Weekly Vulnerabilities Reports > February 20 to 26, 2023

Overview

333 new vulnerabilities reported during this period, including 84 critical vulnerabilities and 103 high severity vulnerabilities. This weekly summary report vulnerabilities in 327 products from 226 vendors including Apache, Linux, Google, Tribe29, and Zoneminder. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Path Traversal", "Cross-Site Request Forgery (CSRF)", and "Use After Free".

  • 291 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 149 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 208 reported vulnerabilities are exploitable by an anonymous user.
  • Apache has the most reported vulnerabilities, with 8 reported vulnerabilities.
  • Apache has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

84 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-02-26 CVE-2023-26602 Asus Command Injection vulnerability in Asus Asmb8-Ikvm Firmware 1.14.51

ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution.

9.8
2023-02-26 CVE-2023-1037 Dental Clinic Appointment Reservation System Project SQL Injection vulnerability in Dental Clinic Appointment Reservation System Project Dental Clinic Appointment Reservation System 1.0

A vulnerability was found in SourceCodester Dental Clinic Appointment Reservation System 1.0.

9.8
2023-02-26 CVE-2023-1038 Online Reviewer Management System Project SQL Injection vulnerability in Online Reviewer Management System Project Online Reviewer Management System 1.0

A vulnerability classified as critical has been found in SourceCodester Online Reviewer Management System 1.0.

9.8
2023-02-26 CVE-2023-1040 Online Graduate Tracer System Project SQL Injection vulnerability in Online Graduate Tracer System Project Online Graduate Tracer System 1.0

A vulnerability, which was classified as critical, has been found in SourceCodester Online Graduate Tracer System 1.0.

9.8
2023-02-25 CVE-2023-26550 BMC SQL Injection vulnerability in BMC Control-M

A SQL injection vulnerability in BMC Control-M before 9.0.20.214 allows attackers to execute arbitrary SQL commands via the memname JSON field.

9.8
2023-02-25 CVE-2022-2024 Gogs OS Command Injection vulnerability in Gogs

OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.

9.8
2023-02-25 CVE-2023-26035 Zoneminder Missing Authorization vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras.

9.8
2023-02-25 CVE-2023-26036 Zoneminder Untrusted Search Path vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras.

9.8
2023-02-25 CVE-2023-26037 Zoneminder SQL Injection vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras.

9.8
2023-02-24 CVE-2022-23535 Litedb Deserialization of Untrusted Data vulnerability in Litedb

LiteDB is a small, fast and lightweight .NET NoSQL embedded database.

9.8
2023-02-24 CVE-2023-24189 Bstek XXE vulnerability in Bstek Urule 2.1.7

An XML External Entity (XXE) vulnerability in urule v2.1.7 allows attackers to execute arbitrary code via uploading a crafted XML file to /urule/common/saveFile.

9.8
2023-02-24 CVE-2021-33224 Umbraco Unrestricted Upload of File with Dangerous Type vulnerability in Umbraco Forms 8.7.0

File upload vulnerability in Umbraco Forms v.8.7.0 allows unauthenticated attackers to execute arbitrary code via a crafted web.config and asp file.

9.8
2023-02-24 CVE-2021-35370 Txjia Unspecified vulnerability in Txjia Imcat 5.4

An issue found in Peacexie Imcat v5.4 allows attackers to execute arbitrary code via the incomplete filtering function.

9.8
2023-02-24 CVE-2021-4105 BG TEK Unspecified vulnerability in Bg-Tek products

Improper Handling of Parameters vulnerability in BG-TEK COSLAT Firewall allows Remote Code Inclusion.This issue affects COSLAT Firewall: from 5.24.0.R.20180630 before 5.24.0.R.20210727.

9.8
2023-02-24 CVE-2023-25691 Apache Improper Input Validation vulnerability in Apache Apache-Airflow-Providers-Google

Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

9.8
2023-02-24 CVE-2023-25693 Apache Improper Input Validation vulnerability in Apache Apache-Airflow-Providers-Apache-Sqoop

Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.

9.8
2023-02-24 CVE-2023-25696 Apache Improper Input Validation vulnerability in Apache Apache-Airflow-Providers-Apache-Hive

Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3.

9.8
2023-02-23 CVE-2023-24212 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.11

Tenda AX3 V16.03.12.11 was discovered to contain a stack overflow via the timeType function at /goform/SetSysTimeCfg.

9.8
2023-02-23 CVE-2022-36231 Newspaperclub Unspecified vulnerability in Newspaperclub PDF Info 0.5.3

pdf_info 0.5.3 is vulnerable to Command Execution because the Ruby code uses backticks instead of Open3.

9.8
2023-02-23 CVE-2023-0754 Rockwellautomation
PTC
GE
Integer Overflow or Wraparound vulnerability in multiple products

The affected products are vulnerable to an integer overflow or wraparound, which could  allow an attacker to crash the server and remotely execute arbitrary code.

9.8
2023-02-23 CVE-2023-0755 PTC
Rockwellautomation
GE
Improper Validation of Array Index vulnerability in multiple products

The affected products are vulnerable to an improper validation of array index, which could allow an attacker to crash the server and remotely execute arbitrary code.

9.8
2023-02-23 CVE-2023-24205 Clash Project Incorrect Permission Assignment for Critical Resource vulnerability in Clash Project Clash 0.20.12

Clash for Windows v0.20.12 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via overwriting the configuration file (cfw-setting.yaml).

9.8
2023-02-23 CVE-2023-25823 Gradio Project Use of Hard-coded Credentials vulnerability in Gradio Project Gradio

Gradio is an open-source Python library to build machine learning and data science demos and web applications.

9.8
2023-02-23 CVE-2023-26326 Themekraft Deserialization of Untrusted Data vulnerability in Themekraft Buddyforms

The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue.

9.8
2023-02-23 CVE-2022-48342 Jetbrains Insecure Default Initialization of Resource vulnerability in Jetbrains Teamcity

In JetBrains TeamCity before 2022.10.2 jVMTI was enabled by default on agents.

9.8
2023-02-23 CVE-2023-0986 Sales Tracker Management System Project SQL Injection vulnerability in Sales Tracker Management System Project Sales Tracker Management System 1.0

A vulnerability classified as critical has been found in SourceCodester Sales Tracker Management System 1.0.

9.8
2023-02-23 CVE-2023-24104 UI Unspecified vulnerability in UI Unifi Dream Machine PRO Firmware 7.2.95

Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets.

9.8
2023-02-23 CVE-2022-2504 SDD Baro Project SQL Injection vulnerability in Sdd-Baro Project Sdd-Baro

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SDD Computer Software SDD-Baro allows SQL Injection.This issue affects SDD-Baro: before 2.8.432.

9.8
2023-02-23 CVE-2023-0980 Yoga Class Registration System Project SQL Injection vulnerability in Yoga Class Registration System Project Yoga Class Registration System 1.0

A vulnerability was found in SourceCodester Yoga Class Registration System 1.0 and classified as critical.

9.8
2023-02-23 CVE-2023-0981 Yoga Class Registration System Project SQL Injection vulnerability in Yoga Class Registration System Project Yoga Class Registration System 1.0

A vulnerability was found in SourceCodester Yoga Class Registration System 1.0.

9.8
2023-02-23 CVE-2023-0982 Yoga Class Registration System Project SQL Injection vulnerability in Yoga Class Registration System Project Yoga Class Registration System 1.0

A vulnerability was found in SourceCodester Yoga Class Registration System 1.0.

9.8
2023-02-23 CVE-2023-0939 Online Services Project SQL Injection vulnerability in Online Services Project Online Services

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NTN Information Technologies Online Services Software allows SQL Injection.This issue affects Online Services Software: before 1.17.

9.8
2023-02-22 CVE-2022-48149 Online Student Admission System Project SQL Injection vulnerability in Online Student Admission System Project Online Student Admission System 1.0

Online Student Admission System in PHP Free Source Code 1.0 was discovered to contain a SQL injection vulnerability via the username parameter.

9.8
2023-02-22 CVE-2022-39983 Instantdeveloper Unrestricted Upload of File with Dangerous Type vulnerability in Instantdeveloper RD3 22.0.8500

File upload vulnerability in Instantdeveloper RD3 22.0.8500, allows attackers to execute arbitrary code.

9.8
2023-02-22 CVE-2022-45599 Aztech Insufficiently Protected Credentials vulnerability in Aztech Wmb250Ac Firmware 0162020

Aztech WMB250AC Mesh Routers Firmware Version 016 2020 is vulnerable to PHP Type Juggling in file /var/www/login.php, allows attackers to gain escalated privileges only when specific conditions regarding a given accounts hashed password.

9.8
2023-02-22 CVE-2023-24114 Typecho Unspecified vulnerability in Typecho

typecho 1.1/17.10.30 was discovered to contain a remote code execution (RCE) vulnerability via install.php.

9.8
2023-02-22 CVE-2023-24093 H3C Improper Authentication vulnerability in H3C A210-G Firmware A210Gv100R005

An access control issue in H3C A210-G A210-GV100R005 allows attackers to authenticate without a password.

9.8
2023-02-22 CVE-2023-24812 Misskey SQL Injection vulnerability in Misskey

Misskey is an open source, decentralized social media platform.

