Weekly Vulnerabilities Reports > April 3 to 9, 2023
Overview
325 new vulnerabilities were reported during this period, including 43 critical vulnerabilities and 73 high severity vulnerabilities. This weekly summary reports vulnerabilities in 344 products from 143 vendors including Cisco, Debian, Fedoraproject, Google, and Oretnom23. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Cross-Site Request Forgery (CSRF)", and "OS Command Injection".
- 298 reported vulnerabilities are remotely exploitable.
- 174 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 174 reported vulnerabilities are exploitable by an anonymous user.
- Cisco has the most reported vulnerabilities, with 38 reported vulnerabilities.
- Oretnom23 has the most reported critical vulnerabilities, with 6 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
43 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-04-04 | CVE-2023-1748 | Getnexx | Use of Hard-coded Credentials vulnerability in Getnexx products The listed versions of Nexx Smart Home devices use hard-coded credentials. | 10.0 |
2023-04-09 | CVE-2012-10011 | Contus | SQL Injection vulnerability in Contus HD FLV Player A vulnerability was found in HD FLV Player Plugin up to 1.7 on WordPress. | 9.8 |
2023-04-09 | CVE-2023-1962 | Best Online News Portal Project | SQL Injection vulnerability in Best Online News Portal Project Best Online News Portal 1.0 A vulnerability classified as critical was found in SourceCodester Best Online News Portal 1.0. | 9.8 |
2023-04-09 | CVE-2023-1963 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Bank Locker Management System 1.0 A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. | 9.8 |
2023-04-08 | CVE-2023-1958 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability, which was classified as critical, was found in SourceCodester Online Computer and Laptop Store 1.0. | 9.8 |
2023-04-08 | CVE-2023-1955 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability classified as critical has been found in SourceCodester Online Computer and Laptop Store 1.0. | 9.8 |
2023-04-08 | CVE-2013-10023 | Editorial Calendar Project | SQL Injection vulnerability in Editorial Calendar Project Editorial Calendar A vulnerability was found in Editorial Calendar Plugin up to 2.6 on WordPress. | 9.8 |
2023-04-08 | CVE-2023-1952 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0. | 9.8 |
2023-04-08 | CVE-2023-1949 | Phpgurukul | SQL Injection vulnerability in PHPgurukul BP Monitoring Management System 1.0 A vulnerability, which was classified as critical, was found in PHPGurukul BP Monitoring Management System 1.0. | 9.8 |
2023-04-08 | CVE-2023-1950 | Phpgurukul | SQL Injection vulnerability in PHPgurukul BP Monitoring Management System 1.0 A vulnerability has been found in PHPGurukul BP Monitoring Management System 1.0 and classified as critical. | 9.8 |
2023-04-08 | CVE-2023-1951 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0 and classified as critical. | 9.8 |
2023-04-07 | CVE-2023-1947 | Taogogo | Code Injection vulnerability in Taogogo Taocms 3.0.2 A vulnerability was found in taoCMS 3.0.2. | 9.8 |
2023-04-07 | CVE-2023-1941 | Simple AND Beautiful Shopping Cart System Project | SQL Injection vulnerability in Simple and Beautiful Shopping Cart System Project Simple and Beautiful Shopping Cart System 1.0 A vulnerability, which was classified as critical, has been found in SourceCodester Simple and Beautiful Shopping Cart System 1.0. | 9.8 |
2023-04-07 | CVE-2023-1942 | Oretnom23 | Unrestricted Upload of File with Dangerous Type vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability has been found in SourceCodester Online Computer and Laptop Store 1.0 and classified as critical. | 9.8 |
2023-04-06 | CVE-2023-28500 | Adobe | Deserialization of Untrusted Data vulnerability in Adobe Livecycle ES4 A Java insecure deserialization vulnerability in Adobe LiveCycle ES4 version 11.0 and earlier allows unauthenticated remote attackers to gain operating system code execution by submitting specially crafted Java serialized objects to a specific URL. | 9.8 |
2023-04-06 | CVE-2023-0580 | ABB | Insecure Storage of Sensitive Information vulnerability in ABB MY Control System 5.0/5.13 Insecure Storage of Sensitive Information vulnerability in ABB My Control System (on-premise) allows an attacker who successfully exploited this vulnerability to gain access to the secure application data or take control of the application. Of the services that make up the My Control System (on-premise) application, the following ones are affected by this vulnerability: User Interface, System Monitoring, Asset Inventory. This issue affects My Control System (on-premise): from 5.0.0 through 5.13. | 9.8 |
2023-04-06 | CVE-2023-24538 | Golang | Code Injection vulnerability in Golang GO Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. | 9.8 |
2023-04-06 | CVE-2023-0750 | Lynx Technik | Missing Encryption of Sensitive Data vulnerability in Lynx-Technik Yellobrik PEC 1864 Firmware Yellobrik PEC-1864 implements authentication checks via javascript in the frontend interface. When the device can be accessed over the network an attacker could bypass authentication. This would allow an attacker to: change the password, resulting in a DOS of the users; change the streaming source, compromising the integrity of the stream; change the streaming destination, compromising the confidentiality of the stream. This issue affects Yellowbrik: PEC 1864. | 9.8 |
2023-04-06 | CVE-2023-1908 | Simple Mobile Comparison Website Project | SQL Injection vulnerability in Simple Mobile Comparison Website Project Simple Mobile Comparison Website 1.0 A vulnerability was found in SourceCodester Simple Mobile Comparison Website 1.0. | 9.8 |
2023-04-05 | CVE-2022-4939 | Wclovers | Unspecified vulnerability in Wclovers Wcfm Membership The WCFM Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 2.10.0, due to a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action that controls membership settings. | 9.8 |
2023-04-05 | CVE-2023-1886 | Phpmyfaq | Authentication Bypass by Capture-replay vulnerability in PHPmyfaq Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. | 9.8 |
2023-04-05 | CVE-2023-20073 | Cisco | Unrestricted Upload of File with Dangerous Type vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. | 9.8 |
2023-04-05 | CVE-2023-25330 | Mybatis | SQL Injection vulnerability in Mybatis A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID value. | 9.8 |
2023-04-05 | CVE-2023-1849 | Online Payroll System Project | SQL Injection vulnerability in Online Payroll System Project Online Payroll System 1.0 A vulnerability was found in SourceCodester Online Payroll System 1.0. | 9.8 |
2023-04-05 | CVE-2023-1850 | Online Payroll System Project | SQL Injection vulnerability in Online Payroll System Project Online Payroll System 1.0 A vulnerability was found in SourceCodester Online Payroll System 1.0. | 9.8 |
2023-04-05 | CVE-2023-1854 | Online Graduate Tracer System Project | Insufficient Session Expiration vulnerability in Online Graduate Tracer System Project Online Graduate Tracer System 1.0 A vulnerability, which was classified as problematic, was found in SourceCodester Online Graduate Tracer System 1.0. | 9.8 |
2023-04-05 | CVE-2023-1856 | AIR Cargo Management System Project | SQL Injection vulnerability in AIR Cargo Management System Project AIR Cargo Management System 1.0 A vulnerability has been found in SourceCodester Air Cargo Management System 1.0 and classified as critical. | 9.8 |
2023-04-05 | CVE-2023-1845 | Online Payroll System Project | SQL Injection vulnerability in Online Payroll System Project Online Payroll System 1.0 A vulnerability, which was classified as critical, was found in SourceCodester Online Payroll System 1.0. | 9.8 |
