Weekly Vulnerabilities Reports > January 16 to 22, 2023

Overview

483 new vulnerabilities reported during this period, including 94 critical vulnerabilities and 169 high severity vulnerabilities. This weekly summary report vulnerabilities in 524 products from 236 vendors including Oracle, Cisco, Adobe, Dell, and Apache. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "OS Command Injection", "Improper Input Validation", and "Out-of-bounds Write".

  • 404 reported vulnerabilities are remotely exploitables.
  • 163 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 277 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 74 reported vulnerabilities.
  • Totolink has the most reported critical vulnerabilities, with 7 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

94 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-01-22 CVE-2023-0435 Pyload Unspecified vulnerability in Pyload

Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.

9.8
2023-01-21 CVE-2023-22884 Apache Command Injection vulnerability in Apache Airflow

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

9.8
2023-01-20 CVE-2023-24028 Misp Project Unspecified vulnerability in Misp-Project Misp 2.4.167

In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.

9.8
2023-01-20 CVE-2023-23607 Dasherr Project Unrestricted Upload of File with Dangerous Type vulnerability in Dasherr Project Dasherr

erohtar/Dasherr is a dashboard for self-hosted services.

9.8
2023-01-20 CVE-2020-21152 Inxedu SQL Injection vulnerability in Inxedu 2.0.6

SQL Injection vulnerability in inxedu 2.0.6 allows attackers to execute arbitrary commands via the functionIds parameter to /saverolefunction.

9.8
2023-01-20 CVE-2020-22653 Ruckuswireless Unspecified vulnerability in Ruckuswireless products

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to exploit the official image signature to force injection unauthorized image signature.

9.8
2023-01-20 CVE-2020-22654 Ruckuswireless Unspecified vulnerability in Ruckuswireless products

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to bypass firmware image bad md5 checksum failed error.

9.8
2023-01-20 CVE-2020-22658 Ruckuswireless Unspecified vulnerability in Ruckuswireless products

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to switch completely to unauthorized image to be Boot as primary verified image.

9.8
2023-01-20 CVE-2020-23256 Electerm Project Unspecified vulnerability in Electerm Project Electerm 1.3.22

An issue was discovered in Electerm 1.3.22, allows attackers to execute arbitrary code via unverified request to electerms service.

9.8
2023-01-20 CVE-2020-29297 Online Food Ordering System Project SQL Injection vulnerability in Online Food Ordering System Project Online Food Ordering System 1.0

Multiple SQL Injection vulnerabilities in tourist5 Online-food-ordering-system 1.0.

9.8
2023-01-20 CVE-2022-48120 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0/4.0

SQL Injection vulnerability in kishan0725 Hospital Management System thru commit 4770d740f2512693ef8fd9aa10a8d17f79fad9bd (on March 13, 2021), allows attackers to execute arbitrary commands via the contact and doctor parameters to /search.php.

9.8
2023-01-20 CVE-2022-48152 Remoteclinic SQL Injection vulnerability in Remoteclinic Remote Clinic 2.0

SQL Injection vulnerability in RemoteClinic 2.0 allows attackers to execute arbitrary commands and gain sensitive information via the id parameter to /medicines/profile.php.

9.8
2023-01-20 CVE-2023-23488 Strangerstudios SQL Injection vulnerability in Strangerstudios Paid Memberships PRO

The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.

9.8
2023-01-20 CVE-2023-23489 Sandhillsdev SQL Injection vulnerability in Sandhillsdev Easy Digital Downloads

The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action.

9.8
2023-01-20 CVE-2021-26642 Xpressengine Unrestricted Upload of File with Dangerous Type vulnerability in Xpressengine

When uploading an image file to a bulletin board developed with XpressEngine, a vulnerability in which an arbitrary file can be uploaded due to insufficient verification of the file.

9.8
2023-01-20 CVE-2021-26644 Mangboard SQL Injection vulnerability in Mangboard WP 2.0.3

SQL-Injection vulnerability caused by the lack of verification of input values for the table name of DB used by the Mangboard bulletin board.

9.8
2023-01-20 CVE-2022-48121 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the rsabits parameter in the setting/delStaticDhcpRules function.

9.8
2023-01-20 CVE-2022-48122 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the dayvalid parameter in the setting/delStaticDhcpRules function.

9.8
2023-01-20 CVE-2022-48123 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the servername parameter in the setting/delStaticDhcpRules function.

9.8
2023-01-20 CVE-2022-48124 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the FileName parameter in the setting/setOpenVpnCertGenerationCfg function.

9.8
2023-01-20 CVE-2022-48125 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the password parameter in the setting/setOpenVpnCertGenerationCfg function.

9.8
2023-01-20 CVE-2022-48126 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the username parameter in the setting/setOpenVpnCertGenerationCfg function.

9.8
2023-01-20 CVE-2023-20025 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Small Business RV042 Series Routers could allow an unauthenticated, remote attacker to bypass authentication on the affected device. This vulnerability is due to incorrect user input validation of incoming HTTP packets.

9.8
2023-01-19 CVE-2022-46476 Dlink OS Command Injection vulnerability in Dlink Dir-859 A1 Firmware 1.05

D-Link DIR-859 A1 1.05 was discovered to contain a command injection vulnerability via the service= variable in the soapcgi_main function.

9.8
2023-01-19 CVE-2023-22741 Signalwire Classic Buffer Overflow vulnerability in Signalwire Sofia-Sip

Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification.

9.8
2023-01-19 CVE-2022-46887 Nexusphp SQL Injection vulnerability in Nexusphp 1.5

Multiple SQL injection vulnerabilities in NexusPHP before 1.7.33 allow remote attackers to execute arbitrary SQL commands via the conuser[] parameter in takeconfirm.php; the delcheater parameter in cheaterbox.php; or the usernw parameter in nowarn.php.

9.8
2023-01-19 CVE-2022-47740 Seltmann Webdesign SQL Injection vulnerability in Seltmann-Webdesign Content Management System 6.0

Seltmann GmbH Content Management System 6 is vulnerable to SQL Injection via /index.php.

9.8
2023-01-19 CVE-2022-47105 Jeecg SQL Injection vulnerability in Jeecg Boot 3.4.4

Jeecg-boot v3.4.4 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData.

9.8
2023-01-19 CVE-2013-10014 2Moons Project SQL Injection vulnerability in 2Moons Project 2Moons

A vulnerability classified as critical has been found in oktora24 2moons.

9.8
2023-01-19 CVE-2014-125083 Anant SQL Injection vulnerability in Anant Google-Enterprise-Connector-Dctm

A vulnerability has been found in Anant Labs google-enterprise-connector-dctm up to 3.2.3 and classified as critical.

9.8
2023-01-19 CVE-2015-10070 Twiddit Project SQL Injection vulnerability in Twiddit Project Twiddit

A vulnerability was found in copperwall Twiddit.

9.8
2023-01-19 CVE-2015-10069 Cash Machine Project SQL Injection vulnerability in Cash-Machine Project Cash-Machine

A vulnerability was found in viakondratiuk cash-machine.

9.8
2023-01-19 CVE-2017-20174 Getkirby Injection vulnerability in Getkirby Webmentions

A vulnerability was found in bastianallgeier Kirby Webmentions Plugin and classified as problematic.

9.8
2023-01-18 CVE-2010-10009 Ptome Project SQL Injection vulnerability in Ptome Project Ptome

A vulnerability was found in frioux ptome.

9.8
2023-01-18 CVE-2020-35326 Inxedu SQL Injection vulnerability in Inxedu 2.0.6

SQL Injection vulnerability in file /inxedu/demo_inxedu_open/src/main/resources/mybatis/inxedu/website/WebsiteImagesMapper.xml in inxedu 2.0.6 via the id value.

9.8
2023-01-18 CVE-2022-47966 Zohocorp Unspecified vulnerability in Zohocorp products

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.

9.8
2023-01-18 CVE-2011-10001 Phoenixcf Project SQL Injection vulnerability in Phoenixcf Project Phoenixcf

A vulnerability was found in iamdroppy phoenixcf.

9.8
2023-01-18 CVE-2012-10006 Sigeprosi Project SQL Injection vulnerability in Sigeprosi Project Sigeprosi

A vulnerability classified as critical has been found in ale7714 sigeprosi.

9.8
2023-01-18 CVE-2017-20173 Contentmap Project SQL Injection vulnerability in Contentmap Project Contentmap

A vulnerability was found in AlexRed contentmap.

9.8
2023-01-18 CVE-2017-20172 Soundslike Project SQL Injection vulnerability in Soundslike Project Soundslike

A vulnerability was found in ridhoq soundslike.

9.8
2023-01-18 CVE-2022-41417 Blogengine Missing Authorization vulnerability in Blogengine Blogengine.Net 3.3.8.0

BlogEngine.NET v3.3.8.0 allows an attacker to create any folder with "files" prefix under ~/App_Data/.

9.8
2023-01-18 CVE-2015-10068 Movify J Project SQL Injection vulnerability in Movify-J Project Movify-J

A vulnerability classified as critical was found in danynab movify-j.

9.8
2023-01-18 CVE-2022-34442 Dell Use of Hard-coded Credentials vulnerability in Dell EMC Secure Connect Gateway Policy Manager 5.10.00.00/5.12.00.00

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a contain a Hard-coded Cryptographic Key vulnerability.

9.8
2023-01-18 CVE-2010-10007 Click Reminder Project SQL Injection vulnerability in Click-Reminder Project Click-Reminder

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in lierdakil click-reminder.

9.8
2023-01-18 CVE-2022-41989 Sewio Out-of-bounds Write vulnerability in Sewio Real-Time Location System Studio

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not validate the length of RTLS report payloads during communication.

9.8
2023-01-18 CVE-2022-45444 Sewio Use of Hard-coded Credentials vulnerability in Sewio Real-Time Location System Studio

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 contains hard-coded passwords for select users in the application’s database.

9.8
2023-01-18 CVE-2014-125082 Redports Project SQL Injection vulnerability in Redports Project Redports

A vulnerability was found in nivit redports.

9.8
2023-01-18 CVE-2015-10066 Wuersch Project SQL Injection vulnerability in Wuersch Project Wuersch

A vulnerability was found in tynx wuersch and classified as critical.

9.8
2023-01-18 CVE-2022-46732 GE Unspecified vulnerability in GE Proficy Historian

Even if the authentication fails for local service authentication, the requested command could still execute regardless of authentication status.

9.8
2023-01-18 CVE-2023-21890 Oracle Unspecified vulnerability in Oracle Communications Converged Application Server 7.1.0/8.0.0

Vulnerability in the Oracle Communications Converged Application Server product of Oracle Communications (component: Core).

9.8
2023-01-17 CVE-2014-125081 Debutsav Project SQL Injection vulnerability in Debutsav Project Debutsav

A vulnerability, which was classified as critical, has been found in risheesh debutsav.

9.8
2023-01-17 CVE-2015-10065 Find Project Classic Buffer Overflow vulnerability in Find Project Find

A vulnerability classified as critical was found in AenBleidd FiND.

9.8
2023-01-17 CVE-2017-20171 Apersistence Project SQL Injection vulnerability in Apersistence Project Apersistence

A vulnerability classified as critical has been found in PrivateSky apersistence.

9.8
2023-01-17 CVE-2022-23521 GIT SCM Integer Overflow or Wraparound vulnerability in Git-Scm GIT

Git is distributed revision control system.

9.8
2023-01-17 CVE-2022-41903 GIT SCM Integer Overflow or Wraparound vulnerability in Git-Scm GIT

Git is distributed revision control system.

9.8
2023-01-17 CVE-2023-22732 Shopware Insufficient Session Expiration vulnerability in Shopware

Shopware is an open source commerce platform based on Symfony Framework and Vue js.

