Weekly Vulnerabilities Reports > April 24 to 30, 2023

Overview

470 new vulnerabilities reported during this period, including 78 critical vulnerabilities and 156 high severity vulnerabilities. This weekly summary report vulnerabilities in 613 products from 206 vendors including IBM, Netgear, Pimcore, Odoo, and Oretnom23. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Path Traversal", and "Classic Buffer Overflow".

  • 385 reported vulnerabilities are remotely exploitables.
  • 226 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 235 reported vulnerabilities are exploitable by an anonymous user.
  • IBM has the most reported vulnerabilities, with 21 reported vulnerabilities.
  • Tenda has the most reported critical vulnerabilities, with 9 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

78 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-04-28 CVE-2023-30856 Edex UI Project Origin Validation Error vulnerability in Edex-Ui Project Edex-Ui

eDEX-UI is a science fiction terminal emulator.

10.0
2023-04-25 CVE-2023-30838 Prestashop Cross-site Scripting vulnerability in Prestashop

PrestaShop is an Open Source e-commerce web application.

9.9
2023-04-30 CVE-2023-2429 Phpmyfaq Improper Access Control vulnerability in PHPmyfaq

Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.13.

9.8
2023-04-29 CVE-2023-2420 Mlecms SQL Injection vulnerability in Mlecms 3.0

A vulnerability was found in MLECMS 3.0.

9.8
2023-04-28 CVE-2023-31470 Smartdns Project Out-of-bounds Write vulnerability in Smartdns Project Smartdns

SmartDNS through 41 before 56d0332 allows an out-of-bounds write because of a stack-based buffer overflow in the _dns_encode_domain function in the dns.c file, via a crafted DNS request.

9.8
2023-04-28 CVE-2023-26781 Chshcms SQL Injection vulnerability in Chshcms Mccms 2.6

SQL injection vulnerability in mccms 2.6 allows remote attackers to run arbitrary SQL commands via Author Center ->Reader Comments ->Search.

9.8
2023-04-28 CVE-2023-26813 Wang Market SQL Injection vulnerability in Wang.Market Wangmarket CMS 4.10

SQL injection vulnerability in com.xnx3.wangmarket.plugin.dataDictionary.controller.DataDictionaryPluginController.java in wangmarket CMS 4.10 allows remote attackers to run arbitrary SQL commands via the TableName parameter to /plugin/dataDictionary/tableView.do.

9.8
2023-04-28 CVE-2023-1966 Illumina Improper Privilege Management vulnerability in Illumina products

Instruments with Illumina Universal Copy Service v1.x and v2.x contain an unnecessary privileges vulnerability.

9.8
2023-04-28 CVE-2023-27973 HP Out-of-bounds Write vulnerability in HP products

Certain HP LaserJet Pro print products are potentially vulnerable to Heap Overflow and/or Remote Code Execution.

9.8
2023-04-28 CVE-2023-27971 HP Classic Buffer Overflow vulnerability in HP products

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Elevation of Privilege.

9.8
2023-04-28 CVE-2023-27972 HP Classic Buffer Overflow vulnerability in HP products

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Remote Code Execution.

9.8
2023-04-28 CVE-2023-0834 Hypr Incorrect Permission Assignment for Critical Resource vulnerability in Hypr Workforce Access

Incorrect Permission Assignment for Critical Resource vulnerability in HYPR Workforce Access on MacOS allows Privilege Escalation.This issue affects Workforce Access: from 6.12 before 8.1.

9.8
2023-04-28 CVE-2023-2370 Online DJ Management System Project SQL Injection vulnerability in Online DJ Management System Project Online DJ Management System 1.0

A vulnerability classified as critical has been found in SourceCodester Online DJ Management System 1.0.

9.8
2023-04-28 CVE-2023-2371 Online DJ Management System Project SQL Injection vulnerability in Online DJ Management System Project Online DJ Management System 1.0

A vulnerability classified as critical was found in SourceCodester Online DJ Management System 1.0.

9.8
2023-04-28 CVE-2022-41397 Sage Use of Hard-coded Credentials vulnerability in Sage 300 2020/2021/2022

The optional Web Screens and Global Search features for Sage 300 through version 2022 use a hard-coded 40-byte blowfish key ("LandlordPassKey") to encrypt and decrypt secrets stored in configuration files and in database tables.

9.8
2023-04-28 CVE-2022-41400 Sage Use of Hard-coded Credentials vulnerability in Sage 300 2020/2021/2022

Sage 300 through 2022 uses a hard-coded 40-byte blowfish key to encrypt and decrypt user passwords and SQL connection strings stored in ISAM database files in the shared data directory.

9.8
2023-04-28 CVE-2023-2367 Faculty Evaluation System Project SQL Injection vulnerability in Faculty Evaluation System Project Faculty Evaluation System 1.0

A vulnerability was found in SourceCodester Faculty Evaluation System 1.0.

9.8
2023-04-28 CVE-2023-2368 Faculty Evaluation System Project SQL Injection vulnerability in Faculty Evaluation System Project Faculty Evaluation System 1.0

A vulnerability was found in SourceCodester Faculty Evaluation System 1.0.

9.8
2023-04-28 CVE-2023-2369 Faculty Evaluation System Project SQL Injection vulnerability in Faculty Evaluation System Project Faculty Evaluation System 1.0

A vulnerability was found in SourceCodester Faculty Evaluation System 1.0.

9.8
2023-04-28 CVE-2023-2365 Faculty Evaluation System Project SQL Injection vulnerability in Faculty Evaluation System Project Faculty Evaluation System 1.0

A vulnerability has been found in SourceCodester Faculty Evaluation System 1.0 and classified as critical.

9.8
2023-04-28 CVE-2023-2366 Faculty Evaluation System Project SQL Injection vulnerability in Faculty Evaluation System Project Faculty Evaluation System 1.0

A vulnerability was found in SourceCodester Faculty Evaluation System 1.0 and classified as critical.

9.8
2023-04-28 CVE-2023-2363 Resort Reservation System Project SQL Injection vulnerability in Resort Reservation System Project Resort Reservation System 1.0

A vulnerability, which was classified as critical, has been found in SourceCodester Resort Reservation System 1.0.

9.8
2023-04-28 CVE-2023-30466 Milesight Weak Password Recovery Mechanism for Forgotten Password vulnerability in Milesight products

This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to a weak password reset mechanism at the Milesight NVR web-based management interface.

9.8
2023-04-28 CVE-2023-30467 Milesight Incorrect Authorization vulnerability in Milesight products

This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to improper authorization at the Milesight NVR web-based management interface.

9.8
2023-04-27 CVE-2023-1967 Keysight Deserialization of Untrusted Data vulnerability in Keysight N8844A 2.1.7351

Keysight N8844A Data Analytics Web Service deserializes untrusted data without sufficiently verifying the resulting data will be valid.

9.8
2023-04-27 CVE-2023-2158 Synopsys Use of Hard-coded Credentials vulnerability in Synopsys Code DX

Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user's account by crafting a custom "Remember Me" token.

9.8
2023-04-27 CVE-2023-2345 Oretnom23 Improper Authorization vulnerability in Oretnom23 Service Provider Management System 1.0

A vulnerability was found in SourceCodester Service Provider Management System 1.0 and classified as critical.

9.8
2023-04-27 CVE-2023-2346 Oretnom23 SQL Injection vulnerability in Oretnom23 Service Provider Management System 1.0

A vulnerability was found in SourceCodester Service Provider Management System 1.0.

9.8
2023-04-27 CVE-2023-2347 Oretnom23 SQL Injection vulnerability in Oretnom23 Service Provider Management System 1.0

A vulnerability was found in SourceCodester Service Provider Management System 1.0.

9.8
2023-04-27 CVE-2023-2348 Oretnom23 SQL Injection vulnerability in Oretnom23 Service Provider Management System 1.0

A vulnerability was found in SourceCodester Service Provider Management System 1.0.

9.8
2023-04-27 CVE-2023-2344 Oretnom23 SQL Injection vulnerability in Oretnom23 Service Provider Management System 1.0

A vulnerability has been found in SourceCodester Service Provider Management System 1.0 and classified as critical.

9.8
2023-04-27 CVE-2023-30349 Jflyfox Unspecified vulnerability in Jflyfox Jfinal CMS 5.1.0

JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function.

9.8
2023-04-27 CVE-2023-1778 Gajshield Insufficiently Protected Credentials vulnerability in Gajshield Data Security Firewall Firmware

This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to insecure default credentials which allows remote attacker to login as superuser by using default username/password via web-based management interface and/or exposed SSH port thereby enabling remote attackers to execute arbitrary commands with administrative/superuser privileges on the targeted systems. The vulnerability has been addressed by forcing the user to change their default password to a new non-default password.

9.8
2023-04-27 CVE-2023-28769 Zyxel Classic Buffer Overflow vulnerability in Zyxel Dx5401-B0 Firmware

The buffer overflow vulnerability in the library “libclinkc.so” of the web server “zhttpd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to execute some OS commands or to cause denial-of-service (DoS) conditions on a vulnerable device.

9.8
2023-04-27 CVE-2022-47758 Nanoleaf Improper Certificate Validation vulnerability in Nanoleaf Firmware 7.1.1

Nanoleaf firmware v7.1.1 and below is missing TLS verification, allowing attackers to execute arbitrary code via a DNS hijacking attack.

9.8
2023-04-27 CVE-2023-20852 Aenrich Deserialization of Untrusted Data vulnerability in Aenrich A+Hrd 6.8.1039V844

aEnrich Technology a+HRD has a vulnerability of Deserialization of Untrusted Data within its MSMQ interpreter.

9.8
2023-04-27 CVE-2023-20853 Aenrich Deserialization of Untrusted Data vulnerability in Aenrich A+Hrd 6.8.1039V844

aEnrich Technology a+HRD has a vulnerability of Deserialization of Untrusted Data within its MSMQ asynchronized message process.

9.8
2023-04-27 CVE-2023-28697 Moxa Missing Authentication for Critical Function vulnerability in Moxa Miineport E1 Firmware 1.7.2

Moxa MiiNePort E1 has a vulnerability of insufficient access control.

9.8
2023-04-26 CVE-2023-30363 Tencent Unspecified vulnerability in Tencent Vconsole 3.15.0

vConsole v3.15.0 was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts.

9.8
2023-04-26 CVE-2023-30845 Google Improper Authentication vulnerability in Google Espv2

ESPv2 is a service proxy that provides API management capabilities using Google Service Infrastructure.

9.8
2023-04-26 CVE-2020-36070 Thecontrolgroup Improper Preservation of Permissions vulnerability in Thecontrolgroup Voyager

Insecure Permission vulnerability found in Yoyager v.1.4 and before allows a remote attacker to execute arbitrary code via a crafted .php file to the media component.

9.8
2023-04-26 CVE-2023-30280 Netgear Classic Buffer Overflow vulnerability in Netgear R6700 Firmware and R6900 Firmware

Buffer Overflow vulnerability found in Netgear R6900 v.1.0.2.26, R6700v3 v.1.0.4.128, R6700 v.1.0.0.26 allows a remote attacker to execute arbitrary code and cause a denial ofservice via the getInputData parameter of the fwSchedule.cgi page.

9.8
2023-04-26 CVE-2023-29268 Tibco Unrestricted Upload of File with Dangerous Type vulnerability in Tibco Spotfire Statistics Services

The Splus Server component of TIBCO Software Inc.'s TIBCO Spotfire Statistics Services contains a vulnerability that allows an unauthenticated remote attacker to upload or modify arbitrary files within the web server directory on the affected system.

9.8
2023-04-26 CVE-2023-30211 Ourphp SQL Injection vulnerability in Ourphp

OURPHP <= 7.2.0 is vulnerable to SQL Injection.

9.8
2023-04-26 CVE-2022-39989 Fighting Cock Information System Project Use of Hard-coded Credentials vulnerability in Fighting Cock Information System Project Fighting Cock Information System 1.0

An issue was discovered in Fighting Cock Information System 1.0, which uses default credentials, but does not force nor prompt the administrators to change the credentials.

