Weekly Vulnerabilities Reports > March 20 to 26, 2023
Overview
397 new vulnerabilities reported during this period, including 59 critical vulnerabilities and 133 high severity vulnerabilities. This weekly summary report vulnerabilities in 271 products from 179 vendors including Google, Adobe, Fedoraproject, Cisco, and IBM. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Read", "Open Redirect", and "Out-of-bounds Write".
- 296 reported vulnerabilities are remotely exploitables.
- 159 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 201 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 46 reported vulnerabilities.
- Totolink has the most reported critical vulnerabilities, with 6 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
59 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-03-25 | CVE-2023-1458 | UI | Command Injection vulnerability in UI Edgerouter X Firmware 2.0.9 A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. | 9.8 |
2023-03-25 | CVE-2023-1456 | UI | Command Injection vulnerability in UI Edgerouter X Firmware 2.0.9 A vulnerability, which was classified as critical, has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6. | 9.8 |
2023-03-25 | CVE-2023-1457 | UI | Command Injection vulnerability in UI Edgerouter X Firmware 2.0.9 A vulnerability, which was classified as critical, was found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6. | 9.8 |
2023-03-25 | CVE-2023-1634 | Otcms | Server-Side Request Forgery (SSRF) vulnerability in Otcms 6.72 A vulnerability was found in OTCMS 6.72. | 9.8 |
2023-03-25 | CVE-2015-10097 | Grinnellplans | SQL Injection vulnerability in Grinnellplans 2.7/3.0 A vulnerability was found in grinnellplans-php up to 3.0. | 9.8 |
2023-03-25 | CVE-2023-25664 | Heap-based Buffer Overflow vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 9.8 | |
2023-03-24 | CVE-2022-45597 | Componentspace | Improper Certificate Validation vulnerability in Componentspace Saml 4.4.0 ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation. | 9.8 |
2023-03-24 | CVE-2023-1177 | Lfprojects | Path Traversal: '..filename' vulnerability in Lfprojects Mlflow Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1. | 9.8 |
2023-03-24 | CVE-2022-28495 | Totolink | OS Command Injection vulnerability in Totolink Cp900 Firmware 6.3C.566B20171026 TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. | 9.8 |
2023-03-24 | CVE-2022-42948 | Helpsystems | Improper Encoding or Escaping of Output vulnerability in Helpsystems Cobalt Strike 4.7.1 Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. | 9.8 |
2023-03-23 | CVE-2023-1612 | Ruifang Tech | SQL Injection vulnerability in Ruifang-Tech Rebuild A vulnerability, which was classified as critical, was found in Rebuild up to 3.2.3. | 9.8 |
2023-03-23 | CVE-2023-28333 | Moodle Fedoraproject | Code Injection vulnerability in multiple products The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS). | 9.8 |
2023-03-23 | CVE-2023-1608 | Crmeb | SQL Injection vulnerability in Crmeb Java 1.3.4 A vulnerability was found in Zhong Bang CRMEB Java up to 1.3.4. | 9.8 |
2023-03-23 | CVE-2023-1610 | Ruifang Tech | SQL Injection vulnerability in Ruifang-Tech Rebuild A vulnerability, which was classified as critical, has been found in Rebuild up to 3.2.3. | 9.8 |
2023-03-23 | CVE-2023-26359 | Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. | 9.8 | |
2023-03-23 | CVE-2023-1606 | Xxyopen | SQL Injection vulnerability in Xxyopen Novel-Plus 3.6.2 A vulnerability was found in novel-plus 3.6.2 and classified as critical. | 9.8 |
2023-03-23 | CVE-2023-28610 | The update process in OMICRON StationGuard and OMICRON StationScout before 2.21 can be exploited by providing a modified firmware update image. | 9.8 | |
2023-03-23 | CVE-2022-28491 | Totolink | OS Command Injection vulnerability in Totolink Cp900 Firmware 6.3C.566B20171026 TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 contains a command injection vulnerability in the NTPSyncWithHost function via the host_name parameter. | 9.8 |
2023-03-23 | CVE-2022-28493 | Totolink | Unspecified vulnerability in Totolink Cp900 Firmware 6.3C.566 A vulnerability in TOTOLINK CP900 V6.3c.566 allows attackers to start the Telnet service, | 9.8 |
2023-03-23 | CVE-2023-27078 | TP Link | Command Injection vulnerability in Tp-Link Tl-Mr3020 Firmware 1.0 A command injection issue was found in TP-Link MR3020 v.1_150921 that allows a remote attacker to execute arbitrary commands via a crafted request to the tftp endpoint. | 9.8 |
2023-03-23 | CVE-2023-27135 | Totolink | Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024 TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the enabled parameter at /setting/setWanIeCfg. | 9.8 |
2023-03-23 | CVE-2022-28492 | Totolink | Unspecified vulnerability in Totolink Cp900 Firmware 6.3C.566 TOTOLINK Technology CPE with firmware V6.3c.566 ,allows remote attackers to bypass Login. | 9.8 |
2023-03-23 | CVE-2023-1592 | Automatic Question Paper Generator System Project | SQL Injection vulnerability in Automatic Question Paper Generator System Project Automatic Question Paper Generator System 1.0 A vulnerability classified as critical was found in SourceCodester Automatic Question Paper Generator System 1.0. | 9.8 |
2023-03-23 | CVE-2023-1594 | Xxyopen | SQL Injection vulnerability in Xxyopen Novel-Plus 3.6.2 A vulnerability, which was classified as critical, was found in novel-plus 3.6.2. | 9.8 |
2023-03-23 | CVE-2023-1591 | Automatic Question Paper Generator System Project | SQL Injection vulnerability in Automatic Question Paper Generator System Project Automatic Question Paper Generator System 1.0 A vulnerability classified as critical has been found in SourceCodester Automatic Question Paper Generator System 1.0. | 9.8 |
2023-03-23 | CVE-2023-1589 | Online Tours Travels Management System Project | SQL Injection vulnerability in Online Tours & Travels Management System Project Online Tours & Travels Management System 1.0 A vulnerability has been found in SourceCodester Online Tours & Travels Management System 1.0 and classified as critical. | 9.8 |
2023-03-23 | CVE-2023-1590 | Online Tours Travels Management System Project | SQL Injection vulnerability in Online Tours & Travels Management System Project Online Tours & Travels Management System 1.0 A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0 and classified as critical. | 9.8 |
2023-03-23 | CVE-2023-1050 | Askoc | SQL Injection vulnerability in Askoc web Report System Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in As Koc Energy Web Report System allows SQL Injection.This issue affects Web Report System: before 23.03.10. | 9.8 |
2023-03-23 | CVE-2022-22512 | Varta | Use of Hard-coded Credentials vulnerability in Varta products Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network. | 9.8 |
2023-03-23 | CVE-2023-26496 | Samsung | Out-of-bounds Write vulnerability in Samsung products An issue was discovered in Samsung Baseband Modem Chipset for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5124. | 9.8 |
2023-03-23 | CVE-2022-28494 | Totolink | OS Command Injection vulnerability in Totolink Cp900 Firmware 6.3C.566B20171026 TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the setUpgradeFW function via the filename parameter. | 9.8 |
2023-03-23 | CVE-2023-26498 | Samsung | Out-of-bounds Write vulnerability in Samsung products An issue was discovered in Samsung Baseband Modem Chipset for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos Auto T5126. | 9.8 |
2023-03-22 | CVE-2023-27224 | Jc21 | Command Injection vulnerability in Jc21 Nginx Proxy Manager 2.9.19 An issue found in NginxProxyManager v.2.9.19 allows an attacker to execute arbitrary code via a lua script to the configuration file. | 9.8 |
2023-03-22 | CVE-2023-1571 | Datagear | SQL Injection vulnerability in Datagear A vulnerability, which was classified as critical, was found in DataGear up to 4.5.0. | 9.8 |
2023-03-22 | CVE-2023-1566 | Medical Certificate Generator APP Project | SQL Injection vulnerability in Medical Certificate Generator APP Project Medical Certificate Generator APP 1.0 A vulnerability was found in SourceCodester Medical Certificate Generator App 1.0. | 9.8 |
2023-03-22 | CVE-2023-1563 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Student Study Center Desk Management System 1.0 A vulnerability has been found in SourceCodester Student Study Center Desk Management System 1.0 and classified as critical. | 9.8 |
2023-03-22 | CVE-2023-1564 | AIR Cargo Management System Project | SQL Injection vulnerability in AIR Cargo Management System Project AIR Cargo Management System 1.0 A vulnerability was found in SourceCodester Air Cargo Management System 1.0 and classified as critical. | 9.8 |
2023-03-22 | CVE-2023-27637 | Tshirtecommerce | SQL Injection vulnerability in Tshirtecommerce Custom Product Designer 2.1.4 An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. | 9.8 |
2023-03-22 | CVE-2023-27638 | Tshirtecommerce | SQL Injection vulnerability in Tshirtecommerce Custom Product Designer 2.1.4 An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. | 9.8 |
2023-03-22 | CVE-2023-1561 | Fabianros | Unrestricted Upload of File with Dangerous Type vulnerability in Fabianros Simple Online Hotel Reservation System 1.0 A vulnerability, which was classified as critical, was found in code-projects Simple Online Hotel Reservation System 1.0. | 9.8 |
2023-03-22 | CVE-2023-1556 | Judging Management System Project | SQL Injection vulnerability in Judging Management System Project Judging Management System 1.0 A vulnerability was found in SourceCodester Judging Management System 1.0. | 9.8 |
2023-03-22 | CVE-2023-1557 | E Commerce System Project | Improper Access Control vulnerability in E-Commerce System Project E-Commerce System 1.0 A vulnerability was found in SourceCodester E-Commerce System 1.0. | 9.8 |
2023-03-22 | CVE-2023-1558 | Simple AND Beautiful Shopping Cart System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Simple and Beautiful Shopping Cart System Project Simple and Beautiful Shopping Cart System 1.0 A vulnerability classified as critical has been found in Simple and Beautiful Shopping Cart System 1.0. | 9.8 |
2023-03-22 | CVE-2023-25589 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. | 9.8 |