9.8
2023-01-17 CVE-2022-43976 GE Unspecified vulnerability in GE MS 3000 Firmware

An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0.

9.8
2023-01-17 CVE-2022-43977 GE Unspecified vulnerability in GE MS 3000 Firmware

An issue was discovered on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0.

9.8
2023-01-17 CVE-2022-46475 Dlink Out-of-bounds Write vulnerability in Dlink Dir-645 Firmware 1.06B01Beta01

D-Link DIR 645A1 1.06B01_Beta01 was discovered to contain a stack overflow via the service= variable in the genacgi_main function.

9.8
2023-01-17 CVE-2023-22727 Cakephp SQL Injection vulnerability in Cakephp

CakePHP is a development framework for PHP web apps.

9.8
2023-01-17 CVE-2015-10062 Galaxyproject Injection vulnerability in Galaxyproject Galaxy

A vulnerability, which was classified as problematic, was found in galaxy-data-resource up to 14.10.0.

9.8
2023-01-17 CVE-2015-10063 Theradsystem Project SQL Injection vulnerability in Theradsystem Project Theradsystem

A vulnerability was found in saemorris TheRadSystem and classified as critical.

9.8
2023-01-17 CVE-2015-10064 Pokemon Database PHP Project SQL Injection vulnerability in Pokemon-Database-PHP Project Pokemon-Database-PHP

A vulnerability was found in VictorFerraresi pokemon-database-php.

9.8
2023-01-17 CVE-2022-23739 Github Incorrect Authorization vulnerability in Github Enterprise Server

An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps.

9.8
2023-01-17 CVE-2022-47853 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

TOTOlink A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection Vulnerability in the httpd service.

9.8
2023-01-17 CVE-2013-10013 Authenticator Plugin Project SQL Injection vulnerability in Authenticator Plugin Project Authenticator Plugin

A vulnerability was found in Bricco Authenticator Plugin.

9.8
2023-01-17 CVE-2015-10061 Trabalho Web2 Project SQL Injection vulnerability in Trabalho-Web2 Project Trabalho-Web2

A vulnerability was found in evandro-machado Trabalho-Web2.

9.8
2023-01-17 CVE-2016-15021 Columbia SQL Injection vulnerability in Columbia ALS Data Browser 1

A vulnerability was found in nickzren alsdb.

9.8
2023-01-17 CVE-2017-20170 Parontalli Project SQL Injection vulnerability in Parontalli Project Parontalli

A vulnerability was found in ollpu parontalli.

9.8
2023-01-17 CVE-2015-10060 Mnbikeways Database Project SQL Injection vulnerability in Mnbikeways Database Project Mnbikeways Database

A vulnerability was found in MNBikeways database and classified as critical.

9.8
2023-01-17 CVE-2023-22279 ATE Mahoroba OS Command Injection vulnerability in Ate-Mahoroba products

MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allow a remote unauthenticated attacker to execute an arbitrary OS command.

9.8
2023-01-17 CVE-2023-22303 TP Link Improper Authentication vulnerability in Tp-Link Tl-Sg105Pe Firmware 1.0.0

TP-Link SG105PE firmware prior to 'TL-SG105PE(UN) 1.0_1.0.0 Build 20221208' contains an authentication bypass vulnerability.

9.8
2023-01-17 CVE-2023-22357 Omron Unspecified vulnerability in Omron Cp1L-El20Dr-D Firmware

Active debug code exists in OMRON CP1L-EL20DR-D all versions, which may lead to a command that is not specified in FINS protocol being executed without authentication.

9.8
2023-01-17 CVE-2023-0332 Online Food Ordering System Project SQL Injection vulnerability in Online Food Ordering System Project Online Food Ordering System 2.0

A vulnerability was found in SourceCodester Online Food Ordering System 2.0.

9.8
2023-01-16 CVE-2015-10056 Vinylmaps Project SQL Injection vulnerability in Vinylmaps Project Vinylmaps

A vulnerability was found in 2071174A vinylmap.

9.8
2023-01-16 CVE-2015-10057 Little Apps Improper Access Control vulnerability in Little-Apps Little Software Stats

A vulnerability was found in Little Apps Little Software Stats.

9.8
2023-01-16 CVE-2014-125080 Faplanet Project Path Traversal vulnerability in Faplanet Project Faplanet

A vulnerability has been found in frontaccounting faplanet and classified as critical.

9.8
2023-01-16 CVE-2015-10054 P2Manage Project SQL Injection vulnerability in P2Manage Project P2Manage

A vulnerability, which was classified as critical, was found in githuis P2Manage.

9.8
2023-01-16 CVE-2015-10055 Picturethiswebserver Project SQL Injection vulnerability in Picturethiswebserver Project Picturethiswebserver

A vulnerability was found in PictureThisWebServer and classified as critical.

9.8
2023-01-16 CVE-2022-4060 Odude Unspecified vulnerability in Odude User Post Gallery 2.19

The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it.

9.8
2023-01-16 CVE-2022-4447 Fontsy Project Unspecified vulnerability in Fontsy Project Fontsy 1.8.6

The Fontsy WordPress plugin through 1.8.6 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

9.8
2023-01-16 CVE-2023-0324 Online Tours Travels Management System Project SQL Injection vulnerability in Online Tours & Travels Management System Project Online Tours & Travels Management System 1.0

A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0 and classified as critical.

9.8
2023-01-16 CVE-2022-4890 Predictapp Project Deserialization of Untrusted Data vulnerability in Predictapp Project Predictapp

A vulnerability, which was classified as critical, has been found in abhilash1985 PredictApp.

9.8
2023-01-16 CVE-2015-10053 Prodigasistemas SQL Injection vulnerability in Prodigasistemas Curupira

A vulnerability classified as critical has been found in prodigasistemas curupira up to 0.1.3.

9.8
2023-01-16 CVE-2018-25076 Events Project SQL Injection vulnerability in Events Project Events

A vulnerability classified as critical was found in Events Extension on BigTree.

9.8
2023-01-16 CVE-2021-4313 Nethserver Phonenehome Project SQL Injection vulnerability in Nethserver-Phonenehome Project Nethserver-Phonenehome

A vulnerability was found in NethServer phonenehome.

9.8
2023-01-16 CVE-2013-10012 Clan7Ups Project SQL Injection vulnerability in Clan7Ups Project Clan7Ups

A vulnerability, which was classified as critical, was found in antonbolling clan7ups.

9.8
2023-01-16 CVE-2016-15020 Liftkit Database Library Project SQL Injection vulnerability in Liftkit Database Library Project Liftkit Database Library

A vulnerability was found in liftkit database up to 2.13.1.

9.8
2023-01-18 CVE-2022-46733 Sewio Cross-site Scripting vulnerability in Sewio Real-Time Location System Studio

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site scripting in its backup services.

9.6
2023-01-20 CVE-2020-22657 Ruckuswireless Improper Authentication vulnerability in Ruckuswireless products

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to perform WEB GUI login authentication bypass.

9.1
2023-01-20 CVE-2023-22964 Zohocorp Improper Authentication vulnerability in Zohocorp Manageengine Servicedesk Plus MSP 10.6/13.0

Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.

9.1
2023-01-20 CVE-2022-40267 Mitsubishielectric Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Mitsubishielectric products

Predictable Seed in Pseudo-Random Number Generator (PRNG) vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 17X**** or later, and versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 179**** and prior, and versions 1.074 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS)) with serial number 17X**** or later, and versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS)) with serial number 179**** and prior, and versions 1.074 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DSS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-xMy/z (x=24,40,60, y=T,R, z=ES,ESS) versions 1.042 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-xMy/ES-A (x=24,40,60, y=T,R) versions 1.043 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-xMy/z (x=30,40,60,80, y=T,R, z=ES,ESS) versions 1.003 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MR/DS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU all versions, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU all versions allows a remote unauthenticated attacker to access the Web server function by guessing the random numbers used for authentication from several used random numbers.

9.1
2023-01-16 CVE-2022-4101 Images Optimize AND Upload CF7 Project Unspecified vulnerability in Images Optimize and Upload CF7 Project Images Optimize and Upload CF7 2.1.4

The Images Optimize and Upload CF7 WordPress plugin through 2.1.4 does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack.

9.1
2023-01-17 CVE-2022-36760 Apache HTTP Request Smuggling vulnerability in Apache Http Server

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to.

9.0

169 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-01-21 CVE-2020-36655 Yiiframework Code Injection vulnerability in Yiiframework GII

Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field.

8.8
2023-01-20 CVE-2023-0052 Sauter Controls Missing Authentication for Critical Function vulnerability in Sauter-Controls products

SAUTER Controls Nova 200–220 Series with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior allows the execution of commands without credentials.

8.8
2023-01-20 CVE-2023-22726 ACT Project Path Traversal vulnerability in ACT Project ACT

act is a project which allows for local running of github actions.

8.8
2023-01-20 CVE-2022-3918 Apple Injection vulnerability in Apple Swift Foundation

A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF ( ) injection in URLRequest headers.

8.8
2023-01-20 CVE-2021-29368 Cuppacms Session Fixation vulnerability in Cuppacms

Session fixation vulnerability in CuppaCMS thru commit 4c9b742b23b924cf4c1f943f48b278e06a17e297 on November 12, 2019 allows attackers to gain access to arbitrary user sessions.

8.8
2023-01-20 CVE-2022-45748 Assimp Use After Free vulnerability in Assimp 5.1.4

An issue was discovered with assimp 5.1.4, a use after free occurred in function ColladaParser::ExtractDataObjectFromChannel in file /code/AssetLib/Collada/ColladaParser.cpp.

8.8
2023-01-20 CVE-2023-0101 Tenable Improper Privilege Management vulnerability in Tenable Nessus

A privilege escalation vulnerability was identified in Nessus versions 8.10.1 through 8.15.8 and 10.0.0 through 10.4.1.

8.8
2023-01-20 CVE-2023-23490 AYS PRO SQL Injection vulnerability in Ays-Pro Survey Maker

The Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the 'surveys_ids' parameter of its 'ays_surveys_export_json' action.

8.8
2023-01-20 CVE-2023-23492 Idehweb SQL Injection vulnerability in Idehweb Login With Phone Number

The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL injection vulnerability in the 'ID' parameter of its 'lwp_forgot_password' action.

8.8
2023-01-20 CVE-2023-23596 Jc21 OS Command Injection vulnerability in Jc21 Nginx Proxy Manager

jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection.

8.8
2023-01-20 CVE-2023-23691 Dell HTTP Request Smuggling vulnerability in Dell products

Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability.

8.8
2023-01-20 CVE-2022-20964 Cisco OS Command Injection vulnerability in Cisco Identity Services Engine

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system. This vulnerability is due to improper validation of user input within requests as part of the web-based management interface.

8.8
2023-01-20 CVE-2023-20010 Cisco SQL Injection vulnerability in Cisco Unified Communications Manager

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface inadequately validates user input.

8.8
2023-01-20 CVE-2023-20038 Cisco Use of Hard-coded Credentials vulnerability in Cisco Industrial Network Director

A vulnerability in the monitoring application of Cisco Industrial Network Director could allow an authenticated, local attacker to access a static secret key used to store both local data and credentials for accessing remote systems. This vulnerability is due to a static key value stored in the application used to encrypt application data and remote credentials.

8.8
2023-01-19 CVE-2022-47766 Popojicms Unrestricted Upload of File with Dangerous Type vulnerability in Popojicms 2.0.1

PopojiCMS v2.0.1 backend plugin function has a file upload vulnerability.

8.8
2023-01-19 CVE-2022-47745 Easycorp SQL Injection vulnerability in Easycorp Zentao

ZenTao 16.4 to 18.0.beta1 is vulnerable to SQL injection.

8.8
2023-01-18 CVE-2022-45923 Opentext Deserialization of Untrusted Data vulnerability in Opentext Extended ECM

An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803).