2023-04-05 | CVE-2023-1846 | Online Payroll System Project | SQL Injection vulnerability in Online Payroll System Project Online Payroll System 1.0 A vulnerability has been found in SourceCodester Online Payroll System 1.0 and classified as critical. | 9.8 |
2023-04-05 | CVE-2023-1847 | Online Payroll System Project | SQL Injection vulnerability in Online Payroll System Project Online Payroll System 1.0 A vulnerability was found in SourceCodester Online Payroll System 1.0 and classified as critical. | 9.8 |
2023-04-05 | CVE-2023-1848 | Online Payroll System Project | SQL Injection vulnerability in Online Payroll System Project Online Payroll System 1.0 A vulnerability was found in SourceCodester Online Payroll System 1.0. | 9.8 |
2023-04-04 | CVE-2023-27488 | Envoyproxy | Unspecified vulnerability in Envoyproxy Envoy Envoy is an open source edge and service proxy designed for cloud-native applications. | 9.8 |
2023-04-04 | CVE-2023-28613 | Samsung | Integer Overflow or Wraparound vulnerability in Samsung products An issue was discovered in Samsung Exynos Mobile Processor and Baseband Modem Processor for Exynos 1280, Exynos 2200, and Exynos Modem 5300. | 9.8 |
2023-04-04 | CVE-2020-29312 | Zend | Deserialization of Untrusted Data vulnerability in Zend Framework An issue found in Zend Framework v.3.1.3 and before allows a remote attacker to execute arbitrary code via the unserialize function. | 9.8 |
2023-04-04 | CVE-2023-26750 | Yiiframework | SQL Injection vulnerability in Yiiframework YII SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function. | 9.8 |
2023-04-04 | CVE-2023-1827 | Centralized Covid Vaccination Records System Project | SQL Injection vulnerability in Centralized Covid Vaccination Records System Project Centralized Covid Vaccination Records System 1.0 A vulnerability has been found in SourceCodester Centralized Covid Vaccination Records System 1.0 and classified as critical. | 9.8 |
2023-04-04 | CVE-2023-1671 | Sophos | Command Injection vulnerability in Sophos web Appliance A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code. | 9.8 |
2023-04-04 | CVE-2023-1826 | Oretnom23 | Unrestricted Upload of File with Dangerous Type vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability, which was classified as critical, was found in SourceCodester Online Computer and Laptop Store 1.0. | 9.8 |
2023-04-03 | CVE-2022-43939 | Hitachi | Unspecified vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented. | 9.8 |
2023-04-03 | CVE-2023-1765 | Akbim | SQL Injection vulnerability in Akbim Panon Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Akbim Computer Panon allows SQL Injection. This issue affects Panon: before 1.0.2. | 9.8 |
2023-04-03 | CVE-2023-26119 | Htmlunit | Unspecified vulnerability in Htmlunit Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker's webpage. | 9.8 |
2023-04-09 | CVE-2023-1964 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Bank Locker Management System 1.0 A vulnerability classified as critical has been found in PHPGurukul Bank Locker Management System 1.0. | 9.1 |
2023-04-07 | CVE-2023-1940 | Simple AND Beautiful Shopping Cart System Project | SQL Injection vulnerability in Simple and Beautiful Shopping Cart System Project Simple and Beautiful Shopping Cart System 1.0 A vulnerability classified as critical was found in SourceCodester Simple and Beautiful Shopping Cart System 1.0. | 9.1 |
73 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-04-09 | CVE-2012-10010 | Bestwebsoft | Cross-Site Request Forgery (CSRF) vulnerability in Bestwebsoft Contact Form 3.21 A vulnerability was found in BestWebSoft Contact Form 3.21. | 8.8 |
2023-04-08 | CVE-2013-10025 | Exit Strategy Project | Cross-Site Request Forgery (CSRF) vulnerability in Exit Strategy Project Exit Strategy 1.55 A vulnerability was found in Exit Strategy Plugin 1.55 on WordPress and classified as problematic. | 8.8 |
2023-04-08 | CVE-2023-1960 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0 and classified as critical. | 8.8 |
2023-04-08 | CVE-2023-1957 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability, which was classified as critical, has been found in SourceCodester Online Computer and Laptop Store 1.0. | 8.8 |
2023-04-08 | CVE-2023-1959 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability has been found in SourceCodester Online Computer and Laptop Store 1.0 and classified as critical. | 8.8 |
2023-04-08 | CVE-2023-1953 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0. | 8.8 |
2023-04-08 | CVE-2023-1954 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0. | 8.8 |
2023-04-08 | CVE-2023-1956 | Oretnom23 | Path Traversal vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability classified as critical was found in SourceCodester Online Computer and Laptop Store 1.0. | 8.8 |
2023-04-06 | CVE-2023-29008 | Svelte | Cross-Site Request Forgery (CSRF) vulnerability in Svelte Sveltekit 1.15.0/1.15.1 The SvelteKit framework offers developers an option to create simple REST APIs. | 8.8 |
2023-04-06 | CVE-2022-46793 | Adtribes | Cross-Site Request Forgery (CSRF) vulnerability in Adtribes Product Feed PRO for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in AdTribes.Io Product Feed PRO for WooCommerce plugin <= 12.4.4 versions. | 8.8 |
2023-04-06 | CVE-2023-23801 | Hasthemes | Cross-Site Request Forgery (CSRF) vulnerability in Hasthemes Really Simple Google TAG Manager Cross-Site Request Forgery (CSRF) vulnerability in HasThemes Really Simple Google Tag Manager plugin <= 1.0.6 versions. | 8.8 |
2023-04-06 | CVE-2023-29421 | Bzip3 Project | Out-of-bounds Write vulnerability in Bzip3 Project Bzip3 An issue was discovered in libbzip3.a in bzip3 before 1.2.3. | 8.8 |
2023-04-05 | CVE-2022-4941 | Wclovers | Unspecified vulnerability in Wclovers Wcfm Membership The WCFM Membership plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.10 due to missing nonce checks on various AJAX actions. | 8.8 |
2023-04-05 | CVE-2023-20102 | Cisco | Deserialization of Untrusted Data vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Secure Network Analytics could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system. | 8.8 |
2023-04-05 | CVE-2023-1522 | Genetec | SQL Injection vulnerability in Genetec Security Center 5.11.2 SQL Injection in the Hardware Inventory report of Security Center 5.11.2. | 8.8 |
2023-04-05 | CVE-2022-4935 | Wclovers | Missing Authorization vulnerability in Wclovers Wcfm Marketplace The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. | 8.8 |
2023-04-05 | CVE-2022-4936 | Wclovers | Unspecified vulnerability in Wclovers Wcfm Marketplace The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions. | 8.8 |
2023-04-05 | CVE-2022-4937 | Wclovers | Missing Authorization vulnerability in Wclovers Frontend Manager for Woocommerce Along With Bookings Subscription Listings Compatible The WCFM Frontend Manager plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 6.6.0 due to missing capability checks on various AJAX actions. | 8.8 |
2023-04-05 | CVE-2022-4938 | Wclovers | Unspecified vulnerability in Wclovers Frontend Manager for Woocommerce Along With Bookings Subscription Listings Compatible The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. | 8.8 |
2023-04-04 | CVE-2023-29003 | Svelte | Cross-Site Request Forgery (CSRF) vulnerability in Svelte Sveltekit 1.15.0 SvelteKit is a web development framework. | 8.8 |
2023-04-04 | CVE-2023-1810 | Google Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Visuals in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-04-04 | CVE-2023-1811 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Frames in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-04-04 | CVE-2023-1812 | Google Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Out of bounds memory access in DOM Bindings in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. | 8.8 |