2023-03-22 | CVE-2023-27855 | Rockwellautomation | Path Traversal vulnerability in Rockwellautomation Thinmanager In affected versions, a path traversal exists when processing a message in Rockwell Automation's ThinManager ThinServer. | 9.8 |
2023-03-21 | CVE-2023-26497 | Samsung | Out-of-bounds Write vulnerability in Samsung products An issue was discovered in Samsung Baseband Modem Chipset for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5125. | 9.8 |
2023-03-21 | CVE-2023-1529 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Out of bounds memory access in WebHID in Google Chrome prior to 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption via a malicious HID device. | 9.8 |
2023-03-21 | CVE-2018-25082 | Wechat SDK Python Project | XXE vulnerability in Wechat SDK Python Project Wechat SDK Python A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. | 9.8 |
2023-03-21 | CVE-2023-25684 | IBM | SQL Injection vulnerability in IBM Security KEY Lifecycle Manager IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 is vulnerable to SQL injection. | 9.8 |
2023-03-21 | CVE-2023-27569 | Prestashop | SQL Injection vulnerability in Prestashop EO Tags The eo_tags package before 1.3.0 for PrestaShop allows SQL injection via an HTTP User-Agent or Referer header. | 9.8 |
2023-03-21 | CVE-2023-27570 | Prestashop | SQL Injection vulnerability in Prestashop EO Tags The eo_tags package before 1.4.19 for PrestaShop allows SQL injection via a crafted _ga cookie. | 9.8 |
2023-03-21 | CVE-2023-1153 | Pacsrapor | SQL Injection vulnerability in Pacsrapor Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pacsrapor allows SQL Injection, Command Line Execution through SQL Injection.This issue affects Pacsrapor: before 1.22. | 9.8 |
2023-03-21 | CVE-2023-1537 | Answer | Authentication Bypass by Capture-replay vulnerability in Answer Authentication Bypass by Capture-replay in GitHub repository answerdev/answer prior to 1.0.6. | 9.8 |
2023-03-21 | CVE-2012-10009 | 404Like Project | SQL Injection vulnerability in 404Like Project 404Like 1.0 A vulnerability was found in 404like Plugin up to 1.0.2 on WordPress. | 9.8 |
2023-03-20 | CVE-2022-43663 | Wellintech | Incorrect Conversion between Numeric Types vulnerability in Wellintech Kinghistorian 35.01.00.05 An integer conversion vulnerability exists in the SORBAx64.dll RecvPacket functionality of WellinTech KingHistorian 35.01.00.05. | 9.8 |
2023-03-20 | CVE-2023-28424 | Gentoo | SQL Injection vulnerability in Gentoo Soko Soko if the code that powers packages.gentoo.org. | 9.8 |
2023-03-20 | CVE-2022-4933 | ATM Consulting | SQL Injection vulnerability in Atm-Consulting Dolibarr Module Quicksupplierprice A vulnerability, which was classified as critical, has been found in ATM Consulting dolibarr_module_quicksupplierprice up to 1.1.6. | 9.8 |
2023-03-23 | CVE-2023-26114 | Coder | Origin Validation Error vulnerability in Coder Code-Server Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. | 9.3 |
2023-03-22 | CVE-2023-28725 | Generalbytes | Unrestricted Upload of File with Dangerous Type vulnerability in Generalbytes Crypto Application Server 20230120 General Bytes Crypto Application Server (CAS) 20230120, as distributed with General Bytes BATM devices, allows remote attackers to execute arbitrary Java code by uploading a Java application to the /batm/app/admin/standalone/deployments directory, aka BATM-4780, as exploited in the wild in March 2023. | 9.1 |
133 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-03-24 | CVE-2023-28446 | Deno | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Deno Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. | 8.8 |
2023-03-23 | CVE-2023-24788 | Notrinos | SQL Injection vulnerability in Notrinos Notrinoserp 0.7 NotrinosERP v0.7 was discovered to contain a SQL injection vulnerability via the OrderNumber parameter at /NotrinosERP/sales/customer_delivery.php. | 8.8 |
2023-03-23 | CVE-2023-28329 | Moodle | SQL Injection vulnerability in Moodle Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers). | 8.8 |
2023-03-23 | CVE-2023-28335 | Moodle | Cross-Site Request Forgery (CSRF) vulnerability in Moodle 4.1.0/4.1.1 The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk. | 8.8 |
2023-03-23 | CVE-2023-1607 | Xxyopen | SQL Injection vulnerability in Xxyopen Novel-Plus 3.6.2 A vulnerability was found in novel-plus 3.6.2. | 8.8 |
2023-03-23 | CVE-2023-20055 | Cisco | Unspecified vulnerability in Cisco DNA Center A vulnerability in the management API of Cisco DNA Center could allow an authenticated, remote attacker to elevate privileges in the context of the web-based management interface on an affected device. | 8.8 |
2023-03-23 | CVE-2023-27094 | Opengoofy | Unspecified vulnerability in Opengoofy Hippo4J 1.4.3 An issue found in OpenGoofy Hippo4j v.1.4.3 allows attackers to escalate privileges via the ThreadPoolController of the tenant Management module. | 8.8 |
2023-03-23 | CVE-2022-4224 | Codesys | Insecure Default Initialization of Resource vulnerability in Codesys products In multiple products of CODESYS v3 in multiple versions a remote low privileged user could utilize this vulnerability to read and modify system files and OS resources or DoS the device. | 8.8 |
2023-03-23 | CVE-2018-25048 | The CODESYS runtime system in multiple versions allows an remote low privileged attacker to use a path traversal vulnerability to access and modify all system files as well as DoS the device. | 8.8 | |
2023-03-22 | CVE-2023-28434 | Minio | Unspecified vulnerability in Minio Minio is a Multi-Cloud Object Storage framework. | 8.8 |
2023-03-22 | CVE-2023-1578 | Pimcore | SQL Injection vulnerability in Pimcore SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19. | 8.8 |
2023-03-22 | CVE-2023-1168 | HPE | Unspecified vulnerability in HPE Arubaos-Cx An authenticated remote code execution vulnerability exists in the AOS-CX Network Analytics Engine. | 8.8 |
2023-03-22 | CVE-2023-25069 | Trendmicro | Unspecified vulnerability in Trendmicro Txone Stellarone TXOne StellarOne has an improper access control privilege escalation vulnerability in every version before V2.0.1160 that could allow a malicious, falsely authenticated user to escalate his privileges to administrator level. | 8.8 |
2023-03-22 | CVE-2023-25594 | Arubanetworks | Incorrect Authorization vulnerability in Arubanetworks Clearpass Policy Manager A vulnerability in the web-based management interface of ClearPass Policy Manager allows an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. | 8.8 |
2023-03-22 | CVE-2023-25924 | IBM | Incorrect Authorization vulnerability in IBM Security KEY Lifecycle Manager IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an authenticated user to perform actions that they should not have access to due to improper authorization. | 8.8 |
2023-03-21 | CVE-2023-1528 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Passwords in Google Chrome prior to 111.0.5563.110 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-03-21 | CVE-2023-1530 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in PDF in Google Chrome prior to 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-03-21 | CVE-2023-1531 | Google Fedoraproject Chromium | Use After Free vulnerability in multiple products Use after free in ANGLE in Google Chrome prior to 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-03-21 | CVE-2023-1532 | Google Fedoraproject | Out-of-bounds Read vulnerability in multiple products Out of bounds read in GPU Video in Google Chrome prior to 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-03-21 | CVE-2023-1533 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in WebProtect in Google Chrome prior to 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-03-21 | CVE-2023-1534 | Google Fedoraproject | Out-of-bounds Read vulnerability in multiple products Out of bounds read in ANGLE in Google Chrome prior to 111.0.5563.110 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-03-21 | CVE-2022-37337 | Netgear | OS Command Injection vulnerability in Netgear Rbs750 Firmware 4.6.8.5 A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. | 8.8 |
2023-03-21 | CVE-2022-38452 | Netgear | Unspecified vulnerability in Netgear Rbs750 Firmware 4.6.8.5 A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. | 8.8 |
2023-03-21 | CVE-2023-1304 | Rapid7 | Code Injection vulnerability in Rapid7 Insightappsec and Insightcloudsec An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. | 8.8 |
2023-03-21 | CVE-2023-1306 | Rapid7 | Code Injection vulnerability in Rapid7 Insightappsec and Insightcloudsec An authenticated attacker can leverage an exposed resource.db() accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. | 8.8 |
2023-03-21 | CVE-2023-27842 | Extplorer | Unspecified vulnerability in Extplorer 2.1.15 Insecure Permissions vulnerability found in Extplorer File manager eXtplorer v.2.1.15 allows a remote attacker to execute arbitrary code via the index.php compenent | 8.8 |
2023-03-21 | CVE-2023-27874 | IBM | XXE vulnerability in IBM Aspera Faspex 4.4.1/4.4.2 IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. | 8.8 |
2023-03-21 | CVE-2023-27984 | Schneider Electric | Improper Input Validation vulnerability in Schneider-Electric Custom Reports, Igss Dashboard and Igss Data Server A CWE-20: Improper Input Validation vulnerability exists in Custom Reports that could cause a macro to be executed, potentially leading to remote code execution when a user opens a malicious report file planted by an attacker. | 8.8 |
2023-03-21 | CVE-2023-27981 | Schneider Electric | Path Traversal vulnerability in Schneider-Electric Custom Reports, Igss Dashboard and Igss Data Server A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists in Custom Reports that could cause a remote code execution when a victim tries to open a malicious report. | 8.8 |
2023-03-21 | CVE-2023-1462 | Vadi | Authorization Bypass Through User-Controlled Key vulnerability in Vadi Digikent Authorization Bypass Through User-Controlled Key vulnerability in Vadi Corporate Information Systems DigiKent allows Authentication Bypass, Authentication Abuse. This issue affects DigiKent: before 23.03.20. | 8.8 |
2023-03-21 | CVE-2023-27982 | Schneider Electric | Insufficient Verification of Data Authenticity vulnerability in Schneider-Electric Custom Reports, Igss Dashboard and Igss Data Server A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead to remote code execution when a victim eventually opens a malicious dashboard file. | 8.8 |
