Weekly Vulnerabilities Reports > April 10 to 16, 2023

Overview

489 new vulnerabilities reported during this period, including 80 critical vulnerabilities and 222 high severity vulnerabilities. This weekly summary report vulnerabilities in 998 products from 206 vendors including Qualcomm, Adobe, Fortinet, Jenkins, and Xwiki. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Out-of-bounds Read", and "Use After Free".

  • 366 reported vulnerabilities are remotely exploitables.
  • 182 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 303 reported vulnerabilities are exploitable by an anonymous user.
  • Qualcomm has the most reported vulnerabilities, with 33 reported vulnerabilities.
  • Lexmark has the most reported critical vulnerabilities, with 7 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

80 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-04-14 CVE-2023-29199 VM2 Project Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.

10.0
2023-04-11 CVE-2023-26121 Safe Eval Project Unspecified vulnerability in Safe-Eval Project Safe-Eval

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content.

10.0
2023-04-11 CVE-2023-26122 Safe Eval Project Unspecified vulnerability in Safe-Eval Project Safe-Eval

All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization.

10.0
2023-04-16 CVE-2023-2108 Judging Management System Project SQL Injection vulnerability in Judging Management System Project Judging Management System 1.0

A vulnerability has been found in SourceCodester Judging Management System 1.0 and classified as critical.

9.8
2023-04-16 CVE-2021-33990 Liferay Improper Preservation of Permissions vulnerability in Liferay Portal 6.2.5

Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists.

9.8
2023-04-16 CVE-2022-34128 Glpi Project Unrestricted Upload of File with Dangerous Type vulnerability in Glpi-Project Positions

The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php.

9.8
2023-04-15 CVE-2018-17452 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1.

9.8
2023-04-15 CVE-2020-29007 Mediawiki Code Injection vulnerability in Mediawiki Score

The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable.

9.8
2023-04-15 CVE-2023-2106 Calibre WEB Project Weak Password Requirements vulnerability in Calibre-Web Project Calibre-Web

Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.

9.8
2023-04-15 CVE-2023-2107 Ibos SQL Injection vulnerability in Ibos 4.5.5

A vulnerability, which was classified as critical, was found in IBOS 4.5.5.

9.8
2023-04-15 CVE-2022-2525 Calibre WEB Project Improper Restriction of Excessive Authentication Attempts vulnerability in Calibre-Web Project Calibre-Web

Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.

9.8
2023-04-15 CVE-2023-2097 Vehicle Service Management System Project SQL Injection vulnerability in Vehicle Service Management System Project Vehicle Service Management System 1.0

A vulnerability was found in SourceCodester Vehicle Service Management System 1.0.

9.8
2023-04-15 CVE-2023-2094 Vehicle Service Management System Project SQL Injection vulnerability in Vehicle Service Management System Project Vehicle Service Management System 1.0

A vulnerability has been found in SourceCodester Vehicle Service Management System 1.0 and classified as critical.

9.8
2023-04-15 CVE-2023-2095 Vehicle Service Management System Project SQL Injection vulnerability in Vehicle Service Management System Project Vehicle Service Management System 1.0

A vulnerability was found in SourceCodester Vehicle Service Management System 1.0 and classified as critical.

9.8
2023-04-15 CVE-2023-2096 Vehicle Service Management System Project SQL Injection vulnerability in Vehicle Service Management System Project Vehicle Service Management System 1.0

A vulnerability was found in SourceCodester Vehicle Service Management System 1.0.

9.8
2023-04-15 CVE-2023-2092 Vehicle Service Management System Project SQL Injection vulnerability in Vehicle Service Management System Project Vehicle Service Management System 1.0

A vulnerability, which was classified as critical, has been found in SourceCodester Vehicle Service Management System 1.0.

9.8
2023-04-15 CVE-2023-2093 Vehicle Service Management System Project SQL Injection vulnerability in Vehicle Service Management System Project Vehicle Service Management System 1.0

A vulnerability, which was classified as critical, was found in SourceCodester Vehicle Service Management System 1.0.

9.8
2023-04-15 CVE-2023-2027 ZM Ajax Login Register Project Improper Authentication vulnerability in ZM Ajax Login & Register Project ZM Ajax Login & Register

The ZM Ajax Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.2.

9.8
2023-04-15 CVE-2021-46880 Openbsd Improper Certificate Validation vulnerability in Openbsd

x509/x509_verify.c in LibreSSL before 3.4.2, and OpenBSD before 7.0 errata 006, allows authentication bypass because an error for an unverified certificate chain is sometimes discarded.

9.8
2023-04-15 CVE-2023-26463 Strongswan Improper Certificate Validation vulnerability in Strongswan 5.9.8/5.9.9

strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function.

9.8
2023-04-14 CVE-2023-27654 Whoapp Unspecified vulnerability in Whoapp WHO 1.0.28/1.0.30/1.0.32

An issue found in WHOv.1.0.28, v.1.0.30, v.1.0.32 allows an attacker to cause a escalation of privileges via the TTMultiProvider component.

9.8
2023-04-14 CVE-2023-2075 Campcodes Online Traffic Offense Management System Project SQL Injection vulnerability in Campcodes Online Traffic Offense Management System Project Campcodes Online Traffic Offense Management System 1.0

A vulnerability classified as critical has been found in Campcodes Online Traffic Offense Management System 1.0.

9.8
2023-04-14 CVE-2022-3748 Forgerock Unspecified vulnerability in Forgerock Access Management

Improper Authorization vulnerability in ForgeRock Inc.

9.8
2023-04-14 CVE-2023-1803 Redline Authentication Bypass by Alternate Name vulnerability in Redline Router Firmware

Authentication Bypass by Alternate Name vulnerability in DTS Electronics Redline Router firmware allows Authentication Bypass.This issue affects Redline Router: before 7.17.

9.8
2023-04-14 CVE-2023-1833 Redline Authentication Bypass by Primary Weakness vulnerability in Redline Router Firmware

Authentication Bypass by Primary Weakness vulnerability in DTS Electronics Redline Router firmware allows Authentication Bypass.This issue affects Redline Router: before 7.17.

9.8
2023-04-14 CVE-2023-29798 Totolink Command Injection vulnerability in Totolink X18 Firmware 9.1.0Cu.2024B20220329

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the command parameter in the setTracerouteCfg function.

9.8
2023-04-14 CVE-2023-29799 Totolink Command Injection vulnerability in Totolink X18 Firmware 9.1.0Cu.2024B20220329

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the hostname parameter in the setOpModeCfg function.

9.8
2023-04-14 CVE-2023-29800 Totolink Command Injection vulnerability in Totolink X18 Firmware 9.1.0Cu.2024B20220329

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function.

9.8
2023-04-14 CVE-2023-29801 Totolink Command Injection vulnerability in Totolink X18 Firmware 9.1.0Cu.2024B20220329

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain multiple command injection vulnerabilities via the rtLogEnabled and rtLogServer parameters in the setSyslogCfg function.

9.8
2023-04-14 CVE-2023-29802 Totolink Command Injection vulnerability in Totolink X18 Firmware 9.1.0Cu.2021B20220326/9.1.0Cu.2024B20220329

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the ip parameter in the setDiagnosisCfg function.

9.8
2023-04-14 CVE-2023-29803 Totolink Command Injection vulnerability in Totolink X18 Firmware 9.1.0Cu.2024B20220329

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the pid parameter in the disconnectVPN function.

9.8
2023-04-14 CVE-2023-2056 Dedecms Code Injection vulnerability in Dedecms

A vulnerability was found in DedeCMS up to 5.7.87 and classified as critical.

9.8
2023-04-14 CVE-2022-47027 Timmystudios Path Traversal vulnerability in Timmystudios Fast Typing Keyboard 1.275.1.162

Timmystudios Fast Typing Keyboard v1.275.1.162 allows unauthorized apps to overwrite arbitrary files in its internal storage via a dictionary traversal vulnerability and achieve arbitrary code execution.

9.8
2023-04-14 CVE-2023-1617 BR Automation Improper Authentication vulnerability in Br-Automation VC4

Improper Authentication vulnerability in B&R Industrial Automation B&R VC4 (VNC-Server modules).  This vulnerability may allow an unauthenticated network-based attacker to bypass the authentication mechanism of the VC4 visualization on affected devices.

9.8
2023-04-14 CVE-2023-27648 Timmystudios Path Traversal vulnerability in Timmystudios Change Color of Keypad 1.275.1.277

Directory Traversal vulnerability found in T-ME Studios Change Color of Keypad v.1.275.1.277 allows a remote attacker to execute arbitrary code via the dex file in the internal storage.

9.8
2023-04-14 CVE-2023-2050 Advanced Online Voting System Project SQL Injection vulnerability in Advanced Online Voting System Project Advanced Online Voting System 1.0

A vulnerability was found in Campcodes Advanced Online Voting System 1.0.

9.8
2023-04-14 CVE-2023-2051 Advanced Online Voting System Project SQL Injection vulnerability in Advanced Online Voting System Project Advanced Online Voting System 1.0

A vulnerability classified as critical has been found in Campcodes Advanced Online Voting System 1.0.

9.8
2023-04-14 CVE-2023-2052 Advanced Online Voting System Project SQL Injection vulnerability in Advanced Online Voting System Project Advanced Online Voting System 1.0

A vulnerability classified as critical was found in Campcodes Advanced Online Voting System 1.0.

9.8
2023-04-14 CVE-2023-2043 Assaabloy SQL Injection vulnerability in Assaabloy Control ID Rhid 23.3.19.0

A vulnerability, which was classified as problematic, was found in Control iD RHiD 23.3.19.0.

9.8
2023-04-14 CVE-2023-1863 Eskom SQL Injection vulnerability in Eskom EL Terminali (Su Okuma) Uygulamalarimiz

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eskom Water Metering Software allows Command Line Execution through SQL Injection.This issue affects Water Metering Software: before 23.04.06.

9.8
2023-04-14 CVE-2023-2037 Campcodes Video Sharing Website Project SQL Injection vulnerability in Campcodes Video Sharing Website Project Campcodes Video Sharing Website 1.0

A vulnerability was found in Campcodes Video Sharing Website 1.0.

9.8
2023-04-14 CVE-2023-29622 Purchase Order Management Project SQL Injection vulnerability in Purchase Order Management Project Purchase Order Management 1.0

Purchase Order Management v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /purchase_order/admin/login.php.

9.8
2023-04-14 CVE-2023-26918 Filereplicationpro Incorrect Default Permissions vulnerability in Filereplicationpro File Replication PRO 7.5.0

Diasoft File Replication Pro 7.5.0 allows attackers to escalate privileges by replacing a legitimate file with a Trojan horse that will be executed as LocalSystem.

9.8
2023-04-13 CVE-2023-27667 Auto Dealer Management System Project SQL Injection vulnerability in Auto Dealer Management System Project Auto Dealer Management System 1.0

Auto Dealer Management System v1.0 was discovered to contain a SQL injection vulnerability.

9.8
2023-04-13 CVE-2023-27746 Blackvue Improper Restriction of Excessive Authentication Attempts vulnerability in Blackvue Dr750-2Ch IR LTE Firmware and Dr750-2Ch LTE Firmware

BlackVue DR750-2CH LTE v.1.012_2022.10.26 was discovered to contain a weak default passphrase which can be easily cracked via a brute force attack if the WPA2 handshake is intercepted.

9.8
2023-04-13 CVE-2023-27748 Blackvue Insufficient Verification of Data Authenticity vulnerability in Blackvue Dr750-2Ch IR LTE Firmware and Dr750-2Ch LTE Firmware

BlackVue DR750-2CH LTE v.1.012_2022.10.26 does not employ authenticity check for uploaded firmware.

9.8
2023-04-13 CVE-2023-27779 Amsystem SQL Injection vulnerability in Amsystem AM Presencia 3.7.3

AM Presencia v3.7.3 was discovered to contain a SQL injection vulnerability via the user parameter in the login form.

9.8
2023-04-13 CVE-2023-29598 Lmxcms SQL Injection vulnerability in Lmxcms 1.4.1

lmxcms v1.4.1 was discovered to contain a SQL injection vulnerability via the setbook parameter at index.php.

9.8
2023-04-13 CVE-2022-25678 Qualcomm Out-of-bounds Write vulnerability in Qualcomm products

Memory correction in modem due to buffer overwrite during coap connection

9.8
2023-04-13 CVE-2022-25740 Qualcomm Out-of-bounds Write vulnerability in Qualcomm products

Memory corruption in modem due to buffer overwrite while building an IPv6 multicast address based on the MAC address of the iface

9.8
2023-04-13 CVE-2022-25745 Qualcomm Always-Incorrect Control Flow Implementation vulnerability in Qualcomm products

Memory corruption in modem due to improper input validation while handling the incoming CoAP message

9.8
2023-04-13 CVE-2022-33211 Qualcomm Incorrect Calculation of Buffer Size vulnerability in Qualcomm products

memory corruption in modem due to improper check while calculating size of serialized CoAP message

9.8
2023-04-13 CVE-2022-33259 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Memory corruption due to buffer copy without checking the size of input in modem while decoding raw SMS received.