2023-04-04 | CVE-2023-1815 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Networking APIs in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-04-04 | CVE-2023-1818 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Vulkan in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-04-04 | CVE-2023-1820 | Google Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Browser History in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-04-04 | CVE-2020-21514 | Fluentd | Unspecified vulnerability in Fluentd and Fluentd-Ui An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 allows attackers to gain escalated privileges and execute arbitrary code due to a default password. | 8.8 |
2023-04-04 | CVE-2022-41633 | Peepso | Cross-Site Request Forgery (CSRF) vulnerability in Peepso Cross-Site Request Forgery (CSRF) vulnerability in PeepSo Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin <= 6.0.2.0 versions. | 8.8 |
2023-04-03 | CVE-2022-43938 | Hitachi | Code Injection vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager. | 8.8 |
2023-04-03 | CVE-2022-43940 | Hitachi | Incorrect Authorization vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly perform an authorization check in the data source management service. | 8.8 |
2023-04-03 | CVE-2022-43773 | Hitachi | Incorrect Permission Assignment for Critical Resource vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is installed with a sample HSQLDB data source configured with stored procedures enabled. | 8.8 |
2023-04-03 | CVE-2023-0820 | Bestwebsoft | Unspecified vulnerability in Bestwebsoft User Role The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role. | 8.8 |
2023-04-04 | CVE-2023-28840 | Mobyproject | Failing Open vulnerability in Mobyproject Moby Moby is an open source container framework developed by Docker Inc. | 8.7 |
2023-04-07 | CVE-2022-33959 | IBM | Unspecified vulnerability in IBM Sterling Order Management 10 IBM Sterling Order Management 10.0 could allow a user to bypass validation and perform unauthorized actions on behalf of other users. | 8.1 |
2023-04-07 | CVE-2023-28051 | Dell | Unspecified vulnerability in Dell Power Manager 3.10/3.3 Dell Power Manager, versions 3.10 and prior, contains an Improper Access Control vulnerability. | 7.8 |
2023-04-06 | CVE-2023-0652 | Cloudflare | Link Following vulnerability in Cloudflare Warp Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files. As Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files. | 7.8 |
2023-04-06 | CVE-2023-25542 | Dell | Incorrect Default Permissions vulnerability in Dell Trusted Device Agent Dell Trusted Device Agent, versions prior to 5.3.0, contain(s) an improper installation permissions vulnerability. | 7.8 |
2023-04-05 | CVE-2023-20122 | Cisco | OS Command Injection vulnerability in Cisco Identity Services Engine 3.2 Multiple vulnerabilities in the restricted shell of Cisco Evolved Programmable Network Manager (EPNM), Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure could allow an authenticated, local attacker to escape the restricted shell and gain root privileges on the underlying operating system. | 7.8 |
2023-04-05 | CVE-2023-1412 | Cloudflare | Link Following vulnerability in Cloudflare Warp An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for Windows (<= 2022.12.582.0) to perform privileged operations with SYSTEM context by working with a combination of opportunistic locks (oplock) and symbolic links (which can both be created by an unprivileged user). After installing the Cloudflare WARP Client (admin privileges required), an MSI-Installer is placed under C:\Windows\Installer. | 7.8 |
2023-04-04 | CVE-2023-29323 | Openbsd Opensmtpd | ascii_load_sockaddr in smtpd in OpenBSD before 7.1 errata 024 and 7.2 before errata 020, and OpenSMTPD Portable before 7.0.0-portable commit f748277, can abort upon a connection from a local, scoped IPv6 address. | 7.8 |
2023-04-04 | CVE-2023-26775 | Monitorr | Unrestricted Upload of File with Dangerous Type vulnerability in Monitorr 1.7.6M File Upload vulnerability found in Monitorr v.1.7.6 allows a remote attacker to execute arbitrary code via a crafted file upload to the assets/php/upload.php endpoint. | 7.8 |
2023-04-04 | CVE-2023-25941 | Dell | Incorrect Default Permissions vulnerability in Dell EMC Powerscale Onefs Dell PowerScale OneFS versions 8.2.x-9.5.0.x contain an elevation of privilege vulnerability. | 7.8 |
2023-04-04 | CVE-2023-25940 | Dell | Link Following vulnerability in Dell EMC Powerscale Onefs 9.5.0.0 Dell PowerScale OneFS version 9.5.0.0 contains improper link resolution before file access vulnerability in isi_gather_info. | 7.8 |
2023-04-03 | CVE-2023-1579 | GNU | Out-of-bounds Write vulnerability in GNU Binutils 2.39 Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64. | 7.8 |
2023-04-03 | CVE-2023-0975 | Trellix | Improper Preservation of Permissions vulnerability in Trellix Agent 5.7.7/5.7.8 A vulnerability exists in Trellix Agent for Windows version 5.7.8 and earlier, that allows local users, during install/upgrade workflow, to replace one of the Agent’s executables before it can be executed. | 7.8 |
2023-04-09 | CVE-2023-27727 | F5 | Out-of-bounds Read vulnerability in F5 NJS 0.7.10 Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_function_frame at src/njs_function.h. | 7.5 |
2023-04-09 | CVE-2023-27728 | F5 | Out-of-bounds Read vulnerability in F5 NJS 0.7.10 Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_dump_is_recursive at src/njs_vmcode.c. | 7.5 |
2023-04-09 | CVE-2023-27729 | F5 | Unspecified vulnerability in F5 NJS 0.7.10 Nginx NJS v0.7.10 was discovered to contain an illegal memcpy via the function njs_vmcode_return at src/njs_vmcode.c. | 7.5 |
2023-04-09 | CVE-2023-27730 | F5 | Out-of-bounds Read vulnerability in F5 NJS 0.7.10 Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_lvlhsh_find at src/njs_lvlhsh.c. | 7.5 |
2023-04-08 | CVE-2013-10024 | Exit Strategy Project | Information Exposure vulnerability in Exit Strategy Project Exit Strategy 1.55 A vulnerability has been found in Exit Strategy Plugin 1.55 on WordPress and classified as problematic. | 7.5 |
2023-04-07 | CVE-2023-28707 | Apache | Improper Input Validation vulnerability in Apache Apache-Airflow-Providers-Apache-Drill Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. This issue affects Apache Airflow Drill Provider: before 2.3.2. | 7.5 |
2023-04-07 | CVE-2023-28710 | Apache | Improper Input Validation vulnerability in Apache Apache-Airflow-Providers-Apache-Spark Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider. This issue affects Apache Airflow Spark Provider: before 4.0.1. | 7.5 |
2023-04-07 | CVE-2022-34333 | IBM | Weak Password Requirements vulnerability in IBM Sterling Order Management 10 IBM Sterling Order Management 10.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. | 7.5 |
2023-04-06 | CVE-2023-24537 | Golang | Integer Overflow or Wraparound vulnerability in Golang GO Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. | 7.5 |
2023-04-06 | CVE-2023-24534 | Golang | Resource Exhaustion vulnerability in Golang GO HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. | 7.5 |
2023-04-06 | CVE-2023-24536 | Golang | Allocation of Resources Without Limits or Throttling vulnerability in Golang GO Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. | 7.5 |
2023-04-06 | CVE-2023-1802 | Docker | Cleartext Transmission of Sensitive Information vulnerability in Docker Desktop 4.17.0/4.17.1 In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. | 7.5 |
2023-04-05 | CVE-2023-20051 | Cisco | Unspecified vulnerability in Cisco Packet Data Network Gateway 21.26.0/21.27.0 A vulnerability in the Vector Packet Processor (VPP) of Cisco Packet Data Network Gateway (PGW) could allow an unauthenticated, remote attacker to stop ICMP traffic from being processed over an IPsec connection. | 7.5 |
