Weekly Vulnerabilities Reports > May 22 to 28, 2023
Overview
488 new vulnerabilities were reported during this period, including 83 critical vulnerabilities and 228 high severity vulnerabilities. This weekly summary reports vulnerabilities in 920 products from 288 vendors including Netbox, Debian, Huawei, Liferay, and Apache. Vulnerabilities are notably categorized as "Cross-Site Request Forgery (CSRF)", "Cross-site Scripting", "SQL Injection", "Path Traversal", and "Classic Buffer Overflow".
- 436 reported vulnerabilities are remotely exploitable.
- 179 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 324 reported vulnerabilities are exploitable by an anonymous user.
- Netbox has the most reported vulnerabilities, with 16 reported vulnerabilities.
- Garmin has the most reported critical vulnerabilities, with 8 reported vulnerabilities.
Vulnerability Details
The following tables list reported vulnerabilities for the period covered by this report:
83 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-05-22 | CVE-2023-31241 | Snapone | Unspecified vulnerability in Snapone Orvc Snap One OvrC cloud servers contain a route an attacker can use to bypass requirements and claim devices outright. | 10.0 |
2023-05-28 | CVE-2021-4336 | Itrsgroup | SQL Injection vulnerability in Itrsgroup Ninja A vulnerability was found in ITRS Group monitor-ninja up to 2021.11.1. | 9.8 |
2023-05-28 | CVE-2014-125101 | Huge IT | SQL Injection vulnerability in Huge-It Portfolio Gallery A vulnerability classified as critical has been found in Portfolio Gallery Plugin up to 1.1.8 on WordPress. | 9.8 |
2023-05-27 | CVE-2015-20108 | Onelogin | Command Injection vulnerability in Onelogin Ruby-Saml xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used. | 9.8 |
2023-05-27 | CVE-2023-2927 | Jizhicms | Server-Side Request Forgery (SSRF) vulnerability in Jizhicms 2.4.5 A vulnerability was found in JIZHICMS 2.4.5. | 9.8 |
2023-05-27 | CVE-2023-2923 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware Usac6V1.0Brv15.03.05.19 A vulnerability classified as critical was found in Tenda AC6 US_AC6V1.0BR_V15.03.05.19. | 9.8 |
2023-05-27 | CVE-2023-2924 | Supcontech | Unrestricted Upload of File with Dangerous Type vulnerability in Supcontech Simfield Firmware 1.80.00.00 A vulnerability, which was classified as critical, has been found in Supcon SimField up to 1.80.00.00. | 9.8 |
2023-05-26 | CVE-2023-32321 | Okfn | Unspecified vulnerability in Okfn Ckan CKAN is an open-source data management system for powering data hubs and data portals. | 9.8 |
2023-05-26 | CVE-2021-46887 | Huawei | Unspecified vulnerability in Huawei Emui 10.1.0/10.1.1/11.0.0 Lack of length check vulnerability in the HW_KEYMASTER module. | 9.8 |
2023-05-26 | CVE-2022-48478 | Huawei | Unspecified vulnerability in Huawei Harmonyos 2.0 The facial recognition TA of some products lacks memory length verification. | 9.8 |
2023-05-26 | CVE-2022-48479 | Huawei | Out-of-bounds Read vulnerability in Huawei Harmonyos 2.0 The facial recognition TA of some products has the out-of-bounds memory read vulnerability. | 9.8 |
2023-05-26 | CVE-2023-30145 | Tuzitio | Code Injection vulnerability in Tuzitio Camaleon CMS Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter. | 9.8 |
2023-05-25 | CVE-2023-32074 | Nextcloud | Improper Restriction of Excessive Authentication Attempts vulnerability in Nextcloud User Oidc user_oidc app is an OpenID Connect user backend for Nextcloud. | 9.8 |
2023-05-25 | CVE-2023-33278 | Storecommander | SQL Injection vulnerability in Storecommander Customers Export In the Store Commander scexportcustomers module for PrestaShop through 3.6.1, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection. | 9.8 |
2023-05-25 | CVE-2023-33279 | Scfixmyprestashop Project | SQL Injection vulnerability in Scfixmyprestashop Project Scfixmyprestashop In the Store Commander scfixmyprestashop module through 2023-05-09 for PrestaShop, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection. | 9.8 |
2023-05-25 | CVE-2023-33280 | Storecommander | SQL Injection vulnerability in Storecommander Quickaccounting In the Store Commander scquickaccounting module for PrestaShop through 3.7.3, multiple sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection. | 9.8 |
2023-05-25 | CVE-2023-2851 | Agtteknik | SQL Injection vulnerability in Agtteknik Ceppatron Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AGT Tech Ceppatron allows Command Line Execution through SQL Injection, SQL Injection. This issue affects all versions of the software, also EOS when CVE-ID assigned. | 9.8 |
2023-05-25 | CVE-2023-2882 | Cbot | Generation of Incorrect Security Identifiers vulnerability in Cbot Core and Cbot Panel Generation of Incorrect Security Tokens vulnerability in CBOT Chatbot allows Token Impersonation, Privilege Abuse. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | 9.8 |
2023-05-25 | CVE-2023-2884 | Cbot | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Cbot Core and Cbot Panel Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Use of Insufficiently Random Values vulnerability in CBOT Chatbot allows Signature Spoofing by Key Recreation. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | 9.8 |
2023-05-25 | CVE-2023-2887 | Cbot | Authentication Bypass by Spoofing vulnerability in Cbot Core and Cbot Panel Authentication Bypass by Spoofing vulnerability in CBOT Chatbot allows Authentication Bypass. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | 9.8 |
2023-05-25 | CVE-2023-2732 | Inspireui | Unspecified vulnerability in Inspireui Mstore API The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. | 9.8 |
2023-05-25 | CVE-2023-2733 | Inspireui | Unspecified vulnerability in Inspireui Mstore API The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. | 9.8 |
2023-05-25 | CVE-2023-2734 | Inspireui | Unspecified vulnerability in Inspireui Mstore API The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. | 9.8 |
2023-05-24 | CVE-2023-29721 | Sofawiki Project | Unrestricted Upload of File with Dangerous Type vulnerability in Sofawiki Project Sofawiki SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution. | 9.8 |
2023-05-24 | CVE-2023-31458 | Mitel | Unspecified vulnerability in Mitel Mivoice Connect A vulnerability in the Edge Gateway component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because initial installation does not enforce a password change. | 9.8 |
2023-05-24 | CVE-2023-31457 | Mitel | Unspecified vulnerability in Mitel Mivoice Connect A vulnerability in the Headquarters server component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control. | 9.8 |
2023-05-24 | CVE-2023-2868 | Barracuda | Command Injection vulnerability in Barracuda products A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product affecting versions 5.1.3.001-9.2.0.006. | 9.8 |
2023-05-24 | CVE-2023-1174 | Kubernetes | Unspecified vulnerability in Kubernetes Minikube This vulnerability exposes a network port in minikube running on macOS with Docker driver that could enable unexpected remote access to the minikube container. | 9.8 |
2023-05-24 | CVE-2023-33246 | Apache | Code Injection vulnerability in Apache Rocketmq For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. | 9.8 |
2023-05-24 | CVE-2023-2045 | Ipekyolunet | SQL Injection vulnerability in Ipekyolunet Software Auto Damage Tracking Software Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ipekyolu Software Auto Damage Tracking Software allows SQL Injection. This issue affects Auto Damage Tracking Software: before 4. | 9.8 |
2023-05-24 | CVE-2023-2064 | Minovateknoloji | SQL Injection vulnerability in Minovateknoloji Etrace Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Minova Technology eTrace allows SQL Injection. This issue affects eTrace: before 23.05.20. | 9.8 |
2023-05-24 | CVE-2023-33009 | Zyxel | Classic Buffer Overflow vulnerability in Zyxel products A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. | 9.8 |
2023-05-24 | CVE-2023-33010 | Zyxel | Classic Buffer Overflow vulnerability in Zyxel products A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. | 9.8 |
2023-05-24 | CVE-2023-2750 | Cityboss | SQL Injection vulnerability in Cityboss E-Municipality Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cityboss E-municipality allows SQL Injection. This issue affects E-municipality: before 6.05. | 9.8 |
2023-05-24 | CVE-2023-2865 | Theme Park Ticketing System Project | SQL Injection vulnerability in Theme Park Ticketing System Project Theme Park Ticketing System 1.0 A vulnerability was found in SourceCodester Theme Park Ticketing System 1.0. | 9.8 |
2023-05-23 | CVE-2023-32697 | Sqlite Jdbc Project | Code Injection vulnerability in Sqlite Jdbc Project Sqlite Jdbc SQLite JDBC is a library for accessing and creating SQLite database files in Java. | 9.8 |
2023-05-23 | CVE-2023-1508 | Adampos | SQL Injection vulnerability in Adampos Mobilmen EL Terminali Yazilimi Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adam Retail Automation Systems Mobilmen Terminal Software allows SQL Injection. This issue affects Mobilmen Terminal Software: before 3. | 9.8 |
2023-05-23 | CVE-2023-23298 | Garmin | Integer Overflow or Wraparound vulnerability in Garmin Connect-Iq The `Toybox.Graphics.BufferedBitmap.initialize` API method in CIQ API version 2.3.0 through 4.1.7 does not validate its parameters, which can result in integer overflows when allocating the underlying bitmap buffer. | 9.8 |
2023-05-23 | CVE-2023-23300 | Garmin | Classic Buffer Overflow vulnerability in Garmin Connect-Iq The `Toybox.Cryptography.Cipher.initialize` API method in CIQ API version 3.0.0 through 4.1.7 does not validate its parameters, which can result in buffer overflows when copying data. | 9.8 |
2023-05-23 | CVE-2023-23301 | Garmin | Out-of-bounds Read vulnerability in Garmin Connect-Iq The `news` MonkeyC operation code in CIQ API version 1.0.0 through 4.1.7 fails to check that string resources are not extending past the end of the expected sections. | 9.8 |
2023-05-23 | CVE-2023-23302 | Garmin | Classic Buffer Overflow vulnerability in Garmin Connect-Iq The `Toybox.GenericChannel.setDeviceConfig` API method in CIQ API version 1.2.0 through 4.1.7 does not validate its parameter, which can result in buffer overflows when copying various attributes. | 9.8 |
2023-05-23 | CVE-2023-23303 | Garmin | Classic Buffer Overflow vulnerability in Garmin Connect-Iq The `Toybox.Ant.GenericChannel.enableEncryption` API method in CIQ API version 3.2.0 through 4.1.7 does not validate its parameter, which can result in buffer overflows when copying various attributes. | 9.8 |
2023-05-23 | CVE-2023-23305 | Garmin | Classic Buffer Overflow vulnerability in Garmin Connect-Iq The GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 is vulnerable to various buffer overflows when loading binary resources. | 9.8 |
2023-05-23 | CVE-2023-23306 | Garmin | Out-of-bounds Write vulnerability in Garmin Connect-Iq The `Toybox.Ant.BurstPayload.add` API method in CIQ API version 2.2.0 through 4.1.7 suffers from a type confusion vulnerability, which can result in an out-of-bounds write operation. | 9.8 |
2023-05-23 | CVE-2023-31752 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Employee and Visitor Gate Pass Logging System 1.0 SourceCodester Employee and Visitor Gate Pass Logging System v1.0 is vulnerable to SQL Injection via /employee_gatepass/classes/Login.php. | 9.8 |
2023-05-23 | CVE-2023-33361 | Piwigo | SQL Injection vulnerability in Piwigo 13.6.0 Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php. | 9.8 |
2023-05-23 | CVE-2023-33362 | Piwigo | SQL Injection vulnerability in Piwigo 13.6.0 Piwigo 13.6.0 is vulnerable to SQL Injection via the "profile" function. | 9.8 |
2023-05-23 | CVE-2023-33338 | Phpgurukul | SQL Injection vulnerability in PHPgurukul OLD AGE Home Management System 1.0 Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter. | 9.8 |
2023-05-23 | CVE-2023-25953 | Worksmobile | Code Injection vulnerability in Worksmobile Drive Explorer Code injection vulnerability in Drive Explorer for macOS versions 3.5.4 and earlier allows an attacker who can login to the client where the affected product is installed to inject arbitrary code while processing the product execution. | 9.8 |
2023-05-23 | CVE-2023-27388 | Tandd Especmic | Improper Authentication vulnerability in multiple products Improper authentication vulnerability in T&D Corporation and ESPEC MIC CORP. | 9.8 |
2023-05-23 | CVE-2023-27397 | Microengine | Unrestricted Upload of File with Dangerous Type vulnerability in Microengine Mailform Unrestricted upload of file with dangerous type exists in MicroEngine Mailform version 1.1.0 to 1.1.8. | 9.8 |
2023-05-23 | CVE-2023-27507 | Microengine | Path Traversal vulnerability in Microengine Mailform MicroEngine Mailform version 1.1.0 to 1.1.8 contains a path traversal vulnerability. | 9.8 |
2023-05-23 | CVE-2023-28408 | MW WP Form Project | Path Traversal vulnerability in MW WP Form Project MW WP Form Directory traversal vulnerability in MW WP Form versions v4.4.2 and earlier allows a remote unauthenticated attacker to alter the website or cause a denial-of-service (DoS) condition, and obtain sensitive information depending on settings. | 9.8 |
2023-05-23 | CVE-2023-28409 | MW WP Form Project | Unrestricted Upload of File with Dangerous Type vulnerability in MW WP Form Project MW WP Form Unrestricted upload of file with dangerous type exists in MW WP Form versions v4.4.2 and earlier, which may allow a remote unauthenticated attacker to upload an arbitrary file. | 9.8 |
