Weekly Vulnerabilities Reports > March 27 to April 2, 2023

Overview

348 new vulnerabilities reported during this period, including 60 critical vulnerabilities and 121 high severity vulnerabilities. This weekly summary report vulnerabilities in 375 products from 163 vendors including Fedoraproject, Linux, Hasthemes, Dlink, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Read", "Out-of-bounds Write", and "OS Command Injection".

  • 264 reported vulnerabilities are remotely exploitables.
  • 142 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 200 reported vulnerabilities are exploitable by an anonymous user.
  • Fedoraproject has the most reported vulnerabilities, with 18 reported vulnerabilities.
  • Debian has the most reported critical vulnerabilities, with 7 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

60 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-04-02 CVE-2023-27284 IBM Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Aspera Cargo and Aspera Connect

IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 are vulnerable to a buffer overflow, caused by improper bounds checking.

9.8
2023-04-02 CVE-2023-27286 IBM Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Aspera Cargo and Aspera Connect

IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 are vulnerable to a buffer overflow, caused by improper bounds checking.

9.8
2023-04-02 CVE-2023-1800 GO Fastdfs Project Unrestricted Upload of File with Dangerous Type vulnerability in Go-Fastdfs Project Go-Fastdfs

A vulnerability, which was classified as critical, has been found in sjqzhang go-fastdfs up to 1.4.3.

9.8
2023-04-02 CVE-2023-1797 Otcms Unrestricted Upload of File with Dangerous Type vulnerability in Otcms 6.01

A vulnerability classified as critical was found in OTCMS 6.0.1.

9.8
2023-04-02 CVE-2023-1793 Police Crime Record Management System Project SQL Injection vulnerability in Police Crime Record Management System Project Police Crime Record Management System 1.0

A vulnerability was found in SourceCodester Police Crime Record Management System 1.0.

9.8
2023-04-02 CVE-2023-1791 Simple Task Allocation System Project SQL Injection vulnerability in Simple Task Allocation System Project Simple Task Allocation System 1.0

A vulnerability has been found in SourceCodester Simple Task Allocation System 1.0 and classified as critical.

9.8
2023-04-02 CVE-2023-1792 Simple Mobile Comparison Website Project SQL Injection vulnerability in Simple Mobile Comparison Website Project Simple Mobile Comparison Website 1.0

A vulnerability was found in SourceCodester Simple Mobile Comparison Website 1.0 and classified as critical.

9.8
2023-03-31 CVE-2023-1784 Jeecg Improper Authentication vulnerability in Jeecg Boot 3.5.0

A vulnerability was found in jeecg-boot 3.5.0 and classified as critical.

9.8
2023-03-31 CVE-2023-1785 Earnings AND Expense Tracker APP Project SQL Injection vulnerability in Earnings and Expense Tracker APP Project Earnings and Expense Tracker APP 1.0

A vulnerability was found in SourceCodester Earnings and Expense Tracker App 1.0.

9.8
2023-03-31 CVE-2023-29141 Mediawiki
Fedoraproject
An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3.
9.8
2023-03-31 CVE-2023-28879 Artifex
Debian
Out-of-bounds Write vulnerability in multiple products

In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c.

9.8
2023-03-31 CVE-2023-28862 Lemonldap NG Improper Authentication vulnerability in Lemonldap-Ng Lemonldap::Ng

An issue was discovered in LemonLDAP::NG before 2.16.1.

9.8
2023-03-31 CVE-2023-1770 Grade Point Average GPA Calculator Project SQL Injection vulnerability in Grade Point Average (Gpa) Calculator Project Grade Point Average (Gpa) Calculator 1.0

A vulnerability has been found in SourceCodester Grade Point Average GPA Calculator 1.0 and classified as critical.

9.8
2023-03-31 CVE-2023-1773 Rockoa Code Injection vulnerability in Rockoa 2.3.2

A vulnerability was found in Rockoa 2.3.2.

9.8
2023-03-31 CVE-2023-1753 Phpmyfaq Weak Password Requirements vulnerability in PHPmyfaq

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

9.8
2023-03-30 CVE-2023-1741 Jeecg SQL Injection vulnerability in Jeecg Boot 3.5.0

A vulnerability was found in jeecg-boot 3.5.0.

9.8
2023-03-30 CVE-2023-1738 Young Entrepreneur E Negosyo System Project SQL Injection vulnerability in Young Entrepreneur E-Negosyo System Project Young Entrepreneur E-Negosyo System 1.0

A vulnerability has been found in SourceCodester Young Entrepreneur E-Negosyo System 1.0 and classified as critical.

9.8
2023-03-30 CVE-2023-1739 Simple AND Beautiful Shopping Cart System Project Unrestricted Upload of File with Dangerous Type vulnerability in Simple and Beautiful Shopping Cart System Project Simple and Beautiful Shopping Cart System 1.0

A vulnerability was found in SourceCodester Simple and Beautiful Shopping Cart System 1.0 and classified as critical.

9.8
2023-03-30 CVE-2023-1740 AIR Cargo Management System Project SQL Injection vulnerability in AIR Cargo Management System Project AIR Cargo Management System 1.0

A vulnerability was found in SourceCodester Air Cargo Management System 1.0.

9.8
2023-03-30 CVE-2023-1735 Young Entrepreneur E Negosyo System Project SQL Injection vulnerability in Young Entrepreneur E-Negosyo System Project Young Entrepreneur E-Negosyo System 1.0

A vulnerability classified as critical was found in SourceCodester Young Entrepreneur E-Negosyo System 1.0.

9.8
2023-03-30 CVE-2023-1737 Young Entrepreneur E Negosyo System Project SQL Injection vulnerability in Young Entrepreneur E-Negosyo System Project Young Entrepreneur E-Negosyo System 1.0

A vulnerability, which was classified as critical, was found in SourceCodester Young Entrepreneur E-Negosyo System 1.0.

9.8
2023-03-30 CVE-2023-1734 Young Entrepreneur E Negosyo System Project Unrestricted Upload of File with Dangerous Type vulnerability in Young Entrepreneur E-Negosyo System Project Young Entrepreneur E-Negosyo System 1.0

A vulnerability classified as critical has been found in SourceCodester Young Entrepreneur E-Negosyo System 1.0.

9.8
2023-03-30 CVE-2023-1725 Infoline TR Server-Side Request Forgery (SSRF) vulnerability in Infoline-Tr Project Management System

Server-Side Request Forgery (SSRF) vulnerability in Infoline Project Management System allows Server Side Request Forgery.This issue affects Project Management System: before 4.09.31.125.

9.8
2023-03-30 CVE-2023-25076 Sniproxy Project Classic Buffer Overflow vulnerability in Sniproxy Project Sniproxy 0.6.02/0.6.1

A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba).

9.8
2023-03-30 CVE-2023-28731 Acymailing Unrestricted Upload of File with Dangerous Type vulnerability in Acymailing

AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected.

9.8
2023-03-30 CVE-2023-1699 Rapid7 Forced Browsing vulnerability in Rapid7 Nexpose

Rapid7 Nexpose versions 6.6.186 and below suffer from a forced browsing vulnerability.  This vulnerability allows an attacker to manipulate URLs to forcefully browse to and access administrative pages.

9.8
2023-03-29 CVE-2022-43634 Netatalk Heap-based Buffer Overflow vulnerability in Netatalk 3.1.13

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk.

9.8
2023-03-29 CVE-2022-2825 PTC
Softwaretoolbox
Rockwellautomation
GE
Stack-based Buffer Overflow vulnerability in multiple products

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0.

9.8
2023-03-29 CVE-2022-36983 Ivanti Missing Authentication for Critical Function vulnerability in Ivanti Avalanche

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche.

9.8
2023-03-29 CVE-2023-1684 Hadsky Unrestricted Upload of File with Dangerous Type vulnerability in Hadsky 7.7.16

A vulnerability was found in HadSky 7.7.16.

9.8
2023-03-28 CVE-2023-1674 School Registration AND FEE System Project SQL Injection vulnerability in School Registration and FEE System Project School Registration and FEE System 1.0

A vulnerability was found in SourceCodester School Registration and Fee System 1.0 and classified as critical.