2023-04-05 | CVE-2023-1858 | Earnings AND Expense Tracker APP Project | Unspecified vulnerability in Earnings and Expense Tracker APP Project Earnings and Expense Tracker APP 1.0 A vulnerability was found in SourceCodester Earnings and Expense Tracker App 1.0. | 7.5 |
2023-04-04 | CVE-2023-27496 | Envoyproxy | Unspecified vulnerability in Envoyproxy Envoy Envoy is an open source edge and service proxy designed for cloud-native applications. | 7.5 |
2023-04-03 | CVE-2023-29218 | | Unspecified vulnerability in Twitter Recommendation Algorithm 20230331 The Twitter Recommendation Algorithm through ec83d01 allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023. | 7.5 |
2023-04-03 | CVE-2022-36440 | Frrouting Fedoraproject Debian | Reachable Assertion vulnerability in multiple products A reachable assertion was found in Frrouting frr-bgpd 8.3.0 in the peek_for_as4_capability function. | 7.5 |
2023-04-03 | CVE-2023-28625 | Openidc | Unspecified vulnerability in Openidc MOD Auth Openidc mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. | 7.5 |
2023-04-05 | CVE-2023-20103 | Cisco | Improper Input Validation vulnerability in Cisco Secure Network Analytics 2.1.1/7.4.1 A vulnerability in Cisco Secure Network Analytics could allow an authenticated, remote attacker to execute arbitrary code as a root user on an affected device. | 7.2 |
2023-04-05 | CVE-2023-20117 | Cisco | OS Command Injection vulnerability in Cisco Rv320 Firmware and Rv325 Firmware Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. | 7.2 |
2023-04-05 | CVE-2023-20124 | Cisco | Command Injection vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. | 7.2 |
2023-04-05 | CVE-2023-20128 | Cisco | OS Command Injection vulnerability in Cisco Rv320 Firmware and Rv325 Firmware Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. | 7.2 |
2023-04-03 | CVE-2022-43769 | Hitachi | Code Injection vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream. | 7.2 |
2023-04-03 | CVE-2023-1124 | Wpeasycart | Unspecified vulnerability in Wpeasycart WP Easycart The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks. | 7.2 |
2023-04-07 | CVE-2023-27876 | IBM | XXE vulnerability in IBM Tririga Application Platform 4.0 IBM TRIRIGA 4.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. | 7.1 |
2023-04-06 | CVE-2023-28046 | Dell | Least Privilege Violation vulnerability in Dell Display Manager 2.0.0/2.1.0 Dell Display Manager, versions 2.1.0 and prior, contains an arbitrary file or folder deletion vulnerability during uninstallation. A local low privilege attacker could potentially exploit this vulnerability, leading to the deletion of arbitrary files on the operating system with high privileges. | 7.1 |
2023-04-05 | CVE-2023-1838 | Linux Netapp | Use After Free vulnerability in multiple products A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. | 7.1 |
2023-04-04 | CVE-2023-1750 | Getnexx | Authorization Bypass Through User-Controlled Key vulnerability in Getnexx products The listed versions of Nexx Smart Home devices lack proper access control when executing actions. | 7.1 |
207 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-04-04 | CVE-2023-28841 | Mobyproject | Failing Open vulnerability in Mobyproject Moby Moby is an open source container framework developed by Docker Inc. | 6.8 |
2023-04-04 | CVE-2023-28842 | Mobyproject | Failing Open vulnerability in Mobyproject Moby Moby is an open source container framework developed by Docker Inc. | 6.8 |
2023-04-05 | CVE-2023-20121 | Cisco | OS Command Injection vulnerability in Cisco Identity Services Engine and Prime Infrastructure Multiple vulnerabilities in the restricted shell of Cisco Evolved Programmable Network Manager (EPNM), Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure could allow an authenticated, local attacker to escape the restricted shell and gain root privileges on the underlying operating system. | 6.7 |
2023-04-05 | CVE-2023-20153 | Cisco | OS Command Injection vulnerability in Cisco Identity Services Engine 3.2 Multiple vulnerabilities in specific Cisco Identity Services Engine (ISE) CLI commands could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. | 6.7 |
2023-04-05 | CVE-2023-20152 | Cisco | OS Command Injection vulnerability in Cisco Identity Services Engine 3.2 Multiple vulnerabilities in specific Cisco Identity Services Engine (ISE) CLI commands could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. | 6.7 |
2023-04-05 | CVE-2023-20022 | Cisco | OS Command Injection vulnerability in Cisco Identity Services Engine 3.2 Multiple vulnerabilities in specific Cisco Identity Services Engine (ISE) CLI commands could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. | 6.7 |
2023-04-05 | CVE-2023-20023 | Cisco | OS Command Injection vulnerability in Cisco Identity Services Engine 3.2 Multiple vulnerabilities in specific Cisco Identity Services Engine (ISE) CLI commands could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. | 6.7 |
2023-04-05 | CVE-2023-20021 | Cisco | OS Command Injection vulnerability in Cisco Identity Services Engine 3.2 Multiple vulnerabilities in specific Cisco Identity Services Engine (ISE) CLI commands could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. | 6.7 |
2023-04-07 | CVE-2023-1801 | Tcpdump | Out-of-bounds Write vulnerability in Tcpdump 4.99.3 The SMB protocol decoder in tcpdump version 4.99.3 can perform an out-of-bounds write when decoding a crafted network packet. | 6.5 |
2023-04-07 | CVE-2023-1909 | Phpgurukul | SQL Injection vulnerability in PHPgurukul BP Monitoring Management System 1.0 A vulnerability, which was classified as critical, was found in PHPGurukul BP Monitoring Management System 1.0. | 6.5 |
2023-04-07 | CVE-2022-43928 | IBM | Unspecified vulnerability in IBM DB2 Mirror for I 7.4/7.5 The IBM Toolbox for Java (Db2 Mirror for i 7.4 and 7.5) could allow a user to obtain sensitive information, caused by utilizing a Java string for processing. | 6.5 |
2023-04-06 | CVE-2023-29415 | Bzip3 Project Debian | An issue was discovered in libbzip3.a in bzip3 before 1.3.0. | 6.5 |
2023-04-06 | CVE-2023-29416 | Bzip3 Project | Out-of-bounds Write vulnerability in Bzip3 Project Bzip3 An issue was discovered in libbzip3.a in bzip3 before 1.3.0. | 6.5 |
2023-04-06 | CVE-2023-29417 | Bzip3 Project | Out-of-bounds Read vulnerability in Bzip3 Project Bzip3 1.2.2 An issue was discovered in libbzip3.a in bzip3 1.2.2. | 6.5 |
2023-04-06 | CVE-2023-29418 | Bzip3 Project | Out-of-bounds Read vulnerability in Bzip3 Project Bzip3 An issue was discovered in libbzip3.a in bzip3 before 1.2.3. | 6.5 |
2023-04-06 | CVE-2023-29419 | Bzip3 Project | Out-of-bounds Read vulnerability in Bzip3 Project Bzip3 An issue was discovered in libbzip3.a in bzip3 before 1.2.3. | 6.5 |
2023-04-06 | CVE-2023-29420 | Bzip3 Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Bzip3 Project Bzip3 An issue was discovered in libbzip3.a in bzip3 before 1.2.3. | 6.5 |
2023-04-05 | CVE-2022-4940 | Wclovers | Unspecified vulnerability in Wclovers Wcfm Membership The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. | 6.5 |
2023-04-05 | CVE-2023-20127 | Cisco | Unspecified vulnerability in Cisco Prime Infrastructure Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. | 6.5 |
2023-04-05 | CVE-2023-20129 | Cisco | Path Traversal vulnerability in Cisco Prime Infrastructure Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. | 6.5 |
2023-04-05 | CVE-2023-20130 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Prime Infrastructure Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. | 6.5 |
2023-04-05 | CVE-2023-20134 | Cisco | Unrestricted Upload of File with Dangerous Type vulnerability in Cisco Webex Meetings Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or upload arbitrary files as recordings. | 6.5 |