9.8
2023-04-26 CVE-2023-24796 Vinga Unspecified vulnerability in Vinga Wr-Ac1200 Firmware 81.102.1.4370

Password vulnerability found in Vinga WR-AC1200 81.102.1.4370 and before allows a remote attacker to execute arbitrary code via the password parameter at the /goform/sysTools and /adm/systools.asp endpoints.

9.8
2023-04-26 CVE-2012-5872 Arc2 Project SQL Injection vulnerability in Arc2 Project Arc2

ARC (aka ARC2) through 2011-12-01 allows blind SQL Injection in getTriplePatternSQL in ARC2_StoreSelectQueryHandler.php via comments in a SPARQL WHERE clause.

9.8
2023-04-26 CVE-2023-27843 ASK FOR A Quote Project SQL Injection vulnerability in ASK for a Quote Project ASK for a Quote

SQL injection vulnerability found in PrestaShop askforaquote v.5.4.2 and before allow a remote attacker to gain privileges via the QuotesProduct::deleteProduct component.

9.8
2023-04-26 CVE-2023-30404 Aigital Unspecified vulnerability in Aigital Wireless-N Repeater Mini Router Firmware 0.131229

Aigital Wireless-N Repeater Mini_Router v0.131229 was discovered to contain a remote code execution (RCE) vulnerability via the sysCmd parameter in the formSysCmd function.

9.8
2023-04-25 CVE-2023-25313 Wwbn OS Command Injection vulnerability in Wwbn Avideo

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbitrary code via the video link field to the Embed a video link feature.

9.8
2023-04-25 CVE-2023-27105 Shanling Path Traversal vulnerability in Shanling Eddict Player and Mtouch OS

A vulnerability in the Wi-Fi file transfer module of Shanling M5S Portable Music Player with Shanling MTouch OS v4.3 and Shanling M2X Portable Music Player with Shanling MTouch OS v3.3 allows attackers to arbitrarily read, delete, or modify any critical system files via directory traversal.

9.8
2023-04-25 CVE-2023-28771 Zyxel OS Command Injection vulnerability in Zyxel products

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.

9.8
2023-04-24 CVE-2023-1020 WP Live Chat Shoutbox Project Unspecified vulnerability in WP Live Chat Shoutbox Project WP Live Chat Shoutbox 1.4.2

The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

9.8
2023-04-24 CVE-2023-26865 Brandsdistribution SQL Injection vulnerability in Brandsdistribution Bdroppy

SQL injection vulnerability found in PrestaShop bdroppy v.2.2.12 and before allowing a remote attacker to gain privileges via the BdroppyCronModuleFrontController::importProducts component.

9.8
2023-04-24 CVE-2023-27848 Broccoli Compass Project Command Injection vulnerability in Broccoli-Compass Project Broccoli-Compass 0.2.4

broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

9.8
2023-04-24 CVE-2023-27849 Rails Routes TO Json Project Command Injection vulnerability in Rails-Routes-To-Json Project Rails-Routes-To-Json 1.0.0

rails-routes-to-json v1.0.0 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

9.8
2023-04-24 CVE-2023-29566 Huedawn Tesseract Project
Dawnsparks Node Tesseract Project
Command Injection vulnerability in multiple products

huedawn-tesseract 0.3.3 and dawnsparks-node-tesseract 0.4.0 to 0.4.1 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

9.8
2023-04-24 CVE-2023-24823 Riot OS Type Confusion vulnerability in Riot-Os Riot

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames.

9.8
2023-04-24 CVE-2023-27524 Apache Insecure Default Initialization of Resource vulnerability in Apache Superset

Session Validation attacks in Apache Superset versions up to and including 2.0.1.

9.8
2023-04-24 CVE-2023-24819 Riot OS Out-of-bounds Write vulnerability in Riot-Os Riot

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames.

9.8
2023-04-24 CVE-2023-30370 Tenda Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.19

In Tenda AC15 V15.03.05.19, the function GetValue contains a stack-based buffer overflow vulnerability.

9.8
2023-04-24 CVE-2023-30371 Tenda Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.19

In Tenda AC15 V15.03.05.19, the function "sub_ED14" contains a stack-based buffer overflow vulnerability.

9.8
2023-04-24 CVE-2023-30372 Tenda Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.19

In Tenda AC15 V15.03.05.19, The function "xkjs_ver32" contains a stack-based buffer overflow vulnerability.

9.8
2023-04-24 CVE-2023-30373 Tenda Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.19

In Tenda AC15 V15.03.05.19, the function "xian_pppoe_user" contains a stack-based buffer overflow vulnerability.

9.8
2023-04-24 CVE-2023-30375 Tenda Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.19

In Tenda AC15 V15.03.05.19, the function "getIfIp" contains a stack-based buffer overflow vulnerability.

9.8
2023-04-24 CVE-2023-30376 Tenda Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.19

In Tenda AC15 V15.03.05.19, the function "henan_pppoe_user" contains a stack-based buffer overflow vulnerability.

9.8
2023-04-24 CVE-2023-30378 Tenda Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.19

In Tenda AC15 V15.03.05.19, the function "sub_8EE8" contains a stack-based buffer overflow vulnerability.

9.8
2023-04-24 CVE-2023-30368 Tenda Out-of-bounds Write vulnerability in Tenda AC5 Firmware 15.03.06.28

Tenda AC5 V15.03.06.28 is vulnerable to Buffer Overflow via the initWebs function.

9.8
2023-04-24 CVE-2023-30369 Tenda Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.19

Tenda AC15 V15.03.05.19 is vulnerable to Buffer Overflow.

9.8
2023-04-24 CVE-2022-48477 Jetbrains Server-Side Request Forgery (SSRF) vulnerability in Jetbrains HUB

In JetBrains Hub before 2023.1.15725 SSRF protection in Auth Module integration was missing

9.8
2023-04-24 CVE-2023-25133 Cyberpower Improper Privilege Management vulnerability in Cyberpower Powerpanel

Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to execute operation system commands via unspecified vectors.

9.8
2023-04-24 CVE-2023-25131 Cyberpower Improper Authentication vulnerability in Cyberpower Powerpanel

Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to log in to the server directly to perform administrative functions.

9.8
2023-04-24 CVE-2023-25132 Cyberpower Unrestricted Upload of File with Dangerous Type vulnerability in Cyberpower Powerpanel

Unrestricted upload of file with dangerous type vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to execute operation system commands via unspecified vectors.

9.8
2023-04-24 CVE-2023-22581 Home Cern Unspecified vulnerability in Home.Cern White Rabbit Switch Firmware

White Rabbit Switch contains a vulnerability which makes it possible for an attacker to perform system commands under the context of the web application (the default installation makes the webserver run as the root user).

9.8
2023-04-24 CVE-2023-31060 Repetier Server Unspecified vulnerability in Repetier-Server

Repetier Server through 1.4.10 executes as SYSTEM.

9.8
2023-04-24 CVE-2023-28131 Expo Insufficiently Protected Credentials vulnerability in Expo Software Development KIT 45.0.0/46.0.0/47.0.0

A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-in.

9.6
2023-04-25 CVE-2021-44547 Odoo Unspecified vulnerability in Odoo

A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to executed arbitrary code, leading to privilege escalation.

9.1
2023-04-24 CVE-2023-30613 Kiwitcms Unrestricted Upload of File with Dangerous Type vulnerability in Kiwitcms Kiwi Tcms

Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc.

9.0

156 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-04-29 CVE-2023-2424 Dedecms Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.7.106

A vulnerability was found in DedeCMS 5.7.106 and classified as critical.

8.8
2023-04-28 CVE-2023-24269 Textpattern Unrestricted Upload of File with Dangerous Type vulnerability in Textpattern 4.8.8

An arbitrary file upload vulnerability in the plugin upload function of Textpattern v4.8.8 allows attackers to execute arbitrary code via a crafted Zip file.

8.8
2023-04-28 CVE-2023-29057 Lenovo Unspecified vulnerability in Lenovo products

A valid XCC user's local account permissions overrides their active directory permissions under specific configurations.

8.8
2023-04-28 CVE-2023-2376 UI Command Injection vulnerability in UI Er-X-Sfp Firmware and Er-X Firmware

A vulnerability was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6.

8.8
2023-04-28 CVE-2023-2377 UI Command Injection vulnerability in UI Er-X-Sfp Firmware and Er-X Firmware

A vulnerability was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6.

8.8
2023-04-28 CVE-2023-2378 UI Command Injection vulnerability in UI Er-X-Sfp Firmware and Er-X Firmware

A vulnerability was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6.

8.8
2023-04-28 CVE-2023-30854 Wwbn OS Command Injection vulnerability in Wwbn Avideo

AVideo is an open source video platform.

8.8
2023-04-28 CVE-2023-1477 Hypr Improper Authentication vulnerability in Hypr Keycloak Authenticator

Improper Authentication vulnerability in HYPR Keycloak Authenticator Extension allows Authentication Abuse.This issue affects HYPR Keycloak Authenticator Extension: before 7.10.2, before 8.0.3.

8.8
2023-04-28 CVE-2023-29815 Chshcms Cross-Site Request Forgery (CSRF) vulnerability in Chshcms Mccms 2.6.3

mccms v2.6.3 is vulnerable to Cross Site Request Forgery (CSRF).

8.8
2023-04-28 CVE-2023-2374 UI Command Injection vulnerability in UI Er-X-Sfp Firmware and Er-X Firmware

A vulnerability has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6 and classified as critical.

8.8
2023-04-28 CVE-2023-2375 UI Command Injection vulnerability in UI Er-X-Sfp Firmware and Er-X Firmware

A vulnerability was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6 and classified as critical.

8.8
2023-04-28 CVE-2023-2373 UI Command Injection vulnerability in UI Edgemax Edgerouter Firmware 2.0.9

A vulnerability, which was classified as critical, was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6.

8.8
2023-04-27 CVE-2023-28384 Myscada OS Command Injection vulnerability in Myscada Mypro

mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands.

8.8
2023-04-27 CVE-2023-28400 Myscada OS Command Injection vulnerability in Myscada Mypro

mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands.

8.8
2023-04-27 CVE-2023-28716 Myscada OS Command Injection vulnerability in Myscada Mypro

mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands.

8.8
2023-04-27 CVE-2023-29150 Myscada OS Command Injection vulnerability in Myscada Mypro

mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands.

8.8
2023-04-27 CVE-2023-29169 Myscada OS Command Injection vulnerability in Myscada Mypro

mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands.

8.8
2023-04-27 CVE-2023-25437 Vtech Cleartext Transmission of Sensitive Information vulnerability in Vtech Vcs754A Firmware

An issue was discovered in vTech VCS754 version 1.1.1.A before 1.1.1.H, allows attackers to gain escalated privileges and gain sensitive information due to cleartext passwords passed in the raw HTML.

8.8
2023-04-27 CVE-2023-30624 Bytecodealliance Reliance on Undefined, Unspecified, or Implementation-Defined Behavior vulnerability in Bytecodealliance Wasmtime

Wasmtime is a standalone runtime for WebAssembly.

8.8
2023-04-27 CVE-2023-30850 Pimcore SQL Injection vulnerability in Pimcore

Pimcore is an open source data and experience management platform.

8.8
2023-04-27 CVE-2023-30848 Pimcore SQL Injection vulnerability in Pimcore

Pimcore is an open source data and experience management platform.

8.8
2023-04-27 CVE-2023-30849 Pimcore SQL Injection vulnerability in Pimcore

Pimcore is an open source data and experience management platform.

8.8
2023-04-27 CVE-2023-2338 Pimcore SQL Injection vulnerability in Pimcore

SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.21.

8.8
2023-04-27 CVE-2023-24836 SUN NET Path Traversal vulnerability in Sun.Net Ctms 7.01227

SUNNET CTMS has vulnerability of path traversal within its file uploading function.