8.8
2023-01-18 CVE-2022-45927 Opentext Authorization Bypass Through User-Controlled Key vulnerability in Opentext Extended ECM

An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803).

8.8
2023-01-18 CVE-2023-0164 Orangescrum OS Command Injection vulnerability in Orangescrum 2.0.11

OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server.

8.8
2023-01-18 CVE-2022-45922 Opentext Unspecified vulnerability in Opentext Extended ECM 21.1/22.1

An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803).

8.8
2023-01-18 CVE-2022-45926 Opentext Server-Side Request Forgery (SSRF) vulnerability in Opentext Extended ECM

An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803).

8.8
2023-01-18 CVE-2022-45928 Opentext Unspecified vulnerability in Opentext Extended ECM

A remote OScript execution issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803).

8.8
2023-01-18 CVE-2023-0242 Rapid7 Missing Authorization vulnerability in Rapid7 Velociraptor

Rapid7 Velociraptor allows users to be created with different privileges on the server.

8.8
2023-01-18 CVE-2022-34456 Dell Code Injection vulnerability in Dell EMC Metro Node

Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability.

8.8
2023-01-18 CVE-2023-21832 Oracle Unspecified vulnerability in Oracle BI Publisher 12.2.1.4.0/5.9.0.0.0/6.4.0.0.0

Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: Security).

8.8
2023-01-18 CVE-2023-21846 Oracle Unspecified vulnerability in Oracle BI Publisher 12.2.1.4.0/5.9.0.0.0/6.4.0.0.0

Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: Security).

8.8
2023-01-18 CVE-2023-21848 Oracle Unspecified vulnerability in Oracle Communications Convergence 3.0.3.1.0

Vulnerability in the Oracle Communications Convergence product of Oracle Communications Applications (component: Admin Configuration).

8.8
2023-01-17 CVE-2023-22731 Shopware Code Injection vulnerability in Shopware

Shopware is an open source commerce platform based on Symfony Framework and Vue js.

8.8
2023-01-17 CVE-2022-4621 Panasonic Cross-Site Request Forgery (CSRF) vulnerability in Panasonic products

Panasonic Sanyo CCTV Network Cameras versions 1.02-05 and 2.03-0x are vulnerable to CSRFs that can be exploited to allow an attacker to perform changes with administrator level privileges.

8.8
2023-01-17 CVE-2022-46891 ARM Use After Free vulnerability in ARM products

An issue was discovered in the Arm Mali GPU Kernel Driver.

8.8
2023-01-17 CVE-2022-30544 Hyumika Cross-Site Request Forgery (CSRF) vulnerability in Hyumika Openstreetmap

Cross-Site Request Forgery (CSRF) in MiKa's OSM – OpenStreetMap plugin <= 6.0.1 versions.

8.8
2023-01-16 CVE-2022-43719 Apache Cross-Site Request Forgery (CSRF) vulnerability in Apache Superset

Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery.

8.8
2023-01-16 CVE-2023-0315 Froxlor Command Injection vulnerability in Froxlor

Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.

8.8
2023-01-20 CVE-2023-20020 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the Device Management Servlet application of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper input validation when parsing HTTP requests.

8.6
2023-01-20 CVE-2021-37500 Reprisesoftware Path Traversal vulnerability in Reprisesoftware Reprise License Manager

Directory traversal vulnerability in Reprise License Manager (RLM) web interface before 14.2BL4 in the diagnostics function that allows RLM users with sufficient privileges to overwrite any file the on the server.

8.1
2023-01-18 CVE-2022-45924 Opentext Unspecified vulnerability in Opentext Extended ECM

An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803).

8.1
2023-01-18 CVE-2015-10067 Ssharpsmartthreadpool Project Race Condition vulnerability in Ssharpsmartthreadpool Project Ssharpsmartthreadpool

A vulnerability was found in oznetmaster SSharpSmartThreadPool.

8.1
2023-01-18 CVE-2022-45127 Sewio Cross-Site Request Forgery (CSRF) vulnerability in Sewio Real-Time Location System Studio

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site request forgery in its backup services.

8.1
2023-01-18 CVE-2022-47395 Sewio Cross-Site Request Forgery (CSRF) vulnerability in Sewio Real-Time Location System Studio

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site request forgery in its monitor services.

8.1
2023-01-18 CVE-2022-46331 GE Unspecified vulnerability in GE Proficy Historian

An unauthorized user could possibly delete any file on the system.

8.1
2023-01-18 CVE-2023-21828 Oracle Unspecified vulnerability in Oracle Hospitality Reporting and Analytics 9.1.0

Vulnerability in the Oracle Hospitality Reporting and Analytics product of Oracle Food and Beverage Applications (component: Reporting).

8.1
2023-01-18 CVE-2023-21862 Oracle Unspecified vulnerability in Oracle web Services Manager 12.2.1.4.0

Vulnerability in the Oracle Web Services Manager product of Oracle Fusion Middleware (component: XML Security component).

8.1
2023-01-18 CVE-2023-21886 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

8.1
2023-01-17 CVE-2023-22286 ATE Mahoroba Cross-Site Request Forgery (CSRF) vulnerability in Ate-Mahoroba products

Cross-site request forgery (CSRF) vulnerability in MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allows a remote unauthenticated attacker to hijack the user authentication and conduct user's unintended operations by having a user to view a malicious page while logged in.

8.1
2023-01-19 CVE-2021-37774 TP Link Unspecified vulnerability in Tp-Link Tl-Wdr7660 Firmware 2.0.30

An issue was discovered in function httpProcDataSrv in TL-WDR7660 2.0.30 that allows attackers to execute arbitrary code.

8.0
2023-01-17 CVE-2022-2251 Gitlab OS Command Injection vulnerability in Gitlab Runner

Improper sanitization of branch names in GitLab Runner affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates a branch with a specially crafted name and gets another user to trigger a pipeline to execute commands in the runner as that other user.

8.0
2023-01-17 CVE-2022-46648 Ruby GIT Project
Debian
Code Injection vulnerability in multiple products

ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product.

8.0
2023-01-17 CVE-2022-47318 Ruby GIT Project
Debian
Fedoraproject
ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product.
8.0
2023-01-17 CVE-2023-22304 Pixela OS Command Injection vulnerability in Pixela Pix-Rt100 Firmware 2.1.1Eq101/2.1.2Eq101

OS command injection vulnerability in PIX-RT100 versions RT100_TEQ_2.1.1_EQ101 and RT100_TEQ_2.1.2_EQ101 allows a network-adjacent attacker who can access product settings to execute an arbitrary OS command.

8.0
2023-01-21 CVE-2023-0433 VIM Heap-based Buffer Overflow vulnerability in VIM

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

7.8
2023-01-21 CVE-2023-24039 Opengroup Out-of-bounds Write vulnerability in Opengroup Common Desktop Environment 1.6

A stack-based buffer overflow in ParseColors in libXm in Common Desktop Environment 1.6 can be exploited by local low-privileged users via the dtprintinfo setuid binary to escalate their privileges to root on Solaris 10 systems.

7.8
2023-01-20 CVE-2020-25502 Cybereason Uncontrolled Search Path Element vulnerability in Cybereason Endpoint Detection and Response 20.2.0

Cybereason EDR version 19.1.282 and above, 19.2.182 and above, 20.1.343 and above, and 20.2.X and above has a DLL hijacking vulnerability, which could allow a local attacker to execute code with elevated privileges.

7.8
2023-01-20 CVE-2021-33641 Openeuler Use After Free vulnerability in Openeuler Byacc

When processing files, malloc stores the data of the current line.

7.8
2023-01-20 CVE-2022-47021 Xiph
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

A null pointer dereference issue was discovered in functions op_get_data and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows attackers to cause denial of service or other unspecified impacts.

7.8
2023-01-20 CVE-2022-47024 VIM NULL Pointer Dereference vulnerability in VIM

A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts.

7.8
2023-01-20 CVE-2023-23143 Gpac Classic Buffer Overflow vulnerability in Gpac 2.3Devrev1G4669Ba229Master

Buffer overflow vulnerability in function avc_parse_slice in file media_tools/av_parsers.c.

7.8
2023-01-20 CVE-2023-23145 Gpac Memory Leak vulnerability in Gpac 2.2Rev0Gab012Bbfbmaster

GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a memory leak in lsr_read_rare_full function.

7.8
2023-01-20 CVE-2022-25631 Broadcom Unspecified vulnerability in Broadcom Symantec Endpoint Protection

Symantec Endpoint Protection, prior to 14.3 RU6 (14.3.9210.6000), may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated

7.8
2023-01-19 CVE-2022-3085 Fujielectric Stack-based Buffer Overflow vulnerability in Fujielectric Tellus Lite V-Simulator 4.0.12.0

Fuji Electric Tellus Lite V-Simulator versions 4.0.12.0 and prior are vulnerable to a stack-based buffer overflow which may allow an attacker to execute arbitrary code.

7.8
2023-01-18 CVE-2022-47990 IBM Classic Buffer Overflow vulnerability in IBM AIX and Vios

IBM AIX 7.1, 7.2, 7.3 and VIOS , 3.1 could allow a non-privileged local user to exploit a vulnerability in X11 to cause a buffer overflow that could result in a denial of service or arbitrary code execution.

7.8
2023-01-18 CVE-2023-21579 Adobe Integer Overflow or Wraparound vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-01-18 CVE-2023-21604 Adobe Stack-based Buffer Overflow vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-01-18 CVE-2023-21605 Adobe Heap-based Buffer Overflow vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-01-18 CVE-2023-21606 Adobe Out-of-bounds Write vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-01-18 CVE-2023-21607 Adobe Improper Input Validation vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-01-18 CVE-2023-21608 Adobe Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-01-18 CVE-2023-21609 Adobe Out-of-bounds Write vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-01-18 CVE-2023-21610 Adobe Stack-based Buffer Overflow vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-01-18 CVE-2023-21611 Adobe Exposure of Resource to Wrong Sphere vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user.

7.8
2023-01-18 CVE-2023-21612 Adobe Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user.

7.8
2023-01-18 CVE-2023-22592 IBM Incorrect Permission Assignment for Critical Resource vulnerability in IBM Robotic Process Automation for Cloud PAK

IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.4 could allow a local user to perform unauthorized actions due to insufficient permission settings.

7.8
2023-01-18 CVE-2023-22809 Sudo Project
Debian
Fedoraproject
Apple
Improper Privilege Management vulnerability in multiple products

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process.

7.8
2023-01-18 CVE-2022-34457 Dell Incorrect Permission Assignment for Critical Resource vulnerability in Dell Command|Configure

Dell command configuration, version 4.8 and prior, contains improper folder permission when installed not to default path but to non-secured path which leads to privilege escalation.

7.8
2023-01-18 CVE-2022-34462 Dell Use of Hard-coded Credentials vulnerability in Dell EMC Secure Connect Gateway Policy Manager 5.10.00.00/5.12.00.00

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a Hard-coded Password Vulnerability.

7.8
2023-01-18 CVE-2022-32490 Dell Improper Input Validation vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

7.8
2023-01-18 CVE-2022-34460 Dell Improper Input Validation vulnerability in Dell products

Prior Dell BIOS versions contain an improper input validation vulnerability.

7.8
2023-01-18 CVE-2023-0358 Gpac Use After Free vulnerability in Gpac

Use After Free in GitHub repository gpac/gpac prior to 2.3.0-DEV.

7.8
2023-01-17 CVE-2022-41953 GIT SCM Untrusted Search Path vulnerability in Git-Scm GIT

Git GUI is a convenient graphical tool that comes with Git for Windows.

7.8
2023-01-17 CVE-2022-3650 Redhat Unspecified vulnerability in Redhat Ceph 16.2.9

A privilege escalation flaw was found in Ceph.