2023-04-05 | CVE-2023-1865 | Plugin | Unspecified vulnerability in Plugin Yourchannel The YourChannel plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check when resetting plugin settings via the yrc_nuke GET parameter in versions up to, and including, 1.2.3. | 6.5 |
2023-04-05 | CVE-2023-0382 | M Files | Resource Exhaustion vulnerability in M-Files Server User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption. | 6.5 |
2023-04-04 | CVE-2023-1813 | Google Fedoraproject Debian | Inappropriate implementation in Extensions in Google Chrome prior to 112.0.5615.49 allowed an attacker who convinced a user to install a malicious extension to bypass file access restrictions via a crafted HTML page. | 6.5 |
2023-04-04 | CVE-2023-1814 | Google Fedoraproject Debian | Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to bypass download checking via a crafted HTML page. | 6.5 |
2023-04-04 | CVE-2023-1816 | Google Fedoraproject Debian | Incorrect security UI in Picture In Picture in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially perform navigation spoofing via a crafted HTML page. | 6.5 |
2023-04-04 | CVE-2023-1817 | Google Fedoraproject Debian | Insufficient policy enforcement in Intents in Google Chrome on Android prior to 112.0.5615.49 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | 6.5 |
2023-04-04 | CVE-2023-1819 | Google Fedoraproject Debian | Out-of-bounds Read vulnerability in multiple products Out of bounds read in Accessibility in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. | 6.5 |
2023-04-04 | CVE-2023-1821 | Google Fedoraproject Debian | Inappropriate implementation in WebShare in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially hide the contents of the Omnibox (URL bar) via a crafted HTML page. | 6.5 |
2023-04-04 | CVE-2023-1822 | Google Fedoraproject Debian | Incorrect security UI in Navigation in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | 6.5 |
2023-04-04 | CVE-2023-1823 | Google Fedoraproject Debian | Inappropriate implementation in FedCM in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | 6.5 |
2023-04-04 | CVE-2023-28853 | Joinmastodon | LDAP Injection vulnerability in Joinmastodon Mastodon Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. | 6.5 |
2023-04-04 | CVE-2023-27492 | Envoyproxy | Allocation of Resources Without Limits or Throttling vulnerability in Envoyproxy Envoy Envoy is an open source edge and service proxy designed for cloud-native applications. | 6.5 |
2023-04-04 | CVE-2023-1749 | Getnexx | Authorization Bypass Through User-Controlled Key vulnerability in Getnexx products The listed versions of Nexx Smart Home devices lack proper access control when executing actions. | 6.5 |
2023-04-04 | CVE-2023-25942 | Dell | Improper Control of a Resource Through its Lifetime vulnerability in Dell EMC Powerscale Onefs Dell PowerScale OneFS versions 8.2.x-9.4.x contain an uncontrolled resource consumption vulnerability. | 6.5 |
2023-04-03 | CVE-2023-0614 | Samba | Cleartext Storage of Sensitive Information vulnerability in Samba The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. | 6.5 |
2023-04-03 | CVE-2022-43771 | Hitachi | Path Traversal vulnerability in Hitachi Vantara Pentaho Business Analytics Server Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin exposes a service endpoint for CSV import which allows a user-supplied path to access resources that are out of bounds. | 6.5 |
2023-04-03 | CVE-2022-43772 | Hitachi | Information Exposure Through Log Files vulnerability in Hitachi Vantara Pentaho Business Analytics Server Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin expose the username and password of clusters in clear text into system logs. | 6.5 |
2023-04-03 | CVE-2022-43941 | Hitachi | XXE vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference. | 6.5 |
2023-04-03 | CVE-2023-0977 | Trellix | Out-of-bounds Write vulnerability in Trellix Agent 5.7.7/5.7.8 A heap-based overflow vulnerability in Trellix Agent (Windows and Linux) version 5.7.8 and earlier allows a remote user to alter the page heap in the macmnsvc process memory block, resulting in the service becoming unavailable. | 6.5 |
2023-04-03 | CVE-2023-1330 | Inisev | Unspecified vulnerability in Inisev Redirection The Redirection WordPress plugin before 1.1.4 does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack. | 6.5 |
2023-04-04 | CVE-2023-28999 | Nextcloud | Missing Encryption of Sensitive Data vulnerability in Nextcloud Desktop Nextcloud is an open-source productivity platform. | 6.4 |
2023-04-05 | CVE-2023-1855 | Linux Debian | Use After Free vulnerability in multiple products A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). | 6.3 |
2023-04-03 | CVE-2023-1611 | Fedoraproject Linux | Use After Free vulnerability in multiple products A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information lea | 6.3 |
2023-04-03 | CVE-2022-3960 | Hitachi | Code Injection vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin. | 6.3 |
2023-04-09 | CVE-2014-125095 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Contact Form 1.3.4 A vulnerability was found in BestWebSoft Contact Form Plugin 1.3.4 on WordPress and classified as problematic. | 6.1 |
2023-04-08 | CVE-2023-1961 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0. | 6.1 |
2023-04-08 | CVE-2015-10098 | Wpmudev | Cross-site Scripting vulnerability in Wpmudev Broken Link Checker A vulnerability was found in Broken Link Checker Plugin up to 1.10.5 on WordPress. | 6.1 |
2023-04-08 | CVE-2023-1948 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul BP Monitoring Management System 1.0 A vulnerability, which was classified as problematic, has been found in PHPGurukul BP Monitoring Management System 1.0. | 6.1 |
2023-04-07 | CVE-2023-1946 | Survey Application System Project | Cross-site Scripting vulnerability in Survey Application System Project Survey Application System 1.0 A vulnerability was found in SourceCodester Survey Application System 1.0 and classified as problematic. | 6.1 |
2023-04-07 | CVE-2023-28781 | Cimatti | Cross-site Scripting vulnerability in Cimatti Wordpress Contact Forms Unauth. | 6.1 |
2023-04-07 | CVE-2023-28789 | Cimatti | Cross-site Scripting vulnerability in Cimatti Wordpress Contact Forms Unauth. | 6.1 |
2023-04-07 | CVE-2023-28792 | I13Websolution | Cross-site Scripting vulnerability in I13Websolution Continuous Image Carosel With Lightbox Unauth. | 6.1 |
2023-04-07 | CVE-2023-29171 | Magic Post Thumbnail | Cross-site Scripting vulnerability in Magic-Post-Thumbnail Magic Post Thumbnail Unauth. | 6.1 |
2023-04-07 | CVE-2023-29172 | WP Property Hive | Cross-site Scripting vulnerability in Wp-Property-Hive Propertyhive Unauth. | 6.1 |
2023-04-07 | CVE-2023-29388 | Implecode | Cross-site Scripting vulnerability in Implecode Product Catalog Simple Unauth. | 6.1 |
2023-04-07 | CVE-2023-25711 | Wpglobus | Cross-site Scripting vulnerability in Wpglobus Translate Options Unauth. | 6.1 |
2023-04-07 | CVE-2023-25713 | Fullworksplugins | Cross-site Scripting vulnerability in Fullworksplugins Quick Paypal Payments Unauth. | 6.1 |
2023-04-07 | CVE-2023-25020 | Kibokolabs | Cross-site Scripting vulnerability in Kibokolabs Arigato Autoresponder and Newsletter Unauth. | 6.1 |
2023-04-07 | CVE-2023-25041 | Cththemes | Cross-site Scripting vulnerability in Cththemes Monolit Unauth. | 6.1 |
2023-04-07 | CVE-2023-28993 | Albo Pretorio ON Line Project | Cross-site Scripting vulnerability in Albo Pretorio on Line Project Albo Pretorio on Line Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Ignazio Scimone Albo Pretorio On Line plugin <= 4.6.1 versions. | 6.1 |
2023-04-07 | CVE-2023-29236 | Cththemes | Cross-site Scripting vulnerability in Cththemes Outdoor Unauth. | 6.1 |
2023-04-06 | CVE-2014-125094 | Phpminiadmin Project | Cross-site Scripting vulnerability in PHPminiadmin Project PHPminiadmin 1.7.110429/1.7.111025/1.8.120510 A vulnerability classified as problematic was found in phpMiniAdmin up to 1.8.120510. | 6.1 |