9.8
2023-02-22 CVE-2023-0961 Music Gallery Site Project SQL Injection vulnerability in Music Gallery Site Project Music Gallery Site 1.0

A vulnerability was found in SourceCodester Music Gallery Site 1.0.

9.8
2023-02-22 CVE-2023-0963 Music Gallery Site Project Improper Access Control vulnerability in Music Gallery Site Project Music Gallery Site 1.0

A vulnerability was found in SourceCodester Music Gallery Site 1.0.

9.8
2023-02-22 CVE-2023-25813 Sequelizejs SQL Injection vulnerability in Sequelizejs Sequelize

Sequelize is a Node.js ORM tool.

9.8
2023-02-22 CVE-2023-0960 Seacms Deserialization of Untrusted Data vulnerability in Seacms 11.6

A vulnerability was found in SeaCMS 11.6 and classified as problematic.

9.8
2023-02-22 CVE-2022-41217 Hybridsoftware Unrestricted Upload of File with Dangerous Type vulnerability in Hybridsoftware Cloudflow 2.0.0/2.3.1

Cloudflow contains a unauthenticated file upload vulnerability, which makes it possible for an attacker to upload malicious files to the CLOUDFLOW PROOFSCOPE built-in storage.

9.8
2023-02-22 CVE-2023-24107 Hour OF Code Python 2015 Project Unspecified vulnerability in Hour of Code Python 2015 Project Hour of Code Python 2015 20151211

hour_of_code_python_2015 commit 520929797b9ca43bb818b2e8f963fb2025459fa3 was discovered to contain a code execution backdoor via the request package (requirements.txt).

9.8
2023-02-22 CVE-2023-24108 Zetacomponenets Unspecified vulnerability in Zetacomponenets Mvctools 20080923

MvcTools 6d48cd6830fc1df1d8c9d61caa1805fd6a1b7737 was discovered to contain a code execution backdoor via the request package (requirements.txt).

9.8
2023-02-22 CVE-2023-0947 Flatpress Path Traversal vulnerability in Flatpress

Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3.

9.8
2023-02-21 CVE-2023-24080 Chamberlain Improper Restriction of Excessive Authentication Attempts vulnerability in Chamberlain MYQ 5.222.0.32277

A lack of rate limiting on the password reset endpoint of Chamberlain myQ v5.222.0.32277 (on iOS) allows attackers to compromise user accounts via a bruteforce attack.

9.8
2023-02-21 CVE-2023-24320 Axcora Unspecified vulnerability in Axcora

An access control issue in Axcora POS #0~gitf77ec09 allows unauthenticated attackers to execute arbitrary commands via unspecified vectors.

9.8
2023-02-21 CVE-2023-25157 Osgeo SQL Injection vulnerability in Osgeo Geoserver

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data.

9.8
2023-02-21 CVE-2017-20179 Instedd Unspecified vulnerability in Instedd Pollit 2.3.1

A vulnerability was found in InSTEDD Pollit 2.3.1.

9.8
2023-02-21 CVE-2022-46637 Prolink2U Use of Hard-coded Credentials vulnerability in Prolink2U Prs1841 Firmware UV2

Prolink router PRS1841 was discovered to contain hardcoded credentials for its Telnet and FTP services.

9.8
2023-02-21 CVE-2023-0946 Best POS Management System Project SQL Injection vulnerability in Best POS Management System Project Best POS Management System 1.0

A vulnerability has been found in SourceCodester Best POS Management System 1.0 and classified as critical.

9.8
2023-02-21 CVE-2023-25158 Geotools SQL Injection vulnerability in Geotools

GeoTools is an open source Java library that provides tools for geospatial data.

9.8
2023-02-21 CVE-2023-25657 Networktocode Unspecified vulnerability in Networktocode Nautobot

Nautobot is a Network Source of Truth and Network Automation Platform.

9.8
2023-02-21 CVE-2023-22920 Zyxel Unspecified vulnerability in Zyxel Lte3202-M437 Firmware and Lte3316-M604 Firmware

A security misconfiguration vulnerability exists in the Zyxel LTE3316-M604 firmware version V2.00(ABMP.6)C0 due to a factory default misconfiguration intended for testing purposes.

9.8
2023-02-21 CVE-2015-10083 Harrys Improper Authentication vulnerability in Harrys Dynosaur-Rails

A vulnerability has been found in harrystech Dynosaur-Rails and classified as critical.

9.8
2023-02-21 CVE-2015-10084 Irontec SQL Injection vulnerability in Irontec Klear-Library

A vulnerability was found in irontec klear-library chloe and classified as critical.

9.8
2023-02-21 CVE-2023-24184 Totolink Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

TOTOLink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability.

9.8
2023-02-21 CVE-2022-45564 Znfit SQL Injection vulnerability in Znfit Home Improvement ERP Management System 42

SQL Injection vulnerability in znfit Home improvement ERP management system V50_20220207,v42 allows attackers to execute arbitrary sql commands via the userCode parameter to the wechat applet.

9.8
2023-02-21 CVE-2022-45677 Tuition Management System Project SQL Injection vulnerability in Tuition Management System Project Tuition Management System

SQL Injection Vulnerability in tanujpatra228 Tution Management System (TMS) via the email parameter to processes/student_login.process.php.

9.8
2023-02-21 CVE-2023-0935 Dolphinphp Project OS Command Injection vulnerability in Dolphinphp Project Dolphinphp

A vulnerability was found in DolphinPHP up to 1.5.1.

9.8
2023-02-21 CVE-2023-0938 Music Gallery Site Project SQL Injection vulnerability in Music Gallery Site Project Music Gallery Site 1.0

A vulnerability classified as critical has been found in SourceCodester Music Gallery Site 1.0.

9.8
2023-02-21 CVE-2023-0232 Hasthemes Unspecified vulnerability in Hasthemes Shoplentor

The ShopLentor WordPress plugin before 2.5.4 unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection.

9.8
2023-02-21 CVE-2015-10082 Libimobiledevice XXE vulnerability in Libimobiledevice Libplist 1.12

A vulnerability classified as problematic has been found in UIKit0 libplist 1.12.

9.8
2023-02-21 CVE-2023-26266 AFL Project Unspecified vulnerability in Afl++ Project Afl++ 4.05C

In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.

9.8
2023-02-21 CVE-2023-26234 JD GUI Project Deserialization of Untrusted Data vulnerability in Jd-Gui Project Jd-Gui 1.6.6

JD-GUI 1.6.6 allows deserialization via UIMainWindowPreferencesProvider.singleInstance.

9.8
2023-02-20 CVE-2022-48337 GNU
Debian
OS Command Injection vulnerability in multiple products

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program.

9.8
2023-02-20 CVE-2023-23452 Sick Missing Authentication for Critical Function vulnerability in Sick Fx0-Gpnt00000 Firmware and Fx0-Gpnt00010 Firmware

Missing Authentication for Critical Function in SICK FX0-GPNT v3 Firmware Version V3.04 and V3.05 allows an unprivileged remote attacker to achieve arbitrary remote code execution via maliciously crafted RK512 commands to the listener on TCP port 9000.

9.8
2023-02-20 CVE-2023-23453 Sick Missing Authentication for Critical Function vulnerability in Sick Fx0-Gent00000 Firmware and Fx0-Gent00010 Firmware

Missing Authentication for Critical Function in SICK FX0-GENT v3 Firmware Version V3.04 and V3.05 allows an unprivileged remote attacker to achieve arbitrary remote code execution via maliciously crafted RK512 commands to the listener on TCP port 9000.

9.8
2023-02-20 CVE-2022-48317 Tribe29 Insufficient Session Expiration vulnerability in Tribe29 Checkmk 2.0.0/2.1.0

Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.

9.8
2023-02-20 CVE-2023-25613 Apache Injection vulnerability in Apache Identity Backend

An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3. 

9.8
2023-02-20 CVE-2023-25805 Versionn Project Command Injection vulnerability in Versionn Project Versionn

versionn, software for changing version information across multiple files, has a command injection vulnerability in all versions prior to version 1.1.0.

9.8
2023-02-20 CVE-2012-10008 Oneapp Project SQL Injection vulnerability in Oneapp Project Oneapp

A vulnerability, which was classified as critical, has been found in uakfdotb oneapp.

9.8
2023-02-20 CVE-2013-10019 Oclc SQL Injection vulnerability in Oclc Oaicat

A vulnerability was found in OCLC-Research OAICat 1.5.61.

9.8
2023-02-20 CVE-2023-26092 Puzzle Expression Language Injection vulnerability in Puzzle Liima

Liima before 1.17.28 allows server-side template injection.

9.8
2023-02-20 CVE-2023-26093 Puzzle SQL Injection vulnerability in Puzzle Liima

Liima before 1.17.28 allows Hibernate query language (HQL) injection, related to colToSort in the deployment filter.

9.8
2023-02-20 CVE-2022-48328 Misp Improper Handling of Exceptional Conditions vulnerability in Misp

app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.

9.8
2023-02-20 CVE-2022-48329 Misp Improper Handling of Exceptional Conditions vulnerability in Misp

MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php.