2023-05-23 | CVE-2023-28413 | Snow Monkey Forms Project | Path Traversal vulnerability in Snow Monkey Forms Project Snow Monkey Forms Directory traversal vulnerability in Snow Monkey Forms versions v5.0.6 and earlier allows a remote unauthenticated attacker to obtain sensitive information, alter the website, or cause a denial-of-service (DoS) condition. | 9.8 |
2023-05-23 | CVE-2020-20012 | Sudytech | Path Traversal vulnerability in Sudytech Webplus PRO 1.4.7.8.401 WebPlus Pro v1.4.7.8.4-01 is vulnerable to Incorrect Access Control. | 9.8 |
2023-05-23 | CVE-2023-27068 | Sitecore | Deserialization of Untrusted Data vulnerability in Sitecore Experience Platform Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run arbitrary code via ValidationResult.aspx. | 9.8 |
2023-05-23 | CVE-2023-31814 | Dlink | Unspecified vulnerability in Dlink Dir-300 Firmware D-Link DIR-300 firmware <=REVA1.06 and <=REVB2.06 is vulnerable to File inclusion via /model/__lang_msg.php. | 9.8 |
2023-05-22 | CVE-2022-46658 | Dataprobe | Unspecified vulnerability in Dataprobe products The affected product is vulnerable to a stack-based buffer overflow which could lead to a denial of service or remote code execution. | 9.8 |
2023-05-22 | CVE-2022-46738 | Dataprobe | Unspecified vulnerability in Dataprobe products The affected product exposes multiple sensitive data fields of the affected product. | 9.8 |
2023-05-22 | CVE-2023-2504 | Birddog | Use of Hard-coded Credentials vulnerability in Birddog products Files present on firmware images could allow an attacker to gain unauthorized access as a root user using hard-coded credentials. | 9.8 |
2023-05-22 | CVE-2023-28386 | Snapone | Insufficient Verification of Data Authenticity vulnerability in Snapone Orvc Snap One OvrC Pro devices versions 7.2 and prior do not validate firmware updates correctly. | 9.8 |
2023-05-22 | CVE-2023-31240 | Snapone | Use of Hard-coded Credentials vulnerability in Snapone Orvc Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. | 9.8 |
2023-05-22 | CVE-2023-31689 | Wcms | Unrestricted Upload of File with Dangerous Type vulnerability in Wcms 0.3.2 In Wcms 0.3.2, an attacker can send a crafted request from a vulnerable web application backend server /wcms/wex/html.php via the finish parameter and the textAreaCode parameter. | 9.8 |
2023-05-22 | CVE-2023-2840 | Gpac | NULL Pointer Dereference vulnerability in Gpac NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2. | 9.8 |
2023-05-22 | CVE-2023-2586 | Teltonika | Improper Authentication vulnerability in Teltonika Remote Management System 4.14.0 Teltonika’s Remote Management System version 4.14.0 is vulnerable to an unauthorized attacker registering previously unregistered devices through the RMS platform. | 9.8 |
2023-05-22 | CVE-2023-31062 | Apache | Improper Privilege Management vulnerability in Apache Inlong Improper Privilege Management Vulnerabilities in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. When the attacker has access to a valid (but unprivileged) account, the exploit can be executed using Burp Suite by sending a login request and following it with a subsequent HTTP request using the returned cookie. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 to solve it. | 9.8 |
2023-05-22 | CVE-2023-31098 | Apache | Weak Password Requirements vulnerability in Apache Inlong Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.6.0. When users change their password to a simple password (with any character or symbol), attackers can easily guess the user's password and access the account. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805 to solve it. | 9.8 |
2023-05-22 | CVE-2023-33294 | Kaiostech | Command Injection vulnerability in Kaiostech Kaios 3.0/3.1 An issue was discovered in KaiOS 3.0 before 3.1. | 9.8 |
2023-05-22 | CVE-2023-32347 | Teltonika | Improper Authentication vulnerability in Teltonika Remote Management System Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication. | 9.8 |
2023-05-22 | CVE-2022-46680 | Schneider Electric | Cleartext Transmission of Sensitive Information vulnerability in Schneider-Electric products A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic. | 9.8 |
2023-05-22 | CVE-2022-44739 | Thingsforrestaurants | Cross-Site Request Forgery (CSRF) vulnerability in Thingsforrestaurants Quick Restaurant Reservations Cross-Site Request Forgery (CSRF) vulnerability in ThingsForRestaurants Quick Restaurant Reservations plugin <= 1.5.4 versions. | 9.8 |
2023-05-22 | CVE-2023-33236 | Moxa | Use of Hard-coded Credentials vulnerability in Moxa Mxsecurity 1.0 MXsecurity version 1.0 is vulnerable to a hardcoded credential vulnerability. | 9.8 |
2023-05-22 | CVE-2023-32336 | IBM | Deserialization of Untrusted Data vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 is affected by a remote code execution vulnerability due to insecure deserialization in an RMI service. | 9.8 |
2023-05-26 | CVE-2023-21516 | Samsung | Cross-site Scripting vulnerability in Samsung Galaxy Store 4.5.32.4/4.5.36.4/4.5.41.8 XSS vulnerability from InstantPlay in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store. | 9.6 |
2023-05-28 | CVE-2023-2951 | BUS Dispatch AND Information System Project | SQL Injection vulnerability in BUS Dispatch and Information System Project BUS Dispatch and Information System 1.0 A vulnerability classified as critical has been found in code-projects Bus Dispatch and Information System 1.0. | 9.1 |
2023-05-24 | CVE-2023-33796 | Netbox | Unspecified vulnerability in Netbox 3.5.1 A vulnerability in Netbox v3.5.1 allows unauthenticated attackers to execute queries against the GraphQL database, granting them access to sensitive data stored in the database. | 9.1 |
2023-05-23 | CVE-2023-23304 | Garmin | Unspecified vulnerability in Garmin Connect-Iq The GarminOS TVM component in CIQ API version 2.1.0 through 4.1.7 allows applications with a specially crafted head section to use the `Toybox.SensorHistory` module without permission. | 9.1 |
2023-05-23 | CVE-2023-29919 | Contec | Incorrect Default Permissions vulnerability in Contec Solarview Compact Firmware 6.0 SolarView Compact <= 6.0 is vulnerable to Insecure Permissions. | 9.1 |
2023-05-22 | CVE-2023-2838 | Gpac | Out-of-bounds Read vulnerability in Gpac Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. | 9.1 |
2023-05-22 | CVE-2023-31065 | Apache | Insufficient Session Expiration vulnerability in Apache Inlong 1.4.0/1.5.0/1.6.0 Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. An old session can be used by an attacker even after the user has been deleted or the password has been changed. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836, https://github.com/apache/inlong/pull/7884 to solve it. | 9.1 |
2023-05-22 | CVE-2023-31066 | Apache | Files or Directories Accessible to External Parties vulnerability in Apache Inlong 1.4.0/1.5.0/1.6.0 Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. | 9.1 |
2023-05-22 | CVE-2023-2597 | Eclipse | Out-of-bounds Read vulnerability in Eclipse Openj9 In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds) the size of a string is not properly checked against the size of the buffer. | 9.1 |
228 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-05-28 | CVE-2022-36345 | Metagauss | Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin <= 2.0.4 versions. | 8.8 |
2023-05-28 | CVE-2023-33926 | Supsystic | Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps plugin <= 1.11.7 versions. | 8.8 |
2023-05-28 | CVE-2023-33313 | Themeinprogress | Cross-Site Request Forgery (CSRF) vulnerability in Themeinprogress WIP Custom Login Cross-Site Request Forgery (CSRF) vulnerability in ThemeinProgress WIP Custom Login plugin <= 1.2.9 versions. | 8.8 |
2023-05-28 | CVE-2023-33316 | Woocommerce | Cross-Site Request Forgery (CSRF) vulnerability in Woocommerce Automatewoo Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Follow-Up Emails (AutomateWoo) plugin <= 4.9.40 versions. | 8.8 |
2023-05-28 | CVE-2023-33212 | Crocoblock | Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock Jetformbuilder Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetFormBuilder — Dynamic Blocks Form Builder plugin <= 3.0.6 versions. | 8.8 |
2023-05-28 | CVE-2023-33314 | Pluginus | Cross-Site Request Forgery (CSRF) vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional Cross-Site Request Forgery (CSRF) vulnerability in realmag777 BEAR plugin <= 1.1.3.1 versions. | 8.8 |
2023-05-28 | CVE-2023-33315 | Wandlesoftware | Cross-Site Request Forgery (CSRF) vulnerability in Wandlesoftware Smart APP Banner Cross-Site Request Forgery (CSRF) vulnerability in Stephen Darlington, Wandle Software Limited Smart App Banner plugin <= 1.1.2 versions. | 8.8 |
2023-05-28 | CVE-2023-33931 | Getbutterfly | Cross-Site Request Forgery (CSRF) vulnerability in Getbutterfly Youtube Playlist Player Cross-Site Request Forgery (CSRF) vulnerability in Ciprian Popescu YouTube Playlist Player plugin <= 4.6.4 versions. | 8.8 |
2023-05-28 | CVE-2015-10106 | MH Httpbl Project | SQL Injection vulnerability in MH Httpbl Project MH Httpbl ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical was found in mback2k mh_httpbl Extension up to 1.1.7 on TYPO3. | 8.8 |
2023-05-27 | CVE-2023-2943 | Open EMR | Code Injection vulnerability in Open-Emr Openemr Code Injection in GitHub repository openemr/openemr prior to 7.0.1. | 8.8 |
2023-05-27 | CVE-2023-2928 | Dedecms | Code Injection vulnerability in Dedecms A vulnerability was found in DedeCMS up to 5.7.106. | 8.8 |
2023-05-26 | CVE-2023-21514 | Samsung | Improper Input Validation vulnerability in Samsung Galaxy Store 4.5.32.4/4.5.36.4/4.5.41.8 Improper scheme validation from InstantPlay Deeplink in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store. | 8.8 |
2023-05-26 | CVE-2023-21515 | Samsung | Unspecified vulnerability in Samsung Galaxy Store 4.5.32.4/4.5.36.4/4.5.41.8 InstantPlay which included vulnerable script which could execute javascript in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store. | 8.8 |
2023-05-26 | CVE-2023-31128 | Nextcloud | OS Command Injection vulnerability in Nextcloud Cookbook NextCloud Cookbook is a recipe library app. | 8.8 |
2023-05-26 | CVE-2023-33779 | Xuxueli | Unspecified vulnerability in Xuxueli Xxl-Job 2.4.1 A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/. | 8.8 |
2023-05-26 | CVE-2023-25034 | WP Clean UP Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Clean UP Project WP Clean UP Cross-Site Request Forgery (CSRF) vulnerability in BoLiQuan WP Clean Up plugin <= 1.2.3 versions. | 8.8 |
2023-05-26 | CVE-2023-25058 | Brainstormforce | Cross-Site Request Forgery (CSRF) vulnerability in Brainstormforce Schema Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Schema – All In One Schema Rich Snippets plugin <= 1.6.5 versions. | 8.8 |
2023-05-26 | CVE-2023-25467 | Resize AT Upload Plus Project | Cross-Site Request Forgery (CSRF) vulnerability in Resize AT Upload Plus Project Resize AT Upload Plus Cross-Site Request Forgery (CSRF) vulnerability in Daniel Mores, A. | 8.8 |
2023-05-26 | CVE-2023-32964 | Madewithfuel | Cross-Site Request Forgery (CSRF) vulnerability in Madewithfuel Better Notifications for WP Cross-Site Request Forgery (CSRF) vulnerability in Made with Fuel Better Notifications for WP plugin <= 1.9.2 versions. | 8.8 |
2023-05-26 | CVE-2023-25029 | WP Social Bookmarking Light Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Social Bookmarking Light Project WP Social Bookmarking Light Cross-Site Request Forgery (CSRF) vulnerability in utahta WP Social Bookmarking Light plugin <= 2.0.7 versions. | 8.8 |
2023-05-26 | CVE-2023-25470 | RUS TO LAT Project | Cross-Site Request Forgery (CSRF) vulnerability in Rus-To-Lat Project Rus-To-Lat Cross-Site Request Forgery (CSRF) vulnerability in Anton Skorobogatov Rus-To-Lat plugin <= 0.3 versions. | 8.8 |
2023-05-26 | CVE-2023-22693 | Conlabz | Cross-Site Request Forgery (CSRF) vulnerability in Conlabz WP Google TAG Manager Cross-Site Request Forgery (CSRF) vulnerability in conlabzgmbh WP Google Tag Manager plugin <= 1.1 versions. | 8.8 |
2023-05-26 | CVE-2023-24008 | Wpmaspik | Cross-Site Request Forgery (CSRF) vulnerability in Wpmaspik Maspik Cross-Site Request Forgery (CSRF) vulnerability in yonifre Maspik – Spam Blacklist plugin <= 0.7.8 versions. | 8.8 |
2023-05-26 | CVE-2023-25038 | 984 RU | Cross-Site Request Forgery (CSRF) vulnerability in 984.Ru for the Visually Impaired Cross-Site Request Forgery (CSRF) vulnerability in 984.Ru For the visually impaired plugin <= 0.58 versions. | 8.8 |
2023-05-26 | CVE-2023-23714 | Uncannyowl | Cross-Site Request Forgery (CSRF) vulnerability in Uncannyowl Uncanny Toolkit for Learndash Cross-Site Request Forgery (CSRF) vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash plugin <= 3.6.4.1 versions. | 8.8 |
2023-05-26 | CVE-2023-24007 | Admin Block Country Project | Cross-Site Request Forgery (CSRF) vulnerability in Admin Block Country Project Admin Block Country Cross-Site Request Forgery (CSRF) vulnerability in TheOnlineHero - Tom Skroza Admin Block Country plugin <= 7.1.4 versions. | 8.8 |
2023-05-26 | CVE-2023-25971 | Fixbd | Cross-Site Request Forgery (CSRF) vulnerability in Fixbd Educare Cross-Site Request Forgery (CSRF) vulnerability in FixBD Educare plugin <= 1.4.1 versions. | 8.8 |
2023-05-26 | CVE-2023-25976 | Crmperks | Cross-Site Request Forgery (CSRF) vulnerability in Crmperks Integration for Contact Form 7 and Zoho Crm, Bigin Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin plugin <= 1.2.2 versions. | 8.8 |
2023-05-25 | CVE-2022-47174 | Wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Wordpress Performance LAB Cross-Site Request Forgery (CSRF) vulnerability in WordPress Performance Team Performance Lab plugin <= 2.2.0 versions. | 8.8 |