2023-04-06 | CVE-2023-1912 | Limit Login Attempts Project | Unspecified vulnerability in Limit Login Attempts Project Limit Login Attempts The Limit Login Attempts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its lock logging feature in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. | 6.1 |
2023-04-06 | CVE-2023-22985 | Simple Guestbook Management System Project | Cross-site Scripting vulnerability in Simple Guestbook Management System Project Simple Guestbook Management System 1.0 Sourcecodester Simple Guestbook Management System version 1 is vulnerable to Cross Site Scripting (XSS) via Name, Referrer, Location, and Comments. | 6.1 |
2023-04-06 | CVE-2023-23979 | Fullworksplugins | Cross-site Scripting vulnerability in Fullworksplugins Quick Event Manager Unauth. | 6.1 |
2023-04-05 | CVE-2023-20137 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20138 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20139 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20140 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20141 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20142 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20143 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20144 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20145 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20146 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20147 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20148 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20149 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20150 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2023-20151 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. | 6.1 |
2023-04-05 | CVE-2013-10022 | Bestwebsoft | Cross-site Scripting vulnerability in Bestwebsoft Contact Form 3.51 A vulnerability, which was classified as problematic, has been found in BestWebSoft Contact Form Plugin 3.51 on WordPress. | 6.1 |
2023-04-05 | CVE-2023-1860 | Keysight | Cross-site Scripting vulnerability in Keysight Hawkeye 3.3.16.28 A vulnerability was found in Keysight IXIA Hawkeye 3.3.16.28. | 6.1 |
2023-04-05 | CVE-2023-1851 | Online Payroll System Project | Cross-site Scripting vulnerability in Online Payroll System Project Online Payroll System 1.0 A vulnerability classified as problematic has been found in SourceCodester Online Payroll System 1.0. | 6.1 |
2023-04-05 | CVE-2023-1852 | Online Payroll System Project | Cross-site Scripting vulnerability in Online Payroll System Project Online Payroll System 1.0 A vulnerability classified as problematic was found in SourceCodester Online Payroll System 1.0. | 6.1 |
2023-04-05 | CVE-2023-1853 | Online Payroll System Project | Cross-site Scripting vulnerability in Online Payroll System Project Online Payroll System 1.0 A vulnerability, which was classified as problematic, has been found in SourceCodester Online Payroll System 1.0. | 6.1 |
2023-04-05 | CVE-2023-1857 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Online Computer and Laptop Store 1.0 A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0 and classified as problematic. | 6.1 |
2023-04-04 | CVE-2023-26776 | Monitorr | Cross-site Scripting vulnerability in Monitorr 1.7.6M Cross Site Scripting vulnerability found in Monitorr v.1.7.6 allows a remote attacker to execute arbitrary code via the title parameter of the post_receiver-services.php file. | 6.1 |
2023-04-04 | CVE-2023-28998 | Nextcloud | Missing Required Cryptographic Step vulnerability in Nextcloud Desktop The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. | 6.1 |
2023-04-03 | CVE-2022-4771 | Hitachi | Cross-site Scripting vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow a malicious URL to inject content into the Pentaho User Console through session variables. | 6.1 |
2023-04-03 | CVE-2023-1377 | Solidres | Unspecified vulnerability in Solidres The Solidres WordPress plugin through 0.9.4 does not sanitise and escape numerous parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 6.1 |
2023-04-03 | CVE-2023-1766 | Akbim | Cross-site Scripting vulnerability in Akbim Panon Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Akbim Computer Panon allows Reflected XSS. This issue affects Panon: before 1.0.2. | 6.1 |
2023-04-03 | CVE-2022-27665 | Progress | Cross-site Scripting vulnerability in Progress WS FTP Server 8.6.0 Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. | 6.1 |
2023-04-05 | CVE-2023-20030 | Cisco | XXE vulnerability in Cisco Identity Services Engine A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. | 6.0 |
2023-04-03 | CVE-2023-0922 | Samba | Cleartext Transmission of Sensitive Information vulnerability in Samba The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. | 5.9 |
2023-04-03 | CVE-2023-26112 | Configobj Project | Unspecified vulnerability in Configobj Project Configobj All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). **Note:** This is only exploitable in the case of a developer putting the offending value in a server side configuration file. | 5.9 |
2023-04-07 | CVE-2022-43309 | Supermicro | Incorrect Permission Assignment for Critical Resource vulnerability in Supermicro products Supermicro X11SSL-CF HW Rev 1.01, BMC firmware v1.63 was discovered to contain insecure permissions. | 5.5 |
2023-04-07 | CVE-2020-11935 | Canonical Debian | It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. | 5.5 |
2023-04-07 | CVE-2022-43914 | IBM | Cross-site Scripting vulnerability in IBM Tririga Application Platform IBM TRIRIGA Application Platform 4.0 is vulnerable to cross-site scripting. | 5.4 |
2023-04-07 | CVE-2023-27620 | Robogallery | Cross-site Scripting vulnerability in Robogallery Robo Gallery Auth. | 5.4 |
2023-04-07 | CVE-2023-1726 | Prolizyazilim | Cross-site Scripting vulnerability in Prolizyazilim Student Affairs Information System Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proliz OBS allows Stored XSS for an authenticated user. This issue affects OBS: before 23.04.01. | 5.4 |
2023-04-07 | CVE-2023-23885 | Fullworksplugins | Cross-site Scripting vulnerability in Fullworksplugins Quick Contact Form Auth. | 5.4 |
2023-04-07 | CVE-2023-25061 | Kibokolabs | Cross-site Scripting vulnerability in Kibokolabs Arigato Autoresponder and Newsletter Auth. | 5.4 |
2023-04-06 | CVE-2023-23891 | Oceanwp | Cross-site Scripting vulnerability in Oceanwp Ocean Extra Auth. | 5.4 |
2023-04-06 | CVE-2023-24374 | Material Design Icons FOR Page Builders Project | Cross-site Scripting vulnerability in Material Design Icons for Page Builders Project Material Design Icons for Page Builders Auth. | 5.4 |
2023-04-06 | CVE-2023-24378 | Codeat | Cross-site Scripting vulnerability in Codeat Glossary Auth. | 5.4 |
2023-04-06 | CVE-2023-23898 | Creativethemes | Cross-site Scripting vulnerability in Creativethemes Blocksy Companion Auth. | 5.4 |
2023-04-06 | CVE-2023-24411 | Bnecreative | Cross-site Scripting vulnerability in Bnecreative BNE Testimonials Auth. | 5.4 |
2023-04-06 | CVE-2023-24003 | Timersys | Cross-site Scripting vulnerability in Timersys WP Popups Auth. | 5.4 |
2023-04-06 | CVE-2023-23815 | Multi Column TAG MAP Project | Cross-site Scripting vulnerability in Multi-Column TAG MAP Project Multi-Column TAG MAP Auth. | 5.4 |
2023-04-05 | CVE-2023-20096 | Cisco | Cross-site Scripting vulnerability in Cisco Unified Contact Center Express A vulnerability in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. | 5.4 |
2023-04-05 | CVE-2023-20131 | Cisco | Cross-site Scripting vulnerability in Cisco Prime Infrastructure Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. | 5.4 |