7.8
2023-01-17 CVE-2023-22366 Omron Access of Uninitialized Pointer vulnerability in Omron Cx-Motion-Mch Firmware

CX-Motion-MCH v2.32 and earlier contains an access of uninitialized pointer vulnerability.

7.8
2023-01-17 CVE-2022-3087 Fujielectric Out-of-bounds Write vulnerability in Fujielectric Tellus Lite V-Simulator 4.0.12.0

Fuji Electric Tellus Lite V-Simulator versions 4.0.12.0 and prior are vulnerable to an out-of-bounds write which may allow an attacker to execute arbitrary code.

7.8
2023-01-16 CVE-2022-4258 Hima Unquoted Search Path or Element vulnerability in Hima products

In multiple versions of HIMA PC based Software an unquoted Windows search path vulnerability might allow local users to gain privileges via a malicious .exe file and gain full access to the system.

7.8
2023-01-18 CVE-2023-21826 Oracle Unspecified vulnerability in Oracle Hospitality Reporting and Analytics 9.1.0

Vulnerability in the Oracle Hospitality Reporting and Analytics product of Oracle Food and Beverage Applications (component: Reporting).

7.6
2023-01-17 CVE-2022-23538 Sylabs Insufficiently Protected Credentials vulnerability in Sylabs Singularity Container Services Library

github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service.

7.6
2023-01-17 CVE-2023-23637 Unistra Cross-site Scripting vulnerability in Unistra Impatient

IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder.

7.6
2023-01-22 CVE-2023-0434 Pyload Improper Input Validation vulnerability in Pyload

Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.

7.5
2023-01-21 CVE-2023-22617 Powerdns Uncontrolled Recursion vulnerability in Powerdns Recursor 4.8.0

A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode.

7.5
2023-01-21 CVE-2023-24042 Lightftp Project Race Condition vulnerability in Lightftp Project Lightftp 1.1

A race condition in LightFTP through 2.2 allows an attacker to achieve path traversal via a malformed FTP request.

7.5
2023-01-21 CVE-2023-24038 Html Stripscripts Project
Debian
The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_style ReDoS because of catastrophic backtracking for HTML content with certain style attributes.
7.5
2023-01-20 CVE-2023-24025 Pqclean Project Improper Verification of Cryptographic Signature vulnerability in Pqclean Project Pqclean

CRYSTALS-DILITHIUM (in Post-Quantum Cryptography Selected Algorithms 2022) in PQClean d03da30 may allow universal forgeries of digital signatures via a template side-channel attack because of intermediate data leakage of one vector.

7.5
2023-01-20 CVE-2022-1109 Lenovo Incorrect Default Permissions vulnerability in Lenovo Leyun

An incorrect default permissions vulnerability in Lenovo Leyun cloud music application could allow denial of service.

7.5
2023-01-20 CVE-2020-22655 Ruckuswireless Unspecified vulnerability in Ruckuswireless products

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to persistently to writing unauthorized image.

7.5
2023-01-20 CVE-2020-22656 Ruckuswireless Unspecified vulnerability in Ruckuswireless products

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to make the Secure Boot in failed attempts state (rfwd).

7.5
2023-01-20 CVE-2020-22659 Ruckuswireless Unspecified vulnerability in Ruckuswireless products

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to exploit the official image signature to force injection unauthorized image signature.

7.5
2023-01-20 CVE-2020-22660 Ruckuswireless Unspecified vulnerability in Ruckuswireless products

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to force bypass Secure Boot failed attempts and run temporarily the previous Backup image.

7.5
2023-01-20 CVE-2020-22662 Ruckuswireless Command Injection vulnerability in Ruckuswireless products

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to change and set unauthorized "illegal region code" by remote code Execution command injection which leads to run illegal frequency with maxi output power.

7.5
2023-01-20 CVE-2022-47012 Solarwinds Use of Uninitialized Resource vulnerability in Solarwinds Dynamips 0.2.21

Use of uninitialized variable in function gen_eth_recv in GNS3 dynamips 0.2.21.

7.5
2023-01-20 CVE-2022-48279 Trustwave
Debian
Interpretation Conflict vulnerability in multiple products

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall.

7.5
2023-01-20 CVE-2023-24021 Trustwave
Debian
Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection.
7.5
2023-01-20 CVE-2022-38112 Solarwinds Cleartext Storage of Sensitive Information vulnerability in Solarwinds Database Performance Analyzer

In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.

7.5
2023-01-20 CVE-2022-47732 Yeastar Use of Password Hash With Insufficient Computational Effort vulnerability in Yeastar N412 Firmware and N824 Firmware

In Yeastar N412 and N824 Configuration Panel 42.x and 45.x, an unauthenticated attacker can create backup file and download it, revealing admin hash, allowing, once cracked, to login inside the Configuration Panel, otherwise, replacing the hash in the archive and restoring it on the device which will change admin password granting access to the device.

7.5
2023-01-20 CVE-2022-47747 Uber Path Traversal vulnerability in Uber Kraken

kraken <= 0.1.4 has an arbitrary file read vulnerability via the component testfs.

7.5
2023-01-20 CVE-2021-27782 Hcltech Improper Restriction of Excessive Authentication Attempts vulnerability in Hcltech Bigfix Mobile 2.0

HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced. User should be locked out for multiple invalid attempts.

7.5
2023-01-20 CVE-2023-22331 Contec Improper Privilege Management vulnerability in Contec Conprosys HMI System

Use of default credentials vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to alter user credentials information.

7.5
2023-01-20 CVE-2023-22339 Contec Unspecified vulnerability in Contec Conprosys HMI System

Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to bypass access restriction and obtain the server certificate including the private key of the product.

7.5
2023-01-19 CVE-2023-0126 Sonicwall Path Traversal vulnerability in Sonicwall Sma1000 Firmware 12.4.2

Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory.

7.5
2023-01-19 CVE-2015-10071 Gitter Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gitter EZ Publish Modern Legacy

A vulnerability was found in gitter-badger ezpublish-modern-legacy.

7.5
2023-01-18 CVE-2022-45925 Opentext Unspecified vulnerability in Opentext Extended ECM

An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803).

7.5
2023-01-18 CVE-2023-0040 Asynchttpclient Project Injection vulnerability in Asynchttpclient Project Async-Http-Client

Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection.

7.5
2023-01-18 CVE-2022-46505 Matrixssl Improper Initialization vulnerability in Matrixssl

An issue in MatrixSSL 4.5.1-open and earlier leads to failure to securely check the SessionID field, resulting in the misuse of an all-zero MasterSecret that can decrypt secret data.

7.5
2023-01-18 CVE-2021-33959 Plex Origin Validation Error vulnerability in Plex Media Server

Plex media server 1.21 and before is vulnerable to ddos reflection attack via plex service.

7.5
2023-01-18 CVE-2021-36630 Ruckuswireless Allocation of Resources Without Limits or Throttling vulnerability in Ruckuswireless products

DDOS reflection amplification vulnerability in eAut module of Ruckus Wireless SmartZone controller that allows remote attackers to perform DOS attacks via crafted request.

7.5
2023-01-18 CVE-2022-34393 Dell Improper Input Validation vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

7.5
2023-01-18 CVE-2022-34401 Dell Out-of-bounds Write vulnerability in Dell products

Dell BIOS contains a stack based buffer overflow vulnerability.

7.5
2023-01-18 CVE-2022-25901 Cookiejar Project Unspecified vulnerability in Cookiejar Project Cookiejar

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

7.5
2023-01-18 CVE-2018-25077 MEL Spintax Project Unspecified vulnerability in Mel-Spintax Project Mel-Spintax

A vulnerability was found in melnaron mel-spintax.

7.5
2023-01-18 CVE-2020-36651 Nodeserver Project Path Traversal vulnerability in Nodeserver Project Nodeserver

A vulnerability has been found in youngerheart nodeserver and classified as critical.

7.5
2023-01-18 CVE-2010-10006 Jopenid Project Information Exposure Through Timing Discrepancy vulnerability in Jopenid Project Jopenid 1.01/1.05/1.07

A vulnerability, which was classified as problematic, was found in michaelliao jopenid.

7.5
2023-01-18 CVE-2022-38469 GE Insufficiently Protected Credentials vulnerability in GE Proficy Historian

An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.

7.5
2023-01-18 CVE-2023-21837 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.3.0/12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

7.5
2023-01-18 CVE-2023-21838 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.3.0/12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

7.5
2023-01-18 CVE-2023-21839 Oracle Deserialization of Untrusted Data vulnerability in Oracle Weblogic Server 12.2.1.3.0/12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

7.5
2023-01-18 CVE-2023-21841 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.3.0/12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

7.5
2023-01-18 CVE-2023-21842 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.3.0/12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container).

7.5
2023-01-18 CVE-2023-21849 Oracle Unspecified vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils).

7.5
2023-01-18 CVE-2023-21850 Oracle Unspecified vulnerability in Oracle Demantra Demand Management 12.1/12.2

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections).

7.5
2023-01-18 CVE-2023-21851 Oracle Unspecified vulnerability in Oracle Marketing

Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration).

7.5
2023-01-18 CVE-2023-21852 Oracle Unspecified vulnerability in Oracle Learning Management 12.2.12/12.2.3/12.2.9

Vulnerability in the Oracle Learning Management product of Oracle E-Business Suite (component: Setup).

7.5
2023-01-18 CVE-2023-21853 Oracle Unspecified vulnerability in Oracle Mobile Field Service

Vulnerability in the Oracle Mobile Field Service product of Oracle E-Business Suite (component: Synchronization).

7.5
2023-01-18 CVE-2023-21854 Oracle Unspecified vulnerability in Oracle Sales Offline 12.2.10/12.2.12/12.2.3

Vulnerability in the Oracle Sales Offline product of Oracle E-Business Suite (component: Core Components).

7.5
2023-01-18 CVE-2023-21855 Oracle Unspecified vulnerability in Oracle Sales for Handhelds 12.2.12/12.2.3

Vulnerability in the Oracle Sales for Handhelds product of Oracle E-Business Suite (component: Pocket Outlook Sync(PocketPC)).

7.5
2023-01-18 CVE-2023-21856 Oracle Unspecified vulnerability in Oracle Isetup 12.2.12/12.2.3

Vulnerability in the Oracle iSetup product of Oracle E-Business Suite (component: General Ledger Update Transform, Reports).

7.5
2023-01-18 CVE-2023-21857 Oracle Unspecified vulnerability in Oracle HCM Common Architecture 12.2.12/12.2.3

Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Auomated Test Suite).

7.5
2023-01-18 CVE-2023-21858 Oracle Unspecified vulnerability in Oracle Collaborative Planning

Vulnerability in the Oracle Collaborative Planning product of Oracle E-Business Suite (component: Installation).

7.5
2023-01-18 CVE-2023-21893 Oracle Unspecified vulnerability in Oracle Database Server 19C/21C

Vulnerability in the Oracle Data Provider for .NET component of Oracle Database Server.

7.5
2023-01-17 CVE-2021-32837 Mechanize Project Unspecified vulnerability in Mechanize Project Mechanize

mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6.

7.5
2023-01-17 CVE-2023-22730 Shopware Improper Input Validation vulnerability in Shopware

Shopware is an open source commerce platform based on Symfony Framework and Vue js.

7.5
2023-01-17 CVE-2023-22734 Shopware Improper Input Validation vulnerability in Shopware

Shopware is an open source commerce platform based on Symfony Framework and Vue js.

7.5
2023-01-17 CVE-2022-40319 Lsoft Authorization Bypass Through User-Controlled Key vulnerability in Lsoft Listserv 17.0

The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL.

7.5
2023-01-17 CVE-2022-43975 GE Path Traversal vulnerability in GE MS 3000 Firmware

An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0.

