISC
MISC
foru_cms -- foru_cms​
A vulnerability classified as problematic was found in ForU CMS. This vulnerability affects unknown code of the file /admin/cms_admin.php. The manipulation of the argument del leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The identifier of this vulnerability is VDB-240868.
2023-09-29​
4.9
CVE-2023-5259
MISC
MISC
MISC
freebsd -- freebsd​
On an msdosfs filesystem, the 'truncate' or 'ftruncate' system calls under certain circumstances populate the additional space in the file with unallocated data from the underlying disk device, rather than zero bytes. This may permit a user with write access to files on a msdosfs filesystem to read unintended data (e.g. from a previously deleted file).​
2023-10-04​
6.5
CVE-2023-5368
MISC
furuno_systems -- acera_1210_firmware​
Cross-site scripting vulnerability in FURUNO SYSTEMS wireless LAN access point devices allows an authenticated user to inject an arbitrary script via a crafted configuration. Affected products and versions are as follows: ACERA 1210 firmware ver.02.36 and earlier, ACERA 1150i firmware ver.01.35 and earlier, ACERA 1150w firmware ver.01.35 and earlier, ACERA 1110 firmware ver.01.76 and earlier, ACERA 1020 firmware ver.01.86 and earlier, ACERA 1010 firmware ver.01.86 and earlier, ACERA 950 firmware ver.01.60 and earlier, ACERA 850F firmware ver.01.60 and earlier, ACERA 900 firmware ver.02.54 and earlier, ACERA 850M firmware ver.02.06 and earlier, ACERA 810 firmware ver.03.74 and earlier, and ACERA 800ST firmware ver.07.35 and earlier. They are affected when running in ST(Standalone) mode.​
2023-10-03​
5.4
CVE-2023-39429
MISC
MISC
furuno_systems -- acera_1310_firmware​
Path traversal vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent authenticated attacker to alter critical information such as system files by sending a specially crafted request. They are affected when running in ST(Standalone) mode.​
2023-10-03​
5.7
CVE-2023-43627
MISC
MISC
gitlab -- gitlab​
An information disclosure issue in GitLab CE/EE affecting all versions starting from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration.​
2023-09-29​
5.7
CVE-2023-0989
MISC
MISC
gitlab -- gitlab​
A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects.​
2023-09-29​
5.3
CVE-2023-3914
MISC
MISC
gitlab -- gitlab​
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects.​
2023-09-29​
4.3
CVE-2023-2233
MISC
MISC
gitlab -- gitlab​
An issue has been discovered in GitLab EE affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories.
2023-09-29​
4.3
CVE-2023-3115
MISC
MISC
gitlab -- gitlab​
An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible for a maintainer to create a fork relationship between existing projects contrary to the documentation.
2023-09-29​
4.3
CVE-2023-3920
MISC
MISC
gitlab -- gitlab​
An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible for upstream members who collaborate with you on your branch to get permission to write to the merge request's source branch.
2023-09-29​
4.3
CVE-2023-3979
MISC
MISC
gitlab -- gitlab​
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of.​
2023-09-29​
4.3
CVE-2023-4532
MISC
MISC
gitlab -- gitlab​
An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys.​
2023-09-29​
4.3
CVE-2023-5198
MISC
MISC
google -- android​
In video, there is a possible out of bounds write due to a permissions bypass. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08013430; Issue ID: ALPS08013433.​
2023-10-02​
6.7
CVE-2023-32821
MISC
google -- android​
In ftm, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07994229; Issue ID: ALPS07994229.​
2023-10-02​
6.7
CVE-2023-32822
MISC
google -- android​
In rpmb, there is a possible memory corruption due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07912966; Issue ID: ALPS07912966.​
2023-10-02​
6.7
CVE-2023-32823
MISC
google -- android​
In rpmb, there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07912966; Issue ID: ALPS07912961.​
2023-10-02​
6.7
CVE-2023-32824
MISC
google -- android​
In camera middleware, there is a possible out of bounds write due to a missing input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07993539; Issue ID: ALPS07993544.​
2023-10-02​
6.7
CVE-2023-32826
MISC
google -- android​
In camera middleware, there is a possible out of bounds write due to a missing input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07993539; Issue ID: ALPS07993539.​
2023-10-02​
6.7
CVE-2023-32827
MISC
google -- android​
In TVAPI, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03802522; Issue ID: DTV03802522.​
2023-10-02​
6.7
CVE-2023-32830
MISC
google -- android​
In display, there is a possible information disclosure due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07993705; Issue ID: ALPS08014138.​
2023-10-02​
4.4
CVE-2023-32819
MISC
hashicorp -- vault​
A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in denial of service. Fixed in Vault Enterprise 1.15.0, 1.14.4, 1.13.8.​
2023-09-29​
4.9
CVE-2023-3775
MISC
hitachi -- ops_center_administrator​
Insertion of Sensitive Information into Log File vulnerability in Hitachi Ops Center Administrator on Linux allows local users to gain sensitive information. This issue affects Hitachi Ops Center Administrator: before 10.9.3-00.
2023-10-03​
5.5
CVE-2023-3335
MISC
ibm -- content_navigator​
IBM Content Navigator 3.0.11, 3.0.13, and 3.0.14 with IBM Daeja ViewOne Virtual is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 264019.​
2023-10-04​
5.4
CVE-2023-40684
MISC
MISC
ibm -- filenet_content_manager​
IBM FileNet Content Manager 5.5.8, 5.5.10, and 5.5.11 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 259384.​
2023-10-04​
5.4
CVE-2023-35905
MISC
MISC
ibm -- security_guardium​
IBM Security Guardium 11.5 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. IBM X-Force ID: 240897.​
2023-10-04​
5.3
CVE-2022-43906
MISC
MISC
ibm -- urbancode_deploy​
IBM UrbanCode Deploy (UCD) 7.1 - 7.1.2.12, 7.2 through 7.2.3.5, and 7.3 through 7.3.2.0 under certain configurations could allow an authenticated user to make changes to environment variables due to improper authentication controls. IBM X-Force ID: 263581.​
2023-10-04​
6.5
CVE-2023-40376
MISC
MISC
ingeteam -- ingepac_da3451_firmware​
Incorrect validation vulnerability of the data entered, allowing an attacker with access to the network on which the affected device is located to use the discovery port protocol (1925/UDP) to obtain device-specific information without the need for authentication.​
2023-10-02​
4.3
CVE-2023-3770
MISC
inure -- inure​
Missing Authorization in GitHub repository hamza417/inure prior to build94.​
2023-09-30​
5.5
CVE-2023-5321
MISC
MISC
jfrog -- artifactory​
JFrog Artifactory prior to version 7.66.0 is vulnerable to specific endpoint abuse with a specially crafted payload, which can lead to unauthenticated users being able to send emails with manipulated email body.​
2023-10-03​
6.5
CVE-2023-42508
MISC
jizhicms -- jizhicms​
There is a SQL injection vulnerability in the Jizhicms 2.4.9 backend, which users can use to obtain database information.
2023-10-02​
6.5
CVE-2023-43836
MISC
MISC
lemonldap -- lemonldap​
A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.​
2023-09-29​
4.3
CVE-2023-44469
MISC
MISC
MISC
MLIST
libhv -- libhv​
All versions of the package ithewei/libhv are vulnerable to Cross-site Scripting (XSS) such that when a file with a name containing a malicious payload is served by the application, the filename is displayed without proper sanitization when it is rendered.​
2023-09-29​
6.1
CVE-2023-26146
MISC
MISC
libhv -- libhv​
All versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. An attacker can add the \r\n (carriage return, line feed) characters to end the HTTP response headers and inject malicious content, for example additional headers or a new response body, leading to a potential XSS vulnerability.