9.8
2023-02-24 CVE-2021-33387 1234N Cross-site Scripting vulnerability in 1234N Minicms 1.10

Cross Site Scripting Vulnerability in MiniCMS v.1.10 allows attacker to execute arbitrary code via a crafted get request.

9.6
2023-02-20 CVE-2021-32853 Erxes Cross-site Scripting vulnerability in Erxes

Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior.

9.6
2023-02-25 CVE-2023-26033 Gentoo SQL Injection vulnerability in Gentoo Soko

Gentoo soko is the code that powers packages.gentoo.org.

9.1
2023-02-24 CVE-2023-26468 Cerebrate Project Unspecified vulnerability in Cerebrate-Project Cerebrate 1.12

Cerebrate 1.12 does not properly consider organisation_id during creation of API keys.

9.1
2023-02-23 CVE-2023-23914 Haxx
Netapp
Cleartext Transmission of Sensitive Information vulnerability in multiple products

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially.

9.1
2023-02-20 CVE-2021-32852 Count Cross-site Scripting vulnerability in Count Countly Server

Countly, a product analytics solution, is vulnerable to cross-site scripting prior to version 21.11 of the community edition.

9.0

103 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-02-26 CVE-2023-1044 Muyucms Path Traversal vulnerability in Muyucms 2.2

A vulnerability was found in MuYuCMS 2.2.

8.8
2023-02-26 CVE-2023-1046 Muyucms Server-Side Request Forgery (SSRF) vulnerability in Muyucms 2.2

A vulnerability classified as critical has been found in MuYuCMS 2.2.

8.8
2023-02-26 CVE-2023-1039 Class AND Exam Timetabling System Project SQL Injection vulnerability in Class and Exam Timetabling System Project Class and Exam Timetabling System 1.0

A vulnerability classified as critical was found in SourceCodester Class and Exam Timetabling System 1.0.

8.8
2023-02-25 CVE-2022-48362 Zohocorp Path Traversal vulnerability in Zohocorp Manageengine Desktop Central

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet.

8.8
2023-02-25 CVE-2023-1035 Clinics Patient Management System Project SQL Injection vulnerability in Clinics Patient Management System Project Clinics Patient Management System 1.0

A vulnerability was found in SourceCodester Clinics Patient Management System 1.0.

8.8
2023-02-25 CVE-2023-1034 Salesagility Path Traversal: '..filename' vulnerability in Salesagility Suitecrm

Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.12.9.

8.8
2023-02-25 CVE-2023-26039 Zoneminder OS Command Injection vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras.

8.8
2023-02-25 CVE-2023-1033 Froxlor Cross-Site Request Forgery (CSRF) vulnerability in Froxlor

Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11.

8.8
2023-02-25 CVE-2023-26034 Zoneminder SQL Injection vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras.

8.8
2023-02-24 CVE-2021-34167 Taogogo Cross-Site Request Forgery (CSRF) vulnerability in Taogogo Taocms 3.0.2

Cross Site Request Forgery (CSRF) vulnerability in taoCMS 3.0.2 allows remote attackers to gain escalated privileges via taocms/admin/admin.php.

8.8
2023-02-24 CVE-2023-0997 Moosikay E Commerce System Project SQL Injection vulnerability in Moosikay E-Commerce System Project Moosikay E-Commerce System 1.0

A vulnerability was found in SourceCodester Moosikay E-Commerce System 1.0.

8.8
2023-02-24 CVE-2023-0999 Sales Tracker Management System Project Cross-Site Request Forgery (CSRF) vulnerability in Sales Tracker Management System Project Sales Tracker Management System 1.0

A vulnerability classified as problematic was found in SourceCodester Sales Tracker Management System 1.0.

8.8
2023-02-24 CVE-2022-1607 ABB Cross-Site Request Forgery (CSRF) vulnerability in ABB Infinity DC Power Plant and Ne843 S

Cross-Site Request Forgery (CSRF) vulnerability in ABB Pulsar Plus System Controller NE843_S, ABB Infinity DC Power Plant allows Cross Site Request Forgery.This issue affects Pulsar Plus System Controller NE843_S : comcode 150042936; Infinity DC Power Plant: H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) – comcode 150047415.

8.8
2023-02-23 CVE-2023-23294 Korenix Command Injection vulnerability in Korenix products

Korenix JetWave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to Command Injection.

8.8
2023-02-23 CVE-2023-23295 Korenix Command Injection vulnerability in Korenix products

Korenix Jetwave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to Command Injection via /goform/formSysCmd.

8.8
2023-02-23 CVE-2023-20011 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Network Controller, formerly Cisco Cloud APIC, could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.

8.8
2023-02-23 CVE-2023-23917 Rocket Chat Unspecified vulnerability in Rocket.Chat

A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account.

8.8
2023-02-23 CVE-2023-26325 Wpdeveloper SQL Injection vulnerability in Wpdeveloper Reviewx

The 'rx_export_review' action in the ReviewX WordPress Plugin version < 1.6.4, is affected by an authenticated SQL injection vulnerability in the 'filterValue' and 'selectedColumns' parameters.

8.8
2023-02-23 CVE-2023-0988 Online Pizza Ordering System Project Cross-Site Request Forgery (CSRF) vulnerability in Online Pizza Ordering System Project Online Pizza Ordering System 1.0

A vulnerability, which was classified as problematic, has been found in SourceCodester Online Pizza Ordering System 1.0.

8.8
2023-02-23 CVE-2023-24415 Quantumcloud Cross-Site Request Forgery (CSRF) vulnerability in Quantumcloud Chatbot

Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.2.8 versions.

8.8
2023-02-23 CVE-2023-23659 Mainwp Cross-Site Request Forgery (CSRF) vulnerability in Mainwp Motomo

Cross-Site Request Forgery (CSRF) vulnerability in MainWP Matomo Extension <= 4.0.4 versions.

8.8
2023-02-23 CVE-2023-24384 Wpdevart Cross-Site Request Forgery (CSRF) vulnerability in Wpdevart Organization Chart

Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart <= 1.4.4 versions.

8.8
2023-02-23 CVE-2022-48341 Thingsboard Unspecified vulnerability in Thingsboard 3.4.1

ThingsBoard 3.4.1 could allow a remote authenticated attacker to achieve Vertical Privilege Escalation.

8.8
2023-02-22 CVE-2022-45600 Aztech Command Injection vulnerability in Aztech Wmb250Ac Firmware 0162020

Aztech WMB250AC Mesh Routers Firmware Version 016 2020 devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login.

8.8
2023-02-22 CVE-2023-22973 Open EMR Path Traversal vulnerability in Open-Emr Openemr

A Local File Inclusion (LFI) vulnerability in interface/forms/LBF/new.php in OpenEMR < 7.0.0 allows remote authenticated users to execute code via the formname parameter.

8.8
2023-02-22 CVE-2023-0927 Google Use After Free vulnerability in Google Chrome

Use after free in Web Payments API in Google Chrome on Android prior to 110.0.5481.177 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-02-22 CVE-2023-0928 Google Use After Free vulnerability in Google Chrome

Use after free in SwiftShader in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-02-22 CVE-2023-0929 Google Use After Free vulnerability in Google Chrome

Use after free in Vulkan in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-02-22 CVE-2023-0930 Google Out-of-bounds Write vulnerability in Google Chrome

Heap buffer overflow in Video in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-02-22 CVE-2023-0931 Google Use After Free vulnerability in Google Chrome

Use after free in Video in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-02-22 CVE-2023-0932 Google Use After Free vulnerability in Google Chrome

Use after free in WebRTC in Google Chrome on Windows prior to 110.0.5481.177 allowed a remote attacker who convinced the user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-02-22 CVE-2023-0933 Google Integer Overflow or Wraparound vulnerability in Google Chrome

Integer overflow in PDF in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

8.8
2023-02-22 CVE-2023-0941 Google Use After Free vulnerability in Google Chrome

Use after free in Prompts in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-02-22 CVE-2023-0966 Online Eyewear Shop Project Cross-site Scripting vulnerability in Online Eyewear Shop Project Online Eyewear Shop 1.0

A vulnerability classified as problematic was found in SourceCodester Online Eyewear Shop 1.0.

8.8
2023-02-22 CVE-2023-0962 Music Gallery Site Project SQL Injection vulnerability in Music Gallery Site Project Music Gallery Site 1.0

A vulnerability was found in SourceCodester Music Gallery Site 1.0.

8.8
2023-02-22 CVE-2022-43873 IBM Unspecified vulnerability in IBM Spectrum Virtualize

An authenticated user can exploit a vulnerability in the IBM Spectrum Virtualize 8.2, 8.3, 8.4, and 8.5 GUI to execute code and escalate their privilege on the system.

8.8
2023-02-22 CVE-2022-41216 Hybridsoftware Path Traversal vulnerability in Hybridsoftware Cloudflow 2.0.0/2.3.1

Local File Inclusion vulnerability within Cloudflow allows attackers to retrieve confidential information from the system.

8.8
2023-02-22 CVE-2023-26314 Mono Project
Debian
The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable MIME type is associated with an un-sandboxed Mono CLR interpreter.
8.8
2023-02-22 CVE-2023-20855 Vmware XXE vulnerability in VMWare Vrealize Automation and Vrealize Orchestrator

VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability.