9.8
2023-04-12 CVE-2023-28121 Automattic Improper Authentication vulnerability in Automattic Woocommerce Payments and Woopayments

An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator.

9.8
2023-04-11 CVE-2023-28808 Hikvision Unspecified vulnerability in Hikvision products

Some Hikvision Hybrid SAN/Cluster Storage products have an access control vulnerability which can be used to obtain the admin permission.

9.8
2023-04-11 CVE-2020-19802 Doyocms Project Unrestricted Upload of File with Dangerous Type vulnerability in Doyocms Project Doyocms 2.3

File Upload vulnerability found in Milken DoyoCMS v.2.3 allows a remote attacker to execute arbitrary code via the upload file type parameter.

9.8
2023-04-11 CVE-2023-1984 Complaint Management System Project SQL Injection vulnerability in Complaint Management System Project Complaint Management System 1.0

A vulnerability classified as critical was found in SourceCodester Complaint Management System 1.0.

9.8
2023-04-11 CVE-2022-41331 Fortinet Missing Authentication for Critical Function vulnerability in Fortinet Fortiproxy

A missing authentication for critical function vulnerability [CWE-306] in FortiPresence infrastructure server before version 1.2.1 allows a remote, unauthenticated attacker to access the Redis and MongoDB instances via crafted authentication requests.

9.8
2023-04-11 CVE-2023-1983 Sales Tracker Management System Project SQL Injection vulnerability in Sales Tracker Management System Project Sales Tracker Management System 1.0

A vulnerability was found in SourceCodester Sales Tracker Management System 1.0.

9.8
2023-04-11 CVE-2023-27192 Dualspace Unspecified vulnerability in Dualspace Super Security 2.3.7

An issue found in DUALSPACE Super Secuirty v.2.3.7 allows an attacker to cause a denial of service via the key_wifi_safe_net_check_url, KEY_Cirus_scan_whitelist and KEY_AD_NEW_USER_AVOID_TIME parameters.

9.8
2023-04-11 CVE-2023-28489 Siemens Command Injection vulnerability in Siemens Cp-8031 Firmware and Cp-8050 Firmware

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05).

9.8
2023-04-10 CVE-2023-26063 Lexmark Type Confusion vulnerability in Lexmark products

Certain Lexmark devices through 2023-02-19 access a Resource By Using an Incompatible Type.

9.8
2023-04-10 CVE-2023-26064 Lexmark Out-of-bounds Write vulnerability in Lexmark products

Certain Lexmark devices through 2023-02-19 have an Out-of-bounds Write.

9.8
2023-04-10 CVE-2023-26065 Lexmark Integer Overflow or Wraparound vulnerability in Lexmark products

Certain Lexmark devices through 2023-02-19 have an Integer Overflow.

9.8
2023-04-10 CVE-2023-26066 Lexmark Improper Validation of Array Index vulnerability in Lexmark products

Certain Lexmark devices through 2023-02-19 have Improper Validation of an Array Index.

9.8
2023-04-10 CVE-2023-26068 Lexmark Improper Input Validation vulnerability in Lexmark products

Certain Lexmark devices through 2023-02-19 mishandle Input Validation (issue 2 of 4).

9.8
2023-04-10 CVE-2023-26069 Lexmark Improper Input Validation vulnerability in Lexmark products

Certain Lexmark devices through 2023-02-19 mishandle Input Validation (issue 3 of 4).

9.8
2023-04-10 CVE-2023-26070 Lexmark Improper Input Validation vulnerability in Lexmark products

Certain Lexmark devices through 2023-02-19 mishandle Input Validation (issue 4 of 4).

9.8
2023-04-10 CVE-2022-46709 Apple Out-of-bounds Write vulnerability in Apple Iphone OS

A memory corruption issue was addressed with improved state management.

9.8
2023-04-10 CVE-2015-10100 Qurl SQL Injection vulnerability in Qurl Dynamic Widgets

A vulnerability, which was classified as critical, has been found in Dynamic Widgets Plugin up to 1.5.10 on WordPress.

9.8
2023-04-10 CVE-2023-1969 Online Eyewear Shop Project SQL Injection vulnerability in Online Eyewear Shop Project Online Eyewear Shop 1.0

A vulnerability classified as critical was found in SourceCodester Online Eyewear Shop 1.0.

9.8
2023-04-10 CVE-2023-1478 Incsub Unspecified vulnerability in Incsub Hummingbird

The Hummingbird WordPress plugin before 3.4.2 does not validate the generated file path for page cache files before writing them, leading to a path traversal vulnerability in the page cache module.

9.8
2023-04-10 CVE-2015-10099 Codepeople SQL Injection vulnerability in Codepeople CP Appointment Calendar 1.1.5

A vulnerability classified as critical has been found in CP Appointment Calendar Plugin up to 1.1.5 on WordPress.

9.8
2023-04-16 CVE-2022-48312 Huawei Out-of-bounds Write vulnerability in Huawei Emui and Harmonyos

The HwPCAssistant module has the out-of-bounds read/write vulnerability.

9.1
2023-04-13 CVE-2023-27812 Bloofox Path Traversal vulnerability in Bloofox Bloofoxcms 0.5.2

bloofox v0.5.2 was discovered to contain an arbitrary file deletion vulnerability via the delete_file() function.

9.1
2023-04-15 CVE-2023-29207 Xwiki Cross-site Scripting vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

9.0
2023-04-15 CVE-2023-29201 Xwiki Cross-site Scripting vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

9.0
2023-04-15 CVE-2023-29202 Xwiki Cross-site Scripting vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

9.0
2023-04-13 CVE-2022-45064 Apache Cross-site Scripting vulnerability in Apache Sling

The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level.

9.0
2023-04-12 CVE-2023-27830 Tightvnc Improper Privilege Management vulnerability in Tightvnc

TightVNC before v2.8.75 allows attackers to escalate privileges on the host operating system via replacing legitimate files with crafted files when executing a file transfer.

9.0

222 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-04-16 CVE-2023-29509 Xwiki Code Injection vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

8.8
2023-04-16 CVE-2023-29511 Xwiki Eval Injection vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

8.8
2023-04-16 CVE-2023-30474 Ultimate Noindex Nofollow Tool II Project Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Noindex Nofollow Tool II Project Ultimate Noindex Nofollow Tool II 1.3

Cross-Site Request Forgery (CSRF) vulnerability in Kilian Evang Ultimate Noindex Nofollow Tool II plugin <= 1.3 versions.

8.8
2023-04-16 CVE-2023-30537 Xwiki Code Injection vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

8.8
2023-04-16 CVE-2023-30542 Openzeppelin Unspecified vulnerability in Openzeppelin Contracts and Contracts Upgradeable

OpenZeppelin Contracts is a library for secure smart contract development.

8.8
2023-04-16 CVE-2023-29211 Xwiki Code Injection vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

8.8
2023-04-16 CVE-2023-29212 Xwiki Code Injection vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

8.8
2023-04-16 CVE-2023-29214 Xwiki Code Injection vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

8.8
2023-04-16 CVE-2022-38841 Linksys OS Command Injection vulnerability in Linksys E8450 Firmware 1.1.00

Linksys AX3200 1.1.00 is vulnerable to OS command injection by authenticated users via shell metacharacters to the diagnostics traceroute page.

8.8
2023-04-15 CVE-2018-17451 Gitlab Cross-Site Request Forgery (CSRF) vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1.

8.8
2023-04-15 CVE-2021-45464 Kvmtool Project Out-of-bounds Write vulnerability in Kvmtool Project Kvmtool

kvmtool through 39181fc allows an out-of-bounds write, related to virtio/balloon.c and virtio/pci.c.

8.8
2023-04-15 CVE-2023-29209 Xwiki Code Injection vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

8.8
2023-04-15 CVE-2023-29210 Xwiki Code Injection vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

8.8
2023-04-15 CVE-2023-2105 Easyappointments Session Fixation vulnerability in Easyappointments

Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

8.8
2023-04-15 CVE-2023-2090 Employee AND Visitor Gate Pass Logging System Project SQL Injection vulnerability in Employee and Visitor Gate Pass Logging System Project Employee and Visitor Gate Pass Logging System 1.0

A vulnerability classified as critical has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0.

8.8
2023-04-15 CVE-2023-2089 Complaint Management System Project SQL Injection vulnerability in Complaint Management System Project Complaint Management System 1.0

A vulnerability was found in SourceCodester Complaint Management System 1.0.

8.8
2023-04-15 CVE-2022-45030 Rconfig SQL Injection vulnerability in Rconfig 3.9.7

A SQL injection vulnerability in rConfig 3.9.7 exists via lib/ajaxHandlers/ajaxCompareGetCmdDates.php?command= (this may interact with secure-file-priv).

8.8
2023-04-14 CVE-2023-30535 Snowflake Command Injection vulnerability in Snowflake Jdbc

Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake.

8.8
2023-04-14 CVE-2023-29018 Linuxfoundation Unspecified vulnerability in Linuxfoundation Openfeature

The OpenFeature Operator allows users to expose feature flags to applications.

8.8
2023-04-14 CVE-2023-2033 Google
Debian
Fedoraproject
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-04-14 CVE-2023-2042 Datagear Deserialization of Untrusted Data vulnerability in Datagear

A vulnerability, which was classified as problematic, has been found in DataGear up to 4.5.1.

8.8
2023-04-14 CVE-2023-2040 Xxyopen SQL Injection vulnerability in Xxyopen Novel-Plus 3.6.2

A vulnerability classified as critical has been found in novel-plus 3.6.2.

8.8
2023-04-14 CVE-2023-2041 Xxyopen SQL Injection vulnerability in Xxyopen Novel-Plus 3.6.2

A vulnerability classified as critical was found in novel-plus 3.6.2.

8.8
2023-04-14 CVE-2023-2039 Xxyopen SQL Injection vulnerability in Xxyopen Novel-Plus 3.6.2

A vulnerability was found in novel-plus 3.6.2.

8.8
2023-04-14 CVE-2023-29621 Purchase Order Management Project Unrestricted Upload of File with Dangerous Type vulnerability in Purchase Order Management Project Purchase Order Management 1.0

Purchase Order Management v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.

8.8
2023-04-14 CVE-2023-29625 Employee Performance Evaluation System Project Unrestricted Upload of File with Dangerous Type vulnerability in Employee Performance Evaluation System Project Employee Performance Evaluation System 1.0

Employee Performance Evaluation System v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.

8.8
2023-04-14 CVE-2023-29627 Online Pizza Ordering Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Pizza Ordering Project Online Pizza Ordering 1.0

Online Pizza Ordering v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.

8.8
2023-04-14 CVE-2023-2034 Froxlor Unrestricted Upload of File with Dangerous Type vulnerability in Froxlor

Unrestricted Upload of File with Dangerous Type in GitHub repository froxlor/froxlor prior to 2.0.14.

8.8
2023-04-13 CVE-2023-22951 Tigergraph Unspecified vulnerability in Tigergraph Cloud and Tigergraph Enterprise

An issue was discovered in TigerGraph Enterprise Free Edition 3.x.

8.8
2023-04-13 CVE-2023-29597 Bloofox SQL Injection vulnerability in Bloofox Bloofoxcms 0.5.2

bloofox v0.5.2 was discovered to contain a SQL injection vulnerability via the component /index.php?mode=content&page=pages&action=edit&eid=1.

8.8
2023-04-13 CVE-2022-33288 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Memory corruption due to buffer copy without checking the size of input in Core while sending SCM command to get write protection information.

8.8
2023-04-12 CVE-2023-30525 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Report Portal

A cross-site request forgery (CSRF) vulnerability in Jenkins Report Portal Plugin 0.5 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified bearer token authentication.

8.8
2023-04-12 CVE-2023-27216 Dlink OS Command Injection vulnerability in Dlink Dsl-3782 Firmware 1.03

An issue found in D-Link DSL-3782 v.1.03 allows remote authenticated users to execute arbitrary code as root via the network settings page.

8.8
2023-04-12 CVE-2023-1874 Wpdataaccess Unspecified vulnerability in Wpdataaccess WP Data Access

The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7.

8.8
2023-04-11 CVE-2023-22613 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5.

8.8
2023-04-11 CVE-2023-22614 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O

An issue was discovered in ChipsetSvcSmm in Insyde InsydeH2O with kernel 5.0 through 5.5.

8.8
2023-04-11 CVE-2023-24885 Microsoft Unspecified vulnerability in Microsoft products

Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

8.8
2023-04-11 CVE-2023-28231 Microsoft Unspecified vulnerability in Microsoft products

DHCP Server Service Remote Code Execution Vulnerability

8.8
2023-04-11 CVE-2023-22612 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5.

8.8
2023-04-11 CVE-2020-19803 Doyocms Project Cross-Site Request Forgery (CSRF) vulnerability in Doyocms Project Doyocms 2.3

Cross Site Request Forgery vulnerability found in Milken DoyoCMS v.2.3 allows a remote attacker to execute arbitrary code via the background system settings.

8.8
2023-04-11 CVE-2022-27487 Fortinet Improper Privilege Management vulnerability in Fortinet Fortideceptor and Fortisandbox

A improper privilege management in Fortinet FortiSandbox version 4.2.0 through 4.2.2, 4.0.0 through 4.0.2 and before 3.2.3 and FortiDeceptor version 4.1.0, 4.0.0 through 4.0.2 and before 3.3.3 allows a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests.