2023-03-21 | CVE-2023-27980 | Schneider Electric | Missing Authentication for Critical Function vulnerability in Schneider-Electric Custom Reports, Igss Dashboard and Igss Data Server A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Data Server TCP interface that could allow the creation of a malicious report file in the IGSS project report directory, this could lead to remote code execution when a victim eventually opens the report. | 8.8 |
2023-03-21 | CVE-2023-1543 | Answer | Insufficient Session Expiration vulnerability in Answer Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6. | 8.8 |
2023-03-20 | CVE-2023-0340 | Custom Content Shortcode Project | Unspecified vulnerability in Custom Content Shortcode Project Custom Content Shortcode The Custom Content Shortcode WordPress plugin through 4.0.2 does not validate one of its shortcode attribute, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. | 8.8 |
2023-03-20 | CVE-2023-0630 | WP Slimstat | Unspecified vulnerability in Wp-Slimstat Slimstat Analytics The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query. | 8.8 |
2023-03-20 | CVE-2023-0631 | Strangerstudios | Unspecified vulnerability in Strangerstudios Paid Memberships PRO The Paid Memberships Pro WordPress plugin before 2.9.12 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query. | 8.8 |
2023-03-20 | CVE-2023-0865 | Woocommerce Multiple Customer Addresses Shipping Project | Unspecified vulnerability in Woocommerce multiple Customer Addresses & Shipping Project Woocommerce multiple Customer Addresses & Shipping The WooCommerce Multiple Customer Addresses & Shipping WordPress plugin before 21.7 does not ensure that the address to add/update/retrieve/delete and duplicate belong to the user making the request, or is from a high privilege users, allowing any authenticated users, such as subscriber to add/update/duplicate/delete as well as retrieve addresses of other users. | 8.8 |
2023-03-20 | CVE-2023-0875 | Joomunited | Unspecified vulnerability in Joomunited WP Meta SEO The WP Meta SEO WordPress plugin before 4.5.3 does not properly sanitize and escape inputs into SQL queries, leading to a blind SQL Injection vulnerability that can be exploited by subscriber+ users. | 8.8 |
2023-03-20 | CVE-2023-0940 | Metagauss | Incorrect Authorization vulnerability in Metagauss Profilegrid The ProfileGrid WordPress plugin before 5.3.1 provides an AJAX endpoint for resetting a user password but does not implement proper authorization. | 8.8 |
2023-03-20 | CVE-2023-22678 | Superior FAQ Project | Cross-Site Request Forgery (CSRF) vulnerability in Superior FAQ Project Superior FAQ Cross-Site Request Forgery (CSRF) vulnerability in Rafael Dery Superior FAQ plugin <= 1.0.2 versions. | 8.8 |
2023-03-20 | CVE-2023-23721 | Admin LOG Project | Cross-Site Request Forgery (CSRF) vulnerability in Admin LOG Project Admin LOG Cross-Site Request Forgery (CSRF) vulnerability in David Gwyer Admin Log plugin <= 1.50 versions. | 8.8 |
2023-03-23 | CVE-2023-26360 | Adobe | Unspecified vulnerability in Adobe Coldfusion 2018/2021 Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. | 8.6 |
2023-03-23 | CVE-2023-20027 | Cisco | Unspecified vulnerability in Cisco IOS XE A vulnerability in the implementation of the IPv4 Virtual Fragmentation Reassembly (VFR) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 8.6 |
2023-03-23 | CVE-2023-20072 | Cisco | Unspecified vulnerability in Cisco IOS XE 17.9.1/17.9.1A/17.9.1W A vulnerability in the fragmentation handling code of tunnel protocol packets in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected system to reload, resulting in a denial of service (DoS) condition. | 8.6 |
2023-03-21 | CVE-2022-42333 | XEN Debian Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. | 8.6 |
2023-03-23 | CVE-2023-20113 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Sd-Wan A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. | 8.1 |
2023-03-21 | CVE-2023-0391 | MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. | 8.1 | |
2023-03-21 | CVE-2022-45636 | Megafeis | Missing Authorization vulnerability in Megafeis Bofei Dbd+ 1.4.3/1.4.4 An issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & Android v1.4.4 allows attacker to unlock model(s) without authorization via arbitrary API requests. | 8.1 |
2023-03-21 | CVE-2023-1305 | Rapid7 | Unspecified vulnerability in Rapid7 Insightappsec and Insightcloudsec An authenticated attacker can leverage an exposed “box” object to read and write arbitrary files from disk, provided those files can be parsed as yaml or JSON. | 8.1 |
2023-03-20 | CVE-2023-1506 | E Commerce System Project | SQL Injection vulnerability in E-Commerce System Project E-Commerce System 1.0 A vulnerability, which was classified as critical, was found in SourceCodester E-Commerce System 1.0. | 8.1 |
2023-03-20 | CVE-2023-1502 | Alphaware Simple E Commerce System Project | SQL Injection vulnerability in Alphaware - Simple E-Commerce System Project Alphaware - Simple E-Commerce System 1.0 A vulnerability was found in SourceCodester Alphaware Simple E-Commerce System 1.0. | 8.1 |
2023-03-20 | CVE-2023-1503 | Alphaware Simple E Commerce System Project | SQL Injection vulnerability in Alphaware - Simple E-Commerce System Project Alphaware - Simple E-Commerce System 1.0 A vulnerability classified as critical has been found in SourceCodester Alphaware Simple E-Commerce System 1.0. | 8.1 |
2023-03-20 | CVE-2023-1504 | Alphaware Simple E Commerce System Project | SQL Injection vulnerability in Alphaware - Simple E-Commerce System Project Alphaware - Simple E-Commerce System 1.0 A vulnerability classified as critical was found in SourceCodester Alphaware Simple E-Commerce System 1.0. | 8.1 |
2023-03-20 | CVE-2023-1505 | E Commerce System Project | SQL Injection vulnerability in E-Commerce System Project E-Commerce System 1.0 A vulnerability, which was classified as critical, has been found in SourceCodester E-Commerce System 1.0. | 8.1 |
2023-03-20 | CVE-2015-10096 | IRC Twitter Announcer BOT Project | Command Injection vulnerability in IRC Twitter Announcer BOT Project IRC Twitter Announcer BOT 1.0.0 A vulnerability, which was classified as critical, was found in Zarthus IRC Twitter Announcer Bot up to 1.1.0. | 8.1 |
2023-03-23 | CVE-2023-28436 | Tailscale | Improper Privilege Management vulnerability in Tailscale Tailscale is software for using Wireguard and multi-factor authentication (MFA). | 8.0 |
2023-03-22 | CVE-2023-28438 | Pimcore | SQL Injection vulnerability in Pimcore Pimcore is an open source data and experience management platform. | 8.0 |
2023-03-26 | CVE-2023-1646 | Iobit | Out-of-bounds Write vulnerability in Iobit Malware Fighter 9.4.0.776 A vulnerability was found in IObit Malware Fighter 9.4.0.776. | 7.8 |
2023-03-25 | CVE-2023-1626 | Jiangmin | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Jiangmin Antivirus 16.2.2022.418 A vulnerability was found in Jianming Antivirus 16.2.2022.418. | 7.8 |
2023-03-25 | CVE-2023-1629 | Jiangmin | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Jiangmin Antivirus 16.2.2022.418 A vulnerability classified as critical was found in JiangMin Antivirus 16.2.2022.418. | 7.8 |
2023-03-24 | CVE-2022-20542 | Improper Input Validation vulnerability in Google Android 13.0 In parseParamsBlob of types.cpp, there is a possible out of bounds write due to a missing bounds check. | 7.8 | |
2023-03-24 | CVE-2023-20971 | Unspecified vulnerability in Google Android 13.0 In removePermission of PermissionManagerServiceImpl.java, there is a possible way to obtain dangerous permissions without user consent due to a logic error in the code. | 7.8 | |
2023-03-24 | CVE-2023-20975 | Unspecified vulnerability in Google Android 13.0 In getAvailabilityStatus of EnableContentCapturePreferenceController.java, there is a possible way to bypass DISALLOW_CONTENT_CAPTURE due to a permissions bypass. | 7.8 | |
2023-03-24 | CVE-2023-20985 | Out-of-bounds Write vulnerability in Google Android 13.0 In BTA_GATTS_HandleValueIndication of bta_gatts_api.cc, there is a possible out of bounds write due to improper input validation. | 7.8 | |
2023-03-24 | CVE-2023-20993 | Improper Handling of Exceptional Conditions vulnerability in Google Android 13.0 In multiple functions of SnoozeHelper.java, there is a possible failure to persist settings due to an uncaught exception. | 7.8 | |
2023-03-24 | CVE-2022-38745 | Apache | Insecure Default Initialization of Resource vulnerability in Apache Openoffice Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. | 7.8 |
2023-03-24 | CVE-2022-47502 | Apache | Argument Injection or Modification vulnerability in Apache Openoffice Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. | 7.8 |
2023-03-23 | CVE-2023-1252 | Linux | Use After Free vulnerability in Linux Kernel A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. | 7.8 |
2023-03-23 | CVE-2023-20029 | Cisco | Unspecified vulnerability in Cisco IOS XE 17.7.1/17.8.1 A vulnerability in the Meraki onboarding feature of Cisco IOS XE Software could allow an authenticated, local attacker to gain root level privileges on an affected device. | 7.8 |
2023-03-23 | CVE-2023-20035 | Cisco | Unspecified vulnerability in Cisco IOS XE Sd-Wan A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges. | 7.8 |
2023-03-23 | CVE-2023-20065 | Cisco | Unspecified vulnerability in Cisco IOS XE 17.11.1/17.6.3 A vulnerability in the Cisco IOx application hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device. | 7.8 |
2023-03-23 | CVE-2023-28759 | An issue was discovered in Veritas NetBackup before 10.0. | 7.8 | |
2023-03-22 | CVE-2023-0386 | Linux | Unspecified vulnerability in Linux Kernel A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. | 7.8 |
2023-03-22 | CVE-2023-25859 | Adobe | Improper Input Validation vulnerability in Adobe Illustrator Illustrator version 26.5.2 (and earlier) and 27.2.0 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. | 7.8 |
2023-03-22 | CVE-2023-25860 | Adobe | Out-of-bounds Write vulnerability in Adobe Illustrator Illustrator version 26.5.2 (and earlier) and 27.2.0 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. | 7.8 |