7.5
2023-01-17 CVE-2023-0122 Linux NULL Pointer Dereference vulnerability in Linux Kernel 6.0

A NULL pointer dereference vulnerability in the Linux kernel NVMe functionality, in nvmet_setup_auth(), allows an attacker to perform a Pre-Auth Denial of Service (DoS) attack on a remote machine.

7.5
2023-01-17 CVE-2023-22499 Deno Race Condition vulnerability in Deno

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust.

7.5
2023-01-17 CVE-2006-20001 Apache Out-of-bounds Write vulnerability in Apache Http Server

A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent.

7.5
2023-01-17 CVE-2022-4891 Libsisimai Unspecified vulnerability in Libsisimai Sisimai

A vulnerability has been found in Sisimai up to 4.25.14p11 and classified as problematic.

7.5
2023-01-17 CVE-2023-22624 Zohocorp XXE vulnerability in Zohocorp Manageengine Exchange Reporter Plus

Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.

7.5
2023-01-17 CVE-2023-23749 Miniorange Injection vulnerability in Miniorange Ldap Integration With Active Directory and Openldap 5.0.2

The 'LDAP Integration with Active Directory and OpenLDAP - NTLM & Kerberos Login' extension is vulnerable to LDAP Injection since is not properly sanitizing the 'username' POST parameter.

7.5
2023-01-17 CVE-2023-22875 IBM Information Exposure vulnerability in IBM Qradar Security Information and Event Manager 7.4.0/7.5.0

IBM QRadar SIEM 7.4 and 7.5copies certificate key files used for SSL/TLS in the QRadar web user interface to managed hosts in the deployment that do not require that key.

7.5
2023-01-17 CVE-2022-41859 Freeradius Insufficiently Protected Credentials vulnerability in Freeradius

In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.

7.5
2023-01-17 CVE-2022-41860 Freeradius NULL Pointer Dereference vulnerability in Freeradius

In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries.

7.5
2023-01-17 CVE-2022-3091 Ronds Information Exposure vulnerability in Ronds Equipment Predictive Maintenance 1.19.5

RONDS EPM version 1.19.5 has a vulnerability in which a function could allow unauthenticated users to leak credentials.

7.5
2023-01-17 CVE-2023-0158 Nlnetlabs Unspecified vulnerability in Nlnetlabs Krill

NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the "/rrdp" endpoint.

7.5
2023-01-16 CVE-2022-47630 ARM Out-of-bounds Read vulnerability in ARM Trusted Firmware-A

Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates.

7.4
2023-01-22 CVE-2023-24059 Rockstargames Unspecified vulnerability in Rockstargames Grand Theft Auto V

Grand Theft Auto V for PC allows attackers to achieve partial remote code execution or modify files on a PC, as exploited in the wild in January 2023.

7.3
2023-01-20 CVE-2023-20044 Cisco Unspecified vulnerability in Cisco CX Cloud Agent

A vulnerability in Cisco CX Cloud Agent of could allow an authenticated, local attacker to elevate their privileges. This vulnerability is due to insecure file permissions.

7.3
2023-01-18 CVE-2023-21894 Oracle Unspecified vulnerability in Oracle Global Lifecycle Management Nextgen OUI Framework 12.2.1.3.0/12.2.1.4.0/13.9.4.2.2

Vulnerability in the Oracle Global Lifecycle Management NextGen OUI Framework product of Oracle Fusion Middleware (component: NextGen Installer issues).

7.3
2023-01-20 CVE-2023-20007 Cisco OS Command Injection vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code or cause the web-based management process on the device to restart unexpectedly, resulting in a denial of service (DoS) condition.

7.2
2023-01-20 CVE-2023-20026 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Small Business Routers RV042 Series could allow an authenticated, remote attacker to inject arbitrary commands on an affected device. This vulnerability is due to improper validation of user input fields within incoming HTTP packets.

7.2
2023-01-20 CVE-2023-20045 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Small Business RV160 and RV260 Series VPN Routers could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user input.

7.2
2023-01-18 CVE-2022-43483 Sewio OS Command Injection vulnerability in Sewio Real-Time Location System Studio

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the monitor services of the software.

7.2
2023-01-18 CVE-2022-47911 Sewio OS Command Injection vulnerability in Sewio Real-Time Location System Studio

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the backup services of the software.

7.2
2023-01-17 CVE-2023-22280 ATE Mahoroba OS Command Injection vulnerability in Ate-Mahoroba products

MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allow a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command.

7.2
2023-01-17 CVE-2022-43462 IP Blacklist Cloud Project SQL Injection vulnerability in IP Blacklist Cloud Project IP Blacklist Cloud 5.00

Auth.

7.2
2023-01-16 CVE-2022-4547 Thedotstore SQL Injection vulnerability in Thedotstore Conditional Payment Methods for Woocommerce

The Conditional Payment Methods for WooCommerce WordPress plugin through 1.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by [high privilege users such as admin|users with a role as low as admin.

7.2
2023-01-21 CVE-2023-24040 Opengroup Injection vulnerability in Opengroup Common Desktop Environment 1.6

dtprintinfo in Common Desktop Environment 1.6 has a bug in the parser of lpstat (an invoked external command) during listing of the names of available printers.

7.1
2023-01-20 CVE-2023-20008 Cisco Unspecified vulnerability in Cisco Roomos and Telepresence Collaboration Endpoint

A vulnerability in the CLI of Cisco TelePresence CE and RoomOS Software could allow an authenticated, local attacker to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are in the local file system.

7.1
2023-01-17 CVE-2022-41858 Linux
Netapp
NULL Pointer Dereference vulnerability in multiple products

A flaw was found in the Linux kernel.

7.1
2023-01-17 CVE-2020-36611 Hitachi Incorrect Default Permissions vulnerability in Hitachi Tuning Manager

Incorrect Default Permissions vulnerability in Hitachi Tuning Manager on Linux (Hitachi Tuning Manager server, Hitachi Tuning Manager - Agent for RAID, Hitachi Tuning Manager - Agent for NAS, Hitachi Tuning Manager - Agent for SAN Switch components) allows local users to read and write specific files.This issue affects Hitachi Tuning Manager: before 8.8.5-00.

7.1
2023-01-20 CVE-2022-48191 Trendmicro Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Trendmicro Maximum Security 2022 17.7

A vulnerability exists in Trend Micro Maximum Security 2022 (17.7) wherein a low-privileged user can write a known malicious executable to a specific location and in the process of removal and restoral an attacker could replace an original folder with a mount point to an arbitrary location, allowing a escalation of privileges on an affected system.

7.0
2023-01-19 CVE-2023-23690 Dell Improper Certificate Validation vulnerability in Dell Cloud Mobility for Dell EMC Storage 1.3.0/1.3.1

Cloud Mobility for Dell EMC Storage, versions 1.3.0.X and below contains an Improper Check for Certificate Revocation vulnerability.

7.0

213 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-01-18 CVE-2020-22007 Okerthai Missing Authorization vulnerability in Okerthai G955V1 Firmware 1.03.02.20161128

OS Command Injection vulnerability in OKER G955V1 v1.03.02.20161128, allows physical attackers to interrupt the boot sequence and execute arbitrary commands with root privileges.

6.8
2023-01-20 CVE-2023-20043 Cisco Incorrect Default Permissions vulnerability in Cisco CX Cloud Agent

A vulnerability in Cisco CX Cloud Agent of could allow an authenticated, local attacker to elevate their privileges. This vulnerability is due to insecure file permissions.

6.7
2023-01-20 CVE-2020-22661 Ruckuswireless Unspecified vulnerability in Ruckuswireless products

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to erase the backup secondary official image and write secondary backup unauthorized image.

6.5
2023-01-20 CVE-2021-39089 IBM Information Exposure vulnerability in IBM Cloud PAK for Security 1.10.0.0/1.10.2.0/1.10.6.0

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.6.0 could allow an authenticated user to obtain sensitive information from a specially crafted HTTP request.

6.5
2023-01-20 CVE-2022-47015 Mariadb NULL Pointer Dereference vulnerability in Mariadb

MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service.

6.5
2023-01-20 CVE-2021-37498 Reprisesoftware Server-Side Request Forgery (SSRF) vulnerability in Reprisesoftware Reprise License Manager

An SSRF issue was discovered in Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers, conduct port scans via the actserver parameter in License Activation function.

6.5
2023-01-20 CVE-2021-37499 Reprisesoftware Injection vulnerability in Reprisesoftware Reprise License Manager

CRLF vulnerability in Reprise License Manager (RLM) web interface through 14.2BL4 in the password parameter in View License Result function, that allows remote attackers to inject arbitrary HTTP headers.

6.5
2023-01-20 CVE-2023-20018 Cisco Incorrect Authorization vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco IP Phone 7800 and 8800 Series Phones could allow an unauthenticated, remote attacker to bypass authentication on an affected device. This vulnerability is due to insufficient validation of user-supplied input.

6.5
2023-01-20 CVE-2023-20047 Cisco Allocation of Resources Without Limits or Throttling vulnerability in Cisco products

A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco Webex Room Phone and Cisco Webex Share devices could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient resource allocation.

6.5
2023-01-19 CVE-2022-31901 Notepad Plus Plus Out-of-bounds Write vulnerability in Notepad-Plus-Plus Notepad++

Buffer overflow in function Notepad_plus::addHotSpot in Notepad++ v8.4.3 and earlier allows attackers to crash the application via two crafted files.

6.5
2023-01-19 CVE-2023-0398 Modoboa Cross-Site Request Forgery (CSRF) vulnerability in Modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

6.5
2023-01-19 CVE-2023-0397 Zephyrproject Improper Initialization vulnerability in Zephyrproject Zephyr

A malicious / defect bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buffer_size_complete.

6.5
2023-01-18 CVE-2022-47950 Openstack
Debian
Files or Directories Accessible to External Parties vulnerability in multiple products

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0.

6.5
2023-01-18 CVE-2022-45103 Dell Information Exposure vulnerability in Dell products

Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 9.2.3.x contain an information disclosure vulnerability.

6.5
2023-01-18 CVE-2022-47881 Foxit Out-of-bounds Read vulnerability in Foxit PDF Editor and PDF Reader

Foxit PDF Reader and PDF Editor 11.2.1.53537 and earlier has an Out-of-Bounds Read vulnerability.

6.5
2023-01-18 CVE-2022-43455 Sewio Improper Input Validation vulnerability in Sewio Real-Time Location System Studio

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to improper input validation of user input to the service_start, service_stop, and service_restart modules of the software.

6.5
2023-01-18 CVE-2022-47917 Sewio Improper Input Validation vulnerability in Sewio Real-Time Location System Studio

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to improper input validation of user input to several modules and services of the software.

6.5
2023-01-18 CVE-2022-43494 GE Unspecified vulnerability in GE Proficy Historian

An unauthorized user could be able to read any file on the system, potentially exposing sensitive information.

6.5
2023-01-18 CVE-2022-46660 GE Unrestricted Upload of File with Dangerous Type vulnerability in GE Proficy Historian

An unauthorized user could alter or write files with full control over the path and content of the file.

6.5
2023-01-18 CVE-2023-21868 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

6.5
2023-01-17 CVE-2023-22733 Shopware Information Exposure Through Log Files vulnerability in Shopware

Shopware is an open source commerce platform based on Symfony Framework and Vue js.

6.5
2023-01-17 CVE-2022-2907 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2.

6.5
2023-01-17 CVE-2022-41861 Freeradius Improper Input Validation vulnerability in Freeradius

A flaw was found in freeradius.

6.5
2023-01-17 CVE-2022-2893 Ronds Path Traversal vulnerability in Ronds Equipment Predictive Maintenance 1.19.5

RONDS EPM version 1.19.5 does not properly validate the filename parameter, which could allow an unauthorized user to specify file paths and download files.