9.8
2023-03-28 CVE-2023-1675 School Registration AND FEE System Project SQL Injection vulnerability in School Registration and FEE System Project School Registration and FEE System 1.0

A vulnerability was found in SourceCodester School Registration and Fee System 1.0.

9.8
2023-03-28 CVE-2023-27394 Propumpservice OS Command Injection vulnerability in Propumpservice Osprey Pump Controller Firmware 1.01

Osprey Pump Controller version 1.01 is vulnerable an unauthenticated OS command injection vulnerability.

9.8
2023-03-28 CVE-2023-27886 Propumpservice OS Command Injection vulnerability in Propumpservice Osprey Pump Controller Firmware 1.01

Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated OS command injection vulnerability.

9.8
2023-03-28 CVE-2023-28398 Propumpservice Improper Authentication vulnerability in Propumpservice Osprey Pump Controller Firmware 1.01

Osprey Pump Controller version 1.01 could allow an unauthenticated user to create an account and bypass authentication, thereby gaining unauthorized access to the system.

9.8
2023-03-28 CVE-2023-28654 Propumpservice Use of Hard-coded Credentials vulnerability in Propumpservice Osprey Pump Controller Firmware 1.01

Osprey Pump Controller version 1.01 has a hidden administrative account that has the hardcoded password that allows full access to the web management interface configuration.

9.8
2023-03-28 CVE-2023-28712 Propumpservice Command Injection vulnerability in Propumpservice Osprey Pump Controller Firmware 1.01

Osprey Pump Controller version 1.01 contains an unauthenticated command injection vulnerability that could allow system access with www-data permissions.

9.8
2023-03-28 CVE-2023-28631 Comrak Project Improper Handling of Exceptional Conditions vulnerability in Comrak Project Comrak

comrak is a CommonMark + GFM compatible Markdown parser and renderer written in rust.

9.8
2023-03-28 CVE-2022-46387 Cmder
Maximus5
ConEmu through 220807 and Cmder before 1.3.21 report the title of the terminal, including control characters, which allows an attacker to change the title and then execute it as commands.
9.8
2023-03-28 CVE-2022-0194 Netatalk
Debian
Out-of-bounds Write vulnerability in multiple products

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk.

9.8
2023-03-28 CVE-2022-23121 Netatalk
Debian
Improper Handling of Exceptional Conditions vulnerability in multiple products

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk.

9.8
2023-03-28 CVE-2022-23122 Netatalk
Debian
Out-of-bounds Write vulnerability in multiple products

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk.

9.8
2023-03-28 CVE-2022-23123 Netatalk
Debian
Out-of-bounds Read vulnerability in multiple products

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk.

9.8
2023-03-28 CVE-2022-23124 Netatalk
Debian
Out-of-bounds Read vulnerability in multiple products

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk.

9.8
2023-03-28 CVE-2022-23125 Netatalk
Debian
Out-of-bounds Write vulnerability in multiple products

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk.

9.8
2023-03-28 CVE-2023-28326 Apache Missing Authentication for Critical Function vulnerability in Apache Openmeetings

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Description: Attacker can elevate their privileges in any room

9.8
2023-03-27 CVE-2023-1666 Automatic Question Paper Generator System Project SQL Injection vulnerability in Automatic Question Paper Generator System Project Automatic Question Paper Generator System 1.0

A vulnerability has been found in SourceCodester Automatic Question Paper Generator System 1.0 and classified as critical.

9.8
2023-03-27 CVE-2023-1399 Keysight Deserialization of Untrusted Data vulnerability in Keysight N6854A Firmware 2.3.0/2.4.0/2.4.2

N6854A Geolocation Server versions 2.4.2 are vulnerable to untrusted data deserialization, which may allow a malicious actor to escalate privileges in the affected device’s default configuration and achieve remote code execution.

9.8
2023-03-27 CVE-2023-1133 Deltaww Deserialization of Untrusted Data vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which the Device-status service listens on port 10100/ UDP by default.

9.8
2023-03-27 CVE-2023-1140 Deltaww Missing Authentication for Critical Function vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability that could allow an attacker to achieve unauthenticated remote code execution in the context of an administrator.

9.8
2023-03-27 CVE-2023-1142 Deltaww Path Traversal vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.

9.8
2023-03-27 CVE-2023-26959 Phpgurukul SQL Injection vulnerability in PHPgurukul Park Ticketing Management System 1.0

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to SQL Injection via the User Name parameter.

9.8
2023-03-27 CVE-2022-4126 ABB Improper Authentication vulnerability in ABB Rccmd

Use of Default Password vulnerability in ABB RCCMD on Windows, Linux, MacOS allows Try Common or Default Usernames and Passwords.This issue affects RCCMD: before 4.40 230207.

9.8
2023-03-27 CVE-2023-24838 Hgiga Information Exposure vulnerability in Hgiga Powerstation Firmware

HGiga PowerStation has a vulnerability of Information Leakage.

9.8
2023-03-27 CVE-2023-25909 HGiga OAKlouds file uploading function does not restrict upload of file with dangerous type.
9.8
2023-03-27 CVE-2023-28883 Cerebrate Project SQL Injection vulnerability in Cerebrate-Project Cerebrate 1.13

In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint.

9.8
2023-03-29 CVE-2022-2560 Enterprisedt Path Traversal vulnerability in Enterprisedt Completeftp Server

This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP 22.1.0 Server.

9.1
2023-03-29 CVE-2022-2848 PTC
Softwaretoolbox
Rockwellautomation
GE
Heap-based Buffer Overflow vulnerability in multiple products

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0.

9.1
2023-03-28 CVE-2022-3686 Hitachienergy Unspecified vulnerability in Hitachienergy Sdm600

A vulnerability exists in a SDM600 endpoint. An attacker could exploit this vulnerability by running multiple parallel requests, the SDM600 web services become busy rendering the application unresponsive. This issue affects: All SDM600 versions prior to version 1.2 FP3 HF4 (Build Nr.

9.1
2023-03-31 CVE-2023-0432 Deltaww Cross-site Scripting vulnerability in Deltaww Dx-2100L1-Cn Firmware

The web configuration service of the affected device contains an authenticated command injection vulnerability.

9.0

121 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-04-02 CVE-2022-42447 Hcltech Cross-Site Request Forgery (CSRF) vulnerability in Hcltech HCL Compass

HCL Compass is vulnerable to Cross-Origin Resource Sharing (CORS).

8.8
2023-04-02 CVE-2023-20558 AMD Unspecified vulnerability in AMD products

Insufficient control flow management in AmdCpmOemSmm may allow a privileged attacker to tamper with the SMM handler potentially leading to an escalation of privileges.

8.8
2023-04-02 CVE-2023-20559 AMD Unspecified vulnerability in AMD products

Insufficient control flow management in AmdCpmGpioInitSmm may allow a privileged attacker to tamper with the SMM handler potentially leading to escalation of privileges.

8.8
2023-03-31 CVE-2023-1747 Ibos SQL Injection vulnerability in Ibos

A vulnerability has been found in IBOS up to 4.5.4 and classified as critical.

8.8
2023-03-30 CVE-2023-1744 Ibos Unrestricted Upload of File with Dangerous Type vulnerability in Ibos

A vulnerability classified as critical was found in IBOS 4.5.5.

8.8
2023-03-30 CVE-2023-1742 Ibos SQL Injection vulnerability in Ibos

A vulnerability was found in IBOS 4.5.5.

8.8
2023-03-30 CVE-2023-1736 Young Entrepreneur E Negosyo System Project SQL Injection vulnerability in Young Entrepreneur E-Negosyo System Project Young Entrepreneur E-Negosyo System 1.0

A vulnerability, which was classified as critical, has been found in SourceCodester Young Entrepreneur E-Negosyo System 1.0.

8.8
2023-03-30 CVE-2023-27533 Haxx
Fedoraproject
Netapp
Injection vulnerability in multiple products

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation.

8.8
2023-03-30 CVE-2023-27534 Haxx
Fedoraproject
Netapp
Broadcom
Path Traversal vulnerability in multiple products

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory.