8.8
2023-04-11 CVE-2022-43947 Fortinet Improper Restriction of Excessive Authentication Attempts vulnerability in Fortinet Fortios and Fortiproxy

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiOS version 7.2.0 through 7.2.3 and before 7.0.10, FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8 administrative interface allows an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.

8.8
2023-04-11 CVE-2023-27995 Fortinet Unspecified vulnerability in Fortinet Fortisoar 7.3.0/7.3.1

A improper neutralization of special elements used in a template engine vulnerability in Fortinet FortiSOAR 7.3.0 through 7.3.1 allows an authenticated, remote attacker to execute arbitrary code via a crafted payload.

8.8
2023-04-11 CVE-2023-1976 Answer Password Aging with Long Expiration vulnerability in Answer

Password Aging with Long Expiration in GitHub repository answerdev/answer prior to 1.0.6.

8.8
2023-04-10 CVE-2023-28205 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

8.8
2023-04-10 CVE-2023-1381 Joomunited Unspecified vulnerability in Joomunited WP Meta SEO

The WP Meta SEO WordPress plugin before 4.5.5 does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability.

8.8
2023-04-10 CVE-2023-1406 Crocoblock Unrestricted Upload of File with Dangerous Type vulnerability in Crocoblock Jetengine for Elementor

The JetEngine WordPress plugin before 3.1.3.1 includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability.

8.8
2023-04-10 CVE-2012-10012 Bestwebsoft Cross-Site Request Forgery (CSRF) vulnerability in Bestwebsoft Facebook Button

A vulnerability has been found in BestWebSoft Facebook Like Button up to 2.13 and classified as problematic.

8.8
2023-04-15 CVE-2020-17354 Lilypond Incorrect Authorization vulnerability in Lilypond

LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format.

8.6
2023-04-10 CVE-2023-28206 Apple Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS

An out-of-bounds write issue was addressed with improved input validation.

8.6
2023-04-11 CVE-2023-22615 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O 05.37.03/05.45.01/05.53.01

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5.

8.4
2023-04-10 CVE-2023-1668 Cloudbase
Debian
Redhat
Always-Incorrect Control Flow Implementation vulnerability in multiple products

A flaw was found in openvswitch (OVS).

8.2
2023-04-11 CVE-2023-28288 Microsoft Unspecified vulnerability in Microsoft Sharepoint Foundation and Sharepoint Server

Microsoft SharePoint Server Spoofing Vulnerability

8.1
2023-04-11 CVE-2023-25409 Aten Exposure of Resource to Wrong Sphere vulnerability in Aten Pe8108 Firmware 2.4.232

Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control.

8.1
2023-04-11 CVE-2022-43946 Fortinet Incorrect Permission Assignment for Critical Resource vulnerability in Fortinet Forticlient

Multiple vulnerabilities including an incorrect permission assignment for critical resource [CWE-732] vulnerability and a time-of-check time-of-use (TOCTOU) race condition [CWE-367] vulnerability in Fortinet FortiClientWindows before 7.0.7 allows attackers on the same file sharing network to execute commands via writing data into a windows pipe.

8.1
2023-04-11 CVE-2023-22642 Fortinet Improper Certificate Validation vulnerability in Fortinet Fortianalyzer and Fortimanager

An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer and FortiManager 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4.8 through 6.4.10 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and the remote FortiGuard server hosting outbreakalert ressources.

8.1
2023-04-11 CVE-2022-43770 Hitachivantara Incorrect Authorization vulnerability in Hitachivantara Pentaho Business Analytics 8.0

Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API.

8.1
2023-04-10 CVE-2023-26067 Lexmark Improper Input Validation vulnerability in Lexmark products

Certain Lexmark devices through 2023-02-19 mishandle Input Validation (issue 1 of 4).

8.1
2023-04-15 CVE-2023-2091 Kylinos OS Command Injection vulnerability in Kylinos Youker-Assistant

A vulnerability classified as critical was found in KylinSoft youker-assistant on KylinOS.

7.8
2023-04-15 CVE-2023-22669 Opendesign Out-of-bounds Write vulnerability in Opendesign Drawings SDK

Parsing of DWG files in Open Design Alliance Drawings SDK before 2023.6 lacks proper validation of the length of user-supplied XRecord data prior to copying it to a fixed-length heap-based buffer.

7.8
2023-04-15 CVE-2023-22670 Opendesign Out-of-bounds Write vulnerability in Opendesign Drawings SDK

A heap-based buffer overflow exists in the DXF file reading procedure in Open Design Alliance Drawings SDK before 2023.6.

7.8
2023-04-14 CVE-2023-2008 Linux Improper Validation of Array Index vulnerability in Linux Kernel

A flaw was found in the Linux kernel's udmabuf device driver.

7.8
2023-04-14 CVE-2023-27912 Autodesk Out-of-bounds Read vulnerability in Autodesk products

A maliciously crafted X_B file when parsed through Autodesk® AutoCAD® 2023 can force an Out-of-Bound Read.

7.8
2023-04-14 CVE-2023-27913 Autodesk Integer Overflow or Wraparound vulnerability in Autodesk products

A maliciously crafted X_B file when parsed through Autodesk® AutoCAD® 2023 can be used to cause an Integer Overflow.

7.8
2023-04-14 CVE-2023-27914 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A maliciously crafted X_B file when parsed through Autodesk® AutoCAD® 2023 can be used to write beyond the allocated buffer causing a Stack Buffer Overflow.

7.8
2023-04-14 CVE-2023-27915 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A maliciously crafted X_B file when parsed through Autodesk® AutoCAD® 2023 could lead to memory corruption vulnerability by read access violation.

7.8
2023-04-14 CVE-2023-29067 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A maliciously crafted X_B file when parsed through Autodesk® AutoCAD® 2023 could lead to memory corruption vulnerability by write access violation.

7.8
2023-04-14 CVE-2023-27193 Dualspace Unspecified vulnerability in Dualspace Space Clean & Super Cleaner 1.1.3

An issue found in DUALSPACE v.1.1.3 allows a local attacker to gain privileges via the key_ad_new_user_avoid_time field.

7.8
2023-04-14 CVE-2023-27651 Egostudiogroup Unspecified vulnerability in Egostudiogroup Superclean 1.1.5/1.1.9

An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges via the update_info field of the _default_.xml file.

7.8
2023-04-14 CVE-2023-29491 GNU Out-of-bounds Write vulnerability in GNU Ncurses

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

7.8
2023-04-13 CVE-2023-24509 Arista Unspecified vulnerability in Arista EOS

On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation.

7.8
2023-04-13 CVE-2023-26398 Adobe Out-of-bounds Read vulnerability in Adobe Substance 3D Designer

Adobe Substance 3D Designer version 12.4.0 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.

7.8
2023-04-13 CVE-2023-26409 Adobe Out-of-bounds Read vulnerability in Adobe Substance 3D Designer

Adobe Substance 3D Designer version 12.4.0 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.

7.8
2023-04-13 CVE-2023-26410 Adobe Use After Free vulnerability in Adobe Substance 3D Designer

Adobe Substance 3D Designer version 12.4.0 (and earlier) is affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-13 CVE-2023-26411 Adobe Out-of-bounds Read vulnerability in Adobe Substance 3D Designer

Adobe Substance 3D Designer version 12.4.0 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.

7.8
2023-04-13 CVE-2023-26412 Adobe Out-of-bounds Write vulnerability in Adobe Substance 3D Designer

Adobe Substance 3D Designer version 12.4.0 (and earlier) is affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-13 CVE-2023-26413 Adobe Out-of-bounds Write vulnerability in Adobe Substance 3D Designer

Adobe Substance 3D Designer version 12.4.0 (and earlier) is affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-13 CVE-2023-26414 Adobe Use After Free vulnerability in Adobe Substance 3D Designer

Adobe Substance 3D Designer version 12.4.0 (and earlier) is affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-13 CVE-2023-26415 Adobe Out-of-bounds Write vulnerability in Adobe Substance 3D Designer

Adobe Substance 3D Designer version 12.4.0 (and earlier) is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-13 CVE-2023-26416 Adobe Out-of-bounds Write vulnerability in Adobe Substance 3D Designer

Adobe Substance 3D Designer version 12.4.0 (and earlier) is affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-13 CVE-2022-33231 Qualcomm Double Free vulnerability in Qualcomm products

Memory corruption due to double free in core while initializing the encryption key.

7.8
2023-04-13 CVE-2022-33269 Qualcomm Integer Overflow or Wraparound vulnerability in Qualcomm products

Memory corruption due to integer overflow or wraparound in Core while DDR memory assignment.

7.8
2023-04-13 CVE-2022-33282 Qualcomm Integer Overflow or Wraparound vulnerability in Qualcomm products

Memory corruption in Automotive Multimedia due to integer overflow to buffer overflow during IOCTL calls in video playback.

7.8
2023-04-13 CVE-2022-33296 Qualcomm Integer Overflow or Wraparound vulnerability in Qualcomm products

Memory corruption due to integer overflow to buffer overflow in Modem while parsing Traffic Channel Neighbor List Update message.

7.8
2023-04-13 CVE-2022-33298 Qualcomm Use After Free vulnerability in Qualcomm products

Memory corruption due to use after free in Modem while modem initialization.

7.8
2023-04-13 CVE-2022-33301 Qualcomm Incorrect Type Conversion or Cast vulnerability in Qualcomm products

Memory corruption due to incorrect type conversion or cast in audio while using audio playback/capture when crafted address is sent from AGM IPC to AGM.

7.8
2023-04-13 CVE-2022-33302 Qualcomm Improper Validation of Array Index vulnerability in Qualcomm products

Memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length.

7.8
2023-04-13 CVE-2022-40532 Qualcomm Integer Overflow or Wraparound vulnerability in Qualcomm products

Memory corruption due to integer overflow or wraparound in WLAN while sending WMI cmd from host to target.

7.8
2023-04-13 CVE-2023-21630 Qualcomm Integer Overflow or Wraparound vulnerability in Qualcomm products

Memory Corruption in Multimedia Framework due to integer overflow when synx bind is called along with synx signal.

7.8
2023-04-12 CVE-2023-21582 Adobe Out-of-bounds Write vulnerability in Adobe Digital Editions

Adobe Digital Editions version 4.5.11.187303 (and earlier) is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-22235 Adobe Use After Free vulnerability in Adobe Incopy

InCopy versions 18.1 (and earlier), 17.4 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26395 Adobe Out-of-bounds Write vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26396 Adobe Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user.

7.8
2023-04-12 CVE-2023-26405 Adobe Improper Input Validation vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26406 Adobe Unspecified vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26407 Adobe Improper Input Validation vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26408 Adobe Unspecified vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26417 Adobe Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26418 Adobe Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26419 Adobe Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26420 Adobe Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26421 Adobe Integer Underflow (Wrap or Wraparound) vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an Integer Underflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26422 Adobe Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26423 Adobe Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26424 Adobe Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-04-12 CVE-2023-26425 Adobe Out-of-bounds Read vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.

7.8
2023-04-12 CVE-2023-22616 Insyde Externally Controlled Reference to a Resource in Another Sphere vulnerability in Insyde Insydeh2O

An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5.

7.8
2023-04-12 CVE-2023-1829 Linux Use After Free vulnerability in Linux Kernel

A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root. We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.

7.8
2023-04-11 CVE-2023-28296 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2017

Visual Studio Remote Code Execution Vulnerability

7.8
2023-04-11 CVE-2023-28252 Microsoft Unspecified vulnerability in Microsoft products

Windows Common Log File System Driver Elevation of Privilege Vulnerability

7.8
2023-04-11 CVE-2023-28304 Microsoft Unspecified vulnerability in Microsoft Odbc and OLE DB

Microsoft ODBC and OLE DB Remote Code Execution Vulnerability

7.8
2023-04-11 CVE-2023-28285 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Office Remote Code Execution Vulnerability

7.8
2023-04-11 CVE-2023-23375 Microsoft Unspecified vulnerability in Microsoft Odbc and OLE DB

Microsoft ODBC and OLE DB Remote Code Execution Vulnerability

7.8
2023-04-11 CVE-2023-28248 Microsoft Unspecified vulnerability in Microsoft products

Windows Kernel Elevation of Privilege Vulnerability

7.8
2023-04-11 CVE-2023-28293 Microsoft Unspecified vulnerability in Microsoft products

Windows Kernel Elevation of Privilege Vulnerability

7.8
2023-04-11 CVE-2021-46878 Treasuredata Type Confusion vulnerability in Treasuredata Fluent BIT 1.7.1

An issue was discovered in Treasure Data Fluent Bit 1.7.1, erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets whatever is on the stack as msgpack maps and arrays, leading to use-after-free.

7.8
2023-04-11 CVE-2021-46879 Treasuredata Out-of-bounds Write vulnerability in Treasuredata Fluent BIT 1.7.1

An issue was discovered in Treasure Data Fluent Bit 1.7.1, a wrong variable is used to get the msgpack data resulting in a heap overflow in flb_msgpack_gelf_value_ext.