6.5
2023-01-17 CVE-2023-22316 Pixela Unspecified vulnerability in Pixela Pix-Rt100 Firmware 2.1.1Eq101/2.1.2Eq101

Hidden functionality vulnerability in PIX-RT100 versions RT100_TEQ_2.1.1_EQ101 and RT100_TEQ_2.1.2_EQ101 allows a network-adjacent attacker to access the product via undocumented Telnet or SSH services.

6.5
2023-01-17 CVE-2022-45439 Zyxel Cleartext Storage of Sensitive Information vulnerability in Zyxel Ax7501-B0 Firmware 5.17(Abpc.1)C0

A pair of spare WiFi credentials is stored in the configuration file of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0 in cleartext.

6.5
2023-01-19 CVE-2023-22745 Tpm2 Software Stack Project Classic Buffer Overflow vulnerability in Tpm2 Software Stack Project Tpm2 Software Stack

tpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2).

6.4
2023-01-18 CVE-2023-21860 Oracle Unspecified vulnerability in Oracle Mysql Cluster

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: Internal Operations).

6.3
2023-01-18 CVE-2023-21829 Oracle Unspecified vulnerability in Oracle Database 19C/21C

Vulnerability in the Oracle Database RDBMS Security component of Oracle Database Server.

6.3
2023-01-22 CVE-2023-24044 Plesk Open Redirect vulnerability in Plesk Obsidian 18.0.17

A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header.

6.1
2023-01-20 CVE-2023-24026 Misp Project Cross-site Scripting vulnerability in Misp-Project Misp 2.4.167

In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.

6.1
2023-01-20 CVE-2023-24027 Misp Cross-site Scripting vulnerability in Misp 2.4.167

In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.

6.1
2023-01-20 CVE-2022-45537 Eyoucms Cross-site Scripting vulnerability in Eyoucms

EyouCMS <= 1.6.0 was discovered a reflected-XSS in the article publish component in cookie "ENV_LIST_URL".

6.1
2023-01-20 CVE-2022-45538 Eyoucms Cross-site Scripting vulnerability in Eyoucms

EyouCMS <= 1.6.0 was discovered a reflected-XSS in the article publish component in cookie "ENV_GOBACK_URL".

6.1
2023-01-20 CVE-2022-45539 Eyoucms Cross-site Scripting vulnerability in Eyoucms

EyouCMS <= 1.6.0 was discovered a reflected-XSS in FileManager component in GET value "activepath" when creating a new file.

6.1
2023-01-20 CVE-2022-45540 Eyoucms Cross-site Scripting vulnerability in Eyoucms

EyouCMS <= 1.6.0 was discovered a reflected-XSS in article type editor component in POST value "name" if the value contains a malformed UTF-8 char.

6.1
2023-01-20 CVE-2022-45541 Eyoucms Cross-site Scripting vulnerability in Eyoucms

EyouCMS <= 1.6.0 was discovered a reflected-XSS in the article attribute editor component in POST value "value" if the value contains a non-integer char.

6.1
2023-01-20 CVE-2022-45557 Left Project Cross-site Scripting vulnerability in Left Project Left 7.1.5

Cross site scripting (XSS) vulnerability in Hundredrabbits Left 7.1.5 for MacOS allows attackers to execute arbitrary code via file names.

6.1
2023-01-20 CVE-2022-45558 Left Project Cross-site Scripting vulnerability in Left Project Left 7.1.5

Cross site scripting (XSS) vulnerability in Hundredrabbits Left 7.1.5 for MacOS allows attackers to execute arbitrary code via the meta tag.

6.1
2023-01-20 CVE-2023-23010 Ecommerce Codeigniter Bootstrap Project Cross-site Scripting vulnerability in Ecommerce-Codeigniter-Bootstrap Project Ecommerce-Codeigniter-Bootstrap 20200803

Cross Site Scripting (XSS) vulnerability in Ecommerce-CodeIgniter-Bootstrap thru commit d5904379ca55014c5df34c67deda982c73dc7fe5 (on Dec 27, 2022), allows attackers to execute arbitrary code via the languages and trans_load parameters in file add_product.php.

6.1
2023-01-20 CVE-2023-23012 Classroombookings Cross-site Scripting vulnerability in Classroombookings 2.6.4

Cross Site Scripting (XSS) vulnerability in craigrodway classroombookings 2.6.4 allows attackers to execute arbitrary code or other unspecified impacts via the input bgcol in file Weeks.php.

6.1
2023-01-20 CVE-2023-23014 Inventory System Project Cross-site Scripting vulnerability in Inventory System Project Inventory System

Cross Site Scripting (XSS) vulnerability in InventorySystem thru commit e08fbbe17902146313501ed0b5feba81d58f455c (on Apr 23, 2021) via edit_store_name and edit_active inputs in file InventorySystem.php.

6.1
2023-01-20 CVE-2023-23015 Kalkun Project Cross-site Scripting vulnerability in Kalkun Project Kalkun 0.8.0

Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file User_model.php.

6.1
2023-01-20 CVE-2023-23024 Book Store Management System Project Cross-site Scripting vulnerability in Book Store Management System Project Book Store Management System 1.0

Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book.

6.1
2023-01-20 CVE-2023-23491 Fullworksplugins Cross-site Scripting vulnerability in Fullworksplugins Quick Event Manager

The Quick Event Manager WordPress Plugin, version < 9.7.5, is affected by a reflected cross-site scripting vulnerability in the 'category' parameter of its 'qem_ajax_calendar' action.

6.1
2023-01-20 CVE-2022-41441 Reqlogic Cross-site Scripting vulnerability in Reqlogic 11.3

Multiple cross-site scripting (XSS) vulnerabilities in ReQlogic v11.3 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the POBatch and WaitDuration parameters.

6.1
2023-01-20 CVE-2023-20019 Cisco Cross-site Scripting vulnerability in Cisco Broadworks Xtended Services Platform

A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform, Cisco BroadWorks Application Server, and Cisco BroadWorks Xtended Services Platform could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability exists because the web-based management interface does not properly validate user-supplied input.

6.1
2023-01-20 CVE-2023-20058 Cisco Cross-site Scripting vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input.

6.1
2023-01-20 CVE-2023-0410 Builder Cross-site Scripting vulnerability in Builder Qwik

Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5.

6.1
2023-01-19 CVE-2022-46888 Nexusphp Cross-site Scripting vulnerability in Nexusphp 1.5

Multiple reflective cross-site scripting (XSS) vulnerabilities in NexusPHP before 1.7.33 allow remote attackers to inject arbitrary web script or HTML via the secret parameter in /login.php; q parameter in /user-ban-log.php; query parameter in /log.php; text parameter in /moresmiles.php; q parameter in myhr.php; or id parameter in /viewrequests.php.

6.1
2023-01-19 CVE-2022-4892 Mycms Project Cross-site Scripting vulnerability in Mycms Project Mycms

A vulnerability was found in MyCMS.

6.1
2023-01-18 CVE-2023-0214 Trellix Cross-site Scripting vulnerability in Trellix Skyhigh Secure web Gateway

A cross-site scripting vulnerability in Skyhigh SWG in main releases 11.x prior to 11.2.6, 10.x prior to 10.2.17, and controlled release 12.x prior to 12.0.1 allows a remote attacker to craft SWG-specific internal requests with URL paths to any third-party website, causing arbitrary content to be injected into the response when accessed through SWG.

6.1
2023-01-18 CVE-2020-36653 Geni Cross-site Scripting vulnerability in Geni Geni-Portal

A vulnerability was found in GENI Portal.

6.1
2023-01-18 CVE-2020-36654 Geni Cross-site Scripting vulnerability in Geni Geni-Portal 20200129

A vulnerability classified as problematic has been found in GENI Portal.

6.1
2023-01-17 CVE-2022-39195 Lsoft Cross-site Scripting vulnerability in Lsoft Listserv 17.0

A cross-site scripting (XSS) vulnerability in the LISTSERV 17 web interface allows remote attackers to inject arbitrary JavaScript or HTML via the c parameter.

6.1
2023-01-17 CVE-2022-40704 Phoronix Media Cross-site Scripting vulnerability in Phoronix-Media Phoronix Test Suite

A XSS vulnerability was found in phoromatic_r_add_test_details.php in phoronix-test-suite.

6.1
2023-01-17 CVE-2023-0337 Daloradius Cross-site Scripting vulnerability in Daloradius

Cross-site Scripting (XSS) - Reflected in GitHub repository lirantal/daloradius prior to master-branch.

6.1
2023-01-17 CVE-2023-0338 Daloradius Cross-site Scripting vulnerability in Daloradius

Cross-site Scripting (XSS) - Reflected in GitHub repository lirantal/daloradius prior to master-branch.

6.1
2023-01-17 CVE-2015-10058 Mediawiki Cross-site Scripting vulnerability in Mediawiki Wikisource Category Browser

A vulnerability, which was classified as problematic, was found in Wikisource Category Browser.

6.1
2023-01-17 CVE-2015-10059 Webapplication Veganguide Project Cross-site Scripting vulnerability in Webapplication-Veganguide Project Webapplication-Veganguide

A vulnerability has been found in s134328 Webapplication-Veganguide and classified as problematic.

6.1
2023-01-17 CVE-2023-22296 ATE Mahoroba Cross-site Scripting vulnerability in Ate-Mahoroba products

Reflected cross-site scripting vulnerability in MAHO-PBX NetDevancer series MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allows a remote unauthenticated attacker to inject an arbitrary script.

6.1
2023-01-17 CVE-2023-22298 Pgadmin
Fedoraproject
Open Redirect vulnerability in multiple products

Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.

6.1
2023-01-16 CVE-2023-0327 Theradsystem Project Cross-site Scripting vulnerability in Theradsystem Project Theradsystem

A vulnerability was found in saemorris TheRadSystem.

6.1
2023-01-16 CVE-2022-3904 Monsterinsights Cross-site Scripting vulnerability in Monsterinsights

The MonsterInsights WordPress plugin before 8.9.1 does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to google analytics.

6.1
2023-01-16 CVE-2022-4295 Appjetty Unspecified vulnerability in Appjetty Show ALL Comments

The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin.

6.1
2023-01-16 CVE-2022-4320 Mhsoftware Unspecified vulnerability in Mhsoftware Wordpress Events Calendar Plugin

The WordPress Events Calendar WordPress plugin before 1.4.5 does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users (such as high-privilege ones like admin).

6.1
2023-01-20 CVE-2023-22742 Libgit2 Improper Verification of Cryptographic Signature vulnerability in Libgit2

libgit2 is a cross-platform, linkable library implementation of Git.

5.9
2023-01-20 CVE-2022-43704 Sinilink Authentication Bypass by Capture-replay vulnerability in Sinilink Xy-Wft1 Firmware 1.3.6

The Sinilink XY-WFT1 WiFi Remote Thermostat, running firmware 1.3.6, allows an attacker to bypass the intended requirement to communicate using MQTT.

5.9
2023-01-19 CVE-2022-39167 IBM Unspecified vulnerability in IBM Spectrum Virtualize

IBM Spectrum Virtualize 8.5, 8.4, 8.3, 8.2, and 7.8, under certain configurations, could disclose sensitive information to an attacker using man-in-the-middle techniques.

5.9
2023-01-19 CVE-2022-3738 Wago Missing Authentication for Critical Function vulnerability in Wago products

The vulnerability allows a remote unauthenticated attacker to download a backup file, if one exists.

5.9
2023-01-18 CVE-2023-22863 IBM Cleartext Transmission of Sensitive Information vulnerability in IBM products

IBM Robotic Process Automation 20.12.0 through 21.0.2 defaults to HTTP in some RPA commands when the prefix is not explicitly specified in the URL.

5.9
2023-01-18 CVE-2022-3100 Openstack
Redhat
Authentication Bypass by Primary Weakness vulnerability in multiple products

A flaw was found in the openstack-barbican component.