8.8
2023-03-30 CVE-2023-28935 Apache Command Injection vulnerability in Apache Unstructured Information Management Architecture

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache UIMA DUCC. When using the "Distributed UIMA Cluster Computing" (DUCC) module of Apache UIMA, an authenticated user that has the permissions to modify core entities can cause command execution as the system user that runs the web process. As the "Distributed UIMA Cluster Computing" module for UIMA is retired, we do not plan to release a fix for this issue. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

8.8
2023-03-29 CVE-2022-43620 Dlink Improper Authentication vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-1935 1.03 routers.

8.8
2023-03-29 CVE-2022-43621 Dlink Incorrect Comparison vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-1935 1.03 routers.

8.8
2023-03-29 CVE-2022-43622 Dlink Stack-based Buffer Overflow vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

8.8
2023-03-29 CVE-2022-43630 Dlink Stack-based Buffer Overflow vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

8.8
2023-03-29 CVE-2022-27645 Netgear Missing Authentication for Critical Function vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700v3 routers.

8.8
2023-03-29 CVE-2022-38077 Essentialplugin Cross-Site Request Forgery (CSRF) vulnerability in Essentialplugin Popup Anything

Cross-Site Request Forgery (CSRF) vulnerability in WP OnlineSupport, Essential Plugin Popup Anything – A Marketing Popup and Lead Generation Conversions plugin <= 2.2.1 versions.

8.8
2023-03-29 CVE-2023-23861 Gmace Project Cross-Site Request Forgery (CSRF) vulnerability in Gmace Project Gmace 1.5.2

Cross-Site Request Forgery (CSRF) vulnerability in German Mesky GMAce plugin <= 1.5.2 versions.

8.8
2023-03-29 CVE-2023-1509 Gmace Project Unspecified vulnerability in Gmace Project Gmace 1.5.2

The GMAce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.2.

8.8
2023-03-28 CVE-2022-3682 Hitachienergy Unrestricted Upload of File with Dangerous Type vulnerability in Hitachienergy Sdm600

A vulnerability exists in the SDM600 file permission validation.

8.8
2023-03-27 CVE-2020-36666 E Plugins Unspecified vulnerability in E-Plugins products

The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-membership WordPress plugin before 1.5.7, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls.

8.8
2023-03-27 CVE-2023-0955 Veronalabs Unspecified vulnerability in Veronalabs WP Statistics

The WP Statistics WordPress plugin before 14.0 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks.

8.8
2023-03-27 CVE-2023-1134 Deltaww Path Traversal vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a path traversal vulnerability, which could allow an attacker to read local files, disclose plaintext credentials, and escalate privileges.

8.8
2023-03-27 CVE-2023-1137 Deltaww Insufficiently Protected Credentials vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which a low-level user could extract files and plaintext credentials of administrator users, resulting in privilege escalation.

8.8
2023-03-27 CVE-2023-1139 Deltaww Deserialization of Untrusted Data vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-gateway service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.

8.8
2023-03-27 CVE-2023-1141 Deltaww Command Injection vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a command injection vulnerability that could allow an attacker to inject arbitrary commands, which could result in remote code execution.

8.8
2023-03-27 CVE-2023-1143 Deltaww Unspecified vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.

8.8
2023-03-27 CVE-2023-1144 Deltaww Incorrect Authorization vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.

8.8
2023-03-27 CVE-2023-27296 Apache Deserialization of Untrusted Data vulnerability in Apache Inlong

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0.

8.8
2023-03-27 CVE-2022-30705 Wordpress Ping Optimizer Project Cross-Site Request Forgery (CSRF) vulnerability in Wordpress Ping Optimizer Project Wordpress Ping Optimizer

Cross-Site Request Forgery (CSRF) vulnerability in Pankaj Jha WordPress Ping Optimizer plugin <= 2.35.1.2.3 versions.

8.8
2023-03-27 CVE-2023-24837 HGiga PowerStation remote management function has insufficient filtering for user input.
8.8
2023-03-27 CVE-2023-1647 CAL Improper Access Control vulnerability in CAL Cal.Com

Improper Access Control in GitHub repository calcom/cal.com prior to 2.7.

8.8
2023-03-28 CVE-2023-28427 Matrix Unspecified vulnerability in Matrix Javascript SDK

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript.

8.2
2023-03-29 CVE-2022-48434 Ffmpeg Use After Free vulnerability in Ffmpeg

libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).

8.1
2023-03-28 CVE-2023-25195 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Fineract

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.  This issue affects Apache Fineract: from 1.4 through 1.8.3.

8.1
2023-03-27 CVE-2023-0441 Simplygallery Unspecified vulnerability in Simplygallery Simply Gallery Blocks With Lightbox

The Gallery Blocks with Lightbox WordPress plugin before 3.0.8 has an AJAX endpoint that can be accessed by any authenticated users, such as subscriber.

8.1
2023-03-27 CVE-2023-25017 RIFARTEK IOT Wall has a vulnerability of incorrect authorization.
8.1
2023-03-28 CVE-2023-28718 Propumpservice Cross-Site Request Forgery (CSRF) vulnerability in Propumpservice Osprey Pump Controller Firmware 1.01

Osprey Pump Controller version 1.01 allows users to perform certain actions via HTTP requests without performing any checks to verify the requests.

8.0
2023-04-01 CVE-2023-0189 Nvidia Unspecified vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

7.8
2023-04-01 CVE-2023-0198 Nvidia Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where improper restriction of operations within the bounds of a memory buffer can lead to denial of service, information disclosure, and data tampering.

7.8
2023-03-31 CVE-2023-28464 Linux
Netapp
Double Free vulnerability in multiple products

hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put.

7.8
2023-03-30 CVE-2023-1745 Pandora Uncontrolled Search Path Element vulnerability in Pandora Kmplayer 4.2.2.73

A vulnerability, which was classified as problematic, has been found in KMPlayer 4.2.2.73.

7.8
2023-03-30 CVE-2023-1670 Linux Use After Free vulnerability in Linux Kernel

A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.

7.8
2023-03-30 CVE-2022-4744 Linux Double Free vulnerability in Linux Kernel

A double-free flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier).

7.8
2023-03-30 CVE-2023-1393 X ORG
Fedoraproject
Use After Free vulnerability in multiple products

A flaw was found in X.Org Server Overlay Window.

7.8
2023-03-29 CVE-2022-44370 Nasm Out-of-bounds Write vulnerability in Nasm Netwide Assembler

NASM v2.16 was discovered to contain a heap buffer overflow in the component quote_for_pmake() asm/nasm.c:856

7.8
2023-03-29 CVE-2023-0664 Qemu
Redhat
Fedoraproject
Improper Privilege Management vulnerability in multiple products

A flaw was found in the QEMU Guest Agent service for Windows.

7.8
2023-03-29 CVE-2023-28642 Linuxfoundation Link Following vulnerability in Linuxfoundation Runc

runc is a CLI tool for spawning and running containers according to the OCI specification.

7.8
2023-03-29 CVE-2022-37381 Foxit Use After Free vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader.

7.8
2023-03-28 CVE-2023-1678 Drivergenius Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Drivergenius 9.70.0.346

A vulnerability classified as critical has been found in DriverGenius 9.70.0.346.

7.8
2023-03-28 CVE-2023-1679 Drivergenius Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Drivergenius 9.70.0.346

A vulnerability classified as critical was found in DriverGenius 9.70.0.346.

7.8
2023-03-28 CVE-2023-1516 Robodk Incorrect Permission Assignment for Critical Resource vulnerability in Robodk 5.5.3

RoboDK versions 5.5.3 and prior contain an insecure permission assignment to critical directories vulnerability, which could allow a local user to escalate privileges and write files to the RoboDK process and achieve code execution.

7.8
2023-03-28 CVE-2023-1676 Drivergenius Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Drivergenius 9.70.0.346

A vulnerability was found in DriverGenius 9.70.0.346.

7.8
2023-03-27 CVE-2023-0179 Linux
Canonical
Fedoraproject
Redhat
Integer Overflow or Wraparound vulnerability in multiple products

A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel.

7.8
2023-03-27 CVE-2023-0494 X ORG
Fedoraproject
Redhat
Use After Free vulnerability in multiple products

A vulnerability was found in X.Org.

7.8
2023-03-27 CVE-2023-1078 Linux Type Confusion vulnerability in Linux Kernel

A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol.