2023-03-22 | CVE-2023-25861 | Adobe | Out-of-bounds Write vulnerability in Adobe Illustrator Illustrator version 26.5.2 (and earlier) and 27.2.0 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. | 7.8 |
2023-03-22 | CVE-2023-26358 | Adobe | Untrusted Search Path vulnerability in Adobe Creative Cloud Creative Cloud version 5.9.1 (and earlier) is affected by an Untrusted Search Path vulnerability that might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. | 7.8 |
2023-03-22 | CVE-2023-26426 | Adobe | Use After Free vulnerability in Adobe Illustrator Illustrator version 26.5.2 (and earlier) and 27.2.0 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. | 7.8 |
2023-03-22 | CVE-2022-4095 | Linux | Use After Free vulnerability in Linux Kernel A use-after-free flaw was found in Linux kernel before 5.19.2. | 7.8 |
2023-03-22 | CVE-2023-1281 | Linux | Use After Free vulnerability in Linux Kernel Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. | 7.8 |
2023-03-22 | CVE-2023-25590 | Arubanetworks | Improper Privilege Management vulnerability in Arubanetworks Clearpass Policy Manager A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges to those of a higher role. | 7.8 |
2023-03-21 | CVE-2022-42332 | XEN Debian Fedoraproject | Use After Free vulnerability in multiple products x86 shadow plus log-dirty mode use-after-free In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. | 7.8 |
2023-03-21 | CVE-2023-1314 | Cloudflare | Link Following vulnerability in Cloudflare Cloudflared A vulnerability has been discovered in cloudflared's installer (<= 2023.3.0) for Windows 32-bits devices that allows a local attacker with no administrative permissions to escalate their privileges on the affected device. | 7.8 |
2023-03-21 | CVE-2023-27978 | Schneider Electric | Deserialization of Untrusted Data vulnerability in Schneider-Electric Custom Reports, Igss Dashboard and Igss Data Server A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file. | 7.8 |
2023-03-20 | CVE-2023-1250 | Otrs | Code Injection vulnerability in Otrs Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. | 7.8 |
2023-03-25 | CVE-2023-25658 | Out-of-bounds Read vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 | |
2023-03-25 | CVE-2023-25659 | Out-of-bounds Read vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 | |
2023-03-25 | CVE-2023-25660 | NULL Pointer Dereference vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 | |
2023-03-25 | CVE-2023-25662 | Integer Overflow or Wraparound vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 | |
2023-03-25 | CVE-2023-25667 | Integer Overflow or Wraparound vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 | |
2023-03-25 | CVE-2023-25669 | Incorrect Comparison vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 | |
2023-03-25 | CVE-2023-25670 | NULL Pointer Dereference vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 | |
2023-03-25 | CVE-2023-25671 | Out-of-bounds Write vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 | |
2023-03-25 | CVE-2023-25672 | NULL Pointer Dereference vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 | |
2023-03-25 | CVE-2023-25673 | Incorrect Comparison vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 | |
2023-03-25 | CVE-2023-27579 | Incorrect Comparison vulnerability in Google Tensorflow TensorFlow is an end-to-end open source platform for machine learning. | 7.5 | |
2023-03-24 | CVE-2023-21027 | Unspecified vulnerability in Google Android 13.0 In multiple functions of PasspointXmlUtils.java, there is a possible authentication misconfiguration due to a logic error in the code. | 7.5 | |
2023-03-24 | CVE-2023-28444 | Angular Server Side Configuration Project | Information Exposure vulnerability in Angular-Server-Side-Configuration Project Angular-Server-Side-Configuration 15.0.0/15.0.1/15.0.2 angular-server-side-configuration helps configure an angular application at runtime on the server or in a docker container via environment variables. | 7.5 |
2023-03-24 | CVE-2023-28448 | Versionize Project | Out-of-bounds Read vulnerability in Versionize Project Versionize Versionize is a framework for version tolerant serializion/deserialization of Rust data structures, designed for usecases that need fast deserialization times and minimal size overhead. | 7.5 |
2023-03-23 | CVE-2023-1605 | Radare | Resource Exhaustion vulnerability in Radare Radare2 Denial of Service in GitHub repository radareorg/radare2 prior to 5.8.6. | 7.5 |
2023-03-23 | CVE-2023-20080 | Cisco | Improper Validation of Array Index vulnerability in Cisco IOS and IOS XE A vulnerability in the IPv6 DHCP version 6 (DHCPv6) relay and server features of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition. | 7.5 |
2023-03-23 | CVE-2023-27077 | 360 | Out-of-bounds Write vulnerability in 360 D901 Firmware Stack Overflow vulnerability found in 360 D901 allows a remote attacker to cause a Distributed Denial of Service (DDOS) via a crafted HTTP package. | 7.5 |
2023-03-23 | CVE-2023-27079 | Tenda | Command Injection vulnerability in Tenda G103 Firmware 1.0.05 Command Injection vulnerability found in Tenda G103 v.1.0.05 allows an attacker to obtain sensitive information via a crafted package | 7.5 |
2023-03-22 | CVE-2022-45003 | Getgophish | Unspecified vulnerability in Getgophish Gophish Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus. | 7.5 |
2023-03-22 | CVE-2023-28431 | Parity | Incorrect Calculation vulnerability in Parity Frontier 20210903/20211013/20220912 Frontier is an Ethereum compatibility layer for Substrate. | 7.5 |
2023-03-22 | CVE-2023-28432 | Minio | Unspecified vulnerability in Minio Minio is a Multi-Cloud Object Storage framework. | 7.5 |
2023-03-22 | CVE-2023-28119 | Saml Project | Allocation of Resources Without Limits or Throttling vulnerability in Saml Project Saml 0.4.12 The crewjam/saml go library contains a partial implementation of the SAML standard in golang. | 7.5 |
2023-03-22 | CVE-2023-0464 | Openssl | Improper Certificate Validation vulnerability in Openssl A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. | 7.5 |
2023-03-22 | CVE-2023-1370 | Json Smart Project | Uncontrolled Recursion vulnerability in Json-Smart Project Json-Smart [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. | 7.5 |
2023-03-22 | CVE-2023-1436 | Jettison Project | Uncontrolled Recursion vulnerability in Jettison Project Jettison An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. | 7.5 |
2023-03-22 | CVE-2023-27857 | Rockwellautomation | Out-of-bounds Read vulnerability in Rockwellautomation Thinmanager In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker can exploit this vulnerability to crash ThinServer.exe due to a read access violation. | 7.5 |
2023-03-22 | CVE-2023-27856 | Rockwellautomation | Path Traversal vulnerability in Rockwellautomation Thinmanager In affected versions, path traversal exists when processing a message of type 8 in Rockwell Automation's ThinManager ThinServer. | 7.5 |
2023-03-21 | CVE-2023-24709 | Paradox | Code Injection vulnerability in Paradox Ipr512 Firmware An issue found in Paradox Security Systems IPR512 allows attackers to cause a denial of service via the login.html and login.xml parameters. | 7.5 |
2023-03-21 | CVE-2023-27087 | Xuxueli | Unspecified vulnerability in Xuxueli Xxl-Job 2.2.0/2.3.0/2.3.1 Permissions vulnerabiltiy found in Xuxueli xxl-job v2.2.0, v 2.3.0 and v.2.3.1 allows attacker to obtain sensitive information via the pageList parameter. | 7.5 |
2023-03-21 | CVE-2022-45635 | Megafeis | Weak Password Requirements vulnerability in Megafeis Bofei Dbd+ 1.4.4 An issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & Android v1.4.4 allows attacker to gain access to sensitive account information via insecure password policy. | 7.5 |
2023-03-21 | CVE-2023-25923 | IBM | Incorrect Authorization vulnerability in IBM Security KEY Lifecycle Manager IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an attacker to upload files that could be used in a denial of service attack due to incorrect authorization. | 7.5 |
2023-03-21 | CVE-2023-27871 | IBM | SQL Injection vulnerability in IBM Aspera Faspex 4.4.1/4.4.2 IBM Aspera Faspex 4.4.2 could allow a remote attacker to obtain sensitive credential information for an external user, using a specially crafted SQL query. | 7.5 |
2023-03-21 | CVE-2023-1545 | Teampass | SQL Injection vulnerability in Teampass SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. | 7.5 |
2023-03-20 | CVE-2022-45124 | Wellintech | Improper Authentication vulnerability in Wellintech Kinghistorian 35.01.00.05 An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. | 7.5 |
2023-03-20 | CVE-2023-27578 | Galaxyproject | Incorrect Authorization vulnerability in Galaxyproject Galaxy Galaxy is an open-source platform for data analysis. | 7.5 |
2023-03-20 | CVE-2023-26513 | Apache | Excessive Iteration vulnerability in Apache Sling Resource Merger Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2. | 7.5 |
2023-03-20 | CVE-2023-28118 | Kaml Project | XML Entity Expansion vulnerability in Kaml Project Kaml kaml provides YAML support for kotlinx.serialization. | 7.5 |
2023-03-24 | CVE-2023-22812 | Westerndigital | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Westerndigital Sandisk Privateaccess SanDisk PrivateAccess versions prior to 6.4.9 support insecure TLS 1.0 and TLS 1.1 protocols which are susceptible to man-in-the-middle attacks thereby compromising confidentiality and integrity of data. | 7.4 |
2023-03-24 | CVE-2023-20976 | Improper Input Validation vulnerability in Google Android 13.0 In getConfirmationMessage of DefaultAutofillPicker.java, there is a possible way to mislead the user to select default autofill application due to improper input validation. | 7.3 | |
2023-03-23 | CVE-2023-1595 | Xxyopen | SQL Injection vulnerability in Xxyopen Novel-Plus 3.6.2 A vulnerability has been found in novel-plus 3.6.2 and classified as critical. | 7.2 |
2023-03-23 | CVE-2023-23192 | Isdecisions | Incorrect Authorization vulnerability in Isdecisions Userlock 11.0.1 IS Decisions UserLock MFA 11.01 is vulnerable to authentication bypass using scheduled task. | 7.2 |
2023-03-22 | CVE-2022-43863 | IBM | Improper Privilege Management vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.4 and 7.5 is vulnerable to privilege escalation, allowing a user with some admin capabilities to gain additional admin capabilities. | 7.2 |