8.8
2023-04-26 CVE-2023-27107 MYQ Solution Incorrect Authorization vulnerability in Myq-Solution Central Server and Print Server

Incorrect access control in the runReport function of MyQ Solution Print Server before 8.2 Patch 32 and Central Server before 8.2 Patch 22 allows users who do not have appropriate access rights to generate internal reports using a direct URL.

8.8
2023-04-26 CVE-2023-30266 Cltphp Unrestricted Upload of File with Dangerous Type vulnerability in Cltphp 6.0

CLTPHP <=6.0 is vulnerable to Unrestricted Upload of File with Dangerous Type.

8.8
2023-04-25 CVE-2023-20872 Vmware Out-of-bounds Write vulnerability in VMWare Fusion and Workstation

VMware Workstation and Fusion contain an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation.

8.8
2023-04-25 CVE-2022-40724 Pingidentity Cross-Site Request Forgery (CSRF) vulnerability in Pingidentity Pingfederate 10.3.0/10.3.4/11.0.0

The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.

8.8
2023-04-25 CVE-2023-30839 Prestashop SQL Injection vulnerability in Prestashop

PrestaShop is an Open Source e-commerce web application.

8.8
2023-04-24 CVE-2023-30623 WIP Project Command Injection vulnerability in WIP Project WIP

`embano1/wip` is a GitHub Action written in Bash.

8.8
2023-04-24 CVE-2023-30628 Kiwitcms OS Command Injection vulnerability in Kiwitcms Kiwi Tcms

Kiwi TCMS is an open source test management system.

8.8
2023-04-24 CVE-2023-2258 ALF Improper Neutralization of Formula Elements in a CSV File vulnerability in ALF

Improper Neutralization of Formula Elements in a CSV File in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.

8.8
2023-04-24 CVE-2023-2260 ALF Authorization Bypass Through User-Controlled Key vulnerability in ALF

Authorization Bypass Through User-Controlled Key in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.

8.8
2023-04-24 CVE-2023-0388 Random Text Project SQL Injection vulnerability in Random Text Project Random Text 0.3.0

The Random Text WordPress plugin through 0.3.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers.

8.8
2023-04-24 CVE-2023-27991 Zyxel OS Command Injection vulnerability in Zyxel products

The post-authentication command injection vulnerability in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker to execute some OS commands remotely.

8.8
2023-04-24 CVE-2023-26060 Nokia Code Injection vulnerability in Nokia Netact 18A

An issue was discovered in Nokia NetAct before 22 FP2211.

8.8
2023-04-24 CVE-2023-30622 Clusternet Improper Privilege Management vulnerability in Clusternet

Clusternet is a general-purpose system for controlling Kubernetes clusters across different environments.

8.8
2023-04-24 CVE-2023-29849 Hockeycomputindo SQL Injection vulnerability in Hockeycomputindo Bang Resto 1.0

Bang Resto 1.0 was discovered to contain multiple SQL injection vulnerabilities via the btnMenuItemID, itemID, itemPrice, menuID, staffID, or itemqty parameter.

8.8
2023-04-24 CVE-2023-29578 Mp4V2 Project Out-of-bounds Write vulnerability in Mp4V2 Project Mp4V2 2.0.0

mp4v2 v2.0.0 was discovered to contain a heap buffer overflow via the mp4v2::impl::MP4StringProperty::~MP4StringProperty() function at src/mp4property.cpp.

8.8
2023-04-24 CVE-2023-31061 Repetier Server Cross-Site Request Forgery (CSRF) vulnerability in Repetier-Server

Repetier Server through 1.4.10 does not have CSRF protection.

8.8
2023-04-25 CVE-2021-23166 Odoo Unspecified vulnerability in Odoo

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.

8.7
2023-04-25 CVE-2021-23186 Odoo Unspecified vulnerability in Odoo

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system.

8.7
2023-04-26 CVE-2022-41739 IBM Unspecified vulnerability in IBM Spectrum Scale Container Native Storage Access 5.1.4.1

IBM Spectrum Scale (IBM Spectrum Scale Container Native Storage Access 5.1.2.1 through 5.1.6.0) could allow programs running inside the container to overcome isolation mechanism and gain additional capabilities or access sensitive information on the host.

8.4
2023-04-27 CVE-2023-30847 Dena Access of Uninitialized Pointer vulnerability in Dena H2O

H2O is an HTTP server.

8.2
2023-04-25 CVE-2023-20869 Vmware Out-of-bounds Write vulnerability in VMWare Fusion and Workstation

VMware Workstation (17.x) and VMware Fusion (13.x) contain a stack-based buffer-overflow vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.

8.2
2023-04-29 CVE-2023-31484 Cpanpm Project
Perl
Improper Certificate Validation vulnerability in multiple products

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

8.1
2023-04-29 CVE-2023-31486 Http
Perl
Improper Certificate Validation vulnerability in multiple products

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

8.1
2023-04-27 CVE-2023-21712 Microsoft Race Condition vulnerability in Microsoft products

Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

8.1
2023-04-27 CVE-2023-2297 Cozmoslabs Improper Authentication vulnerability in Cozmoslabs Profile Builder

The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0.

8.1
2023-04-26 CVE-2023-26567 Sangoma Insufficiently Protected Credentials vulnerability in Sangoma Freepbx Linux 7

Sangoma FreePBX 1805 through 2302 (when obtained as a ,.ISO file) places AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS in the list of global variables.

8.1
2023-04-26 CVE-2023-28008 Hcltech XXE vulnerability in Hcltech Workload Automation 10.1.0/9.4.0/9.5.0

HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

8.1
2023-04-26 CVE-2023-28009 Hcltech XXE vulnerability in Hcltech Workload Automation 10.1.0/9.4.0/9.5.0

HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

8.1
2023-04-26 CVE-2023-30269 Cltphp Improper Input Validation vulnerability in Cltphp 6.0

CLTPHP <=6.0 is vulnerable to Improper Input Validation via application/admin/controller/Template.php.

8.1
2023-04-25 CVE-2021-45111 Odoo Unspecified vulnerability in Odoo

Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.

8.1
2023-04-24 CVE-2023-30626 Jellyfin Path Traversal vulnerability in Jellyfin

Jellyfin is a free-software media system.

8.1
2023-04-24 CVE-2023-22913 Zyxel Command Injection vulnerability in Zyxel products

A post-authentication command injection vulnerability in the “account_operator.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote authenticated attacker to modify device configuration data, resulting in denial-of-service (DoS) conditions on an affected device.

8.1
2023-04-24 CVE-2023-22916 Zyxel Unspecified vulnerability in Zyxel products

The configuration parser of Zyxel ATP series firmware versions 5.10 through 5.35, USG FLEX series firmware versions 5.00 through 5.35, USG FLEX 50(W) firmware versions 5.10 through 5.35, USG20(W)-VPN firmware versions 5.10 through 5.35, and VPN series firmware versions 5.00 through 5.35, which fails to properly sanitize user input.

8.1
2023-04-29 CVE-2022-41736 IBM Unspecified vulnerability in IBM Spectrum Scale Container Native Storage Access 5.1.4.1

IBM Spectrum Scale Container Native Storage Access 5.1.2.1 through 5.1.6.0 contains an unspecified vulnerability that could allow a local user to obtain root privileges.

7.8
2023-04-29 CVE-2023-2417 KS Soft Unquoted Search Path or Element vulnerability in Ks-Soft Advanced Host Monitor 12.56

A vulnerability was found in ks-soft Advanced Host Monitor up to 12.56 and classified as problematic.

7.8
2023-04-28 CVE-2023-25496 Lenovo Unspecified vulnerability in Lenovo Drivers Management 2.7.1128.1046

A privilege escalation vulnerability was reported in Lenovo Drivers Management Lenovo Driver Manager that could allow a local user to execute code with elevated privileges.

7.8
2023-04-28 CVE-2022-38583 Sage Incorrect Default Permissions vulnerability in Sage 300 2020/2021/2022

On versions of Sage 300 2017 - 2022 (6.4.x - 6.9.x) which are setup in a "Windows Peer-to-Peer Network" or "Client Server Network" configuration, a low-privileged Sage 300 workstation user could abuse their access to the "SharedData" folder on the connected Sage 300 server to view and/or modify the credentials associated with Sage 300 users and SQL accounts to impersonate users and/or access the SQL database as a system administrator.

7.8
2023-04-28 CVE-2022-48481 Jetbrains Insufficient Control Flow Management vulnerability in Jetbrains Toolbox

In JetBrains Toolbox App before 1.28 a DYLIB injection on macOS was possible

7.8
2023-04-28 CVE-2023-28528 IBM OS Command Injection vulnerability in IBM AIX and Vios

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the invscout command to execute arbitrary commands.

7.8
2023-04-28 CVE-2023-31436 Linux Out-of-bounds Write vulnerability in Linux Kernel

qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.

7.8
2023-04-27 CVE-2022-37326 Docker Unspecified vulnerability in Docker Desktop

Docker Desktop for Windows before 4.6.0 allows attackers to delete (or create) any file through the dockerBackendV2 windowscontainers/start API by controlling the pidfile field inside the DaemonJSON field in the WindowsContainerStartRequest class.

7.8
2023-04-27 CVE-2023-2355 Acronis Uncontrolled Search Path Element vulnerability in Acronis Snap Deploy 6

Local privilege escalation due to a DLL hijacking vulnerability.

7.8
2023-04-27 CVE-2023-2331 42Gears Unquoted Search Path or Element vulnerability in 42Gears Surelock

Unquoted service Path or Element vulnerability in 42Gears Surelock Windows SureLock Service (NixService.Exe) on Windows application will allows to insert arbitrary code into the service. This issue affects Surelock Windows : from 2.3.12 through 2.40.0.

7.8
2023-04-27 CVE-2023-31287 Serenity Weak Password Recovery Mechanism for Forgotten Password vulnerability in Serenity Serene and Startsharp

An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0.

7.8
2023-04-27 CVE-2023-26243 Hyundai Exposure of Resource to Wrong Sphere vulnerability in Hyundai Gen5W L In-Vehicle Infotainment System Firmware 5W.Xxx.S5Wl.001.001.221129/Aeepeeur.S5Wl001.001.211214

An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214.

7.8
2023-04-27 CVE-2023-26244 Hyundai Improper Privilege Management vulnerability in Hyundai Gen5W L In-Vehicle Infotainment System Firmware 5W.Xxx.S5Wl.001.001.221129/Aeepeeur.S5Wl001.001.211214

An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214.

7.8
2023-04-27 CVE-2023-26245 Hyundai Improper Privilege Management vulnerability in Hyundai Gen5W L In-Vehicle Infotainment System Firmware 5W.Xxx.S5Wl.001.001.221129/Aeepeeur.S5Wl001.001.211214

An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214.

7.8
2023-04-27 CVE-2023-26246 Hyundai Improper Privilege Management vulnerability in Hyundai Gen5W L In-Vehicle Infotainment System Firmware 5W.Xxx.S5Wl.001.001.221129/Aeepeeur.S5Wl001.001.211214

An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214.

7.8
2023-04-26 CVE-2023-2291 Zohocorp Unspecified vulnerability in Zohocorp products

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360.

7.8
2023-04-26 CVE-2023-29596 Cmix Project Classic Buffer Overflow vulnerability in Cmix Project Cmix 19

Buffer Overflow vulnerability found in ByronKnoll Cmix v.19 allows an attacker to execute arbitrary code and cause a denial of service via the paq8 function.

7.8
2023-04-26 CVE-2023-29835 Wondershare Unspecified vulnerability in Wondershare Dr.Fone 12.9.6

Insecure Permission vulnerability found in Wondershare Dr.Fone v.12.9.6 allows a remote attacker to escalate privileges via the service permission function.

7.8
2023-04-26 CVE-2023-26286 IBM Unspecified vulnerability in IBM AIX and Vios

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX runtime services library to execute arbitrary commands.

7.8
2023-04-25 CVE-2023-20871 Vmware Unspecified vulnerability in VMWare Fusion

VMware Fusion contains a local privilege escalation vulnerability.