7.8
2023-03-27 CVE-2023-25863 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.
7.8
2023-03-27 CVE-2023-25864 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2023-03-27 CVE-2023-25865 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2023-03-27 CVE-2023-25866 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2023-03-27 CVE-2023-25867 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2023-03-27 CVE-2023-25868 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2023-03-27 CVE-2023-25869 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.
7.8
2023-03-27 CVE-2023-25870 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2023-03-27 CVE-2023-25871 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2023-03-27 CVE-2023-25872 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2023-03-27 CVE-2023-25873 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.
7.8
2023-03-27 CVE-2023-25874 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2023-03-27 CVE-2023-25908 Adobe Photoshop versions 23.5.3 (and earlier) and 24.1.1 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
7.8
2023-03-27 CVE-2023-1654 Gpac Resource Exhaustion vulnerability in Gpac

Denial of Service in GitHub repository gpac/gpac prior to 2.4.0.

7.8
2023-03-27 CVE-2023-1135 Deltaww Incorrect Permission Assignment for Critical Resource vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could set incorrect directory permissions, which could result in local privilege escalation.

7.8
2023-03-27 CVE-2023-1145 Deltaww Deserialization of Untrusted Data vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.

7.8
2023-04-02 CVE-2023-1580 Devolutions Resource Exhaustion vulnerability in Devolutions Gateway 2023.1.1

Uncontrolled resource consumption in the logging feature in Devolutions Gateway 2023.1.1 and earlier allows an attacker to cause a denial of service by filling up the disk and render the system unusable.

7.5
2023-04-01 CVE-2023-1790 Simple Task Allocation System Project Unspecified vulnerability in Simple Task Allocation System Project Simple Task Allocation System 1.0

A vulnerability, which was classified as problematic, was found in SourceCodester Simple Task Allocation System 1.0.

7.5
2023-03-31 CVE-2023-26485 Github Resource Exhaustion vulnerability in Github Cmark-Gfm

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C.

7.5
2023-03-31 CVE-2022-4899 Facebook Resource Exhaustion vulnerability in Facebook Zstandard 1.4.10

A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

7.5
2023-03-31 CVE-2023-28877 Vtex Unspecified vulnerability in Vtex Apps-Graphql 2.X

The VTEX [email protected] GraphQL API module does not properly restrict unauthorized access to private configuration data.

7.5
2023-03-31 CVE-2023-0343 Akuvox Use of Insufficiently Random Values vulnerability in Akuvox E11 Firmware

Akuvox E11 contains a function that encrypts messages which are then forwarded.

7.5
2023-03-31 CVE-2023-0344 Akuvox Unspecified vulnerability in Akuvox E11 Firmware

Akuvox E11 appears to be using a custom version of dropbear SSH server.

7.5
2023-03-31 CVE-2023-1769 Grade Point Average GPA Calculator Project Unspecified vulnerability in Grade Point Average (Gpa) Calculator Project Grade Point Average (Gpa) Calculator 1.0

A vulnerability, which was classified as problematic, was found in SourceCodester Grade Point Average GPA Calculator 1.0.

7.5
2023-03-30 CVE-2023-28846 Unpoly Resource Exhaustion vulnerability in Unpoly Unpoly-Rails

Unpoly is a JavaScript framework for server-side web applications.

7.5
2023-03-30 CVE-2023-28644 Nextcloud Unspecified vulnerability in Nextcloud Server 25.0.0/25.0.2

Nextcloud server is an open source home cloud implementation.

7.5
2023-03-30 CVE-2023-24472 Openimageio Uncontrolled Recursion vulnerability in Openimageio 2.4.7.1

A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1.

7.5
2023-03-30 CVE-2023-28732 Acymailing Path Traversal vulnerability in Acymailing

Missing access control in AnyMailing Joomla Plugin allows to list and access files containing sensitive information from the plugin itself and access to system files via path traversal, when being granted access to the campaign's creation on front-office.

7.5
2023-03-30 CVE-2023-1014 Dizayn Unspecified vulnerability in Dizayn Vira-Investing

Improper Protection for Outbound Error Messages and Alert Signals vulnerability in Virames Vira-Investing allows Account Footprinting.This issue affects Vira-Investing: before 1.0.84.86.

7.5
2023-03-29 CVE-2023-0836 Haproxy Incomplete Cleanup vulnerability in Haproxy

An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1.

7.5
2023-03-29 CVE-2023-1656 Forgerock Cleartext Transmission of Sensitive Information vulnerability in Forgerock Ldap Connector

Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc.

7.5
2023-03-29 CVE-2023-1680 Xunruicms Unspecified vulnerability in Xunruicms 4.6.1

A vulnerability, which was classified as problematic, has been found in Xunrui CMS 4.61.

7.5
2023-03-29 CVE-2023-1683 Xunruicms Cleartext Storage of Sensitive Information vulnerability in Xunruicms 4.6.1

A vulnerability was found in Xunrui CMS 4.61 and classified as problematic.

7.5
2023-03-29 CVE-2023-1682 Xunruicms Forced Browsing vulnerability in Xunruicms 4.6.1

A vulnerability has been found in Xunrui CMS 4.61 and classified as problematic.

7.5
2023-03-28 CVE-2023-1681 Xunruicms Unspecified vulnerability in Xunruicms 4.6.1

A vulnerability, which was classified as problematic, was found in Xunrui CMS 4.61.

7.5
2023-03-28 CVE-2023-1518 Cpplusworld Insufficiently Protected Credentials vulnerability in Cpplusworld Kvms PRO 2.01.0.T.190521

CP Plus KVMS Pro versions 2.01.0.T.190521 and prior are vulnerable to sensitive credentials being leaked because they are insufficiently protected.

7.5
2023-03-28 CVE-2023-28375 Propumpservice Files or Directories Accessible to External Parties vulnerability in Propumpservice Osprey Pump Controller Firmware 1.01

Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated file disclosure.

7.5
2023-03-28 CVE-2023-28626 Comrak Project Resource Exhaustion vulnerability in Comrak Project Comrak

comrak is a CommonMark + GFM compatible Markdown parser and renderer written in rust.

7.5
2023-03-28 CVE-2023-28395 Propumpservice Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Propumpservice Osprey Pump Controller Firmware 1.01

Osprey Pump Controller version 1.01 is vulnerable to a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass.

7.5
2023-03-28 CVE-2022-3683 Hitachienergy Unspecified vulnerability in Hitachienergy Sdm600

A vulnerability exists in the SDM600 API web services authorization validation implementation.

7.5
2023-03-28 CVE-2022-3684 Hitachienergy Improper Resource Shutdown or Release vulnerability in Hitachienergy Sdm600

A vulnerability exists in a SDM600 endpoint. An attacker could exploit this vulnerability by running multiple parallel requests, the SDM600 web services become busy rendering the application unresponsive. This issue affects: All SDM600 versions prior to version 1.2 FP3 HF4 (Build Nr.

7.5
2023-03-28 CVE-2023-23330 Amano Files or Directories Accessible to External Parties vulnerability in Amano Xoffice 7.1.3879

amano Xparc parking solutions 7.1.3879 was discovered to be vulnerable to local file inclusion.

7.5
2023-03-27 CVE-2022-3116 Heimdal Project NULL Pointer Dereference vulnerability in Heimdal Project Heimdal

The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance.

7.5
2023-03-27 CVE-2023-0210 Linux Out-of-bounds Write vulnerability in Linux Kernel

A bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems.

7.5
2023-03-27 CVE-2023-20860 Vmware Unspecified vulnerability in VMWare Spring Framework

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

7.5
2023-03-27 CVE-2023-22247 Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read.
7.5
2023-03-27 CVE-2023-1136 Deltaww Incorrect Authorization vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an unauthenticated attacker could generate a valid token, which would lead to authentication bypass.

7.5
2023-03-27 CVE-2023-1138 Deltaww Unspecified vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain an improper access control vulnerability, which could allow an attacker to retrieve Gateway configuration files to obtain plaintext credentials.

7.5
2023-03-27 CVE-2022-47925 Csaf Validator LIB Project Improper Input Validation vulnerability in Csaf-Validator-Lib Project Csaf-Validator-Lib

The validate JSON endpoint of the Secvisogram csaf-validator-service in versions < 0.1.0 processes tests with unexpected names.