2023-04-05 | CVE-2023-20132 | Cisco | Cross-site Scripting vulnerability in Cisco Webex Meetings Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or upload arbitrary files as recordings. | 5.4 |
2023-04-05 | CVE-2023-1885 | Phpmyfaq | Cross-site Scripting vulnerability in PHPmyfaq Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. | 5.4 |
2023-04-05 | CVE-2023-1756 | Phpmyfaq | Cross-site Scripting vulnerability in PHPmyfaq Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. | 5.4 |
2023-04-05 | CVE-2023-26536 | Followmedarling | Cross-site Scripting vulnerability in Followmedarling Spotify-Play-Button-For-Wordpress Auth. | 5.4 |
2023-04-05 | CVE-2023-28069 | Dell | Open Redirect vulnerability in Dell Streaming Data Platform Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. | 5.4 |
2023-04-04 | CVE-2023-23977 | Heateor | Cross-site Scripting vulnerability in Heateor Social Comments Auth. | 5.4 |
2023-04-04 | CVE-2023-23685 | Radiustheme | Cross-site Scripting vulnerability in Radiustheme Portfolio Auth. | 5.4 |
2023-04-04 | CVE-2023-23686 | Simple Staff List Project | Cross-site Scripting vulnerability in Simple Staff List Project Simple Staff List Auth. | 5.4 |
2023-04-04 | CVE-2023-23878 | Flippercode | Cross-site Scripting vulnerability in Flippercode WP Google MAP Auth. | 5.4 |
2023-04-03 | CVE-2023-24724 | SAS | Cross-site Scripting vulnerability in SAS web Administration Interface 9.4 A stored cross site scripting (XSS) vulnerability was discovered in the user management module of the SAS 9.4 Admin Console, due to insufficient validation and sanitization of data input into the user creation and editing form fields. | 5.4 |
2023-04-03 | CVE-2023-0399 | Image Over Image FOR Wpbakery Page Builder Project | Unspecified vulnerability in Image Over Image for Wpbakery Page Builder Project Image Over Image for Wpbakery Page Builder The Image Over Image For WPBakery Page Builder WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
2023-04-05 | CVE-2023-0842 | Xml2Js Project | Unspecified vulnerability in Xml2Js Project Xml2Js 0.4.23 xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. | 5.3 |
2023-04-05 | CVE-2023-1868 | Plugin | Unspecified vulnerability in Plugin Yourchannel The YourChannel plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check when clearing the plugin cache via the yrc_clear_cache GET parameter in versions up to, and including, 1.2.3. | 5.3 |
2023-04-04 | CVE-2023-1751 | Getnexx | Unspecified vulnerability in Getnexx products The listed versions of Nexx Smart Home devices use a WebSocket server that does not validate if the bearer token in the Authorization header belongs to the device attempting to associate. | 5.3 |
2023-04-04 | CVE-2023-1768 | Tribe29 Checkmk | Inappropriate error handling in Tribe29 Checkmk <= 2.1.0p25, <= 2.0.0p34, <= 2.2.0b3 (beta), and all versions of Checkmk 1.6.0 causes the symmetric encryption of agent data to fail silently and transmit the data in plaintext in certain configurations. | 5.3 |
2023-04-03 | CVE-2023-26916 | Cesnet Fedoraproject | NULL Pointer Dereference vulnerability in multiple products libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lys_parse_mem at lys_parse_mem.c. | 5.3 |
2023-04-07 | CVE-2023-27801 | H3C | Out-of-bounds Write vulnerability in H3C Magic R100 Firmware V100R005 H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the DelDNSHnList interface at /goform/aspForm. | 4.9 |
2023-04-07 | CVE-2023-27802 | H3C | Out-of-bounds Write vulnerability in H3C Magic R100 Firmware V100R005 H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the EditvsList parameter at /goform/aspForm. | 4.9 |
2023-04-07 | CVE-2023-27803 | H3C | Out-of-bounds Write vulnerability in H3C Magic R100 Firmware V100R005 H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the EdittriggerList interface at /goform/aspForm. | 4.9 |
2023-04-07 | CVE-2023-27804 | H3C | Out-of-bounds Write vulnerability in H3C Magic R100 Firmware V100R005 H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the DelvsList interface at /goform/aspForm. | 4.9 |
2023-04-07 | CVE-2023-27805 | H3C | Out-of-bounds Write vulnerability in H3C Magic R100 Firmware V100R005 H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the EditSTList interface at /goform/aspForm. | 4.9 |
2023-04-07 | CVE-2023-27806 | H3C | Out-of-bounds Write vulnerability in H3C Magic R100 Firmware V100R005 H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the ipqos_lanip_dellist interface at /goform/aspForm. | 4.9 |
2023-04-07 | CVE-2023-27807 | H3C | Out-of-bounds Write vulnerability in H3C Magic R100 Firmware V100R005 H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the Delstlist interface at /goform/aspForm. | 4.9 |
2023-04-07 | CVE-2023-27808 | H3C | Out-of-bounds Write vulnerability in H3C Magic R100 Firmware V100R005 H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm. | 4.9 |
2023-04-07 | CVE-2023-27810 | H3C | Out-of-bounds Write vulnerability in H3C Magic R100 Firmware V100R005 H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the ipqos_lanip_editlist interface at /goform/aspForm. | 4.9 |
2023-04-03 | CVE-2023-28837 | Torchbox | Allocation of Resources Without Limits or Throttling vulnerability in Torchbox Wagtail Wagtail is an open source content management system built on Django. | 4.9 |
2023-04-07 | CVE-2023-29170 | Piwebsolution | Cross-site Scripting vulnerability in Piwebsolution Product Enquiry for Woocommerce 2.2.7 Auth. | 4.8 |
2023-04-07 | CVE-2023-23799 | Easy Panorama Project | Cross-site Scripting vulnerability in Easy Panorama Project Easy Panorama Auth. | 4.8 |
2023-04-07 | CVE-2023-25442 | Zeno Font Resizer Project | Cross-site Scripting vulnerability in Zeno Font Resizer Project Zeno Font Resizer Auth. | 4.8 |
2023-04-07 | CVE-2023-25464 | Streamweasels | Cross-site Scripting vulnerability in Streamweasels Twitch Player 2.0.9/2.1.0 Auth. | 4.8 |
2023-04-07 | CVE-2023-25702 | Fullworksplugins | Cross-site Scripting vulnerability in Fullworksplugins Quick Paypal Payments Auth. | 4.8 |
2023-04-07 | CVE-2023-25705 | Goprayer | Cross-site Scripting vulnerability in Goprayer WP Prayer Auth. | 4.8 |
2023-04-07 | CVE-2023-25712 | WP Buddy | Cross-site Scripting vulnerability in Wp-Buddy Google Analytics Opt-Out Auth. | 4.8 |
2023-04-07 | CVE-2023-29094 | Piwebsolution | Cross-site Scripting vulnerability in Piwebsolution Product Page Shipping Calculator for Woocommerce Auth. | 4.8 |
2023-04-07 | CVE-2023-23994 | Auto Hide Admin BAR Project | Cross-site Scripting vulnerability in Auto Hide Admin BAR Project Auto Hide Admin BAR Auth. | 4.8 |
2023-04-07 | CVE-2023-25031 | Kibokolabs | Cross-site Scripting vulnerability in Kibokolabs Arigato Autoresponder and Newsletter Auth. | 4.8 |
2023-04-07 | CVE-2023-25049 | Implecode | Cross-site Scripting vulnerability in Implecode Ecommerce Product Catalog Auth. | 4.8 |
2023-04-07 | CVE-2023-25716 | Announce From THE Dashboard Project | Cross-site Scripting vulnerability in Announce From the Dashboard Project Announce From the Dashboard Auth (admin+) Stored Cross-Site Scripting (XSS) vulnerability in gqevu6bsiz Announce from the Dashboard plugin <= 1.5.1 versions. | 4.8 |
2023-04-07 | CVE-2023-25022 | Kibokolabs | Cross-site Scripting vulnerability in Kibokolabs Watu Quiz Auth. | 4.8 |
2023-04-07 | CVE-2023-25023 | Saleswonder | Cross-site Scripting vulnerability in Saleswonder Webinar Ignition Auth. | 4.8 |
2023-04-07 | CVE-2023-25024 | Icegram | Cross-site Scripting vulnerability in Icegram Collect Auth. | 4.8 |
2023-04-07 | CVE-2023-25027 | Kibokolabs | Cross-site Scripting vulnerability in Kibokolabs Chained Quiz Auth. | 4.8 |
2023-04-07 | CVE-2023-24398 | Snapcreek | Cross-site Scripting vulnerability in Snapcreek EZP Coming Soon Page 1.0.7.3 Auth. | 4.8 |
2023-04-07 | CVE-2023-25046 | Podlove | Cross-site Scripting vulnerability in Podlove Podcast Publisher Auth. | 4.8 |