8.8
2023-02-21 CVE-2023-25812 Minio Unspecified vulnerability in Minio

Minio is a Multi-Cloud Object Storage framework.

8.8
2023-02-21 CVE-2023-0943 Best POS Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Best POS Management System Project Best POS Management System 1.0

A vulnerability, which was classified as problematic, has been found in SourceCodester Best POS Management System 1.0.

8.8
2023-02-20 CVE-2015-10081 Submitbymailplugin Project Cross-Site Request Forgery (CSRF) vulnerability in Submitbymailplugin Project Submitbymailplugin 1.0B2.9

A vulnerability was found in arnoldle submitByMailPlugin 1.0b2.9 and classified as problematic.

8.8
2023-02-20 CVE-2022-46836 Tribe29 Code Injection vulnerability in Tribe29 Checkmk 2.0.0/2.1.0

PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component.

8.8
2023-02-24 CVE-2023-26102 Rangy Project Unspecified vulnerability in Rangy Project Rangy

All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype

8.2
2023-02-26 CVE-2023-1045 Muyucms Path Traversal vulnerability in Muyucms 2.2

A vulnerability was found in MuYuCMS 2.2.

8.1
2023-02-25 CVE-2023-26032 Zoneminder SQL Injection vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras.

8.1
2023-02-23 CVE-2023-24317 Judging Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Judging Management System Project Judging Management System 1.0

Judging Management System 1.0 was discovered to contain an arbitrary file upload vulnerability via the component edit_organizer.php.

8.1
2023-02-23 CVE-2023-26462 Thingsboard Use of Hard-coded Credentials vulnerability in Thingsboard 3.4.1

ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format.

8.1
2023-02-22 CVE-2023-0964 Sales Tracker Management System Project SQL Injection vulnerability in Sales Tracker Management System Project Sales Tracker Management System 1.0

A vulnerability classified as critical has been found in SourceCodester Sales Tracker Management System 1.0.

8.1
2023-02-26 CVE-2023-26605 Linux Use After Free vulnerability in Linux Kernel

In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_move_to_attached in fs/fs-writeback.c, related to __list_del_entry_valid.

7.8
2023-02-26 CVE-2023-26606 Linux Use After Free vulnerability in Linux Kernel

In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.

7.8
2023-02-26 CVE-2023-1047 Techpowerup Improper Initialization vulnerability in Techpowerup Realtemp 3.7.0.0

A vulnerability classified as critical was found in TechPowerUp RealTemp 3.7.0.0.

7.8
2023-02-26 CVE-2023-1048 Techpowerup Improper Initialization vulnerability in Techpowerup Dram Calculator for Ryzen 1.7.3

A vulnerability, which was classified as critical, has been found in TechPowerUp Ryzen DRAM Calculator 1.2.0.5.

7.8
2023-02-25 CVE-2023-26544 Linux Use After Free vulnerability in Linux Kernel

In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.

7.8
2023-02-24 CVE-2023-1007 Filseclab Improper Access Control vulnerability in Filseclab Twister Antivirus 8.17

A vulnerability was found in Twister Antivirus 8.17.

7.8
2023-02-24 CVE-2023-1005 Markdown Electron Project Code Injection vulnerability in Markdown-Electron Project Markdown-Electron

A vulnerability was found in JP1016 Markdown-Electron and classified as critical.

7.8
2023-02-24 CVE-2023-1004 Marktext Code Injection vulnerability in Marktext

A vulnerability has been found in MarkText up to 0.17.1 on Windows and classified as critical.

7.8
2023-02-24 CVE-2023-0996 Struktur Classic Buffer Overflow vulnerability in Struktur Libheif 1.14.2

There is a vulnerability in the strided image data parsing code in the emscripten wrapper for libheif.

7.8
2023-02-23 CVE-2023-20050 Cisco OS Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device.

7.8
2023-02-22 CVE-2023-0104 Weintek Path Traversal vulnerability in Weintek Easybuilder PRO

The listed versions for Weintek EasyBuilder Pro are vulnerable to a ZipSlip attack caused by decompiling a malicious project file.

7.8
2023-02-21 CVE-2023-24575 Dell Unspecified vulnerability in Dell Multifunction Printer E525W Driver and Software Suite

Dell Multifunction Printer E525w Driver and Software Suite, versions prior to 1.047.2022, A05, contain a local privilege escalation vulnerability that could be exploited by malicious users to compromise the affected system

7.8
2023-02-21 CVE-2023-26242 Linux Integer Overflow or Wraparound vulnerability in Linux Kernel

afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.

7.8
2023-02-20 CVE-2022-48339 GNU Improper Encoding or Escaping of Output vulnerability in GNU Emacs

An issue was discovered in GNU Emacs through 28.2.

7.8
2023-02-20 CVE-2022-47909 Tribe29 Unspecified vulnerability in Tribe29 Checkmk 2.0.0/2.1.0

Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost.

7.8
2023-02-20 CVE-2016-15026 DD Plist Project XXE vulnerability in Dd-Plist Project Dd-Plist

A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic.

7.8
2023-02-26 CVE-2022-48363 Linuxfoundation Reachable Assertion vulnerability in Linuxfoundation Automotive Grade Linux

In MPD before 0.23.8, as used on Automotive Grade Linux and other platforms, the PipeWire output plugin mishandles a Drain call in certain situations involving truncated files.

7.5
2023-02-25 CVE-2023-26103 Deno Unspecified vulnerability in Deno

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header.

7.5
2023-02-25 CVE-2023-26104 Lite WEB Server Project Resource Exhaustion vulnerability in Lite-Web-Server Project Lite-Web-Server

All versions of the package lite-web-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.

7.5
2023-02-25 CVE-2023-25821 Nextcloud Unspecified vulnerability in Nextcloud Server

Nextcloud is an Open Source private cloud software.

7.5
2023-02-24 CVE-2021-34249 Online Book Store Project SQL Injection vulnerability in Online Book Store Project Online Book Store 1.0

SQL injection vulnerability in sourcecodester online-book-store 1.0 allows remote attackers to view sensitive information via the id paremeter in application URL.

7.5
2023-02-24 CVE-2022-44310 Ecdh Project Exposure of Resource to Wrong Sphere vulnerability in Ecdh Project Ecdh 0.0.0/0.1.0/0.1.1

In Development IL ecdh before 0.2.0, an attacker can send an invalid point (not on the curve) as the public key, and obtain the derived shared secret.

7.5
2023-02-24 CVE-2023-25692 Apache Improper Input Validation vulnerability in Apache Apache-Airflow-Providers-Google

Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

7.5
2023-02-24 CVE-2023-25956 Apache Information Exposure Through an Error Message vulnerability in Apache Apache-Airflow-Providers-Amazon

Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1.

7.5
2023-02-24 CVE-2023-0994 Rosariosis Information Exposure vulnerability in Rosariosis

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository francoisjacquet/rosariosis prior to 10.8.2.

7.5
2023-02-23 CVE-2023-25824 MOD Gnutls Project Infinite Loop vulnerability in MOD Gnutls Project MOD Gnutls 0.10.0/0.9.0/0.9.1

Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS.

7.5
2023-02-23 CVE-2022-4492 Redhat Unspecified vulnerability in Redhat products

The undertow client is not checking the server identity presented by the server certificate in https connections.

7.5
2023-02-23 CVE-2023-23918 Nodejs Incorrect Authorization vulnerability in Nodejs Node.Js

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require().

7.5
2023-02-23 CVE-2023-23919 Nodejs Unspecified vulnerability in Nodejs Node.Js

A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it.

7.5
2023-02-22 CVE-2023-22974 Open EMR Files or Directories Accessible to External Parties vulnerability in Open-Emr Openemr

A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server.

7.5
2023-02-22 CVE-2023-25579 Nextcloud Path Traversal vulnerability in Nextcloud Server

Nextcloud server is a self hosted home cloud product.

7.5
2023-02-22 CVE-2023-23040 TP Link Use of a Broken or Risky Cryptographic Algorithm vulnerability in Tp-Link Tl-Wr940N Firmware 63.19.1

TP-Link router TL-WR940N V6 3.19.1 Build 180119 uses a deprecated MD5 algorithm to hash the admin password used for basic authentication.

7.5
2023-02-22 CVE-2023-23063 Cellinx Path Traversal vulnerability in Cellinx NVT web Server 1.0.6.002B

Cellinx NVT v1.0.6.002b is vulnerable to local file disclosure.

7.5
2023-02-22 CVE-2022-2883 Octopus Unrestricted Upload of File with Dangerous Type vulnerability in Octopus Server

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

7.5
2023-02-21 CVE-2015-10085 Gopistolet Project Unspecified vulnerability in Gopistolet Project Gopistolet

A vulnerability was found in GoPistolet.

7.5
2023-02-21 CVE-2017-20178 Codiad Unspecified vulnerability in Codiad 2.8.0

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Codiad 2.8.0.

7.5
2023-02-21 CVE-2022-31394 Hyper Allocation of Resources Without Limits or Throttling vulnerability in Hyper

Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks.