7.5
2023-03-29 CVE-2022-45355 Thimpress SQL Injection vulnerability in Thimpress WP Pipes

Auth.

7.2
2023-03-29 CVE-2023-1685 Hadsky Command Injection vulnerability in Hadsky

A vulnerability was found in HadSky up to 7.11.8.

7.2
2023-03-29 CVE-2023-23355 Qnap Command Injection vulnerability in Qnap products

An OS command injection vulnerability has been reported to affect QNAP operating systems.

7.2
2023-03-28 CVE-2022-3685 Hitachienergy Unspecified vulnerability in Hitachienergy Sdm600

A vulnerability exists in the SDM600 software.

7.2
2023-03-27 CVE-2023-25828 Pluck CMS Unrestricted Upload of File with Dangerous Type vulnerability in Pluck-Cms Pluck

Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module.

7.2
2023-03-27 CVE-2023-24835 Softnext Technologies Corp.’s SPAM SQR has a vulnerability of Code Injection within its specific function.
7.2
2023-03-27 CVE-2023-24840 HGiga MailSherlock mail query function has vulnerability of insufficient validation for user input.
7.2
2023-03-27 CVE-2023-24841 HGiga MailSherlock query function for connection log has a vulnerability of insufficient filtering for user input.
7.2
2023-04-01 CVE-2023-0180 Nvidia Unspecified vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in a kernel mode layer handler, which may lead to denial of service or information disclosure.

7.1
2023-04-01 CVE-2023-0181 Nvidia Incorrect Default Permissions vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in a kernel mode layer handler, where memory permissions are not correctly checked, which may lead to denial of service and data tampering.

7.1
2023-04-01 CVE-2023-0183 Nvidia Out-of-bounds Write vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer where an out-of-bounds write can lead to denial of service and data tampering.

7.1
2023-04-01 CVE-2023-0185 Nvidia Incorrect Conversion between Numeric Types vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where sign conversion issuescasting an unsigned primitive to signed may lead to denial of service or information disclosure.

7.1
2023-04-01 CVE-2023-0191 Nvidia Out-of-bounds Write vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds access may lead to denial of service or data tampering.

7.1
2023-04-01 CVE-2023-0208 Nvidia Out-of-bounds Write vulnerability in Nvidia Data Center GPU Manager

NVIDIA DCGM for Linux contains a vulnerability in HostEngine (server component) where a user may cause a heap-based buffer overflow through the bound socket.

7.1
2023-03-29 CVE-2023-1652 Linux
Redhat
Use After Free vulnerability in multiple products

A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel.

7.1
2023-03-27 CVE-2023-1380 Redhat
Linux
Netapp
Debian
Canonical
Out-of-bounds Read vulnerability in multiple products

A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel.

7.1
2023-03-27 CVE-2023-1077 Linux
Debian
Netapp
Type Confusion vulnerability in multiple products

In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption.

7.0

161 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-03-29 CVE-2022-43619 Dlink Use of Externally-Controlled Format String vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

6.8
2023-03-29 CVE-2022-43623 Dlink Command Injection vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

6.8
2023-03-29 CVE-2022-43624 Dlink OS Command Injection vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

6.8
2023-03-29 CVE-2022-43625 Dlink Stack-based Buffer Overflow vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

6.8
2023-03-29 CVE-2022-43626 Dlink OS Command Injection vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

6.8
2023-03-29 CVE-2022-43627 Dlink OS Command Injection vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

6.8
2023-03-29 CVE-2022-43628 Dlink OS Command Injection vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

6.8
2023-03-29 CVE-2022-43629 Dlink OS Command Injection vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

6.8
2023-03-29 CVE-2022-43631 Dlink OS Command Injection vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

6.8
2023-03-29 CVE-2022-43632 Dlink OS Command Injection vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

6.8
2023-03-29 CVE-2022-43633 Dlink OS Command Injection vulnerability in Dlink Dir-1935 Firmware 1.03

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers.

6.8
2023-03-27 CVE-2023-1079 Linux Use After Free vulnerability in Linux Kernel

A flaw was found in the Linux kernel.

6.8
2023-03-30 CVE-2023-0620 Hashicorp SQL Injection vulnerability in Hashicorp Vault

HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend.

6.7
2023-03-27 CVE-2023-1073 Linux
Redhat
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

A memory corruption flaw was found in the Linux kernel’s human interface device (HID) subsystem in how a user inserts a malicious USB device.

6.6
2023-04-02 CVE-2023-1202 Devolutions Incorrect Authorization vulnerability in Devolutions Remote Desktop Manager

Permission bypass when importing or synchronizing entries in User vault in Devolutions Remote Desktop Manager 2023.1.9 and prior versions allows users with restricted rights to bypass entry permission via id collision.

6.5
2023-04-02 CVE-2023-1574 Devolutions Insufficiently Protected Credentials vulnerability in Devolutions Remote Desktop Manager

Information disclosure in the user creation feature of a MSSQL data source in Devolutions Remote Desktop Manager 2023.1.9 and below on Windows allows an attacker with access to the user interface to obtain sensitive information via the error message dialog that displays the password in clear text.

6.5
2023-04-02 CVE-2023-1603 Devolutions Incorrect Authorization vulnerability in Devolutions Server

Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via id collision.

6.5
2023-03-31 CVE-2023-27163 Rbaskets Server-Side Request Forgery (SSRF) vulnerability in Rbaskets Request Baskets

request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}.

6.5
2023-03-31 CVE-2023-1775 Mattermost Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server

When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.

6.5
2023-03-30 CVE-2023-0665 Hashicorp Unspecified vulnerability in Hashicorp Vault

HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount.

6.5
2023-03-27 CVE-2023-27927 Sauter Controls Cleartext Transmission of Sensitive Information vulnerability in Sauter-Controls Ey-As525F001 Firmware

An authenticated malicious user could acquire the simple mail transfer protocol (SMTP) Password in cleartext format, despite it being protected and hidden behind asterisks.

6.5
2023-03-27 CVE-2023-28652 Sauter Controls Unrestricted Upload of File with Dangerous Type vulnerability in Sauter-Controls Ey-As525F001 Firmware

An authenticated malicious user could successfully upload a malicious image could lead to a denial-of-service condition.

6.5
2023-03-27 CVE-2023-0335 Wpvar Missing Authorization vulnerability in Wpvar WP Shamsi

The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment.

6.5
2023-03-27 CVE-2023-0336 Ooohboi Steroids FOR Elementor Project Missing Authorization vulnerability in Ooohboi Steroids for Elementor Project Ooohboi Steroids for Elementor

The OoohBoi Steroids for Elementor WordPress plugin before 2.1.5 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment.

6.5
2023-03-27 CVE-2023-0500 Hasthemes Unspecified vulnerability in Hasthemes WP Film Studio

The WP Film Studio WordPress plugin before 1.3.5 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

6.5
2023-03-27 CVE-2023-0501 Hasthemes Unspecified vulnerability in Hasthemes WP Insurance

The WP Insurance WordPress plugin before 2.1.4 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

6.5
2023-03-27 CVE-2023-0502 Hasthemes Unspecified vulnerability in Hasthemes WP News

The WP News WordPress plugin through 1.1.9 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

6.5
2023-03-27 CVE-2023-0816 Strategy11 Authentication Bypass by Spoofing vulnerability in Strategy11 Formidable Form Builder

The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections.

6.5
2023-03-27 CVE-2023-1092 Miniorange Unspecified vulnerability in Miniorange Oauth Single Sign on

The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack

6.5
2023-03-27 CVE-2023-1093 Miniorange Unspecified vulnerability in Miniorange Oauth Single Sign on

The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack

6.5
2023-03-27 CVE-2022-47924 Csaf Validator LIB Project Unspecified vulnerability in Csaf-Validator-Lib Project Csaf-Validator-Lib

An high privileged attacker may pass crafted arguments to the validate function of csaf-validator-lib of a locally installed Secvisogram in versions < 0.1.0 wich can result in arbitrary code execution and DoS once the users triggers the validation.