2023-04-07 | CVE-2023-24402 | Wpbookingsystem | Cross-site Scripting vulnerability in Wpbookingsystem WP Booking System Auth. | 4.8 |
2023-04-07 | CVE-2023-25059 | Avalex | Cross-site Scripting vulnerability in Avalex Auth. | 4.8 |
2023-04-06 | CVE-2023-1913 | Webfactoryltd | Unspecified vulnerability in Webfactoryltd Maps Widget for Google Maps The Maps Widget for Google Maps for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 4.24 due to insufficient input sanitization and output escaping. | 4.8 |
2023-04-06 | CVE-2023-24396 | Vikwp | Cross-site Scripting vulnerability in Vikwp Vikbooking Hotel Booking Engine & PMS Auth. | 4.8 |
2023-04-06 | CVE-2023-25062 | Pinpoint | Cross-site Scripting vulnerability in Pinpoint Booking System Auth. | 4.8 |
2023-04-06 | CVE-2023-24383 | Kibokolabs | Cross-site Scripting vulnerability in Kibokolabs Namaste! LMS Auth. | 4.8 |
2023-04-06 | CVE-2023-24387 | Wpdevart | Cross-site Scripting vulnerability in Wpdevart Organization Chart Auth. | 4.8 |
2023-04-06 | CVE-2023-24403 | Wpforthewin | Cross-site Scripting vulnerability in Wpforthewin Bbpress Voting Auth. | 4.8 |
2023-04-06 | CVE-2023-24002 | Wpdevart | Cross-site Scripting vulnerability in Wpdevart Youtube Embed, Playlist and Popup Auth. | 4.8 |
2023-04-06 | CVE-2023-24004 | Wpdevart | Cross-site Scripting vulnerability in Wpdevart Download Image and Video Lightbox, Image Popup Auth. | 4.8 |
2023-04-06 | CVE-2023-23980 | Mailoptin | Cross-site Scripting vulnerability in Mailoptin Auth. | 4.8 |
2023-04-06 | CVE-2023-23996 | Properfraction | Cross-site Scripting vulnerability in Properfraction Profilepress Auth. | 4.8 |
2023-04-06 | CVE-2023-23998 | E4Jconnect | Cross-site Scripting vulnerability in E4Jconnect Vikrentcar Auth. | 4.8 |
2023-04-06 | CVE-2023-24001 | Modal Dialog Project | Cross-site Scripting vulnerability in Modal Dialog Project Modal Dialog Auth. | 4.8 |
2023-04-06 | CVE-2023-24006 | Linksoftwarellc | Cross-site Scripting vulnerability in Linksoftwarellc WP Terms Popup Auth. | 4.8 |
2023-04-06 | CVE-2023-23971 | Codepeople | Cross-site Scripting vulnerability in Codepeople WP Time Slots Booking Form Auth. | 4.8 |
2023-04-06 | CVE-2023-23972 | Wpdevart | Cross-site Scripting vulnerability in Wpdevart Social Like BOX and Page Auth. | 4.8 |
2023-04-06 | CVE-2023-23987 | Wpeverest | Cross-site Scripting vulnerability in Wpeverest User Registration Auth. | 4.8 |
2023-04-06 | CVE-2023-23981 | Quantumcloud | Cross-site Scripting vulnerability in Quantumcloud Conversational Forms for Chatbot Auth. | 4.8 |
2023-04-06 | CVE-2023-23982 | Wpfrom Email Project | Cross-site Scripting vulnerability in Wpfrom Email Project Wpfrom Email Auth. | 4.8 |
2023-04-05 | CVE-2023-1869 | Plugin | Cross-site Scripting vulnerability in Plugin Yourchannel The YourChannel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. | 4.8 |
2023-04-04 | CVE-2023-1840 | Followmedarling | Unspecified vulnerability in Followmedarling Spotify-Play-Button-For-Wordpress The Sp*tify Play Button for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.07 due to insufficient input sanitization and output escaping. | 4.8 |
2023-04-04 | CVE-2023-23870 | Wpdevart | Cross-site Scripting vulnerability in Wpdevart Responsive Vertical Icon Menu Auth. | 4.8 |
2023-04-04 | CVE-2023-23821 | Interactive Polish MAP Project | Cross-site Scripting vulnerability in Interactive Polish MAP Project Interactive Polish MAP Auth. | 4.8 |
2023-04-03 | CVE-2023-26529 | Dupeoff Project | Cross-site Scripting vulnerability in Dupeoff Project Dupeoff Auth. | 4.8 |
2023-04-05 | CVE-2023-1582 | Linux | Race Condition vulnerability in Linux Kernel A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. | 4.7 |
2023-04-05 | CVE-2023-20123 | Cisco | Authentication Bypass by Capture-replay vulnerability in Cisco DUO and DUO Authentication for Windows Logon and RDP A vulnerability in the offline access mode of Cisco Duo Two-Factor Authentication for macOS and Duo Authentication for Windows Logon and RDP could allow an unauthenticated, physical attacker to replay valid user session credentials and gain unauthorized access to an affected macOS or Windows device. | 4.6 |
2023-04-07 | CVE-2023-1937 | MY Blog Project | Cross-Site Request Forgery (CSRF) vulnerability in My-Blog Project My-Blog A vulnerability, which was classified as problematic, was found in zhenfeng13 My-Blog. | 4.3 |
2023-04-06 | CVE-2023-1927 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1928 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the wpfc_preload_single_callback function in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1929 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the wpfc_purgecache_varnish_callback function in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1930 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the wpfc_clear_cache_of_allsites_callback function in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1931 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the deleteCssAndJsCacheToolbar function in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1918 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1919 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1920 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1921 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1922 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1923 | Wpfastestcache | Cross-Site Request Forgery (CSRF) vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1924 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1925 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. | 4.3 |
2023-04-06 | CVE-2023-1926 | Wpfastestcache | Unspecified vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. | 4.3 |
2023-04-05 | CVE-2023-1866 | Plugin | Unspecified vulnerability in Plugin Yourchannel The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. | 4.3 |
2023-04-05 | CVE-2023-1867 | Plugin | Unspecified vulnerability in Plugin Yourchannel The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. | 4.3 |
2023-04-05 | CVE-2023-1870 | Plugin | Unspecified vulnerability in Plugin Yourchannel The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. | 4.3 |
2023-04-05 | CVE-2023-1871 | Plugin | Unspecified vulnerability in Plugin Yourchannel The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. | 4.3 |
2023-04-04 | CVE-2023-1752 | Getnexx | Improper Authentication vulnerability in Getnexx products The listed versions of Nexx Smart Home devices could allow any user to register an already registered alarm or associated device with only the device’s MAC address. | 4.3 |
2023-04-03 | CVE-2023-0225 | Samba | Incorrect Permission Assignment for Critical Resource vulnerability in Samba A flaw was found in Samba. | 4.3 |
2023-04-03 | CVE-2022-4769 | Hitachi | Information Exposure Through an Error Message vulnerability in Hitachi Vantara Pentaho Business Analytics Server Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the target path on the host when a file is uploaded with an invalid character in its name. | 4.3 |
2023-04-03 | CVE-2022-4770 | Hitachi | Information Exposure Through an Error Message vulnerability in Hitachi Vantara Pentaho Business Analytics Server Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt). | 4.3 |
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-04-06 | CVE-2022-46781 | ARM | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in ARM products An issue was discovered in the Arm Mali GPU Kernel Driver. | 3.3 |
2023-04-06 | CVE-2023-26083 | ARM | Memory Leak vulnerability in ARM products Memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 - r32p0, Bifrost GPU Kernel Driver all versions from r0p0 - r42p0, Valhall GPU Kernel Driver all versions from r19p0 - r42p0, and Avalon GPU Kernel Driver all versions from r41p0 - r42p0 allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata. | 3.3 |