7.5
2023-02-21 CVE-2022-3353 Hitachienergy Improper Resource Shutdown or Release vulnerability in Hitachienergy products

A vulnerability exists in the IEC 61850 communication stack that affects multiple Hitachi Energy products.  An attacker could exploit the vulnerability by using a specially crafted message sequence, to force the IEC 61850 MMS-server communication stack, to stop accepting new MMS-client connections.  Already existing/established client-server connections are not affected. List of affected CPEs: * cpe:2.3:o:hitachienergy:fox61x_tego1:r15b08:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:fox61x_tego1:r2a16_3:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:fox61x_tego1:r2a16:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:fox61x_tego1:r1e01:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:fox61x_tego1:r1d02:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:fox61x_tego1:r1c07:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:fox61x_tego1:r1b02:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:gms600:1.3.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:itt600_sa_explorer:1.1.*:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:itt600_sa_explorer:1.5.*:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:itt600_sa_explorer:1.6.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:itt600_sa_explorer:1.6.0.1:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:itt600_sa_explorer:1.7.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:itt600_sa_explorer:1.7.2:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:itt600_sa_explorer:1.8.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:itt600_sa_explorer:2.0.*:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:itt600_sa_explorer:2.1.0.4:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:itt600_sa_explorer:2.1.0.5:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:microscada_x_sys600:10:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:microscada_x_sys600:10.*:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2.1:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3.1:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:microscada_x_sys600:10.4:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:microscada_x_sys600:10.4.1:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:mms:2.2.3:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:pwc600:1.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:pwc600:1.1:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:pwc600:1.2:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:reb500:7:*:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:reb500:8:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:relion670:1.2.*:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:relion670:2.0.*:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:relion650:1.1.*:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:relion650:1.3.*:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:relion650:2.1.*:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:relion670:2.1.*:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:relionSAM600-IO:2.2.1:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:relionSAM600-IO:2.2.5:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:relion670:2.2.*:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:relion650:2.2.*:*:*:*:*:*:*:* * cpe:2.3:o:hitachienergy:rtu500cmu:12.*.*:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:rtu500cmu:13.*.*:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:txpert_hub_coretec_4:2.*:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:txpert_hub_coretec_4:3.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:txpert_hub_coretec_5:3.0:*:*:*:*:*:*:*

7.5
2023-02-21 CVE-2022-48340 Gluster Use After Free vulnerability in Gluster Glusterfs 11.0

In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.

7.5
2023-02-21 CVE-2023-26249 NIC Allocation of Resources Without Limits or Throttling vulnerability in NIC Knot Resolver

Knot Resolver before 5.6.0 enables attackers to consume its resources, launching amplification attacks and potentially causing a denial of service.

7.5
2023-02-21 CVE-2023-26253 Gluster Out-of-bounds Read vulnerability in Gluster Glusterfs 11.0

In Gluster GlusterFS 11.0, there is an xlators/mount/fuse/src/fuse-bridge.c notify stack-based buffer over-read.

7.5
2023-02-20 CVE-2022-44216 SIR Missing Authentication for Critical Function vulnerability in SIR Gnuboard 5.5.4/5.5.5

Gnuboard 5.5.4 and 5.5.5 is vulnerable to Insecure Permissions.

7.5
2023-02-20 CVE-2019-25104 Rtcwcoop Improper Resource Shutdown or Release vulnerability in Rtcwcoop 1.0.2

A vulnerability has been found in rtcwcoop 1.0.2 and classified as problematic.

7.5
2023-02-20 CVE-2021-32848 Octobox Project Unspecified vulnerability in Octobox Project Octobox

Octobox is software for managing GitHub notifications.

7.5
2023-02-20 CVE-2022-46303 Tribe29 OS Command Injection vulnerability in Tribe29 Checkmk 2.0.0/2.1.0

Command injection in SMS notifications in Tribe29 Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker with User Management permissions, as well as LDAP administrators in certain scenarios, to perform arbitrary commands within the context of the application's local permissions.

7.5
2023-02-20 CVE-2023-24998 Apache
Debian
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

7.5
2023-02-20 CVE-2023-25570 Apolloconfig Missing Authentication for Critical Function vulnerability in Apolloconfig Apollo

Apollo is a configuration management system.

7.5
2023-02-20 CVE-2023-25656 Notaryproject Allocation of Resources Without Limits or Throttling vulnerability in Notaryproject Notation-Go 0.7.0/0.8.0/0.9.0

notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts.

7.5
2023-02-20 CVE-2023-26081 Gnome
Fedoraproject
Exposure of Resource to Wrong Sphere vulnerability in multiple products

In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts.

7.5
2023-02-20 CVE-2022-48338 GNU Command Injection vulnerability in GNU Emacs

An issue was discovered in GNU Emacs through 28.2.

7.3
2023-02-24 CVE-2021-35290 Balero CMS Project Unrestricted Upload of File with Dangerous Type vulnerability in Balero CMS Project Balero CMS 0.8.3

File Upload vulnerability in balerocms-src 0.8.3 allows remote attackers to run arbitrary code via rich text editor on /admin/main/mod-blog page.

7.2
2023-02-22 CVE-2023-20858 Vmware Injection vulnerability in VMWare Carbon Black APP Control

VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x.prior to 8.9.4 contain an injection vulnerability.

7.2
2023-02-21 CVE-2022-48282 Mongodb Deserialization of Untrusted Data vulnerability in Mongodb C# Driver

Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services.

7.2
2023-02-26 CVE-2023-26607 Linux
Netapp
Out-of-bounds Read vulnerability in multiple products

In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.

7.1

143 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-02-23 CVE-2023-20015 Cisco OS Command Injection vulnerability in Cisco products

A vulnerability in the CLI of Cisco Firepower 4100 Series, Cisco Firepower 9300 Security Appliances, and Cisco UCS 6200, 6300, 6400, and 6500 Series Fabric Interconnects could allow an authenticated, local attacker to inject unauthorized commands.

6.7
2023-02-26 CVE-2021-3329 Zephyrproject Improper Initialization vulnerability in Zephyrproject Zephyr 2.4.0

Lack of proper validation in HCI Host stack initialization can cause a crash of the bluetooth stack

6.5
2023-02-25 CVE-2023-26038 Zoneminder Untrusted Search Path vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras.

6.5
2023-02-25 CVE-2023-25816 Nextcloud Resource Exhaustion vulnerability in Nextcloud Server 25.0.0/25.0.2

Nextcloud is an Open Source private cloud software.

6.5
2023-02-24 CVE-2021-35369 Txjia Unspecified vulnerability in Txjia Imcat 5.2/5.3

Arbitrary File Read vulnerability found in Peacexie ImCat v.5.2 fixed in v.5.4 allows attackers to obtain sensitive information via the filtering_get_contents function.

6.5
2023-02-24 CVE-2023-1002 Muyucms Path Traversal vulnerability in Muyucms 2.2

A vulnerability, which was classified as problematic, has been found in MuYuCMS 2.2.

6.5
2023-02-23 CVE-2023-23296 Korenix Resource Exhaustion vulnerability in Korenix products

Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to Denial of Service via /goform/formDefault.

6.5
2023-02-23 CVE-2023-20016 Cisco Use of Insufficiently Random Values vulnerability in Cisco products

A vulnerability in the backup configuration feature of Cisco UCS Manager Software and in the configuration export feature of Cisco FXOS Software could allow an unauthenticated attacker with access to a backup file to decrypt sensitive information stored in the full state and configuration backup files.

6.5
2023-02-23 CVE-2023-20089 Cisco Memory Leak vulnerability in Cisco Nx-Os

A vulnerability in the Link Layer Discovery Protocol (LLDP) feature for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) Mode could allow an unauthenticated, adjacent attacker to cause a memory leak, which could result in an unexpected reload of the device.

6.5
2023-02-23 CVE-2023-23915 Haxx
Netapp
Cleartext Transmission of Sensitive Information vulnerability in multiple products

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel.

6.5
2023-02-23 CVE-2023-23916 Haxx
Fedoraproject
Debian
Netapp
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms.

6.5
2023-02-23 CVE-2023-0815 Opennms Information Exposure Through Log Files vulnerability in Opennms Horizon

Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4.

6.5
2023-02-23 CVE-2023-25621 Apache Unspecified vulnerability in Apache Sling I18N

Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Any content author is able to create i18n dictionaries in the repository in a location the author has write access to.

6.5
2023-02-22 CVE-2022-43870 IBM Information Exposure Through Log Files vulnerability in IBM Spectrum Virtualize 8.3.0.0/8.4.0.0/8.5.0.0

IBM Spectrum Virtualize 8.3, 8.4, and 8.5 could disclose SNMPv3 server credentials to an authenticated user in log files.

6.5
2023-02-21 CVE-2023-23009 Libreswan
Debian
Resource Exhaustion vulnerability in multiple products

Libreswan 4.9 allows remote attackers to cause a denial of service (assert failure and daemon restart) via crafted TS payload with an incorrect selector length.

6.5
2023-02-21 CVE-2023-0936 TP Link Improper Resource Shutdown or Release vulnerability in Tp-Link Archer C50 V2160801

A vulnerability was found in TP-Link Archer C50 V2_160801.

6.5
2023-02-21 CVE-2023-26267 PHP Saml SP Project XXE vulnerability in PHP-Saml-Sp Project PHP-Saml-Sp

php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via \LIBXML_DTDLOAD | \LIBXML_DTDATTR.