7.8
2023-04-25 CVE-2023-29007 GIT SCM
Fedoraproject
Injection vulnerability in multiple products

Git is a revision control system.

7.8
2023-04-25 CVE-2023-29011 GIT FOR Windows Project Uncontrolled Search Path Element vulnerability in GIT for Windows Project GIT for Windows

Git for Windows, the Windows port of Git, ships with an executable called `connect.exe`, which implements a SOCKS5 proxy that can be used to connect e.g.

7.8
2023-04-25 CVE-2023-29012 GIT FOR Windows Project Uncontrolled Search Path Element vulnerability in GIT for Windows Project GIT for Windows

Git for Windows is the Windows port of Git.

7.8
2023-04-25 CVE-2023-30549 Lfprojects
Sylabs
Redhat
Use After Free vulnerability in multiple products

Apptainer is an open source container platform for Linux.

7.8
2023-04-25 CVE-2023-28088 HP Insufficiently Protected Credentials vulnerability in HP Oneview

An HPE OneView appliance dump may expose SAN switch administrative credentials

7.8
2023-04-25 CVE-2022-31244 Nokia Incorrect Default Permissions vulnerability in Nokia One-Network Directory Server 17R2

Nokia OneNDS 17r2 has Insecure Permissions vulnerability that allows for privilege escalation.

7.8
2023-04-25 CVE-2022-42335 XEN
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

x86 shadow paging arbitrary pointer dereference In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode.

7.8
2023-04-25 CVE-2023-25348 Churchcrm Improper Neutralization of Formula Elements in a CSV File vulnerability in Churchcrm 4.5.3

ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person.

7.8
2023-04-25 CVE-2023-26098 Telindus Unrestricted Upload of File with Dangerous Type vulnerability in Telindus Apsal 3.14.2022.235B

An issue was discovered in the Open Document feature in Telindus Apsal 3.14.2022.235 b.

7.8
2023-04-24 CVE-2023-2007 Linux
Debian
Netapp
Improper Locking vulnerability in multiple products

The specific flaw exists within the DPT I2O Controller driver.

7.8
2023-04-24 CVE-2023-2257 Devolutions Incorrect Authorization vulnerability in Devolutions Workspace

Authentication Bypass in Hub Business integration in Devolutions Workspace Desktop 2023.1.1.3 and earlier on Windows and macOS allows an attacker with access to the user interface to unlock a Hub Business space without being prompted to enter the password via an unimplemented "Force Login" security feature. This vulnerability occurs only if "Force Login" feature is enabled on the Hub Business instance and that an attacker has access to a locked Workspace desktop application configured with a Hub Business space.

7.8
2023-04-24 CVE-2023-30533 Sheetjs Unspecified vulnerability in Sheetjs

SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file.

7.8
2023-04-29 CVE-2023-30441 IBM Unspecified vulnerability in IBM products

IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations.

7.5
2023-04-28 CVE-2023-31483 Cauldrondevelopment Path Traversal vulnerability in Cauldrondevelopment Cbang

tar/TarFileReader.cpp in Cauldron cbang before bastet-v8.1.17 has a directory traversal during extraction that allows the attacker to create or write to files outside the current directory via a crafted tar archive.

7.5
2023-04-28 CVE-2023-30858 Denosaurs Unspecified vulnerability in Denosaurs Emoji

The Denosaurs emoji package provides emojis for dinosaurs.

7.5
2023-04-28 CVE-2023-31444 Talend Unspecified vulnerability in Talend Studio

In Talend Studio before 7.3.1-R2022-10 and 8.x before 8.0.1-R2022-09, microservices allow unauthenticated access to the Jolokia endpoint of the microservice.

7.5
2023-04-28 CVE-2023-1968 Illumina Unspecified vulnerability in Illumina products

Instruments with Illumina Universal Copy Service v2.x are vulnerable due to binding to an unrestricted IP address.

7.5
2023-04-28 CVE-2023-26021 IBM Improper Input Validation vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause.

7.5
2023-04-28 CVE-2023-26022 IBM Improper Input Validation vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash when an Out of Memory occurs using the DBMS_OUTPUT module.

7.5
2023-04-28 CVE-2023-27555 IBM Improper Input Validation vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5 is vulnerable to a denial of service when attempting to use ACR client affinity for unfenced DRDA federation wrappers.

7.5
2023-04-28 CVE-2023-30455 Ebankit Unspecified vulnerability in Ebankit

An issue was discovered in ebankIT before 7.

7.5
2023-04-28 CVE-2023-2379 UI Improper Resource Shutdown or Release vulnerability in UI Er-X-Sfp Firmware and Er-X Firmware

A vulnerability classified as critical has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6.

7.5
2023-04-28 CVE-2022-41398 Sage Use of Hard-coded Credentials vulnerability in Sage 300 2020/2021/2022

The optional Global Search feature for Sage 300 through version 2022 uses a set of hard-coded credentials for the accompanying Apache Solr instance.

7.5
2023-04-28 CVE-2022-41399 Sage Use of Hard-coded Credentials vulnerability in Sage 300 2020/2021/2022

The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte blowfish key ("PASS_KEY") to encrypt and decrypt the database connection string for the PORTAL database found in the "dbconfig.xml".

7.5
2023-04-28 CVE-2023-2360 Acronis Unspecified vulnerability in Acronis Cyber Infrastructure

Sensitive information disclosure due to CORS misconfiguration.

7.5
2023-04-28 CVE-2023-28882 Trustwave Resource Exhaustion vulnerability in Trustwave Modsecurity 3.0.5/3.0.6

Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.

7.5
2023-04-28 CVE-2023-27557 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Safer Payments

IBM Counter Fraud Management for Safer Payments 6.1.0.00 through 6.1.1.02, 6.2.0.00 through 6.2.2.02, 6.3.0.00 through 6.3.1.02, 6.4.0.00 through 6.4.2.01, and 6.5.0.00 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2023-04-28 CVE-2023-27556 IBM Allocation of Resources Without Limits or Throttling vulnerability in IBM Safer Payments

IBM Counter Fraud Management for Safer Payments 6.1.0.00, 6.2.0.00, 6.3.0.00 through 6.3.1.03, 6.4.0.00 through 6.4.2.02 and 6.5.0.00 does not properly allocate resources without limits or throttling which could allow a remote attacker to cause a denial of service.

7.5
2023-04-28 CVE-2023-2356 Lfprojects Relative Path Traversal vulnerability in Lfprojects Mlflow

Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.

7.5
2023-04-27 CVE-2023-30380 Dedecms Path Traversal vulnerability in Dedecms 5.7.107

An issue in the component /dialog/select_media.php of DedeCMS v5.7.107 allows attackers to execute a directory traversal.

7.5
2023-04-27 CVE-2023-2335 42Gears Insufficiently Protected Credentials vulnerability in 42Gears Surelock

Plaintext Password in Registry vulnerability in 42gears surelock windows surelockwinsetupv2.40.0.Exe on Windows (Registery modules) allows Retrieve Admin user credentials This issue affects surelock windows: from 2.3.12 through 2.40.0.

7.5
2023-04-27 CVE-2023-29255 IBM Improper Input Validation vulnerability in IBM DB2

IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as it may trap when compiling a variation of an anonymous block.

7.5
2023-04-27 CVE-2023-28770 Zyxel Unspecified vulnerability in Zyxel Dx5401-B0 Firmware

The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.

7.5
2023-04-26 CVE-2023-30846 Microsoft Unspecified vulnerability in Microsoft Typed-Rest-Client

typed-rest-client is a library for Node Rest and Http Clients with typings for use with TypeScript.

7.5
2023-04-26 CVE-2022-45456 Acronis Unspecified vulnerability in Acronis Agent

Denial of service due to unauthenticated API endpoint.

7.5
2023-04-26 CVE-2023-27559 IBM Improper Input Validation vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may crash when using a specially crafted subquery.

7.5
2023-04-26 CVE-2022-44232 Libming Classic Buffer Overflow vulnerability in Libming 0.4.8

libming 0.4.8 0.4.8 is vulnerable to Buffer Overflow.

7.5
2023-04-26 CVE-2023-30546 Contiki NG Off-by-one Error vulnerability in Contiki-Ng

Contiki-NG is an operating system for Internet of Things devices.

7.5
2023-04-26 CVE-2022-27978 Tooljet Improper Handling of Exceptional Conditions vulnerability in Tooljet 1.6

Tooljet v1.6 does not properly handle missing values in the API, allowing attackers to arbitrarily reset passwords via a crafted HTTP request.

7.5
2023-04-26 CVE-2022-25273 Drupal Improper Input Validation vulnerability in Drupal

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation.

7.5
2023-04-26 CVE-2022-25275 Drupal Unspecified vulnerability in Drupal

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

7.5
2023-04-26 CVE-2023-1387 Grafana Unspecified vulnerability in Grafana

Grafana is an open-source platform for monitoring and observability.

7.5
2023-04-26 CVE-2023-30112 Medicine Tracker System Project SQL Injection vulnerability in Medicine Tracker System Project Medicine Tracker System 1.0.0

Medicine Tracker System in PHP 1.0.0 is vulnerable to SQL Injection.

7.5
2023-04-26 CVE-2023-2273 Rapid7 Path Traversal vulnerability in Rapid7 Insight Agent

Rapid7 Insight Agent token handler versions 3.2.6 and below, suffer from a Directory Traversal vulnerability whereby unsanitized input from a CLI argument flows into io.ioutil.WriteFile, where it is used as a path.

7.5
2023-04-26 CVE-2023-26735 Prometheus Server-Side Request Forgery (SSRF) vulnerability in Prometheus Blackbox Exporter 0.23.0

blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface.

7.5
2023-04-25 CVE-2023-0045 Linux
Debian
Netapp
Externally Controlled Reference to a Resource in Another Sphere vulnerability in multiple products

The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall.

7.5
2023-04-25 CVE-2023-25652 GIT SCM
Fedoraproject
Path Traversal vulnerability in multiple products

Git is a revision control system.

7.5
2023-04-25 CVE-2021-23178 Odoo Unspecified vulnerability in Odoo

Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim's payment method to be charged instead.

7.5
2023-04-25 CVE-2021-23203 Odoo Unspecified vulnerability in Odoo 14.0/15.0

Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.

7.5
2023-04-25 CVE-2023-23837 Solarwinds Improper Handling of Exceptional Conditions vulnerability in Solarwinds Database Performance Analyzer

No exception handling vulnerability which revealed sensitive or excessive information to users.

7.5
2023-04-25 CVE-2023-28847 Nextcloud Improper Restriction of Excessive Authentication Attempts vulnerability in Nextcloud Server

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform.

7.5
2023-04-25 CVE-2023-29552 Netapp
Suse
Vmware
Service Location Protocol Project
The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated, remote attacker to register arbitrary services.
7.5
2023-04-25 CVE-2023-29779 Sengled Unspecified vulnerability in Sengled E1E-G7F Firmware 0.0.9

Sengled Dimmer Switch V0.0.9 contains a denial of service (DOS) vulnerability, which allows a remote attacker to send malicious Zigbee messages to a vulnerable device and cause crashes.

7.5
2023-04-24 CVE-2023-30629 Vyperlang Always-Incorrect Control Flow Implementation vulnerability in Vyperlang Vyper

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine.

7.5
2023-04-24 CVE-2023-29780 3Reality Improper Input Validation vulnerability in 3Reality 3Rsb015Bz Firmware 1.00.54

Third Reality Smart Blind 1.00.54 contains a denial-of-service vulnerability, which allows a remote attacker to send malicious Zigbee messages to a vulnerable device and cause crashes.

7.5
2023-04-24 CVE-2023-22915 Zyxel Classic Buffer Overflow vulnerability in Zyxel products

A buffer overflow vulnerability in the “fbwifi_forward.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.30 through 5.35, USG20(W)-VPN firmware versions 4.30 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote unauthenticated attacker to cause DoS conditions by sending a crafted HTTP request if the Facebook WiFi function were enabled on an affected device.