2023-09-29​
6.1
CVE-2023-26147
MISC
MISC
libhv -- libhv​
All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.​
2023-09-29​
5.3
CVE-2023-26148
MISC
MISC
linux -- kernel​
A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement referencing pmd_t x.​
2023-10-03​
4.7
CVE-2023-4732
MISC
MISC
mattermost -- mattermost​
Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users.​
2023-09-29​
6.5
CVE-2023-5196
MISC
mattermost -- mattermost​
Mattermost fails to properly validate the permissions when soft deleting a team, allowing a team member to soft delete other teams that they are not part of.
2023-09-29​
5.4
CVE-2023-5195
MISC
mattermost -- mattermost​
Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint, allowing a member to get the full name of another user even if the Show Full Name option was disabled.
2023-10-02​
4.3
CVE-2023-5160
MISC
mattermost -- mattermost​
Mattermost fails to properly validate permissions when demoting and deactivating a user, allowing a system/user manager to demote or deactivate another manager.
2023-09-29​
4.3
CVE-2023-5194
MISC
mediatek,_inc. -- multiple_products
Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Banner Management For WooCommerce plugin
2023-10-03
6.5
CVE-2023-39158
MISC
mediatek,_inc. -- multiple_products
Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Fraud Prevention For Woocommerce plugin
2023-10-03
6.5
CVE-2023-39159
MISC
mediatek,_inc. -- multiple_products
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Pipes plugin
2023-10-03
6.5
CVE-2023-40009
MISC
mediatek,_inc. -- multiple_products
Cross-Site Request Forgery (CSRF) vulnerability in Antsanchez Easy Cookie Law plugin
2023-10-03
6.5
CVE-2023-40198
MISC
mediatek,_inc. -- multiple_products
Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Product Attachment for WooCommerce plugin
2023-10-03
6.5
CVE-2023-40212
MISC
mediatek,_inc. -- multiple_products
In vpu, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07767817; Issue ID: ALPS07767817.
2023-10-02
6.7
CVE-2023-32828
MISC
mediatek,_inc. -- multiple_products
In apusys, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07713478; Issue ID: ALPS07713478.
2023-10-02
6.7
CVE-2023-32829
MISC
mhlw -- fd_application
FD Application Apr. 2022 Edition (Version 9.01) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.
2023-10-02
5.5
CVE-2023-42132
MISC
MISC
mojoportal -- mojoportal
Cross Site Scripting vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the helpkey parameter in the Help.aspx component.
2023-10-02
6.1
CVE-2023-44012
MISC
mosparo -- mosparo
Open Redirect in GitHub repository mosparo/mosparo prior to 1.0.2.
2023-10-04
6.1
CVE-2023-5375
MISC
MISC
nothings_stb -- nothings_stb
Nothings stb 2.28 was discovered to contain a Null Pointer Dereference via the function stbi__convert_format. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted pic file.
2023-10-03
5.5
CVE-2023-43898
MISC
nxlog -- nxlog_manager
Cross-Site Request Forgery (CSRF) vulnerability in NXLog Manager 5.6.5633 version. This vulnerability allows an attacker to manipulate and delete user accounts within the platform by sending a specifically crafted query to the server. The vulnerability is based on the lack of proper validation of the origin of incoming requests.
2023-10-03
6.5
CVE-2023-32791
MISC
nxlog -- nxlog_manager
Cross-Site Request Forgery (CSRF) vulnerability in NXLog Manager 5.6.5633 version. This vulnerability allows an attacker to eliminate roles within the platform by sending a specifically crafted query to the server. The vulnerability is based on the absence of proper validation of the origin of incoming requests.
2023-10-03
6.5
CVE-2023-32792
MISC
nxlog -- nxlog_manager
Cross-Site Scripting (XSS) vulnerability in NXLog Manager 5.6.5633 version. This vulnerability allows an attacker to inject a malicious JavaScript payload into the 'Full Name' field during a user edit, due to improper sanitization of the input parameter.
2023-10-03
6.1
CVE-2023-32790
MISC
online_banquet_booking_system -- online_banquet_booking_system
A vulnerability, which was classified as problematic, was found in Online Banquet Booking System 1.0. Affected is an unknown function of the file /view-booking-detail.php of the component Account Detail Handler. The manipulation of the argument username leads to cross site scripting. It is possible to launch the attack remotely. VDB-240942 is the identifier assigned to this vulnerability.
2023-09-30
6.1
CVE-2023-5303
MISC
MISC
online_banquet_booking_system -- online_banquet_booking_system
A vulnerability has been found in Online Banquet Booking System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /book-services.php of the component Service Booking. The manipulation of the argument message leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-240943.
2023-09-30
6.1
CVE-2023-5304
MISC
MISC
online_banquet_booking_system -- online_banquet_booking_system
A vulnerability was found in Online Banquet Booking System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /mail.php of the component Contact Us Page. The manipulation of the argument message leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-240944.
2023-09-30
6.1
CVE-2023-5305
MISC
MISC
open5gs -- open5gs
Man in the Middle vulnerability, which could allow an attacker to intercept VNF (Virtual Network Function) communications resulting in the exposure of sensitive information.
2023-10-03
5.9
CVE-2023-4885
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "tracking_number" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43702
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "product_info[][name]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43703
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "title" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43704
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "translation_value[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43705
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "email_templates_key" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43706
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "CatalogsPageDescriptionForm[1][name] " parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43707
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "configuration_title[1](MODULE_PAYMENT_SAGE_PAY_SERVER_TEXT_TITLE)" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43708
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "configuration_title[1](MODULE)" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43709
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "configuration_title[1][MODULE_SHIPPING_PERCENT_TEXT_TITLE]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43710
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "admin_firstname" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43711
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "access_levels_name" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43712
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability, which allows attackers to inject JS via the "title" parameter, in the "/admin/admin-menu/add-submit" endpoint, which can lead to unauthorized execution of scripts in a user's web browser.
2023-09-30
5.4
CVE-2023-43713
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "SKIP_CART_PAGE_TITLE[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43714
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "ENTRY_FIRST_NAME_MIN_LENGTH_TITLE[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43715
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "MAX_DISPLAY_NEW_PRODUCTS_TITLE[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43716
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "MSEARCH_HIGHLIGHT_ENABLE_TITLE[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43717
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "MSEARCH_ENABLE_TITLE[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43718
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "SHIPPING_GENDER_TITLE[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43719
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "BILLING_GENDER_TITLE[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43720
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "PACKING_SLIPS_SUMMARY_TITLE[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43721
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "orders_status_groups_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43722
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "orders_status_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43723
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "derb6zmklgtjuhh2cn5chn2qjbm2stgmfa4.oastify.comscription[1][name]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43724
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "orders_products_status_name_long[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43725
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "orders_products_status_manual_name_long[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43726
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "stock_indication_text[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43727
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "stock_delivery_terms_text[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43728
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "xsell_type_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43729
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "countries_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43730
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "zone_name" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43731
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "tax_class_title" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43732
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "company_address" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43733
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "name" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43734
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "formats_titles[7]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-43735
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "featured_type_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-5111
MISC
MISC
os_commerce -- os_commerce
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "specials_type_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
2023-09-30
5.4
CVE-2023-5112
MISC
MISC
ovn -- open_virtual_network
A flaw was found in Open Virtual Network where the service monitor MAC does not properly rate limit. This issue could allow an attacker to cause a denial of service, including on deployments with CoPP enabled and properly configured.
2023-10-04
5.3
CVE-2023-3153
MISC
MISC
MISC
MISC
MISC
MISC
pandorafms -- pandora_fms
Cross-site Scripting (XSS) vulnerability in the Syslog Section of Pandora FMS allows an attacker to cause a user's cookie value to be transferred to the attacker's server. This issue affects Pandora FMS v767 version and prior versions on all platforms.
2023-10-03
6.1
CVE-2023-0828
MISC
phpmyfaq -- phpmyfaq
Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
2023-09-30
6.1
CVE-2023-5316
MISC
MISC
phpmyfaq -- phpmyfaq
Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
2023-09-30
6.1
CVE-2023-5320
MISC
MISC
phpmyfaq -- phpmyfaq
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
2023-09-30
5.4
CVE-2023-5317
MISC
MISC
phpmyfaq -- phpmyfaq
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
2023-09-30
5.4
CVE-2023-5319
MISC
MISC
pleasant_solutions -- pleasant_password_server
A cross-site scripting (XSS) vulnerability in the component /framework/cron/action/humanize of Pleasant Solutions Pleasant Password Server v7.11.41.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cronString parameter.