2023-05-25 | CVE-2023-2888 | Phpok | Unrestricted Upload of File with Dangerous Type vulnerability in PHPok 6.4.100 A vulnerability, which was classified as problematic, was found in PHPOK 6.4.100. | 8.8 |
2023-05-25 | CVE-2022-46810 | Villatheme | Cross-Site Request Forgery (CSRF) vulnerability in Villatheme Thank YOU Page Customizer for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Thank You Page Customizer for WooCommerce – Increase Your Sales plugin <= 1.0.13 versions. | 8.8 |
2023-05-25 | CVE-2022-46814 | Pierros | Cross-Site Request Forgery (CSRF) vulnerability in Pierros Kodex Posts Likes Cross-Site Request Forgery (CSRF) vulnerability in Pierre Lebedel Kodex Posts likes plugin <= 2.4.3 versions. | 8.8 |
2023-05-25 | CVE-2022-46820 | Wpjoli | Cross-Site Request Forgery (CSRF) vulnerability in Wpjoli Joli Table of Contents Cross-Site Request Forgery (CSRF) vulnerability in WPJoli Joli Table Of Contents plugin <= 1.3.9 versions. | 8.8 |
2023-05-25 | CVE-2022-46856 | Orion | Cross-Site Request Forgery (CSRF) vulnerability in Orion Woocommerce products Designer Cross-Site Request Forgery (CSRF) vulnerability in ORION Woocommerce Products Designer plugin <= 4.3.3 versions. | 8.8 |
2023-05-25 | CVE-2022-47136 | Wpmanageninja | Cross-Site Request Forgery (CSRF) vulnerability in Wpmanageninja Ninja Tables Cross-Site Request Forgery (CSRF) vulnerability in WPManageNinja LLC Ninja Tables – Best Data Table Plugin for WordPress plugin <= 4.3.4 versions. | 8.8 |
2023-05-25 | CVE-2022-47144 | Frenify | Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mediamatic 2.7/2.8.1 Cross-Site Request Forgery (CSRF) vulnerability in Plugincraft Mediamatic – Media Library Folders plugin <= 2.8.1 versions. | 8.8 |
2023-05-25 | CVE-2022-47178 | Simplesharebuttons | Cross-Site Request Forgery (CSRF) vulnerability in Simplesharebuttons Simple Share Buttons Adder Cross-Site Request Forgery (CSRF) vulnerability in Simple Share Buttons Simple Share Buttons Adder plugin <= 8.4.7 versions. | 8.8 |
2023-05-25 | CVE-2022-38356 | Stylemixthemes | Cross-Site Request Forgery (CSRF) vulnerability in Stylemixthemes Pearl Header Builder Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes WordPress Header Builder Plugin – Pearl plugin <= 1.3.4 versions. | 8.8 |
2023-05-25 | CVE-2022-38716 | Stylemixthemes | Cross-Site Request Forgery (CSRF) vulnerability in Stylemixthemes Motors - CAR Dealer, Classifieds & Listing Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes Motors – Car Dealer, Classifieds & Listing plugin <= 1.4.4 versions. | 8.8 |
2023-05-25 | CVE-2022-41987 | Badgeos | Cross-Site Request Forgery (CSRF) vulnerability in Badgeos Cross-Site Request Forgery (CSRF) vulnerability in LearningTimes BadgeOS plugin <= 3.7.1.6 versions. | 8.8 |
2023-05-25 | CVE-2022-43490 | XWP | Cross-Site Request Forgery (CSRF) vulnerability in XWP Stream Cross-Site Request Forgery (CSRF) vulnerability in XWP Stream plugin <= 3.9.2 versions. | 8.8 |
2023-05-25 | CVE-2022-45371 | Wpmet | Cross-Site Request Forgery (CSRF) vulnerability in Wpmet Shopengine Cross-Site Request Forgery (CSRF) vulnerability in Wpmet ShopEngine plugin <= 4.1.1 versions. | 8.8 |
2023-05-25 | CVE-2022-45815 | Stylemixthemes | Cross-Site Request Forgery (CSRF) vulnerability in Stylemixthemes Gdpr Compliance & Cookie Consent Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes GDPR Compliance & Cookie Consent plugin <= 1.2 versions. | 8.8 |
2023-05-25 | CVE-2022-45367 | Tychesoftwares | Cross-Site Request Forgery (CSRF) vulnerability in Tychesoftwares Custom Order Numbers for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in Tyche Softwares Custom Order Numbers for WooCommerce plugin <= 1.4.0 versions. | 8.8 |
2023-05-25 | CVE-2022-47149 | Upress | Cross-Site Request Forgery (CSRF) vulnerability in Upress Enable Accessibility 1.4 Cross-Site Request Forgery (CSRF) vulnerability in Pretty Links plugin <= 3.4.0 versions. | 8.8 |
2023-05-25 | CVE-2022-47161 | Wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Wordpress Health Check & Troubleshooting Cross-Site Request Forgery (CSRF) vulnerability in The WordPress.Org community Health Check & Troubleshooting plugin <= 1.5.1 versions. | 8.8 |
2023-05-25 | CVE-2022-47165 | Coschedule | Cross-Site Request Forgery (CSRF) vulnerability in Coschedule Cross-Site Request Forgery (CSRF) vulnerability in CoSchedule plugin <= 3.3.8 versions. | 8.8 |
2023-05-25 | CVE-2022-47177 | Wpeasypay | Cross-Site Request Forgery (CSRF) vulnerability in Wpeasypay WP Easypay Cross-Site Request Forgery (CSRF) vulnerability in WP Easy Pay WP EasyPay – Square for WordPress plugin <= 4.1 versions. | 8.8 |
2023-05-25 | CVE-2023-30484 | Upress | Cross-Site Request Forgery (CSRF) vulnerability in Upress Enable Accessibility Cross-Site Request Forgery (CSRF) vulnerability in uPress Enable Accessibility plugin <= 1.4 versions. | 8.8 |
2023-05-25 | CVE-2022-41635 | Zorem | Cross-Site Request Forgery (CSRF) vulnerability in Zorem Advanced Shipment Tracking for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in Zorem Advanced Shipment Tracking for WooCommerce plugin <= 3.5.2 versions. | 8.8 |
2023-05-25 | CVE-2022-46800 | Litespeedtech | Cross-Site Request Forgery (CSRF) vulnerability in Litespeedtech Litespeed Cache Cross-Site Request Forgery (CSRF) vulnerability in LiteSpeed Technologies LiteSpeed Cache plugin <= 5.3 versions. | 8.8 |
2023-05-25 | CVE-2022-46812 | Villatheme | Cross-Site Request Forgery (CSRF) vulnerability in Villatheme Thank YOU Page Customizer for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Thank You Page Customizer for WooCommerce – Increase Your Sales plugin <= 1.0.13 versions. | 8.8 |
2023-05-25 | CVE-2022-46865 | Bulk Resize Media Project | Cross-Site Request Forgery (CSRF) vulnerability in Bulk Resize Media Project Bulk Resize Media Cross-Site Request Forgery (CSRF) vulnerability in Marty Thornley Bulk Resize Media plugin <= 1.1 versions. | 8.8 |
2023-05-25 | CVE-2022-46866 | Import External Images Project | Cross-Site Request Forgery (CSRF) vulnerability in Import External Images Project Import External Images Cross-Site Request Forgery (CSRF) vulnerability in Marty Thornley Import External Images plugin <= 1.4 versions. | 8.8 |
2023-05-25 | CVE-2022-47135 | Chronoengine | Cross-Site Request Forgery (CSRF) vulnerability in Chronoengine Chronoforms Cross-Site Request Forgery (CSRF) vulnerability in chronoengine.Com Chronoforms plugin <= 7.0.9 versions. | 8.8 |
2023-05-25 | CVE-2022-47138 | Login AND Registration Attempts Limit Project | Cross-Site Request Forgery (CSRF) vulnerability in Login and Registration Attempts Limit Project Login and Registration Attempts Limit Cross-Site Request Forgery (CSRF) vulnerability in German Krutov LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin <= 2.1 versions. | 8.8 |
2023-05-25 | CVE-2022-47139 | WP Basic Elements Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Basic Elements Project WP Basic Elements Cross-Site Request Forgery (CSRF) vulnerability in Damir Calusic WP Basic Elements plugin <= 5.2.15 versions. | 8.8 |
2023-05-25 | CVE-2022-47159 | Logaster | Cross-Site Request Forgery (CSRF) vulnerability in Logaster Logo Generator Cross-Site Request Forgery (CSRF) vulnerability in Logaster Logaster Logo Generator plugin <= 1.3 versions. | 8.8 |
2023-05-25 | CVE-2022-47164 | Mage People | Cross-Site Request Forgery (CSRF) vulnerability in Mage-People Event Manager and Tickets Selling Plugin for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in MagePeople Team Event Manager and Tickets Selling Plugin for WooCommerce plugin <= 3.7.7 versions. | 8.8 |
2023-05-25 | CVE-2023-2883 | Cbot | Authorization Bypass Through User-Controlled Key vulnerability in Cbot Core and Cbot Panel Authorization Bypass Through User-Controlled Key vulnerability in CBOT Chatbot allows Authentication Abuse, Authentication Bypass. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | 8.8 |
2023-05-25 | CVE-2023-2500 | Granthweb | Deserialization of Untrusted Data vulnerability in Granthweb GO Pricing The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.3.19 via deserialization of untrusted input from the 'go_pricing' shortcode 'data' parameter. | 8.8 |
2023-05-24 | CVE-2022-4815 | Hitachi | Deserialization of Untrusted Data vulnerability in Hitachi products Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods. | 8.8 |
2023-05-24 | CVE-2023-31459 | Mitel | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Mitel Mivoice Connect A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect versions 9.6.2208.101 and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because the initial installation does not enforce a password change. | 8.8 |
2023-05-24 | CVE-2022-47446 | Viadat | Cross-Site Request Forgery (CSRF) vulnerability in Viadat Store Locator for Wordpress With Google Maps Cross-Site Request Forgery (CSRF) vulnerability in Viadat Creations Store Locator for WordPress with Google Maps – LotsOfLocales plugin <= 3.98.7 versions. | 8.8 |
2023-05-24 | CVE-2022-47447 | Internet Formation | Cross-Site Request Forgery (CSRF) vulnerability in Internet-Formation Wp-Advanced-Search Cross-Site Request Forgery (CSRF) vulnerability in Mathieu Chartier WordPress WP-Advanced-Search plugin <= 3.3.8 versions. | 8.8 |
2023-05-24 | CVE-2022-47448 | Xiligroup | Cross-Site Request Forgery (CSRF) vulnerability in Xiligroup Xili-Tidy-Tags Cross-Site Request Forgery (CSRF) vulnerability in dev.Xiligroup.Com - MS plugin <= 1.12.03 versions. | 8.8 |
2023-05-24 | CVE-2022-45364 | Codedropz | Cross-Site Request Forgery (CSRF) vulnerability in Codedropz Drag and Drop multiple File Upload - Contact Form 7 Cross-Site Request Forgery (CSRF) vulnerability in Glen Don L. | 8.8 |
2023-05-24 | CVE-2022-46794 | Weightbasedshipping | Cross-Site Request Forgery (CSRF) vulnerability in Weightbasedshipping Woocommerce Weight Based Shipping Cross-Site Request Forgery (CSRF) vulnerability in weightbasedshipping.Com WooCommerce Weight Based Shipping plugin <= 5.4.1 versions. | 8.8 |
2023-05-24 | CVE-2022-46816 | Bookingultrapro | Cross-Site Request Forgery (CSRF) vulnerability in Bookingultrapro Booking Ultra PRO Appointments Booking Calendar Cross-Site Request Forgery (CSRF) vulnerability in Booking Ultra Pro Appointments Booking Calendar Plugin plugin <= 1.1.4 versions. | 8.8 |
2023-05-24 | CVE-2022-47152 | Clickfunnels | Cross-Site Request Forgery (CSRF) vulnerability in Clickfunnels Cross-Site Request Forgery (CSRF) vulnerability in Etison, LLC ClickFunnels plugin <= 3.1.1 versions. | 8.8 |
2023-05-24 | CVE-2022-47180 | Kopatheme | Cross-Site Request Forgery (CSRF) vulnerability in Kopatheme Kopa Framework Cross-Site Request Forgery (CSRF) vulnerability in Kopa Theme Kopa Framework plugin <= 1.3.5 versions. | 8.8 |
2023-05-24 | CVE-2023-2065 | Armoli | Authorization Bypass Through User-Controlled Key vulnerability in Armoli Cargo Tracking System Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication Abuse, Authentication Bypass. This issue affects Cargo Tracking System: before 3558f28. | 8.8 |
2023-05-24 | CVE-2023-2859 | Teampass | Code Injection vulnerability in Teampass Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | 8.8 |
2023-05-24 | CVE-2023-2494 | Granthweb | Missing Authorization vulnerability in Granthweb GO Pricing The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. | 8.8 |
2023-05-23 | CVE-2023-2702 | Finexmedia | Authorization Bypass Through User-Controlled Key vulnerability in Finexmedia Competition Management System Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass. This issue affects Competition Management System: before 23.07. | 8.8 |
2023-05-23 | CVE-2023-1837 | Hypr | Missing Authentication for Critical Function vulnerability in Hypr Server Missing Authentication for critical function vulnerability in HYPR Server allows Authentication Bypass when using Legacy APIs. This issue affects HYPR Server: before 8.0 (with enabled Legacy APIs) | 8.8 |
2023-05-23 | CVE-2023-25474 | About ME 3000 Widget Project | Cross-Site Request Forgery (CSRF) vulnerability in About ME 3000 Widget Project About ME 3000 Widget Cross-Site Request Forgery (CSRF) vulnerability in Csaba Kissi About Me 3000 widget plugin <= 2.2.6 versions. | 8.8 |
2023-05-23 | CVE-2022-46813 | Sigmaplugin | Cross-Site Request Forgery (CSRF) vulnerability in Sigmaplugin Advanced Database Cleaner Cross-Site Request Forgery (CSRF) vulnerability in Younes JFR. | 8.8 |
2023-05-23 | CVE-2023-26011 | Dogblocker | Cross-Site Request Forgery (CSRF) vulnerability in Dogblocker Read More Excerpt Link Cross-Site Request Forgery (CSRF) vulnerability in Tim Eckel Read More Excerpt Link plugin <= 1.6 versions. | 8.8 |
2023-05-23 | CVE-2023-26014 | Dogblocker | Cross-Site Request Forgery (CSRF) vulnerability in Dogblocker Minify Html Cross-Site Request Forgery (CSRF) vulnerability in Tim Eckel Minify HTML plugin <= 2.1.7 vulnerability. | 8.8 |
2023-05-23 | CVE-2022-46851 | Brainstormforce | Cross-Site Request Forgery (CSRF) vulnerability in Brainstormforce Starter Templates Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Starter Templates plugin <= 3.1.20 versions. | 8.8 |
2023-05-23 | CVE-2022-46853 | Radiustheme | Cross-Site Request Forgery (CSRF) vulnerability in Radiustheme Post Grid Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme The Post Grid plugin <= 5.0.4 versions. | 8.8 |
2023-05-23 | CVE-2023-23705 | Hmplugin | Cross-Site Request Forgery (CSRF) vulnerability in Hmplugin Wordpress Books Gallery Cross-Site Request Forgery (CSRF) vulnerability in HM Plugin WordPress Books Gallery plugin <= 4.4.8 versions. | 8.8 |