7.8
2023-04-11 CVE-2022-40679 Fortinet OS Command Injection vulnerability in Fortinet Fortiadc, Fortiddos and Fortiddos-F

An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC 5.x all versions, 6.0 all versions, 6.1 all versions, 6.2.0 through 6.2.4, 7.0.0 through 7.0.3, 7.1.0; FortiDDoS 4.x all versions, 5.0 all versions, 5.1 all versions, 5.2 all versions, 5.3 all versions, 5.4 all versions, 5.5 all versions, 5.6 all versions and FortiDDoS-F 6.4.0, 6.3.0 through 6.3.3, 6.2.0 through 6.2.2, 6.1.0 through 6.1.4 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

7.8
2023-04-11 CVE-2022-40682 Fortinet Incorrect Authorization vulnerability in Fortinet Forticlient

A incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe.

7.8
2023-04-11 CVE-2022-42470 Fortinet Path Traversal vulnerability in Fortinet Forticlient

A relative path traversal vulnerability in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe.

7.8
2023-04-11 CVE-2022-43948 Fortinet OS Command Injection vulnerability in Fortinet Fortiadc and Fortiweb

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 7.0.0 through 7.0.3, FortiADC version 7.1.0 through 7.1.1, FortiADC version 7.0.0 through 7.0.3, FortiADC 6.2 all versions, FortiADC 6.1 all versions, FortiADC 6.0 all versions, FortiADC 5.4 all versions, FortiADC 5.3 all versions, FortiADC 5.2 all versions, FortiADC 5.1 all versions allows attacker to execute unauthorized code or commands via specifically crafted arguments to existing commands.

7.8
2023-04-11 CVE-2023-22635 Fortinet Download of Code Without Integrity Check vulnerability in Fortinet Forticlient

A download of code without Integrity check vulnerability [CWE-494] in FortiClientMac version 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions, 5.6 all versions, 5.4 all versions, 5.2 all versions, 5.0 all versions and 4.0 all versions may allow a local attacker to escalate their privileges via modifying the installer upon upgrade.

7.8
2023-04-11 CVE-2023-1552 GE Deserialization of Untrusted Data vulnerability in GE Toolboxst 04.07.05C/07.09.07C

ToolboxST prior to version 7.10 is affected by a deserialization vulnerability.

7.8
2023-04-11 CVE-2023-26593 Yokogawa Cleartext Storage of Sensitive Information vulnerability in Yokogawa products

CENTUM series provided by Yokogawa Electric Corporation are vulnerable to cleartext storage of sensitive information.

7.8
2023-04-16 CVE-2023-22687 Freesoul Deactivate Plugins Plugin Manager AND Cleanup Project Insecure Storage of Sensitive Information vulnerability in Freesoul Deactivate Plugins - Plugin Manager and Cleanup Project Freesoul Deactivate Plugins - Plugin Manager and Cleanup

Insecure Storage of Sensitive Information vulnerability in Jose Mortellaro Freesoul Deactivate Plugins – Plugin manager and cleanup plugin <= 1.9.4.0 versions.

7.5
2023-04-16 CVE-2021-36520 Washington SQL Injection vulnerability in Washington I-Tech Trainsmart R1044

A SQL injection vulnerability in I-Tech Trainsmart r1044 exists via a evaluation/assign-evaluation?id= URI.

7.5
2023-04-16 CVE-2022-34126 Glpi Project Path Traversal vulnerability in Glpi-Project Activity

The Activity plugin before 3.1.1 for GLPI allows reading local files via directory traversal in the front/cra.send.php file parameter.

7.5
2023-04-16 CVE-2022-34127 Glpi Project Path Traversal vulnerability in Glpi-Project Manageentities

The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter.

7.5
2023-04-16 CVE-2022-37255 TP Link Use of Hard-coded Credentials vulnerability in Tp-Link Tapo C310 Firmware 1.3.0

TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603.

7.5
2023-04-16 CVE-2022-38840 Guralp XXE vulnerability in Guralp Man-Eam-0003 3.2.4

cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.

7.5
2023-04-16 CVE-2022-40946 Dlink Unspecified vulnerability in Dlink Dir-819 Firmware 1.06

On D-Link DIR-819 Firmware Version 1.06 Hardware Version A1 devices, it is possible to trigger a Denial of Service via the sys_token parameter in a cgi-bin/webproc?getpage=html/index.html request.

7.5
2023-04-15 CVE-2018-15472 Gitlab Unspecified vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1.

7.5
2023-04-15 CVE-2018-17449 Gitlab Authorization Bypass Through User-Controlled Key vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1.

7.5
2023-04-15 CVE-2018-17455 Gitlab Authorization Bypass Through User-Controlled Key vulnerability in Gitlab

An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1.

7.5
2023-04-15 CVE-2021-43612 Lldpd Project
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

In lldpd before 1.0.13, when decoding SONMP packets in the sonmp_decode function, it's possible to trigger an out-of-bounds heap read via short SONMP packets.

7.5
2023-04-15 CVE-2021-39295 Openbmc Project Resource Exhaustion vulnerability in Openbmc-Project Openbmc 2.9.0

In OpenBMC 2.9, crafted IPMI messages allow an attacker to cause a denial of service to the BMC via the netipmid (IPMI lan+) interface.

7.5
2023-04-15 CVE-2023-29208 Xwiki Exposure of Resource to Wrong Sphere vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

7.5
2023-04-15 CVE-2022-47522 Ieee
Sonicwall
Authentication Bypass by Spoofing vulnerability in multiple products

The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target's MAC address, sending Power Save frames to the access point, and then sending other frames to the access point (such as authentication frames or re-association frames) to remove the target's original security context.

7.5
2023-04-15 CVE-2023-24607 QT Unspecified vulnerability in QT

Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4.

7.5
2023-04-14 CVE-2023-29085 Samsung Out-of-bounds Write vulnerability in Samsung products

An issue was discovered in Samsung Exynos Mobile Processor, Automotive Processor and Modem for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos 9110, and Exynos Auto T5123.

7.5
2023-04-14 CVE-2023-29086 Samsung Out-of-bounds Write vulnerability in Samsung products

An issue was discovered in Samsung Exynos Mobile Processor, Automotive Processor and Modem for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos 9110, and Exynos Auto T5123.

7.5
2023-04-14 CVE-2023-29087 Samsung Out-of-bounds Write vulnerability in Samsung products

An issue was discovered in Samsung Exynos Mobile Processor, Automotive Processor and Modem for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos 9110, and Exynos Auto T5123.

7.5
2023-04-14 CVE-2023-29088 Samsung Out-of-bounds Write vulnerability in Samsung products

An issue was discovered in Samsung Exynos Mobile Processor, Automotive Processor and Modem for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos 9110, and Exynos Auto T5123.

7.5
2023-04-14 CVE-2023-29089 Samsung Out-of-bounds Read vulnerability in Samsung products

An issue was discovered in Samsung Exynos Mobile Processor, Automotive Processor and Modem for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos 9110, and Exynos Auto T5123.

7.5
2023-04-14 CVE-2023-29090 Samsung Out-of-bounds Write vulnerability in Samsung products

An issue was discovered in Samsung Exynos Mobile Processor, Automotive Processor and Modem for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos 9110, and Exynos Auto T5123.

7.5
2023-04-14 CVE-2023-29091 Samsung Out-of-bounds Write vulnerability in Samsung products

An issue was discovered in Samsung Exynos Mobile Processor, Automotive Processor and Modem for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos 9110, and Exynos Auto T5123.

7.5
2023-04-14 CVE-2023-29193 Authzed Information Exposure Through an Error Message vulnerability in Authzed Spicedb

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

7.5
2023-04-14 CVE-2023-2074 Campcodes Online Traffic Offense Management System Project SQL Injection vulnerability in Campcodes Online Traffic Offense Management System Project Campcodes Online Traffic Offense Management System 1.0

A vulnerability was found in Campcodes Online Traffic Offense Management System 1.0.

7.5
2023-04-14 CVE-2023-29013 Traefik Resource Exhaustion vulnerability in Traefik

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices.

7.5
2023-04-14 CVE-2023-2073 Campcodes Online Traffic Offense Management System Project SQL Injection vulnerability in Campcodes Online Traffic Offense Management System Project Campcodes Online Traffic Offense Management System 1.0

A vulnerability was found in Campcodes Online Traffic Offense Management System 1.0.

7.5
2023-04-14 CVE-2022-47501 Apache Path Traversal vulnerability in Apache Ofbiz

Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin.

7.5
2023-04-14 CVE-2023-29850 Slims Unspecified vulnerability in Slims Senayan Library Management System 9.5.2

SENAYAN Library Management System (SLiMS) Bulian v9.5.2 does not strip exif data from uploaded images.

7.5
2023-04-14 CVE-2023-2053 Advanced Online Voting System Project SQL Injection vulnerability in Advanced Online Voting System Project Advanced Online Voting System 1.0

A vulnerability, which was classified as critical, has been found in Campcodes Advanced Online Voting System 1.0.

7.5
2023-04-14 CVE-2023-2054 Advanced Online Voting System Project SQL Injection vulnerability in Advanced Online Voting System Project Advanced Online Voting System 1.0

A vulnerability, which was classified as critical, was found in Campcodes Advanced Online Voting System 1.0.

7.5
2023-04-14 CVE-2023-26756 Revive Improper Restriction of Excessive Authentication Attempts vulnerability in Revive Adserver 5.4.1

The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks.

7.5
2023-04-14 CVE-2023-27643 Powerampapp Resource Exhaustion vulnerability in Powerampapp Poweramp 925Bundleplay/954Uni

An issue found in POWERAMP 925-bundle-play and Poweramp 954-uni allows a remote attacker to cause a denial of service via the Rescan button in Queue and Select Folders button in Library

7.5
2023-04-14 CVE-2023-27649 Bestools SQL Injection vulnerability in Bestools Trusted Tools Free Music

SQL injection vulnerability found in Trusted Tools Free Music v.2.1.0.47, v.2.0.0.46, v.1.9.1.45, v.1.8.2.43 allows a remote attacker to cause a denial of service via the search history table

7.5
2023-04-14 CVE-2023-27653 Whoapp Unspecified vulnerability in Whoapp WHO 1.0.28/1.0.30/1.0.32

An issue found in WHOv.1.0.28, v.1.0.30, v.1.0.32 allows an attacker to cause a denial of service via the SharedPreference files.

7.5
2023-04-14 CVE-2023-2047 Campcodes Advanced Online Voting System Project SQL Injection vulnerability in Campcodes Advanced Online Voting System Project Campcodes Advanced Online Voting System 1.0

A vulnerability was found in Campcodes Advanced Online Voting System 1.0 and classified as critical.

7.5
2023-04-14 CVE-2023-2048 Campcodes Advanced Online Voting System Project SQL Injection vulnerability in Campcodes Advanced Online Voting System Project Campcodes Advanced Online Voting System 1.0

A vulnerability was found in Campcodes Advanced Online Voting System 1.0.

7.5
2023-04-14 CVE-2023-2049 Campcodes Advanced Online Voting System Project SQL Injection vulnerability in Campcodes Advanced Online Voting System Project Campcodes Advanced Online Voting System 1.0

A vulnerability was found in Campcodes Advanced Online Voting System 1.0.

7.5
2023-04-14 CVE-2023-2038 Campcodes Video Sharing Website Project SQL Injection vulnerability in Campcodes Video Sharing Website Project Campcodes Video Sharing Website 1.0

A vulnerability was found in Campcodes Video Sharing Website 1.0.

7.5
2023-04-14 CVE-2023-2036 Campcodes Video Sharing Website Project SQL Injection vulnerability in Campcodes Video Sharing Website Project Campcodes Video Sharing Website 1.0

A vulnerability was found in Campcodes Video Sharing Website 1.0 and classified as critical.

7.5
2023-04-14 CVE-2023-2035 Campcodes Video Sharing Website Project SQL Injection vulnerability in Campcodes Video Sharing Website Project Campcodes Video Sharing Website 1.0

A vulnerability has been found in Campcodes Video Sharing Website 1.0 and classified as critical.

7.5
2023-04-14 CVE-2023-26969 Atrocore Path Traversal vulnerability in Atrocore Atropim 1.5.26

Atropim 1.5.26 is vulnerable to Directory Traversal.

7.5
2023-04-14 CVE-2023-29626 Yoga Class Registration System Project SQL Injection vulnerability in Yoga Class Registration System Project Yoga Class Registration System 1.0

Yoga Class Registration System 1.0 was discovered to contain a SQL injection vulnerability via the cid parameter at /admin/login.php.

7.5
2023-04-13 CVE-2023-30635 Tikv Unspecified vulnerability in Tikv 6.1.2

TiKV 6.1.2 allows remote attackers to cause a denial of service (fatal error) upon an attempt to get a timestamp from the Placement Driver.