6.5
2023-02-20 CVE-2021-32847 Mobyproject Out-of-bounds Read vulnerability in Mobyproject Hyperkit

HyperKit is a toolkit for embedding hypervisor capabilities in an application.

6.5
2023-02-26 CVE-2023-1042 Online PET Shop WE APP Project Cross-site Scripting vulnerability in Online PET Shop WE APP Project Online PET Shop WE APP 1.0

A vulnerability has been found in SourceCodester Online Pet Shop We App 1.0 and classified as problematic.

6.1
2023-02-26 CVE-2023-1036 Dental Clinic Appointment Reservation System Project Cross-site Scripting vulnerability in Dental Clinic Appointment Reservation System Project Dental Clinic Appointment Reservation System 1.0

A vulnerability was found in SourceCodester Dental Clinic Appointment Reservation System 1.0.

6.1
2023-02-26 CVE-2023-1041 Simple Responsive Tourism Website Project Cross-site Scripting vulnerability in Simple Responsive Tourism Website Project Simple Responsive Tourism Website 1.0

A vulnerability, which was classified as problematic, was found in SourceCodester Simple Responsive Tourism Website 1.0.

6.1
2023-02-26 CVE-2019-25105 DRO PM Project Cross-site Scripting vulnerability in Dro.Pm Project Dro.Pm

A vulnerability, which was classified as problematic, was found in dro.pm.

6.1
2023-02-26 CVE-2023-26091 Frappant Cross-site Scripting vulnerability in Frappant Forms Export

The frp_form_answers (aka Forms Export) extension before 3.1.2, and 4.x before 4.0.2, for TYPO3 allows XSS via saved emails.

6.1
2023-02-25 CVE-2023-25825 Zoneminder Cross-site Scripting vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras.

6.1
2023-02-24 CVE-2023-1030 Online Boat Reservation System Project Cross-site Scripting vulnerability in Online Boat Reservation System Project Online Boat Reservation System 1.0

A vulnerability has been found in SourceCodester Online Boat Reservation System 1.0 and classified as problematic.

6.1
2023-02-24 CVE-2022-48345 Paypal Cross-site Scripting vulnerability in Paypal Braintree/Sanitize-Url

sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.

6.1
2023-02-23 CVE-2022-46784 Squaredup Open Redirect vulnerability in Squaredup Dashboard Server

SquaredUp Dashboard Server SCOM edition before 5.7.1 GA allows open redirection.

6.1
2023-02-23 CVE-2022-46785 Squaredup Cross-site Scripting vulnerability in Squaredup Dashboard Server

SquaredUp Dashboard Server SCOM edition before 5.7.1 GA allows XSS (issue 1 of 2).

6.1
2023-02-23 CVE-2023-0044 Quarkus
Redhat
Cross-site Scripting vulnerability in multiple products

If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure.

6.1
2023-02-23 CVE-2022-48343 Jetbrains Cross-site Scripting vulnerability in Jetbrains Teamcity

In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the user creation process.

6.1
2023-02-23 CVE-2022-48344 Jetbrains Cross-site Scripting vulnerability in Jetbrains Teamcity

In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the group creation process.

6.1
2023-02-23 CVE-2023-0867 Opennms Cross-site Scripting vulnerability in Opennms Horizon

Multiple stored and reflected cross-site scripting vulnerabilities in webapp jsp pages in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4.

6.1
2023-02-23 CVE-2023-0868 Opennms Cross-site Scripting vulnerability in Opennms Horizon

Reflected cross-site scripting in graph results in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to steal session cookies. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4.

6.1
2023-02-23 CVE-2023-0869 Opennms Cross-site Scripting vulnerability in Opennms Horizon

Cross-site scripting in outage/list.htm in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information.

6.1
2023-02-22 CVE-2022-29273 Netgate Cross-site Scripting vulnerability in Netgate Pfsense

pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters.

6.1
2023-02-22 CVE-2023-24810 Misskey Cross-site Scripting vulnerability in Misskey

Misskey is an open source, decentralized social media platform.

6.1
2023-02-22 CVE-2023-24811 Misskey Cross-site Scripting vulnerability in Misskey

Misskey is an open source, decentralized social media platform.

6.1
2023-02-22 CVE-2023-0846 Opennms Cross-site Scripting vulnerability in Opennms Horizon

Unauthenticated, stored cross-site scripting in the display of alarm reduction keys in multiple versions of OpenNMS Horizon and Meridian could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4.

6.1
2023-02-22 CVE-2023-25154 Misskey Cross-site Scripting vulnerability in Misskey

Misskey is an open source, decentralized social media platform.

6.1
2023-02-22 CVE-2021-4325 Nhncloud Cross-site Scripting vulnerability in Nhncloud Toast UI Chart 4.1.4

A vulnerability, which was classified as problematic, has been found in NHN TOAST UI Chart 4.1.4.

6.1
2023-02-22 CVE-2022-38779 Elastic Open Redirect vulnerability in Elastic Kibana

An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL.

6.1
2023-02-21 CVE-2023-0942 Artisanworkshop Unspecified vulnerability in Artisanworkshop Japanized for Woocommerce

The Japanized For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping.

6.1
2023-02-21 CVE-2023-22984 Axis Cross-site Scripting vulnerability in Axis 207W Firmware

A Vulnerability was discovered in Axis 207W network camera.

6.1
2023-02-21 CVE-2021-32854 Textangular Cross-site Scripting vulnerability in Textangular

textAngular is a text editor for Angular.js.

6.1
2023-02-21 CVE-2021-32855 B3Log Cross-site Scripting vulnerability in B3Log Vditor

Vditor is a browser-side Markdown editor.

6.1
2023-02-21 CVE-2021-32856 Microweber Cross-site Scripting vulnerability in Microweber

Microweber is a drag and drop website builder and content management system.

6.1
2023-02-21 CVE-2021-32857 Agentejo Cross-site Scripting vulnerability in Agentejo Cockpit

Cockpit is a content management system that allows addition of content management functionality to any site.

6.1
2023-02-21 CVE-2021-32858 Esdoc Cross-site Scripting vulnerability in Esdoc Esdoc-Publish-Html-Plugin

esdoc-publish-html-plugin is a plugin for the document maintenance software ESDoc.

6.1
2023-02-21 CVE-2021-32859 Baremetrics Cross-site Scripting vulnerability in Baremetrics Date Range Picker

The Baremetrics date range picker is a solution for selecting both date ranges and single dates from a single calender view.

6.1
2023-02-21 CVE-2021-32860 Izimodal Project Cross-site Scripting vulnerability in Izimodal Project Izimodal

iziModal is a modal plugin with jQuery.

6.1
2023-02-21 CVE-2022-4897 Ithemes Unspecified vulnerability in Ithemes Backupbuddy 8.5.8.0/8.7.4.1/8.7.5.0

The BackupBuddy WordPress plugin before 8.8.3 does not sanitise and escape some parameters before outputting them back in various places, leading to Reflected Cross-Site Scripting

6.1
2023-02-21 CVE-2023-0428 Kibokolabs Cross-site Scripting vulnerability in Kibokolabs Watu Quiz

The Watu Quiz WordPress plugin before 3.3.8.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

6.1
2023-02-21 CVE-2023-0442 Loan Comparison Project Unspecified vulnerability in Loan Comparison Project Loan Comparison

The Loan Comparison WordPress plugin before 1.5.3 does not validate and escape some of its query parameters before outputting them back in a page/post via an embedded shortcode, which could allow an attacker to inject javascript into into the site via a crafted URL.

6.1
2023-02-21 CVE-2014-125089 Cention Chatserver Project Cross-site Scripting vulnerability in Cention-Chatserver Project Cention-Chatserver 3.8.0

A vulnerability was found in cention-chatserver 3.8.0-rc1.

6.1
2023-02-21 CVE-2023-26235 JD GUI Project Cross-site Scripting vulnerability in Jd-Gui Project Jd-Gui 1.6.6

JD-GUI 1.6.6 allows XSS via util/net/InterProcessCommunicationUtil.java.

6.1
2023-02-20 CVE-2021-32850 Jquery Minicolors Project Cross-site Scripting vulnerability in Jquery-Minicolors Project Jquery-Minicolors

jQuery MiniColors is a color picker built on jQuery.

6.1
2023-02-20 CVE-2021-32851 Mind Elixir Project Cross-site Scripting vulnerability in Mind-Elixir Project Mind-Elixir

Mind-elixir is a free, open source mind map core.

6.1
2023-02-20 CVE-2022-3901 Visioglobe Unspecified vulnerability in Visioglobe Visioweb 1.10.6

Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system.

6.1
2023-02-20 CVE-2016-15027 Metaphorcreations Cross-site Scripting vulnerability in Metaphorcreations Post Duplicator 2.18

A vulnerability was found in meta4creations Post Duplicator Plugin 2.18 on WordPress.

6.1
2023-02-20 CVE-2015-10080 Nrel Cross-site Scripting vulnerability in Nrel API Umbrella 0.7.1

A vulnerability was found in NREL api-umbrella-web 0.7.1.