2023-05-23 | CVE-2023-23713 | Theme Tweaker Project | Cross-Site Request Forgery (CSRF) vulnerability in Theme Tweaker Project Theme Tweaker Cross-Site Request Forgery (CSRF) vulnerability in Manoj Thulasidas Theme Tweaker plugin <= 5.20 versions. | 8.8 |
2023-05-23 | CVE-2023-25056 | Slickremix | Cross-Site Request Forgery (CSRF) vulnerability in Slickremix Feed Them Social Cross-Site Request Forgery (CSRF) vulnerability in SlickRemix Feed Them Social plugin <= 3.0.2 versions. | 8.8 |
2023-05-23 | CVE-2023-23706 | Miniorange | Cross-Site Request Forgery (CSRF) vulnerability in Miniorange Wordpress Social Login and Register (Discord, Google, Twitter, Linkedin) Cross-Site Request Forgery (CSRF) vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 versions. | 8.8 |
2023-05-23 | CVE-2023-23724 | Winwar | Cross-Site Request Forgery (CSRF) vulnerability in Winwar WP Email Capture Cross-Site Request Forgery (CSRF) vulnerability in Winwar Media WP Email Capture plugin <= 3.9.3 versions. | 8.8 |
2023-05-23 | CVE-2023-25472 | Podlove | Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podcast Publisher Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher plugin <= 3.8.3 versions. | 8.8 |
2023-05-23 | CVE-2023-25481 | Podlove | Cross-Site Request Forgery (CSRF) vulnerability in Podlove Subscribe Button Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Subscribe button plugin <= 1.3.7 versions. | 8.8 |
2023-05-23 | CVE-2023-25707 | Vikwp | Cross-Site Request Forgery (CSRF) vulnerability in Vikwp Vikbooking Hotel Booking Engine & PMS Cross-Site Request Forgery (CSRF) vulnerability in E4J s.R.L. | 8.8 |
2023-05-23 | CVE-2023-25946 | Qrio | Improper Authentication vulnerability in Qrio Q-Sl2 Firmware Authentication bypass vulnerability in Qrio Lock (Q-SL2) firmware version 2.0.9 and earlier allows a network-adjacent attacker to analyze the product's communication data and conduct an arbitrary operation under certain conditions. | 8.8 |
2023-05-23 | CVE-2023-27387 | Tandd Especmic | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Cross-site request forgery (CSRF) in T&D Corporation and ESPEC MIC CORP. | 8.8 |
2023-05-23 | CVE-2023-27514 | Contec | OS Command Injection vulnerability in Contec Sv-Cpt-Mc310 Firmware and Sv-Cpt-Mc310F Firmware OS command injection vulnerability in the download page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows a remote authenticated attacker to execute an arbitrary OS command. | 8.8 |
2023-05-23 | CVE-2023-27518 | Contec | Classic Buffer Overflow vulnerability in Contec Sv-Cpt-Mc310 Firmware and Sv-Cpt-Mc310F Firmware Buffer overflow vulnerability in the multiple setting pages of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows a remote authenticated attacker to execute arbitrary code. | 8.8 |
2023-05-23 | CVE-2023-27521 | Contec | OS Command Injection vulnerability in Contec Sv-Cpt-Mc310 Firmware and Sv-Cpt-Mc310F Firmware OS command injection vulnerability in the mail setting page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows remote authenticated attackers to execute an arbitrary OS command. | 8.8 |
2023-05-23 | CVE-2023-28394 | Beekeeperstudio | OS Command Injection vulnerability in Beekeeperstudio Beekeeper-Studio Beekeeper Studio versions prior to 3.9.9 allows a remote authenticated attacker to execute arbitrary JavaScript code with the privilege of the application on the PC where the affected product is installed. | 8.8 |
2023-05-23 | CVE-2023-31996 | Hanwhavision | Command Injection vulnerability in Hanwhavision products Hanwha IP Camera ANE-L7012R 1.41.01 is vulnerable to Command Injection due to improper sanitization of special characters for the NAS storage test function. | 8.8 |
2023-05-22 | CVE-2022-47311 | Dataprobe | Unspecified vulnerability in Dataprobe products A proprietary protocol for iBoot devices is used for control and keepalive commands. | 8.8 |
2023-05-22 | CVE-2023-2505 | Birddog | Cross-Site Request Forgery (CSRF) vulnerability in Birddog products The affected products have a CSRF vulnerability that could allow an attacker to execute code and upload malicious files. | 8.8 |
2023-05-22 | CVE-2023-2588 | Teltonika | Inclusion of Web Functionality from an Untrusted Source vulnerability in Teltonika Remote Management System Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy. | 8.8 |
2023-05-22 | CVE-2023-32349 | Teltonika Networks | External Control of System or Configuration Setting vulnerability in Teltonika-Networks products Version 00.07.03.4 and prior of Teltonika’s RUT router firmware contain a packet dump utility that contains proper validation for filter parameters. | 8.8 |
2023-05-22 | CVE-2023-32350 | Teltonika Networks | OS Command Injection vulnerability in Teltonika-Networks products Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. | 8.8 |
2023-05-22 | CVE-2023-25447 | Inkthemes | Cross-Site Request Forgery (CSRF) vulnerability in Inkthemes Colorway Cross-Site Request Forgery (CSRF) vulnerability in Inkthemescom ColorWay theme <= 4.2.3 versions. | 8.8 |
2023-05-22 | CVE-2023-25448 | Archivist Project | Cross-Site Request Forgery (CSRF) vulnerability in Archivist Project Archivist Cross-Site Request Forgery (CSRF) vulnerability in Eric Teubert Archivist – Custom Archive Templates plugin <= 1.7.4 versions. | 8.8 |
2023-05-22 | CVE-2023-31923 | Supremainc | Improper Preservation of Permissions vulnerability in Supremainc Biostar 2 Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. | 8.8 |
2023-05-22 | CVE-2023-23797 | Secondlinethemes | Cross-Site Request Forgery (CSRF) vulnerability in Secondlinethemes Auto Youtube Importer Cross-Site Request Forgery (CSRF) vulnerability in SecondLineThemes Auto YouTube Importer plugin <= 1.0.3 versions. | 8.8 |
2023-05-22 | CVE-2022-41608 | Asgaros | Cross-Site Request Forgery (CSRF) vulnerability in Asgaros Forum Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum plugin <= 2.2.0 versions. | 8.8 |
2023-05-22 | CVE-2022-45076 | Webmat | Cross-Site Request Forgery (CSRF) vulnerability in Webmat Flexible Elementor Panel Cross-Site Request Forgery (CSRF) vulnerability in WebMat Flexible Elementor Panel plugin <= 2.3.8 versions. | 8.8 |
2023-05-22 | CVE-2022-45079 | Loginizer | Cross-Site Request Forgery (CSRF) vulnerability in Loginizer Cross-Site Request Forgery (CSRF) vulnerability in Softaculous Loginizer plugin <= 1.7.5 versions. | 8.8 |
2023-05-22 | CVE-2022-45376 | Xootix | Cross-Site Request Forgery (CSRF) vulnerability in Xootix Side Cart Woocommerce 1.0.0/1.0.2/2.0 Cross-Site Request Forgery (CSRF) vulnerability in XootiX Side Cart Woocommerce (Ajax) < 2.1 versions. | 8.8 |
2023-05-22 | CVE-2022-47167 | Crayon Syntax Highlighter Project | Cross-Site Request Forgery (CSRF) vulnerability in Crayon Syntax Highlighter Project Crayon Syntax Highlighter Cross-Site Request Forgery (CSRF) vulnerability in Aram Kocharyan Crayon Syntax Highlighter plugin <= 2.8.4 versions. | 8.8 |
2023-05-22 | CVE-2022-47183 | Stylist Project | Cross-Site Request Forgery (CSRF) vulnerability in Stylist Project Stylist Cross-Site Request Forgery (CSRF) vulnerability in StylistWP Extra Block Design, Style, CSS for ANY Gutenberg Blocks plugin <= 0.2.6 versions. | 8.8 |
2023-05-22 | CVE-2022-47611 | Hover Image Project | Cross-Site Request Forgery (CSRF) vulnerability in Hover Image Project Hover Image Cross-Site Request Forgery (CSRF) vulnerability in Julian Weinert // cs&m Hover Image plugin <= 1.4.1 versions. | 8.8 |
2023-05-22 | CVE-2022-47142 | Mediamatic | Cross-Site Request Forgery (CSRF) vulnerability in Mediamatic Media Library Folders Cross-Site Request Forgery (CSRF) vulnerability in Plugincraft Mediamatic – Media Library Folders plugin <= 2.8.1 versions. | 8.8 |
2023-05-22 | CVE-2022-47609 | Nicearma | Cross-Site Request Forgery (CSRF) vulnerability in Nicearma Dnui-Delete-Not-Used-Image Cross-Site Request Forgery (CSRF) vulnerability in Nicearma DNUI plugin <= 2.8.1 versions. | 8.8 |
2023-05-22 | CVE-2023-22688 | WP Tabs Slides Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Tabs Slides Project WP Tabs Slides Cross-Site Request Forgery (CSRF) vulnerability in Abdul Ibad WP Tabs Slides plugin <= 2.0.3 versions. | 8.8 |
2023-05-22 | CVE-2023-22692 | Name Directory Project | Cross-Site Request Forgery (CSRF) vulnerability in Name Directory Project Name Directory Cross-Site Request Forgery (CSRF) vulnerability in Jeroen Peters Name Directory plugin <= 1.27.1 versions. | 8.8 |
2023-05-22 | CVE-2023-22709 | SRS Simple Hits Counter Project | Cross-Site Request Forgery (CSRF) vulnerability in SRS Simple Hits Counter Project SRS Simple Hits Counter Cross-Site Request Forgery (CSRF) vulnerability in Atif N SRS Simple Hits Counter plugin <= 1.1.0 versions. | 8.8 |
2023-05-22 | CVE-2023-22714 | Supsystic | Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Coming Soon Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Coming Soon by Supsystic plugin <= 1.7.10 versions. | 8.8 |
2023-05-22 | CVE-2023-23680 | WP Topbar Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Topbar Project WP Topbar 5.36 Cross-Site Request Forgery (CSRF) vulnerability in Bob Goetz WP-TopBar plugin <= 5.36 versions. | 8.8 |
2023-05-22 | CVE-2023-23712 | User Meta | Cross-Site Request Forgery (CSRF) vulnerability in User-Meta User Meta Manager Cross-Site Request Forgery (CSRF) vulnerability in User Meta Manager plugin <= 3.4.9 versions. | 8.8 |
2023-05-22 | CVE-2023-23813 | MY Calendar Project | Cross-Site Request Forgery (CSRF) vulnerability in MY Calendar Project MY Calendar Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My Calendar plugin <= 3.4.3 versions. | 8.8 |
2023-05-22 | CVE-2023-33235 | Moxa | Command Injection vulnerability in Moxa Mxsecurity 1.0 MXsecurity version 1.0 is vulnerable to command injection vulnerability. | 8.8 |
2023-05-22 | CVE-2023-2587 | Teltonika | Cross-site Scripting vulnerability in Teltonika Remote Management System Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface. | 8.3 |
2023-05-23 | CVE-2023-23693 | Dell | OS Command Injection vulnerability in Dell Vxrail Hyperconverged Infrastructure Dell VxRail, versions prior to 7.0.450, contains an OS command injection Vulnerability in DCManager command-line utility. | 8.2 |
2023-05-28 | CVE-2023-2950 | Open EMR | Improper Authorization vulnerability in Open-Emr Openemr Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1. | 8.1 |
2023-05-27 | CVE-2023-2946 | Open EMR | Improper Access Control vulnerability in Open-Emr Openemr Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1. | 8.1 |
2023-05-27 | CVE-2023-2942 | Open EMR | Improper Input Validation vulnerability in Open-Emr Openemr Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.1. | 8.1 |
2023-05-26 | CVE-2023-28382 | ET X | Path Traversal vulnerability in Et-X ESS REC Directory traversal vulnerability in ESS REC Agent Server Edition series allows an authenticated attacker to view or alter an arbitrary file on the server. | 8.1 |
2023-05-25 | CVE-2023-2885 | Cbot | Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Cbot Core and Cbot Panel Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in CBOT Chatbot allows Adversary in the Middle (AiTM). This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | 8.1 |
2023-05-24 | CVE-2023-33945 | Liferay | SQL Injection vulnerability in Liferay Digital Experience Platform and Liferay Portal SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. | 8.1 |
2023-05-24 | CVE-2023-1424 | Mitsubishielectric | Classic Buffer Overflow vulnerability in Mitsubishielectric products Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules and MELSEC iQ-R Series CPU modules allows a remote unauthenticated attacker to cause a denial of service (DoS) condition or execute malicious code on a target product by sending specially crafted packets. | 8.1 |
2023-05-23 | CVE-2023-2845 | Fit2Cloud | Unspecified vulnerability in Fit2Cloud Cloudexplorer Lite Improper Access Control in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. | 8.1 |
2023-05-22 | CVE-2022-47320 | Dataprobe | Unspecified vulnerability in Dataprobe products The iBoot device’s basic discovery protocol assists in initial device configuration. | 8.1 |
2023-05-23 | CVE-2023-30440 | IBM | Improper Input Validation vulnerability in IBM Powervm Hypervisor IBM PowerVM Hypervisor FW860.00 through FW860.B3, FW950.00 through FW950.70, FW1010.00 through FW1010.50, FW1020.00 through FW1020.30, and FW1030.00 through FW1030.10 could allow a local attacker with control of a partition that has been assigned an SRIOV virtual function (VF) to cause a denial of service to a peer partition or arbitrary data corruption. | 7.9 |
2023-05-28 | CVE-2023-31873 | GIN Project | Unspecified vulnerability in GIN Project GIN 0.7.4 Gin 0.7.4 allows execution of arbitrary code when a crafted file is opened, e.g., via require('child_process'). | 7.8 |
2023-05-27 | CVE-2023-26127 | N158 Project | Command Injection vulnerability in N158 Project N158 All versions of the package n158 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. | 7.8 |
2023-05-27 | CVE-2023-26128 | Keep Module Latest Project | Command Injection vulnerability in Keep-Module-Latest Project Keep-Module-Latest All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the installModule function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. | 7.8 |
2023-05-27 | CVE-2023-26129 | BWM NG Project | Command Injection vulnerability in Bwm-Ng Project Bwm-Ng All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. | 7.8 |
2023-05-26 | CVE-2023-22970 | Usebottles Fedoraproject | Bottles before 51.0 mishandles YAML load, which allows remote code execution via a crafted file. | 7.8 |