2023-10-04
6.1
CVE-2023-27121
MISC
MISC
MISC
pretix -- pretix
An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.
2023-10-02
5.3
CVE-2023-44463
MISC
MISC
MISC
MISC
CONFIRM
pure_storage -- flasharray_purity
A flaw exists in FlashArray Purity wherein under limited circumstances, an array administrator can alter the retention lock of a pgroup and disable pgroup SafeMode protection.
2023-10-03
4.9
CVE-2023-32572
MISC
pure_storage -- purity
A flaw exists in FlashBlade Purity whereby an authenticated user with access to FlashBlade's object store protocol can impact the availability of the system's data access and replication protocols.
2023-10-02
4.3
CVE-2023-31042
MISC
qsige -- qsige
The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.
2023-10-03
6.5
CVE-2023-4099
MISC
qualcomm -- apq8064au_firmware
Information disclosure in WLAN HOST while processing the WLAN scan descriptor list during roaming scan.
2023-10-03
5.5
CVE-2023-28571
MISC
quick_cms -- quick_cms
Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Files - Description parameter in the Pages Menu component.
2023-10-05
5.4
CVE-2023-43343
MISC
MISC
red_hat -- multiple_products
A flaw was found in JSS. A memory leak in JSS requires non-standard configuration but is a low-effort DoS vector if configured that way (repeatedly hitting the login page).
2023-10-04
5.9
CVE-2022-4132
MISC
MISC
ritecms -- ritecms
Rite CMS 3.0 has Multiple Cross-Site scripting (XSS) vulnerabilities that allow attackers to execute arbitrary code via a payload crafted in the Home Page fields in the Administration menu.
2023-10-04
4.8
CVE-2023-43877
MISC
salesagility -- suitecrm
Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.14.1.
2023-10-03
6.5
CVE-2023-5353
MISC
MISC
salesagility -- suitecrm
Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to 7.14.1.
2023-10-03
5.4
CVE-2023-5351
MISC
MISC
samsung -- android
Logic error in package installation via debugger command prior to SMR Oct-2023 Release 1 allows a physical attacker to install an application that has a different build type.
2023-10-04
4.6
CVE-2023-30731
MISC
[TR]
[TD]
samsung -- health​
[/TD]
[TD]
Improper access control vulnerability in Samsung Health prior to version 6.24.3.007 allows attackers to access sensitive information via implicit intent.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
5.5
[/TD]
[TD]CVE-2023-30734
MISC[/TD]
[/TR]
[TR]
[TD]
samsung -- health​
[/TD]
[TD]
Improper access control vulnerability in Samsung Health prior to version 6.24.3.007 allows attackers to access sensitive information via implicit intent.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
5.5
[/TD]
[TD]CVE-2023-30737
MISC[/TD]
[/TR]
[TR]
[TD]
samsung -- samsung_assistant​
[/TD]
[TD]
Improper authorization in PushMsgReceiver of Samsung Assistant prior to version 8.7.00.1 allows attacker to execute javascript interface. To trigger this vulnerability, user interaction is required.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-30736
MISC[/TD]
[/TR]
[TR]
[TD]
sato -- cl4nx-j_plus_firmware​
[/TD]
[TD]
A vulnerability was found in SATO CL4NX-J Plus 1.13.2-u455_r2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /rest/dir/. The manipulation of the argument full leads to path traversal. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-241028.​
[/TD]
[TD]
2023-10-01​
[/TD]
[TD]
6.5
[/TD]
[TD]CVE-2023-5327
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
setelsa_security -- conacwin​
[/TD]
[TD]
Blind SQL injection vulnerability in the Conacwin 3.7.1.2 web interface, the exploitation of which could allow a local attacker to obtain sensitive data stored in the database by sending a specially crafted SQL query to the xml parameter.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
5.5
[/TD]
[TD]CVE-2023-4037
MISC[/TD]
[/TR]
[TR]
[TD]
silabs -- gecko_software_development_kit​
[/TD]
[TD]
Forcing the Bluetooth LE stack to segment 'prepare write response' packets can lead to an out-of-bounds memory access.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
6.5
[/TD]
[TD]CVE-2023-3024
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
small_crm -- small_crm​
[/TD]
[TD]
Cross Site Scripting vulnerability in Small CRM in PHP v.3.0 allows a remote attacker to execute arbitrary code via a crafted payload to the Address parameter.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-44075
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- best_courier_management_system​
[/TD]
[TD]
A vulnerability classified as problematic was found in SourceCodester Best Courier Management System 1.0. This vulnerability affects unknown code of the file manage_parcel_status.php. The manipulation of the argument id leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-240886 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-5273
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- best_courier_management_system​
[/TD]
[TD]
A vulnerability, which was classified as problematic, has been found in SourceCodester Best Courier Management System 1.0. This issue affects some unknown processing of the component Manage Account Page. The manipulation of the argument First Name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240941 was assigned to this vulnerability.​
[/TD]
[TD]
2023-09-30​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-5302
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- expense_tracker​
[/TD]
[TD]
A vulnerability, which was classified as problematic, has been found in SourceCodester Expense Tracker App v1. Affected by this issue is some unknown functionality of the file add_category.php of the component Category Handler. The manipulation of the argument category_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-240914 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-5286
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- task_management_system​
[/TD]
[TD]
A Stored Cross Site Scripting (XSS) vulnerability was found in SourceCodester Task Management System 1.0. It allows attackers to execute arbitrary code via parameter field in index.php?page=project_list.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-43944
MISC[/TD]
[/TR]
[TR]
[TD]
sscms -- sscms​
[/TD]
[TD]
SSCMS 7.2.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Material Management component.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-43952
MISC[/TD]
[/TR]
[TR]
[TD]
sscms -- sscms​
[/TD]
[TD]
SSCMS 7.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Column Management component.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-43951
MISC[/TD]
[/TR]
[TR]
[TD]
sscms -- sscms​
[/TD]
[TD]
SSCMS 7.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Content Management component.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-43953
MISC[/TD]
[/TR]
[TR]
[TD]
tcman -- gim​
[/TD]
[TD]
The 'sReferencia', 'sDescripcion', 'txtCodigo' and 'txtDescripcion' parameters, in the frmGestionStock.aspx and frmEditServicio.aspx files in TCMAN GIM v8.0.1, could allow an attacker to perform persistent XSS attacks.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
6.1
[/TD]
[TD]CVE-2022-36277
MISC[/TD]
[/TR]
[TR]
[TD]
upv -- peix​
[/TD]
[TD]
Authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
6.5
[/TD]
[TD]CVE-2023-2544
MISC[/TD]
[/TR]
[TR]
[TD]
userfeedback -- userfeedback​
[/TD]
[TD]
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in UserFeedback Team User Feedback plugin
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
6.1
[/TD]
[TD]CVE-2023-39308
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
whitehsbg -- jndiexploit​
[/TD]
[TD]
A vulnerability was found in WhiteHSBG JNDIExploit 1.4 on Windows. It has been rated as problematic. Affected by this issue is the function handleFileRequest of the file src/main/java/com/feihong/ldap/HTTPServer.java. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. VDB-240866 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
5.7
[/TD]
[TD]CVE-2023-5257
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Photo Gallery Slideshow & Masonry Tiled Gallery plugin
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
6.1
[/TD]
[TD]CVE-2023-41658
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Ulf Benjaminsson WP-dTree plugin
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
6.1
[/TD]
[TD]CVE-2023-41662
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Giovambattista Fazioli WP Bannerize Pro plugin
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
6.1
[/TD]
[TD]CVE-2023-41663
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Hennessey Digital Attorney theme
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
6.1
[/TD]
[TD]CVE-2023-41692
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ClickToTweet.Com Click To Tweet plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
6.1
[/TD]
[TD]CVE-2023-41856
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Dreamfox Payment gateway per Product for WooCommerce plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
6.1
[/TD]
[TD]CVE-2023-44144
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugins FooGallery plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
6.1
[/TD]
[TD]CVE-2023-44244
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Leap Contractor Contact Form Website to Workflow Tool plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
6.1
[/TD]
[TD]CVE-2023-44245