7.5
2023-04-13 CVE-2023-30636 Tikv Unspecified vulnerability in Tikv 6.1.2

TiKV 6.1.2 allows remote attackers to cause a denial of service (fatal error, with RpcStatus UNAVAILABLE for "not leader") upon an attempt to start a node in a situation where the context deadline is exceeded

7.5
2023-04-13 CVE-2023-30637 Baidu Memory Leak vulnerability in Baidu Braft 1.1.2

Baidu braft 1.1.2 has a memory leak related to use of the new operator in example/atomic/atomic_server.

7.5
2023-04-13 CVE-2023-27747 Blackvue Missing Authentication for Critical Function vulnerability in Blackvue Dr750-2Ch IR LTE Firmware and Dr750-2Ch LTE Firmware

BlackVue DR750-2CH LTE v.1.012_2022.10.26 does not employ authentication in its web server.

7.5
2023-04-13 CVE-2023-27772 MZ Automation Improper Check for Unusual or Exceptional Conditions vulnerability in Mz-Automation Libiec61850 1.5.1

libiec61850 v1.5.1 was discovered to contain a segmentation violation via the function ControlObjectClient_setOrigin() at /client/client_control.c.

7.5
2023-04-13 CVE-2022-33258 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure due to buffer over-read in modem while reading configuration parameters.

7.5
2023-04-13 CVE-2022-25726 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure in modem data due to array out of bound access while handling the incoming DNS response packet

7.5
2023-04-13 CVE-2022-25730 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure in modem due to improper check of IP type while processing DNS server query

7.5
2023-04-13 CVE-2022-25731 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure in modem due to buffer over-read while processing packets from DNS server

7.5
2023-04-13 CVE-2022-25737 Qualcomm Use of Uninitialized Resource vulnerability in Qualcomm products

Information disclosure in modem due to missing NULL check while reading packets received from local network

7.5
2023-04-13 CVE-2022-25739 Qualcomm NULL Pointer Dereference vulnerability in Qualcomm products

Denial of service in modem due to missing null check while processing the ipv6 packet received during ECM call

7.5
2023-04-13 CVE-2022-25747 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure in modem due to improper input validation during parsing of upcoming CoAP message

7.5
2023-04-13 CVE-2022-33222 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure due to buffer over-read while parsing DNS response packets in Modem.

7.5
2023-04-13 CVE-2022-33223 Qualcomm NULL Pointer Dereference vulnerability in Qualcomm products

Transient DOS in Modem due to null pointer dereference while processing the incoming packet with http chunked encoding.

7.5
2023-04-13 CVE-2022-33228 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure sue to buffer over-read in modem while processing ipv6 packet with hop-by-hop or destination option in header.

7.5
2023-04-13 CVE-2022-33287 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure in Modem due to buffer over-read while getting length of Unfragmented headers in an IPv6 packet.

7.5
2023-04-13 CVE-2022-33291 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure in Modem due to buffer over-read while receiving a IP header with malformed length.

7.5
2023-04-13 CVE-2022-33294 Qualcomm NULL Pointer Dereference vulnerability in Qualcomm products

Transient DOS in Modem due to NULL pointer dereference while receiving response of lwm2m registration/update/bootstrap request message.

7.5
2023-04-13 CVE-2022-33295 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure in Modem due to buffer over-read while parsing the wms message received given the buffer and its length.

7.5
2023-04-13 CVE-2022-40503 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure due to buffer over-read in Bluetooth Host while A2DP streaming.

7.5
2023-04-12 CVE-2023-22620 Securepoint Incorrect Authorization vulnerability in Securepoint Unified Threat Management

An issue was discovered in SecurePoint UTM before 12.2.5.1.

7.5
2023-04-12 CVE-2023-1992 Wireshark
Debian
Fedoraproject
Resource Exhaustion vulnerability in multiple products

RPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file

7.5
2023-04-12 CVE-2023-24511 Arista Memory Leak vulnerability in Arista EOS

On affected platforms running Arista EOS with SNMP configured, a specially crafted packet can cause a memory leak in the snmpd process.

7.5
2023-04-12 CVE-2023-24545 Arista Resource Exhaustion vulnerability in Arista Cloudeos

On affected platforms running Arista CloudEOS an issue in the Software Forwarding Engine (Sfe) can lead to a potential denial of service attack by sending malformed packets to the switch.

7.5
2023-04-12 CVE-2023-24513 Arista Out-of-bounds Read vulnerability in Arista Cloudeos

On affected platforms running Arista CloudEOS an issue in the Software Forwarding Engine (Sfe) can lead to a potential denial of service attack by sending malformed packets to the switch.

7.5
2023-04-12 CVE-2023-30513 Jenkins Cleartext Transmission of Sensitive Information vulnerability in Jenkins Kubernetes

Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

7.5
2023-04-12 CVE-2023-30514 Jenkins Cleartext Transmission of Sensitive Information vulnerability in Jenkins Azure KEY Vault

Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

7.5
2023-04-12 CVE-2023-30515 Jenkins Cleartext Transmission of Sensitive Information vulnerability in Jenkins Thycotic Devops Secrets Vault

Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

7.5
2023-04-11 CVE-2022-43951 Fortinet Unspecified vulnerability in Fortinet Fortinac and Fortinac-F

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.11 and below, 8.7.6 and below may allow an unauthenticated attacker to access sensitive information via crafted HTTP requests.

7.5
2023-04-11 CVE-2023-26964 Hyper Allocation of Resources Without Limits or Throttling vulnerability in Hyper H2 and Hyper

An issue was discovered in hyper v0.13.7.

7.5
2023-04-11 CVE-2022-43716 Siemens Use After Free vulnerability in Siemens products

A vulnerability has been identified in SIMATIC CP 1242-7 V2 (All versions), SIMATIC CP 1243-1 (All versions), SIMATIC CP 1243-1 DNP3 (incl.

7.5
2023-04-11 CVE-2022-43767 Siemens Deadlock vulnerability in Siemens products

A vulnerability has been identified in SIMATIC CP 1242-7 V2 (All versions), SIMATIC CP 1243-1 (All versions), SIMATIC CP 1243-1 DNP3 (incl.

7.5
2023-04-11 CVE-2022-43768 Siemens Allocation of Resources Without Limits or Throttling vulnerability in Siemens products

A vulnerability has been identified in SIMATIC CP 1242-7 V2 (All versions), SIMATIC CP 1243-1 (All versions), SIMATIC CP 1243-1 DNP3 (incl.

7.5
2023-04-11 CVE-2023-28766 Siemens NULL Pointer Dereference vulnerability in Siemens products

A vulnerability has been identified in SIPROTEC 5 6MD85 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 6MD86 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 6MD89 (CP300) (All versions >= V7.80 < V9.64), SIPROTEC 5 6MU85 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7KE85 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions < V9.40), SIPROTEC 5 7SA86 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7SA87 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7SD82 (CP100) (All versions), SIPROTEC 5 7SD82 (CP150) (All versions < V9.40), SIPROTEC 5 7SD86 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7SD87 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7SJ81 (CP100) (All versions < V8.89), SIPROTEC 5 7SJ81 (CP150) (All versions < V9.40), SIPROTEC 5 7SJ82 (CP100) (All versions < V8.89), SIPROTEC 5 7SJ82 (CP150) (All versions < V9.40), SIPROTEC 5 7SJ85 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7SJ86 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7SK82 (CP100) (All versions < V8.89), SIPROTEC 5 7SK82 (CP150) (All versions < V9.40), SIPROTEC 5 7SK85 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7SL82 (CP100) (All versions), SIPROTEC 5 7SL82 (CP150) (All versions < V9.40), SIPROTEC 5 7SL86 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7SL87 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7SS85 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7ST85 (CP300) (All versions >= V7.80 < V9.64), SIPROTEC 5 7ST86 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7SX82 (CP150) (All versions < V9.40), SIPROTEC 5 7SX85 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7UM85 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7UT82 (CP100) (All versions), SIPROTEC 5 7UT82 (CP150) (All versions < V9.40), SIPROTEC 5 7UT85 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7UT86 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7UT87 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7VE85 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7VK87 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 7VU85 (CP300) (All versions >= V7.80 < V9.40), SIPROTEC 5 Communication Module ETH-BA-2EL (All versions < V9.40 installed on CP150 and CP300 devices), SIPROTEC 5 Communication Module ETH-BA-2EL (All versions < V8.89 installed on CP100 devices), SIPROTEC 5 Communication Module ETH-BB-2FO (All versions < V9.40 installed on CP150 and CP300 devices), SIPROTEC 5 Communication Module ETH-BB-2FO (All versions < V8.89 installed on CP100 devices), SIPROTEC 5 Communication Module ETH-BD-2FO (All versions < V9.40), SIPROTEC 5 Compact 7SX800 (CP050) (All versions < V9.40).

7.5
2023-04-11 CVE-2023-29054 Siemens Inadequate Encryption Strength vulnerability in Siemens products

A vulnerability has been identified in SCALANCE X200-4P IRT (All versions < V5.5.2), SCALANCE X201-3P IRT (All versions < V5.5.2), SCALANCE X201-3P IRT PRO (All versions < V5.5.2), SCALANCE X202-2IRT (All versions < V5.5.2), SCALANCE X202-2IRT (All versions < V5.5.2), SCALANCE X202-2P IRT (All versions < V5.5.2), SCALANCE X202-2P IRT PRO (All versions < V5.5.2), SCALANCE X204IRT (All versions < V5.5.2), SCALANCE X204IRT (All versions < V5.5.2), SCALANCE X204IRT PRO (All versions < V5.5.2), SCALANCE XF201-3P IRT (All versions < V5.5.2), SCALANCE XF202-2P IRT (All versions < V5.5.2), SCALANCE XF204-2BA IRT (All versions < V5.5.2), SCALANCE XF204IRT (All versions < V5.5.2), SIPLUS NET SCALANCE X202-2P IRT (All versions < V5.5.2).

7.4
2023-04-11 CVE-2023-23384 Microsoft Unspecified vulnerability in Microsoft SQL Server

Microsoft SQL Server Remote Code Execution Vulnerability

7.3
2023-04-11 CVE-2023-26293 Siemens Improper Input Validation vulnerability in Siemens TIA Portal

A vulnerability has been identified in Totally Integrated Automation Portal (TIA Portal) V15 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 6), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 1).

7.3
2023-04-11 CVE-2023-25950 Haproxy HTTP Request Smuggling vulnerability in Haproxy

HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request.

7.3
2023-04-16 CVE-2023-27610 Transbank SQL Injection vulnerability in Transbank Webpay Rest

Auth.

7.2
2023-04-16 CVE-2023-29507 Xwiki Unspecified vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

7.2
2023-04-14 CVE-2023-30459 Smartptt Unspecified vulnerability in Smartptt Scada 1.1

SmartPTT SCADA 1.1.0.0 allows remote code execution (when the attacker has administrator privileges) by writing a malicious C# script and executing it on the server (via server settings in the administrator control panel on port 8101, by default).

7.2
2023-04-14 CVE-2023-30638 Atos Command Injection vulnerability in Atos products

Atos Unify OpenScape SBC 10 before 10R3.1.3, OpenScape Branch 10 before 10R3.1.2, and OpenScape BCF 10 before 10R10.7.0 allow remote authenticated admins to inject commands.

7.2
2023-04-13 CVE-2023-29084 Zohocorp Command Injection vulnerability in Zohocorp Manageengine Admanager Plus

Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.

7.2
2023-04-13 CVE-2023-20118 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to improper validation of user input within incoming HTTP packets.

7.2
2023-04-12 CVE-2023-26852 Textpattern Unrestricted Upload of File with Dangerous Type vulnerability in Textpattern

An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by uploading a crafted PHP file.

7.2
2023-04-12 CVE-2022-47605 Kunalnagar SQL Injection vulnerability in Kunalnagar Custom 404 PRO

Auth.

7.2
2023-04-11 CVE-2023-1986 Oretnom23 SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0

A vulnerability, which was classified as critical, was found in SourceCodester Online Computer and Laptop Store 1.0.

7.2
2023-04-11 CVE-2023-1987 Oretnom23 SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0

A vulnerability has been found in SourceCodester Online Computer and Laptop Store 1.0 and classified as critical.

7.2
2023-04-11 CVE-2023-1985 Oretnom23 SQL Injection vulnerability in Oretnom23 Online Computer and Laptop Store 1.0

A vulnerability, which was classified as critical, has been found in SourceCodester Online Computer and Laptop Store 1.0.

7.2
2023-04-10 CVE-2023-1970 Tpadmin Project Unrestricted Upload of File with Dangerous Type vulnerability in Tpadmin Project Tpadmin 1.3.12

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, has been found in yuan1994 tpAdmin 1.3.12.

7.2
2023-04-10 CVE-2023-1425 Groundhogg Unspecified vulnerability in Groundhogg

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins

7.2
2023-04-14 CVE-2023-27647 Dualspace Unspecified vulnerability in Dualspace Lock Master 2.2.4

An issue found in DUALSPACE Lock Master v.2.2.4 allows a local attacker to cause a denial of service or gain sensitive information via the com.ludashi.superlock.util.pref.SharedPrefProviderEntryMethod: insert of the android.net.Uri.insert method.

7.1
2023-04-13 CVE-2023-30630 Nongnu Unspecified vulnerability in Nongnu Dmidecode

Dmidecode before 3.5 allows -dump-bin to overwrite a local file.