7.5
2023-04-24 CVE-2023-22917 Zyxel Classic Buffer Overflow vulnerability in Zyxel products

A buffer overflow vulnerability in the “sdwan_iface_ipc” binary of Zyxel ATP series firmware versions 5.10 through 5.32, USG FLEX series firmware versions 5.00 through 5.32, USG FLEX 50(W) firmware versions 5.10 through 5.32, USG20(W)-VPN firmware versions 5.10 through 5.32, and VPN series firmware versions 5.00 through 5.35, which could allow a remote unauthenticated attacker to cause a core dump with a request error message on a vulnerable device by uploading a crafted configuration file.

7.5
2023-04-24 CVE-2023-24821 Riot OS Integer Underflow (Wrap or Wraparound) vulnerability in Riot-Os Riot

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames.

7.5
2023-04-24 CVE-2023-24822 Riot OS NULL Pointer Dereference vulnerability in Riot-Os Riot

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames.

7.5
2023-04-24 CVE-2023-24818 Riot OS NULL Pointer Dereference vulnerability in Riot-Os Riot

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames.

7.5
2023-04-24 CVE-2023-24820 Riot OS Integer Underflow (Wrap or Wraparound) vulnerability in Riot-Os Riot

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames.

7.5
2023-04-24 CVE-2023-29480 Ribose Cleartext Storage of Sensitive Information vulnerability in Ribose RNP

Ribose RNP before 0.16.3 sometimes lets secret keys remain unlocked after use.

7.5
2023-04-24 CVE-2023-2251 Yaml Project Uncaught Exception vulnerability in Yaml Project Yaml

Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5.

7.5
2023-04-24 CVE-2022-48476 Jetbrains Path Traversal vulnerability in Jetbrains Ktor

In JetBrains Ktor before 2.3.0 path traversal in the `resolveResource` method was possible

7.5
2023-04-24 CVE-2023-22577 Home Cern Unspecified vulnerability in Home.Cern White Rabbit Switch Firmware

Within White Rabbit Switch it's possible as an unauthenticated user to retrieve sensitive information such as password hashes and the SNMP community strings.

7.5
2023-04-24 CVE-2023-31059 Repetier Server Path Traversal vulnerability in Repetier-Server

Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php.

7.5
2023-04-29 CVE-2023-2419 Crmeb Unrestricted Upload of File with Dangerous Type vulnerability in Crmeb 4.6.0

A vulnerability was found in Zhong Bang CRMEB 4.6.0.

7.2
2023-04-26 CVE-2022-25277 Drupal Unrestricted Upload of File with Dangerous Type vulnerability in Drupal

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).

7.2
2023-04-26 CVE-2023-29257 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to remote code execution as a database administrator of one database may execute code or read/write files from another database within the same instance.

7.2
2023-04-26 CVE-2022-36769 IBM Unrestricted Upload of File with Dangerous Type vulnerability in IBM Cloud PAK for Data 4.5/4.6

IBM Cloud Pak for Data 4.5 and 4.6 could allow a privileged user to upload malicious files of dangerous types that can be automatically processed within the product's environment.

7.2
2023-04-25 CVE-2022-45291 Pwsdashboard Use of Hard-coded Credentials vulnerability in Pwsdashboard Personal Weather Station Dashboard

PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php.

7.2
2023-04-24 CVE-2023-2259 ALF Code Injection vulnerability in ALF

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.

7.2
2023-04-24 CVE-2023-22914 Zyxel Path Traversal vulnerability in Zyxel products

A path traversal vulnerability in the “account_print.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote authenticated attacker with administrator privileges to execute unauthorized OS commands in the “tmp” directory by uploading a crafted file if the hotspot function were enabled.

7.2
2023-04-24 CVE-2023-1731 Meinbergglobal Unrestricted Upload of File with Dangerous Type vulnerability in Meinbergglobal Lantime Firmware

In Meinbergs LTOS versions prior to V7.06.013, the configuration file upload function would not correctly validate the input, which would allow an remote authenticated attacker with high privileges to execute arbitrary commands.

7.2
2023-04-27 CVE-2022-31647 Docker Link Following vulnerability in Docker Desktop

Docker Desktop before 4.6.0 on Windows allows attackers to delete any file through the hyperv/destroy dockerBackendV2 API via a symlink in the DataFolder parameter, a different vulnerability than CVE-2022-26659.

7.1
2023-04-27 CVE-2022-34292 Docker Link Following vulnerability in Docker Desktop

Docker Desktop for Windows before 4.6.0 allows attackers to overwrite any file through a symlink attack on the hyperv/create dockerBackendV2 API by controlling the DataFolder parameter for DockerDesktop.vhdx, a similar issue to CVE-2022-31647.

7.1
2023-04-25 CVE-2023-28089 HP Insufficiently Protected Credentials vulnerability in HP Oneview

An HPE OneView appliance dump may expose FTP credentials for c7000 Interconnect Modules

7.1
2023-04-24 CVE-2023-26099 Telindus Unspecified vulnerability in Telindus Apsal 3.14.2022.235B

An issue was discovered in Telindus Apsal 3.14.2022.235 b.

7.1
2023-04-24 CVE-2023-2006 Linux
Netapp
Race Condition vulnerability in multiple products

A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles.

7.0

232 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-04-25 CVE-2021-44476 Odoo Unspecified vulnerability in Odoo

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files.

6.8
2023-04-24 CVE-2023-2250 Linuxfoundation Unspecified vulnerability in Linuxfoundation Open Cluster Management

A flaw was found in the Open Cluster Management (OCM) when a user have access to the worker nodes which has the cluster-manager-registration-controller or cluster-manager deployments.

6.7
2023-04-28 CVE-2023-30024 Magicjack Improper Privilege Management vulnerability in Magicjack A921 Firmware 1.4

The MagicJack device, a VoIP solution for internet phone calls, contains a hidden NAND flash memory partition allowing unauthorized read/write access.

6.6
2023-04-29 CVE-2023-2412 Oretnom23 SQL Injection vulnerability in Oretnom23 AC Repair and Services System 1.0

A vulnerability was found in SourceCodester AC Repair and Services System 1.0.

6.5
2023-04-29 CVE-2023-2413 Oretnom23 SQL Injection vulnerability in Oretnom23 AC Repair and Services System 1.0

A vulnerability was found in SourceCodester AC Repair and Services System 1.0.

6.5
2023-04-28 CVE-2023-2408 Oretnom23 SQL Injection vulnerability in Oretnom23 AC Repair and Services System 1.0

A vulnerability, which was classified as critical, has been found in SourceCodester AC Repair and Services System 1.0.

6.5
2023-04-28 CVE-2023-2409 Oretnom23 SQL Injection vulnerability in Oretnom23 AC Repair and Services System 1.0

A vulnerability, which was classified as critical, was found in SourceCodester AC Repair and Services System 1.0.

6.5
2023-04-28 CVE-2023-2410 Oretnom23 SQL Injection vulnerability in Oretnom23 AC Repair and Services System 1.0

A vulnerability has been found in SourceCodester AC Repair and Services System 1.0 and classified as critical.

6.5
2023-04-28 CVE-2023-2411 Oretnom23 SQL Injection vulnerability in Oretnom23 AC Repair and Services System 1.0

A vulnerability was found in SourceCodester AC Repair and Services System 1.0 and classified as critical.

6.5
2023-04-28 CVE-2023-29058 Lenovo Unspecified vulnerability in Lenovo products

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI.

6.5
2023-04-28 CVE-2023-26782 Chshcms Code Injection vulnerability in Chshcms Mccms 2.6.1

An issue discovered in mccms 2.6.1 allows remote attackers to cause a denial of service via Backend management interface ->System Configuration->Cache Configuration->Cache security characters.

6.5
2023-04-28 CVE-2023-2380 Netgear Improper Resource Shutdown or Release vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability, which was classified as problematic, was found in Netgear SRX5308 up to 4.3.5-3.

6.5
2023-04-28 CVE-2023-30853 Gradle Cleartext Storage of Sensitive Information vulnerability in Gradle Build Action

Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow.

6.5
2023-04-27 CVE-2023-30444 IBM Server-Side Request Forgery (SSRF) vulnerability in IBM Watson Machine Learning on Cloud PAK for Data 4.0/4.5

IBM Watson Machine Learning on Cloud Pak for Data 4.0 and 4.5 is vulnerable to server-side request forgery (SSRF).

6.5
2023-04-27 CVE-2023-2336 Pimcore Path Traversal vulnerability in Pimcore

Path Traversal in GitHub repository pimcore/pimcore prior to 10.5.21.

6.5
2023-04-26 CVE-2023-30843 Payloadcms Information Exposure vulnerability in Payloadcms Payload

Payload is a free and open source headless content management system.

6.5
2023-04-26 CVE-2023-31250 Drupal Incorrect Authorization vulnerability in Drupal

The file download facility doesn't sufficiently sanitize file paths in certain situations.

6.5
2023-04-26 CVE-2023-2307 Builder Cross-Site Request Forgery (CSRF) vulnerability in Builder Qwik

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.

6.5
2023-04-26 CVE-2022-25278 Drupal Unspecified vulnerability in Drupal

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly.

6.5
2023-04-26 CVE-2023-30265 Cltphp Path Traversal vulnerability in Cltphp 6.0

CLTPHP <=6.0 is vulnerable to Directory Traversal.

6.5
2023-04-26 CVE-2023-26560 Northern Tech Unspecified vulnerability in Northern.Tech Cfengine

Northern.tech CFEngine Enterprise before 3.21.1 allows a subset of authenticated users to leverage the Scheduled Reports feature to read arbitrary files and potentially discover credentials.

6.5
2023-04-25 CVE-2023-23839 Solarwinds Unspecified vulnerability in Solarwinds Platform

The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability.

6.5
2023-04-25 CVE-2023-24512 Arista Incorrect Authorization vulnerability in Arista products

On affected platforms running Arista EOS, an authorized attacker with permissions to perform gNMI requests could craft a request allowing it to update arbitrary configurations in the switch.

6.5
2023-04-25 CVE-2021-23176 Odoo Unspecified vulnerability in Odoo

Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets.

6.5
2023-04-25 CVE-2021-44460 Odoo Unspecified vulnerability in Odoo

Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests.

6.5
2023-04-25 CVE-2022-40723 Pingidentity Improper Authentication vulnerability in Pingidentity Pingfederate, Pingid Integration KIT and Radius PCV

The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations.

6.5
2023-04-25 CVE-2023-2282 Devolutions Unspecified vulnerability in Devolutions Remote Desktop Manager

Improper access control in the Web Login listener in Devolutions Remote Desktop Manager 2023.1.22 and earlier on Windows allows an authenticated user to bypass administrator-enforced Web Login restrictions and gain access to entries via an unexpected vector.

6.5
2023-04-25 CVE-2023-23838 Solarwinds Path Traversal vulnerability in Solarwinds Database Performance Analyzer

Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server.

6.5
2023-04-25 CVE-2023-29200 Contao Path Traversal vulnerability in Contao

Contao is an open source content management system.

6.5
2023-04-25 CVE-2023-30545 Prestashop SQL Injection vulnerability in Prestashop

PrestaShop is an Open Source e-commerce web application.

6.5
2023-04-25 CVE-2023-26057 Nokia XXE vulnerability in Nokia Netact 20.1

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page.

6.5
2023-04-25 CVE-2023-26058 Nokia XXE vulnerability in Nokia Netact 20.1

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page.

6.5
2023-04-25 CVE-2023-26841 Churchcrm Cross-Site Request Forgery (CSRF) vulnerability in Churchcrm 4.5.3

A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for the user that is currently logged in.

6.5
2023-04-24 CVE-2023-28484 Xmlsoft
Debian
NULL Pointer Dereference vulnerability in multiple products

In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault.

6.5
2023-04-24 CVE-2023-29469 Xmlsoft
Debian
Double Free vulnerability in multiple products

An issue was discovered in libxml2 before 2.10.4.