6.1
2023-02-20 CVE-2016-15025 Generator Hottowel Project Cross-site Scripting vulnerability in Generator-Hottowel Project Generator-Hottowel 0.0.11

A vulnerability, which was classified as problematic, was found in generator-hottowel 0.0.11.

6.1
2023-02-20 CVE-2014-125088 QT Users Cross-site Scripting vulnerability in Qt-Users Silk 0.0.1

A vulnerability was found in qt-users-jp silk 0.0.1.

6.1
2023-02-22 CVE-2023-23039 Linux Race Condition vulnerability in Linux Kernel

An issue was discovered in the Linux kernel through 6.2.0-rc2.

5.7
2023-02-20 CVE-2023-25569 Apolloconfig Cross-Site Request Forgery (CSRF) vulnerability in Apolloconfig Apollo

Apollo is a configuration management system.

5.7
2023-02-24 CVE-2023-23205 MZ Automation Memory Leak vulnerability in Mz-Automation Lib60870 2.3.2

An issue was discovered in lib60870 v2.3.2.

5.5
2023-02-24 CVE-2022-43923 IBM Information Exposure Through Log Files vulnerability in IBM Maximo Application Suite 8.8.0/8.9.0

IBM Maximo Application Suite 8.8.0 and 8.9.0 stores potentially sensitive information that could be read by a local user.

5.5
2023-02-24 CVE-2023-1008 Filseclab Improper Resource Shutdown or Release vulnerability in Filseclab Twister Antivirus 8.17

A vulnerability was found in Twister Antivirus 8.17.

5.5
2023-02-24 CVE-2023-1009 Draytek Path Traversal vulnerability in Draytek Vigor2960 Firmware 1.5.1.4

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5.

5.5
2023-02-24 CVE-2023-1010 Vox2Png Project Heap-based Buffer Overflow vulnerability in Vox2Png Project Vox2Png 1.0

A vulnerability classified as critical was found in vox2png 1.0.

5.5
2023-02-24 CVE-2022-46440 Swftools Unspecified vulnerability in Swftools 0.9.2

ttftool v0.9.2 was discovered to contain a segmentation violation via the readU16 function at ttf.c.

5.5
2023-02-23 CVE-2023-0597 Linux Memory Leak vulnerability in Linux Kernel 6.2

A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data.

5.5
2023-02-23 CVE-2023-26303 Executablebooks Unspecified vulnerability in Executablebooks Markdown-It-Py

Denial of service could be caused to markdown-it-py, before v2.2.0, if an attacker was allowed to force null assertions with specially crafted input.

5.5
2023-02-22 CVE-2023-26302 Executablebooks Unspecified vulnerability in Executablebooks Markdown-It-Py

Denial of service could be caused to the command line interface of markdown-it-py, before v2.2.0, if an attacker was allowed to use invalid UTF-8 characters as input.

5.5
2023-02-22 CVE-2021-33367 Freeimage Project Out-of-bounds Read vulnerability in Freeimage Project Freeimage 3.18.0

Buffer Overflow vulnerability in Freeimage v3.18.0 allows attacker to cause a denial of service via a crafted JXR file.

5.5
2023-02-20 CVE-2022-48319 Tribe29 Information Exposure Through Log Files vulnerability in Tribe29 Checkmk 2.0.0/2.1.0

Sensitive host secret disclosed in cmk-update-agent.log file in Tribe29's Checkmk <= 2.1.0p13, Checkmk <= 2.0.0p29, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to gain access to the host secret through the unprotected agent updater log file.

5.5
2023-02-24 CVE-2023-0586 Aioseo Unspecified vulnerability in Aioseo ALL in ONE SEO

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping.

5.4
2023-02-24 CVE-2023-1006 Medical Certificate Generator APP Project Cross-site Scripting vulnerability in Medical Certificate Generator APP Project Medical Certificate Generator APP 1.0

A vulnerability was found in SourceCodester Medical Certificate Generator App 1.0.

5.4
2023-02-24 CVE-2023-22425 SS Proj Cross-site Scripting vulnerability in Ss-Proj Shirasagi

Stored cross-site scripting vulnerability in Schedule function of SHIRASAGI v1.16.2 and earlier versions allows a remote authenticated attacker to inject an arbitrary script.

5.4
2023-02-24 CVE-2023-0995 Business Management System Project Cross-site Scripting vulnerability in Business Management System Project Business Management System

Cross-site Scripting (XSS) - Stored in GitHub repository unilogies/bumsys prior to v2.0.1.

5.4
2023-02-23 CVE-2022-46786 Squaredup Cross-site Scripting vulnerability in Squaredup Dashboard Server

SquaredUp Dashboard Server SCOM edition before 5.7.1 GA allows XSS (issue 2 of 2).

5.4
2023-02-23 CVE-2023-0987 Online Pizza Ordering System Project Cross-site Scripting vulnerability in Online Pizza Ordering System Project Online Pizza Ordering System 1.0

A vulnerability classified as problematic was found in SourceCodester Online Pizza Ordering System 1.0.

5.4
2023-02-22 CVE-2023-22972 Open EMR Cross-site Scripting vulnerability in Open-Emr Openemr

A Reflected Cross-site scripting (XSS) vulnerability in interface/forms/eye_mag/php/eye_mag_functions.php in OpenEMR < 7.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the REQUEST_URI.

5.4
2023-02-22 CVE-2022-41565 Tibco Cross-site Scripting vulnerability in Tibco products

The Web Application component of TIBCO Software Inc.'s TIBCO EBX and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a stored XSS on the affected system.

5.4
2023-02-22 CVE-2022-41566 Tibco Cross-site Scripting vulnerability in Tibco EBX Add-Ons

The server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute stored XSS on the affected system.

5.4
2023-02-22 CVE-2022-41567 Tibco Cross-site Scripting vulnerability in Tibco Businessconnect

The BusinessConnect UI component of TIBCO Software Inc.'s TIBCO BusinessConnect contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a cross-site scripting (XSS) attack on the affected system.

5.4
2023-02-22 CVE-2022-43578 IBM Cross-site Scripting vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.7 and 6.1.0.0 through 6.1.2.0 is vulnerable to cross-site scripting.

5.4
2023-02-22 CVE-2023-26214 Tibco Cross-site Scripting vulnerability in Tibco Businessconnect

The BusinessConnect UI component of TIBCO Software Inc.'s TIBCO BusinessConnect contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker with network access to execute scripts targeting the affected system or the victim's local system.

5.4
2023-02-21 CVE-2023-24081 GO Redrock Cross-site Scripting vulnerability in Go-Redrock Tutortrac

Multiple stored cross-site scripting (XSS) vulnerabilities in Redrock Software TutorTrac before v4.2.170210 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the reason and location fields of the visits listing page.

5.4
2023-02-21 CVE-2023-0945 Best POS Management System Project Cross-site Scripting vulnerability in Best POS Management System Project Best POS Management System 1.0

A vulnerability, which was classified as problematic, was found in SourceCodester Best POS Management System 1.0.

5.4
2023-02-21 CVE-2023-25810 Uptime Kuma Project Cross-site Scripting vulnerability in Uptime-Kuma Project Uptime-Kuma

Uptime Kuma is a self-hosted monitoring tool.

5.4
2023-02-21 CVE-2023-25811 Uptime Kuma Project Cross-site Scripting vulnerability in Uptime-Kuma Project Uptime-Kuma

Uptime Kuma is a self-hosted monitoring tool.

5.4
2023-02-21 CVE-2023-0934 Answer Cross-site Scripting vulnerability in Answer

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.5.

5.4
2023-02-21 CVE-2023-25928 IBM Cross-site Scripting vulnerability in IBM Infosphere Information Server 11.7

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting.

5.4
2023-02-21 CVE-2020-36656 Brainstormforce Cross-site Scripting vulnerability in Brainstormforce Spectra

The Spectra WordPress plugin before 1.15.0 does not sanitize user input as it reaches its style HTML attribute, allowing contributors to conduct stored XSS attacks via the plugin's Gutenberg blocks.