5.9
2023-01-18 CVE-2023-21875 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).

5.9
2023-01-22 CVE-2023-24055 Keepass Cleartext Storage of Sensitive Information vulnerability in Keepass

KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger.

5.5
2023-01-22 CVE-2023-24056 Pkgconf Unspecified vulnerability in Pkgconf

In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse.

5.5
2023-01-20 CVE-2021-33642 Openeuler Infinite Loop vulnerability in Openeuler Byacc

When a file is processed, an infinite loop occurs in next_inline() of the more_curly() function.

5.5
2023-01-20 CVE-2022-35977 Redis Integer Overflow or Wraparound vulnerability in Redis

Redis is an in-memory database that persists on disk.

5.5
2023-01-20 CVE-2023-22458 Redis Integer Overflow or Wraparound vulnerability in Redis

Redis is an in-memory database that persists on disk.

5.5
2023-01-20 CVE-2023-23144 Gpac Integer Overflow or Wraparound vulnerability in Gpac 2.2Rev0Gab012Bbfbmaster

Integer overflow vulnerability in function Q_DecCoordOnUnitSphere file bifs/unquantize.c in GPAC version 2.2-rev0-gab012bbfb-master.

5.5
2023-01-20 CVE-2023-20040 Cisco Unrestricted Upload of File with Dangerous Type vulnerability in Cisco Network Services Orchestrator

A vulnerability in the NETCONF service of Cisco Network Services Orchestrator (NSO) could allow an authenticated, remote attacker to cause a denial of service (DoS) on an affected system that is running as the root user.

5.5
2023-01-18 CVE-2023-21581 Adobe Out-of-bounds Read vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

5.5
2023-01-18 CVE-2023-21585 Adobe Out-of-bounds Read vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

5.5
2023-01-18 CVE-2023-21613 Adobe Out-of-bounds Read vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

5.5
2023-01-18 CVE-2023-21614 Adobe Out-of-bounds Read vulnerability in Adobe products

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

5.5
2023-01-18 CVE-2023-21601 Adobe Use After Free vulnerability in Adobe Dimension 3.4.3

Adobe Dimension version 3.4.6 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory.

5.5
2023-01-18 CVE-2023-21603 Adobe Out-of-bounds Read vulnerability in Adobe Dimension 3.4.3

Adobe Dimension version 3.4.6 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

5.5
2023-01-18 CVE-2023-21869 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).

5.5
2023-01-18 CVE-2023-21872 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

5.5
2023-01-18 CVE-2023-21877 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).

5.5
2023-01-18 CVE-2023-21880 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).

5.5
2023-01-18 CVE-2023-21898 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

5.5
2023-01-18 CVE-2023-21899 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

5.5
2023-01-17 CVE-2022-47929 Linux
Debian
NULL Pointer Dereference vulnerability in multiple products

In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands.

5.5
2023-01-17 CVE-2022-4121 Libetpan Project NULL Pointer Dereference vulnerability in Libetpan Project Libetpan

In libetpan a null pointer dereference in mailimap_mailbox_data_status_free in low-level/imap/mailimap_types.c was found that could lead to a remote denial of service or other potential consequences.

5.5
2023-01-16 CVE-2023-0316 Froxlor Path Traversal: '..filename' vulnerability in Froxlor

Path Traversal: '\..\filename' in GitHub repository froxlor/froxlor prior to 2.0.0.

5.5
2023-01-20 CVE-2022-45542 Eyoucms Cross-site Scripting vulnerability in Eyoucms

EyouCMS <= 1.6.0 was discovered a reflected-XSS in the FileManager component in GET parameter "filename" when editing any file.

5.4
2023-01-20 CVE-2022-38110 Solarwinds Cross-site Scripting vulnerability in Solarwinds Database Performance Analyzer

In Database Performance Analyzer (DPA) 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting.

5.4
2023-01-20 CVE-2023-22910 Mediawiki Cross-site Scripting vulnerability in Mediawiki

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1.

5.4
2023-01-20 CVE-2022-20965 Cisco Unspecified vulnerability in Cisco Identity Services Engine

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to take privileges actions within the web-based management interface. This vulnerability is due to improper access control on a feature within the web-based management interface of the affected system.

5.4
2023-01-20 CVE-2022-20966 Cisco Cross-site Scripting vulnerability in Cisco Identity Services Engine

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web-based management interface. This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface.

5.4
2023-01-20 CVE-2022-20967 Cisco Cross-site Scripting vulnerability in Cisco Identity Services Engine

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web-based management interface. This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface.

5.4
2023-01-20 CVE-2023-20037 Cisco Cross-site Scripting vulnerability in Cisco Industrial Network Director

A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks. The vulnerability is due to improper validation of content submitted to the affected application.

5.4
2023-01-20 CVE-2023-22373 Contec Cross-site Scripting vulnerability in Contec Conprosys HMI System

Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to inject an arbitrary script and obtain the sensitive information.

5.4
2023-01-19 CVE-2022-46889 Nexusphp Cross-site Scripting vulnerability in Nexusphp 1.5

A persistent cross-site scripting (XSS) vulnerability in NexusPHP before 1.7.33 allows remote authenticated attackers to permanently inject arbitrary web script or HTML via the title parameter used in /subtitles.php.

5.4
2023-01-19 CVE-2022-47194 Ghost Insecure Default Initialization of Resource vulnerability in Ghost 5.9.4

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4.

5.4
2023-01-19 CVE-2022-47195 Ghost Cross-site Scripting vulnerability in Ghost 5.9.4

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4.

5.4
2023-01-19 CVE-2022-47196 Ghost Insecure Default Initialization of Resource vulnerability in Ghost 5.9.4

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4.

5.4
2023-01-19 CVE-2022-47197 Ghost Cross-site Scripting vulnerability in Ghost 5.9.4

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4.

5.4
2023-01-19 CVE-2023-0402 Warfareplugins Unspecified vulnerability in Warfareplugins Social Warfare

The Social Warfare plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several AJAX actions in versions up to, and including, 4.3.0.

5.4
2023-01-19 CVE-2023-0403 Warfareplugins Unspecified vulnerability in Warfareplugins Social Warfare

The Social Warfare plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.0.

5.4
2023-01-19 CVE-2023-0404 E Dynamics Missing Authorization vulnerability in E-Dynamics Events Made Easy

The Events Made Easy plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions related to AJAX actions in versions up to, and including, 2.3.16.

5.4
2023-01-18 CVE-2022-4235 Rushstreetinteractive Cross-site Scripting vulnerability in Rushstreetinteractive Rushbet 2022.23.1B490616D

RushBet version 2022.23.1-b490616d allows a remote attacker to steal customer accounts via use of a malicious application.

5.4
2023-01-18 CVE-2023-22594 IBM Cross-site Scripting vulnerability in IBM products

IBM Robotic Process Automation for Cloud Pak 20.12.0 through 21.0.4 is vulnerable to cross-site scripting.

5.4
2023-01-18 CVE-2022-45613 Book Store Management System Project Cross-site Scripting vulnerability in Book Store Management System Project Book Store Management System 1.0

Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book.

5.4
2023-01-18 CVE-2023-21844 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.59/8.60

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Elastic Search).

5.4
2023-01-18 CVE-2023-21845 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.60

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Panel Processor).

5.4
2023-01-18 CVE-2023-21847 Oracle Unspecified vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Download).

5.4
2023-01-18 CVE-2023-21861 Oracle Unspecified vulnerability in Oracle Business Intelligence 5.9.0.0.0/6.4.0.0.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Visual Analyzer).

5.4
2023-01-18 CVE-2023-21888 Oracle Unspecified vulnerability in Oracle Primavera Gateway

Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: WebUI).

5.4
2023-01-18 CVE-2023-21891 Oracle Unspecified vulnerability in Oracle Business Intelligence 5.9.0.0.0/6.4.0.0.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Visual Analyzer).

5.4
2023-01-18 CVE-2023-21892 Oracle Unspecified vulnerability in Oracle Business Intelligence 5.9.0.0.0/6.4.0.0.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Visual Analyzer).

5.4
2023-01-17 CVE-2010-10008 Simplesamlphp Cross-site Scripting vulnerability in Simplesamlphp Simplesamlphp-Module-Openidprovider

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in simplesamlphp simplesamlphp-module-openidprovider up to 0.8.x.

5.4
2023-01-16 CVE-2022-4431 Pluginus Unspecified vulnerability in Pluginus FOX - Currency Switcher Professional for Woocommerce

The WOOCS WordPress plugin before 1.3.9.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4449 Page Scroll TO ID Project Unspecified vulnerability in Page Scroll to ID Project Page Scroll to ID

The Page scroll to id WordPress plugin before 1.7.6 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4451 Heateor Unspecified vulnerability in Heateor Sassy Social Share

The Social Sharing WordPress plugin before 3.3.45 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4453 3Dflipbook Cross-site Scripting vulnerability in 3Dflipbook 3D Flipbook

The 3D FlipBook WordPress plugin through 1.13.2 does not validate or escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks against high privilege users like administrators.

5.4
2023-01-16 CVE-2022-4460 Codelights Shortcodes AND Widgets Project Unspecified vulnerability in Codelights-Shortcodes-And-Widgets Project Codelights-Shortcodes-And-Widgets 1.4

The Sidebar Widgets by CodeLights WordPress plugin through 1.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.

5.4
2023-01-16 CVE-2022-4464 Themify Unspecified vulnerability in Themify Portfolio Post

Themify Portfolio Post WordPress plugin before 1.2.1 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privileged users such as admin.

5.4
2023-01-16 CVE-2022-4465 Tipsandtricks HQ Unspecified vulnerability in Tipsandtricks-Hq WP Video Lightbox

The WP Video Lightbox WordPress plugin before 1.9.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.

5.4
2023-01-16 CVE-2022-4469 Simple Membership Plugin Unspecified vulnerability in Simple-Membership-Plugin Simple Membership

The Simple Membership WordPress plugin before 4.2.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.

5.4
2023-01-16 CVE-2022-4476 Wpdownloadmanager Unspecified vulnerability in Wpdownloadmanager Wordpress Download Manager

The Download Manager WordPress plugin before 3.2.62 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins.

5.4
2023-01-16 CVE-2022-4477 Smashballoon Unspecified vulnerability in Smashballoon Smash Balloon Social Post Feed

The Smash Balloon Social Post Feed WordPress plugin before 4.1.6 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins.

5.4
2023-01-16 CVE-2022-4478 Fontawesome Unspecified vulnerability in Fontawesome Font Awesome

The Font Awesome WordPress plugin before 4.3.2 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins.

5.4
2023-01-16 CVE-2022-4480 Holithemes Cross-site Scripting vulnerability in Holithemes Click to Chat

The Click to Chat WordPress plugin before 3.18.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4481 Extendthemes Unspecified vulnerability in Extendthemes Mesmerize Companion

The Mesmerize Companion WordPress plugin before 1.6.135 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4482 Techearty Unspecified vulnerability in Techearty Carousel, Slider, Gallery BY WP Carousel

The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.5.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4483 Insert Pages Project Unspecified vulnerability in Insert Pages Project Insert Pages

The Insert Pages WordPress plugin before 3.7.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4484 Heateor Unspecified vulnerability in Heateor Super Socializer

The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.44 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4486 Meteor Slides Project Unspecified vulnerability in Meteor Slides Project Meteor Slides

The Meteor Slides WordPress plugin before 1.5.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4487 Techearty Unspecified vulnerability in Techearty Easy Accordion

The Easy Accordion WordPress plugin before 2.2.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4507 Devowl Unspecified vulnerability in Devowl Wordpress Real Cookie Banner

The Real Cookie Banner WordPress plugin before 3.4.10 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins.