2023-05-25 | CVE-2023-0950 | Libreoffice Debian | Improper Validation of Array Index vulnerability in multiple products Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. | 7.8 |
2023-05-25 | CVE-2023-2480 | M Files | Missing Authorization vulnerability in M-Files Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications | 7.8 |
2023-05-25 | CVE-2023-27529 | Wacom | Link Following vulnerability in Wacom Tablet Driver Installer Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) contains an improper link resolution before file access vulnerability. | 7.8 |
2023-05-24 | CVE-2023-2873 | Filseclab | Out-of-bounds Write vulnerability in Filseclab Twister Antivirus 8.0/8.17 A vulnerability classified as critical was found in Twister Antivirus 8. | 7.8 |
2023-05-24 | CVE-2021-25749 | Kubernetes | Unspecified vulnerability in Kubernetes Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true. | 7.8 |
2023-05-24 | CVE-2023-1944 | Kubernetes | Use of Hard-coded Credentials vulnerability in Kubernetes Minikube This vulnerability enables ssh access to minikube container using a default password. | 7.8 |
2023-05-24 | CVE-2023-31748 | Wondershare | Incorrect Permission Assignment for Critical Resource vulnerability in Wondershare Mobiletrans 4.0.11 Insecure permissions in MobileTrans v4.0.11 allows attackers to escalate privileges to local admin via replacing the executable file. | 7.8 |
2023-05-24 | CVE-2022-0357 | Bitdefender | Unquoted Search Path or Element vulnerability in Bitdefender Antivirus Plus, Internet Security and Total Security Unquoted Search Path or Element vulnerability in the Vulnerability Scan component of Bitdefender Total Security, Bitdefender Internet Security, and Bitdefender Antivirus Plus allows an attacker to elevate privileges to SYSTEM. This issue affects: Bitdefender Total Security versions prior to 26.0.10.45. Bitdefender Internet Security versions prior to 26.0.10.45. Bitdefender Antivirus Plus versions prior to 26.0.10.45. | 7.8 |
2023-05-23 | CVE-2023-31747 | Wondershare | Unquoted Search Path or Element vulnerability in Wondershare Filmora 12 Wondershare Filmora 12 (Build 12.2.1.2088) was discovered to contain an unquoted service path vulnerability via the component NativePushService. | 7.8 |
2023-05-23 | CVE-2023-23694 | Dell | OS Command Injection vulnerability in Dell Vxrail Hyperconverged Infrastructure Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. | 7.8 |
2023-05-23 | CVE-2023-31826 | Skyscreamer | Missing Authorization vulnerability in Skyscreamer Nevado JMS 1.3.2 Skyscreamer Open Source Nevado JMS v1.3.2 does not perform security checks when receiving messages. | 7.8 |
2023-05-22 | CVE-2023-29838 | Allwaysync | Incorrect Default Permissions vulnerability in Allwaysync 19.0.3.0 Insecure Permission vulnerability found in Botkind/Siber Systems SyncApp v.19.0.3.0 allows a local attacker to escalate privileges via the SyncService.exe file. | 7.8 |
2023-05-22 | CVE-2023-25537 | Dell | Out-of-bounds Write vulnerability in Dell products Dell PowerEdge 14G server BIOS versions prior to 2.18.1 and Dell Precision BIOS versions prior to 2.18.2, contain an Out of Bounds write vulnerability. | 7.8 |
2023-05-24 | CVE-2023-33248 | Amazon | Unspecified vulnerability in Amazon Alexa 8960323972 Amazon Alexa software version 8960323972 on Echo Dot 2nd generation and 3rd generation devices potentially allows attackers to deliver security-relevant commands via an audio signal between 16 and 22 kHz (often outside the range of human adult hearing). | 7.6 |
2023-05-28 | CVE-2023-32763 | QT | Classic Buffer Overflow vulnerability in QT An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. | 7.5 |
2023-05-27 | CVE-2023-32695 | Socket | Improper Check for Unusual or Exceptional Conditions vulnerability in Socket Socket.Io-Parser socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. | 7.5 |
2023-05-27 | CVE-2023-32688 | Parseplatform | Improper Input Validation vulnerability in Parseplatform Parse Server Push Adapter parse-server-push-adapter is the official Push Notification adapter for Parse Server. | 7.5 |
2023-05-27 | CVE-2023-33192 | Tweedegolf | Unspecified vulnerability in Tweedegolf Ntpd-Rs ntpd-rs is an NTP implementation written in Rust. | 7.5 |
2023-05-26 | CVE-2023-32307 | Signalwire Debian | Heap-based Buffer Overflow vulnerability in multiple products Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. Referring to [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54), several other potential heap-overflow and integer-overflow issues in stun_parse_attr_error_code and stun_parse_attr_uint32 were found because of the lack of an attribute length check when Sofia-SIP handles STUN packets. | 7.5 |
2023-05-26 | CVE-2023-32315 | Igniterealtime | Path Traversal vulnerability in Igniterealtime Openfire Openfire is an XMPP server licensed under the Open Source Apache License. | 7.5 |
2023-05-26 | CVE-2023-28319 | Haxx Apple Netapp | Use After Free vulnerability in multiple products A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. | 7.5 |
2023-05-26 | CVE-2023-2825 | Gitlab | Path Traversal vulnerability in Gitlab 16.0.0 An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. | 7.5 |
2023-05-26 | CVE-2023-2879 | Wireshark Debian | Infinite Loop vulnerability in multiple products GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file | 7.5 |
2023-05-26 | CVE-2023-33247 | Talend | Unspecified vulnerability in Talend Data Catalog 7.320210930 Talend Data Catalog remote harvesting server before 8.0-20230413 contains a /upgrade endpoint that allows an unauthenticated WAR file to be deployed on the server. | 7.5 |
2023-05-26 | CVE-2021-46881 | Huawei | Classic Buffer Overflow vulnerability in Huawei Emui The video framework has memory overwriting caused by addition overflow. | 7.5 |
2023-05-26 | CVE-2021-46882 | Huawei | Classic Buffer Overflow vulnerability in Huawei Emui The video framework has memory overwriting caused by addition overflow. | 7.5 |
2023-05-26 | CVE-2021-46883 | Huawei | Classic Buffer Overflow vulnerability in Huawei Emui The video framework has memory overwriting caused by addition overflow. | 7.5 |
2023-05-26 | CVE-2021-46884 | Huawei | Classic Buffer Overflow vulnerability in Huawei Emui The video framework has memory overwriting caused by addition overflow. | 7.5 |
2023-05-26 | CVE-2021-46885 | Huawei | Classic Buffer Overflow vulnerability in Huawei Emui The video framework has memory overwriting caused by addition overflow. | 7.5 |
2023-05-26 | CVE-2021-46886 | Huawei | Classic Buffer Overflow vulnerability in Huawei Emui The video framework has memory overwriting caused by addition overflow. | 7.5 |
2023-05-26 | CVE-2022-48480 | Huawei | Integer Overflow or Wraparound vulnerability in Huawei Emui 10.1.0/10.1.1/11.0.0 Integer overflow vulnerability in some phones. | 7.5 |
2023-05-26 | CVE-2023-0116 | Huawei | Missing Authentication for Critical Function vulnerability in Huawei Emui 12.0/12.0.1/13.0.0 The reminder module lacks an authentication mechanism for broadcasts received. | 7.5 |
2023-05-26 | CVE-2023-20883 | Vmware | Resource Exhaustion vulnerability in VMWare Spring Boot In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. | 7.5 |
2023-05-26 | CVE-2023-31226 | Huawei | Incorrect Authorization vulnerability in Huawei Emui 13.0.0 The SDK for the MediaPlaybackController module has improper permission verification. | 7.5 |
2023-05-26 | CVE-2023-31227 | Huawei | Unspecified vulnerability in Huawei Emui 13.0.0 The hwPartsDFR module has a vulnerability in API calling verification. | 7.5 |
2023-05-25 | CVE-2023-32067 | C Ares Project Fedoraproject Debian | c-ares is an asynchronous resolver library. | 7.5 |
2023-05-25 | CVE-2023-2900 | Nfine Rapid Development Platform Project | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Nfine Rapid Development Platform Project Nfine Rapid Development Platform 20230511 A vulnerability was found in NFine Rapid Development Platform 20230511. | 7.5 |
2023-05-25 | CVE-2023-33263 | Wftpd Project | Insufficiently Protected Credentials vulnerability in Wftpd Project Wftpd 3.25 In WFTPD 3.25, usernames and password hashes are stored in an openly viewable wftpd.ini configuration file within the WFTPD directory. | 7.5 |
2023-05-25 | CVE-2023-2798 | Htmlunit | Out-of-bounds Write vulnerability in Htmlunit Those using HtmlUnit to browse untrusted webpages may be vulnerable to Denial of service attacks (DoS). | 7.5 |
2023-05-25 | CVE-2023-33355 | Thecosy | Unspecified vulnerability in Thecosy Icecms 1.0.0 IceCMS v1.0.0 has Insecure Permissions. | 7.5 |
2023-05-25 | CVE-2023-31861 | Zlmediakit | Path Traversal vulnerability in Zlmediakit 4.0 ZLMediaKit 4.0 is vulnerable to Directory Traversal. | 7.5 |
2023-05-25 | CVE-2023-31594 | IC | Missing Authentication for Critical Function vulnerability in IC Realtime Icip-P2012T Firmware 2.420 IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control via an exposed HTTP channel using VLC network. | 7.5 |
2023-05-24 | CVE-2023-31595 | IC | Unspecified vulnerability in IC Realtime Icip-P2012T Firmware 2.420 IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control via unauthenticated port access. | 7.5 |
2023-05-24 | CVE-2023-33980 | Briarproject | Resource Exhaustion vulnerability in Briarproject Briar Bramble Synchronisation Protocol (BSP) in Briar before 1.4.22 allows attackers to cause a denial of service (repeated application crashes) via a series of long messages to a contact. | 7.5 |
2023-05-24 | CVE-2023-33949 | Liferay | Insecure Default Initialization of Resource vulnerability in Liferay Digital Experience Platform and Liferay Portal In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. | 7.5 |
2023-05-24 | CVE-2023-33950 | Liferay | Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs. | 7.5 |
2023-05-24 | CVE-2023-33948 | Liferay | Missing Authorization vulnerability in Liferay Digital Experience Platform and Liferay Portal The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL. | 7.5 |
2023-05-24 | CVE-2023-2496 | Granthweb | Unspecified vulnerability in Granthweb GO Pricing The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized arbitrary file uploads due to an improper capability check on the 'validate_upload' function in versions up to, and including, 3.3.19. | 7.5 |
2023-05-24 | CVE-2023-31759 | Keruistore | Authentication Bypass by Capture-replay vulnerability in Keruistore Kerui W18 Firmware 1.0 Weak Security in the 433MHz keyfob of Kerui W18 Alarm System v1.0 allows attackers to gain full access via a code replay attack. | 7.5 |
2023-05-24 | CVE-2023-31761 | Blitzwolf | Authentication Bypass by Capture-replay vulnerability in Blitzwolf Bw-Is22 Firmware 1.0 Weak security in the transmitter of Blitzwolf BW-IS22 Smart Home Security Alarm v1.0 allows attackers to gain full access to the system via a code replay attack. | 7.5 |
2023-05-24 | CVE-2023-31762 | Mydigoo | Authentication Bypass by Capture-replay vulnerability in Mydigoo Dg-Hamb Firmware 1.0 Weak security in the transmitter of Digoo DG-HAMB Smart Home Security System v1.0 allows attackers to gain full access to the system via a code replay attack. | 7.5 |
2023-05-24 | CVE-2023-31763 | Agshome Smart Alarm Project | Authentication Bypass by Capture-replay vulnerability in Agshome Smart Alarm Project Agshome Smart Alarm Firmware 1.0 Weak security in the transmitter of AGShome Smart Alarm v1.0 allows attackers to gain full access to the system via a code replay attack. | 7.5 |
2023-05-23 | CVE-2023-31726 | Alist Project | Unspecified vulnerability in Alist Project Alist 3.15.1 AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information. | 7.5 |
2023-05-23 | CVE-2023-23299 | Garmin | Unspecified vulnerability in Garmin Connect-Iq The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely. | 7.5 |
2023-05-23 | CVE-2023-2703 | Finexmedia | Privacy Violation vulnerability in Finexmedia Competition Management System Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Finex Media Competition Management System allows Retrieve Embedded Sensitive Data, Collect Data as Provided by Users. This issue affects Competition Management System: before 23.07. | 7.5 |
2023-05-23 | CVE-2023-31517 | Teeworlds | Memory Leak vulnerability in Teeworlds 0.7.5 A memory leak in the component CConsole::Chain of Teeworlds v0.7.5 allows attackers to cause a Denial of Service (DoS) via opening a crafted file. | 7.5 |
2023-05-23 | CVE-2023-31670 | Webassembly | Unspecified vulnerability in Webassembly Binary Toolkit 1.0.32 An issue in wasm2c 1.0.32, wasm2wat 1.0.32, wasm-decompile 1.0.32, and wasm-validate 1.0.32 allows attackers to cause a Denial of Service (DoS) via running a crafted binary. | 7.5 |
2023-05-22 | CVE-2023-28649 | Snapone | Improper Input Validation vulnerability in Snapone Orvc The Hub in the Snap One OvrC cloud platform is a device used to centralize and manage nested devices connected to it. | 7.5 |
2023-05-22 | CVE-2023-31193 | Snapone | Cleartext Transmission of Sensitive Information vulnerability in Snapone Orvc Snap One OvrC Pro versions prior to 7.3 use HTTP connections when downloading a program from their servers. | 7.5 |
2023-05-22 | CVE-2023-27067 | Sitecore | Path Traversal vulnerability in Sitecore Experience Platform Directory Traversal vulnerability in Sitecore Experience Platform through 10.2 allows remote attackers to download arbitrary files via crafted command to download.aspx | 7.5 |
2023-05-22 | CVE-2023-2839 | Gpac | Divide By Zero vulnerability in Gpac Divide By Zero in GitHub repository gpac/gpac prior to 2.2.2. | 7.5 |