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in MD Jakir Hosen Tiger Forms - Drag and Drop Form Builder plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
6.1
[/TD]
[TD]CVE-2023-44474
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Stockdio Stock Quotes List plugin
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-41666
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Irina Sokolovskaya Goods Catalog plugin
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-41687
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Rescue Themes Rescue Shortcodes plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-41728
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Gold Plugins Locations plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-41797
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WEN Solutions Notice Bar plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-41847
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in jesweb.Dev Anchor Episodes Index (Spotify for Podcasters) plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-44145
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in 2J Slideshow Team Slideshow, Image Slider by 2J plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-44242
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Arrow Plugins The Awesome Feed - Custom Feed plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-44264
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-44477
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
The Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'AWL-BlogFilter' shortcode in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-5291
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
The WP Responsive header image slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sp_responsiveslider' shortcode in versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-5334
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
The Instagram for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-5357
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
The WP Mail SMTP Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_print_page function in versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to disclose potentially sensitive email information.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
5.3
[/TD]
[TD]CVE-2023-3213
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Andreas Heigl authLdap plugin
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41655
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Groundhogg Inc. HollerBox plugin
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41657
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin
[/TD]
[TD]
2023-09-29​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41661
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41729
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution WordPress publish post email notification plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41731
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in YYDevelopment Back To The Top Button plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41733
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in nigauri Insert Estimated Reading Time plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41734
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Email posts to subscribers plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41736
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPGens Swifty Bar, sticky bar by WPGens plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41737
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in UniConsent UniConsent CMP for GDPR CPRA GPP TCF plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41800
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Regpacks Regpack plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41855
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ashok Rane Order Delivery Date for WP e-Commerce plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-41859
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Onclick show popup plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-44228
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Popup contact form plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-44230
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jobin Jose WWM Social Share On Image Hover plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-44239
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Renzo Johnson Blocks plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-44262
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Riyaz Social Metrics plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-44263
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Popup contact form plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-44265
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jewel Theme WP Adminify plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-44266
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jim Krill WP Jump Menu plugin
[/TD]
[TD]
2023-10-02​
[/TD]
[TD]
4.8
[/TD]
[TD]CVE-2023-44479
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress
[/TD]
[TD]
The Profile Extra Fields by BestWebSoft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the prflxtrflds_export_file function in versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to expose potentially sensitive user data, including data entered into custom fields.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
5.3
[/TD]
[TD]CVE-2023-4469
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
zenario_cms -- zenario_cms​
[/TD]
[TD]
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows an attacker to execute arbitrary code via a crafted script to the Organizer - Spare alias.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-44770
MISC[/TD]
[/TR]
[TR]
[TD]
zenario_cms -- zenario_cms​
[/TD]
[TD]
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Page Layout.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
5.4
[/TD]
[TD]CVE-2023-44771
MISC[/TD]
[/TR]​



Low Vulnerabilities​

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
gitlab -- gitlab​
An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.​
2023-09-29​
3.5
CVE-2023-3906
MISC
MISC
mattermost -- mattermost​
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.​
2023-09-29​
2.7
CVE-2023-5159
MISC
mattermost -- mattermost​
Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.​
2023-09-29​
2.7
CVE-2023-5193
MISC
phpkobo -- ajax_poll_script​
A vulnerability classified as problematic was found in phpkobo Ajax Poll Script 3.18. Affected by this vulnerability is an unknown functionality of the file ajax-poll.php of the component Poll Handler. The manipulation leads to improper enforcement of a single, unique action. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240949 was assigned to this vulnerability.​
2023-09-30​
3.7
CVE-2023-5313
MISC
MISC
MISC
pure_storage -- flasharray_purity​
A flaw exists in FlashArray Purity whereby an array administrator by configuring an external key manager can affect the availability of data on the system including snapshots protected by SafeMode.​
2023-10-03​
2.7
CVE-2023-28373
MISC
pure_storage -- flashblad_purity​
A flaw exists in FlashBlade Purity (OE) Version 4.1.0 whereby a user with privileges to extend an object's retention period can affect the availability of the object lock.​
2023-10-02​
2.7
CVE-2023-28372
MISC
pure_storage -- flashblade_purity​
A flaw exists in FlashBlade Purity whereby a user with access to an administrative account on a FlashBlade that is configured with timezone-dependent snapshot schedules can configure a timezone to prevent the schedule from functioning properly.​
2023-10-02​
2.7
CVE-2023-36627
MISC
samsung -- android​
Improper access control in system property prior to SMR Oct-2023 Release 1 allows local attacker to get CPU serial number.​
2023-10-04​
3.3
CVE-2023-30732
MISC
samsung -- sassistant​
Improper Preservation of Permissions vulnerability in SAssistant prior to version 8.7 allows local attackers to access backup data in SAssistant.​
2023-10-04​
3.3
CVE-2023-30735
MISC





Severity Not Yet Assigned​

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
simple_and_nice_shopping_cart_scrip -- simple_and_nice_shopping_cart_script
File Upload vulnerability in Simple and Nice Shopping Cart Script v.1.0 allows a remote attacker to execute arbitrary code via the upload function in the edit profile component.​
2023-10-06​
not yet calculated​
CVE-2023-44061
MISC
1e -- 1e_client
1E Client installer can perform arbitrary file deletion on protected files. A non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup. A hotfix, Q23092, is available that forces the 1E Client to check for a symbolic link or junction; if it finds one, it refuses to use that path and instead creates a path involving a random GUID.
2023-10-05​
not yet calculated​
CVE-2023-45159
MISC
1e -- 1e_client
In the affected version of the 1E Client, an ordinary user could subvert downloaded instruction resource files, e.g., to substitute a harmful script, by replacing a resource script file created by an instruction at run time with a malicious script. This has been fixed in patch Q23094, as the 1E Client's temporary directory is now locked down.