6.5
2023-03-27 CVE-2023-24834 WisdomGarden Tronclass has improper access control when uploading file.
6.5
2023-03-29 CVE-2023-25809 Linuxfoundation Improper Preservation of Permissions vulnerability in Linuxfoundation Runc

runc is a CLI tool for spawning and running containers according to the OCI specification.

6.3
2023-03-28 CVE-2023-25197 Apache SQL Injection vulnerability in Apache Fineract

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components.

6.3
2023-04-02 CVE-2023-1795 Gadget Works Online Ordering System Project Cross-site Scripting vulnerability in Gadget Works Online Ordering System Project Gadget Works Online Ordering System 1.0

A vulnerability was found in SourceCodester Gadget Works Online Ordering System 1.0.

6.1
2023-04-02 CVE-2023-1794 Police Crime Record Management System Project Cross-site Scripting vulnerability in Police Crime Record Management System Project Police Crime Record Management System 1.0

A vulnerability was found in SourceCodester Police Crime Record Management System 1.0.

6.1
2023-03-31 CVE-2023-1771 Grade Point Average GPA Calculator Project Cross-site Scripting vulnerability in Grade Point Average (Gpa) Calculator Project Grade Point Average (Gpa) Calculator 1.0

A vulnerability was found in SourceCodester Grade Point Average GPA Calculator 1.0 and classified as problematic.

6.1
2023-03-31 CVE-2023-1060 Ykmbilisim Cross-site Scripting vulnerability in Ykmbilisim YKM CRM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YKM YKM CRM allows Reflected XSS.This issue affects YKM CRM: before 23.03.30.

6.1
2023-03-30 CVE-2023-1743 Grade Point Average GPA Calculator Project Cross-site Scripting vulnerability in Grade Point Average (Gpa) Calculator Project Grade Point Average (Gpa) Calculator 1.0

A vulnerability classified as problematic has been found in SourceCodester Grade Point Average GPA Calculator 1.0.

6.1
2023-03-30 CVE-2023-28733 Acymailing Cross-site Scripting vulnerability in Acymailing

AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office.

6.1
2023-03-30 CVE-2023-23677 Gtmetrix Cross-site Scripting vulnerability in Gtmetrix

Reflected Cross-Site Scripting (XSS) vulnerability in GTmetrix GTmetrix for WordPress plugin <= 0.4.5 versions.

6.1
2023-03-30 CVE-2023-1013 Dizayn Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Dizayn Vira-Investing

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Virames Vira-Investing allows Cross-Site Scripting (XSS).This issue affects Vira-Investing: before 1.0.84.86.

6.1
2023-03-29 CVE-2023-22705 Collne Cross-site Scripting vulnerability in Collne Welcart E-Commerce

Unauth.

6.1
2023-03-29 CVE-2022-47603 Wpdevart Cross-site Scripting vulnerability in Wpdevart Image and Video Gallery With Thumbnails

Unauth.

6.1
2023-03-29 CVE-2023-26290 Forcepoint Cross-site Scripting vulnerability in Forcepoint Cloud Security Gateway and web Security

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud (login_reset_request.mhtml modules), Forcepoint Web Security Portal on Hybrid (login_reset_request.mhtml modules) allows Reflected XSS.This issue affects Cloud Security Gateway (CSG): before 03/29/2023; Web Security: before 03/29/2023.

6.1
2023-03-29 CVE-2023-26291 Forcepoint Cross-site Scripting vulnerability in Forcepoint Cloud Security Gateway and web Security

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud (login_form.mhtml modules), Forcepoint Web Security Portal on Hybrid (login_form.mhtml modules) allows Reflected XSS.This issue affects Cloud Security Gateway (CSG): before 03/29/2023; Web Security: before 03/29/2023.

6.1
2023-03-29 CVE-2023-26292 Forcepoint Cross-site Scripting vulnerability in Forcepoint Cloud Security Gateway and web Security

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud (login_submit.mhtml modules), Forcepoint Web Security Portal on Hybrid (login_submit.mhtml modules) allows Reflected XSS.This issue affects Cloud Security Gateway (CSG): before 03/29/2023; Web Security: before 03/29/2023.

6.1
2023-03-29 CVE-2022-47433 Multi Rating Project Cross-site Scripting vulnerability in Multi Rating Project Multi Rating

Unauth.

6.1
2023-03-29 CVE-2022-47444 Properfraction Cross-site Scripting vulnerability in Properfraction Profilepress

Unauth.

6.1
2023-03-29 CVE-2023-1690 Earnings AND Expense Tracker APP Project Cross-site Scripting vulnerability in Earnings and Expense Tracker APP Project Earnings and Expense Tracker APP 1.0

A vulnerability, which was classified as problematic, has been found in SourceCodester Earnings and Expense Tracker App 1.0.

6.1
2023-03-29 CVE-2023-1689 Earnings AND Expense Tracker APP Project Cross-site Scripting vulnerability in Earnings and Expense Tracker APP Project Earnings and Expense Tracker APP 1.0

A vulnerability classified as problematic was found in SourceCodester Earnings and Expense Tracker App 1.0.

6.1
2023-03-29 CVE-2023-1688 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 Earnings and Expense Tracker Application 1.0

A vulnerability classified as problematic has been found in SourceCodester Earnings and Expense Tracker App 1.0.

6.1
2023-03-29 CVE-2023-1687 Task Allocation System Project Cross-site Scripting vulnerability in Task Allocation System Project Task Allocation System 1.0

A vulnerability classified as problematic has been found in SourceCodester Simple Task Allocation System 1.0.

6.1
2023-03-29 CVE-2023-1686 Young Entrepreneur E Negosyo System Project Cross-site Scripting vulnerability in Young Entrepreneur E-Negosyo System Project Young Entrepreneur E-Negosyo System 1.0

A vulnerability was found in SourceCodester Young Entrepreneur E-Negosyo System 1.0.

6.1
2023-03-28 CVE-2023-28447 Smarty
Fedoraproject
Cross-site Scripting vulnerability in multiple products

Smarty is a template engine for PHP.

6.1
2023-03-28 CVE-2023-28648 Propumpservice Cross-site Scripting vulnerability in Propumpservice Osprey Pump Controller Firmware 1.01

Osprey Pump Controller version 1.01 inputs passed to a GET parameter are not properly sanitized before being returned to the user.

6.1
2023-03-28 CVE-2022-45825 Liquidweb Cross-site Scripting vulnerability in Liquidweb Wpcomplete

Unauth.

6.1
2023-03-28 CVE-2022-45831 Oxilab Cross-site Scripting vulnerability in Oxilab Image Hover Effects for Elementor With Lightbox and Flipbox

Unauth.

6.1
2023-03-27 CVE-2023-22300 Sauter Controls Cross-site Scripting vulnerability in Sauter-Controls Ey-As525F001 Firmware

An unauthenticated remote attacker could force all authenticated users, such as administrative users, to perform unauthorized actions by viewing the logs.

6.1
2023-03-27 CVE-2023-28650 Sauter Controls Cross-site Scripting vulnerability in Sauter-Controls Ey-As525F001 Firmware

An unauthenticated remote attacker could provide a malicious link and trick an unsuspecting user into clicking on it.

6.1
2023-03-27 CVE-2022-47146 Contempothemes Cross-site Scripting vulnerability in Contempothemes Real Estate 7

Unauth.

6.1
2023-03-27 CVE-2022-46843 Levantoan Cross-site Scripting vulnerability in Levantoan Woocommerce Vietnam Checkout

Unauth.

6.1
2023-03-27 CVE-2023-24839 HGiga MailSherlock’s specific function has insufficient filtering for user input.
6.1
2023-03-27 CVE-2023-28884 Misp Project Cross-site Scripting vulnerability in Misp-Project Malware Information Sharing Platform 2.4.169

In MISP 2.4.169, app/Lib/Tools/CustomPaginationTool.php allows XSS in the community index.

6.1
2023-03-30 CVE-2023-27535 Haxx
Fedoraproject
Debian
Netapp
Improper Authentication vulnerability in multiple products

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers.

5.9
2023-03-30 CVE-2023-27536 Haxx
Fedoraproject
Debian
Netapp
Improper Authentication vulnerability in multiple products

An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option.

5.9
2023-03-30 CVE-2023-27537 Haxx
Netapp
Broadcom
Double Free vulnerability in multiple products

A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles".