2023-03-22 | CVE-2023-1559 | Storage Unit Rental Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Storage Unit Rental Management System Project Storage Unit Rental Management System 1.0 A vulnerability classified as problematic was found in SourceCodester Storage Unit Rental Management System 1.0. | 7.2 |
2023-03-21 | CVE-2022-36429 | Netgear | Unspecified vulnerability in Netgear Rbs750 Firmware 4.6.8.5 A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. | 7.2 |
2023-03-24 | CVE-2023-28686 | Dino Fedoraproject Debian | Authorization Bypass Through User-Controlled Key vulnerability in multiple products Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. | 7.1 |
2023-03-23 | CVE-2023-28758 | An issue was discovered in Veritas NetBackup before 8.3.0.2. | 7.1 | |
2023-03-22 | CVE-2023-28685 | Jenkins | XXE vulnerability in Jenkins Absint A3 Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 7.1 |
2023-03-20 | CVE-2023-27586 | Courtbouillon | Server-Side Request Forgery (SSRF) vulnerability in Courtbouillon Cairosvg CairoSVG is an SVG converter based on Cairo, a 2D graphics library. | 7.1 |
201 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-03-23 | CVE-2023-20082 | Cisco | Unspecified vulnerability in Cisco IOS XE A vulnerability in Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to the device to execute persistent code at boot time and break the chain of trust. | 6.8 |
2023-03-23 | CVE-2023-20100 | Cisco | Unspecified vulnerability in Cisco IOS XE 17.10.1 A vulnerability in the access point (AP) joining process of the Control and Provisioning of Wireless Access Points (CAPWAP) protocol of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 6.8 |
2023-03-22 | CVE-2023-28005 | Trendmicro | Unspecified vulnerability in Trendmicro Trend Micro Endpoint Encryption A vulnerability in Trend Micro Endpoint Encryption Full Disk Encryption version 6.0.0.3204 and below could allow an attacker with physical access to an affected device to bypass Microsoft Windows? Secure Boot process in an attempt to execute other attacks to obtain access to the contents of the device. An attacker must first obtain physical access to the target system in order to exploit this vulnerability. | 6.8 |
2023-03-23 | CVE-2023-20097 | Cisco | Command Injection vulnerability in Cisco products A vulnerability in Cisco access points (AP) software could allow an authenticated, local attacker to inject arbitrary commands and execute them with root privileges. | 6.7 |
2023-03-23 | CVE-2023-28772 | Linux | Classic Buffer Overflow vulnerability in Linux Kernel An issue was discovered in the Linux kernel before 5.13.3. | 6.7 |
2023-03-22 | CVE-2023-0870 | Opennms | Cross-Site Request Forgery (CSRF) vulnerability in Opennms Horizon A form can be manipulated with cross-site request forgery in multiple versions of OpenNMS Meridian and Horizon. | 6.7 |
2023-03-21 | CVE-2023-25134 | Mcafee | Unspecified vulnerability in Mcafee Total Protection McAfee Total Protection prior to 16.0.50 may allow an adversary (with full administrative access) to modify a McAfee specific Component Object Model (COM) in the Windows Registry. | 6.7 |
2023-03-26 | CVE-2023-28859 | Redis | Incomplete Cleanup vulnerability in Redis Redis-Py redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. | 6.5 |
2023-03-24 | CVE-2023-24625 | Ladybirdweb | Authorization Bypass Through User-Controlled Key vulnerability in Ladybirdweb Faveo Servicedesk 5.0.1 Faveo 5.0.1 allows remote attackers to obtain sensitive information via a modified user ID in an Insecure Direct Object Reference (IDOR) attack. | 6.5 |
2023-03-23 | CVE-2023-20861 | Vmware | Unspecified vulnerability in VMWare Spring Framework In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. | 6.5 |
2023-03-23 | CVE-2023-28330 | Moodle | Unspecified vulnerability in Moodle Insufficient sanitizing in backup resulted in an arbitrary file read risk. | 6.5 |
2023-03-23 | CVE-2023-20059 | Cisco | Cleartext Storage of Sensitive Information vulnerability in Cisco DNA Center A vulnerability in the implementation of the Cisco Network Plug-and-Play (PnP) agent of Cisco DNA Center could allow an authenticated, remote attacker to view sensitive information in clear text. | 6.5 |
2023-03-23 | CVE-2023-20066 | Cisco | Path Traversal vulnerability in Cisco IOS XE 16.12.3/17.3.2/17.6.2 A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to perform a directory traversal and access resources that are outside the filesystem mountpoint of the web UI. | 6.5 |
2023-03-23 | CVE-2023-20067 | Cisco | Allocation of Resources Without Limits or Throttling vulnerability in Cisco IOS XE A vulnerability in the HTTP-based client profiling feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. | 6.5 |
2023-03-23 | CVE-2023-20112 | Cisco | Out-of-bounds Read vulnerability in Cisco products A vulnerability in Cisco access point (AP) software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. | 6.5 |
2023-03-22 | CVE-2023-28117 | Sentry | Information Exposure Through an Error Message vulnerability in Sentry Software Development KIT Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. | 6.5 |
2023-03-21 | CVE-2023-27873 | IBM | Unspecified vulnerability in IBM Aspera Faspex 4.4.1/4.4.2 IBM Aspera Faspex 4.4.2 could allow a remote authenticated attacker to obtain sensitive credential information using specially crafted XML input. | 6.5 |
2023-03-21 | CVE-2022-42334 | XEN Debian Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. | 6.5 |
2023-03-21 | CVE-2023-27979 | Schneider Electric | Insufficient Verification of Data Authenticity vulnerability in Schneider-Electric Custom Reports, Igss Dashboard and Igss Data Server A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS project report directory, this could lead to denial of service when an attacker sends specific crafted messages to the Data Server TCP port. | 6.5 |
2023-03-20 | CVE-2023-0890 | Getshortcodes | Missing Authorization vulnerability in Getshortcodes Shortcodes Ultimate The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated users such as subscriber to view draft, private or even password protected posts. | 6.5 |
2023-03-20 | CVE-2023-0911 | Getshortcodes | Missing Authorization vulnerability in Getshortcodes Shortcodes Ultimate The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not validate the user meta to be retrieved via the user shortcode, allowing any authenticated users such as subscriber to retrieve arbitrary user meta (except the user_pass), such as the user email and activation key by default. | 6.5 |
2023-03-20 | CVE-2023-22681 | Online Exam Software | Cross-Site Request Forgery (CSRF) vulnerability in Online Exam Software : Eexamhall Project Online Exam Software : Eexamhall 4.0 Cross-Site Request Forgery (CSRF) vulnerability in Aarvanshinfotech Online Exam Software: eExamhall plugin <= 4.0 versions. | 6.5 |
2023-03-23 | CVE-2023-1544 | Qemu Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. | 6.3 |
2023-03-25 | CVE-2023-1635 | Otcms | Cross-site Scripting vulnerability in Otcms 6.72 A vulnerability was found in OTCMS 6.72. | 6.1 |
2023-03-25 | CVE-2016-15030 | Twofactorauth Project | Open Redirect vulnerability in Twofactorauth Project Twofactorauth A vulnerability classified as problematic has been found in Arno0x TwoFactorAuth. | 6.1 |
2023-03-24 | CVE-2023-28435 | Dataease | Cross-site Scripting vulnerability in Dataease Dataease is an open source data visualization and analysis tool. | 6.1 |
2023-03-23 | CVE-2023-1613 | Ruifang Tech | Cross-site Scripting vulnerability in Ruifang-Tech Rebuild A vulnerability has been found in Rebuild up to 3.2.3 and classified as problematic. | 6.1 |
2023-03-23 | CVE-2023-28331 | Moodle | Cross-site Scripting vulnerability in Moodle Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk. | 6.1 |
2023-03-23 | CVE-2023-28332 | Moodle | Cross-site Scripting vulnerability in Moodle If the algebra filter was enabled but not functional (eg the necessary binaries were missing from the server), it presented an XSS risk. | 6.1 |
2023-03-23 | CVE-2022-47145 | Blockonomics | Cross-site Scripting vulnerability in Blockonomics Reflected Cross-Site Scripting (XSS) vulnerability in Blockonomics WordPress Bitcoin Payments – Blockonomics plugin <= 3.5.7 versions. | 6.1 |
2023-03-23 | CVE-2022-47431 | Tussendoor | Cross-site Scripting vulnerability in Tussendoor Open RDW Kenteken Voertuiginformatie Reflected Cross-Site Scripting (XSS) vulnerability in Tussendoor internet & marketing Open RDW kenteken voertuiginformatie plugin <= 2.0.14 versions. | 6.1 |
2023-03-23 | CVE-2023-22704 | Mtrv | Cross-site Scripting vulnerability in Mtrv Teachpress Reflected Cross-Site Scripting (XSS) vulnerability in Michael Winkler teachPress plugin <= 8.1.8 versions. | 6.1 |
2023-03-23 | CVE-2023-1593 | Automatic Question Paper Generator System Project | Cross-site Scripting vulnerability in Automatic Question Paper Generator System Project Automatic Question Paper Generator System 1.0 A vulnerability, which was classified as problematic, has been found in SourceCodester Automatic Question Paper Generator System 1.0. | 6.1 |
2023-03-23 | CVE-2023-1051 | Askoc | Cross-site Scripting vulnerability in Askoc web Report System Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in As Koc Energy Web Report System allows Reflected XSS.This issue affects Web Report System: before 23.03.10. | 6.1 |
2023-03-22 | CVE-2022-45004 | Getgophish | Cross-site Scripting vulnerability in Getgophish Gophish Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page. | 6.1 |
2023-03-22 | CVE-2023-28439 | Ckeditor Fedoraproject | Cross-site Scripting vulnerability in multiple products CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. | 6.1 |
2023-03-22 | CVE-2023-1573 | Datagear | Cross-site Scripting vulnerability in Datagear A vulnerability was found in DataGear up to 1.11.1 and classified as problematic. | 6.1 |
2023-03-22 | CVE-2023-26913 | Evolucare | Cross-site Scripting vulnerability in Evolucare ECS Imaging 6.21.5 EVOLUCARE ECSIMAGING (aka ECS Imaging) < 6.21.5 is vulnerable to Cross Site Scripting (XSS) via new_movie. | 6.1 |