2023-10-05​
not yet calculated​
CVE-2023-45160
MISC
acronis -- acronis_agent
Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 31637.​
2023-10-05​
not yet calculated​
CVE-2023-44211
MISC
acronis -- acronis_agent
Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 31477.​
2023-10-05​
not yet calculated​
CVE-2023-44212
MISC
MISC
acronis -- acronis_agent
Sensitive information disclosure due to missing authorization. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35739.​
2023-10-05​
not yet calculated​
CVE-2023-44214
MISC
acronis -- acronis_agent
Sensitive information disclosure due to missing authorization. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35739.​
2023-10-05​
not yet calculated​
CVE-2023-45240
MISC
acronis -- acronis_agent
Sensitive information leak through log files. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35739.​
2023-10-05​
not yet calculated​
CVE-2023-45241
MISC
acronis -- acronis_agent
Sensitive information disclosure due to missing authorization. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35739.​
2023-10-05​
not yet calculated​
CVE-2023-45242
MISC
acronis -- acronis_agent
Sensitive information disclosure due to missing authorization. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35739.​
2023-10-05​
not yet calculated​
CVE-2023-45243
MISC
acronis -- acronis_agent
Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35895.​
2023-10-06​
not yet calculated​
CVE-2023-45244
MISC
acronis -- acronis_agent
Sensitive information disclosure due to missing authorization. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 36119.​
2023-10-06​
not yet calculated​
CVE-2023-45245
MISC
acronis -- acronis_agent
Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 36343.​
2023-10-06​
not yet calculated​
CVE-2023-45246
MISC
acronis -- acronis_agent_for_windows
Sensitive information disclosure due to excessive collection of system information. The following products are affected: Acronis Agent (Windows) before build 35739.​
2023-10-05​
not yet calculated​
CVE-2023-44213
MISC
altair-graphql -- altair
Altair is a GraphQL Client. Prior to version 5.2.5, the Altair GraphQL Client Desktop Application does not sanitize external URLs before passing them to the underlying system. Moreover, Altair GraphQL Client also does not isolate the context of the renderer process. This affects versions of the software running on MacOS, Windows, and Linux. Version 5.2.5 fixes this issue.​
2023-10-04​
not yet calculated​
CVE-2023-43799
MISC
MISC
ansible -- ansible
A logic flaw exists in Ansible. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.​
2023-10-04​
not yet calculated​
CVE-2023-4380
MISC
MISC
MISC
ansible_automation_platform -- ansible_automation_platform
A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.​
2023-10-04​
not yet calculated​
CVE-2023-4237
MISC
MISC
atlassian -- confluence_data_center
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue. For more details, please review the linked advisory on this CVE.​
2023-10-04​
not yet calculated​
CVE-2023-22515
MISC
MISC
MISC
buddyboss -- buddyboss
A stored XSS vulnerability has been found on BuddyBoss Platform affecting version 2.2.9. This vulnerability allows an attacker to store a malicious javascript payload via POST request when sending an invitation.​
2023-10-03​
not yet calculated​
CVE-2023-32671
MISC
canonical_ltd. -- subiquity
Sensitive data could be exposed in logs of subiquity version 23.09.1 and earlier. An attacker in the adm group could use this information to find hashed passwords and possibly escalate their privilege.​
2023-10-07​
not yet calculated​
CVE-2023-5182
MISC
MISC
checkfront_inc. -- checkfront_online_booking_system
Cross-Site Request Forgery (CSRF) vulnerability in Checkfront Inc. Checkfront Online Booking System plugin
2023-10-06
not yet calculated
CVE-2023-44146
MISC
[TR]
[TD]
cisco -- ios_xe_software
[/TD]
[TD]
A vulnerability in the on-device application development workflow feature for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an authenticated, remote attacker to access the underlying operating system as the root user. This vulnerability exists because Docker containers with the privileged runtime option are not blocked when they are in application development mode. An attacker could exploit this vulnerability by using the Docker CLI to access an affected device. The application development workflow is meant to be used only on development systems and not in production systems.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-20235
MISC[/TD]
[/TR]
[TR]
[TD]
cisco -- unified_communications_products
[/TD]
[TD]
A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenticated, remote attacker to cause high CPU utilization, which could impact access to the web-based management interface and cause delays with call processing. This API is not used for device management and is unlikely to be used in normal operations of the device. This vulnerability is due to improper API authentication and incomplete validation of the API request. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition due to high CPU utilization, which could negatively impact user traffic and management access. When the attack stops, the device will recover without manual intervention.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-20259
MISC[/TD]
[/TR]
[TR]
[TD]
citadel -- citadel​
[/TD]
[TD]
A cross-site scripting vulnerability exists in Citadel versions prior to 994. When a malicious user sends an instant message with some JavaScript code, the script may be executed on the web browser of the victim user.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-44272
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
d-link -- dir-820l
[/TD]
[TD]
D-Link DIR-820L 1.05B03 has a stack overflow vulnerability in the cancelPing function.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-44807
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
decidim -- decidim
[/TD]
[TD]
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The templates module doesn't enforce the correct permissions, allowing any logged-in user to access this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. This issue has been patched in version 0.26.8 and 0.27.4.
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-36465
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
digital_china_networks -- dcfw-1800-sdc
[/TD]
[TD]
File Upload vulnerability in Digital China Networks DCFW-1800-SDC v.3.0 allows an authenticated attacker to execute arbitrary code via the wget function in the /sbin/cloudadmin.sh component.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-43321
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
discourse -- discourse-jira
[/TD]
[TD]
Discourse-jira is a Discourse plugin that allows Jira projects, issue types, fields and field options to be synced automatically. An administrator user can make an SSRF attack by setting the Jira URL to an arbitrary location and enabling the discourse_jira_verbose_log site setting. A moderator user could manipulate the request path to the Jira API, allowing them to perform arbitrary GET requests using the Jira API credentials, potentially with elevated permissions, used by the application.
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-44384
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
extreme_networks -- iq_engine
[/TD]
[TD]
IQ Engine before 10.6r2 on Extreme Network AP devices has a Buffer Overflow.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-35803
MISC[/TD]
[/TR]
[TR]
[TD]
facebook -- whatsapp_desktop_for_mac
[/TD]
[TD]
A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-38537
MISC[/TD]
[/TR]
[TR]
[TD]
facebook -- whatsapp_desktop_for_mac
[/TD]
[TD]
A race condition in an event subsystem led to a heap use-after-free issue in established audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-38538
MISC[/TD]
[/TR]
[TR]
[TD]
freebsd -- freebsd
[/TD]
[TD]
Before correction, the copy_file_range system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally require the CAP_SEEK capability. This incorrect privilege check enabled sandboxed processes with only read or write but no seek capability on a file descriptor to read data from or write data to an arbitrary location within the file corresponding to that file descriptor.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5369
MISC[/TD]
[/TR]
[TR]
[TD]
freebsd -- freebsd
[/TD]
[TD]
On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. This resulted in no speculative execution workarounds being installed on CPU 0.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5370
MISC[/TD]
[/TR]
[TR]
[TD]
fsevents -- fsevents
[/TD]
[TD]
fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-45311
MISC
MISC
MISC
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
garuda_linux -- garuda_linux
[/TD]
[TD]
Garuda Linux performs an insecure user creation and authentication that allows any user to impersonate the created account. By creating users from the 'Garuda settings manager', an insecure procedure is performed that leaves the created user without an assigned password for some seconds. This could allow a potential attacker to exploit this vulnerability in order to authenticate without knowing the password.