5.9
2023-03-27 CVE-2023-28638 Snappier Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Snappier Project Snappier 1.1.0

Snappier is a high performance C# implementation of the Snappy compression algorithm.

5.9
2023-04-01 CVE-2023-0187 Nvidia Out-of-bounds Read vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read can lead to denial of service.

5.5
2023-04-01 CVE-2023-0188 Nvidia Out-of-bounds Read vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged user can cause improper restriction of operations within the bounds of a memory buffer cause an out-of-bounds read, which may lead to denial of service.

5.5
2023-03-30 CVE-2023-27538 Haxx
Fedoraproject
Debian
Netapp
Broadcom
Improper Authentication vulnerability in multiple products

An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse.

5.5
2023-03-29 CVE-2023-1550 F5 Information Exposure Through Log Files vulnerability in F5 Nginx Agent and Nginx Instance Manager

Insertion of Sensitive Information into log file vulnerability in NGINX Agent.

5.5
2023-03-28 CVE-2023-1677 Drivergenius Unspecified vulnerability in Drivergenius 9.70.0.346

A vulnerability was found in DriverGenius 9.70.0.346.

5.5
2023-03-27 CVE-2023-1637 Linux Improper Cross-boundary Removal of Sensitive Data vulnerability in Linux Kernel 5.18

A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM.

5.5
2023-03-27 CVE-2023-26924 Llvm Classic Buffer Overflow vulnerability in Llvm 20230122

LLVM a0dab4950 has a segmentation fault in mlir::outlineSingleBlockRegion.

5.5
2023-03-27 CVE-2023-1074 Linux Memory Leak vulnerability in Linux Kernel

A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol.

5.5
2023-03-27 CVE-2023-1076 Linux Type Confusion vulnerability in Linux Kernel

A flaw was found in the Linux Kernel.

5.5
2023-03-27 CVE-2023-25875 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.
5.5
2023-03-27 CVE-2023-25876 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.
5.5
2023-03-27 CVE-2023-25877 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.
5.5
2023-03-27 CVE-2023-25878 Adobe Substance 3D Stager versions 2.0.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.
5.5
2023-04-02 CVE-2022-42452 Hcltechsw Cross-site Scripting vulnerability in Hcltechsw HCL Launch

HCL Launch is vulnerable to HTML injection.

5.4
2023-04-02 CVE-2023-26283 IBM Cross-site Scripting vulnerability in IBM Websphere Application Server 9.0

IBM WebSphere Application Server 9.0 is vulnerable to cross-site scripting.

5.4
2023-04-02 CVE-2023-1798 Eyoucms Cross-site Scripting vulnerability in Eyoucms

A vulnerability, which was classified as problematic, has been found in EyouCMS up to 1.5.4.

5.4
2023-04-02 CVE-2023-1799 Eyoucms Cross-site Scripting vulnerability in Eyoucms

A vulnerability, which was classified as problematic, was found in EyouCMS up to 1.5.4.

5.4
2023-04-02 CVE-2023-1796 Employee Payslip Generator System Project Cross-site Scripting vulnerability in Employee Payslip Generator System Project Employee Payslip Generator System 1.0

A vulnerability classified as problematic has been found in SourceCodester Employee Payslip Generator 1.0.

5.4
2023-03-31 CVE-2023-1774 Mattermost Missing Authorization vulnerability in Mattermost Server

When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.

5.4
2023-03-31 CVE-2023-1776 Mattermost Cross-site Scripting vulnerability in Mattermost Server

Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.

5.4
2023-03-31 CVE-2023-1761 Phpmyfaq Cross-site Scripting vulnerability in PHPmyfaq

Cross-site Scripting in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

5.4
2023-03-30 CVE-2023-1746 Dreamer CMS Project Cross-site Scripting vulnerability in Dreamer CMS Project Dreamer CMS

A vulnerability, which was classified as problematic, was found in Dreamer CMS up to 3.5.0.

5.4
2023-03-30 CVE-2022-43473 Zohocorp XXE vulnerability in Zohocorp Manageengine Opmanager

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168.

5.4
2023-03-30 CVE-2023-23681 Webdevocean Cross-site Scripting vulnerability in Webdevocean Image Hover Effects for Wpbakery Page Builder

Auth.

5.4
2023-03-30 CVE-2023-24399 Oceanwp Cross-site Scripting vulnerability in Oceanwp Ocean Extra

Auth.

5.4
2023-03-30 CVE-2023-25040 Getshortcodes Cross-site Scripting vulnerability in Getshortcodes Shortcodes Ultimate

Auth.

5.4
2023-03-30 CVE-2023-23670 Heateor Cross-site Scripting vulnerability in Heateor Fancy Comments

Auth.

5.4
2023-03-29 CVE-2022-1274 Redhat Cross-site Scripting vulnerability in Redhat Keycloak and Single Sign-On

A flaw was found in Keycloak in the execute-actions-email endpoint.

5.4
2023-03-29 CVE-2022-47602 Joomunited Cross-site Scripting vulnerability in Joomunited WP Table Manager

Auth.

5.4
2023-03-29 CVE-2022-47438 Wpdevart Cross-site Scripting vulnerability in Wpdevart Booking Calendar

Auth.

5.4
2023-03-28 CVE-2022-46848 Themeisle Cross-site Scripting vulnerability in Themeisle Visualizer

Auth.

5.4
2023-03-28 CVE-2022-46855 Wpdarko Cross-site Scripting vulnerability in Wpdarko Responsive Pricing Table

Auth.

5.4
2023-03-27 CVE-2023-28655 Sauter Controls Cross-site Scripting vulnerability in Sauter-Controls Ey-As525F001 Firmware

A malicious user could leverage this vulnerability to escalate privileges or perform unauthorized actions in the context of the targeted privileged users.

5.4
2023-03-27 CVE-2022-48429 Jetbrains Cross-site Scripting vulnerability in Jetbrains HUB

In JetBrains Hub before 2022.3.15573, 2022.2.15572, 2022.1.15583 reflected XSS in dashboards was possible

5.4
2023-03-27 CVE-2023-0272 Basixonline Unspecified vulnerability in Basixonline Nex-Forms

The NEX-Forms WordPress plugin before 8.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-03-27 CVE-2023-0395 Menu Shortcode Project Unspecified vulnerability in Menu Shortcode Project Menu Shortcode 1.0

The menu shortcode WordPress plugin through 1.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-03-27 CVE-2023-0491 Schedulicity Unspecified vulnerability in Schedulicity

The Schedulicity WordPress plugin through 2.21 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-03-27 CVE-2023-0589 WP Image Carousel Project Unspecified vulnerability in WP Image Carousel Project WP Image Carousel

The WP Image Carousel WordPress plugin through 1.0.2 does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

5.4
2023-03-27 CVE-2023-0660 Nextendweb Unspecified vulnerability in Nextendweb Smart Slider 3

The Smart Slider 3 WordPress plugin before 3.5.1.14 does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-03-27 CVE-2023-0823 HU Manity Unspecified vulnerability in Hu-Manity Cookie Notice & Compliance for Gdpr / Ccpa

The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.4.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-03-27 CVE-2023-1069 Really Simple Plugins Unspecified vulnerability in Really-Simple-Plugins Complianz

The Complianz WordPress plugin before 6.4.2, Complianz Premium WordPress plugin before 6.4.2 do not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-03-27 CVE-2023-22707 Greenshiftwp Cross-site Scripting vulnerability in Greenshiftwp Greenshift - Animation and Page Builder Blocks

Auth.

5.4
2023-03-27 CVE-2023-22902 Openfind Mail2000 file uploading function has insufficient filtering for user input.
5.4
2023-03-27 CVE-2023-25018 RIFARTEK IOT Wall transportation function has insufficient filtering for user input.
5.4
2023-03-31 CVE-2022-3192 ABB Improper Check for Unusual or Exceptional Conditions vulnerability in ABB Ac500 CPU Firmware

Improper Input Validation vulnerability in ABB AC500 V2 PM5xx allows Client-Server Protocol Manipulation.This issue affects AC500 V2: from 2.0.0 before 2.8.6.

5.3
2023-03-31 CVE-2023-1777 Mattermost Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server

Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.