2023-05-22 | CVE-2023-31064 | Apache | Files or Directories Accessible to External Parties vulnerability in Apache Inlong Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. | 7.5 |
2023-05-22 | CVE-2023-31103 | Apache | Exposure of Resource to Wrong Sphere vulnerability in Apache Inlong 1.4.0/1.5.0/1.6.0 Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of cluster of InLong. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7891 to solve it. | 7.5 |
2023-05-22 | CVE-2023-31206 | Apache | Exposure of Resource to Wrong Sphere vulnerability in Apache Inlong 1.4.0/1.5.0/1.6.0 Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of nodes of InLong. | 7.5 |
2023-05-22 | CVE-2023-31453 | Apache | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Inlong Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. | 7.5 |
2023-05-22 | CVE-2023-31454 | Apache | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Inlong Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can bind any cluster, even if he is not the cluster owner. | 7.5 |
2023-05-22 | CVE-2023-31058 | Apache | Deserialization of Untrusted Data vulnerability in Apache Inlong 1.4.0/1.5.0/1.6.0 Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. | 7.5 |
2023-05-22 | CVE-2023-28709 | Apache Debian Netapp | Off-by-one Error vulnerability in multiple products The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. | 7.5 |
2023-05-22 | CVE-2023-33297 | Bitcoin | Resource Exhaustion vulnerability in Bitcoin Core Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (e.g., CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023. | 7.5 |
2023-05-28 | CVE-2023-33291 | Ebankit | Incorrect Default Permissions vulnerability in Ebankit 6 In ebankIT 6, the public endpoints /public/token/Email/generate and /public/token/SMS/generate allow generation of OTP messages to any e-mail address or phone number without validation. | 7.4 |
2023-05-24 | CVE-2023-25599 | Mitel | Cross-site Scripting vulnerability in Mitel Mivoice Connect 19.1/19.3 A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2, 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the test_presenter.php page. | 7.4 |
2023-05-24 | CVE-2023-33983 | Briarproject | Missing Authorization vulnerability in Briarproject Briar The Introduction Client in Briar through 1.5.3 does not implement out-of-band verification for the public keys of introducees. | 7.4 |
2023-05-23 | CVE-2023-30382 | Valvesoftware | Out-of-bounds Write vulnerability in Valvesoftware Half-Life A buffer overflow in the component hl.exe of Valve Half-Life up to 5433873 allows attackers to execute arbitrary code and escalate privileges by supplying crafted parameters. | 7.3 |
2023-05-26 | CVE-2023-32317 | Autolabproject | Path Traversal vulnerability in Autolabproject Autolab Autolab is a course management service that enables auto-graded programming assignments. | 7.2 |
2023-05-26 | CVE-2023-32676 | Autolabproject | Path Traversal vulnerability in Autolabproject Autolab Autolab is a course management service that enables auto-graded programming assignments. | 7.2 |
2023-05-26 | CVE-2023-33439 | Faculty Evaluation System Project | SQL Injection vulnerability in Faculty Evaluation System Project Faculty Evaluation System 1.0 Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=. | 7.2 |
2023-05-26 | CVE-2023-33440 | Faculty Evaluation System Project | Unspecified vulnerability in Faculty Evaluation System Project Faculty Evaluation System 1.0 Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user. | 7.2 |
2023-05-25 | CVE-2023-26216 | Tibco | Path Traversal vulnerability in Tibco EBX Add-Ons The server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an exploitable vulnerability that allows an attacker to upload files to a directory accessible by the web server. | 7.2 |
2023-05-24 | CVE-2023-31460 | Mitel | Command Injection vulnerability in Mitel Mivoice Connect A vulnerability in the Connect Mobility Router component of MiVoice Connect versions 9.6.2208.101 and earlier could allow an authenticated attacker with internal network access to conduct a command injection attack due to insufficient restriction on URL parameters. | 7.2 |
2023-05-23 | CVE-2023-33617 | Eparks | OS Command Injection vulnerability in Eparks Fiberlink 210 Firmware 2.1.14X000 An OS Command Injection vulnerability in Parks Fiberlink 210 firmware version V2.1.14_X000 was found via the /boaform/admin/formPing target_addr parameter. | 7.2 |
2023-05-23 | CVE-2023-27512 | Contec | Use of Hard-coded Credentials vulnerability in Contec Sv-Cpt-Mc310 Firmware and Sv-Cpt-Mc310F Firmware Use of hard-coded credentials exists in SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10, and SV-CPT-MC310F versions prior to Ver.8.10, which may allow a remote authenticated attacker to log in to the affected product with administrative privilege and perform an unintended operation. | 7.2 |
2023-05-23 | CVE-2023-28392 | Inaba | OS Command Injection vulnerability in Inaba products Wi-Fi AP UNIT AC-PD-WAPU v1.05_B04 and earlier, AC-PD-WAPUM v1.05_B04 and earlier, AC-PD-WAPU-P v1.05_B04P and earlier, AC-PD-WAPUM-P v1.05_B04P and earlier, AC-WAPU-300 v1.00_B07 and earlier, AC-WAPU-300-P v1.00_B08P and earlier, AC-WAPUM-300 v1.00_B07 and earlier, and AC-WAPUM-300-P v1.00_B08P and earlier allow an authenticated user with an administrative privilege to execute an arbitrary OS command. | 7.2 |
2023-05-23 | CVE-2023-31740 | Linksys | Command Injection vulnerability in Linksys E2000 Firmware 1.0.06 There is a command injection vulnerability in the Linksys E2000 router with firmware version 1.0.06. | 7.2 |
2023-05-23 | CVE-2023-31741 | Linksys | Command Injection vulnerability in Linksys E2000 Firmware 1.0.06 There is a command injection vulnerability in the Linksys E2000 router with firmware version 1.0.06. | 7.2 |
2023-05-22 | CVE-2023-25183 | Snapone | Unspecified vulnerability in Snapone Orvc In Snap One OvrC Pro versions prior to 7.2, when logged into the superuser account, a new functionality appears that could allow users to execute arbitrary commands on the hub device. | 7.2 |
2023-05-22 | CVE-2023-31742 | Linksys | Command Injection vulnerability in Linksys Wrt54Gl Firmware 4.30.18.006 There is a command injection vulnerability in the Linksys WRT54GL router with firmware version 4.30.18.006. | 7.2 |
2023-05-22 | CVE-2023-2832 | Bumsys Project | SQL Injection vulnerability in Bumsys Project Bumsys SQL Injection in GitHub repository unilogies/bumsys prior to 2.2.0. | 7.2 |
2023-05-24 | CVE-2022-41221 | Opentext | XXE vulnerability in Opentext Archive Center Administration The client in OpenText Archive Center Administration through 21.2 allows XXE attacks. | 7.1 |
174 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-05-26 | CVE-2023-2002 | Linux Debian | Incorrect Authorization vulnerability in multiple products A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. | 6.8 |
2023-05-23 | CVE-2023-28390 | Icom | Unspecified vulnerability in Icom Sr-7100Vn#31 Firmware and Sr-7100Vn Firmware Privilege escalation vulnerability in SR-7100VN firmware Ver.1.38(N) and earlier and SR-7100VN #31 firmware Ver.1.21 and earlier allows a network-adjacent attacker with administrative privilege of the affected product to obtain an administrative privilege of the OS (Operating System). | 6.8 |
2023-05-26 | CVE-2023-32318 | Nextcloud | Insufficient Session Expiration vulnerability in Nextcloud Server Nextcloud server provides a home for data. | 6.7 |
2023-05-27 | CVE-2023-2926 | Seacms | Unspecified vulnerability in Seacms 11.6 A vulnerability was found in SeaCMS 11.6 and classified as problematic. | 6.5 |
2023-05-26 | CVE-2023-32319 | Nextcloud | Improper Restriction of Excessive Authentication Attempts vulnerability in Nextcloud Server Nextcloud server is an open source personal cloud implementation. | 6.5 |
2023-05-26 | CVE-2023-2854 | Wireshark Debian | Out-of-bounds Write vulnerability in multiple products BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file | 6.5 |
2023-05-26 | CVE-2023-2855 | Wireshark Debian | Out-of-bounds Write vulnerability in multiple products Candump log parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file | 6.5 |
2023-05-26 | CVE-2023-2856 | Wireshark Debian | Out-of-bounds Write vulnerability in multiple products VMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file | 6.5 |
2023-05-26 | CVE-2023-2857 | Wireshark Debian | Out-of-bounds Write vulnerability in multiple products BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file | 6.5 |
2023-05-26 | CVE-2023-2858 | Wireshark Debian | Out-of-bounds Write vulnerability in multiple products NetScaler file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file | 6.5 |
2023-05-26 | CVE-2023-33187 | Highlight | Cleartext Transmission of Sensitive Information vulnerability in Highlight Highlight is an open source, full-stack monitoring platform. | 6.5 |
2023-05-26 | CVE-2023-1664 | Redhat | Improper Certificate Validation vulnerability in Redhat products A flaw was found in Keycloak. | 6.5 |
2023-05-26 | CVE-2023-1667 | Libssh Fedoraproject Debian Redhat | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference was found in libssh during re-keying with algorithm guessing. | 6.5 |
2023-05-26 | CVE-2023-2283 | Libssh Fedoraproject Redhat | Improper Authentication vulnerability in multiple products A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the `pki_verify_data_signature` function in case of memory allocation problems. | 6.5 |
2023-05-26 | CVE-2023-33720 | Mp4V2 Project | Resource Exhaustion vulnerability in Mp4V2 Project Mp4V2 2.1.2 mp4v2 v2.1.2 was discovered to contain a memory leak via the class MP4BytesProperty. | 6.5 |
2023-05-26 | CVE-2022-46945 | Nagvis | Path Traversal vulnerability in Nagvis Nagvis before 1.9.34 was discovered to contain an arbitrary file read vulnerability via the component /core/classes/NagVisHoverUrl.php. | 6.5 |
2023-05-26 | CVE-2022-39374 | Matrix | Resource Exhaustion vulnerability in Matrix Synapse 1.62.0 Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. | 6.5 |
2023-05-25 | CVE-2023-2903 | Nfine | Improper Access Control vulnerability in Nfine Rapid Development Platform 20230511 A vulnerability classified as problematic has been found in NFine Rapid Development Platform 20230511. | 6.5 |
2023-05-25 | CVE-2023-2804 | Libjpeg Turbo | Out-of-bounds Write vulnerability in Libjpeg-Turbo 2.1.90 A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file. | 6.5 |
2023-05-25 | CVE-2023-2901 | Nfine Rapid Development Platform Project | Unspecified vulnerability in Nfine Rapid Development Platform Project Nfine Rapid Development Platform 20230511 A vulnerability was found in NFine Rapid Development Platform 20230511. | 6.5 |
2023-05-25 | CVE-2023-2902 | Nfine Rapid Development Platform Project | Unspecified vulnerability in Nfine Rapid Development Platform Project Nfine Rapid Development Platform 20230511 A vulnerability was found in NFine Rapid Development Platform 20230511. | 6.5 |
2023-05-25 | CVE-2023-31147 | C Ares Project Fedoraproject | Use of Insufficiently Random Values vulnerability in multiple products c-ares is an asynchronous resolver library. | 6.5 |
2023-05-25 | CVE-2023-26215 | Tibco | Path Traversal vulnerability in Tibco EBX Add-Ons The server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that allows an attacker with low-privileged application access to read system files that are accessible to the web server. | 6.5 |
2023-05-25 | CVE-2023-22504 | Atlassian | Unrestricted Upload of File with Dangerous Type vulnerability in Atlassian Confluence Server Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature. | 6.5 |
2023-05-24 | CVE-2022-30025 | Credenceanalytics | SQL Injection vulnerability in Credenceanalytics Ideal - Wealth and Funds 1.0 SQL injection in the "/Framewrk/Home.jsp" file (POST method) in Credence Analytics iDEAL Wealth and Funds 1.0 allows authenticated remote attackers to inject a payload via the "v" parameter. | 6.5 |
2023-05-24 | CVE-2023-33981 | Briarproject | Improper Validation of Integrity Check Value vulnerability in Briarproject Briar Briar before 1.4.22 allows attackers to spoof other users' messages in a blog, forum, or private group, but each spoofed message would need to be an exact duplicate of a legitimate message displayed alongside the spoofed one. | 6.5 |
2023-05-24 | CVE-2021-25748 | Kubernetes | Unspecified vulnerability in Kubernetes Ingress-Nginx A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. | 6.5 |
2023-05-23 | CVE-2023-26595 | Cybozu | Resource Exhaustion vulnerability in Cybozu Garoon Denial-of-service (DoS) vulnerability in Message of Cybozu Garoon 4.10.0 to 5.9.2 allows a remote authenticated attacker to cause a denial of service condition. | 6.5 |
2023-05-23 | CVE-2023-27921 | Jins | Use of Hard-coded Credentials vulnerability in Jins Meme Firmware JINS MEME CORE Firmware version 2.2.0 and earlier uses a hard-coded cryptographic key, which may lead to data acquired by a sensor of the affected product being decrypted by a network-adjacent attacker. | 6.5 |
2023-05-22 | CVE-2022-4945 | Dataprobe | Unspecified vulnerability in Dataprobe products The Dataprobe cloud usernames and passwords are stored in plain text in a specific file. | 6.5 |
2023-05-22 | CVE-2023-27066 | Sitecore | Path Traversal vulnerability in Sitecore Experience Platform Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle. | 6.5 |
2023-05-22 | CVE-2023-31101 | Apache | Insecure Default Initialization of Resource vulnerability in Apache Inlong 1.5.0/1.6.0 Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.5.0 through 1.6.0. | 6.5 |