6.5
2023-04-24 CVE-2023-29530 Guzzlephp
Getlaminas
Fedoraproject
Improper Input Validation vulnerability in multiple products

Laminas Diactoros provides PSR HTTP Message implementations.

6.5
2023-04-24 CVE-2023-1129 WP Fevents Book Project Unspecified vulnerability in WP Fevents Book Project WP Fevents Book 0.46

The WP FEvents Book WordPress plugin through 0.46 does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users.

6.5
2023-04-24 CVE-2023-1623 Webdevstudios Unspecified vulnerability in Webdevstudios Custom Post Type UI

The Custom Post Type UI WordPress plugin before 1.13.5 does not properly check for CSRF when sending the debug information to a user supplied email, which could allow attackers to make a logged in admin send such information to an arbitrary email address via a CSRF attack.

6.5
2023-04-24 CVE-2023-1624 Wpcode Unspecified vulnerability in Wpcode

The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder.

6.5
2023-04-24 CVE-2023-22918 Zyxel Unspecified vulnerability in Zyxel products

A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, VPN series firmware versions 4.30 through 5.35, NWA110AX firmware version 6.50(ABTG.2) and earlier versions, WAC500 firmware version 6.50(ABVS.0) and earlier versions, and WAX510D firmware version 6.50(ABTF.2) and earlier versions, which could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device.

6.5
2023-04-24 CVE-2023-30776 Apache Insufficiently Protected Credentials vulnerability in Apache Superset

An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1.

6.5
2023-04-27 CVE-2022-38730 Docker Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Docker Desktop

Docker Desktop for Windows before 4.6 allows attackers to overwrite any file through the windowscontainers/start dockerBackendV2 API by controlling the data-root field inside the DaemonJSON field in the WindowsContainerStartRequest class.

6.3
2023-04-30 CVE-2015-10104 Woocommerce Open Redirect vulnerability in Woocommerce Icons for Features 1.0.0

A vulnerability, which was classified as problematic, has been found in Icons for Features Plugin 1.0.0 on WordPress.

6.1
2023-04-29 CVE-2023-30792 Facebook Cross-site Scripting vulnerability in Facebook Lexical

Anchor tag hrefs in Lexical prior to v0.10.0 would render javascript: URLs, allowing for cross-site scripting on link clicks in cases where input was being parsed from untrusted sources.

6.1
2023-04-29 CVE-2023-2421 Controlid Cross-site Scripting vulnerability in Controlid Rhid 23.3.19.0

A vulnerability classified as problematic has been found in Control iD RHiD 23.3.19.0.

6.1
2023-04-28 CVE-2023-2395 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability classified as problematic has been found in Netgear SRX5308 up to 4.3.5-3.

6.1
2023-04-28 CVE-2023-2396 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability classified as problematic was found in Netgear SRX5308 up to 4.3.5-3.

6.1
2023-04-28 CVE-2020-21643 Hongcms Project Cross-site Scripting vulnerability in Hongcms Project Hongcms 3.0.0

Cross Site Scripting (XSS) vulnerability in HongCMS 3.0 allows attackers to run arbitrary code via the callback parameter to /ajax/myshop.

6.1
2023-04-28 CVE-2020-23647 Boxbilling Cross-site Scripting vulnerability in Boxbilling

Cross Site Scripting (XSS) vulnerability in BoxBilling 4.19, 4.19.1, 4.20, and 4.21 allows remote attackers to run arbitrary code via the message field on the submit new ticket form.

6.1
2023-04-28 CVE-2023-30454 Ebankit Cross-site Scripting vulnerability in Ebankit

An issue was discovered in ebankIT before 7.

6.1
2023-04-28 CVE-2023-28475 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.

6.1
2023-04-28 CVE-2023-30125 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.6.1Utf8Sp1

EyouCms V1.6.1-UTF8-sp1 is vulnerable to Cross Site Scripting (XSS).

6.1
2023-04-27 CVE-2023-29489 Cpanel Cross-site Scripting vulnerability in Cpanel

An issue was discovered in cPanel before 11.109.9999.116.

6.1
2023-04-27 CVE-2023-28286 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

6.1
2023-04-27 CVE-2023-24966 IBM Cross-site Scripting vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting.

6.1
2023-04-27 CVE-2023-2341 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.

6.1
2023-04-27 CVE-2023-31285 Serenity Cross-site Scripting vulnerability in Serenity Serene and Startsharp

An XSS issue was discovered in Serenity Serene (and StartSharp) before 6.7.0.

6.1
2023-04-27 CVE-2023-25292 Group Office Cross-site Scripting vulnerability in Group-Office Group Office 6.6.145

Reflected Cross Site Scripting (XSS) in Intermesh BV Group-Office version 6.6.145, allows attackers to gain escalated privileges and gain sensitive information via the GO_LANGUAGE cookie.

6.1
2023-04-26 CVE-2023-29442 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Applications Manager

Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.

6.1
2023-04-26 CVE-2023-29836 Exelysis Cross-site Scripting vulnerability in Exelysis Unified Communications Solution 1.0

Cross Site Scripting vulnerability found in Exelysis Unified Communication Solutions (EUCS) v.1.0 allows a remote attacker to execute arbitrary code via the Username parameter of the eucsAdmin login form.

6.1
2023-04-26 CVE-2023-30212 Ourphp Cross-site Scripting vulnerability in Ourphp

OURPHP <= 7.2.0 is vulnerale to Cross Site Scripting (XSS) via /client/manage/ourphp_out.php.

6.1
2023-04-26 CVE-2023-30210 Ourphp Cross-site Scripting vulnerability in Ourphp

OURPHP <= 7.2.0 is vulnerable to Cross Site Scripting (XSS) via ourphp_tz.php.

6.1
2023-04-26 CVE-2022-25276 Drupal Cross-site Scripting vulnerability in Drupal

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain.

6.1
2023-04-26 CVE-2023-22729 Silverstripe Open Redirect vulnerability in Silverstripe Framework

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system.

6.1
2023-04-26 CVE-2023-30267 Cltphp Cross-site Scripting vulnerability in Cltphp 6.0

CLTPHP <=6.0 is vulnerable to Cross Site Scripting (XSS) via application/home/controller/Changyan.php.

6.1
2023-04-26 CVE-2023-2294 Ucms Project Cross-site Scripting vulnerability in Ucms Project Ucms 1.6

A vulnerability was found in UCMS 1.6.0.

6.1
2023-04-26 CVE-2012-5873 Arc2 Project Cross-site Scripting vulnerability in Arc2 Project Arc2

ARC (aka ARC2) through 2011-12-01 allows reflected XSS via the end_point.php query parameter in an output=htmltab action.

6.1
2023-04-26 CVE-2023-30106 Medicine Tracker System Project Cross-site Scripting vulnerability in Medicine Tracker System Project Medicine Tracker System 1.0

Sourcecodester Medicine Tracker System in PHP 1.0.0 is vulnerable to Cross Site Scripting (XSS) via page=about.

6.1
2023-04-26 CVE-2023-30111 Medicine Tracker System Project Cross-site Scripting vulnerability in Medicine Tracker System Project Medicine Tracker System 1.0

Medicine Tracker System in PHP 1.0.0 is vulnerable to Cross Site Scripting (XSS).

6.1
2023-04-25 CVE-2021-26263 Odoo Cross-site Scripting vulnerability in Odoo 14.0/15.0

Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.

6.1
2023-04-25 CVE-2021-26947 Odoo Cross-site Scripting vulnerability in Odoo

Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link.

6.1
2023-04-25 CVE-2021-44461 Odoo Cross-site Scripting vulnerability in Odoo 13.0/14.0/15.0

Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim.

6.1
2023-04-25 CVE-2021-44775 Odoo Cross-site Scripting vulnerability in Odoo

Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.

6.1
2023-04-25 CVE-2021-45071 Odoo Cross-site Scripting vulnerability in Odoo

Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via crafted uploaded file names.

6.1
2023-04-25 CVE-2022-40725 Pingidentity Missing Authentication for Critical Function vulnerability in Pingidentity Desktop

PingID Desktop prior to the latest released version 1.7.4 contains a vulnerability that can be exploited to bypass the maximum PIN attempts permitted before the time-based lockout is activated.

6.1
2023-04-25 CVE-2023-30177 Craftcms Cross-site Scripting vulnerability in Craftcms Craft CMS 3.7.59

CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS).

6.1
2023-04-25 CVE-2023-25314 Wwbn Cross-site Scripting vulnerability in Wwbn Avideo

Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4, allows attackers to gain sensitive information via the success parameter to /user.

6.1
2023-04-25 CVE-2023-25346 Churchcrm Cross-site Scripting vulnerability in Churchcrm 4.5.3

A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.

6.1
2023-04-25 CVE-2022-45837 Wpjam Cross-site Scripting vulnerability in Wpjam Wechat Robot

Reflected Cross-Site Scripting (XSS) vulnerability in Denis ???????? plugin <= 6.0.1 versions.

6.1
2023-04-24 CVE-2022-28354 Mybb Cross-site Scripting vulnerability in Mybb Active Threads 1.3.0

In the Active Threads Plugin 1.3.0 for MyBB, the activethreads.php date parameter is vulnerable to XSS when setting a time period.

6.1
2023-04-24 CVE-2023-0899 WP Live Chat Shoutbox Project Unspecified vulnerability in WP Live Chat Shoutbox Project WP Live Chat Shoutbox 1.4.2

The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before outputting it back in the Shoutbox, leading to Stored Cross-Site Scripting which could be used against high privilege users such as admins.

6.1
2023-04-24 CVE-2023-1324 Yikesinc Unspecified vulnerability in Yikesinc Easy Forms for Mailchimp

The Easy Forms for Mailchimp WordPress plugin before 6.8.8 does not sanitise and escape some parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1
2023-04-24 CVE-2023-1420 Ajax Search Project Unspecified vulnerability in Ajax Search Project Ajax Search

The Ajax Search Lite WordPress plugin before 4.11.1, Ajax Search Pro WordPress plugin before 4.26.2 does not sanitise and escape a parameter before outputting it back in a response of an AJAX action, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1
2023-04-24 CVE-2023-1435 Ajax Search Project Unspecified vulnerability in Ajax Search Project Ajax Search

The Ajax Search Pro WordPress plugin before 4.26.2 does not sanitise and escape various parameters before outputting them back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1
2023-04-24 CVE-2012-10013 KAU Boys Cross-site Scripting vulnerability in Kau-Boys Backend Localization

A vulnerability was found in Kau-Boy Backend Localization Plugin up to 1.6.1 on WordPress.

6.1
2023-04-24 CVE-2012-10014 KAU Boys Cross-site Scripting vulnerability in Kau-Boys Backend Localization

A vulnerability classified as problematic has been found in Kau-Boy Backend Localization Plugin 2.0 on WordPress.

6.1
2023-04-24 CVE-2023-26494 Thethingsnetwork Open Redirect vulnerability in Thethingsnetwork Lorawan-Stack

lorawan-stack is an open source LoRaWAN network server.

6.1
2023-04-24 CVE-2022-45084 Loginizer Cross-site Scripting vulnerability in Loginizer

Unauth.

6.1
2023-04-25 CVE-2023-20870 Vmware Out-of-bounds Read vulnerability in VMWare Fusion and Workstation

VMware Workstation and Fusion contain an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.

6.0
2023-04-29 CVE-2023-2418 Konghq Use of Insufficiently Random Values vulnerability in Konghq Kong 2.8.3

A vulnerability was found in Konga 2.8.3 on Kong.

5.9
2023-04-29 CVE-2023-31485 Gitlab Improper Certificate Validation vulnerability in Gitlab::Api::V4 Project Gitlab::Api::V4

GitLab::API::v4 through 0.26 does not verify TLS certificates when connecting to a GitLab server, enabling machine-in-the-middle attacks.

5.9
2023-04-28 CVE-2023-29056 Lenovo Unspecified vulnerability in Lenovo products

A valid LDAP user, under specific conditions, will default to read-only permissions when authenticating into XCC.