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2021-3784
MISC[/TD]
[/TR]
[TR]
[TD]
gdidees_cms -- gdidees_cms
[/TD]
[TD]
GDidees CMS 3.0 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload to the Page Title.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-44758
MISC[/TD]
[/TR]
[TR]
[TD]
geokit-rails -- geokit-rails
[/TD]
[TD]
Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. This issue can be exploited remotely via a malicious cookie value. Note: An attacker can use this vulnerability to execute commands on the host system.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-26153
MISC
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
go_toolchain -- cmd/go
[/TD]
[TD]
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-39323
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
google -- android
[/TD]
[TD]
In visitUris of Notification.java, there is a possible bypass of user profile boundaries due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-21244
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
google -- android
[/TD]
[TD]
In validatePassword of WifiConfigurationUtil.java, there is a possible way to get the device into a boot loop due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-21252
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
google -- android
[/TD]
[TD]
In multiple locations, there is a possible way to crash multiple system services due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-21253
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
google -- android
[/TD]
[TD]
In killBackgroundProcesses of ActivityManagerService.java, there is a possible way to escape Google Play protection due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-21266
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
google -- android
[/TD]
[TD]
In visitUris of Notification.java, there is a possible way to reveal image contents from another user due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-21291
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
gradle -- gradle
[/TD]
[TD]
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files that it generated or that were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-42445
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
gradle -- gradle
[/TD]
[TD]
Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too many permissions, given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-44387
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
hex_dragon -- plain_craft_launcher_2
[/TD]
[TD]
Directory Traversal vulnerability in Hex-Dragon Plain Craft Launcher 2 version Alpha 1.3.9, allows local attackers to execute arbitrary code and gain sensitive information.​
[/TD]
[TD]
2023-10-07​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-36123
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
hitachi -- hitachi_ops_center_common_services
[/TD]
[TD]
An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-3971
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
hitachi -- jp1/performance_management-manager
[/TD]
[TD]
Incorrect Default Permissions vulnerability in Hitachi JP1/Performance Management on Windows allows File Manipulation. This issue affects JP1/Performance Management - Manager: from 09-00 before 12-50-07; JP1/Performance Management - Base: from 09-00 through 10-50-; JP1/Performance Management - Agent Option for Application Server: from 11-00 before 11-50-16; JP1/Performance Management - Agent Option for Enterprise Applications: from 09-00 before 12-00-14; JP1/Performance Management - Agent Option for HiRDB: from 09-00 before 12-00-14; JP1/Performance Management - Agent Option for IBM Lotus Domino: from 10-00 before 11-50-16; JP1/Performance Management - Agent Option for Microsoft(R) Exchange Server: from 09-00 before 12-00-14; JP1/Performance Management - Agent Option for Microsoft(R) Internet Information Server: from 09-00 before 12-00-14; JP1/Performance Management - Agent Option for Microsoft(R) SQL Server: from 09-00 before 12-50-07; JP1/Performance Management - Agent Option for Oracle: from 09-00 before 12-10-08; JP1/Performance Management - Agent Option for Platform: from 09-00 before 12-50-07; JP1/Performance Management - Agent Option for Service Response: from 09-00 before 11-50-16; JP1/Performance Management - Agent Option for Transaction System: from 11-00 before 12-00-14; JP1/Performance Management - Remote Monitor for Microsoft(R) SQL Server: from 09-00 before 12-50-07; JP1/Performance Management - Remote Monitor for Oracle: from 09-00 before 12-10-08; JP1/Performance Management - Remote Monitor for Platform: from 09-00 before 12-10-08; JP1/Performance Management - Remote Monitor for Virtual Machine: from 10-00 before 12-50-07; JP1/Performance Management - Agent Option for Domino: from 09-00 through 09-00-; JP1/Performance Management - Agent Option for IBM WebSphere Application Server: from 09-00 through 10-00-; JP1/Performance Management - Agent Option for IBM WebSphere MQ: from 09-00 through 10-00-; JP1/Performance Management - Agent Option for JP1/AJS3: from 09-00 through 10-00-; JP1/Performance Management - Agent Option for OpenTP1: from 09-00 through 10-00-; JP1/Performance Management - Agent Option for Oracle WebLogic Server: from 09-00 through 10-00-; JP1/Performance Management - Agent Option for uCosminexus Application Server: from 09-00 through 10-00-; JP1/Performance Management - Agent Option for Virtual Machine: from 09-00 through 09-01-*.
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-3440
MISC[/TD]
[/TR]
[TR]
[TD]
hotrod-client -- hotrod-client
[/TD]
[TD]
A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-4586
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
hp_inc. -- multiple_products
[/TD]
[TD]
Certain HP Enterprise LaserJet and HP LaserJet Managed Printers are potentially vulnerable to denial of service due to WS-Print request and potential injections of Cross Site Scripting via jQuery-UI.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5113
MISC[/TD]
[/TR]
[TR]
[TD]
htmlsanitizer -- htmlsanitizer
[/TD]
[TD]
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. The vulnerability occurs in configurations where foreign content is allowed, i.e. either svg or math are in the list of allowed elements. In the case an application sanitizes user input with a vulnerable configuration, an attacker could bypass the sanitization and inject arbitrary HTML, including JavaScript code. Note that in the default configuration the vulnerability is not present. The vulnerability has been fixed in versions 8.0.723 and 8.1.722-beta (preview version).​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-44390
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
hydra -- hydra
[/TD]
[TD]
Hydra is the layer-two scalability solution for Cardano. Users of the Hydra head protocol send the UTxOs they wish to commit into the Hydra head first to the commit validator, where they remain until they are either collected into the head validator or the protocol initialisation is aborted and the value in the committed UTxOs is returned to the users who committed them. Prior to version 0.12.0, the commit validator contains a flawed check when the ViaAbort redeemer is used, which allows any user to spend any UTxO which is at the validator arbitrarily, meaning an attacker can steal the funds that users are trying to commit into the head validator. The intended behavior is that the funds must be returned to the user who committed the funds and can only be performed by a participant of the head. The initial validator also is similarly affected as the same flawed check is performed for the ViaAbort redeemer. Due to this issue, an attacker can steal any funds that users try to commit into a Hydra head. Also, an attacker can prevent any Hydra head from being successfully opened. It does not allow an attacker to take funds which have been successfully collected into and currently reside in the head validator. Version 0.12.0 contains a fix for this issue.
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-38701
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
hydra -- hydra
[/TD]
[TD]
Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, the specification states that the contestation period in the datum of the UTxO at the head validator must stay unchanged as the state progresses from Open to Closed (Close transaction), but no such check appears to be performed in the checkClose function of the head validator. This would allow a malicious participant to modify the contestation deadline of the head to either allow them to fanout the head without giving another participant the chance to contest or prevent any participant from ever redistributing the funds locked in the head via a fan-out. Version 0.13.0 contains a patch for this issue.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-42448
MISC
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
hydra -- hydra
[/TD]
[TD]
Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, it is possible for a malicious head initializer to extract one or more PTs for the head they are initializing due to incorrect data validation logic in the head token minting policy which then results in a flawed check for burning the head ST in the initial validator. This is possible because it is not checked in HeadTokens.hs that the datums of the outputs at the initial validator are equal to the real head ID, and it is also not checked in the off-chain code. During the Initial state of the protocol, if the malicious initializer removes a PT from the Hydra scripts it becomes impossible for any other participant to reclaim any funds they have attempted to commit into the head, as to do so the Abort transaction must burn all the PTs for the head, but they cannot burn the PT which the attacker controls and so cannot satisfy this requirement. That means the initializer can lock the other participants' committed funds forever or until they choose to return the PT (ransom). The malicious initializer can also use the PT to spoof that they have committed a particular TxO when progressing the head into the Open state. For example, they could say they committed a TxO residing at their address containing 100 ADA, but in fact this 100 ADA was not moved into the head, and thus in order for another participant to perform the fanout they will be forced to pay the attacker the 100 ADA out of their own funds, as the fanout transaction must pay all the committed TxOs (even though the attacker did not really commit that TxO). They can do this by placing the PT in a UTxO with a well-formed Commit datum with whatever contents they like, then use this UTxO in the collectCom transaction. There may be other possible ways to abuse having control of a PT. Version 0.13.0 fixes this issue.
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-42449
MISC
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
ibm -- engineering_lifecycle_management
[/TD]
[TD]
IBM Jazz Foundation (IBM Engineering Lifecycle Management 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2) could disclose sensitive version information to a user that could be used in further attacks against the system. IBM X-Force ID: 230498.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2022-34355
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
ibm -- robotic_process_automation​
[/TD]
[TD]
IBM Robotic Process Automation 23.0.9 is vulnerable to privilege escalation that affects ownership of projects. IBM X-Force ID: 247527.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-43058
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
ibm -- security_directory_suite
[/TD]
[TD]
IBM Security Directory Suite 8.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 228568.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2022-33160
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
ibm -- storage_protect_client
[/TD]
[TD]
IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw. IBM X-Force ID: 259246.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-35897
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
idm_sistemas_qsige -- qsige
[/TD]
[TD]
The QSige login SSO does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-4101
MISC[/TD]
[/TR]
[TR]
[TD]
idm_sistemas_qsige -- qsige
[/TD]
[TD]
QSige login SSO does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-4102
MISC[/TD]
[/TR]
[TR]
[TD]
idm_sistemas_qsige -- qsige
[/TD]
[TD]
QSige statistics are affected by a remote SQLi vulnerability. It has been identified that the web application does not correctly filter input parameters, allowing SQL injections, DoS or information disclosure. As a prerequisite, it is necessary to log into the application.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-4103
MISC[/TD]
[/TR]
[TR]
[TD]
imagemagick -- imagemagick
[/TD]
[TD]
A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash and denial of service.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-3428
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
keycloak -- keycloak
[/TD]
[TD]
A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients.