7.1
2023-04-14 CVE-2023-26980 PAX Race Condition vulnerability in PAX Paydroid 8.1

PAX Technology PAX A920 Pro PayDroid 8.1suffers from a Race Condition vulnerability, which allows attackers to bypass the payment software and force the OS to boot directly to Android during the boot process.

7.0
2023-04-12 CVE-2023-1872 Linux
Debian
Use After Free vulnerability in multiple products

A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered. We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.

7.0
2023-04-11 CVE-2023-1989 Linux
Netapp
Debian
Use After Free vulnerability in multiple products

A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel.

7.0

181 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-04-13 CVE-2022-33289 Qualcomm Improper Validation of Array Index vulnerability in Qualcomm products

Memory corruption occurs in Modem due to improper validation of array index when malformed APDU is sent from card.

6.8
2023-04-16 CVE-2022-37704 Zmanda Command Injection vulnerability in Zmanda Amanda 3.5.1

Amanda 3.5.1 allows privilege escalation from the regular user backup to root.

6.7
2023-04-16 CVE-2022-37705 Zmanda Argument Injection or Modification vulnerability in Zmanda Amanda 3.5.1

A privilege escalation flaw was found in Amanda 3.5.1 in which the backup user can acquire root privileges.

6.7
2023-04-11 CVE-2023-29187 SAP Uncontrolled Search Path Element vulnerability in SAP Sapsetup 9.0

A Windows user with basic user authorization can exploit a DLL hijacking attack in SapSetup (Software Installation Program) - version 9.0, resulting in a privilege escalation running code as administrator of the very same Windows PC.

6.7
2023-04-16 CVE-2022-48313 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The Bluetooth module has a vulnerability of bypassing the user confirmation in the pairing process.

6.5
2023-04-16 CVE-2022-48314 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The Bluetooth module has a vulnerability of bypassing the user confirmation in the pairing process.

6.5
2023-04-16 CVE-2022-34125 Glpi Project Information Exposure vulnerability in Glpi-Project Cmdb

front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter.

6.5
2023-04-16 CVE-2019-14944 Gitlab Command Injection vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6.

6.5
2023-04-16 CVE-2020-27545 Libdwarf Project Release of Invalid Pointer or Reference vulnerability in Libdwarf Project Libdwarf

libdwarf before 20201017 has a one-byte out-of-bounds read because of an invalid pointer dereference via an invalid line table in a crafted object.

6.5
2023-04-16 CVE-2020-28163 Libdwarf Project NULL Pointer Dereference vulnerability in Libdwarf Project Libdwarf

libdwarf before 20201201 allows a dwarf_print_lines.c NULL pointer dereference and application crash via a DWARF5 line-table header that has an invalid FORM for a pathname.

6.5
2023-04-15 CVE-2023-2101 Mogublog Project Absolute Path Traversal vulnerability in Mogublog Project Mogublog

A vulnerability, which was classified as problematic, has been found in moxi624 Mogu Blog v2 up to 5.2.

6.5
2023-04-13 CVE-2023-20863 Vmware Expression Language Injection vulnerability in VMWare Spring Framework

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

6.5
2023-04-13 CVE-2023-20866 Vmware Unspecified vulnerability in VMWare Spring Session 3.0.0

In Spring Session version 3.0.0, the session id can be logged to the standard output stream.

6.5
2023-04-13 CVE-2023-22950 Tigergraph Incorrect Resource Transfer Between Spheres vulnerability in Tigergraph

An issue was discovered in TigerGraph Enterprise Free Edition 3.x.

6.5
2023-04-12 CVE-2023-22897 Securepoint Use of Uninitialized Resource vulnerability in Securepoint Unified Threat Management

An issue was discovered in SecurePoint UTM before 12.2.5.1.

6.5
2023-04-12 CVE-2023-1994 Wireshark
Debian
Fedoraproject
Resource Exhaustion vulnerability in multiple products

GQUIC dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file

6.5
2023-04-12 CVE-2023-1993 Wireshark
Debian
Fedoraproject
Excessive Iteration vulnerability in multiple products

LISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file

6.5
2023-04-12 CVE-2023-30516 Jenkins Improper Certificate Validation vulnerability in Jenkins Image TAG Parameter

Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries, resulting in job configurations using Image Tag Parameters that were created before 2.0 having SSL/TLS certificate validation disabled by default.

6.5
2023-04-12 CVE-2023-30526 Jenkins Missing Authorization vulnerability in Jenkins Report Portal

A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.

6.5
2023-04-12 CVE-2023-30528 Jenkins Cleartext Storage of Sensitive Information vulnerability in Jenkins Wso2 Oauth

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form, increasing the potential for attackers to observe and capture it.

6.5
2023-04-12 CVE-2023-30531 Jenkins Cleartext Storage of Sensitive Information vulnerability in Jenkins Consul KV Builder

Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it.

6.5
2023-04-12 CVE-2023-30532 Jenkins Missing Authorization vulnerability in Jenkins Turboscript

A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.

6.5
2023-04-12 CVE-2023-0004 Paloaltonetworks
Fedoraproject
A local file deletion vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to delete files from the local file system with elevated privileges. These files can include logs and system components that impact the integrity and availability of PAN-OS software.
6.5
2023-04-12 CVE-2023-28488 Intel Out-of-bounds Write vulnerability in Intel Connman

client.c in gdhcp in ConnMan through 1.41 could be used by network-adjacent attackers (operating a crafted DHCP server) to cause a stack-based buffer overflow and denial of service, terminating the connman process.

6.5
2023-04-12 CVE-2023-30512 Linuxfoundation Incorrect Permission Assignment for Critical Resource vulnerability in Linuxfoundation Cubefs

CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation.

6.5
2023-04-11 CVE-2023-1980 Devolutions Unspecified vulnerability in Devolutions Remote Desktop Manager

Two factor authentication bypass on login in Devolutions Remote Desktop Manager 2022.3.35 and earlier allow user to cancel the two factor authentication via the application user interface and open entries.

6.5
2023-04-11 CVE-2022-27485 Fortinet SQL Injection vulnerability in Fortinet Fortisandbox

A improper neutralization of special elements used in an sql command ('sql injection') vulnerability [CWE-89] in Fortinet FortiSandbox version 4.2.0, 4.0.0 through 4.0.2, 3.2.0 through 3.2.3, 3.1.x and 3.0.x allows a remote and authenticated attacker with read permission to retrieve arbitrary files from the underlying Linux system via a crafted HTTP request.

6.5
2023-04-11 CVE-2023-27520 Epson Cross-Site Request Forgery (CSRF) vulnerability in Epson products

Cross-site request forgery (CSRF) vulnerability in SEIKO EPSON printers/network interface Web Config allows a remote unauthenticated attacker to hijack the authentication and perform unintended operations by having a logged-in user view a malicious page.

6.5
2023-04-10 CVE-2023-28093 Pega Improper Certificate Validation vulnerability in Pega Synchronization Engine

A user with a compromised configuration can start an unsigned binary as a service.

6.5
2023-04-10 CVE-2023-1426 Keetrax Unspecified vulnerability in Keetrax WP Tiles 1.1.2

The WP Tiles WordPress plugin through 1.1.2 does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as subscriber to retrieve the titles of draft and privates posts for example.

6.5
2023-04-10 CVE-2023-30456 Linux Unspecified vulnerability in Linux Kernel

An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8.

6.5
2023-04-16 CVE-2023-30772 Linux Use After Free vulnerability in Linux Kernel

The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.

6.4
2023-04-11 CVE-2023-26555 NTP Out-of-bounds Write vulnerability in NTP 4.2.8

praecis_parse in ntpd/refclock_palisade.c in NTP 4.2.8p15 has an out-of-bounds write.

6.4
2023-04-15 CVE-2021-34337 GNU Unspecified vulnerability in GNU Mailman

An issue was discovered in Mailman Core before 3.3.5.

6.3
2023-04-12 CVE-2023-0006 Paloaltonetworks Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Paloaltonetworks Globalprotect

A local file deletion vulnerability in the Palo Alto Networks GlobalProtect app on Windows devices enables a user to delete system files from the endpoint with elevated privileges through a race condition.

6.3
2023-04-11 CVE-2023-23588 Siemens
Microchip
Improper Certificate Validation vulnerability in multiple products

A vulnerability has been identified in SIMATIC IPC1047 (All versions), SIMATIC IPC1047E (All versions with maxView Storage Manager < 4.09.00.25611 on Windows), SIMATIC IPC647D (All versions), SIMATIC IPC647E (All versions with maxView Storage Manager < 4.09.00.25611 on Windows), SIMATIC IPC847D (All versions), SIMATIC IPC847E (All versions with maxView Storage Manager < 4.09.00.25611 on Windows).

6.3
2023-04-16 CVE-2023-29506 Xwiki Cross-site Scripting vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

6.1
2023-04-16 CVE-2022-28353 External Redirect Warning Project Cross-site Scripting vulnerability in External Redirect Warning Project External Redirect Warning 1.3

In the External Redirect Warning Plugin 1.3 for MyBB, the redirect URL (aka external.php?url=) is vulnerable to XSS.

6.1
2023-04-16 CVE-2022-37306 Open Xchange Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5/7.10.6

OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger.

6.1
2023-04-16 CVE-2018-17883 Otrs Cross-site Scripting vulnerability in Otrs

An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12.

6.1
2023-04-15 CVE-2015-10101 Google Analytics TOP Content Widget Project Cross-site Scripting vulnerability in Google Analytics TOP Content Widget Project Google Analytics TOP Content Widget

A vulnerability classified as problematic was found in Google Analytics Top Content Widget Plugin up to 1.5.6 on WordPress.

6.1
2023-04-15 CVE-2023-29204 Xwiki Open Redirect vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

6.1
2023-04-15 CVE-2023-2100 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 Vehicle Service Management System 1.0

A vulnerability classified as problematic was found in SourceCodester Vehicle Service Management System 1.0.

6.1
2023-04-15 CVE-2023-2098 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 Vehicle Service Management System 1.0

A vulnerability was found in SourceCodester Vehicle Service Management System 1.0.

6.1
2023-04-15 CVE-2023-2099 Vehicle Service Management System Project Cross-site Scripting vulnerability in Vehicle Service Management System Project Vehicle Service Management System 1.0

A vulnerability classified as problematic has been found in SourceCodester Vehicle Service Management System 1.0.

6.1
2023-04-15 CVE-2022-43696 Open Xchange Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5/7.10.6

OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.

6.1
2023-04-15 CVE-2022-43697 Open Xchange Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5/7.10.6

OX App Suite before 7.10.6-rev30 allows XSS via an activity tracking adapter defined by jslob.

6.1
2023-04-15 CVE-2023-27572 Commscope Cross-site Scripting vulnerability in Commscope Dg3450 Firmware Ar01.02.056.18041520711.Ncs.10

An issue was discovered in CommScope Arris DG3450 Cable Gateway AR01.02.056.18_041520_711.NCS.10.

6.1
2023-04-14 CVE-2022-46886 Servicenow Open Redirect vulnerability in Servicenow Quebec/Rome/Sandiego

There exists an open redirect within the response list update functionality of ServiceNow.

6.1
2023-04-14 CVE-2023-2076 Online Traffic Offense Management System Project Cross-site Scripting vulnerability in Online Traffic Offense Management System Project Online Traffic Offense Management System 1.0

A vulnerability classified as problematic was found in Campcodes Online Traffic Offense Management System 1.0.

6.1
2023-04-14 CVE-2023-2077 Online Traffic Offense Management System Project Cross-site Scripting vulnerability in Online Traffic Offense Management System Project Online Traffic Offense Management System 1.0

A vulnerability, which was classified as problematic, has been found in Campcodes Online Traffic Offense Management System 1.0.

6.1
2023-04-14 CVE-2023-2057 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.5.4

A vulnerability was found in EyouCms 1.5.4.

6.1
2023-04-14 CVE-2023-2058 Eyoucms Cross-site Scripting vulnerability in Eyoucms

A vulnerability was found in EyouCms up to 1.6.2.

6.1
2023-04-14 CVE-2023-2055 Advanced Online Voting System Project Cross-site Scripting vulnerability in Advanced Online Voting System Project Advanced Online Voting System 1.0

A vulnerability has been found in Campcodes Advanced Online Voting System 1.0 and classified as problematic.

6.1
2023-04-14 CVE-2023-27666 Auto Dealer Management System Project Cross-site Scripting vulnerability in Auto Dealer Management System Project Auto Dealer Management System 1.0

Auto Dealer Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the name parameter at /classes/SystemSettings.php?f=update_settings.

6.1
2023-04-14 CVE-2023-2044 Assaabloy Cross-site Scripting vulnerability in Assaabloy Control ID Idsecure 4.7.29.1

A vulnerability has been found in Control iD iDSecure 4.7.29.1 and classified as problematic.

6.1
2023-04-14 CVE-2023-26123 Raylib Cross-site Scripting vulnerability in Raylib

Versions of the package raysan5/raylib before 4.5.0 are vulnerable to Cross-site Scripting (XSS) such that the SetClipboardText API does not properly escape the ' character, allowing attacker-controlled input to break out of the string and execute arbitrary JavaScript via emscripten_run_script function. **Note:** This vulnerability is present only when compiling raylib for PLATFORM_WEB.