2023-03-22 | CVE-2023-1567 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Student Study Center Desk Management System 1.0 A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. | 6.1 |
2023-03-22 | CVE-2022-37940 | HPE | Open Redirect vulnerability in HPE products Potential security vulnerabilities have been identified in the HPE FlexFabric 5700 Switch Series. | 6.1 |
2023-03-22 | CVE-2023-25593 | Arubanetworks | Cross-site Scripting vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. | 6.1 |
2023-03-21 | CVE-2023-1154 | Pacsrapor | Cross-site Scripting vulnerability in Pacsrapor Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pacsrapor allows Reflected XSS.This issue affects Pacsrapor: before 1.22. | 6.1 |
2023-03-21 | CVE-2016-15029 | Mapicoin Project | Cross-site Scripting vulnerability in Mapicoin Project Mapicoin A vulnerability has been found in Ydalb mapicoin up to 1.9.0 and classified as problematic. | 6.1 |
2023-03-20 | CVE-2023-0681 | Rapid7 | Open Redirect vulnerability in Rapid7 Insightvm Rapid7 InsightVM versions 6.6.178 and lower suffers from an open redirect vulnerability, whereby an attacker has the ability to redirect the user to a site of the attacker’s choice using the ‘page’ parameter of the ‘data/console/redirect’ component of the application. | 6.1 |
2023-03-20 | CVE-2023-0876 | Joomunited | Unspecified vulnerability in Joomunited WP Meta SEO The WP Meta SEO WordPress plugin before 4.5.3 does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary redirect vulnerability. | 6.1 |
2023-03-20 | CVE-2023-0937 | Vektor INC | Unspecified vulnerability in Vektor-Inc VK ALL in ONE Expansion Unit The VK All in One Expansion Unit WordPress plugin before 9.87.1.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | 6.1 |
2023-03-20 | CVE-2023-28429 | Pimcore | Cross-site Scripting vulnerability in Pimcore Pimcore is an open source data and experience management platform. | 6.1 |
2023-03-20 | CVE-2022-47591 | MAP Multi Marker Project | Cross-site Scripting vulnerability in MAP Multi Marker Project MAP Multi Marker Reflected Cross-Site Scripting (XSS) vulnerability in Mickael Austoni Map Multi Marker plugin <= 3.2.1 versions. | 6.1 |
2023-03-20 | CVE-2022-47592 | Magicform Project | Cross-site Scripting vulnerability in Magicform Project Magicform Reflected Cross-Site Scripting (XSS) vulnerability in Dmytriy.Cooperman MagicForm plugin <= 0.1 versions. | 6.1 |
2023-03-20 | CVE-2023-22682 | Pixedelic | Cross-site Scripting vulnerability in Pixedelic Camera Slideshow Reflected Cross-Site Scripting (XSS) vulnerability in Manuel Masia | Pixedelic.Com Camera slideshow plugin <= 1.4.0.1 versions. | 6.1 |
2023-03-20 | CVE-2023-1507 | E Commerce System Project | Cross-site Scripting vulnerability in E-Commerce System Project E-Commerce System 1.0 A vulnerability has been found in SourceCodester E-Commerce System 1.0 and classified as problematic. | 6.1 |
2023-03-20 | CVE-2023-1248 | Otrs | Cross-site Scripting vulnerability in Otrs Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | 6.1 |
2023-03-23 | CVE-2023-20081 | Cisco | Out-of-bounds Write vulnerability in Cisco products A vulnerability in the IPv6 DHCP (DHCPv6) client module of Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense (FTD) Software, Cisco IOS Software, and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 5.9 |
2023-03-21 | CVE-2022-38458 | Netgear | Cleartext Transmission of Sensitive Information vulnerability in Netgear Rbs750 Firmware 4.6.8.5 A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. | 5.9 |
2023-03-26 | CVE-2023-1644 | Iobit | Improper Resource Shutdown or Release vulnerability in Iobit Malware Fighter 9.4.0.776 A vulnerability was found in IObit Malware Fighter 9.4.0.776 and classified as problematic. | 5.5 |
2023-03-26 | CVE-2023-1645 | Iobit | Improper Resource Shutdown or Release vulnerability in Iobit Malware Fighter 9.4.0.776 A vulnerability was found in IObit Malware Fighter 9.4.0.776. | 5.5 |
2023-03-26 | CVE-2023-1640 | Iobit | Improper Resource Shutdown or Release vulnerability in Iobit Malware Fighter 9.4.0.776 A vulnerability classified as problematic was found in IObit Malware Fighter 9.4.0.776. | 5.5 |
2023-03-26 | CVE-2023-1641 | Iobit | Improper Resource Shutdown or Release vulnerability in Iobit Malware Fighter 9.4.0.776 A vulnerability, which was classified as problematic, has been found in IObit Malware Fighter 9.4.0.776. | 5.5 |
2023-03-26 | CVE-2023-1642 | Iobit | Improper Resource Shutdown or Release vulnerability in Iobit Malware Fighter 9.4.0.776 A vulnerability, which was classified as problematic, was found in IObit Malware Fighter 9.4.0.776. | 5.5 |
2023-03-26 | CVE-2023-1643 | Iobit | Improper Resource Shutdown or Release vulnerability in Iobit Malware Fighter 9.4.0.776 A vulnerability has been found in IObit Malware Fighter 9.4.0.776 and classified as problematic. | 5.5 |
2023-03-26 | CVE-2023-1638 | Iobit | Improper Resource Shutdown or Release vulnerability in Iobit Malware Fighter 9.4.0.776 A vulnerability was found in IObit Malware Fighter 9.4.0.776. | 5.5 |
2023-03-26 | CVE-2023-1639 | Iobit | Improper Resource Shutdown or Release vulnerability in Iobit Malware Fighter 9.4.0.776 A vulnerability classified as problematic has been found in IObit Malware Fighter 9.4.0.776. | 5.5 |
2023-03-25 | CVE-2023-1627 | Jiangmin | Improper Resource Shutdown or Release vulnerability in Jiangmin Antivirus 16.2.2022.418 A vulnerability was found in Jianming Antivirus 16.2.2022.418. | 5.5 |
2023-03-25 | CVE-2023-1628 | Jiangmin | NULL Pointer Dereference vulnerability in Jiangmin Antivirus 16.2.2022.418 A vulnerability classified as problematic has been found in Jianming Antivirus 16.2.2022.418. | 5.5 |
2023-03-25 | CVE-2023-1630 | Jiangmin | Improper Resource Shutdown or Release vulnerability in Jiangmin Antivirus 16.2.2022.418 A vulnerability, which was classified as problematic, has been found in JiangMin Antivirus 16.2.2022.418. | 5.5 |
2023-03-25 | CVE-2023-1631 | Jiangmin | NULL Pointer Dereference vulnerability in Jiangmin Antivirus 16.2.2022.418 A vulnerability, which was classified as problematic, was found in JiangMin Antivirus 16.2.2022.418. | 5.5 |
2023-03-24 | CVE-2023-1583 | Linux | NULL Pointer Dereference vulnerability in Linux Kernel A NULL pointer dereference was found in io_file_bitmap_get in io_uring/filetable.c in the io_uring sub-component in the Linux Kernel. | 5.5 |
2023-03-24 | CVE-2023-20910 | Resource Exhaustion vulnerability in Google Android In add of WifiNetworkSuggestionsManager.java, there is a possible way to trigger permanent DoS due to resource exhaustion. | 5.5 | |
2023-03-24 | CVE-2023-20972 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 13.0 In btm_vendor_specific_evt of btm_devctl.cc, there is a possible out of bounds read due to a missing bounds check. | 5.5 | |
2023-03-24 | CVE-2023-20973 | Out-of-bounds Read vulnerability in Google Android 13.0 In btm_create_conn_cancel_complete of btm_sec.cc, there is a possible out of bounds read due to a missing bounds check. | 5.5 | |
2023-03-24 | CVE-2023-20974 | Out-of-bounds Read vulnerability in Google Android 13.0 In btm_ble_add_resolving_list_entry_complete of btm_ble_privacy.cc, there is a possible out of bounds read due to a missing bounds check. | 5.5 | |
2023-03-24 | CVE-2023-20979 | Out-of-bounds Read vulnerability in Google Android 13.0 In GetNextSourceDataPacket of bta_av_co.cc, there is a possible out of bounds read due to a missing bounds check. | 5.5 | |
2023-03-24 | CVE-2023-20980 | Out-of-bounds Read vulnerability in Google Android 13.0 In btu_ble_ll_conn_param_upd_evt of btu_hcif.cc, there is a possible out of bounds read due to a missing bounds check. | 5.5 | |
2023-03-23 | CVE-2022-3101 | Redhat Openstack | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products A flaw was found in tripleo-ansible. | 5.5 |
2023-03-23 | CVE-2022-3146 | Redhat Openstack | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products A flaw was found in tripleo-ansible. | 5.5 |
2023-03-23 | CVE-2023-1249 | Linux | Use After Free vulnerability in Linux Kernel A use-after-free flaw was found in the Linux kernel’s core dump subsystem. | 5.5 |
2023-03-23 | CVE-2023-1289 | Imagemagick Fedoraproject Redhat | Improper Input Validation vulnerability in multiple products A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. | 5.5 |
2023-03-23 | CVE-2023-20056 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in the management CLI of Cisco access point (AP) software could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected device. | 5.5 |
2023-03-23 | CVE-2023-27655 | Xpdfreader | Out-of-bounds Write vulnerability in Xpdfreader Xpdf 4.04 xpdf v4.04 was discovered to contain a stack overflow in the component pdftotext. | 5.5 |
2023-03-23 | CVE-2023-27249 | Swftools | Out-of-bounds Write vulnerability in Swftools 0.9.2 swfdump v0.9.2 was discovered to contain a heap buffer overflow in the function swf_GetPlaceObject at swfobject.c. | 5.5 |
2023-03-22 | CVE-2023-25862 | Adobe | Out-of-bounds Read vulnerability in Adobe Illustrator Illustrator version 26.5.2 (and earlier) and 27.2.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. | 5.5 |
2023-03-22 | CVE-2023-27754 | Vox2Mesh Project | Out-of-bounds Write vulnerability in Vox2Mesh Project Vox2Mesh 1.0 vox2mesh 1.0 has stack-overflow in main.cpp, this is stack-overflow caused by incorrect use of memcpy() funciton. | 5.5 |
2023-03-22 | CVE-2023-1570 | Tinydng Project | Heap-based Buffer Overflow vulnerability in Tinydng Project Tinydng A vulnerability, which was classified as problematic, has been found in syoyo tinydng. | 5.5 |
2023-03-22 | CVE-2023-1560 | Tinytiff Project | Classic Buffer Overflow vulnerability in Tinytiff Project Tinytiff 3.0.0.0 A vulnerability, which was classified as problematic, has been found in TinyTIFF 3.0.0.0. | 5.5 |
2023-03-22 | CVE-2023-25595 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A vulnerability exists in the ClearPass OnGuard Ubuntu agent that allows for an attacker with local Ubuntu instance access to potentially obtain sensitive information. | 5.5 |
2023-03-21 | CVE-2022-41696 | Visam | Unspecified vulnerability in Visam Vbase Automation Base Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | 5.5 |
2023-03-21 | CVE-2022-43512 | Visam | XXE vulnerability in Visam Vbase Automation Base Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | 5.5 |