2023-05-22 | CVE-2023-33281 | Nissan | Authentication Bypass by Capture-replay vulnerability in Nissan Sylphy Classic 2021 Firmware The remote keyfob system on Nissan Sylphy Classic 2021 sends the same RF signal for each door-open request, which allows for a replay attack. | 6.5 |
2023-05-25 | CVE-2023-31130 | C Ares Project Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products c-ares is an asynchronous resolver library. | 6.4 |
2023-05-28 | CVE-2023-32800 | Rankmath | Cross-site Scripting vulnerability in Rankmath SEO PRO Unauth. | 6.1 |
2023-05-28 | CVE-2023-33319 | Woocommerce | Cross-site Scripting vulnerability in Woocommerce Automatewoo Unauth. | 6.1 |
2023-05-28 | CVE-2023-33332 | Woocommerce Product Vendors Project | Cross-site Scripting vulnerability in Woocommerce Product Vendors Project Woocommerce Product Vendors Unauth. | 6.1 |
2023-05-28 | CVE-2023-33309 | Awesomemotive | Cross-site Scripting vulnerability in Awesomemotive Duplicator Unauth. | 6.1 |
2023-05-28 | CVE-2023-33326 | Metagauss | Cross-site Scripting vulnerability in Metagauss Eventprime Unauth. | 6.1 |
2023-05-28 | CVE-2023-2948 | Open EMR | Cross-site Scripting vulnerability in Open-Emr Openemr Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1. | 6.1 |
2023-05-28 | CVE-2023-2949 | Open EMR | Cross-site Scripting vulnerability in Open-Emr Openemr Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.1. | 6.1 |
2023-05-27 | CVE-2023-2922 | Comment System Project | Cross-site Scripting vulnerability in Comment System Project Comment System 1.0 A vulnerability classified as problematic has been found in SourceCodester Comment System 1.0. | 6.1 |
2023-05-27 | CVE-2023-33195 | Craftcms | Cross-site Scripting vulnerability in Craftcms Craft CMS Craft is a CMS for creating custom digital experiences on the web. | 6.1 |
2023-05-27 | CVE-2023-32325 | Posthog | Cross-site Scripting vulnerability in Posthog Posthog-Js PostHog-js is a library to interface with the PostHog analytics tool. | 6.1 |
2023-05-26 | CVE-2023-33255 | Uthscsa | Cross-site Scripting vulnerability in Uthscsa Papaya Viewer 1.0 An issue was discovered in Papaya Viewer 1.0.1449. | 6.1 |
2023-05-26 | CVE-2023-20868 | Vmware | Cross-site Scripting vulnerability in VMWare Nsx-T Data Center NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. | 6.1 |
2023-05-26 | CVE-2023-32681 | Python Fedoraproject | Information Exposure vulnerability in multiple products Requests is a HTTP library. | 6.1 |
2023-05-26 | CVE-2023-29098 | Artistscope | Cross-site Scripting vulnerability in Artistscope Copysafe web Protection Unauth. | 6.1 |
2023-05-25 | CVE-2023-25439 | Squarepiginteractive | Cross-site Scripting vulnerability in Squarepiginteractive Fusioninvoice 20231.0 Stored Cross Site Scripting (XSS) vulnerability in Square Pig FusionInvoice 2023-1.0, allows attackers to execute arbitrary code via the description or content fields to the expenses, tasks, and customer details. | 6.1 |
2023-05-25 | CVE-2022-45366 | WP Slimstat | Cross-site Scripting vulnerability in Wp-Slimstat Slimstat Analytics Unauth. | 6.1 |
2023-05-25 | CVE-2023-28370 | Tornadoweb | Open Redirect vulnerability in Tornadoweb Tornado Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL. | 6.1 |
2023-05-25 | CVE-2022-46907 | Apache | Cross-site Scripting vulnerability in Apache Jspwiki A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. | 6.1 |
2023-05-24 | CVE-2023-25598 | Mitel | Cross-site Scripting vulnerability in Mitel Mivoice Connect A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2 and 20.x, 21.x, and 22.x through 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the home.php page. | 6.1 |
2023-05-24 | CVE-2023-33944 | Liferay | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field. | 6.1 |
2023-05-24 | CVE-2023-33941 | Liferay | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter. | 6.1 |
2023-05-24 | CVE-2023-33938 | Liferay | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field. | 6.1 |
2023-05-24 | CVE-2023-2864 | Online Jewelry Store Project | Cross-site Scripting vulnerability in Online Jewelry Store Project Online Jewelry Store 1.0 A vulnerability was found in SourceCodester Online Jewelry Store 1.0 and classified as problematic. | 6.1 |
2023-05-24 | CVE-2023-2862 | Sscms | Cross-site Scripting vulnerability in Sscms Siteserver CMS A vulnerability, which was classified as problematic, was found in SiteServer CMS up to 7.2.1. | 6.1 |
2023-05-23 | CVE-2023-33599 | Easyimages2 0 Project | Cross-site Scripting vulnerability in Easyimages2.0 Project Easyimages2.0 EasyImages2.0 <= 2.8.1 is vulnerable to Cross Site Scripting (XSS) via viewlog.php. | 6.1 |
2023-05-23 | CVE-2023-27922 | Thenewsletterplugin | Cross-site Scripting vulnerability in Thenewsletterplugin Newsletter Cross-site scripting vulnerability in Newsletter versions prior to 7.6.9 allows a remote unauthenticated attacker to inject an arbitrary script. | 6.1 |
2023-05-23 | CVE-2023-30469 | Hitachi | Cross-site Scripting vulnerability in Hitachi OPS Center Analyzer 10.9.100 Cross-site Scripting vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component) allows Reflected XSS. This issue affects Hitachi Ops Center Analyzer: from 10.9.1-00 before 10.9.2-00. | 6.1 |
2023-05-23 | CVE-2023-31664 | Wso2 | Cross-site Scripting vulnerability in Wso2 API Manager A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter. | 6.1 |
2023-05-22 | CVE-2023-31816 | Content Management System Project | Cross-site Scripting vulnerability in Content Management System Project Content Management System 1.0 IT Sourcecode Content Management System Project In PHP and MySQL With Source Code 1.0.0 is vulnerable to Cross Site Scripting (XSS) via /ecodesource/search_list.php. | 6.1 |
2023-05-22 | CVE-2023-31245 | Snapone | Open Redirect vulnerability in Snapone Orvc Devices using Snap One OvrC cloud are sent to a web address when accessing a web management interface using a HTTP connection. | 6.1 |
2023-05-22 | CVE-2023-28467 | Mybb | Cross-site Scripting vulnerability in Mybb In MyBB before 1.8.34, there is XSS in the User CP module via the user email field. | 6.1 |
2023-05-22 | CVE-2023-31584 | Silicon Project | Cross-site Scripting vulnerability in Silicon Project Silicon GitHub repository cu/silicon commit a9ef36 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the User Input field. | 6.1 |
2023-05-26 | CVE-2023-28320 | Haxx Apple Netapp | Resource Exhaustion vulnerability in multiple products A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. | 5.9 |
2023-05-26 | CVE-2023-28321 | Haxx Debian Fedoraproject Netapp Apple | Improper Certificate Validation vulnerability in multiple products An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. | 5.9 |
2023-05-26 | CVE-2023-20882 | Cloudfoundry | Unspecified vulnerability in Cloudfoundry Cf-Deployment and Routing Release In Cloud Foundry routing release versions from 0.262.0 and prior to 0.266.0, a bug in the gorouter process can lead to a denial of service of applications hosted on Cloud Foundry. | 5.9 |
2023-05-24 | CVE-2023-33982 | Briarproject | Inadequate Encryption Strength vulnerability in Briarproject Briar Bramble Handshake Protocol (BHP) in Briar before 1.5.3 is not forward secure: eavesdroppers can decrypt network traffic between two accounts if they later compromise both accounts. | 5.9 |
2023-05-22 | CVE-2023-32348 | Teltonika | Server-Side Request Forgery (SSRF) vulnerability in Teltonika Remote Management System Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. | 5.8 |
2023-05-27 | CVE-2023-33188 | Omninotes | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Omninotes Omni Notes Omni-notes is an open source note-taking application for Android. | 5.5 |
2023-05-26 | CVE-2023-1981 | Avahi Fedoraproject Redhat | Resource Exhaustion vulnerability in multiple products A vulnerability was found in the avahi library. | 5.5 |
2023-05-25 | CVE-2023-0459 | Linux | Release of Invalid Pointer or Reference vulnerability in Linux Kernel Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). | 5.5 |
2023-05-24 | CVE-2023-2874 | Filseclab | Unspecified vulnerability in Filseclab Twister Antivirus 8.0/8.17 A vulnerability, which was classified as problematic, has been found in Twister Antivirus 8. | 5.5 |
2023-05-24 | CVE-2023-2875 | Escanav | NULL Pointer Dereference vulnerability in Escanav Escan Anti-Virus 22.0.1400.2443 A vulnerability, which was classified as problematic, was found in eScan Antivirus 22.0.1400.2443. | 5.5 |
2023-05-24 | CVE-2023-2870 | Entechtaiwan | Improper Resource Shutdown or Release vulnerability in Entechtaiwan Monitor Asset Manager 2.9 A vulnerability was found in EnTech Monitor Asset Manager 2.9. | 5.5 |
2023-05-24 | CVE-2023-2871 | Fabulatech | NULL Pointer Dereference vulnerability in Fabulatech USB for Remote Desktop 6.1.0.0 A vulnerability was found in FabulaTech USB for Remote Desktop 6.1.0.0. | 5.5 |
2023-05-24 | CVE-2023-2872 | Electronic | NULL Pointer Dereference vulnerability in Electronic Flexihub 5.5.14691.0 A vulnerability classified as problematic has been found in FlexiHub 5.5.14691.0. | 5.5 |
2023-05-24 | CVE-2023-2863 | Simpledesign | Cleartext Storage of Sensitive Information vulnerability in Simpledesign Diary With Lock: Daily Journal 1.012.Gp.B A vulnerability has been found in Simple Design Daily Journal 1.012.GP.B on Android and classified as problematic. | 5.5 |
2023-05-23 | CVE-2023-31518 | Teeworlds | Use After Free vulnerability in Teeworlds 0.7.5 A heap use-after-free in the component CDataFileReader::GetItem of teeworlds v0.7.5 allows attackers to cause a Denial of Service (DoS) via a crafted map file. | 5.5 |
2023-05-23 | CVE-2023-31669 | Webassembly | Improper Encoding or Escaping of Output vulnerability in Webassembly Binary Toolkit 1.0.32 WebAssembly wat2wasm v1.0.32 allows attackers to cause a libc++abi.dylib crash by putting '@' before a quote ("). | 5.5 |
2023-05-22 | CVE-2023-2837 | Gpac | Stack-based Buffer Overflow vulnerability in Gpac Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.2.2. | 5.5 |
2023-05-22 | CVE-2022-0010 | ABB | Information Exposure Through Log Files vulnerability in ABB products Insertion of Sensitive Information into Log File vulnerability in ABB QCS 800xA, ABB QCS AC450, ABB Platform Engineering Tools. An attacker, who already has local access to the QCS nodes, could successfully obtain the password for a system user account. | 5.5 |
2023-05-28 | CVE-2023-28785 | Yoast | Cross-site Scripting vulnerability in Yoast SEO Auth. | 5.4 |
2023-05-28 | CVE-2023-33311 | Crmperks | Cross-site Scripting vulnerability in Crmperks Contact Form Entries - Contact Form 7 Wpforms and More Auth. | 5.4 |
2023-05-27 | CVE-2023-2944 | Open EMR | Improper Access Control vulnerability in Open-Emr Openemr Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1. | 5.4 |
2023-05-27 | CVE-2023-2945 | Open EMR | Missing Authorization vulnerability in Open-Emr Openemr Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1. | 5.4 |
2023-05-27 | CVE-2023-2925 | Webkul | Cross-site Scripting vulnerability in Webkul Krayin CRM 1.2.4 A vulnerability, which was classified as problematic, was found in Webkul krayin crm 1.2.4. | 5.4 |
2023-05-27 | CVE-2023-32686 | Kiwitcms | Cross-site Scripting vulnerability in Kiwitcms Kiwi Tcms Kiwi TCMS is an open source test management system for both manual and automated testing. | 5.4 |
2023-05-26 | CVE-2023-33185 | Django SES Project | Improper Verification of Cryptographic Signature vulnerability in Django-Ses Project Django-Ses Django-SES is a drop-in mail backend for Django. | 5.4 |
2023-05-26 | CVE-2023-33196 | Craftcms | Cross-site Scripting vulnerability in Craftcms Craft CMS Craft is a CMS for creating custom digital experiences. | 5.4 |
2023-05-26 | CVE-2023-33197 | Craftcms | Cross-site Scripting vulnerability in Craftcms Craft CMS Craft is a CMS for creating custom digital experiences on the web. | 5.4 |
2023-05-26 | CVE-2023-2817 | Craftcms | Cross-site Scripting vulnerability in Craftcms Craft CMS A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. | 5.4 |
2023-05-26 | CVE-2023-33780 | Invernyx | Cross-site Scripting vulnerability in Invernyx Smartcars 3 0.5.8/0.5.9 A stored cross-site scripting (XSS) vulnerability in TFDi Design smartCARS 3 v0.7.0 and below allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the body of news article. | 5.4 |
2023-05-26 | CVE-2023-33394 | Skycaiji | Cross-site Scripting vulnerability in Skycaiji 2.5.4 skycaiji v2.5.4 is vulnerable to Cross Site Scripting (XSS). | 5.4 |
2023-05-25 | CVE-2023-30615 | Dfir Iris | Cross-site Scripting vulnerability in Dfir-Iris Iris Iris is a web collaborative platform aiming to help incident responders share technical details during investigations. | 5.4 |
2023-05-25 | CVE-2023-33750 | Mipjz Project | Cross-site Scripting vulnerability in Mipjz Project Mipjz 5.0.5 A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description parameter at /index.php?s=/article/ApiAdminArticle/itemAdd. | 5.4 |
2023-05-25 | CVE-2023-33751 | Mipjz Project | Cross-site Scripting vulnerability in Mipjz Project Mipjz 5.0.5 A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at /app/tag/controller/ApiAdminTagCategory.php. | 5.4 |
2023-05-25 | CVE-2023-32694 | Saleor | Information Exposure Through Discrepancy vulnerability in Saleor Saleor Core is a composable, headless commerce API. | 5.4 |
2023-05-25 | CVE-2023-33356 | Thecosy | Cross-site Scripting vulnerability in Thecosy Icecms 1.0.0 IceCMS v1.0.0 is vulnerable to Cross Site Scripting (XSS). | 5.4 |