6.1
2023-04-14 CVE-2023-29623 Purchase Order Management Project Cross-site Scripting vulnerability in Purchase Order Management Project Purchase Order Management 1.0

Purchase Order Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the password parameter at /purchase_order/classes/login.php.

6.1
2023-04-11 CVE-2023-24935 Microsoft Open Redirect vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Spoofing Vulnerability

6.1
2023-04-11 CVE-2022-35850 Fortinet Cross-site Scripting vulnerability in Fortinet Fortiauthenticator

An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiAuthenticator versions 6.4.0 through 6.4.4, 6.3.0 through 6.3.3, all versions of 6.2 and 6.1 may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the "reset-password" page.

6.1
2023-04-11 CVE-2022-43955 Fortinet Cross-site Scripting vulnerability in Fortinet Fortiweb

An improper neutralization of input during web page generation [CWE-79] in the FortiWeb web interface 7.0.0 through 7.0.3, 6.3.0 through 6.3.21, 6.4 all versions, 6.2 all versions, 6.1 all versions and 6.0 all versions may allow an unauthenticated and remote attacker to perform a reflected cross site scripting attack (XSS) via injecting malicious payload in log entries used to build report.

6.1
2023-04-11 CVE-2022-41330 Fortinet Cross-site Scripting vulnerability in Fortinet Fortios and Fortiproxy

An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9, version 6.4.0 through 6.4.11 and before 6.2.12 and FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7 allows an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.

6.1
2023-04-11 CVE-2022-3695 Hitachivantara Cross-site Scripting vulnerability in Hitachivantara Pentaho Business Analytics 8.0

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present.

6.1
2023-04-11 CVE-2023-23277 Snippet BOX Project Cross-site Scripting vulnerability in Snippet BOX Project Snippet BOX 1.0.0

Snippet-box 1.0.0 is vulnerable to Cross Site Scripting (XSS).

6.1
2023-04-10 CVE-2023-1916 Libtiff Out-of-bounds Read vulnerability in Libtiff

A flaw was found in tiffcrop, a program distributed by the libtiff package.

6.1
2023-04-10 CVE-2018-25084 Pingidentity Cross-site Scripting vulnerability in Pingidentity Self-Service Account Manager 1.1.2

A vulnerability, which was classified as problematic, has been found in Ping Identity Self-Service Account Manager 1.1.2.

6.1
2023-04-10 CVE-2022-39048 Servicenow Cross-site Scripting vulnerability in Servicenow

A XSS vulnerability was identified in the ServiceNow UI page assessment_redirect.

6.1
2023-04-10 CVE-2023-0983 Stylishcostcalculator Unspecified vulnerability in Stylishcostcalculator Stylish Cost Calculator

The stylish-cost-calculator-premium WordPress plugin before 7.9.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Stored Cross-Site Scripting which could be used against admins when viewing submissions submitted through the Email Quote Form.

6.1
2023-04-10 CVE-2023-26120 Xuxueli Cross-site Scripting vulnerability in Xuxueli Xxl-Job

This affects all versions of the package com.xuxueli:xxl-job.

6.1
2023-04-10 CVE-2014-125098 Dart Cross-site Scripting vulnerability in Dart Http Server

A vulnerability was found in Dart http_server up to 0.9.5 and classified as problematic.

6.1
2023-04-10 CVE-2014-125097 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Facebook Button

A vulnerability, which was classified as problematic, was found in BestWebSoft Facebook Like Button up to 2.33.

6.1
2023-04-10 CVE-2014-125096 Fancy Gallery Project Cross-site Scripting vulnerability in Fancy Gallery Project Fancy Gallery 1.5.12

A vulnerability was found in Fancy Gallery Plugin 1.5.12 on WordPress.

6.1
2023-04-10 CVE-2009-10004 Sandbox Theme Project Cross-site Scripting vulnerability in Sandbox Theme Project Sandbox Theme

A vulnerability was found in Turante Sandbox Theme up to 1.5.2.

6.1
2023-04-16 CVE-2022-37186 Lemonldap NG Insufficient Session Expiration vulnerability in Lemonldap-Ng Lemonldap::Ng

In LemonLDAP::NG before 2.0.15.

5.9
2023-04-16 CVE-2019-14942 Gitlab Cleartext Transmission of Sensitive Information vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6.

5.9
2023-04-14 CVE-2023-25597 Mitel Improper Authentication vulnerability in Mitel Micollab

A vulnerability in the web conferencing component of Mitel MiCollab through 9.6.2.9 could allow an unauthenticated attacker to download a shared file via a crafted request - including the exact path and filename - due to improper authentication control.

5.9
2023-04-14 CVE-2023-1285 Mitsubishielectric Race Condition vulnerability in Mitsubishielectric Gc-Enet-Com Firmware

Signal Handler Race Condition vulnerability in Mitsubishi Electric India GC-ENET-COM whose first 2 digits of 11-digit serial number of unit are "16" allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition in Ethernet communication by sending a large number of specially crafted packets to any UDP port when GC-ENET-COM is configured as a Modbus TCP Server.

5.9
2023-04-13 CVE-2022-33270 Qualcomm Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Qualcomm products

Transient DOS due to time-of-check time-of-use race condition in Modem while processing RRC Reconfiguration message.

5.9
2023-04-11 CVE-2023-28828 Siemens XXE vulnerability in Siemens Polarion ALM

A vulnerability has been identified in Polarion ALM (All versions < V22R2).

5.9
2023-04-11 CVE-2022-43293 Wacom Link Following vulnerability in Wacom Driver 6.3.451/6.3.461

Wacom Driver 6.3.46-1 for Windows was discovered to contain an arbitrary file write vulnerability via the component \Wacom\Wacom_Tablet.exe.

5.9
2023-04-11 CVE-2023-26551 NTP Out-of-bounds Write vulnerability in NTP 4.2.8

mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write in the cp<cpdec while loop.

5.6
2023-04-11 CVE-2023-26552 NTP Out-of-bounds Write vulnerability in NTP 4.2.8

mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a decimal point.

5.6
2023-04-11 CVE-2023-26553 NTP Out-of-bounds Write vulnerability in NTP 4.2.8

mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when copying the trailing number.

5.6
2023-04-11 CVE-2023-26554 NTP Out-of-bounds Write vulnerability in NTP 4.2.8

mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a '\0' character.

5.6
2023-04-14 CVE-2023-24934 Microsoft Unspecified vulnerability in Microsoft Malware Protection Platform

Microsoft Defender Security Feature Bypass Vulnerability

5.5
2023-04-14 CVE-2023-28085 HPE Unspecified vulnerability in HPE Oneview Global Dashboard 2.31/2.32

An HPE OneView Global Dashboard (OVGD) appliance dump may expose OVGD user account credentials

5.5
2023-04-14 CVE-2023-28091 HP Unspecified vulnerability in HP Oneview

HPE OneView virtual appliance "Migrate server hardware" option may expose sensitive information in an HPE OneView support dump

5.5
2023-04-13 CVE-2022-48468 Protobuf C Project Integer Overflow or Wraparound vulnerability in Protobuf-C Project Protobuf-C

protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member.

5.5
2023-04-13 CVE-2023-29573 Axiosys Allocation of Resources Without Limits or Throttling vulnerability in Axiosys Bento4 1.6.0639

Bento4 v1.6.0-639 was discovered to contain an out-of-memory bug in the mp4info component.

5.5
2023-04-13 CVE-2023-26263 Talend XXE vulnerability in Talend Data Catalog 7.320210930

All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server.

5.5
2023-04-13 CVE-2023-26264 Talend XXE vulnerability in Talend Data Catalog 7.320210930

All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code.

5.5
2023-04-13 CVE-2022-33297 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Information disclosure due to buffer overread in Linux sensors

5.5
2023-04-13 CVE-2023-25954 Kyocera
Triumph Adler
Olivetti
Exposure of Resource to Wrong Sphere vulnerability in multiple products

KYOCERA Mobile Print' v3.2.0.230119 and earlier, 'UTAX/TA MobilePrint' v3.2.0.230119 and earlier, and 'Olivetti Mobile Print' v3.2.0.230119 and earlier are vulnerable to improper intent handling.

5.5
2023-04-12 CVE-2023-1906 Imagemagick
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c.

5.5
2023-04-12 CVE-2023-26397 Adobe Out-of-bounds Read vulnerability in Adobe products

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

5.5
2023-04-12 CVE-2023-29581 Yasm Project Unspecified vulnerability in Yasm Project Yasm 1.3.0.55.G101Bc

yasm 1.3.0.55.g101bc has a segmentation violation in the function delete_Token at modules/preprocs/nasm/nasm-pp.c.

5.5
2023-04-12 CVE-2022-24350 Insyde Classic Buffer Overflow vulnerability in Insyde Insydeh2O

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5.

5.5
2023-04-12 CVE-2023-29580 Yasm Project Unspecified vulnerability in Yasm Project Yasm 1.3.0.55.G101Bc

yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the component yasm_expr_create at /libyasm/expr.c.

5.5
2023-04-11 CVE-2023-28299 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2017

Visual Studio Spoofing Vulnerability

5.5
2023-04-11 CVE-2023-28263 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2019

Visual Studio Information Disclosure Vulnerability

5.5
2023-04-11 CVE-2023-28271 Microsoft Unspecified vulnerability in Microsoft products

Windows Kernel Memory Information Disclosure Vulnerability

5.5
2023-04-11 CVE-2023-29576 Axiosys Out-of-bounds Read vulnerability in Axiosys Bento4 1.6.0639

Bento4 v1.6.0-639 was discovered to contain a segmentation violation via the AP4_TrunAtom::SetDataOffset(int) function in Ap4TrunAtom.h.

5.5
2023-04-11 CVE-2020-24736 Ghost Classic Buffer Overflow vulnerability in Ghost Sqlite3 3.27.1

Buffer Overflow vulnerability found in SQLite3 v.3.27.1 and before allows a local attacker to cause a denial of service via a crafted script.

5.5
2023-04-11 CVE-2022-42477 Fortinet Improper Input Validation vulnerability in Fortinet Fortianalyzer

An improper input validation vulnerability [CWE-20] in FortiAnalyzer version 7.2.1 and below, version 7.0.6 and below, 6.4 all versions may allow an authenticated attacker to disclose file system information via custom dataset SQL queries.

5.5
2023-04-10 CVE-2022-46703 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

A logic issue was addressed with improved restrictions.

5.5
2023-04-16 CVE-2022-43458 Codetides Cross-site Scripting vulnerability in Codetides Advanced Floating Content

Auth.

5.4
2023-04-16 CVE-2022-45849 Colorlib Cross-site Scripting vulnerability in Colorlib Activello Theme

Auth.

5.4
2023-04-16 CVE-2023-29508 Xwiki Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

5.4
2023-04-16 CVE-2018-17537 Gitlab Cross-site Scripting vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1.

5.4
2023-04-15 CVE-2018-17454 Gitlab Cross-site Scripting vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1.

5.4
2023-04-15 CVE-2018-17536 Gitlab Cross-site Scripting vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1.

5.4
2023-04-15 CVE-2023-29205 Xwiki Cross-site Scripting vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

5.4
2023-04-15 CVE-2023-29206 Xwiki Cross-site Scripting vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

5.4
2023-04-15 CVE-2023-2103 Easyappointments Cross-site Scripting vulnerability in Easyappointments

Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

5.4
2023-04-15 CVE-2023-2104 Easyappointments Improper Access Control vulnerability in Easyappointments

Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

5.4
2023-04-15 CVE-2022-48177 X2Crm Cross-site Scripting vulnerability in X2Crm 6.6/6.9

X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the adin/importModels Import Records Model field (model parameter).

5.4
2023-04-15 CVE-2022-48178 X2Crm Cross-site Scripting vulnerability in X2Crm 6.6/6.9

X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Create Action function, aka an index.php/actions/update URI.

5.4
2023-04-14 CVE-2023-29847 Aerocms Project Cross-site Scripting vulnerability in Aerocms Project Aerocms 0.0.1

AeroCMS v0.0.1 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the comment_author and comment_content parameters at /post.php.

5.4
2023-04-14 CVE-2023-27890 Export User Project Cross-site Scripting vulnerability in Export User Project Export User 2.0

The Export User plugin through 2.0 for MyBB allows XSS during the process of an admin generating DSGVO data for a user, via the Custom User Title, Location, or Bio field.

5.4
2023-04-13 CVE-2022-45358 Colorlib Cross-site Scripting vulnerability in Colorlib Activello

Auth.

5.4
2023-04-13 CVE-2023-2021 Teampass Cross-site Scripting vulnerability in Teampass

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3.

5.4
2023-04-12 CVE-2023-30520 Jenkins Cross-site Scripting vulnerability in Jenkins Quay.Io Trigger

Jenkins Quay.io trigger Plugin 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Quay.io trigger webhook payloads.