2023-03-21 | CVE-2022-45121 | Visam | Unspecified vulnerability in Visam Vbase Automation Base Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | 5.5 |
2023-03-21 | CVE-2022-45468 | Visam | Unspecified vulnerability in Visam Vbase Automation Base Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | 5.5 |
2023-03-21 | CVE-2022-46286 | Visam | Unspecified vulnerability in Visam Vbase Automation Base Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | 5.5 |
2023-03-21 | CVE-2022-46300 | Visam | XXE vulnerability in Visam Vbase Automation Base Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | 5.5 |
2023-03-21 | CVE-2023-25686 | IBM | Insufficiently Protected Credentials vulnerability in IBM Security KEY Lifecycle Manager IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 stores user credentials in plain clear text which can be read by a local user. | 5.5 |
2023-03-21 | CVE-2022-42331 | XEN Fedoraproject | x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. | 5.5 |
2023-03-20 | CVE-2023-28425 | Redis | Reachable Assertion vulnerability in Redis 7.0.8 Redis is an in-memory database that persists on disk. | 5.5 |
2023-03-24 | CVE-2021-3844 | Rapid7 | Insufficient Session Expiration vulnerability in Rapid7 Insightvm Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. | 5.4 |
2023-03-24 | CVE-2023-1616 | Teacms Project | Cross-site Scripting vulnerability in Teacms Project Teacms 2.0/2.0.1/2.0.2 A vulnerability was found in XiaoBingBy TeaCMS up to 2.0.2. | 5.4 |
2023-03-23 | CVE-2023-1609 | Crmeb | Cross-site Scripting vulnerability in Crmeb Java 1.3.4 A vulnerability was found in Zhong Bang CRMEB Java up to 1.3.4. | 5.4 |
2023-03-23 | CVE-2023-23707 | Awsm | Unrestricted Upload of File with Dangerous Type vulnerability in Awsm Embed ANY Document Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Unrestricted Upload of File with Dangerous Type vulnerability in Awsm Innovations Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files allows Stored XSS via upload of SVG and HTML files. This issue affects Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin <= 2.7.1 versions. | 5.4 |
2023-03-23 | CVE-2023-22702 | Wpmobile APP Project | Cross-site Scripting vulnerability in Wpmobile.App Project Wpmobile.App Auth. | 5.4 |
2023-03-23 | CVE-2023-23728 | Winwar | Cross-site Scripting vulnerability in Winwar WP Flipclock Auth. | 5.4 |
2023-03-23 | CVE-2023-22712 | Templatesnext | Cross-site Scripting vulnerability in Templatesnext Toolkit Auth. | 5.4 |
2023-03-23 | CVE-2023-23650 | Mainwp | Cross-site Scripting vulnerability in Mainwp Code Snippets Extension Auth. | 5.4 |
2023-03-23 | CVE-2023-23864 | Very Simple Google Maps Project | Cross-site Scripting vulnerability in Very Simple Google Maps Project Very Simple Google Maps Auth. | 5.4 |
2023-03-23 | CVE-2022-45843 | Nextendweb | Cross-site Scripting vulnerability in Nextendweb Smart Slider 3 Auth. | 5.4 |
2023-03-22 | CVE-2023-21615 | Adobe | Cross-site Scripting vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 5.4 |
2023-03-22 | CVE-2023-21616 | Adobe | Cross-site Scripting vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22252 | Adobe | Cross-site Scripting vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22253 | Adobe | Cross-site Scripting vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22254 | Adobe | Cross-site Scripting vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22256 | Adobe | Open Redirect vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22257 | Adobe | Open Redirect vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22258 | Adobe | Open Redirect vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22259 | Adobe | Open Redirect vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22260 | Adobe | Open Redirect vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22261 | Adobe | Open Redirect vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22262 | Adobe | Open Redirect vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22263 | Adobe | Open Redirect vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22264 | Adobe | Open Redirect vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22265 | Adobe | Open Redirect vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22266 | Adobe | Open Redirect vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. | 5.4 |
2023-03-22 | CVE-2023-22269 | Adobe | Cross-site Scripting vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 5.4 |
2023-03-22 | CVE-2023-1568 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Student Study Center Desk Management System 1.0 A vulnerability classified as problematic has been found in SourceCodester Student Study Center Desk Management System 1.0. | 5.4 |
2023-03-22 | CVE-2023-1569 | E Commerce System Project | Cross-site Scripting vulnerability in E-Commerce System Project E-Commerce System 1.0 A vulnerability classified as problematic was found in SourceCodester E-Commerce System 1.0. | 5.4 |
2023-03-22 | CVE-2023-1565 | Feifeicms | Cross-site Scripting vulnerability in Feifeicms 2.7.130201 A vulnerability was found in FeiFeiCMS 2.7.130201. | 5.4 |
2023-03-22 | CVE-2023-1572 | Datagear | Cross-site Scripting vulnerability in Datagear A vulnerability has been found in DataGear up to 1.11.1 and classified as problematic. | 5.4 |
2023-03-22 | CVE-2023-28083 | HP | Cross-site Scripting vulnerability in HP products A remote Cross-site Scripting vulnerability was discovered in HPE Integrated Lights-Out 6 (iLO 6), Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4). | 5.4 |
2023-03-21 | CVE-2022-41785 | Robogallery | Cross-site Scripting vulnerability in Robogallery Gallery Images APE Auth. | 5.4 |
2023-03-21 | CVE-2022-41831 | WP Glossary Project | Cross-site Scripting vulnerability in WP Glossary Project WP Glossary Auth. | 5.4 |
2023-03-21 | CVE-2022-42485 | Galaxyweblinks | Cross-site Scripting vulnerability in Galaxyweblinks Gallery With Thumbnail Slider Auth. | 5.4 |
2023-03-21 | CVE-2023-1535 | Answer | Cross-site Scripting vulnerability in Answer Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7. | 5.4 |
2023-03-21 | CVE-2023-1536 | Answer | Cross-site Scripting vulnerability in Answer Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7. | 5.4 |
2023-03-21 | CVE-2023-1542 | Answer | Unspecified vulnerability in Answer Business Logic Errors in GitHub repository answerdev/answer prior to 1.0.6. | 5.4 |
2023-03-21 | CVE-2023-1527 | Corebos | Cross-site Scripting vulnerability in Corebos 5.4/5.5/7.0 Cross-site Scripting (XSS) - Generic in GitHub repository tsolucio/corebos prior to 8.0. | 5.4 |
2023-03-20 | CVE-2023-0145 | Saan | Unspecified vulnerability in Saan World Clock The Saan World Clock WordPress plugin through 1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
2023-03-20 | CVE-2023-0167 | Getresponse | Unspecified vulnerability in Getresponse The GetResponse for WordPress plugin through 5.5.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
2023-03-20 | CVE-2023-0175 | Accesspressthemes | Unspecified vulnerability in Accesspressthemes Smart Logo Showcase Lite The Responsive Clients Logo Gallery Plugin for WordPress plugin through 1.1.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
2023-03-20 | CVE-2023-0273 | Custom Content Shortcode Project | Unspecified vulnerability in Custom Content Shortcode Project Custom Content Shortcode The Custom Content Shortcode WordPress plugin through 4.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | 5.4 |
2023-03-20 | CVE-2023-0364 | Real KIT Project | Unspecified vulnerability in Real.Kit Project Real.Kit The real.Kit WordPress plugin before 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
2023-03-20 | CVE-2023-0365 | React Webcam Project | Unspecified vulnerability in React Webcam Project React Webcam The React Webcam WordPress plugin through 1.2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
2023-03-20 | CVE-2023-0369 | Gotowp | Unspecified vulnerability in Gotowp The GoToWP WordPress plugin through 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
2023-03-20 | CVE-2023-0370 | Wpbean | Cross-site Scripting vulnerability in Wpbean WPB Advanced FAQ 1.02/1.03 The WPB Advanced FAQ WordPress plugin through 1.0.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
2023-03-20 | CVE-2023-22288 | Tribe29 Checkmk | Cross-site Scripting vulnerability in multiple products HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails | 5.4 |
2023-03-20 | CVE-2023-1515 | Pimcore | Cross-site Scripting vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19. | 5.4 |
2023-03-20 | CVE-2023-0320 | University Information Management System Project | Cross-site Scripting vulnerability in University Information Management System Project University Information Management System Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Izmir Katip Celebi University UBYS allows Stored XSS.This issue affects UBYS: before 23.03.16. | 5.4 |
2023-03-24 | CVE-2023-28442 | Geosolutionsgroup | Information Exposure vulnerability in Geosolutionsgroup Geonode GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. | 5.3 |
2023-03-22 | CVE-2023-22271 | Adobe | Inadequate Encryption Strength vulnerability in Adobe Experience Manager Experience Manager versions 6.5.15.0 (and earlier) are affected by a Weak Cryptography for Passwords vulnerability that can lead to a security feature bypass. | 5.3 |
2023-03-22 | CVE-2023-25688 | IBM | Path Traversal vulnerability in IBM Security KEY Lifecycle Manager IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1could allow a remote attacker to traverse directories on the system. | 5.3 |
2023-03-21 | CVE-2023-1261 | Silabs | Missing Authorization vulnerability in Silabs Wi-Sun Software Development KIT Missing MAC layer security in Silicon Labs Wi-SUN SDK v1.5.0 and earlier allows malicious node to route malicious messages through network. | 5.3 |
2023-03-21 | CVE-2023-1262 | Silabs | Missing Authorization vulnerability in Silabs Wireless Smart Ubiquitous Network Linux Border Router Firmware Missing MAC layer security in Silicon Labs Wi-SUN Linux Border Router v1.5.2 and earlier allows malicious node to route malicious messages through network. | 5.3 |