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-2422
MISC
MISC
MISC
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
kong -- insomnia
[/TD]
[TD]
Kong Insomnia 2023.4.0 on macOS allows attackers to execute code and access restricted files, or make requests for TCC permissions, by using the DYLD_INSERT_LIBRARIES environment variable.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-40299
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
libtiff -- libtiff
[/TD]
[TD]
A memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to the tiffcrop utility, which causes this memory leak issue, resulting in an application crash, eventually leading to a denial of service.
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-3576
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
libtiff -- libtiff
[/TD]
[TD]
LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-40745
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
libtiff -- libtiff
[/TD]
[TD]
A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-41175
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
linux -- kernel
[/TD]
[TD]
A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-42754
MISC
MISC
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
linux -- kernel
[/TD]
[TD]
A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the rsvp_classify function. This issue may allow a local user to crash the system and cause a denial of service.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-42755
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
mbed_tls -- mbed_tls
[/TD]
[TD]
Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 has a Buffer Overflow.​
[/TD]
[TD]
2023-10-07​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-43615
MISC[/TD]
[/TR]
[TR]
[TD]
mbed_tls -- mbed_tls
[/TD]
[TD]
Mbed TLS 3.2.x through 3.4.x before 3.5 has a Buffer Overflow that can lead to remote code execution.
[/TD]
[TD]
2023-10-07​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-45199
MISC[/TD]
[/TR]
[TR]
[TD]
meks -- multiple_products​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Meks Video Importer, Meks Time Ago, Meks ThemeForest Smart Widget, Meks Smart Author Widget, Meks Audio Player, Meks Easy Maps, Meks Easy Photo Feed Widget, Meks Simple Flickr Widget, Meks Easy Ads Widget, Meks Smart Social Widget plugins leading to dismiss or the popup.​
[/TD]
[TD]
2023-10-03​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-25989
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
meta -- tac_plus
[/TD]
[TD]
A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-45239
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
milesight -- multiple_products
[/TD]
[TD]
Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 were discovered to contain a cross-site scripting (XSS) vulnerability via the admin panel.
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-43260
MISC[/TD]
[/TR]
[TR]
[TD]
milesight -- multiple_products
[/TD]
[TD]
An information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 allows attackers to access sensitive router components.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-43261
MISC
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
misskey -- misskey
[/TD]
[TD]
Misskey is an open source, decentralized social media platform. Prior to version 2023.9.0, by editing the URL, a user can bypass the authentication of the Bull dashboard, which is the job queue management UI, and access it. Version 2023.9.0 contains a fix. There are no known workarounds.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-43793
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
mozilla -- common_voice
[/TD]
[TD]
Common Voice is the web app for Mozilla Common Voice, a platform for collecting speech donations in order to create public domain datasets for training voice recognition-related tools. Version 1.88.2 is vulnerable to reflected Cross-Site Scripting given that user-controlled data flows to a path expression (path of a network request). This issue may lead to reflected Cross-Site Scripting (XSS) in the context of Common Voice's server origin. As of time of publication, it is unknown whether any patches or workarounds exist.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-42808
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
national_instruments -- measurementlink
[/TD]
[TD]
An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using version 1.1.0 of the ni-measurementlink-service Python package and all previous versions.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-4570
MISC[/TD]
[/TR]
[TR]
[TD]
netbsd_ftpd -- netbsd_ftpd
[/TD]
[TD]
ftpd before "NetBSD-ftpd 20230930" can leak information about the host filesystem before authentication via an MLSD or MLST command. tnftpd (the portable version of NetBSD ftpd) before 20231001 is also vulnerable.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-45198
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
netis_systems -- n3m_firmware
[/TD]
[TD]
An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker to cause a denial of service via the authorization component in the HTTP request.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-44860
MISC[/TD]
[/TR]
[TR]
[TD]
nexkey -- nexkey
[/TD]
[TD]
Nexkey is a fork of Misskey, an open source, decentralized social media platform. Prior to version 12.121.9, incomplete URL validation can allow users to bypass authentication for access to the job queue dashboard. Version 12.121.9 contains a fix for this issue. As a workaround, it may be possible to avoid this by blocking access using tools such as Cloudflare's WAF.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-43805
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
open_mct -- open_mct
[/TD]
[TD]
In NASA Open MCT (aka openmct) 2.2.5 before 545a177, prototype pollution can occur via an import action.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-45282
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
opentelemetry -- opentelemetry
[/TD]
[TD]
OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. Out of the box, autoinstrumentation adds the label http_method, which has unbounded cardinality. This can lead to memory exhaustion on the server when many malicious requests are sent, because an attacker can easily set the HTTP method of a request to a random, long value. To be affected, a program has to be instrumented for HTTP handlers and must not filter unknown HTTP methods at the level of the CDN, LB, previous middleware, etc. This issue has been patched in version 0.41b0.
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-43810
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
openvswitch -- openvswitch
[/TD]
[TD]
A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5366
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
pigcms -- pigcms
[/TD]
[TD]
pigcms up to 7.0 was discovered to contain an arbitrary file upload vulnerability.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-43269
MISC[/TD]
[/TR]
[TR]
[TD]
prixan -- connect
[/TD]
[TD]
Prixan prixanconnect up to v1.62 was discovered to contain a SQL injection vulnerability via the component CartsGuruCatalogModuleFrontController::importProducts().​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-40920
MISC[/TD]
[/TR]
[TR]
[TD]
puppet -- bolt
[/TD]
[TD]
In Puppet Bolt versions prior to 3.27.4, a path to escalate privileges was identified.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5214
MISC[/TD]
[/TR]
[TR]
[TD]
qnap_systems_inc. -- multiple_products
[/TD]
[TD]
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later; QTS 5.1.0.2444 build 20230629 and later; QTS 4.5.4.2467 build 20230718 and later; QuTS hero h5.0.1.2515 build 20230907 and later; QuTS hero h5.1.0.2424 build 20230609 and later; QuTS hero h4.5.4.2476 build 20230728 and later; QuTScloud c5.1.0.2498 and later.
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-32971
MISC[/TD]
[/TR]
[TR]
[TD]
qnap_systems_inc. -- multiple_products
[/TD]
[TD]
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later; QTS 5.1.0.2444 build 20230629 and later; QTS 4.5.4.2467 build 20230718 and later; QuTS hero h5.0.1.2515 build 20230907 and later; QuTS hero h5.1.0.2424 build 20230609 and later; QuTS hero h4.5.4.2476 build 20230728 and later; QuTScloud c5.1.0.2498 and later.