2023-05-24 | CVE-2023-33829 | Cloudogu | Cross-site Scripting vulnerability in Cloudogu SCM Manager A stored cross-site scripting (XSS) vulnerability in Cloudogu GmbH SCM Manager v1.2 to v1.60 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description text field. | 5.4 |
2023-05-24 | CVE-2022-42225 | Fit2Cloud | Cross-site Scripting vulnerability in Fit2Cloud Lina Jumpserver 2.10.0 <= version <= 2.26.0 contains multiple stored XSS vulnerabilities because of improper filtering of user input, which can execute arbitrary JavaScript under the admin's permissions. | 5.4 |
2023-05-24 | CVE-2023-33785 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Rack Roles (/dcim/rack-roles/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33786 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Circuit Types (/circuits/circuit-types/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33787 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Tenant Groups (/tenancy/tenant-groups/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33788 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Providers (/circuits/providers/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33789 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Contact Groups (/tenancy/contact-groups/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33790 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Locations (/dcim/locations/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33791 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Provider Accounts (/circuits/provider-accounts/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33792 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Site Groups (/dcim/site-groups/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33793 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Power Panels (/dcim/power-panels/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33794 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Tenants (/tenancy/tenants/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33795 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Contact Roles (/tenancy/contact-roles/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33797 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Sites (/dcim/sites/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33798 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Rack (/dcim/rack/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33799 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Contacts (/tenancy/contacts/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33800 | Netbox | Cross-site Scripting vulnerability in Netbox 3.5.1 A stored cross-site scripting (XSS) vulnerability in the Create Regions (/dcim/regions/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | 5.4 |
2023-05-24 | CVE-2023-33942 | Liferay | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's `Title` field. | 5.4 |
2023-05-24 | CVE-2023-33943 | Liferay | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field. | 5.4 |
2023-05-24 | CVE-2023-33939 | Liferay | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label. | 5.4 |
2023-05-24 | CVE-2023-33940 | Liferay | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL. | 5.4 |
2023-05-24 | CVE-2023-33937 | Liferay | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field. | 5.4 |
2023-05-24 | CVE-2023-2498 | Granthweb | Cross-site Scripting vulnerability in Granthweb GO Pricing The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.19 due to insufficient input sanitization and output escaping. | 5.4 |
2023-05-23 | CVE-2023-31860 | Wuzhicms | Cross-site Scripting vulnerability in Wuzhicms Wuzhi CMS 3.1.2 Wuzhi CMS v3.1.2 has a storage type XSS vulnerability in the backend of the Five Finger CMS b2b system. | 5.4 |
2023-05-23 | CVE-2023-1209 | Servicenow | Cross-site Scripting vulnerability in Servicenow Cross-Site Scripting (XSS) vulnerabilities exist in ServiceNow records allowing an authenticated attacker to inject arbitrary scripts. | 5.4 |
2023-05-23 | CVE-2023-22654 | Tandd Especmic | Cross-site Scripting vulnerability in multiple products Client-side enforcement of server-side security issue exists in T&D Corporation and ESPEC MIC CORP. | 5.4 |
2023-05-23 | CVE-2023-27923 | Vektor INC | Cross-site Scripting vulnerability in Vektor-Inc VK Blocks Cross-site scripting vulnerability in Tag edit function of VK Blocks 1.53.0.1 and earlier and VK Blocks Pro 1.53.0.1 and earlier allows a remote authenticated attacker to inject an arbitrary script. | 5.4 |
2023-05-23 | CVE-2023-27925 | Vektor INC | Cross-site Scripting vulnerability in Vektor-Inc VK Blocks Cross-site scripting vulnerability in Post function of VK Blocks 1.53.0.1 and earlier and VK Blocks Pro 1.53.0.1 and earlier allows a remote authenticated attacker to inject an arbitrary script. | 5.4 |
2023-05-23 | CVE-2023-27926 | Vektor INC | Cross-site Scripting vulnerability in Vektor-Inc VK ALL in ONE Expansion Unit Cross-site scripting vulnerability in Profile setting function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script. | 5.4 |
2023-05-23 | CVE-2023-28367 | Vektor INC | Cross-site Scripting vulnerability in Vektor-Inc VK ALL in ONE Expansion Unit Cross-site scripting vulnerability in CTA post function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script. | 5.4 |
2023-05-23 | CVE-2023-25440 | Civicrm | Cross-site Scripting vulnerability in Civicrm 5.59 Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to execute arbitrary code in first/second name field. | 5.4 |
2023-05-23 | CVE-2023-31995 | Hanwhavision | Cross-site Scripting vulnerability in Hanwhavision products Hanwha IP Camera ANE-L7012R 1.41.01 is vulnerable to Cross Site Scripting (XSS). | 5.4 |
2023-05-22 | CVE-2023-31779 | Wekan Project | Cross-site Scripting vulnerability in Wekan Project Wekan Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). | 5.4 |
2023-05-28 | CVE-2023-32762 | QT | Unspecified vulnerability in QT An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. | 5.3 |
2023-05-27 | CVE-2023-33184 | Nextcloud | Server-Side Request Forgery (SSRF) vulnerability in Nextcloud Mail Nextcloud Mail is a mail app in Nextcloud. | 5.3 |
2023-05-26 | CVE-2023-33199 | Linuxfoundation | Reachable Assertion vulnerability in Linuxfoundation Rekor Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. | 5.3 |
2023-05-26 | CVE-2023-27311 | Netapp | Path Traversal vulnerability in Netapp Blue XP Connector NetApp Blue XP Connector versions prior to 3.9.25 expose information via a directory listing. | 5.3 |
2023-05-26 | CVE-2023-0117 | Huawei | Improper Authentication vulnerability in Huawei Emui 13.0.0 The online authentication provided by the hwKitAssistant lacks strict identity verification of applications. | 5.3 |
2023-05-25 | CVE-2023-2255 | Libreoffice Debian | Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. | 5.3 |
2023-05-25 | CVE-2023-30851 | Cilium | Unspecified vulnerability in Cilium Cilium is a networking, observability, and security solution with an eBPF-based dataplane. | 5.3 |
2023-05-23 | CVE-2023-28015 | HCL | Unspecified vulnerability in HCL Domino Appdev Pack The HCL Domino AppDev Pack IAM service is susceptible to a User Account Enumeration vulnerability. | 5.3 |
2023-05-23 | CVE-2023-23545 | Tandd Especmic | Missing Authentication for Critical Function vulnerability in multiple products Missing authentication for critical function exists in T&D Corporation and ESPEC MIC CORP. | 5.3 |
2023-05-23 | CVE-2023-31994 | Hanwhavision | Unspecified vulnerability in Hanwhavision products Certain Hanwha products are vulnerable to Denial of Service (DoS). | 5.3 |
2023-05-22 | CVE-2023-28412 | Snapone | Information Exposure Through Discrepancy vulnerability in Snapone Orvc When supplied with a random MAC address, Snap One OvrC cloud servers will return information about the device. | 5.3 |
2023-05-22 | CVE-2023-33293 | Kaiostech | Exposure of Resource to Wrong Sphere vulnerability in Kaiostech Kaios 3.0/3.1 An issue was discovered in KaiOS 3.0 and 3.1. | 5.3 |
2023-05-22 | CVE-2023-32346 | Teltonika | Response Discrepancy Information Exposure vulnerability in Teltonika Remote Management System Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. | 5.3 |
2023-05-22 | CVE-2023-33285 | QT | Out-of-bounds Read vulnerability in QT An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. | 5.3 |
2023-05-26 | CVE-2022-39335 | Matrix | Information Exposure vulnerability in Matrix Synapse Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. | 5.0 |
2023-05-25 | CVE-2023-2881 | Pimcore | Insufficiently Protected Credentials vulnerability in Pimcore Customer-Data-Framework Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10. | 4.9 |
2023-05-23 | CVE-2023-2844 | Fit2Cloud | Authorization Bypass Through User-Controlled Key vulnerability in Fit2Cloud Cloudexplorer Lite Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. | 4.9 |
2023-05-28 | CVE-2023-33211 | WP Matomo Integration Project | Cross-site Scripting vulnerability in Wp-Matomo Integration Project Wp-Matomo Integration Auth. | 4.8 |
2023-05-28 | CVE-2023-32958 | Nosegraze | Cross-site Scripting vulnerability in Nosegraze Novelist Auth. | 4.8 |
2023-05-28 | CVE-2023-33328 | Pluginops | Cross-site Scripting vulnerability in Pluginops Mailchimp Subscribe Form Auth. | 4.8 |
2023-05-28 | CVE-2023-33216 | Gvectors | Cross-site Scripting vulnerability in Gvectors Woodiscuz - Woocommerce Comments Auth. | 4.8 |
2023-05-27 | CVE-2023-2947 | Open EMR | Cross-site Scripting vulnerability in Open-Emr Openemr Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1. | 4.8 |
2023-05-26 | CVE-2023-33194 | Craftcms Craftercms | Cross-site Scripting vulnerability in multiple products Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. | 4.8 |
2023-05-26 | CVE-2023-25781 | Upload File Type Settings Plugin Project | Cross-site Scripting vulnerability in Upload File Type Settings Plugin Project Upload File Type Settings Plugin Auth. | 4.8 |
2023-05-24 | CVE-2023-25028 | CC Custom Taxonomy Project | Cross-site Scripting vulnerability in CC Custom Taxonomy Project CC Custom Taxonomy Auth. | 4.8 |
2023-05-26 | CVE-2023-2898 | Linux Debian Netapp | NULL Pointer Dereference vulnerability in multiple products There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. | 4.7 |
2023-05-22 | CVE-2023-33288 | Linux | Use After Free vulnerability in Linux Kernel An issue was discovered in the Linux kernel before 6.2.9. | 4.7 |
2023-05-26 | CVE-2023-32311 | Fit2Cloud | Missing Authorization vulnerability in Fit2Cloud Cloudexplorer CloudExplorer Lite is an open source cloud management platform. | 4.3 |
2023-05-26 | CVE-2023-32316 | Fit2Cloud | Missing Authorization vulnerability in Fit2Cloud Cloudexplorer CloudExplorer Lite is an open source cloud management tool. | 4.3 |
2023-05-26 | CVE-2023-32323 | Matrix | Improper Input Validation vulnerability in Matrix Synapse Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. | 4.3 |
2023-05-25 | CVE-2023-2886 | Cbot | Unspecified vulnerability in Cbot Core and Cbot Panel Missing Origin Validation in WebSockets vulnerability in CBOT Chatbot allows Content Spoofing Via Application API Manipulation. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | 4.3 |
2023-05-24 | CVE-2023-1158 | Hitachi | Incorrect Authorization vulnerability in Hitachi products Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list. | 4.3 |
2023-05-24 | CVE-2023-33946 | Liferay | Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page. | 4.3 |
2023-05-24 | CVE-2023-33947 | Liferay | Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition. | 4.3 |
2023-05-23 | CVE-2023-33359 | Piwigo | Cross-Site Request Forgery (CSRF) vulnerability in Piwigo 13.6.0 Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function. | 4.3 |
2023-05-23 | CVE-2023-27304 | Cybozu | Unspecified vulnerability in Cybozu Garoon Operation restriction bypass vulnerability in Message and Bulletin of Cybozu Garoon 4.6.0 to 5.9.2 allows a remote authenticated attacker to alter the data of Message and/or Bulletin. | 4.3 |
2023-05-23 | CVE-2023-27384 | Cybozu | Unspecified vulnerability in Cybozu Garoon 5.15.0 Operation restriction bypass vulnerability in MultiReport of Cybozu Garoon 5.15.0 allows a remote authenticated attacker to alter the data of MultiReport. | 4.3 |
2023-05-23 | CVE-2023-27920 | Contec | Unspecified vulnerability in Contec Sv-Cpt-Mc310 Firmware and Sv-Cpt-Mc310F Firmware Improper access control vulnerability in the system date/time setting page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows a remote authenticated attacker to alter system date/time of the affected product. | 4.3 |
2023-05-23 | CVE-2023-31708 | Eyoucms | Cross-Site Request Forgery (CSRF) vulnerability in Eyoucms 1.6.2 A Cross-Site Request Forgery (CSRF) in EyouCMS v1.6.2 allows attackers to execute arbitrary commands via supplying a crafted HTML file to the Upload software format function. | 4.3 |
2023-05-22 | CVE-2023-33264 | Hazelcast | Insufficiently Protected Credentials vulnerability in Hazelcast In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, configuration routines don't mask passwords in the member configuration properly. | 4.3 |
3 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-05-26 | CVE-2023-28322 | Haxx Fedoraproject Apple Netapp | An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. | 3.7 |
2023-05-25 | CVE-2023-31124 | C Ares Project Fedoraproject | Use of Insufficiently Random Values vulnerability in multiple products c-ares is an asynchronous resolver library. | 3.7 |
2023-05-26 | CVE-2023-31225 | Huawei | Unspecified vulnerability in Huawei Emui The Gallery app has the risk of hijacking attacks. | 3.3 |