2023-03-21 | CVE-2023-25689 | IBM | Path Traversal vulnerability in IBM Security KEY Lifecycle Manager IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1 , and 4.1.1 could allow a remote attacker to traverse directories on the system. | 5.3 |
2023-03-21 | CVE-2023-27977 | Schneider Electric | Insufficient Verification of Data Authenticity vulnerability in Schneider-Electric Custom Reports, Igss Dashboard and Igss Data Server A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause access to delete files in the IGSS project report directory, this could lead to loss of data when an attacker sends specific crafted messages to the Data Server TCP port. | 5.3 |
2023-03-21 | CVE-2023-1538 | Answer | Information Exposure Through Discrepancy vulnerability in Answer Observable Timing Discrepancy in GitHub repository answerdev/answer prior to 1.0.6. | 5.3 |
2023-03-21 | CVE-2023-1539 | Answer | Improper Restriction of Excessive Authentication Attempts vulnerability in Answer Improper Restriction of Excessive Authentication Attempts in GitHub repository answerdev/answer prior to 1.0.6. | 5.3 |
2023-03-21 | CVE-2023-1540 | Answer | Information Exposure Through Discrepancy vulnerability in Answer Observable Response Discrepancy in GitHub repository answerdev/answer prior to 1.0.6. | 5.3 |
2023-03-23 | CVE-2023-26361 | Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. | 4.9 | |
2023-03-22 | CVE-2023-25596 | Arubanetworks | Cleartext Storage of Sensitive Information vulnerability in Arubanetworks Clearpass Policy Manager A vulnerability exists in ClearPass Policy Manager that allows for an attacker with administrative privileges to access sensitive information in a cleartext format. | 4.9 |
2023-03-23 | CVE-2023-25456 | Klaviyo | Cross-site Scripting vulnerability in Klaviyo Auth. | 4.8 |
2023-03-23 | CVE-2023-25992 | Cminds | Cross-site Scripting vulnerability in Cminds CM Answers Auth. | 4.8 |
2023-03-23 | CVE-2023-26008 | TOP 10 Popular Posts Project | Cross-site Scripting vulnerability in TOP 10 - Popular Posts Project TOP 10 - Popular Posts Auth. | 4.8 |
2023-03-23 | CVE-2022-47173 | Advancedformintegration | Cross-site Scripting vulnerability in Advancedformintegration Advanced Form Integration Auth. | 4.8 |
2023-03-23 | CVE-2022-47589 | Thisfunctional | Cross-site Scripting vulnerability in Thisfunctional CTT Expresso Para Woocommerce Auth. | 4.8 |
2023-03-23 | CVE-2023-23722 | Winwar | Cross-site Scripting vulnerability in Winwar WP Ebay Product Feeds Auth. | 4.8 |
2023-03-23 | CVE-2023-22715 | WP Commentnavi Project | Cross-site Scripting vulnerability in Wp-Commentnavi Project Wp-Commentnavi Auth. | 4.8 |
2023-03-23 | CVE-2023-22716 | Oopspam | Cross-site Scripting vulnerability in Oopspam Anti-Spam Auth. | 4.8 |
2023-03-23 | CVE-2022-44742 | Community Events Project | Cross-site Scripting vulnerability in Community Events Project Community Events Auth. | 4.8 |
2023-03-23 | CVE-2023-28422 | Mage People | Cross-site Scripting vulnerability in Mage-People Event Manager and Tickets Selling for Woocommerce Auth. | 4.8 |
2023-03-23 | CVE-2023-1410 | Grafana | Cross-site Scripting vulnerability in Grafana Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. | 4.8 |
2023-03-20 | CVE-2023-1517 | Pimcore | Cross-site Scripting vulnerability in Pimcore Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.19. | 4.8 |
2023-03-20 | CVE-2023-22679 | WP Better Emails Project | Cross-site Scripting vulnerability in WP Better Emails Project WP Better Emails Auth. | 4.8 |
2023-03-20 | CVE-2023-22680 | Altanic | Cross-site Scripting vulnerability in Altanic NO API Amazon Affiliate Auth. | 4.8 |
2023-03-20 | CVE-2023-23718 | Page Loading Effects Project | Cross-site Scripting vulnerability in Page Loading Effects Project Page Loading Effects Auth. | 4.8 |
2023-03-20 | CVE-2023-24381 | Nsthemes | Cross-site Scripting vulnerability in Nsthemes Advanced Social Pixel Auth. | 4.8 |
2023-03-20 | CVE-2023-25064 | WP Htpasswd Project | Cross-site Scripting vulnerability in WP Htpasswd Project WP Htpasswd 1.7 Auth. | 4.8 |
2023-03-20 | CVE-2023-25794 | Nooz Project | Cross-site Scripting vulnerability in Nooz Project Nooz Auth. | 4.8 |
2023-03-20 | CVE-2023-25795 | WP Master | Cross-site Scripting vulnerability in Wp-Master Feed Changer & Remover 0.1/0.2 Auth. | 4.8 |
2023-03-20 | CVE-2023-25782 | Plustime | Cross-site Scripting vulnerability in Plustime Service Area Postcode Checker Auth. | 4.8 |
2023-03-24 | CVE-2023-21031 | Out-of-bounds Read vulnerability in Google Android 13.0 In setPowerMode of HWC2.cpp, there is a possible out of bounds read due to a race condition. | 4.7 | |
2023-03-23 | CVE-2023-0590 | Linux | Use After Free vulnerability in Linux Kernel A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. | 4.7 |
2023-03-24 | CVE-2023-20987 | Out-of-bounds Read vulnerability in Google Android 13.0 In btm_read_link_quality_complete of btm_acl.cc, there is a possible out of bounds read due to a missing bounds check. | 4.5 | |
2023-03-24 | CVE-2023-20988 | Out-of-bounds Read vulnerability in Google Android 13.0 In btm_read_rssi_complete of btm_acl.cc, there is a possible out of bounds read due to a missing bounds check. | 4.5 | |
2023-03-24 | CVE-2023-20992 | Out-of-bounds Read vulnerability in Google Android 13.0 In on_iso_link_quality_read of btm_iso_impl.h, there is a possible out of bounds read due to a missing bounds check. | 4.5 | |
2023-03-24 | CVE-2023-20968 | Out-of-bounds Read vulnerability in Google Android 13.0 In multiple functions of p2p_iface.cpp, there is a possible out of bounds read due to a missing bounds check. | 4.4 | |
2023-03-24 | CVE-2023-20977 | Out-of-bounds Read vulnerability in Google Android 13.0 In btm_ble_read_remote_features_complete of btm_ble_gap.cc, there is a possible out of bounds read due to improper input validation. | 4.4 | |
2023-03-24 | CVE-2023-20981 | Out-of-bounds Read vulnerability in Google Android 13.0 In btu_ble_rc_param_req_evt of btu_hcif.cc, there is a possible out of bounds read due to a missing bounds check. | 4.4 | |
2023-03-24 | CVE-2023-20982 | Out-of-bounds Read vulnerability in Google Android 13.0 In btm_read_tx_power_complete of btm_acl.cc, there is a possible out of bounds read due to a missing bounds check. | 4.4 | |
2023-03-24 | CVE-2023-20983 | Out-of-bounds Read vulnerability in Google Android 13.0 In btm_ble_rand_enc_complete of btm_ble.cc, there is a possible out of bounds read due to a missing bounds check. | 4.4 | |
2023-03-24 | CVE-2023-20984 | Out-of-bounds Read vulnerability in Google Android 13.0 In ParseBqrLinkQualityEvt of btif_bqr.cc, there is a possible out of bounds read due to a missing bounds check. | 4.4 | |
2023-03-24 | CVE-2023-20986 | Out-of-bounds Read vulnerability in Google Android 13.0 In btm_ble_clear_resolving_list_completecomplete of btm_ble_privacy.cc, there is a possible out of bounds read due to a missing bounds check. | 4.4 | |
2023-03-24 | CVE-2023-20989 | Out-of-bounds Read vulnerability in Google Android 13.0 In btm_ble_write_adv_enable_complete of btm_ble_gap.cc, there is a possible out of bounds read due to a missing bounds check. | 4.4 | |
2023-03-24 | CVE-2023-20990 | Out-of-bounds Read vulnerability in Google Android 13.0 In btm_ble_rand_enc_complete of btm_ble.cc, there is a possible out of bounds read due to a missing bounds check. | 4.4 | |
2023-03-24 | CVE-2023-20991 | Out-of-bounds Read vulnerability in Google Android 13.0 In btm_ble_process_periodic_adv_sync_lost_evt of ble_scanner_hci_interface.cc , there is a possible out of bounds read due to a missing bounds check. | 4.4 | |
2023-03-23 | CVE-2023-1402 | Moodle | Exposure of Resource to Wrong Sphere vulnerability in Moodle The course participation report required additional checks to prevent roles being displayed which the user did not have access to view. | 4.3 |
2023-03-23 | CVE-2023-28334 | Moodle | Authorization Bypass Through User-Controlled Key vulnerability in Moodle Authenticated users were able to enumerate other users' names via the learning plans page. | 4.3 |
2023-03-23 | CVE-2023-28336 | Moodle Fedoraproject | Exposure of Resource to Wrong Sphere vulnerability in multiple products Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access. | 4.3 |
2023-03-22 | CVE-2023-1562 | Mattermost | Exposure of Resource to Wrong Sphere vulnerability in Mattermost Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner. | 4.3 |
2023-03-22 | CVE-2023-28708 | Apache | Unprotected Transport of Credentials vulnerability in Apache Tomcat When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. | 4.3 |
2023-03-22 | CVE-2022-45634 | Megaeis | Unspecified vulnerability in Megaeis Dbd+ 1.4.4 An issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & Android v1.4.4 allows authenticated attacker to gain access to sensitive account information | 4.3 |
2023-03-21 | CVE-2023-25687 | IBM | Information Exposure Through Log Files vulnerability in IBM Security KEY Lifecycle Manager IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an authenticated user to obtain sensitive information from log files. | 4.3 |
2023-03-20 | CVE-2022-3894 | Dash10 | Unspecified vulnerability in Dash10 Oauth Server The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.5 does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack. | 4.3 |
2023-03-20 | CVE-2022-4148 | Dash10 | Missing Authorization vulnerability in Dash10 Oauth Server The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.3.0 has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client. | 4.3 |
2023-03-22 | CVE-2023-28114 | Cilium | Improper Handling of Exceptional Conditions vulnerability in Cilium Cilium-Cli `cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. | 4.1 |
4 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-03-21 | CVE-2023-1541 | Answer | Unspecified vulnerability in Answer Business Logic Errors in GitHub repository answerdev/answer prior to 1.0.6. | 3.8 |
2023-03-26 | CVE-2023-28858 | Redis | Off-by-one Error vulnerability in Redis Redis-Py redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. | 3.7 |
2023-03-23 | CVE-2023-1513 | Linux Fedoraproject Redhat | Improper Initialization vulnerability in multiple products A flaw was found in KVM. | 3.3 |
2023-03-20 | CVE-2023-28428 | Pdfio Project | Allocation of Resources Without Limits or Throttling vulnerability in Pdfio Project Pdfio PDFio is a C library for reading and writing PDF files. | 3.3 |