5.4
2023-04-11 CVE-2022-43952 Fortinet Cross-site Scripting vulnerability in Fortinet Fortiadc

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiADC version 7.1.1 and below, version 7.0.3 and below, version 6.2.5 and below may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

5.4
2023-04-11 CVE-2023-22641 Fortinet Open Redirect vulnerability in Fortinet Fortios and Fortiproxy

A url redirection to untrusted site ('open redirect') in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.9, FortiOS versions 6.4.0 through 6.4.12, FortiOS all versions 6.2, FortiOS all versions 6.0, FortiProxy version 7.2.0 through 7.2.2, FortiProxy version 7.0.0 through 7.0.8, FortiProxy all versions 2.0, FortiProxy all versions 1.2, FortiProxy all versions 1.1, FortiProxy all versions 1.0 allows an authenticated attacker to execute unauthorized code or commands via specially crafted requests.

5.4
2023-04-11 CVE-2023-26846 Opencats Cross-site Scripting vulnerability in Opencats 0.9.7

A stored cross-site scripting (XSS) vulnerability in OpenCATS v0.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the city parameter at opencats/index.php?m=candidates.

5.4
2023-04-11 CVE-2023-26847 Opencats Cross-site Scripting vulnerability in Opencats 0.9.7

A stored cross-site scripting (XSS) vulnerability in OpenCATS v0.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the state parameter at opencats/index.php?m=candidates.

5.4
2023-04-11 CVE-2023-24182 Openwrt Cross-site Scripting vulnerability in Openwrt 22.03.3

LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /system/sshkeys.js.

5.4
2023-04-10 CVE-2023-26467 Pega Insufficient Verification of Data Authenticity vulnerability in Pega Synchronization Engine

A man in the middle can redirect traffic to a malicious server in a compromised configuration.

5.4
2023-04-10 CVE-2022-4827 Keetrax Unspecified vulnerability in Keetrax WP Tiles 1.1.2

The WP Tiles WordPress plugin through 1.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-04-10 CVE-2023-0363 NLB Creations Cross-site Scripting vulnerability in Nlb-Creations Scheduled Announcements Widget

The Scheduled Announcements Widget WordPress plugin before 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-04-10 CVE-2023-0546 Fluentforms Unspecified vulnerability in Fluentforms Contact Form

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form.

5.4
2023-04-10 CVE-2022-37462 Upstreamworks Cross-site Scripting vulnerability in Upstreamworks Upstream Works on Finesse

A stored Cross-Site Scripting (XSS) vulnerability in the Chat gadget in Upstream Works Agent Desktop for Cisco Finesse through 4.2.12 and 5.0 allows remote attackers to inject arbitrary web script or HTML via AttachmentId in the file-upload details.

5.4
2023-04-16 CVE-2022-30076 Entab Unspecified vulnerability in Entab ERP 1.0

ENTAB ERP 1.0 allows attackers to discover users' full names via a brute force attack with a series of student usernames such as s10000 through s20000.

5.3
2023-04-15 CVE-2018-17453 Gitlab Unspecified vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1.

5.3
2023-04-15 CVE-2023-29203 Xwiki Exposure of Resource to Wrong Sphere vulnerability in Xwiki

XWiki Commons are technical libraries common to several other top level XWiki projects.

5.3
2023-04-15 CVE-2023-27571 Commscope Missing Authentication for Critical Function vulnerability in Commscope Dg3450 Firmware Ar01.02.056.18041520711.Ncs.10

An issue was discovered in DG3450 Cable Gateway AR01.02.056.18_041520_711.NCS.10.

5.3
2023-04-14 CVE-2023-29529 Matrix Unspecified vulnerability in Matrix Javascript SDK

matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript.

5.3
2023-04-14 CVE-2023-2059 Dedecms Path Traversal: '..filedir' vulnerability in Dedecms 5.7.87

A vulnerability was found in DedeCMS 5.7.87.

5.3
2023-04-14 CVE-2023-26559 Sync Path Traversal vulnerability in Sync Oxygen Content Fusion and Oxygen XML web Author

A directory traversal vulnerability in Oxygen XML Web Author before 25.0.0.3 build 2023021715 and Oxygen Content Fusion before 5.0.3 build 2023022015 allows an attacker to read files from a WEB-INF directory via a crafted HTTP request.

5.3
2023-04-14 CVE-2023-29132 Irssi Use After Free vulnerability in Irssi

Irssi 1.3.x and 1.4.x before 1.4.4 has a use-after-free because of use of a stale special collector reference.

5.3
2023-04-12 CVE-2023-30517 Jenkins Improper Certificate Validation vulnerability in Jenkins Neuvector vulnerability Scanner

Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server.

5.3
2023-04-12 CVE-2023-30519 Jenkins Missing Authorization vulnerability in Jenkins Quay.Io Trigger

A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

5.3
2023-04-12 CVE-2023-30521 Jenkins Missing Authorization vulnerability in Jenkins Assembla Merge Request Builder

A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

5.3
2023-04-12 CVE-2022-48437 Openbsd Improper Certificate Validation vulnerability in Openbsd

An issue was discovered in x509/x509_verify.c in LibreSSL before 3.6.1, and in OpenBSD before 7.2 errata 001.

5.3
2023-04-14 CVE-2023-22949 Tigergraph Cleartext Storage of Sensitive Information vulnerability in Tigergraph Cloud and Tigergraph Enterprise

An issue was discovered in TigerGraph Enterprise Free Edition 3.x.

4.9
2023-04-13 CVE-2023-22948 Tigergraph Missing Encryption of Sensitive Data vulnerability in Tigergraph

An issue was discovered in TigerGraph Enterprise Free Edition 3.x.

4.9
2023-04-12 CVE-2023-0005 Paloaltonetworks Cleartext Storage of Sensitive Information vulnerability in Paloaltonetworks Pan-Os

A vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to expose the plaintext values of secrets stored in the device configuration and encrypted API keys.

4.9
2023-04-10 CVE-2023-1971 Tpadmin Project Server-Side Request Forgery (SSRF) vulnerability in Tpadmin Project Tpadmin 1.3.12

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in yuan1994 tpAdmin 1.3.12.

4.9
2023-04-10 CVE-2023-0156 Updraftplus Unspecified vulnerability in Updraftplus All-In-One Security

The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in it's settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access).

4.9
2023-04-16 CVE-2022-43480 Magneticlab Cross-site Scripting vulnerability in Magneticlab Homepage Pop-Up 1.2.5

Auth.

4.8
2023-04-16 CVE-2022-44734 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft CAR Rental

Auth.

4.8
2023-04-15 CVE-2023-2102 Easyappointments Cross-site Scripting vulnerability in Easyappointments

Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

4.8
2023-04-13 CVE-2022-44625 Cyclodev Cross-site Scripting vulnerability in Cyclodev WP Notify

Auth.

4.8
2023-04-13 CVE-2023-2014 Microweber Cross-site Scripting vulnerability in Microweber

Cross-site Scripting (XSS) - Generic in GitHub repository microweber/microweber prior to 1.3.3.

4.8
2023-04-11 CVE-2023-1988 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 Online Computer and Laptop Store 1.0

A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0 and classified as problematic.

4.8
2023-04-11 CVE-2023-23572 Epson Cross-site Scripting vulnerability in Epson products

Cross-site scripting vulnerability in SEIKO EPSON printers/network interface Web Config allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.

4.8
2023-04-10 CVE-2023-0157 Updraftplus Cross-site Scripting vulnerability in Updraftplus All-In-One Security

The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page.

4.8
2023-04-10 CVE-2023-0422 Article Directory Project Unspecified vulnerability in Article Directory Project Article Directory 1.3

The Article Directory WordPress plugin through 1.3 does not properly sanitize the `publish_terms_text` setting before displaying it in the administration panel, which may enable administrators to conduct Stored XSS attacks in multisite contexts.

4.8
2023-04-10 CVE-2023-0423 Wordpress Amazon S3 Project Unspecified vulnerability in Wordpress Amazon S3 Project Wordpress Amazon S3

The WordPress Amazon S3 Plugin WordPress plugin before 1.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

4.8
2023-04-10 CVE-2023-0605 Auto Rename Media ON Upload Project Unspecified vulnerability in Auto Rename Media on Upload Project Auto Rename Media on Upload

The Auto Rename Media On Upload WordPress plugin before 1.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-04-10 CVE-2023-0874 Klaviyo Unspecified vulnerability in Klaviyo Klavio

The Klaviyo WordPress plugin before 3.0.10 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-04-10 CVE-2023-0893 Dcac Unspecified vulnerability in Dcac Time Sheets

The Time Sheets WordPress plugin before 1.29.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2023-04-10 CVE-2023-1120 Ibenic Unspecified vulnerability in Ibenic Simple Giveaways

The Simple Giveaways WordPress plugin before 2.45.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2023-04-10 CVE-2023-1121 Ibenic Cross-site Scripting vulnerability in Ibenic Simple Giveaways

The Simple Giveaways WordPress plugin before 2.45.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2023-04-10 CVE-2023-1122 Ibenic Unspecified vulnerability in Ibenic Simple Giveaways

The Simple Giveaways WordPress plugin before 2.45.1 does not sanitise and escape some of its Giveaways options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2023-04-12 CVE-2023-1990 Linux Use After Free vulnerability in Linux Kernel

A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel.

4.7
2023-04-15 CVE-2018-17450 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1.

4.3
2023-04-15 CVE-2021-30153 Mediawiki Exposure of Resource to Wrong Sphere vulnerability in Mediawiki

An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2.

4.3
2023-04-15 CVE-2022-43698 Open Xchange Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange OX APP Suite 7.10.5/7.10.6

OX App Suite before 7.10.6-rev30 allows SSRF because changing a POP3 account disregards the deny-list.

4.3
2023-04-15 CVE-2022-43699 Open Xchange Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange OX APP Suite 7.10.5/7.10.6

OX App Suite before 7.10.6-rev30 allows SSRF because e-mail account discovery disregards the deny-list and thus can be attacked by an adversary who controls the DNS records of an external domain (found in the host part of an e-mail address).

4.3
2023-04-12 CVE-2023-30518 Jenkins Missing Authorization vulnerability in Jenkins Thycotic Secret Server

A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

4.3
2023-04-12 CVE-2023-30522 Jenkins Missing Authorization vulnerability in Jenkins Fogbugz

A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter.

4.3
2023-04-12 CVE-2023-30523 Jenkins Cleartext Storage of Sensitive Information vulnerability in Jenkins Report Portal

Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

4.3
2023-04-12 CVE-2023-30524 Jenkins Unspecified vulnerability in Jenkins Report Portal

Jenkins Report Portal Plugin 0.5 and earlier does not mask ReportPortal access tokens displayed on the configuration form, increasing the potential for attackers to observe and capture them.

4.3
2023-04-12 CVE-2023-30527 Jenkins Cleartext Storage of Sensitive Information vulnerability in Jenkins Wso2 Oauth

Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

4.3
2023-04-12 CVE-2023-30529 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Lucene-Search 370.V62A5F618Cd3A

Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint, allowing attackers to reindex the database.

4.3
2023-04-12 CVE-2023-30530 Jenkins Cleartext Storage of Sensitive Information vulnerability in Jenkins Consul KV Builder

Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

4.3
2023-04-11 CVE-2023-1939 Devolutions Incorrect Permission Assignment for Critical Resource vulnerability in Devolutions Remote Desktop Manager

No access control for the OTP key   on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non admin users to see OTP keys via the user interface.

4.3
2023-04-11 CVE-2022-42469 Fortinet Unspecified vulnerability in Fortinet Fortios

A permissive list of allowed inputs vulnerability [CWE-183] in FortiGate version 7.2.3 and below, version 7.0.9 and below Policy-based NGFW Mode may allow an authenticated SSL-VPN user to bypass the policy via bookmarks in the web portal.

4.3
2023-04-11 CVE-2023-26845 Opencats Cross-Site Request Forgery (CSRF) vulnerability in Opencats 0.9.7

A Cross-Site Request Forgery (CSRF) in OpenCATS 0.9.7 allows attackers to force users into submitting web requests via unspecified vectors.

4.3
2023-04-11 CVE-2023-28301 Microsoft Unspecified vulnerability in Microsoft Edge

Microsoft Edge (Chromium-based) Tampering Vulnerability

4.2

6 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-04-11 CVE-2020-9009 Shipstation Missing Authorization vulnerability in Shipstation

The ShipStation.com plugin 1.1 and earlier for CS-Cart allows remote attackers to insert arbitrary information into the database (via action=shipnotify) because access to this endpoint is completely unchecked.

3.7
2023-04-14 CVE-2023-29383 Shadow Project Injection vulnerability in Shadow Project Shadow 4.13

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger).

3.3
2023-04-11 CVE-2022-46396 ARM Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in ARM products

An issue was discovered in the Arm Mali Kernel Driver.

3.3
2023-04-11 CVE-2023-22808 ARM Out-of-bounds Read vulnerability in ARM products

An issue was discovered in the Arm Android Gralloc Module.

3.3
2023-04-14 CVE-2023-29194 Linuxfoundation Unspecified vulnerability in Linuxfoundation Vitess

Vitess is a database clustering system for horizontal scaling of MySQL.

2.7
2023-04-10 CVE-2022-46717 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

A logic issue was addressed with improved restrictions.

2.4