5.9
2023-04-28 CVE-2023-25930 IBM Improper Input Validation vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.1, 11.1, and 11.5 is vulnerable to a denial of service.

5.9
2023-04-27 CVE-2023-31290 Trustwallet Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Trustwallet Trust Wallet Browser Extension and Trust Wallet Core

Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023.

5.9
2023-04-25 CVE-2022-40722 Pingidentity Use of a Broken or Risky Cryptographic Algorithm vulnerability in Pingidentity products

A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.

5.8
2023-04-27 CVE-2023-28261 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

5.7
2023-04-29 CVE-2023-2426 VIM Use of Out-of-range Pointer Offset vulnerability in VIM

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.

5.5
2023-04-28 CVE-2022-31643 HP Unspecified vulnerability in HP products

A potential security vulnerability has been identified in the system BIOS for certain HP PC products which may allow loss of integrity.

5.5
2023-04-27 CVE-2023-29471 Lightbend Cleartext Storage of Sensitive Information vulnerability in Lightbend Alpakka Kafka

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured).

5.5
2023-04-27 CVE-2023-29950 Swftools Out-of-bounds Write vulnerability in Swftools 0.9.2

swfrender v0.9.2 was discovered to contain a heap buffer overflow in the function enumerateUsedIDs_fillstyle at modules/swftools.c

5.5
2023-04-26 CVE-2023-1786 Canonical
Fedoraproject
Information Exposure Through Log Files vulnerability in multiple products

Sensitive data could be exposed in logs of cloud-init before version 23.1.2.

5.5
2023-04-26 CVE-2022-45876 Visam XXE vulnerability in Visam Vbase 11.7.0.2

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

5.5
2023-04-26 CVE-2023-26930 Xpdfreader Classic Buffer Overflow vulnerability in Xpdfreader Xpdf 4.04

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the PDFDoc malloc in the pdftotext.cc function.

5.5
2023-04-26 CVE-2023-26934 Xpdfreader Unspecified vulnerability in Xpdfreader Xpdf 4.04

An issue found in XPDF v.4.04 allows an attacker to cause a denial of service via a crafted pdf file in the object.cc parameter.

5.5
2023-04-26 CVE-2023-26935 Xpdfreader Classic Buffer Overflow vulnerability in Xpdfreader Xpdf 4.04

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via SharedFile::readBlock at /xpdf/Stream.cc.

5.5
2023-04-26 CVE-2023-26936 Xpdfreader Classic Buffer Overflow vulnerability in Xpdfreader Xpdf 4.04

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via gmalloc in gmem.cc

5.5
2023-04-26 CVE-2023-26937 Xpdfreader Classic Buffer Overflow vulnerability in Xpdfreader Xpdf 4.04

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via GString::resize located in goo/GString.cc

5.5
2023-04-26 CVE-2023-26938 Xpdfreader Classic Buffer Overflow vulnerability in Xpdfreader Xpdf 4.04

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service viaSharedFile::readBlock located in goo/gfile.cc.

5.5
2023-04-26 CVE-2023-30841 Linuxfoundation Cleartext Transmission of Sensitive Information vulnerability in Linuxfoundation Baremetal Operator

Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes.

5.5
2023-04-25 CVE-2023-28084 HPE
HP
Insufficiently Protected Credentials vulnerability in multiple products

HPE OneView and HPE OneView Global Dashboard appliance dumps may expose authentication tokens

5.5
2023-04-25 CVE-2023-28086 HP Unspecified vulnerability in HP Oneview

An HPE OneView appliance dump may expose proxy credential settings

5.5
2023-04-25 CVE-2023-28087 HP Unspecified vulnerability in HP Oneview

An HPE OneView appliance dump may expose OneView user accounts

5.5
2023-04-25 CVE-2023-28090 HP Insufficiently Protected Credentials vulnerability in HP Oneview

An HPE OneView appliance dump may expose SNMPv3 read credentials

5.5
2023-04-25 CVE-2023-30402 Yasm Project Out-of-bounds Write vulnerability in Yasm Project Yasm 1.3.0

YASM v1.3.0 was discovered to contain a heap overflow via the function handle_dot_label at /nasm/nasm-token.re.

5.5
2023-04-24 CVE-2023-30406 Jerryscript Resource Exhaustion vulnerability in Jerryscript

Jerryscript commit 1a2c047 was discovered to contain a segmentation violation via the component ecma_find_named_property at /base/ecma-helpers.c.

5.5
2023-04-24 CVE-2023-30408 Jerryscript Resource Exhaustion vulnerability in Jerryscript

Jerryscript commit 1a2c047 was discovered to contain a segmentation violation via the component build/bin/jerry.

5.5
2023-04-24 CVE-2023-30410 Jerryscript Out-of-bounds Write vulnerability in Jerryscript

Jerryscript commit 1a2c047 was discovered to contain a stack overflow via the component ecma_op_function_construct at /operations/ecma-function-object.c.

5.5
2023-04-24 CVE-2023-30414 Jerryscript Out-of-bounds Write vulnerability in Jerryscript

Jerryscript commit 1a2c047 was discovered to contain a stack overflow via the component vm_loop at /jerry-core/vm/vm.c.

5.5
2023-04-24 CVE-2023-26097 Telindus Incorrect Authorization vulnerability in Telindus Apsal 3.14.2022.235B

An issue was discovered in Telindus Apsal 3.14.2022.235 b.

5.5
2023-04-24 CVE-2023-29570 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_ffi_cb_free at src/mjs_ffi.c.

5.5
2023-04-24 CVE-2023-29579 Yasm Project Out-of-bounds Write vulnerability in Yasm Project Yasm 1.3.0.55.G101Bc

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the component yasm/yasm+0x43b466 in vsprintf.

5.5
2023-04-24 CVE-2023-29582 Yasm Project Out-of-bounds Write vulnerability in Yasm Project Yasm 1.3.0.55.G101Bc

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the function parse_expr1 at /nasm/nasm-parse.c.

5.5
2023-04-24 CVE-2023-29583 Yasm Project Out-of-bounds Write vulnerability in Yasm Project Yasm 1.3.0.55.G101Bc

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the function parse_expr5 at /nasm/nasm-parse.c.

5.5
2023-04-24 CVE-2023-31081 Linux NULL Pointer Dereference vulnerability in Linux Kernel 6.2

An issue was discovered in drivers/media/test-drivers/vidtv/vidtv_bridge.c in the Linux kernel 6.2.

5.5
2023-04-24 CVE-2023-31082 Linux Release of Invalid Pointer or Reference vulnerability in Linux Kernel 6.2

An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2.

5.5
2023-04-24 CVE-2023-31084 Linux
Fedoraproject
Debian
Netapp
An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2.
5.5
2023-04-24 CVE-2023-31085 Linux Divide By Zero vulnerability in Linux Kernel 6.2

An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2.

5.5
2023-04-30 CVE-2023-2428 Phpmyfaq Cross-site Scripting vulnerability in PHPmyfaq

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.13.

5.4
2023-04-29 CVE-2022-43871 IBM Cross-site Scripting vulnerability in IBM Financial Transaction Manager for Multiplatform 3.2.4

IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to cross-site scripting.

5.4
2023-04-28 CVE-2023-30405 Aigital Cross-site Scripting vulnerability in Aigital Wireless-N Repeater Mini Router Firmware 0.131229

A cross-site scripting (XSS) vulnerability in Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the wl_ssid parameter at /boafrm/formHomeWlanSetup.

5.4
2023-04-28 CVE-2023-27864 IBM Cross-site Scripting vulnerability in IBM Maximo Asset Management 7.6.1.2/7.6.1.3

IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 is vulnerable to HTML injection.

5.4
2023-04-28 CVE-2023-28471 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name.

5.4
2023-04-28 CVE-2023-28474 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search.

5.4
2023-04-28 CVE-2023-28476 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files.

5.4
2023-04-28 CVE-2023-28477 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter.

5.4
2023-04-28 CVE-2023-28819 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names.

5.4
2023-04-28 CVE-2023-28820 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

5.4
2023-04-28 CVE-2023-30123 Wuzhicms Cross-site Scripting vulnerability in Wuzhicms 4.1.0

wuzhicms v4.1.0 is vulnerable to Cross Site Scripting (XSS) in the Member Center, Account Settings.

5.4
2023-04-28 CVE-2023-2364 Resort Reservation System Project Cross-site Scripting vulnerability in Resort Reservation System Project Resort Reservation System 1.0

A vulnerability, which was classified as problematic, was found in SourceCodester Resort Reservation System 1.0.

5.4
2023-04-28 CVE-2023-2361 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.

5.4
2023-04-27 CVE-2023-2349 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 Service Provider Management System 1.0

A vulnerability classified as problematic has been found in SourceCodester Service Provider Management System 1.0.

5.4
2023-04-27 CVE-2023-2350 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 Service Provider Management System 1.0

A vulnerability classified as problematic was found in SourceCodester Service Provider Management System 1.0.

5.4
2023-04-27 CVE-2023-30338 Emlog Cross-site Scripting vulnerability in Emlog 2.0.3

Multiple stored cross-site scripting (XSS) vulnerabilities in Emlog Pro v2.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Article Title or Article Summary parameters.

5.4
2023-04-27 CVE-2023-2342 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.

5.4
2023-04-27 CVE-2023-2343 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21.

5.4
2023-04-27 CVE-2023-2340 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.

5.4
2023-04-27 CVE-2023-2339 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.

5.4
2023-04-27 CVE-2023-2327 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.

5.4
2023-04-27 CVE-2023-2328 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.

5.4
2023-04-27 CVE-2023-2322 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.

5.4
2023-04-27 CVE-2023-2323 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.

5.4
2023-04-26 CVE-2022-27979 Tooljet Cross-site Scripting vulnerability in Tooljet 1.6.0

A cross-site scripting (XSS) vulnerability in ToolJet v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment Body component.

5.4
2023-04-26 CVE-2022-25274 Drupal Incorrect Authorization vulnerability in Drupal

Drupal 9.3 implemented a generic entity access API for entity revisions.

5.4
2023-04-25 CVE-2023-31223 Dradisframework Cross-site Scripting vulnerability in Dradisframework Dradis

Dradis before 4.8.0 allows persistent XSS by authenticated author users, related to avatars.

5.4
2023-04-25 CVE-2023-23866 Auth.
5.4
2023-04-25 CVE-2023-23889 Fullworksplugins Cross-site Scripting vulnerability in Fullworksplugins Quick Paypal Payments

Auth.

5.4
2023-04-25 CVE-2023-25347 Churchcrm Cross-site Scripting vulnerability in Churchcrm 4.5.3

A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3, allows remote attackers to inject arbitrary web script or HTML via input fields.

5.4
2023-04-25 CVE-2023-26843 Churchcrm Cross-site Scripting vulnerability in Churchcrm 4.5.3

A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php.

5.4
2023-04-25 CVE-2023-30417 Pearadmin Cross-site Scripting vulnerability in Pearadmin Pear Admin Boot

A cross-site scripting (XSS) vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message.

5.4
2023-04-25 CVE-2023-27619 Machothemes Cross-site Scripting vulnerability in Machothemes Regina Lite

Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes Regina Lite theme <= 2.0.7 versions.

5.4
2023-04-25 CVE-2023-22665 Apache Expression Language Injection vulnerability in Apache Jena

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts.

5.4
2023-04-24 CVE-2023-30627 Jellyfin Cross-site Scripting vulnerability in Jellyfin

jellyfin-web is the web client for Jellyfin, a free-software media system.