5.4
2023-01-16 CVE-2022-4508 Convertkit Unspecified vulnerability in Convertkit - Email Marketing, Email Newsletter and Landing Pages

The ConvertKit WordPress plugin before 2.0.5 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.

5.4
2023-01-16 CVE-2022-4544 Wpchill Unspecified vulnerability in Wpchill Mashshare

The MashShare WordPress plugin before 3.8.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4571 Castos Unspecified vulnerability in Castos Seriously Simple Podcasting

The Seriously Simple Podcasting WordPress plugin before 2.19.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4578 Video Conferencing With Zoom Project Unspecified vulnerability in Video Conferencing With Zoom Project Video Conferencing With Zoom

The Video Conferencing with Zoom WordPress plugin before 4.0.10 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4648 Shapedplugin Unspecified vulnerability in Shapedplugin Real Testimonials

The Real Testimonials WordPress plugin before 2.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

5.4
2023-01-16 CVE-2022-4653 Greenshiftwp Unspecified vulnerability in Greenshiftwp Greenshift - Animation and Page Builder Blocks

The Greenshift WordPress plugin before 4.8.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

5.4
2023-01-16 CVE-2022-4655 Collne Unspecified vulnerability in Collne Welcart E-Commerce

The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack.

5.4
2023-01-16 CVE-2022-4658 Rssimport Project Unspecified vulnerability in Rssimport Project Rssimport

The RSSImport WordPress plugin through 4.6.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

5.4
2023-01-16 CVE-2023-0323 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.14.

5.4
2023-01-16 CVE-2022-41703 Apache SQL Injection vulnerability in Apache Superset

A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value).

5.4
2023-01-16 CVE-2022-43717 Apache Cross-site Scripting vulnerability in Apache Superset

Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

5.4
2023-01-16 CVE-2022-43718 Apache Cross-site Scripting vulnerability in Apache Superset

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

5.4
2023-01-16 CVE-2022-43720 Apache Unspecified vulnerability in Apache Superset

An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

5.4
2023-01-16 CVE-2022-43721 Apache Open Redirect vulnerability in Apache Superset

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

5.4
2023-01-20 CVE-2022-39193 Mediawiki Information Exposure vulnerability in Mediawiki 1.39.0/1.39.1

An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x.

5.3
2023-01-20 CVE-2022-41733 IBM Improper Input Validation vulnerability in IBM Infosphere Information Server

IBM InfoSphere Information Server 11.7 could allow a remote attacked to cause some of the components to be unusable until the process is restarted.

5.3
2023-01-20 CVE-2023-22912 Mediawiki Use of Insufficiently Random Values vulnerability in Mediawiki

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1.

5.3
2023-01-20 CVE-2023-20057 Cisco Injection vulnerability in Cisco Asyncos

A vulnerability in the URL filtering mechanism of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. This vulnerability is due to improper processing of URLs.

5.3
2023-01-20 CVE-2023-22334 Contec Improper Authentication vulnerability in Contec Conprosys HMI System

Use of password hash instead of password for authentication vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to obtain user credentials information via a man-in-the-middle attack.

5.3
2023-01-18 CVE-2021-4314 Linuxfoundation Improper Authentication vulnerability in Linuxfoundation Zowe API Mediation Layer

It is possible to manipulate the JWT token without the knowledge of the JWT secret and authenticate without valid JWT token as any user.

5.3
2023-01-18 CVE-2023-21825 Oracle Unspecified vulnerability in Oracle Isupplier Portal 12.2.6/12.2.7/12.2.8

Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Supplier Management).

5.3
2023-01-18 CVE-2023-21830 Oracle
Azul
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).
5.3
2023-01-18 CVE-2023-21831 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise CS Academic Advisement 9.2

Vulnerability in the PeopleSoft Enterprise CS Academic Advisement product of Oracle PeopleSoft (component: Advising Notes).

5.3
2023-01-18 CVE-2023-21835 Oracle
Azul
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).
5.3
2023-01-17 CVE-2023-0296 Redhat Use of a Broken or Risky Cryptographic Algorithm vulnerability in Redhat Openshift 4.11

The Birthday attack against 64-bit block ciphers flaw (CVE-2016-2183) was reported for the health checks port (9979) on etcd grpc-proxy component.

5.3
2023-01-17 CVE-2022-37436 Apache HTTP Response Splitting vulnerability in Apache Http Server

Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body.

5.3
2023-01-17 CVE-2023-22278 DAJ Unspecified vulnerability in DAJ M-Filter

m-FILTER prior to Ver.5.70R01 (Ver.5 Series) and m-FILTER prior to Ver.4.87R04 (Ver.4 Series) allows a remote unauthenticated attacker to bypass authentication and send users' unintended email when email is being sent under the certain conditions.

5.3
2023-01-16 CVE-2022-45438 Apache Exposure of Resource to Wrong Sphere vulnerability in Apache Superset

When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

5.3
2023-01-20 CVE-2021-39011 IBM Information Exposure Through Log Files vulnerability in IBM Cloud PAK for Security 1.10.0.0/1.10.2.0/1.10.6.0

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.6.0 stores potentially sensitive information in log files that could be read by a privileged user.

4.9
2023-01-20 CVE-2022-43959 Bitrix24 Information Exposure vulnerability in Bitrix24 20.0.0/20.0.975

Insufficiently Protected Credentials in the AD/LDAP server settings in 1C-Bitrix Bitrix24 through 22.200.200 allow remote administrators to discover an AD/LDAP administrative password by reading the source code of /bitrix/admin/ldap_server_edit.php.

4.9
2023-01-18 CVE-2022-34435 Dell Improper Input Validation vulnerability in Dell Idrac9 Firmware

Dell iDRAC9 version 6.00.02.00 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set.

4.9
2023-01-18 CVE-2022-34436 Dell Improper Input Validation vulnerability in Dell Idrac8 Firmware

Dell iDRAC8 version 2.83.83.83 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set.

4.9
2023-01-18 CVE-2023-21836 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).

4.9
2023-01-18 CVE-2023-21840 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS).

4.9
2023-01-18 CVE-2023-21863 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21864 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21865 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21866 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21867 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21870 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21871 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).

4.9
2023-01-18 CVE-2023-21873 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21876 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21878 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21879 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21881 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21883 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

4.9
2023-01-18 CVE-2023-21887 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS).

4.9
2023-01-19 CVE-2022-40697 3Commarketing Cross-site Scripting vulnerability in 3Commarketing 3Com-Asesor-De-Cookies 3.4.3

Auth.

4.8
2023-01-17 CVE-2022-42462 IP Blacklist Cloud Project Cross-site Scripting vulnerability in IP Blacklist Cloud Project IP Blacklist Cloud 5.00

Auth.

4.8
2023-01-16 CVE-2022-2658 Wpspellcheck Unspecified vulnerability in Wpspellcheck

The WP Spell Check WordPress plugin before 9.13 does not escape ignored words, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2023-01-16 CVE-2022-4199 Ylefebvre Unspecified vulnerability in Ylefebvre Link Library

The Link Library WordPress plugin before 7.4.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-01-16 CVE-2022-4299 Metricool Unspecified vulnerability in Metricool

The Metricool WordPress plugin before 1.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-01-16 CVE-2022-4330 Marcomilesi Cross-site Scripting vulnerability in Marcomilesi WP Attachments

The WP Attachments WordPress plugin before 5.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-01-16 CVE-2022-4442 Cozmoslabs Unspecified vulnerability in Cozmoslabs Custom Post Types and Custom Fields Creator

The Custom Post Types and Custom Fields creator WordPress plugin before 2.3.3 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

4.8
2023-01-17 CVE-2021-36647 ARM Use of a Broken or Risky Cryptographic Algorithm vulnerability in ARM Mbed TLS

Use of a Broken or Risky Cryptographic Algorithm in the function mbedtls_mpi_exp_mod() in lignum.c in Mbed TLS Mbed TLS all versions before 3.0.0, 2.27.0 or 2.16.11 allows attackers with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) to recover the private keys used in RSA.

4.7
2023-01-20 CVE-2023-20002 Cisco Server-Side Request Forgery (SSRF) vulnerability in Cisco Roomos and Telepresence Collaboration Endpoint

A vulnerability in Cisco TelePresence CE and RoomOS Software could allow an authenticated, local attacker to bypass access controls and conduct an SSRF attack through an affected device. This vulnerability is due to improper validation of user-supplied input.

4.4
2023-01-18 CVE-2023-21824 Oracle Unspecified vulnerability in Oracle products

Vulnerability in the Oracle Communications BRM - Elastic Charging Engine product of Oracle Communications Applications (component: Customer, Config, Pricing Manager).

4.4
2023-01-18 CVE-2023-21859 Oracle Unspecified vulnerability in Oracle Access Manager 12.2.1.4.0

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine).

4.4
2023-01-18 CVE-2023-21884 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

4.4
2023-01-17 CVE-2022-45440 Zyxel Link Following vulnerability in Zyxel Ax7501-B0 Firmware 5.17(Abpc.1)C0

A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, which processes symbolic links on external storage media.

4.4
2023-01-22 CVE-2023-24058 Twinkletoessoftware Unspecified vulnerability in Twinkletoessoftware Booked 2.5.5

Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId value to reservation_save.php.

4.3
2023-01-19 CVE-2022-46890 Nexusphp Unspecified vulnerability in Nexusphp 1.5

Weak access control in NexusPHP before 1.7.33 allows a remote authenticated user to edit any post in the forum (this is caused by a lack of checks performed by the /forums.php?action=post page).

4.3
2023-01-19 CVE-2023-0406 Modoboa Cross-Site Request Forgery (CSRF) vulnerability in Modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

4.3
2023-01-18 CVE-2023-0290 Rapid7 Path Traversal vulnerability in Rapid7 Velociraptor

Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written.

4.3
2023-01-18 CVE-2023-0385 Kunalnagar Unspecified vulnerability in Kunalnagar Custom 404 PRO

The Custom 404 Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.7.1.

4.3
2023-01-18 CVE-2022-39429 Oracle Unspecified vulnerability in Oracle Java Virtual Machine 19C/21C

Vulnerability in the Java VM component of Oracle Database Server.

4.3
2023-01-18 CVE-2023-21827 Oracle Unspecified vulnerability in Oracle Database 19C/21C

Vulnerability in the Oracle Database Data Redaction component of Oracle Database Server.

4.3
2023-01-18 CVE-2023-21834 Oracle Unspecified vulnerability in Oracle Self-Service Human Resources

Vulnerability in the Oracle Self-Service Human Resources product of Oracle E-Business Suite (component: Workflow, Approval, Work Force Management).

4.3
2023-01-17 CVE-2018-14628 Samba
Fedoraproject
Missing Authorization vulnerability in multiple products

An information leak vulnerability was discovered in Samba's LDAP server.

4.3
2023-01-16 CVE-2022-4549 Tickera Unspecified vulnerability in Tickera

The Tickera WordPress plugin before 3.5.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

4.3
2023-01-18 CVE-2023-21900 Oracle Unspecified vulnerability in Oracle Solaris 10/11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: NSSwitch).

4.0

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-01-18 CVE-2023-21885 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

3.8
2023-01-18 CVE-2023-21889 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

3.8
2023-01-18 CVE-2023-21843 Oracle
Azul
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).
3.7
2023-01-16 CVE-2022-4309 Subscribe2 Project Unspecified vulnerability in Subscribe2 Project Subscribe2

The Subscribe2 WordPress plugin before 10.38 does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete arbitrary users by knowing their email via a CSRF attack.

3.1
2023-01-18 CVE-2023-21874 Oracle Unspecified vulnerability in Oracle Mysql Server

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling).

2.7
2023-01-18 CVE-2023-21882 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

2.7
2023-01-18 CVE-2022-34399 Dell Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products

Dell Alienware m17 R5 BIOS version prior to 1.2.2 contain a buffer access vulnerability.

2.3