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-32972
MISC[/TD]
[/TR]
[TR]
[TD]
qnap_systems_inc. -- music_station
[/TD]
[TD]
A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow authenticated users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following version: Music Station 5.3.22 and later​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-23365
MISC[/TD]
[/TR]
[TR]
[TD]
qnap_systems_inc. -- music_station
[/TD]
[TD]
A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow authenticated users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following version: Music Station 5.3.22 and later​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-23366
MISC[/TD]
[/TR]
[TR]
[TD]
qnap_systems_inc. -- qvpn_windows
[/TD]
[TD]
An insufficiently protected credentials vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to gain access to user accounts and access sensitive data used by the user account via unspecified vectors. We have already fixed the vulnerability in the following version: QVPN Windows 2.1.0.0518 and later​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-23370
MISC[/TD]
[/TR]
[TR]
[TD]
qnap_systems_inc. -- qvpn_windows
[/TD]
[TD]
A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to read sensitive data via unspecified vectors. We have already fixed the vulnerability in the following version: QVPN Windows 2.2.0.0823 and later​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-23371
MISC[/TD]
[/TR]
[TR]
[TD]
qognify -- nicevision
[/TD]
[TD]
Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-2306
MISC[/TD]
[/TR]
[TR]
[TD]
quarkus_oidc -- quarkus_oidc
[/TD]
[TD]
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-1584
MISC
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
red_hat -- multiple_products
[/TD]
[TD]
A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2022-3248
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
red_hat -- openshift
[/TD]
[TD]
A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2022-4145
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
redisson -- redisson
[/TD]
[TD]
Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue. Some post-fix advice is available. Do NOT use Kryo5Codec as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the setRegistrationRequired(false) call. On the contrary, KryoCodec is safe to use. The fix applied to SerializationCodec only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating SerializationCodec please use the SerializationCodec(ClassLoader classLoader, Set allowedClasses) constructor to restrict the allowed classes for deserialization.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-42809
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
samsung_mobile -- samsung_mobile_devices
[/TD]
[TD]
Improper input validation vulnerability in Duo prior to SMR Oct-2023 Release 1 allows local attackers to launch privileged activities.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-30690
MISC[/TD]
[/TR]
[TR]
[TD]
schneider_electric -- c-bus_toolkit
[/TD]
[TD]
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause a path traversal issue when using the File Command.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5399
MISC[/TD]
[/TR]
[TR]
[TD]
schneider_electric -- c-bus_toolkit
[/TD]
[TD]
A CWE-269: Improper Privilege Management vulnerability exists that could cause a local privilege escalation when the transfer command is used.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5402
MISC[/TD]
[/TR]
[TR]
[TD]
schneider_electric -- ecostruxure_power_monitoring_expert
[/TD]
[TD]
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5391
MISC[/TD]
[/TR]
[TR]
[TD]
silicon_labs -- ember_znet
[/TD]
[TD]
TouchLink packets processed after timeout or out of range, due to Operation on a Resource after Expiration and Missing Release of Resource after Effective Lifetime, may allow a device to be added outside of valid TouchLink range or pairing duration. This issue affects Ember ZNet 7.1.x from 7.1.3 through 7.1.5 and 7.2.x from 7.2.0 through 7.2.3. Version 7.3 and later are unaffected.
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-41094
MISC[/TD]
[/TR]
[TR]
[TD]
snipe -- snipe-it
[/TD]
[TD]
Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5452
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
soft_serve -- soft_serve
[/TD]
[TD]
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the allow-keyless setting, and the public key requires additional client-side verification, for example using FIDO2 or GPG. This is due to insufficient validation of the public key step during the SSH request handshake, granting unauthorized access if the keyboard-interactive mode is used. An attacker could exploit this vulnerability by presenting manipulated SSH requests using keyboard-interactive authentication mode. This could potentially result in unauthorized access to Soft Serve. Users should upgrade to the latest Soft Serve version v0.6.2 to receive the patch for this issue. To work around this vulnerability without upgrading, users can temporarily disable keyboard-interactive SSH authentication using the allow-keyless setting.
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-43809
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
sourcecodester -- online_pizza_ordering_system
[/TD]
[TD]
A vulnerability has been found in SourceCodester Online Pizza Ordering System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/ajax.php?action=confirm_order. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The identifier of this vulnerability is VDB-241384.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5423
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
thingsboard -- thingboard
[/TD]
[TD]
ThingsBoard before 3.5 allows Server-Side Template Injection if users are allowed to modify an email template, because Apache FreeMarker supports freemarker.template.utility.Execute (for content sent to the /api/admin/settings endpoint).​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-45303
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
trellix_ -- trellix_endpoint_security
[/TD]
[TD]
A code injection vulnerability in Trellix ENS 10.7.0 April 2023 release and earlier allowed a local user to disable the ENS AMSI component via environment variables, leading to denial of service and/or the execution of arbitrary code.
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-3665
MISC[/TD]
[/TR]
[TR]
[TD]
urllib3 -- urllib3
[/TD]
[TD]
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-43804
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
vapor -- vapor
[/TD]
[TD]
Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-44386
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
vim -- vim
[/TD]
[TD]
NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5441
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
watchguard -- epdr​
[/TD]
[TD]
An issue was discovered in WatchGuard EPDR 8.0.21.0002. Due to a weak implementation of message handling between WatchGuard EPDR processes, it is possible to perform a Local Privilege Escalation on Windows by sending a crafted message to a named pipe.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-26236
CONFIRM[/TD]
[/TR]
[TR]
[TD]
watchguard -- epdr​
[/TD]
[TD]
An issue was discovered in WatchGuard EPDR 8.0.21.0002. It is possible to bypass the defensive capabilities by adding a registry key as SYSTEM.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-26237
CONFIRM[/TD]
[/TR]
[TR]
[TD]
watchguard -- epdr​
[/TD]
[TD]
An issue was discovered in WatchGuard EPDR 8.0.21.0002. It is possible to enable or disable defensive capabilities by sending a crafted message to a named pipe.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-26238
CONFIRM[/TD]
[/TR]
[TR]
[TD]
watchguard -- epdr​
[/TD]
[TD]
An issue was discovered in WatchGuard EPDR 8.0.21.0002. Due to a weak implementation of a password check, it is possible to obtain credentials to access the management console as a non-privileged user.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-26239
CONFIRM[/TD]
[/TR]
[TR]
[TD]
webkit -- webkit
[/TD]
[TD]
A use-after-free vulnerability exists in the MediaRecorder API of WebKit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability.
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-39928
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
wireshark -- wireshark
[/TD]
[TD]
RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via packet injection or crafted capture file​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-5371
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Sumo Social Share Boost plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-25033
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in BoldGrid Post and Page Builder by BoldGrid - Visual Drag and Drop Editor plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-25480
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in MakeStories Team MakeStories (for Google Web Stories) plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-27448
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Dipak C. Gajjar WP Super Minify plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-27615
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Gangesh Matta Simple Org Chart plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-40008
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Greg Ross Schedule Posts Calendar plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-40556
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in ??wp DX-auto-save-images plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-40671
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Remove/hide Author, Date, Category Like Entry-Meta plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-41650
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Andreas Heigl authLdap plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-41654
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Jules Colle, BDWM Responsive Gallery Grid plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-41659
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in CodePeople CP Blocks plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-41732
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in AWP Classifieds Team Ad Directory & Listings by AWP Classifieds plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-41801
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress​
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Laposta - Roel Bousardt Laposta Signup Basic plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-41950
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress
[/TD]
[TD]
A vulnerability classified as problematic has been found in WP Ultimate CSV Importer Plugin 3.7.2 on WordPress. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 3.7.3 is able to address this issue. The identifier of the patch is 13c30af721d3f989caac72dd0f56cf0dc40fad7e. It is recommended to upgrade the affected component. The identifier VDB-241317 was assigned to this vulnerability.​
[/TD]
[TD]
2023-10-05​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2015-10125
MISC
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress
[/TD]
[TD]
A vulnerability classified as critical was found in Easy2Map Photos Plugin 1.0.1 on WordPress. This vulnerability affects unknown code. The manipulation leads to sql injection. The attack can be initiated remotely. Upgrading to version 1.1.0 is able to address this issue. The patch is identified as 503d9ee2482d27c065f78d9546f076a406189908. It is recommended to upgrade the affected component. VDB-241318 is the identifier assigned to this vulnerability.​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2015-10126
MISC
MISC
MISC[/TD]
[/TR]
[TR]
[TD]
wordpress -- wordpress
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in P Royal Royal Elementor Addons and Templates plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2022-47175
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in FooPlugins Best WordPress Gallery Plugin - FooGallery plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-44233
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
wordpress -- wordpress
[/TD]
[TD]
Cross-Site Request Forgery (CSRF) vulnerability in Dylan Blokhuis Instant CSS plugin
[/TD]
[TD]
2023-10-06
[/TD]
[TD]
not yet calculated
[/TD]
[TD]CVE-2023-44243
MISC[/TD]
[/TR]
[TD]
[TR]
[TD]
zephyr -- zephyr
[/TD]
[TD]
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem​
[/TD]
[TD]
2023-10-06​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-3725
MISC[/TD]
[/TR]
[TR]
[TD]
zope_foundation -- zope
[/TD]
[TD]
Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6​
[/TD]
[TD]
2023-10-04​
[/TD]
[TD]
not yet calculated​
[/TD]
[TD]CVE-2023-44389
MISC
MISC
MISC[/TD]
[/TR]​
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
[/TD]