5.4
2023-04-24 CVE-2023-0276 Weavertheme Unspecified vulnerability in Weavertheme Weaver Xtreme Theme Support

The Weaver Xtreme Theme Support WordPress plugin before 6.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-04-24 CVE-2023-0418 Video Central Project Unspecified vulnerability in Video Central Project Video Central 1.3.0

The Video Central for WordPress plugin through 1.3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-04-24 CVE-2023-0424 MS Reviews Project Unspecified vulnerability in Ms-Reviews Project Ms-Reviews 1.5

The MS-Reviews WordPress plugin through 1.5 does not sanitise and escape reviews, which could allow users any authenticated users, such as Subscribers to perform Stored Cross-Site Scripting attacks

5.4
2023-04-24 CVE-2023-1126 WP Fevents Book Project Unspecified vulnerability in WP Fevents Book Project WP Fevents Book 0.46

The WP FEvents Book WordPress plugin through 0.46 does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Cross-Site Scripting attacks

5.4
2023-04-24 CVE-2023-26059 Nokia Cross-site Scripting vulnerability in Nokia Netact 20.1

An issue was discovered in Nokia NetAct before 22 SP1037.

5.4
2023-04-24 CVE-2023-26061 Nokia Cross-site Scripting vulnerability in Nokia Netact 18A

An issue was discovered in Nokia NetAct before 22 FP2211.

5.4
2023-04-24 CVE-2023-23892 M Chart Project Cross-site Scripting vulnerability in M Chart Project M Chart

Auth.

5.4
2023-04-28 CVE-2023-28472 Concretecms Unspecified vulnerability in Concretecms Concrete CMS

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies.

5.3
2023-04-28 CVE-2023-28821 Concretecms Weak Password Recovery Mechanism for Forgotten Password vulnerability in Concretecms Concrete CMS

Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

5.3
2023-04-28 CVE-2020-4729 IBM Unspecified vulnerability in IBM Safer Payments

IBM Counter Fraud Management for Safer Payments 5.7.0.00 through 5.7.0.10, 6.0.0.00 through 6.0.0.07, 6.1.0.00 through 6.1.0.05, and 6.2.0.00 through 6.2.1.00 could allow an authenticated attacker under special circumstances to send multiple specially crafted API requests that could cause the application to crash.

5.3
2023-04-27 CVE-2022-25091 Infopop Unspecified vulnerability in Infopop Ultimate Bulletin Board

Infopop Ultimate Bulletin Board up to v5.47a was discovered to allow all messages posted inside private forums to be disclosed by unauthenticated users via the quote reply feature.

5.3
2023-04-27 CVE-2023-27860 IBM Information Exposure Through an Error Message vulnerability in IBM Maximo Asset Management 7.6.1.2/7.6.1.3

IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 could disclose sensitive information in an error message.

5.3
2023-04-27 CVE-2023-31286 Serenity Information Exposure Through an Error Message vulnerability in Serenity Serene and Startsharp

An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0.

5.3
2023-04-25 CVE-2022-40482 Laravel Information Exposure Through Discrepancy vulnerability in Laravel Framework

The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing.

5.3
2023-04-25 CVE-2023-26840 Churchcrm Cross-Site Request Forgery (CSRF) vulnerability in Churchcrm 4.5.3

A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to set a person to a user and set that user to be an Administrator.

5.3
2023-04-24 CVE-2023-29479 Ribose Resource Exhaustion vulnerability in Ribose RNP

Ribose RNP before 0.16.3 may hang when the input is malformed.

5.3
2023-04-24 CVE-2023-30458 Medicine Tracker System Project Information Exposure Through Discrepancy vulnerability in Medicine Tracker System Project Medicine Tracker System 1.0

A username enumeration issue was discovered in Medicine Tracker System 1.0.

5.3
2023-04-28 CVE-2023-25495 Lenovo Insufficiently Protected Credentials vulnerability in Lenovo products

A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations.

4.9
2023-04-27 CVE-2023-30852 Pimcore Path Traversal vulnerability in Pimcore

Pimcore is an open source data and experience management platform.

4.9
2023-04-27 CVE-2023-22901 Changingtec Path Traversal vulnerability in Changingtec Mobile ONE Time Password

ChangingTec MOTP system has a path traversal vulnerability.

4.9
2023-04-26 CVE-2023-29443 Zohocorp XXE vulnerability in Zohocorp products

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.

4.9
2023-04-29 CVE-2023-2425 Simple Student Information System Project Cross-site Scripting vulnerability in Simple Student Information System Project Simple Student Information System 1.0

A vulnerability was found in SourceCodester Simple Student Information System 1.0.

4.8
2023-04-28 CVE-2023-2397 Simple Mobile Comparison Website Project Cross-site Scripting vulnerability in Simple Mobile Comparison Website Project Simple Mobile Comparison Website 1.0

A vulnerability, which was classified as problematic, has been found in SourceCodester Simple Mobile Comparison Website 1.0.

4.8
2023-04-28 CVE-2023-2391 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability was found in Netgear SRX5308 up to 4.3.5-3 and classified as problematic.

4.8
2023-04-28 CVE-2023-2392 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability was found in Netgear SRX5308 up to 4.3.5-3.

4.8
2023-04-28 CVE-2023-2393 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability was found in Netgear SRX5308 up to 4.3.5-3.

4.8
2023-04-28 CVE-2023-2394 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability was found in Netgear SRX5308 up to 4.3.5-3.

4.8
2023-04-28 CVE-2023-2388 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability, which was classified as problematic, has been found in Netgear SRX5308 up to 4.3.5-3.

4.8
2023-04-28 CVE-2023-2389 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability, which was classified as problematic, was found in Netgear SRX5308 up to 4.3.5-3.

4.8
2023-04-28 CVE-2023-2390 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability has been found in Netgear SRX5308 up to 4.3.5-3 and classified as problematic.

4.8
2023-04-28 CVE-2023-2386 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability classified as problematic has been found in Netgear SRX5308 up to 4.3.5-3.

4.8
2023-04-28 CVE-2023-2387 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability classified as problematic was found in Netgear SRX5308 up to 4.3.5-3.

4.8
2023-04-28 CVE-2023-2383 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability was found in Netgear SRX5308 up to 4.3.5-3.

4.8
2023-04-28 CVE-2023-2384 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability was found in Netgear SRX5308 up to 4.3.5-3.

4.8
2023-04-28 CVE-2023-2385 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability was found in Netgear SRX5308 up to 4.3.5-3.

4.8
2023-04-28 CVE-2023-2381 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability has been found in Netgear SRX5308 up to 4.3.5-3 and classified as problematic.

4.8
2023-04-28 CVE-2023-2382 Netgear Cross-site Scripting vulnerability in Netgear Srx5308 Firmware 4.3.53

A vulnerability was found in Netgear SRX5308 up to 4.3.5-3 and classified as problematic.

4.8
2023-04-28 CVE-2023-2372 Online DJ Management System Project Cross-site Scripting vulnerability in Online DJ Management System Project Online DJ Management System 1.0

A vulnerability, which was classified as problematic, has been found in SourceCodester Online DJ Management System 1.0.

4.8
2023-04-25 CVE-2023-2293 Purchase Order Management System Project Cross-site Scripting vulnerability in Purchase Order Management System Project Purchase Order Management System 1.0

A vulnerability was found in SourceCodester Purchase Order Management System 1.0.

4.8
2023-04-25 CVE-2023-23710 Auth.
4.8
2023-04-25 CVE-2023-23995 Auth.
4.8
2023-04-25 CVE-2023-24005 Auth.
4.8
2023-04-25 CVE-2023-25461 Auth.
4.8
2023-04-25 CVE-2023-25485 Auth.
4.8
2023-04-25 CVE-2023-25793 Auth.
4.8
2023-04-25 CVE-2022-47608 Auth.
4.8
2023-04-25 CVE-2023-25484 Auth.
4.8
2023-04-25 CVE-2023-25479 Podlove Cross-site Scripting vulnerability in Podlove Subscribe Button

Auth.

4.8
2023-04-25 CVE-2023-25490 Archivist Custom Archive Templates Project Cross-site Scripting vulnerability in Archivist - Custom Archive Templates Project Archivist - Custom Archive Templates

Auth.

4.8
2023-04-25 CVE-2023-25710 Digitalblue Cross-site Scripting vulnerability in Digitalblue Click to Call or Chat Buttons

Auth.

4.8
2023-04-24 CVE-2023-0420 Custom Post Type AND Taxonomy GUI Manager Project Unspecified vulnerability in Custom Post Type and Taxonomy GUI Manager Project Custom Post Type and Taxonomy GUI Manager 1.1

The Custom Post Type and Taxonomy GUI Manager WordPress plugin through 1.1 does not have CSRF, and is lacking sanitising as well as escaping in some parameters, allowing attackers to make a logged in admin put Stored Cross-Site Scripting payloads via CSRF

4.8
2023-04-24 CVE-2023-27990 Zyxel Cross-site Scripting vulnerability in Zyxel products

The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device.

4.8
2023-04-24 CVE-2022-41612 Shareaholic Cross-site Scripting vulnerability in Shareaholic Similar Posts

Auth.

4.8
2023-04-24 CVE-2022-47158 Alfred24 Click Collect Project Cross-site Scripting vulnerability in Alfred24 Click & Collect Project Alfred24 Click & Collect

Auth.

4.8
2023-04-24 CVE-2022-47598 WP Super Popup Project Cross-site Scripting vulnerability in WP Super Popup Project WP Super Popup

Auth.

4.8
2023-04-24 CVE-2023-29848 Hockeycomputindo Cross-site Scripting vulnerability in Hockeycomputindo Bang Resto 1.0

Bang Resto 1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the itemName parameter in the admin/menu.php Add New Menu function.

4.8
2023-04-24 CVE-2023-31045 Backdropcms Cross-site Scripting vulnerability in Backdropcms Backdrop

A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter.

4.8
2023-04-26 CVE-2023-0458 Linux
Debian
NULL Pointer Dereference vulnerability in multiple products

A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function.

4.7
2023-04-25 CVE-2023-30609 Matrix React SDK Project Injection vulnerability in Matrix-React-Sdk Project Matrix-React-Sdk

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page.

4.7
2023-04-24 CVE-2023-31083 Linux NULL Pointer Dereference vulnerability in Linux Kernel 6.2

An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2.

4.7
2023-04-28 CVE-2023-1526 HP Unspecified vulnerability in HP products

Certain DesignJet and PageWide XL TAA compliant models may have risk of potential information disclosure if the hard disk drive is physically removed from the printer.

4.6
2023-04-25 CVE-2023-2269 Linux
Fedoraproject
Debian
Netapp
Improper Locking vulnerability in multiple products

A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.

4.4
2023-04-24 CVE-2023-2019 Linux
Redhat
A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events.
4.4
2023-04-28 CVE-2023-29334 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Spoofing Vulnerability

4.3
2023-04-26 CVE-2023-22728 Silverstripe Missing Authorization vulnerability in Silverstripe Framework

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system.

4.3
2023-04-25 CVE-2021-44465 Odoo Unspecified vulnerability in Odoo

Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests.

4.3
2023-04-25 CVE-2023-2281 Mattermost Unspecified vulnerability in Mattermost Server

When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients.

4.3
2023-04-25 CVE-2023-26839 Churchcrm Cross-Site Request Forgery (CSRF) vulnerability in Churchcrm 4.5.3

A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site.

4.3
2023-04-24 CVE-2023-1414 Coderex Missing Authorization vulnerability in Coderex WP VR

The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours

4.3
2023-04-24 CVE-2023-30544 Kiwitcms Incorrect Authorization vulnerability in Kiwitcms Kiwi Tcms

Kiwi TCMS is an open source test management system.

4.3

4 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-04-28 CVE-2023-30857 Aedart Unspecified vulnerability in Aedart ION

@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages.

3.7
2023-04-28 CVE-2023-28473 Concretecms Improper Authentication vulnerability in Concretecms Concrete CMS

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section.

3.3
2023-04-25 CVE-2022-23721 Pingidentity Injection vulnerability in Pingidentity Pingid Integration for Windows Login

PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times.

3.3
2023-04-25 CVE-2023-25815 GIT FOR Windows Project
Fedoraproject
Use of Externally-Controlled Format String vulnerability in multiple products

In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer.

2.2