5.3
2023-03-31 CVE-2023-1258 ABB Information Exposure vulnerability in ABB products

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ABB Flow-X firmware on Flow-X embedded hardware (web service modules) allows Footprinting.This issue affects Flow-X: before 4.0.

5.3
2023-03-31 CVE-2023-28755 Ruby Lang
Debian
Fedoraproject
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1.
5.3
2023-03-31 CVE-2023-28756 Ruby Lang
Debian
Fedoraproject
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1.
5.3
2023-03-30 CVE-2023-26116 Angularjs
Fedoraproject
Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression.
5.3
2023-03-30 CVE-2023-26117 Angularjs
Fedoraproject
Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression.
5.3
2023-03-30 CVE-2023-26118 Angularjs
Fedoraproject
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality.
5.3
2023-03-29 CVE-2023-1663 Synopsys Forced Browsing vulnerability in Synopsys Coverity

Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthorized actors.

5.3
2023-03-28 CVE-2022-36060 Matrix Unspecified vulnerability in Matrix React SDK

matrix-react-sdk is a Matrix chat protocol SDK for React Javascript.

5.3
2023-03-28 CVE-2023-0465 Openssl Improper Certificate Validation vulnerability in Openssl

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

5.3
2023-03-28 CVE-2023-0466 Openssl Improper Certificate Validation vulnerability in Openssl

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification.

5.3
2023-03-27 CVE-2023-22250 Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass.
5.3
2023-03-27 CVE-2023-24842 HGiga MailSherlock has vulnerability of insufficient access control.
5.3
2023-03-27 CVE-2023-28866 Linux Out-of-bounds Read vulnerability in Linux Kernel

In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not.

5.3
2023-03-31 CVE-2023-1772 Datagear Cross-site Scripting vulnerability in Datagear

A vulnerability was found in DataGear up to 4.5.1.

4.8
2023-03-30 CVE-2023-23675 Catchsquare Cross-site Scripting vulnerability in Catchsquare WP Smart Preloader

Auth.

4.8
2023-03-29 CVE-2022-47607 Usersnap Cross-site Scripting vulnerability in Usersnap

Auth.

4.8
2023-03-29 CVE-2022-47610 Mrdigital Cross-site Scripting vulnerability in Mrdigital Simple Image Popup

Auth.

4.8
2023-03-29 CVE-2022-47613 Quantumcloud Cross-site Scripting vulnerability in Quantumcloud AI Chatbot

Auth.

4.8
2023-03-29 CVE-2022-47596 Jeffrey WP Cross-site Scripting vulnerability in Jeffrey-Wp Media Library Categories

Auth.

4.8
2023-03-29 CVE-2023-1575 Megamain Unspecified vulnerability in Megamain Mega Main Menu

The Mega Main Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via some of its settings parameters in versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping.

4.8
2023-03-28 CVE-2022-46863 Fullworksplugins Cross-site Scripting vulnerability in Fullworksplugins Quick Event Manager

Auth.

4.8
2023-03-28 CVE-2022-47170 Unlimited Elements Cross-site Scripting vulnerability in Unlimited-Elements Unlimited Elements for Elementor (Free Widgets, Addons, Templates)

Auth.

4.8
2023-03-28 CVE-2023-25704 Wpmart Cross-site Scripting vulnerability in Wpmart Interactive SVG Image MAP Builder 1.0

Auth.

4.8
2023-03-27 CVE-2023-22249 Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields.
4.8
2023-03-27 CVE-2023-1025 Simplefilelist Cross-site Scripting vulnerability in Simplefilelist Simple File List

The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-03-27 CVE-2023-1400 Webnus Unspecified vulnerability in Webnus Modern Events Calendar Lite

The Modern Events Calendar Lite WordPress plugin before 6.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-03-27 CVE-2023-26958 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Park Ticketing Management System 1.0

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Admin Name parameter.

4.8
2023-03-31 CVE-2023-1754 Phpmyfaq Cross-site Scripting vulnerability in PHPmyfaq

Improper Neutralization of Input During Web Page Generation in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

4.7
2023-03-30 CVE-2023-25000 Hashicorp Information Exposure Through Discrepancy vulnerability in Hashicorp Vault

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks.

4.7
2023-04-01 CVE-2023-0194 Nvidia Unspecified vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer driver, where an invalid display configuration may lead to denial of service.

4.6
2023-03-29 CVE-2022-42432 Linux Use of Uninitialized Variable vulnerability in Linux Kernel 6.0

This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel 6.0-rc2.

4.4
2023-03-28 CVE-2023-25196 Apache SQL Injection vulnerability in Apache Fineract

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components.

4.3
2023-03-27 CVE-2023-22251 Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability.
4.3
2023-03-27 CVE-2023-0467 Wppool Path Traversal vulnerability in Wppool WP Dark Mode

The WP Dark Mode WordPress plugin before 4.0.8 does not properly sanitize the style parameter in shortcodes before using it to load a PHP template.

4.3
2023-03-27 CVE-2023-0484 Hasthemes Unspecified vulnerability in Hasthemes Contact Form 7 Widget for Elementor Page Builder & Gutenberg Blocks

The Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks WordPress plugin before 1.1.6 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-0495 Hasthemes Unspecified vulnerability in Hasthemes HT Slider for Elementor

The HT Slider For Elementor WordPress plugin before 1.4.0 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-0496 Hasthemes Unspecified vulnerability in Hasthemes HT Event

The HT Event WordPress plugin before 1.4.6 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-0497 Hasthemes Unspecified vulnerability in Hasthemes HT Portfolio

The HT Portfolio WordPress plugin before 1.1.6 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-0498 Hasthemes Cross-Site Request Forgery (CSRF) vulnerability in Hasthemes WP Education

The WP Education WordPress plugin before 1.2.7 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-0499 Hasthemes Unspecified vulnerability in Hasthemes Quickswish

The QuickSwish WordPress plugin before 1.1.0 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-0503 Hasthemes Unspecified vulnerability in Hasthemes Free Woocommerce Theme 99Fy Extension

The Free WooCommerce Theme 99fy Extension WordPress plugin before 1.2.8 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-0504 Hasthemes Unspecified vulnerability in Hasthemes HT Politic

The HT Politic WordPress plugin before 2.3.8 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-0505 Hasthemes Unspecified vulnerability in Hasthemes Ever Compare

The Ever Compare WordPress plugin through 1.2.3 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-1086 Hasthemes Unspecified vulnerability in Hasthemes Preview Link Generator 1.0.0/1.0.2/1.0.3

The Preview Link Generator WordPress plugin before 1.0.4 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-1087 Hasthemes Unspecified vulnerability in Hasthemes WC Sales Notification

The WC Sales Notification WordPress plugin before 1.2.3 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-1088 Hasthemes Unspecified vulnerability in Hasthemes WP Plugin Manager

The WP Plugin Manager WordPress plugin before 1.1.8 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3
2023-03-27 CVE-2023-1089 Hasthemes Cross-Site Request Forgery (CSRF) vulnerability in Hasthemes Coupon ZEN

The Coupon Zen WordPress plugin before 1.0.6 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

4.3

6 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-03-27 CVE-2023-28640 Apiman Missing Authorization vulnerability in Apiman 3.0.0

Apiman is a flexible and open source API Management platform.

3.1
2023-03-29 CVE-2022-27597 Qnap Unspecified vulnerability in Qnap products

A vulnerability has been reported to affect QNAP operating systems.

2.7
2023-03-29 CVE-2022-27598 Qnap Unspecified vulnerability in Qnap products

A vulnerability has been reported to affect QNAP operating systems.

2.7
2023-04-01 CVE-2023-0195 Nvidia Improper Validation of Specified Quantity in Input vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer driver nvlddmkm.sys, where an can cause CWE-1284, which may lead to hypothetical Information leak of unimportant data such as local variable data of the driver

2.4
2023-03-27 CVE-2022-39043 Juiker Insecure Storage of Sensitive Information vulnerability in Juiker 4.6.0607.1

Juiker app stores debug logs which contains sensitive information to mobile external storage.

2.4
2023-03-27 CVE-2021-3923 Redhat
Fedoraproject
A flaw was found in the Linux kernel's implementation of RDMA over infiniband.
2.3