5.4
2023-02-21 CVE-2022-4622 Wpbrigade Unspecified vulnerability in Wpbrigade Login Logout Menu

The Login Logout Menu WordPress plugin through 1.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2022-4666 Terakoya Unspecified vulnerability in Terakoya Markup (Json-Ld) Structured in Schema.Org

The Markup (JSON-LD) structured in schema.org WordPress plugin through 4.8.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2022-4669 Livecomposerplugin Unspecified vulnerability in Livecomposerplugin Page Builder: Live Composer

The Page Builder: Live Composer WordPress plugin before 1.5.23 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2022-4714 Wppool Unspecified vulnerability in Wppool WP Dark Mode

The WP Dark Mode WordPress plugin before 4.0.0 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack

5.4
2023-02-21 CVE-2022-4750 WP Responsive Testimonials Slider AND Widget Project Unspecified vulnerability in WP Responsive Testimonials Slider and Widget Project WP Responsive Testimonials Slider and Widget

The WP Responsive Testimonials Slider And Widget WordPress plugin through 1.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2022-4752 Opening Hours Project Unspecified vulnerability in Opening Hours Project Opening Hours

The Opening Hours WordPress plugin through 2.3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2022-4754 Easy Social BOX Project Unspecified vulnerability in Easy Social BOX Project Easy Social BOX 4.1.2

The Easy Social Box / Page Plugin WordPress plugin through 4.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2022-4761 Post Views Count Project Unspecified vulnerability in Post Views Count Project Post Views Count

The Post Views Count WordPress plugin through 3.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2022-4764 Simple File Downloader Project Unspecified vulnerability in Simple File Downloader Project Simple File Downloader

The Simple File Downloader WordPress plugin through 1.0.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2022-4777 Bootstrap Shortcodes Project Unspecified vulnerability in Bootstrap Shortcodes Project Bootstrap Shortcodes

The Bootstrap Shortcodes WordPress plugin through 3.4.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2022-4784 Presscustomizr Cross-site Scripting vulnerability in Presscustomizr Hueman Addons

The Hueman Addons WordPress plugin through 2.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2022-4785 Video Sidebar Widgets Project Unspecified vulnerability in Video Sidebar Widgets Project Video Sidebar Widgets

The Video Sidebar Widgets WordPress plugin through 6.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2022-4786 Video JS Project Unspecified vulnerability in Video.Js Project Video.Js

The Video.js WordPress plugin through 4.5.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2022-4791 Essentialplugin Unspecified vulnerability in Essentialplugin Product Slider and Carousel With Category With Woocommerce

The Product Slider and Carousel with Category for WooCommerce WordPress plugin before 2.8 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

5.4
2023-02-21 CVE-2023-0059 Kainelabs Unspecified vulnerability in Kainelabs Youzify

The Youzify WordPress plugin before 1.2.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2023-0067 Timed Content Project Cross-site Scripting vulnerability in Timed Content Project Timed Content

The Timed Content WordPress plugin before 2.73 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2023-0231 Hasthemes Unspecified vulnerability in Hasthemes Shoplentor

The ShopLentor WordPress plugin before 2.5.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2023-0271 WP Font Awesome Project Unspecified vulnerability in WP Font Awesome Project WP Font Awesome

The WP Font Awesome WordPress plugin before 1.7.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2023-0285 Devowl Unspecified vulnerability in Devowl Real Media Library

The Real Media Library WordPress plugin before 4.18.29 does not sanitise and escape the created folder names, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2023-0366 Quick Plugins Unspecified vulnerability in Quick-Plugins Loan Comparison

The Loan Comparison WordPress plugin before 1.5.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2023-0371 Embedsocial Unspecified vulnerability in Embedsocial

The EmbedSocial WordPress plugin before 1.1.28 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2023-0372 Embedsocial Unspecified vulnerability in Embedsocial Embedstories

The EmbedStories WordPress plugin before 0.7.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2023-0375 Bootstrapped Unspecified vulnerability in Bootstrapped Easy Affiliate Links

The Easy Affiliate Links WordPress plugin before 3.7.1 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2023-0378 Greenshiftwp Unspecified vulnerability in Greenshiftwp Greenshift - Animation and Page Builder Blocks

The Greenshift WordPress plugin before 5.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2023-0380 Sandhillsdev Unspecified vulnerability in Sandhillsdev Easy Digital Downloads

The Easy Digital Downloads WordPress plugin before 3.1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2023-0419 SMG Webdesign Unspecified vulnerability in Smg-Webdesign Shortcode for Font Awesome

The Shortcode for Font Awesome WordPress plugin before 1.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2023-0492 Gsplugins Unspecified vulnerability in Gsplugins GS products Slider

The GS Products Slider for WooCommerce WordPress plugin before 1.5.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-21 CVE-2023-0540 Gsplugins Unspecified vulnerability in Gsplugins GS Filterable Portfolio

The GS Filterable Portfolio WordPress plugin before 1.6.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2023-0541 Gsplugins Unspecified vulnerability in Gsplugins GS Books Showcase

The GS Books Showcase WordPress plugin before 1.3.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-02-21 CVE-2023-0559 Gsplugins Unspecified vulnerability in Gsplugins GS Portfolio for Envato

The GS Portfolio for Envato WordPress plugin before 1.4.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-02-24 CVE-2023-0595 Schneider Electric Improper Encoding or Escaping of Output vulnerability in Schneider-Electric products

A CWE-117: Improper Output Neutralization for Logs vulnerability exists that could cause the misinterpretation of log files when malicious packets are sent to the Geo SCADA server's database web port (default 443).

5.3
2023-02-24 CVE-2023-0998 Alphaware Simple E Commerce System Project Improper Access Control vulnerability in Alphaware Simple E-Commerce System Project Alphaware Simple E-Commerce System 1.0

A vulnerability classified as critical has been found in SourceCodester Alphaware Simple E-Commerce System 1.0.

5.3
2023-02-21 CVE-2023-26265 Borg Project Path Traversal vulnerability in Borg Project Borg

The Borg theme before 1.1.19 for Backdrop CMS does not sufficiently sanitize path arguments that are passed in via a URL.

5.3
2023-02-20 CVE-2022-48318 Tribe29 Missing Authorization vulnerability in Tribe29 Checkmk 2.0.0/2.1.0

No authorisation controls in the RestAPI documentation for Tribe29's Checkmk <= 2.1.0p13 and Checkmk <= 2.0.0p29 which may lead to unintended information disclosure through automatically generated user specific tags within Rest API documentation.

5.3
2023-02-24 CVE-2022-4203 Openssl Out-of-bounds Read vulnerability in Openssl

A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.

4.9
2023-02-24 CVE-2023-0585 Aioseo Unspecified vulnerability in Aioseo ALL in ONE SEO

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping.

4.8
2023-02-24 CVE-2023-22427 SS Proj Cross-site Scripting vulnerability in Ss-Proj Shirasagi

Stored cross-site scripting vulnerability in Theme switching function of SHIRASAGI v1.16.2 and earlier versions allows a remote attacker with an administrative privilege to inject an arbitrary script.

4.8
2023-02-22 CVE-2023-0949 Modoboa Cross-site Scripting vulnerability in Modoboa 2.0.4

Cross-site Scripting (XSS) - Reflected in GitHub repository modoboa/modoboa prior to 2.0.5.

4.8
2023-02-21 CVE-2023-0429 Kibokolabs Unspecified vulnerability in Kibokolabs Watu Quiz

The Watu Quiz WordPress plugin before 3.3.8.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-02-25 CVE-2023-26545 Linux
Netapp
Double Free vulnerability in multiple products

In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.

4.7
2023-02-23 CVE-2023-20012 Cisco Improper Authentication vulnerability in Cisco products

A vulnerability in the CLI console login authentication of Cisco Nexus 9300-FX3 Series Fabric Extender (FEX) when used in UCS Fabric Interconnect deployments could allow an unauthenticated attacker with physical access to bypass authentication.

4.6
2023-02-26 CVE-2023-1043 Muyucms Path Traversal vulnerability in Muyucms 2.2

A vulnerability was found in MuYuCMS 2.2.

4.3
2023-02-24 CVE-2023-1029 Joomunited Cross-Site Request Forgery (CSRF) vulnerability in Joomunited WP Meta SEO

The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3.

4.3
2023-02-23 CVE-2023-22476 Mantisbt Unspecified vulnerability in Mantisbt

Mantis Bug Tracker (MantisBT) is an open source issue tracker.

4.3
2023-02-21 CVE-2022-4385 Intuitive Custom Post Order Project Unspecified vulnerability in Intuitive Custom Post Order Project Intuitive Custom Post Order

The Intuitive Custom Post Order WordPress plugin before 3.1.4 does not check for authorization in the update-menu-order ajax action, allowing any logged in user (with roles as low as Subscriber) to update the menu order

4.3
2023-02-21 CVE-2022-4386 Intuitive Custom Post Order Project Unspecified vulnerability in Intuitive Custom Post Order Project Intuitive Custom Post Order

The Intuitive Custom Post Order WordPress plugin before 3.1.4 lacks CSRF protection in its update-menu-order ajax action, allowing an attacker to trick any user to change the menu order via a CSRF attack

4.3
2023-02-21 CVE-2023-0453 Apusthemes Unspecified vulnerability in Apusthemes WP Private Messaging

The WP Private Message WordPress plugin (bundled with the Superio theme as a required plugin) before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests.

4.3
2023-02-20 CVE-2022-48320 Tribe29 Cross-Site Request Forgery (CSRF) vulnerability in Tribe29 Checkmk 2.0.0/2.1.0

Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages.

4.3
2023-02-23 CVE-2023-23920 Nodejs
Debian
Untrusted Search Path vulnerability in multiple products

An untrusted search path vulnerability exists in Node.js.

4.2

3 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-02-24 CVE-2023-0481 Quarkus Exposure of Resource to Wrong Sphere vulnerability in Quarkus

In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user.

3.3
2023-02-23 CVE-2022-3219 Gnupg Out-of-bounds Write vulnerability in Gnupg

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

3.3
2023-02-20 CVE-2022-48321 Tribe29 Server-Side Request Forgery (SSRF) vulnerability in Tribe29 Checkmk 2.1.0

Limited Server-Side Request Forgery (SSRF) in agent-receiver in Tribe29's Checkmk <= 2.1.0p11 allows an attacker to communicate with local network restricted endpoints by use of the host registration API.

3.3