Weekly Vulnerabilities Reports > May 22 to 28, 2023

Overview

488 new vulnerabilities were reported during this period, including 83 critical and 228 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 920 products from 288 vendors, including Netbox, Debian, Huawei, Apache, and Liferay. The most common weakness categories are "Cross-Site Request Forgery (CSRF)", "Cross-site Scripting", "SQL Injection", "Path Traversal", and "Classic Buffer Overflow".

  • 436 reported vulnerabilities are remotely exploitable.
  • 179 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 324 reported vulnerabilities are exploitable by an anonymous user.
  • Netbox has the most reported vulnerabilities, with 16.
  • Garmin has the most reported critical vulnerabilities, with 8.

Summary counters on the page (values not preserved in this copy): total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web applications.

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


83 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-05-22 CVE-2023-31241 Snapone Unspecified vulnerability in Snapone OvrC

Snap One OvrC cloud servers contain a route an attacker can use to bypass requirements and claim devices outright.

10.0
2023-05-28 CVE-2021-4336 Itrsgroup SQL Injection vulnerability in Itrsgroup Ninja

A vulnerability was found in ITRS Group monitor-ninja up to 2021.11.1.

9.8
2023-05-28 CVE-2014-125101 Huge IT SQL Injection vulnerability in Huge-It Portfolio Gallery

A vulnerability classified as critical has been found in Portfolio Gallery Plugin up to 1.1.8 on WordPress.

9.8
2023-05-27 CVE-2015-20108 Onelogin Command Injection vulnerability in Onelogin Ruby-Saml

xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.

9.8
2023-05-27 CVE-2023-2927 Jizhicms Server-Side Request Forgery (SSRF) vulnerability in Jizhicms 2.4.5

A vulnerability was found in JIZHICMS 2.4.5.

9.8
2023-05-27 CVE-2023-2923 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware Usac6V1.0Brv15.03.05.19

A vulnerability classified as critical was found in Tenda AC6 US_AC6V1.0BR_V15.03.05.19.

9.8
2023-05-27 CVE-2023-2924 Supcontech Unrestricted Upload of File with Dangerous Type vulnerability in Supcontech Simfield Firmware 1.80.00.00

A vulnerability, which was classified as critical, has been found in Supcon SimField up to 1.80.00.00.

9.8
2023-05-26 CVE-2023-32321 Okfn Unspecified vulnerability in Okfn Ckan

CKAN is an open-source data management system for powering data hubs and data portals.

9.8
2023-05-26 CVE-2021-46887 Huawei Unspecified vulnerability in Huawei Emui 10.1.0/10.1.1/11.0.0

Lack of length check vulnerability in the HW_KEYMASTER module.

9.8
2023-05-26 CVE-2022-48478 Huawei Unspecified vulnerability in Huawei Harmonyos 2.0

The facial recognition TA of some products lacks memory length verification.

9.8
2023-05-26 CVE-2022-48479 Huawei Out-of-bounds Read vulnerability in Huawei Harmonyos 2.0

The facial recognition TA of some products has the out-of-bounds memory read vulnerability.

9.8
2023-05-26 CVE-2023-30145 Tuzitio Code Injection vulnerability in Tuzitio Camaleon CMS

Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.

9.8
2023-05-25 CVE-2023-32074 Nextcloud Improper Restriction of Excessive Authentication Attempts vulnerability in Nextcloud User Oidc

user_oidc app is an OpenID Connect user backend for Nextcloud.

9.8
2023-05-25 CVE-2023-33278 Storecommander SQL Injection vulnerability in Storecommander Customers Export

In the Store Commander scexportcustomers module for PrestaShop through 3.6.1, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.

9.8
2023-05-25 CVE-2023-33279 Scfixmyprestashop Project SQL Injection vulnerability in Scfixmyprestashop Project Scfixmyprestashop

In the Store Commander scfixmyprestashop module through 2023-05-09 for PrestaShop, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.

9.8
2023-05-25 CVE-2023-33280 Storecommander SQL Injection vulnerability in Storecommander Quickaccounting

In the Store Commander scquickaccounting module for PrestaShop through 3.7.3, multiple sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.

9.8
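The three Store Commander entries above describe the same mechanism: an unauthenticated HTTP request reaches a SQL statement built from request parameters, and the attacker turns a yes/no difference in the response into a blind extraction channel. The following Python example is added here and is not taken from the modules themselves; it reproduces that mechanism against an in-memory SQLite table with constructed sample rows and an assumed id_customer parameter, then shows the parameterized handler that closes it.

```python
import sqlite3

# Constructed sample data standing in for the PrestaShop customer table the
# export module queries (assumed schema; not the module's real tables).
def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, passwd TEXT)")
    con.executemany(
        "INSERT INTO customer (email, passwd) VALUES (?, ?)",
        [("alice@example.com", "s3cr3t-hash"), ("bob@example.com", "other-hash")],
    )
    return con

# Vulnerable pattern (hypothetical handler): the id_customer request parameter
# is interpolated straight into the statement.
def export_customer_vulnerable(con: sqlite3.Connection, id_customer: str) -> list:
    rows = con.execute(f"SELECT email FROM customer WHERE id = {id_customer}").fetchall()
    return [r[0] for r in rows]

# Hardened pattern: validate the type, then bind the value as a parameter so
# the driver never interprets it as SQL.
def export_customer_safe(con: sqlite3.Connection, id_customer: str) -> list:
    try:
        cid = int(id_customer)
    except ValueError:
        return []
    rows = con.execute("SELECT email FROM customer WHERE id = ?", (cid,)).fetchall()
    return [r[0] for r in rows]

# Boolean-based blind extraction: the attacker sees only whether the export
# returned a row, and asks one yes/no question per request about one character
# of a value the endpoint never displays.
def blind_extract_passwd(con: sqlite3.Connection, row_id: int, length: int) -> str:
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = (
                f"{row_id} AND substr((SELECT passwd FROM customer "
                f"WHERE id = {row_id}), {pos}, 1) = '{ch}'"
            )
            if export_customer_vulnerable(con, payload):
                recovered += ch
                break
    return recovered
```

Each recovered character costs at most one request per alphabet symbol, which is why a "trivial HTTP request" is enough to dump a table a column at a time. The hardened handler returns nothing for any non-integer input and binds the value, so the same payload is never parsed as SQL.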
2023-05-25 CVE-2023-2851 Agtteknik SQL Injection vulnerability in Agtteknik Ceppatron

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AGT Tech Ceppatron allows command-line execution through SQL injection. This issue affects all versions of the software, which was already end-of-support (EOS) when the CVE ID was assigned.

9.8
2023-05-25 CVE-2023-2882 Cbot Generation of Incorrect Security Identifiers vulnerability in Cbot Core and Cbot Panel

Generation of Incorrect Security Tokens vulnerability in CBOT Chatbot allows Token Impersonation and Privilege Abuse. This issue affects Chatbot before Core v4.0.3.4 and Panel v4.0.3.7.

9.8
2023-05-25 CVE-2023-2884 Cbot Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Cbot Core and Cbot Panel

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) and Use of Insufficiently Random Values vulnerability in CBOT Chatbot allows Signature Spoofing by Key Recreation. This issue affects Chatbot before Core v4.0.3.4 and Panel v4.0.3.7.

9.8
2023-05-25 CVE-2023-2887 Cbot Authentication Bypass by Spoofing vulnerability in Cbot Core and Cbot Panel

Authentication Bypass by Spoofing vulnerability in CBOT Chatbot allows Authentication Bypass. This issue affects Chatbot before Core v4.0.3.4 and Panel v4.0.3.7.

9.8
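CVE-2023-2884 is described as "Signature Spoofing by Key Recreation": if the key that signs tokens comes from a non-cryptographic PRNG seeded with a guessable value, an attacker who sees one valid signature can brute-force the seed, rebuild the key and sign arbitrary tokens, which is what makes the token impersonation of CVE-2023-2882 and the bypass of CVE-2023-2887 possible. The Python example below is added for illustration and is not CBOT's code; the deployment-timestamp seed, the one-hour search window and the HMAC-SHA256 token format are assumptions.

```python
import hashlib
import hmac
import random
import secrets

# Constructed scenario: the server derives its signing key from a PRNG seeded
# with a low-entropy value (assumed: the epoch second it was deployed).
DEPLOY_TIME = 1_684_800_000


def weak_signing_key(seed: int) -> bytes:
    # Mersenne Twister is fully determined by its seed and is not a CSPRNG.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(32))


def strong_signing_key() -> bytes:
    # OS CSPRNG: there is no seed for an attacker to enumerate.
    return secrets.token_bytes(32)


def sign(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign(key, message), tag)


def recreate_key(known_tag: str, message: bytes, guess_from: int, guess_to: int):
    """Attacker side: enumerate seeds in a plausible window until the rebuilt
    key reproduces a signature observed on the wire."""
    for seed in range(guess_from, guess_to):
        candidate = weak_signing_key(seed)
        if verify(candidate, message, known_tag):
            return candidate
    return None


def forge_demo() -> bool:
    """Returns True when a forged admin token validates under the server key."""
    server_key = weak_signing_key(DEPLOY_TIME)
    observed_msg = b"user=alice;role=user"
    observed_tag = sign(server_key, observed_msg)        # one captured token
    # The attacker knows the deployment time to within an hour.
    recovered = recreate_key(observed_tag, observed_msg,
                             DEPLOY_TIME - 3600, DEPLOY_TIME + 3600)
    if recovered is None:
        return False
    forged_msg = b"user=alice;role=admin"
    return verify(server_key, forged_msg, sign(recovered, forged_msg))
```

The search cost is linear in the size of the seed window, so a wider uncertainty (days instead of an hour) only slows the attack. Replacing the key source with strong_signing_key() removes the seed entirely; the same HMAC code is then sound.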
2023-05-25 CVE-2023-2732 Inspireui Unspecified vulnerability in Inspireui Mstore API

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2.

9.8
2023-05-25 CVE-2023-2733 Inspireui Unspecified vulnerability in Inspireui Mstore API

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0.

9.8
2023-05-25 CVE-2023-2734 Inspireui Unspecified vulnerability in Inspireui Mstore API

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1.

9.8
2023-05-24 CVE-2023-29721 Sofawiki Project Unrestricted Upload of File with Dangerous Type vulnerability in Sofawiki Project Sofawiki

SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution.

9.8
2023-05-24 CVE-2023-31458 Mitel Unspecified vulnerability in Mitel Mivoice Connect

A vulnerability in the Edge Gateway component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because initial installation does not enforce a password change.

9.8
2023-05-24 CVE-2023-31457 Mitel Unspecified vulnerability in Mitel Mivoice Connect

A vulnerability in the Headquarters server component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control.

9.8
2023-05-24 CVE-2023-2868 Barracuda Command Injection vulnerability in Barracuda products

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product affecting versions 5.1.3.001-9.2.0.006.

9.8
2023-05-24 CVE-2023-1174 Kubernetes Unspecified vulnerability in Kubernetes Minikube

This vulnerability exposes a network port in minikube running on macOS with Docker driver that could enable unexpected remote access to the minikube container.

9.8
2023-05-24 CVE-2023-33246 Apache Code Injection vulnerability in Apache Rocketmq

For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several RocketMQ components, including NameServer, Broker, and Controller, may be exposed on the public network and lack permission verification; an attacker can abuse the update-configuration function to execute commands as the system user that RocketMQ runs as.

9.8
2023-05-24 CVE-2023-2045 Ipekyolunet SQL Injection vulnerability in Ipekyolunet Software Auto Damage Tracking Software

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ipekyolu Software Auto Damage Tracking Software allows SQL Injection. This issue affects Auto Damage Tracking Software before 4.

9.8
2023-05-24 CVE-2023-2064 Minovateknoloji SQL Injection vulnerability in Minovateknoloji Etrace

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Minova Technology eTrace allows SQL Injection. This issue affects eTrace before 23.05.20.

9.8
2023-05-24 CVE-2023-33009 Zyxel Classic Buffer Overflow vulnerability in Zyxel products

A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, and ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1 could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even remote code execution on an affected device.

9.8
2023-05-24 CVE-2023-33010 Zyxel Classic Buffer Overflow vulnerability in Zyxel products

A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, and ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1 could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even remote code execution on an affected device.

9.8
2023-05-24 CVE-2023-2750 Cityboss SQL Injection vulnerability in Cityboss E-Municipality

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cityboss E-municipality allows SQL Injection. This issue affects E-municipality before 6.05.

9.8
2023-05-24 CVE-2023-2865 Theme Park Ticketing System Project SQL Injection vulnerability in Theme Park Ticketing System Project Theme Park Ticketing System 1.0

A vulnerability was found in SourceCodester Theme Park Ticketing System 1.0.

9.8
2023-05-23 CVE-2023-32697 Sqlite Jdbc Project Code Injection vulnerability in Sqlite Jdbc Project Sqlite Jdbc

SQLite JDBC is a library for accessing and creating SQLite database files in Java.

9.8
2023-05-23 CVE-2023-1508 Adampos SQL Injection vulnerability in Adampos Mobilmen El Terminali Yazilimi

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adam Retail Automation Systems Mobilmen Terminal Software allows SQL Injection. This issue affects Mobilmen Terminal Software before 3.

9.8
2023-05-23 CVE-2023-23298 Garmin Integer Overflow or Wraparound vulnerability in Garmin Connect-Iq

The `Toybox.Graphics.BufferedBitmap.initialize` API method in CIQ API version 2.3.0 through 4.1.7 does not validate its parameters, which can result in integer overflows when allocating the underlying bitmap buffer.

9.8
2023-05-23 CVE-2023-23300 Garmin Classic Buffer Overflow vulnerability in Garmin Connect-Iq

The `Toybox.Cryptography.Cipher.initialize` API method in CIQ API version 3.0.0 through 4.1.7 does not validate its parameters, which can result in buffer overflows when copying data.

9.8
2023-05-23 CVE-2023-23301 Garmin Out-of-bounds Read vulnerability in Garmin Connect-Iq

The `news` MonkeyC operation code in CIQ API version 1.0.0 through 4.1.7 fails to check that string resources are not extending past the end of the expected sections.

9.8
2023-05-23 CVE-2023-23302 Garmin Classic Buffer Overflow vulnerability in Garmin Connect-Iq

The `Toybox.GenericChannel.setDeviceConfig` API method in CIQ API version 1.2.0 through 4.1.7 does not validate its parameter, which can result in buffer overflows when copying various attributes.

9.8
2023-05-23 CVE-2023-23303 Garmin Classic Buffer Overflow vulnerability in Garmin Connect-Iq

The `Toybox.Ant.GenericChannel.enableEncryption` API method in CIQ API version 3.2.0 through 4.1.7 does not validate its parameter, which can result in buffer overflows when copying various attributes.

9.8
2023-05-23 CVE-2023-23305 Garmin Classic Buffer Overflow vulnerability in Garmin Connect-Iq

The GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 is vulnerable to various buffer overflows when loading binary resources.

9.8
2023-05-23 CVE-2023-23306 Garmin Out-of-bounds Write vulnerability in Garmin Connect-Iq

The `Toybox.Ant.BurstPayload.add` API method in CIQ API version 2.2.0 through 4.1.7 suffers from a type confusion vulnerability, which can result in an out-of-bounds write operation.

9.8
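The Garmin Connect IQ entries above are all unchecked size and parameter handling in native code; CVE-2023-23298 in particular is the classic case of width * height * bytes_per_pixel wrapping in a 32-bit integer so that a tiny buffer is allocated for a huge bitmap, and every later pixel write lands past its end. The example below is added here and is not Garmin's code; it emulates the 32-bit wrap in Python (whose own integers do not overflow) and shows the division-based check that rejects the overflow before any allocation happens.

```python
UINT32_MAX = 0xFFFF_FFFF


def vulnerable_buffer_size(width: int, height: int, bytes_per_pixel: int) -> int:
    # Emulates an unchecked uint32_t multiplication in C: the true product is
    # reduced modulo 2**32, so oversized dimensions yield a small allocation.
    return (width * height * bytes_per_pixel) & UINT32_MAX


def checked_buffer_size(width: int, height: int, bytes_per_pixel: int) -> int:
    if width <= 0 or height <= 0 or bytes_per_pixel <= 0:
        raise ValueError("dimensions must be positive")
    # Test each partial product before it can wrap: a * b > MAX  <=>  a > MAX // b.
    if width > UINT32_MAX // bytes_per_pixel:
        raise ValueError("width * bytes_per_pixel exceeds uint32")
    row_bytes = width * bytes_per_pixel
    if height > UINT32_MAX // row_bytes:
        raise ValueError("height * row_bytes exceeds uint32")
    return row_bytes * height


def rejects(width: int, height: int, bytes_per_pixel: int) -> bool:
    """True when the checked allocator refuses these dimensions."""
    try:
        checked_buffer_size(width, height, bytes_per_pixel)
        return False
    except ValueError:
        return True


def last_pixel_fits(width: int, height: int, bytes_per_pixel: int) -> bool:
    # Offset of the bottom-right pixel computed from the dimensions the caller
    # passed; with a wrapped allocation this write lands past the buffer end.
    size = vulnerable_buffer_size(width, height, bytes_per_pixel)
    offset = ((height - 1) * width + (width - 1)) * bytes_per_pixel
    return offset + bytes_per_pixel <= size
```

A 65536 x 65537 one-byte-per-pixel bitmap needs 2^32 + 65536 bytes; the wrapped size is 65536 bytes, so the first row fits and the second row already writes out of bounds. In C the same check is usually written with the division form above or with a builtin such as __builtin_mul_overflow, applied before the allocator is called.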
2023-05-23 CVE-2023-31752 Employee and Visitor Gate Pass Logging System Project SQL Injection vulnerability in Employee and Visitor Gate Pass Logging System Project Employee and Visitor Gate Pass Logging System 1.0

SourceCodester Employee and Visitor Gate Pass Logging System v1.0 is vulnerable to SQL Injection via /employee_gatepass/classes/Login.php.

9.8
2023-05-23 CVE-2023-33361 Piwigo SQL Injection vulnerability in Piwigo 13.6.0

Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.

9.8
2023-05-23 CVE-2023-33362 Piwigo SQL Injection vulnerability in Piwigo 13.6.0

Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.

9.8
2023-05-23 CVE-2023-33338 Phpgurukul SQL Injection vulnerability in Phpgurukul Old Age Home Management System 1.0

Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.

9.8
2023-05-23 CVE-2023-25953 Worksmobile Code Injection vulnerability in Worksmobile Drive Explorer

Code injection vulnerability in Drive Explorer for macOS versions 3.5.4 and earlier allows an attacker who can login to the client where the affected product is installed to inject arbitrary code while processing the product execution.

9.8
2023-05-23 CVE-2023-27388 Tandd / Especmic Improper Authentication vulnerability in multiple products

Improper authentication vulnerability in T&D Corporation and ESPEC MIC CORP.

9.8
2023-05-23 CVE-2023-27397 Microengine Unrestricted Upload of File with Dangerous Type vulnerability in Microengine Mailform

Unrestricted upload of file with dangerous type exists in MicroEngine Mailform version 1.1.0 to 1.1.8.

9.8
2023-05-23 CVE-2023-27507 Microengine Path Traversal vulnerability in Microengine Mailform

MicroEngine Mailform version 1.1.0 to 1.1.8 contains a path traversal vulnerability.

9.8
2023-05-23 CVE-2023-28408 MW WP Form Project Path Traversal vulnerability in MW WP Form Project MW WP Form

Directory traversal vulnerability in MW WP Form versions v4.4.2 and earlier allows a remote unauthenticated attacker to alter the website or cause a denial-of-service (DoS) condition, and obtain sensitive information depending on settings.

9.8
2023-05-23 CVE-2023-28409 MW WP Form Project Unrestricted Upload of File with Dangerous Type vulnerability in MW WP Form Project MW WP Form

Unrestricted upload of file with dangerous type exists in MW WP Form versions v4.4.2 and earlier, which may allow a remote unauthenticated attacker to upload an arbitrary file.

9.8
2023-05-23 CVE-2023-28413 Snow Monkey Forms Project Path Traversal vulnerability in Snow Monkey Forms Project Snow Monkey Forms

Directory traversal vulnerability in Snow Monkey Forms versions v5.0.6 and earlier allows a remote unauthenticated attacker to obtain sensitive information, alter the website, or cause a denial-of-service (DoS) condition.

9.8
2023-05-23 CVE-2020-20012 Sudytech Path Traversal vulnerability in Sudytech Webplus PRO 1.4.7.8.401

WebPlus Pro v1.4.7.8.4-01 is vulnerable to Incorrect Access Control.

9.8
2023-05-23 CVE-2023-27068 Sitecore Deserialization of Untrusted Data vulnerability in Sitecore Experience Platform

Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run arbitrary code via ValidationResult.aspx.

9.8
2023-05-23 CVE-2023-31814 Dlink Unspecified vulnerability in Dlink Dir-300 Firmware

D-Link DIR-300 firmware <=REVA1.06 and <=REVB2.06 is vulnerable to File inclusion via /model/__lang_msg.php.

9.8
2023-05-22 CVE-2022-46658 Dataprobe Unspecified vulnerability in Dataprobe products

The affected product is vulnerable to a stack-based buffer overflow which could lead to a denial of service or remote code execution.

9.8
2023-05-22 CVE-2022-46738 Dataprobe Unspecified vulnerability in Dataprobe products

The affected product exposes multiple sensitive data fields of the affected product.

9.8
2023-05-22 CVE-2023-2504 Birddog Use of Hard-coded Credentials vulnerability in Birddog products

Files present on firmware images could allow an attacker to gain unauthorized access as a root user using hard-coded credentials.

9.8
2023-05-22 CVE-2023-28386 Snapone Insufficient Verification of Data Authenticity vulnerability in Snapone OvrC

Snap One OvrC Pro devices versions 7.2 and prior do not validate firmware updates correctly.

9.8
2023-05-22 CVE-2023-31240 Snapone Use of Hard-coded Credentials vulnerability in Snapone OvrC

Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely.

9.8
2023-05-22 CVE-2023-31689 Wcms Unrestricted Upload of File with Dangerous Type vulnerability in Wcms 0.3.2

In Wcms 0.3.2, an attacker can send a crafted request to the backend script /wcms/wex/html.php via the finish parameter and the textAreaCode parameter.

9.8
2023-05-22 CVE-2023-2840 Gpac NULL Pointer Dereference vulnerability in Gpac

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2.

9.8
2023-05-22 CVE-2023-2586 Teltonika Improper Authentication vulnerability in Teltonika Remote Management System 4.14.0

Teltonika’s Remote Management System version 4.14.0 is vulnerable to an unauthorized attacker registering previously unregistered devices through the RMS platform.

9.8
2023-05-22 CVE-2023-31062 Apache Improper Privilege Management vulnerability in Apache Inlong

Improper Privilege Management vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.2.0 through 1.6.0. An attacker who holds a valid but unprivileged account can exploit it by sending a login request and then replaying the returned cookie in a subsequent HTTP request (for example with Burp Suite). Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 to solve it.

9.8
2023-05-22 CVE-2023-31098 Apache Weak Password Requirements vulnerability in Apache Inlong

Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.1.0 through 1.6.0. Users can change their password to a trivially simple one (a single character or symbol), so attackers can easily guess the password and access the account. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805 to solve it.

9.8
2023-05-22 CVE-2023-33294 Kaiostech Command Injection vulnerability in Kaiostech Kaios 3.0/3.1

An issue was discovered in KaiOS 3.0 before 3.1.

9.8
2023-05-22 CVE-2023-32347 Teltonika Improper Authentication vulnerability in Teltonika Remote Management System

Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication.

9.8
2023-05-22 CVE-2022-46680 Schneider Electric Cleartext Transmission of Sensitive Information vulnerability in Schneider-Electric products

A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic.

9.8
2023-05-22 CVE-2022-44739 Thingsforrestaurants Cross-Site Request Forgery (CSRF) vulnerability in Thingsforrestaurants Quick Restaurant Reservations

Cross-Site Request Forgery (CSRF) vulnerability in ThingsForRestaurants Quick Restaurant Reservations plugin <= 1.5.4 versions.

9.8
2023-05-22 CVE-2023-33236 Moxa Use of Hard-coded Credentials vulnerability in Moxa Mxsecurity 1.0

MXsecurity version 1.0 is vulnerable to a hard-coded credential vulnerability.

9.8
2023-05-22 CVE-2023-32336 IBM Deserialization of Untrusted Data vulnerability in IBM Infosphere Information Server 11.7

IBM InfoSphere Information Server 11.7 is affected by a remote code execution vulnerability due to insecure deserialization in an RMI service.

9.8
2023-05-26 CVE-2023-21516 Samsung Cross-site Scripting vulnerability in Samsung Galaxy Store 4.5.32.4/4.5.36.4/4.5.41.8

XSS vulnerability from InstantPlay in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store.

9.6
2023-05-28 CVE-2023-2951 Bus Dispatch and Information System Project SQL Injection vulnerability in Bus Dispatch and Information System Project Bus Dispatch and Information System 1.0

A vulnerability classified as critical has been found in code-projects Bus Dispatch and Information System 1.0.

9.1
2023-05-24 CVE-2023-33796 Netbox Unspecified vulnerability in Netbox 3.5.1

A vulnerability in Netbox v3.5.1 allows unauthenticated attackers to execute queries against the GraphQL API, granting them access to sensitive data stored in the database.

9.1
2023-05-23 CVE-2023-23304 Garmin Unspecified vulnerability in Garmin Connect-Iq

The GarminOS TVM component in CIQ API version 2.1.0 through 4.1.7 allows applications with a specially crafted head section to use the `Toybox.SensorHistory` module without permission.

9.1
2023-05-23 CVE-2023-29919 Contec Incorrect Default Permissions vulnerability in Contec Solarview Compact Firmware 6.0

SolarView Compact <= 6.0 is vulnerable to Insecure Permissions.

9.1
2023-05-22 CVE-2023-2838 Gpac Out-of-bounds Read vulnerability in Gpac

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.

9.1
2023-05-22 CVE-2023-31065 Apache Insufficient Session Expiration vulnerability in Apache Inlong 1.4.0/1.5.0/1.6.0

Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.6.0. An old session can still be used by an attacker after the user has been deleted or the password has been changed. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 and https://github.com/apache/inlong/pull/7884 to solve it.

9.1
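CVE-2023-31065 is the pattern where a session token outlives the credentials it was issued under. One way to close it, shown here as an added Python example that is not Apache InLong's code: record a per-user credential version in each session and re-check it on every request, so that a password change or account deletion invalidates all sessions issued before it. The User and SessionStore classes and the direct password_hash comparison are simplifications for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


# Constructed model of a login session store; not Apache InLong's code.
@dataclass
class User:
    name: str
    password_hash: str          # stand-in for a real password hash
    auth_version: int = 0       # incremented on every credential change


@dataclass
class SessionStore:
    users: Dict[str, User] = field(default_factory=dict)
    sessions: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def login(self, name: str, password_hash: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or user.password_hash != password_hash:
            return None
        sid = secrets.token_urlsafe(32)
        # Record the credential version the session was issued under.
        self.sessions[sid] = (name, user.auth_version)
        return sid

    def resolve_insecure(self, sid: str) -> Optional[str]:
        # Weak pattern: a cookie that was ever valid stays valid, even after
        # the account was deleted or its password changed.
        entry = self.sessions.get(sid)
        return entry[0] if entry else None

    def resolve_secure(self, sid: str) -> Optional[str]:
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        name, issued_version = entry
        user = self.users.get(name)
        if user is None or user.auth_version != issued_version:
            self.sessions.pop(sid, None)   # stale session: drop it
            return None
        return name

    def change_password(self, name: str, new_hash: str) -> None:
        user = self.users[name]
        user.password_hash = new_hash
        user.auth_version += 1            # invalidates every earlier session

    def delete_user(self, name: str) -> None:
        self.users.pop(name, None)
```

The version check costs one user lookup per request, which the session resolver needs anyway to load the account; an idle-timeout on top of it covers the case where the credentials never change but the cookie leaks.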
2023-05-22 CVE-2023-31066 Apache Files or Directories Accessible to External Parties vulnerability in Apache Inlong 1.4.0/1.5.0/1.6.0

Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.6.0.

9.1
2023-05-22 CVE-2023-2597 Eclipse Out-of-bounds Read vulnerability in Eclipse Openj9

In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds) the size of a string is not properly checked against the size of the buffer.

9.1

228 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-05-28 CVE-2022-36345 Metagauss Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin <= 2.0.4 versions.

8.8
2023-05-28 CVE-2023-33926 Supsystic Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps

Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps plugin <= 1.11.7 versions.

8.8
2023-05-28 CVE-2023-33313 Themeinprogress Cross-Site Request Forgery (CSRF) vulnerability in Themeinprogress WIP Custom Login

Cross-Site Request Forgery (CSRF) vulnerability in ThemeinProgress WIP Custom Login plugin <= 1.2.9 versions.

8.8
2023-05-28 CVE-2023-33316 Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in Woocommerce Automatewoo

Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Follow-Up Emails (AutomateWoo) plugin <= 4.9.40 versions.

8.8
2023-05-28 CVE-2023-33212 Crocoblock Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock Jetformbuilder

Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetFormBuilder — Dynamic Blocks Form Builder plugin <= 3.0.6 versions.

8.8
2023-05-28 CVE-2023-33314 Pluginus Cross-Site Request Forgery (CSRF) vulnerability in Pluginus BEAR - WooCommerce Bulk Editor and Products Manager Professional

Cross-Site Request Forgery (CSRF) vulnerability in realmag777 BEAR plugin <= 1.1.3.1 versions.

8.8
2023-05-28 CVE-2023-33315 Wandlesoftware Cross-Site Request Forgery (CSRF) vulnerability in Wandlesoftware Smart App Banner

Cross-Site Request Forgery (CSRF) vulnerability in Stephen Darlington, Wandle Software Limited Smart App Banner plugin <= 1.1.2 versions.

8.8
2023-05-28 CVE-2023-33931 Getbutterfly Cross-Site Request Forgery (CSRF) vulnerability in Getbutterfly Youtube Playlist Player

Cross-Site Request Forgery (CSRF) vulnerability in Ciprian Popescu YouTube Playlist Player plugin <= 4.6.4 versions.

8.8
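Most of the High entries in this period are CSRF flaws in WordPress plugins, and they share one shape: an admin-only action that verifies the logged-in user's cookie but not that the request originated from the site's own form, so a page the admin merely visits can submit it for them. The Python example below is added here and is not any listed plugin's code; it shows such a handler beside a hardened one that requires an HMAC-bound per-session, per-action token (the WordPress counterpart is wp_nonce_field() on the form and check_admin_referer() in the handler). SERVER_SECRET, the session dictionary and the Settings object are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Per-deployment secret (assumption); in practice loaded from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, action: str) -> str:
    # Token bound to both the session and the action it authorizes, so a
    # token leaked from one form cannot be replayed against another action.
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, action: str, token: Optional[str]) -> bool:
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id, action), token)


class Settings:
    """Constructed stand-in for a plugin's stored options."""
    def __init__(self):
        self.admin_email = "admin@example.com"


def update_settings_vulnerable(settings: Settings, session: dict, form: dict) -> bool:
    # Checks only that the caller is an authenticated admin. The browser
    # attaches the session cookie to any cross-site form post automatically,
    # so an attacker-controlled page can drive this action.
    if not session.get("is_admin"):
        return False
    settings.admin_email = form["admin_email"]
    return True


def update_settings_hardened(settings: Settings, session: dict, form: dict) -> bool:
    if not session.get("is_admin"):
        return False
    # The token is only present in forms the site itself rendered for this
    # session; a cross-site page cannot read it, so it cannot forge the post.
    if not csrf_token_valid(session["id"], "update_settings", form.get("_csrf")):
        return False
    settings.admin_email = form["admin_email"]
    return True
```

The hardened handler rejects a post that lacks the token or carries one minted for a different action; compare_digest keeps the comparison constant-time. Binding the token to the action is what distinguishes this from a single site-wide nonce, which a lower-privileged page could otherwise harvest and reuse.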
2023-05-28 CVE-2015-10106 MH Httpbl Project SQL Injection vulnerability in MH Httpbl Project MH Httpbl

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical was found in mback2k mh_httpbl Extension up to 1.1.7 on TYPO3.

8.8
2023-05-27 CVE-2023-2943 Open EMR Code Injection vulnerability in Open-Emr Openemr

Code Injection in GitHub repository openemr/openemr prior to 7.0.1.

8.8
2023-05-27 CVE-2023-2928 Dedecms Code Injection vulnerability in Dedecms

A vulnerability was found in DedeCMS up to 5.7.106.

8.8
2023-05-26 CVE-2023-21514 Samsung Improper Input Validation vulnerability in Samsung Galaxy Store 4.5.32.4/4.5.36.4/4.5.41.8

Improper scheme validation from InstantPlay Deeplink in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store.

8.8
2023-05-26 CVE-2023-21515 Samsung Unspecified vulnerability in Samsung Galaxy Store 4.5.32.4/4.5.36.4/4.5.41.8

InstantPlay which included vulnerable script which could execute javascript in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store.

8.8
2023-05-26 CVE-2023-31128 Nextcloud OS Command Injection vulnerability in Nextcloud Cookbook

NextCloud Cookbook is a recipe library app.

8.8
2023-05-26 CVE-2023-33779 Xuxueli Unspecified vulnerability in Xuxueli Xxl-Job 2.4.1

A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/.

8.8
2023-05-26 CVE-2023-25034 WP Clean UP Project Cross-Site Request Forgery (CSRF) vulnerability in WP Clean UP Project WP Clean UP

Cross-Site Request Forgery (CSRF) vulnerability in BoLiQuan WP Clean Up plugin <= 1.2.3 versions.

8.8
2023-05-26 CVE-2023-25058 Brainstormforce Cross-Site Request Forgery (CSRF) vulnerability in Brainstormforce Schema

Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Schema – All In One Schema Rich Snippets plugin <= 1.6.5 versions.

8.8
2023-05-26 CVE-2023-25467 Resize at Upload Plus Project Cross-Site Request Forgery (CSRF) vulnerability in Resize at Upload Plus Project Resize at Upload Plus

Cross-Site Request Forgery (CSRF) vulnerability in Daniel Mores, A.

8.8
2023-05-26 CVE-2023-32964 Madewithfuel Cross-Site Request Forgery (CSRF) vulnerability in Madewithfuel Better Notifications for WP

Cross-Site Request Forgery (CSRF) vulnerability in Made with Fuel Better Notifications for WP plugin <= 1.9.2 versions.

8.8
2023-05-26 CVE-2023-25029 WP Social Bookmarking Light Project Cross-Site Request Forgery (CSRF) vulnerability in WP Social Bookmarking Light Project WP Social Bookmarking Light

Cross-Site Request Forgery (CSRF) vulnerability in utahta WP Social Bookmarking Light plugin <= 2.0.7 versions.

8.8
2023-05-26 CVE-2023-25470 Rus-To-Lat Project Cross-Site Request Forgery (CSRF) vulnerability in Rus-To-Lat Project Rus-To-Lat

Cross-Site Request Forgery (CSRF) vulnerability in Anton Skorobogatov Rus-To-Lat plugin <= 0.3 versions.

8.8
2023-05-26 CVE-2023-22693 Conlabz Cross-Site Request Forgery (CSRF) vulnerability in Conlabz WP Google Tag Manager

Cross-Site Request Forgery (CSRF) vulnerability in conlabzgmbh WP Google Tag Manager plugin <= 1.1 versions.

8.8
2023-05-26 CVE-2023-24008 Wpmaspik Cross-Site Request Forgery (CSRF) vulnerability in Wpmaspik Maspik

Cross-Site Request Forgery (CSRF) vulnerability in yonifre Maspik – Spam Blacklist plugin <= 0.7.8 versions.

8.8
2023-05-26 CVE-2023-25038 984.Ru Cross-Site Request Forgery (CSRF) vulnerability in 984.Ru For the Visually Impaired

Cross-Site Request Forgery (CSRF) vulnerability in 984.Ru For the visually impaired plugin <= 0.58 versions.

8.8
2023-05-26 CVE-2023-23714 Uncannyowl Cross-Site Request Forgery (CSRF) vulnerability in Uncannyowl Uncanny Toolkit for Learndash

Cross-Site Request Forgery (CSRF) vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash plugin <= 3.6.4.1 versions.

8.8
2023-05-26 CVE-2023-24007 Admin Block Country Project Cross-Site Request Forgery (CSRF) vulnerability in Admin Block Country Project Admin Block Country

Cross-Site Request Forgery (CSRF) vulnerability in TheOnlineHero - Tom Skroza Admin Block Country plugin <= 7.1.4 versions.

8.8
2023-05-26 CVE-2023-25971 Fixbd Cross-Site Request Forgery (CSRF) vulnerability in Fixbd Educare

Cross-Site Request Forgery (CSRF) vulnerability in FixBD Educare plugin <= 1.4.1 versions.

8.8
2023-05-26 CVE-2023-25976 Crmperks Cross-Site Request Forgery (CSRF) vulnerability in Crmperks Integration for Contact Form 7 and Zoho CRM, Bigin

Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin plugin <= 1.2.2 versions.

8.8
2023-05-25 CVE-2022-47174 WordPress Cross-Site Request Forgery (CSRF) vulnerability in WordPress Performance Lab

Cross-Site Request Forgery (CSRF) vulnerability in WordPress Performance Team Performance Lab plugin <= 2.2.0 versions.

8.8
2023-05-25 CVE-2023-2888 Phpok Unrestricted Upload of File with Dangerous Type vulnerability in PHPok 6.4.100

A vulnerability, which was classified as problematic, was found in PHPOK 6.4.100.

8.8
2023-05-25 CVE-2022-46810 Villatheme Cross-Site Request Forgery (CSRF) vulnerability in Villatheme Thank You Page Customizer for WooCommerce

Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Thank You Page Customizer for WooCommerce – Increase Your Sales plugin <= 1.0.13 versions.

8.8
2023-05-25 CVE-2022-46814 Pierros Cross-Site Request Forgery (CSRF) vulnerability in Pierros Kodex Posts Likes

Cross-Site Request Forgery (CSRF) vulnerability in Pierre Lebedel Kodex Posts likes plugin <= 2.4.3 versions.

8.8
2023-05-25 CVE-2022-46820 Wpjoli Cross-Site Request Forgery (CSRF) vulnerability in Wpjoli Joli Table of Contents

Cross-Site Request Forgery (CSRF) vulnerability in WPJoli Joli Table Of Contents plugin <= 1.3.9 versions.

8.8
2023-05-25 CVE-2022-46856 Orion Cross-Site Request Forgery (CSRF) vulnerability in Orion Woocommerce products Designer

Cross-Site Request Forgery (CSRF) vulnerability in ORION Woocommerce Products Designer plugin <= 4.3.3 versions.

8.8
2023-05-25 CVE-2022-47136 Wpmanageninja Cross-Site Request Forgery (CSRF) vulnerability in Wpmanageninja Ninja Tables

Cross-Site Request Forgery (CSRF) vulnerability in WPManageNinja LLC Ninja Tables – Best Data Table Plugin for WordPress plugin <= 4.3.4 versions.

8.8
2023-05-25 CVE-2022-47144 Frenify Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mediamatic 2.7/2.8.1

Cross-Site Request Forgery (CSRF) vulnerability in Plugincraft Mediamatic – Media Library Folders plugin <= 2.8.1 versions.

8.8
2023-05-25 CVE-2022-47178 Simplesharebuttons Cross-Site Request Forgery (CSRF) vulnerability in Simplesharebuttons Simple Share Buttons Adder

Cross-Site Request Forgery (CSRF) vulnerability in Simple Share Buttons Simple Share Buttons Adder plugin <= 8.4.7 versions.

8.8
2023-05-25 CVE-2022-38356 Stylemixthemes Cross-Site Request Forgery (CSRF) vulnerability in Stylemixthemes Pearl Header Builder

Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes WordPress Header Builder Plugin – Pearl plugin <= 1.3.4 versions.

8.8
2023-05-25 CVE-2022-38716 Stylemixthemes Cross-Site Request Forgery (CSRF) vulnerability in Stylemixthemes Motors - CAR Dealer, Classifieds & Listing

Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes Motors – Car Dealer, Classifieds & Listing plugin <= 1.4.4 versions.

8.8
2023-05-25 CVE-2022-41987 Badgeos Cross-Site Request Forgery (CSRF) vulnerability in Badgeos

Cross-Site Request Forgery (CSRF) vulnerability in LearningTimes BadgeOS plugin <= 3.7.1.6 versions.

8.8
2023-05-25 CVE-2022-43490 XWP Cross-Site Request Forgery (CSRF) vulnerability in XWP Stream

Cross-Site Request Forgery (CSRF) vulnerability in XWP Stream plugin <= 3.9.2 versions.

8.8
2023-05-25 CVE-2022-45371 Wpmet Cross-Site Request Forgery (CSRF) vulnerability in Wpmet Shopengine

Cross-Site Request Forgery (CSRF) vulnerability in Wpmet ShopEngine plugin <= 4.1.1 versions.

8.8
2023-05-25 CVE-2022-45815 Stylemixthemes Cross-Site Request Forgery (CSRF) vulnerability in Stylemixthemes Gdpr Compliance & Cookie Consent

Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes GDPR Compliance & Cookie Consent plugin <= 1.2 versions.

8.8
2023-05-25 CVE-2022-45367 Tychesoftwares Cross-Site Request Forgery (CSRF) vulnerability in Tychesoftwares Custom Order Numbers for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in Tyche Softwares Custom Order Numbers for WooCommerce plugin <= 1.4.0 versions.

8.8
2023-05-25 CVE-2022-47149 Upress Cross-Site Request Forgery (CSRF) vulnerability in Upress Enable Accessibility 1.4

Cross-Site Request Forgery (CSRF) vulnerability in Pretty Links plugin <= 3.4.0 versions.

8.8
2023-05-25 CVE-2022-47161 Wordpress Cross-Site Request Forgery (CSRF) vulnerability in Wordpress Health Check & Troubleshooting

Cross-Site Request Forgery (CSRF) vulnerability in The WordPress.Org community Health Check & Troubleshooting plugin <= 1.5.1 versions.

8.8
2023-05-25 CVE-2022-47165 Coschedule Cross-Site Request Forgery (CSRF) vulnerability in Coschedule

Cross-Site Request Forgery (CSRF) vulnerability in CoSchedule plugin <= 3.3.8 versions.

8.8
2023-05-25 CVE-2022-47177 Wpeasypay Cross-Site Request Forgery (CSRF) vulnerability in Wpeasypay WP Easypay

Cross-Site Request Forgery (CSRF) vulnerability in WP Easy Pay WP EasyPay – Square for WordPress plugin <= 4.1 versions.

8.8
2023-05-25 CVE-2023-30484 Upress Cross-Site Request Forgery (CSRF) vulnerability in Upress Enable Accessibility

Cross-Site Request Forgery (CSRF) vulnerability in uPress Enable Accessibility plugin <= 1.4 versions.

8.8
2023-05-25 CVE-2022-41635 Zorem Cross-Site Request Forgery (CSRF) vulnerability in Zorem Advanced Shipment Tracking for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in Zorem Advanced Shipment Tracking for WooCommerce plugin <= 3.5.2 versions.

8.8
2023-05-25 CVE-2022-46800 Litespeedtech Cross-Site Request Forgery (CSRF) vulnerability in Litespeedtech Litespeed Cache

Cross-Site Request Forgery (CSRF) vulnerability in LiteSpeed Technologies LiteSpeed Cache plugin <= 5.3 versions.

8.8
2023-05-25 CVE-2022-46812 Villatheme Cross-Site Request Forgery (CSRF) vulnerability in Villatheme Thank YOU Page Customizer for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Thank You Page Customizer for WooCommerce – Increase Your Sales plugin <= 1.0.13 versions.

8.8
2023-05-25 CVE-2022-46865 Bulk Resize Media Project Cross-Site Request Forgery (CSRF) vulnerability in Bulk Resize Media Project Bulk Resize Media

Cross-Site Request Forgery (CSRF) vulnerability in Marty Thornley Bulk Resize Media plugin <= 1.1 versions.

8.8
2023-05-25 CVE-2022-46866 Import External Images Project Cross-Site Request Forgery (CSRF) vulnerability in Import External Images Project Import External Images

Cross-Site Request Forgery (CSRF) vulnerability in Marty Thornley Import External Images plugin <= 1.4 versions.

8.8
2023-05-25 CVE-2022-47135 Chronoengine Cross-Site Request Forgery (CSRF) vulnerability in Chronoengine Chronoforms

Cross-Site Request Forgery (CSRF) vulnerability in chronoengine.Com Chronoforms plugin <= 7.0.9 versions.

8.8
2023-05-25 CVE-2022-47138 Login AND Registration Attempts Limit Project Cross-Site Request Forgery (CSRF) vulnerability in Login and Registration Attempts Limit Project Login and Registration Attempts Limit

Cross-Site Request Forgery (CSRF) vulnerability in German Krutov LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin <= 2.1 versions.

8.8
2023-05-25 CVE-2022-47139 WP Basic Elements Project Cross-Site Request Forgery (CSRF) vulnerability in WP Basic Elements Project WP Basic Elements

Cross-Site Request Forgery (CSRF) vulnerability in Damir Calusic WP Basic Elements plugin <= 5.2.15 versions.

8.8
2023-05-25 CVE-2022-47159 Logaster Cross-Site Request Forgery (CSRF) vulnerability in Logaster Logo Generator

Cross-Site Request Forgery (CSRF) vulnerability in Logaster Logaster Logo Generator plugin <= 1.3 versions.

8.8
2023-05-25 CVE-2022-47164 Mage People Cross-Site Request Forgery (CSRF) vulnerability in Mage-People Event Manager and Tickets Selling Plugin for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in MagePeople Team Event Manager and Tickets Selling Plugin for WooCommerce plugin <= 3.7.7 versions.

8.8
2023-05-25 CVE-2023-2883 Cbot Authorization Bypass Through User-Controlled Key vulnerability in Cbot Core and Cbot Panel

Authorization Bypass Through User-Controlled Key vulnerability in CBOT Chatbot allows Authentication Abuse, Authentication Bypass. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7.

8.8
2023-05-25 CVE-2023-2500 Granthweb Deserialization of Untrusted Data vulnerability in Granthweb GO Pricing

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.3.19 via deserialization of untrusted input from the 'go_pricing' shortcode 'data' parameter.

8.8
2023-05-24 CVE-2022-4815 Hitachi Deserialization of Untrusted Data vulnerability in Hitachi products

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods. 

8.8
2023-05-24 CVE-2023-31459 Mitel Weak Password Recovery Mechanism for Forgotten Password vulnerability in Mitel Mivoice Connect

A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect versions 9.6.2208.101 and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because the initial installation does not enforce a password change.

8.8
2023-05-24 CVE-2022-47446 Viadat Cross-Site Request Forgery (CSRF) vulnerability in Viadat Store Locator for Wordpress With Google Maps

Cross-Site Request Forgery (CSRF) vulnerability in Viadat Creations Store Locator for WordPress with Google Maps – LotsOfLocales plugin <= 3.98.7 versions.

8.8
2023-05-24 CVE-2022-47447 WP Advanced Search Project Cross-Site Request Forgery (CSRF) vulnerability in Wp-Advanced-Search Project Wp-Advanced-Search

Cross-Site Request Forgery (CSRF) vulnerability in Mathieu Chartier WordPress WP-Advanced-Search plugin <= 3.3.8 versions.

8.8
2023-05-24 CVE-2022-47448 Xiligroup Cross-Site Request Forgery (CSRF) vulnerability in Xiligroup Xili-Tidy-Tags

Cross-Site Request Forgery (CSRF) vulnerability in dev.Xiligroup.Com - MS plugin <= 1.12.03 versions.

8.8
2023-05-24 CVE-2022-45364 Codedropz Cross-Site Request Forgery (CSRF) vulnerability in Codedropz Drag and Drop multiple File Upload - Contact Form 7

Cross-Site Request Forgery (CSRF) vulnerability in Glen Don L.

8.8
2023-05-24 CVE-2022-46794 Weightbasedshipping Cross-Site Request Forgery (CSRF) vulnerability in Weightbasedshipping Woocommerce Weight Based Shipping

Cross-Site Request Forgery (CSRF) vulnerability in weightbasedshipping.Com WooCommerce Weight Based Shipping plugin <= 5.4.1 versions.

8.8
2023-05-24 CVE-2022-46816 Bookingultrapro Cross-Site Request Forgery (CSRF) vulnerability in Bookingultrapro Booking Ultra PRO Appointments Booking Calendar

Cross-Site Request Forgery (CSRF) vulnerability in Booking Ultra Pro Appointments Booking Calendar Plugin plugin <= 1.1.4 versions.

8.8
2023-05-24 CVE-2022-47152 Clickfunnels Cross-Site Request Forgery (CSRF) vulnerability in Clickfunnels

Cross-Site Request Forgery (CSRF) vulnerability in Etison, LLC ClickFunnels plugin <= 3.1.1 versions.

8.8
2023-05-24 CVE-2022-47180 Kopatheme Cross-Site Request Forgery (CSRF) vulnerability in Kopatheme Kopa Framework

Cross-Site Request Forgery (CSRF) vulnerability in Kopa Theme Kopa Framework plugin <= 1.3.5 versions.

8.8
2023-05-24 CVE-2023-2065 Armoli Authorization Bypass Through User-Controlled Key vulnerability in Armoli Cargo Tracking System

Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication Abuse, Authentication Bypass. This issue affects Cargo Tracking System: before 3558f28.

8.8
2023-05-24 CVE-2023-2859 Teampass Code Injection vulnerability in Teampass

Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

8.8
2023-05-24 CVE-2023-2494 Granthweb Missing Authorization vulnerability in Granthweb GO Pricing

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19.

8.8
2023-05-23 CVE-2023-2702 Finexmedia Authorization Bypass Through User-Controlled Key vulnerability in Finexmedia Competition Management System

Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass. This issue affects Competition Management System: before 23.07.

8.8
2023-05-23 CVE-2023-1837 Hypr Missing Authentication for Critical Function vulnerability in Hypr Server

Missing Authentication for Critical Function vulnerability in HYPR Server allows Authentication Bypass when using Legacy APIs. This issue affects HYPR Server: before 8.0 (with enabled Legacy APIs).

8.8
2023-05-23 CVE-2023-25474 About ME 3000 Widget Project Cross-Site Request Forgery (CSRF) vulnerability in About ME 3000 Widget Project About ME 3000 Widget

Cross-Site Request Forgery (CSRF) vulnerability in Csaba Kissi About Me 3000 widget plugin <= 2.2.6 versions.

8.8
2023-05-23 CVE-2022-46813 Sigmaplugin Cross-Site Request Forgery (CSRF) vulnerability in Sigmaplugin Advanced Database Cleaner

Cross-Site Request Forgery (CSRF) vulnerability in Younes JFR.

8.8
2023-05-23 CVE-2023-26011 Dogblocker Cross-Site Request Forgery (CSRF) vulnerability in Dogblocker Read More Excerpt Link

Cross-Site Request Forgery (CSRF) vulnerability in Tim Eckel Read More Excerpt Link plugin <= 1.6 versions.

8.8
2023-05-23 CVE-2023-26014 Dogblocker Cross-Site Request Forgery (CSRF) vulnerability in Dogblocker Minify Html

Cross-Site Request Forgery (CSRF) vulnerability in Tim Eckel Minify HTML plugin <= 2.1.7 versions.

8.8
2023-05-23 CVE-2022-46851 Brainstormforce Cross-Site Request Forgery (CSRF) vulnerability in Brainstormforce Starter Templates

Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Starter Templates plugin <= 3.1.20 versions.

8.8
2023-05-23 CVE-2022-46853 Radiustheme Cross-Site Request Forgery (CSRF) vulnerability in Radiustheme Post Grid

Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme The Post Grid plugin <= 5.0.4 versions.

8.8
2023-05-23 CVE-2023-23705 Hmplugin Cross-Site Request Forgery (CSRF) vulnerability in Hmplugin Wordpress Books Gallery

Cross-Site Request Forgery (CSRF) vulnerability in HM Plugin WordPress Books Gallery plugin <= 4.4.8 versions.

8.8
2023-05-23 CVE-2023-23713 Theme Tweaker Project Cross-Site Request Forgery (CSRF) vulnerability in Theme Tweaker Project Theme Tweaker

Cross-Site Request Forgery (CSRF) vulnerability in Manoj Thulasidas Theme Tweaker plugin <= 5.20 versions.

8.8
2023-05-23 CVE-2023-25056 Slickremix Cross-Site Request Forgery (CSRF) vulnerability in Slickremix Feed Them Social

Cross-Site Request Forgery (CSRF) vulnerability in SlickRemix Feed Them Social plugin <= 3.0.2 versions.

8.8
2023-05-23 CVE-2023-23706 Miniorange Cross-Site Request Forgery (CSRF) vulnerability in Miniorange Wordpress Social Login and Register (Discord, Google, Twitter, Linkedin)

Cross-Site Request Forgery (CSRF) vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 versions.

8.8
2023-05-23 CVE-2023-23724 Winwar Cross-Site Request Forgery (CSRF) vulnerability in Winwar WP Email Capture

Cross-Site Request Forgery (CSRF) vulnerability in Winwar Media WP Email Capture plugin <= 3.9.3 versions.

8.8
2023-05-23 CVE-2023-25472 Podlove Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podcast Publisher

Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher plugin <= 3.8.3 versions.

8.8
2023-05-23 CVE-2023-25481 Podlove Cross-Site Request Forgery (CSRF) vulnerability in Podlove Subscribe Button

Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Subscribe button plugin <= 1.3.7 versions.

8.8
2023-05-23 CVE-2023-25707 Vikwp Cross-Site Request Forgery (CSRF) vulnerability in Vikwp Vikbooking Hotel Booking Engine & PMS

Cross-Site Request Forgery (CSRF) vulnerability in E4J s.R.L.

8.8
2023-05-23 CVE-2023-25946 Qrio Improper Authentication vulnerability in Qrio Q-Sl2 Firmware

Authentication bypass vulnerability in Qrio Lock (Q-SL2) firmware version 2.0.9 and earlier allows a network-adjacent attacker to analyze the product's communication data and conduct an arbitrary operation under certain conditions.

8.8
2023-05-23 CVE-2023-27387 Tandd, Especmic Cross-Site Request Forgery (CSRF) vulnerability in multiple products

Cross-site request forgery (CSRF) in T&D Corporation and ESPEC MIC CORP.

8.8
2023-05-23 CVE-2023-27514 Contec OS Command Injection vulnerability in Contec Sv-Cpt-Mc310 Firmware and Sv-Cpt-Mc310F Firmware

OS command injection vulnerability in the download page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows a remote authenticated attacker to execute an arbitrary OS command.

8.8
2023-05-23 CVE-2023-27518 Contec Classic Buffer Overflow vulnerability in Contec Sv-Cpt-Mc310 Firmware and Sv-Cpt-Mc310F Firmware

Buffer overflow vulnerability in the multiple setting pages of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows a remote authenticated attacker to execute arbitrary code.

8.8
2023-05-23 CVE-2023-27521 Contec OS Command Injection vulnerability in Contec Sv-Cpt-Mc310 Firmware and Sv-Cpt-Mc310F Firmware

OS command injection vulnerability in the mail setting page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows remote authenticated attackers to execute an arbitrary OS command.

8.8
2023-05-23 CVE-2023-28394 Beekeeperstudio OS Command Injection vulnerability in Beekeeperstudio Beekeeper-Studio

Beekeeper Studio versions prior to 3.9.9 allows a remote authenticated attacker to execute arbitrary JavaScript code with the privilege of the application on the PC where the affected product is installed.

8.8
2023-05-23 CVE-2023-31996 Hanwhavision Command Injection vulnerability in Hanwhavision products

Hanwha IP Camera ANE-L7012R 1.41.01 is vulnerable to Command Injection due to improper sanitization of special characters for the NAS storage test function.

8.8
2023-05-22 CVE-2022-47311 Dataprobe Unspecified vulnerability in Dataprobe products

A proprietary protocol for iBoot devices is used for control and keepalive commands.

8.8
2023-05-22 CVE-2023-2505 Birddog Cross-Site Request Forgery (CSRF) vulnerability in Birddog products

The affected products have a CSRF vulnerability that could allow an attacker to execute code and upload malicious files.

8.8
2023-05-22 CVE-2023-2588 Teltonika Inclusion of Web Functionality from an Untrusted Source vulnerability in Teltonika Remote Management System

Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy.

8.8
2023-05-22 CVE-2023-32349 Teltonika Networks External Control of System or Configuration Setting vulnerability in Teltonika-Networks products

Version 00.07.03.4 and prior of Teltonika’s RUT router firmware contain a packet dump utility that contains proper validation for filter parameters.

8.8
2023-05-22 CVE-2023-32350 Teltonika Networks OS Command Injection vulnerability in Teltonika-Networks products

Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service.

8.8
2023-05-22 CVE-2023-25447 Inkthemes Cross-Site Request Forgery (CSRF) vulnerability in Inkthemes Colorway

Cross-Site Request Forgery (CSRF) vulnerability in Inkthemescom ColorWay theme <= 4.2.3 versions.

8.8
2023-05-22 CVE-2023-25448 Archivist Project Cross-Site Request Forgery (CSRF) vulnerability in Archivist Project Archivist

Cross-Site Request Forgery (CSRF) vulnerability in Eric Teubert Archivist – Custom Archive Templates plugin <= 1.7.4 versions.

8.8
2023-05-22 CVE-2023-31923 Supremainc Improper Preservation of Permissions vulnerability in Supremainc Biostar 2

Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions.

8.8
2023-05-22 CVE-2023-23797 Secondlinethemes Cross-Site Request Forgery (CSRF) vulnerability in Secondlinethemes Auto Youtube Importer

Cross-Site Request Forgery (CSRF) vulnerability in SecondLineThemes Auto YouTube Importer plugin <= 1.0.3 versions.

8.8
2023-05-22 CVE-2022-41608 Asgaros Cross-Site Request Forgery (CSRF) vulnerability in Asgaros Forum

Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum plugin <= 2.2.0 versions.

8.8
2023-05-22 CVE-2022-45076 Webmat Cross-Site Request Forgery (CSRF) vulnerability in Webmat Flexible Elementor Panel

Cross-Site Request Forgery (CSRF) vulnerability in WebMat Flexible Elementor Panel plugin <= 2.3.8 versions.

8.8
2023-05-22 CVE-2022-45079 Loginizer Cross-Site Request Forgery (CSRF) vulnerability in Loginizer

Cross-Site Request Forgery (CSRF) vulnerability in Softaculous Loginizer plugin <= 1.7.5 versions.

8.8
2023-05-22 CVE-2022-45376 Xootix Cross-Site Request Forgery (CSRF) vulnerability in Xootix Side Cart Woocommerce 1.0.0/1.0.2/2.0

Cross-Site Request Forgery (CSRF) vulnerability in XootiX Side Cart Woocommerce (Ajax) < 2.1 versions.

8.8
2023-05-22 CVE-2022-47167 Crayon Syntax Highlighter Project Cross-Site Request Forgery (CSRF) vulnerability in Crayon Syntax Highlighter Project Crayon Syntax Highlighter

Cross-Site Request Forgery (CSRF) vulnerability in Aram Kocharyan Crayon Syntax Highlighter plugin <= 2.8.4 versions.

8.8
2023-05-22 CVE-2022-47183 Stylist Project Cross-Site Request Forgery (CSRF) vulnerability in Stylist Project Stylist

Cross-Site Request Forgery (CSRF) vulnerability in StylistWP Extra Block Design, Style, CSS for ANY Gutenberg Blocks plugin <= 0.2.6 versions.

8.8
2023-05-22 CVE-2022-47611 Hover Image Project Cross-Site Request Forgery (CSRF) vulnerability in Hover Image Project Hover Image

Cross-Site Request Forgery (CSRF) vulnerability in Julian Weinert // cs&m Hover Image plugin <= 1.4.1 versions.

8.8
2023-05-22 CVE-2022-47142 Mediamatic Cross-Site Request Forgery (CSRF) vulnerability in Mediamatic Media Library Folders

Cross-Site Request Forgery (CSRF) vulnerability in Plugincraft Mediamatic – Media Library Folders plugin <= 2.8.1 versions.

8.8
2023-05-22 CVE-2022-47609 Nicearma Cross-Site Request Forgery (CSRF) vulnerability in Nicearma Dnui-Delete-Not-Used-Image

Cross-Site Request Forgery (CSRF) vulnerability in Nicearma DNUI plugin <= 2.8.1 versions.

8.8
2023-05-22 CVE-2023-22688 WP Tabs Slides Project Cross-Site Request Forgery (CSRF) vulnerability in WP Tabs Slides Project WP Tabs Slides

Cross-Site Request Forgery (CSRF) vulnerability in Abdul Ibad WP Tabs Slides plugin <= 2.0.3 versions.

8.8
2023-05-22 CVE-2023-22692 Name Directory Project Cross-Site Request Forgery (CSRF) vulnerability in Name Directory Project Name Directory

Cross-Site Request Forgery (CSRF) vulnerability in Jeroen Peters Name Directory plugin <= 1.27.1 versions.

8.8
2023-05-22 CVE-2023-22709 SRS Simple Hits Counter Project Cross-Site Request Forgery (CSRF) vulnerability in SRS Simple Hits Counter Project SRS Simple Hits Counter

Cross-Site Request Forgery (CSRF) vulnerability in Atif N SRS Simple Hits Counter plugin <= 1.1.0 versions.

8.8
2023-05-22 CVE-2023-22714 Supsystic Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Coming Soon

Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Coming Soon by Supsystic plugin <= 1.7.10 versions.

8.8
2023-05-22 CVE-2023-23680 WP Topbar Project Cross-Site Request Forgery (CSRF) vulnerability in WP Topbar Project WP Topbar 5.36

Cross-Site Request Forgery (CSRF) vulnerability in Bob Goetz WP-TopBar plugin <= 5.36 versions.

8.8
2023-05-22 CVE-2023-23712 User Meta Cross-Site Request Forgery (CSRF) vulnerability in User-Meta User Meta Manager

Cross-Site Request Forgery (CSRF) vulnerability in User Meta Manager plugin <= 3.4.9 versions.

8.8
2023-05-22 CVE-2023-23813 MY Calendar Project Cross-Site Request Forgery (CSRF) vulnerability in MY Calendar Project MY Calendar

Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My Calendar plugin <= 3.4.3 versions.

8.8
2023-05-22 CVE-2023-33235 Moxa Command Injection vulnerability in Moxa Mxsecurity 1.0

MXsecurity version 1.0 is vulnerable to command injection.

8.8
2023-05-22 CVE-2023-2587 Teltonika Cross-site Scripting vulnerability in Teltonika Remote Management System

Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface.

8.3
2023-05-23 CVE-2023-23693 Dell OS Command Injection vulnerability in Dell Vxrail Hyperconverged Infrastructure

Dell VxRail, versions prior to 7.0.450, contains an OS command injection vulnerability in the DCManager command-line utility.

8.2
2023-05-28 CVE-2023-2950 Open EMR Improper Authorization vulnerability in Open-Emr Openemr

Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1.

8.1
2023-05-27 CVE-2023-2946 Open EMR Improper Access Control vulnerability in Open-Emr Openemr

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.

8.1
2023-05-27 CVE-2023-2942 Open EMR Improper Input Validation vulnerability in Open-Emr Openemr

Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.1.

8.1
2023-05-26 CVE-2023-28382 ET X Path Traversal vulnerability in Et-X ESS REC

Directory traversal vulnerability in ESS REC Agent Server Edition series allows an authenticated attacker to view or alter an arbitrary file on the server.

8.1
2023-05-25 CVE-2023-2885 Cbot Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Cbot Core and Cbot Panel

Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in CBOT Chatbot allows Adversary in the Middle (AiTM). This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7.

8.1
2023-05-24 CVE-2023-33945 Liferay SQL Injection vulnerability in Liferay Digital Experience Platform and Liferay Portal

SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index.

8.1
2023-05-24 CVE-2023-1424 Mitsubishielectric Classic Buffer Overflow vulnerability in Mitsubishielectric products

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules and MELSEC iQ-R Series CPU modules allows a remote unauthenticated attacker to cause a denial of service (DoS) condition or execute malicious code on a target product by sending specially crafted packets.

8.1
2023-05-23 CVE-2023-2845 Fit2Cloud Unspecified vulnerability in Fit2Cloud Cloudexplorer Lite

Improper Access Control in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.

8.1
2023-05-22 CVE-2022-47320 Dataprobe Unspecified vulnerability in Dataprobe products

The iBoot device’s basic discovery protocol assists in initial device configuration.

8.1
2023-05-23 CVE-2023-30440 IBM Improper Input Validation vulnerability in IBM Powervm Hypervisor

IBM PowerVM Hypervisor FW860.00 through FW860.B3, FW950.00 through FW950.70, FW1010.00 through FW1010.50, FW1020.00 through FW1020.30, and FW1030.00 through FW1030.10 could allow a local attacker with control of a partition that has been assigned an SRIOV virtual function (VF) to cause a denial of service to a peer partition or arbitrary data corruption.

7.9
2023-05-28 CVE-2023-31873 GIN Project Unspecified vulnerability in GIN Project GIN 0.7.4

Gin 0.7.4 allows execution of arbitrary code when a crafted file is opened, e.g., via require('child_process').

7.8
2023-05-27 CVE-2023-26127 N158 Project Command Injection vulnerability in N158 Project N158

All versions of the package n158 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment.

7.8
2023-05-27 CVE-2023-26128 Keep Module Latest Project Command Injection vulnerability in Keep-Module-Latest Project Keep-Module-Latest

All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the installModule function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment.

7.8
2023-05-27 CVE-2023-26129 BWM NG Project Command Injection vulnerability in Bwm-Ng Project Bwm-Ng

All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file.

7.8
2023-05-26 CVE-2023-22970 Usebottles, Fedoraproject

Bottles before 51.0 mishandles YAML load, which allows remote code execution via a crafted file.

7.8
2023-05-25 CVE-2023-0950 Libreoffice, Debian Improper Validation of Array Index vulnerability in multiple products

Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded.

7.8
2023-05-25 CVE-2023-2480 M Files Missing Authorization vulnerability in M-Files

Missing access permission checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allow elevation of privilege via UI extension applications.

7.8
2023-05-25 CVE-2023-27529 Wacom Link Following vulnerability in Wacom Tablet Driver Installer

Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) contains an improper link resolution before file access vulnerability.

7.8
2023-05-24 CVE-2023-2873 Filseclab Out-of-bounds Write vulnerability in Filseclab Twister Antivirus 8.0/8.17

A vulnerability classified as critical was found in Twister Antivirus 8.

7.8
2023-05-24 CVE-2021-25749 Kubernetes Unspecified vulnerability in Kubernetes

Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.

7.8
2023-05-24 CVE-2023-1944 Kubernetes Use of Hard-coded Credentials vulnerability in Kubernetes Minikube

This vulnerability enables ssh access to minikube container using a default password.

7.8
2023-05-24 CVE-2023-31748 Wondershare Incorrect Permission Assignment for Critical Resource vulnerability in Wondershare Mobiletrans 4.0.11

Insecure permissions in MobileTrans v4.0.11 allows attackers to escalate privileges to local admin via replacing the executable file.

7.8
2023-05-24 CVE-2022-0357 Bitdefender Unquoted Search Path or Element vulnerability in Bitdefender Antivirus Plus, Internet Security and Total Security

Unquoted Search Path or Element vulnerability in the Vulnerability Scan component of Bitdefender Total Security, Bitdefender Internet Security, and Bitdefender Antivirus Plus allows an attacker to elevate privileges to SYSTEM. This issue affects: Bitdefender Total Security versions prior to 26.0.10.45. Bitdefender Internet Security versions prior to 26.0.10.45. Bitdefender Antivirus Plus versions prior to 26.0.10.45.

7.8
2023-05-23 CVE-2023-31747 Wondershare Unquoted Search Path or Element vulnerability in Wondershare Filmora 12

Wondershare Filmora 12 (Build 12.2.1.2088) was discovered to contain an unquoted service path vulnerability via the component NativePushService.

7.8
2023-05-23 CVE-2023-23694 Dell OS Command Injection vulnerability in Dell Vxrail Hyperconverged Infrastructure

Dell VxRail versions earlier than 7.0.450 contain an OS command injection vulnerability in VxRail Manager.

7.8
2023-05-23 CVE-2023-31826 Skyscreamer Missing Authorization vulnerability in Skyscreamer Nevado JMS 1.3.2

Skyscreamer Open Source Nevado JMS v1.3.2 does not perform security checks when receiving messages.

7.8
2023-05-22 CVE-2023-29838 Allwaysync Incorrect Default Permissions vulnerability in Allwaysync 19.0.3.0

Insecure Permission vulnerability found in Botkind/Siber Systems SyncApp v.19.0.3.0 allows a local attacker to escalate privileges via the SyncService.exe file.

7.8
2023-05-22 CVE-2023-25537 Dell Out-of-bounds Write vulnerability in Dell products

Dell PowerEdge 14G server BIOS versions prior to 2.18.1 and Dell Precision BIOS versions prior to 2.18.2, contain an Out of Bounds write vulnerability.

7.8
2023-05-24 CVE-2023-33248 Amazon Unspecified vulnerability in Amazon Alexa 8960323972

Amazon Alexa software version 8960323972 on Echo Dot 2nd generation and 3rd generation devices potentially allows attackers to deliver security-relevant commands via an audio signal between 16 and 22 kHz (often outside the range of human adult hearing).

7.6
2023-05-28 CVE-2023-32763 QT Classic Buffer Overflow vulnerability in QT

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1.

7.5
2023-05-27 CVE-2023-32695 Socket Improper Check for Unusual or Exceptional Conditions vulnerability in Socket Socket.Io-Parser

socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol.

7.5
2023-05-27 CVE-2023-32688 Parseplatform Improper Input Validation vulnerability in Parseplatform Parse Server Push Adapter

parse-server-push-adapter is the official Push Notification adapter for Parse Server.

7.5
2023-05-27 CVE-2023-33192 Tweedegolf Unspecified vulnerability in Tweedegolf Ntpd-Rs

ntpd-rs is an NTP implementation written in Rust.

7.5
2023-05-26 CVE-2023-32307 Signalwire
Debian
Heap-based Buffer Overflow vulnerability in multiple products

Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. Referring to [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54), several other potential heap-overflow and integer-overflow issues in stun_parse_attr_error_code and stun_parse_attr_uint32 were found because of the lack of attribute length checks when Sofia-SIP handles STUN packets.

7.5
2023-05-26 CVE-2023-32315 Igniterealtime Path Traversal vulnerability in Igniterealtime Openfire

Openfire is an XMPP server licensed under the Open Source Apache License.

7.5
2023-05-26 CVE-2023-28319 Haxx
Apple
Netapp
Use After Free vulnerability in multiple products

A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash.

7.5
2023-05-26 CVE-2023-2825 Gitlab Path Traversal vulnerability in Gitlab 16.0.0

An issue has been discovered in GitLab CE/EE affecting only version 16.0.0.

7.5
2023-05-26 CVE-2023-2879 Wireshark
Debian
Infinite Loop vulnerability in multiple products

GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file.

7.5
2023-05-26 CVE-2023-33247 Talend Unspecified vulnerability in Talend Data Catalog 7.320210930

Talend Data Catalog remote harvesting server before 8.0-20230413 contains a /upgrade endpoint that allows an unauthenticated WAR file to be deployed on the server.

7.5
2023-05-26 CVE-2021-46881 Huawei Classic Buffer Overflow vulnerability in Huawei Emui

The video framework has memory overwriting caused by addition overflow.

7.5
2023-05-26 CVE-2021-46882 Huawei Classic Buffer Overflow vulnerability in Huawei Emui

The video framework has memory overwriting caused by addition overflow.

7.5
2023-05-26 CVE-2021-46883 Huawei Classic Buffer Overflow vulnerability in Huawei Emui

The video framework has memory overwriting caused by addition overflow.

7.5
2023-05-26 CVE-2021-46884 Huawei Classic Buffer Overflow vulnerability in Huawei Emui

The video framework has memory overwriting caused by addition overflow.

7.5
2023-05-26 CVE-2021-46885 Huawei Classic Buffer Overflow vulnerability in Huawei Emui

The video framework has memory overwriting caused by addition overflow.

7.5
2023-05-26 CVE-2021-46886 Huawei Classic Buffer Overflow vulnerability in Huawei Emui

The video framework has memory overwriting caused by addition overflow.

7.5
2023-05-26 CVE-2022-48480 Huawei Integer Overflow or Wraparound vulnerability in Huawei Emui 10.1.0/10.1.1/11.0.0

Integer overflow vulnerability in some phones.

7.5
2023-05-26 CVE-2023-0116 Huawei Missing Authentication for Critical Function vulnerability in Huawei Emui 12.0/12.0.1/13.0.0

The reminder module lacks an authentication mechanism for broadcasts received.

7.5
2023-05-26 CVE-2023-20883 Vmware Resource Exhaustion vulnerability in VMWare Spring Boot

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

7.5
2023-05-26 CVE-2023-31226 Huawei Incorrect Authorization vulnerability in Huawei Emui 13.0.0

The SDK for the MediaPlaybackController module has improper permission verification.

7.5
2023-05-26 CVE-2023-31227 Huawei Unspecified vulnerability in Huawei Emui 13.0.0

The hwPartsDFR module has a vulnerability in API calling verification.

7.5
2023-05-25 CVE-2023-32067 C Ares Project
Fedoraproject
Debian

c-ares is an asynchronous resolver library.

7.5
2023-05-25 CVE-2023-2900 Nfine Rapid Development Platform Project Use of a Broken or Risky Cryptographic Algorithm vulnerability in Nfine Rapid Development Platform Project Nfine Rapid Development Platform 20230511

A vulnerability was found in NFine Rapid Development Platform 20230511.

7.5
2023-05-25 CVE-2023-33263 Wftpd Project Insufficiently Protected Credentials vulnerability in Wftpd Project Wftpd 3.25

In WFTPD 3.25, usernames and password hashes are stored in an openly viewable wftpd.ini configuration file within the WFTPD directory.

7.5
2023-05-25 CVE-2023-2798 Htmlunit Out-of-bounds Write vulnerability in Htmlunit

Those using HtmlUnit to browse untrusted webpages may be vulnerable to Denial of service attacks (DoS).

7.5
2023-05-25 CVE-2023-33355 Thecosy Unspecified vulnerability in Thecosy Icecms 1.0.0

IceCMS v1.0.0 has Insecure Permissions.

7.5
2023-05-25 CVE-2023-31861 Zlmediakit Path Traversal vulnerability in Zlmediakit 4.0

ZLMediaKit 4.0 is vulnerable to Directory Traversal.

7.5
2023-05-25 CVE-2023-31594 IC Missing Authentication for Critical Function vulnerability in IC Realtime Icip-P2012T Firmware 2.420

IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control via an exposed HTTP channel using VLC network.

7.5
2023-05-24 CVE-2023-31595 IC Unspecified vulnerability in IC Realtime Icip-P2012T Firmware 2.420

IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control via unauthenticated port access.

7.5
2023-05-24 CVE-2023-33980 Briarproject Resource Exhaustion vulnerability in Briarproject Briar

Bramble Synchronisation Protocol (BSP) in Briar before 1.4.22 allows attackers to cause a denial of service (repeated application crashes) via a series of long messages to a contact.

7.5
2023-05-24 CVE-2023-33949 Liferay Insecure Default Initialization of Resource vulnerability in Liferay Digital Experience Platform and Liferay Portal

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control.

7.5
2023-05-24 CVE-2023-33950 Liferay Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal

Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs.

7.5
2023-05-24 CVE-2023-33948 Liferay Missing Authorization vulnerability in Liferay Digital Experience Platform and Liferay Portal

The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.

7.5
2023-05-24 CVE-2023-2496 Granthweb Unspecified vulnerability in Granthweb GO Pricing

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized arbitrary file uploads due to an improper capability check on the 'validate_upload' function in versions up to, and including, 3.3.19.

7.5
2023-05-24 CVE-2023-31759 Keruistore Authentication Bypass by Capture-replay vulnerability in Keruistore Kerui W18 Firmware 1.0

Weak Security in the 433MHz keyfob of Kerui W18 Alarm System v1.0 allows attackers to gain full access via a code replay attack.

7.5
2023-05-24 CVE-2023-31761 Blitzwolf Authentication Bypass by Capture-replay vulnerability in Blitzwolf Bw-Is22 Firmware 1.0

Weak security in the transmitter of Blitzwolf BW-IS22 Smart Home Security Alarm v1.0 allows attackers to gain full access to the system via a code replay attack.

7.5
2023-05-24 CVE-2023-31762 Mydigoo Authentication Bypass by Capture-replay vulnerability in Mydigoo Dg-Hamb Firmware 1.0

Weak security in the transmitter of Digoo DG-HAMB Smart Home Security System v1.0 allows attackers to gain full access to the system via a code replay attack.

7.5
2023-05-24 CVE-2023-31763 Agshome Smart Alarm Project Authentication Bypass by Capture-replay vulnerability in Agshome Smart Alarm Project Agshome Smart Alarm Firmware 1.0

Weak security in the transmitter of AGShome Smart Alarm v1.0 allows attackers to gain full access to the system via a code replay attack.

7.5
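The four keyfob and transmitter entries above (CVE-2023-31759, CVE-2023-31761, CVE-2023-31762, CVE-2023-31763) are the same defect: the 433 MHz frame is a fixed code, so any recording of it is a valid frame forever. The Python below is an added example for this report, not firmware from any of the listed vendors. It models a fixed-code receiver next to a rolling-code receiver that binds each frame to a counter and a MAC; the shared key, the 4-byte counter and the forward window of 16 are assumptions made for the illustration.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-fob-key-0001"  # assumed to be provisioned at pairing time
WINDOW = 16  # assumed: how many unseen presses the receiver tolerates (fob used out of range)


class FixedCodeReceiver:
    """The weak design: the frame is a constant code, so any recording replays."""

    def __init__(self, device_code: bytes) -> None:
        self.device_code = device_code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.device_code)


def rolling_frame(key: bytes, counter: int, command: str) -> bytes:
    """Frame = counter (4 bytes) || command || truncated HMAC over both."""
    body = counter.to_bytes(4, "big") + command.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class RollingCodeReceiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""

    TAG_LEN = 8

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 4 + 1 + self.TAG_LEN:
            return False
        body, tag = frame[:-self.TAG_LEN], frame[-self.TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:self.TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged, or sent by a fob paired with a different key
        counter = int.from_bytes(body[:4], "big")
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False  # replayed (stale) or implausibly far ahead
        self.last_counter = counter
        return True


class Keyfob:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self, command: str) -> bytes:
        self.counter += 1
        return rolling_frame(self.key, self.counter, command)


def simulate_replay() -> dict[str, object]:
    """An attacker records one legitimate 'disarm' frame and sends it again later."""
    fixed_rx = FixedCodeReceiver(b"\x5a\x3c\x12")
    captured_fixed = b"\x5a\x3c\x12"  # constructed recording of the fixed code
    fixed = (fixed_rx.accept(captured_fixed), fixed_rx.accept(captured_fixed))

    fob, rx = Keyfob(SHARED_KEY), RollingCodeReceiver(SHARED_KEY)
    captured = fob.press("disarm")
    return {
        "fixed_code": fixed,                        # (True, True): the replay is accepted
        "rolling_first_use": rx.accept(captured),   # True
        "rolling_replay": rx.accept(captured),      # False: counter is not fresh
        "rolling_forged": rx.accept(rolling_frame(b"wrong-key", 99, "disarm")),  # False
    }


if __name__ == "__main__":
    for name, result in simulate_replay().items():
        print(f"{name}: {result}")
```

Deployed rolling-code schemes such as KeeLoq differ in cipher and frame layout, but the receiver-side rule is the same as here: never accept a counter at or below the last one seen, and bound how far ahead it may jump. The forward window is what lets a fob pressed out of range resynchronise; a gap larger than the window needs an explicit re-pairing step rather than a wider window.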
2023-05-23 CVE-2023-31726 Alist Project Unspecified vulnerability in Alist Project Alist 3.15.1

AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information.

7.5
2023-05-23 CVE-2023-23299 Garmin Unspecified vulnerability in Garmin Connect-Iq

The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely.

7.5
2023-05-23 CVE-2023-2703 Finexmedia Privacy Violation vulnerability in Finexmedia Competition Management System

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Finex Media Competition Management System allows Retrieve Embedded Sensitive Data, Collect Data as Provided by Users. This issue affects Competition Management System: before 23.07.

7.5
2023-05-23 CVE-2023-31517 Teeworlds Memory Leak vulnerability in Teeworlds 0.7.5

Teeworlds v0.7.5 was discovered to contain memory leaks.

7.5
2023-05-23 CVE-2023-31670 Webassembly Unspecified vulnerability in Webassembly Binary Toolkit 1.0.32

An issue in wasm2c 1.0.32, wasm2wat 1.0.32, wasm-decompile 1.0.32, and wasm-validate 1.0.32 allows attackers to cause a Denial of Service (DoS) via running a crafted binary.

7.5
2023-05-22 CVE-2023-28649 Snapone Improper Input Validation vulnerability in Snapone Orvc

The Hub in the Snap One OvrC cloud platform is a device used to centralize and manage nested devices connected to it.

7.5
2023-05-22 CVE-2023-31193 Snapone Cleartext Transmission of Sensitive Information vulnerability in Snapone Orvc

Snap One OvrC Pro versions prior to 7.3 use HTTP connections when downloading a program from their servers.

7.5
2023-05-22 CVE-2023-27067 Sitecore Path Traversal vulnerability in Sitecore Experience Platform

Directory Traversal vulnerability in Sitecore Experience Platform through 10.2 allows remote attackers to download arbitrary files via crafted command to download.aspx.

7.5
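Several entries in this report (the Sitecore download.aspx issue above, ZLMediaKit CVE-2023-31861, and the Nagvis, TIBCO EBX and second Sitecore entries in the medium table) are arbitrary file reads through a file-download handler. The Python below is an added example, not code from any of those products: a handler that resolves the requested name under a fixed base directory and refuses anything whose resolved path leaves it. The directory tree it probes is constructed in a temporary directory for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def safe_resolve(base_dir: Path, requested: str) -> Optional[Path]:
    """Return the filesystem path to serve, or None if it leaves base_dir.

    The request is decoded once, backslashes are normalised, and the check is
    made on the fully resolved path (symlinks followed, '..' collapsed) rather
    than on the request string, so encoded or mixed-separator traversal and
    symlinks planted inside the served tree are all caught by the same test.
    """
    base = base_dir.resolve()
    rel = unquote(requested).replace("\\", "/").lstrip("/")
    if "\x00" in rel:
        return None
    target = (base / rel).resolve()
    if target == base or base not in target.parents:
        return None
    return target


def serve(base_dir: Path, requested: str) -> Optional[bytes]:
    """Read the file a client asked for, or None when it is denied or absent."""
    target = safe_resolve(base_dir, requested)
    if target is None or not target.is_file():
        return None
    return target.read_bytes()


def demo() -> dict[str, bool]:
    """Build a throwaway tree (constructed for this example) and probe it."""
    root = Path(tempfile.mkdtemp())
    public = root / "public"
    public.mkdir()
    (public / "report.pdf").write_bytes(b"constructed sample")
    (root / "secret.txt").write_text("not for download")
    try:
        (public / "link.txt").symlink_to(root / "secret.txt")
    except OSError:
        pass  # symlinks may be unavailable on this platform; that probe then simply 404s
    requests = [
        "report.pdf",           # legitimate
        "sub/../report.pdf",    # '..' that stays inside base: harmless
        "../secret.txt",        # classic traversal
        "..%2Fsecret.txt",      # URL-encoded separator
        "..\\secret.txt",       # Windows separator
        "/etc/passwd",          # absolute path: becomes base/etc/passwd, which is absent
        "link.txt",             # symlink inside base pointing outside it
    ]
    return {req: serve(public, req) is not None for req in requests}


if __name__ == "__main__":
    for req, served in demo().items():
        print(f"{req!r:22} served={served}")
```

Note that the decision is made on the resolved path and nothing else; a denylist of `..` sequences misses the encoded, backslash and symlink variants, all of which the same resolve-then-compare check rejects. A double-encoded request such as `..%252Fsecret.txt` decodes to a literal file name under the base and is simply not found, which is the correct outcome.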
2023-05-22 CVE-2023-2839 Gpac Divide By Zero vulnerability in Gpac

Divide By Zero in GitHub repository gpac/gpac prior to 2.2.2.

7.5
2023-05-22 CVE-2023-31064 Apache Files or Directories Accessible to External Parties vulnerability in Apache Inlong

Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0.

7.5
2023-05-22 CVE-2023-31103 Apache Exposure of Resource to Wrong Sphere vulnerability in Apache Inlong 1.4.0/1.5.0/1.6.0

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of cluster of InLong. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7891 to solve it.

7.5
2023-05-22 CVE-2023-31206 Apache Exposure of Resource to Wrong Sphere vulnerability in Apache Inlong 1.4.0/1.5.0/1.6.0

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of nodes of InLong.

7.5
2023-05-22 CVE-2023-31453 Apache Incorrect Permission Assignment for Critical Resource vulnerability in Apache Inlong

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0.

7.5
2023-05-22 CVE-2023-31454 Apache Incorrect Permission Assignment for Critical Resource vulnerability in Apache Inlong

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can bind any cluster, even if he is not the cluster owner.

7.5
2023-05-22 CVE-2023-31058 Apache Deserialization of Untrusted Data vulnerability in Apache Inlong 1.4.0/1.5.0/1.6.0

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0.

7.5
2023-05-22 CVE-2023-28709 Apache
Debian
Netapp
Off-by-one Error vulnerability in multiple products

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87.

7.5
2023-05-22 CVE-2023-33297 Bitcoin Resource Exhaustion vulnerability in Bitcoin Core

Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (e.g., CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023.

7.5
2023-05-28 CVE-2023-33291 Ebankit Incorrect Default Permissions vulnerability in Ebankit 6

In ebankIT 6, the public endpoints /public/token/Email/generate and /public/token/SMS/generate allow generation of OTP messages to any e-mail address or phone number without validation.

7.4
2023-05-24 CVE-2023-25599 Mitel Cross-site Scripting vulnerability in Mitel Mivoice Connect 19.1/19.3

A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2, 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the test_presenter.php page.

7.4
2023-05-24 CVE-2023-33983 Briarproject Missing Authorization vulnerability in Briarproject Briar

The Introduction Client in Briar through 1.5.3 does not implement out-of-band verification for the public keys of introducees.

7.4
2023-05-23 CVE-2023-30382 Valvesoftware Out-of-bounds Write vulnerability in Valvesoftware Half-Life

A buffer overflow in the component hl.exe of Valve Half-Life up to 5433873 allows attackers to execute arbitrary code and escalate privileges by supplying crafted parameters.

7.3
2023-05-26 CVE-2023-32317 Autolabproject Path Traversal vulnerability in Autolabproject Autolab

Autolab is a course management service that enables auto-graded programming assignments.

7.2
2023-05-26 CVE-2023-32676 Autolabproject Path Traversal vulnerability in Autolabproject Autolab

Autolab is a course management service that enables auto-graded programming assignments.

7.2
2023-05-26 CVE-2023-33439 Faculty Evaluation System Project SQL Injection vulnerability in Faculty Evaluation System Project Faculty Evaluation System 1.0

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=.

7.2
2023-05-26 CVE-2023-33440 Faculty Evaluation System Project Unspecified vulnerability in Faculty Evaluation System Project Faculty Evaluation System 1.0

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.

7.2
2023-05-25 CVE-2023-26216 Tibco Path Traversal vulnerability in Tibco EBX Add-Ons

The server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an exploitable vulnerability that allows an attacker to upload files to a directory accessible by the web server.

7.2
2023-05-24 CVE-2023-31460 Mitel Command Injection vulnerability in Mitel Mivoice Connect

A vulnerability in the Connect Mobility Router component of MiVoice Connect versions 9.6.2208.101 and earlier could allow an authenticated attacker with internal network access to conduct a command injection attack due to insufficient restriction on URL parameters.

7.2
2023-05-23 CVE-2023-33617 Eparks OS Command Injection vulnerability in Eparks Fiberlink 210 Firmware 2.1.14X000

An OS Command Injection vulnerability in Parks Fiberlink 210 firmware version V2.1.14_X000 was found via the /boaform/admin/formPing target_addr parameter.

7.2
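The Parks Fiberlink entry above names the injection point precisely: a ping form whose target_addr parameter reaches the OS command line. The Linksys E2000 and WRT54GL entries in this table are the same class of bug in other embedded web interfaces. The Python below is an added example, not the firmware's code: it shows the injectable shape next to a handler that validates the target and runs the binary without a shell. The handler functions are hypothetical; only the parameter name comes from the advisory.

```python
import ipaddress
import re
import subprocess

# RFC 1123 host name: labels of letters, digits and hyphens, no leading or trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(target_addr: str) -> str:
    """The injectable pattern: the parameter is spliced into a line handed to a shell."""
    return f"ping -c 3 {target_addr}"


def validate_target(target_addr: str) -> str:
    """Accept only an IP literal (v4 or v6) or a host name; anything else is rejected."""
    try:
        return str(ipaddress.ip_address(target_addr))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target_addr):
        return target_addr
    raise ValueError(f"rejected ping target {target_addr!r}")


def safe_argv(target_addr: str) -> list[str]:
    """Argument vector for a shell-free exec; the target can only ever be argv[3]."""
    return ["ping", "-c", "3", validate_target(target_addr)]


def run_ping(target_addr: str) -> subprocess.CompletedProcess:
    # shell=False (the default) means metacharacters in the target are never interpreted,
    # and the allowlist above rejects them anyway, so the two defences are independent.
    return subprocess.run(safe_argv(target_addr), capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    hostile = "8.8.8.8; cat /etc/passwd"
    print("shell would run :", vulnerable_command(hostile))
    try:
        safe_argv(hostile)
    except ValueError as exc:
        print("safe handler    :", exc)
    print("safe argv       :", safe_argv("8.8.8.8"))
```

The allowlist is the control that matters on embedded targets, where the web server (boa in this case) usually has no option but to call `system()`: a validated IP literal or host name cannot carry `;`, `|`, backticks or `$(...)`, so even a handler that must still build a shell string is no longer injectable.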
2023-05-23 CVE-2023-27512 Contec Use of Hard-coded Credentials vulnerability in Contec Sv-Cpt-Mc310 Firmware and Sv-Cpt-Mc310F Firmware

Use of hard-coded credentials exists in SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10, and SV-CPT-MC310F versions prior to Ver.8.10, which may allow a remote authenticated attacker to log in to the affected product with administrative privilege and perform an unintended operation.

7.2
2023-05-23 CVE-2023-28392 Inaba OS Command Injection vulnerability in Inaba products

Wi-Fi AP UNIT AC-PD-WAPU v1.05_B04 and earlier, AC-PD-WAPUM v1.05_B04 and earlier, AC-PD-WAPU-P v1.05_B04P and earlier, AC-PD-WAPUM-P v1.05_B04P and earlier, AC-WAPU-300 v1.00_B07 and earlier, AC-WAPU-300-P v1.00_B08P and earlier, AC-WAPUM-300 v1.00_B07 and earlier, and AC-WAPUM-300-P v1.00_B08P and earlier allow an authenticated user with an administrative privilege to execute an arbitrary OS command.

7.2
2023-05-23 CVE-2023-31740 Linksys Command Injection vulnerability in Linksys E2000 Firmware 1.0.06

There is a command injection vulnerability in the Linksys E2000 router with firmware version 1.0.06.

7.2
2023-05-23 CVE-2023-31741 Linksys Command Injection vulnerability in Linksys E2000 Firmware 1.0.06

There is a command injection vulnerability in the Linksys E2000 router with firmware version 1.0.06.

7.2
2023-05-22 CVE-2023-25183 Snapone Unspecified vulnerability in Snapone Orvc

In Snap One OvrC Pro versions prior to 7.2, when logged into the superuser account, a new functionality appears that could allow users to execute arbitrary commands on the hub device.

7.2
2023-05-22 CVE-2023-31742 Linksys Command Injection vulnerability in Linksys Wrt54Gl Firmware 4.30.18.006

There is a command injection vulnerability in the Linksys WRT54GL router with firmware version 4.30.18.006.

7.2
2023-05-22 CVE-2023-2832 Bumsys Project SQL Injection vulnerability in Bumsys Project Bumsys

SQL Injection in GitHub repository unilogies/bumsys prior to 2.2.0.

7.2
2023-05-24 CVE-2022-41221 Opentext XXE vulnerability in Opentext Archive Center Administration

The client in OpenText Archive Center Administration through 21.2 allows XXE attacks.

7.1

174 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-05-26 CVE-2023-2002 Linux
Debian
Incorrect Authorization vulnerability in multiple products

A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel.

6.8
2023-05-23 CVE-2023-28390 Icom Unspecified vulnerability in Icom Sr-7100Vn#31 Firmware and Sr-7100Vn Firmware

Privilege escalation vulnerability in SR-7100VN firmware Ver.1.38(N) and earlier and SR-7100VN #31 firmware Ver.1.21 and earlier allows a network-adjacent attacker with administrative privilege of the affected product to obtain an administrative privilege of the OS (Operating System).

6.8
2023-05-26 CVE-2023-32318 Nextcloud Insufficient Session Expiration vulnerability in Nextcloud Server

Nextcloud server provides a home for data.

6.7
2023-05-27 CVE-2023-2926 Seacms Unspecified vulnerability in Seacms 11.6

A vulnerability was found in SeaCMS 11.6 and classified as problematic.

6.5
2023-05-26 CVE-2023-32319 Nextcloud Improper Restriction of Excessive Authentication Attempts vulnerability in Nextcloud Server

Nextcloud server is an open source personal cloud implementation.

6.5
2023-05-26 CVE-2023-2854 Wireshark
Debian
Out-of-bounds Write vulnerability in multiple products

BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file.

6.5
2023-05-26 CVE-2023-2855 Wireshark
Debian
Out-of-bounds Write vulnerability in multiple products

Candump log parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file.

6.5
2023-05-26 CVE-2023-2856 Wireshark
Debian
Out-of-bounds Write vulnerability in multiple products

VMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file.

6.5
2023-05-26 CVE-2023-2857 Wireshark
Debian
Out-of-bounds Write vulnerability in multiple products

BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file.

6.5
2023-05-26 CVE-2023-2858 Wireshark
Debian
Out-of-bounds Write vulnerability in multiple products

NetScaler file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file.

6.5
2023-05-26 CVE-2023-33187 Highlight Cleartext Transmission of Sensitive Information vulnerability in Highlight

Highlight is an open source, full-stack monitoring platform.

6.5
2023-05-26 CVE-2023-1664 Redhat Improper Certificate Validation vulnerability in Redhat products

A flaw was found in Keycloak.

6.5
2023-05-26 CVE-2023-1667 Libssh
Fedoraproject
Debian
Redhat
NULL Pointer Dereference vulnerability in multiple products

A NULL pointer dereference was found In libssh during re-keying with algorithm guessing.

6.5
2023-05-26 CVE-2023-2283 Libssh
Fedoraproject
Redhat
Improper Authentication vulnerability in multiple products

A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the `pki_verify_data_signature` function when a memory allocation fails.

6.5
2023-05-26 CVE-2023-33720 Mp4V2 Project Resource Exhaustion vulnerability in Mp4V2 Project Mp4V2 2.1.2

mp4v2 v2.1.2 was discovered to contain a memory leak via the class MP4BytesProperty.

6.5
2023-05-26 CVE-2022-46945 Nagvis Path Traversal vulnerability in Nagvis

Nagvis before 1.9.34 was discovered to contain an arbitrary file read vulnerability via the component /core/classes/NagVisHoverUrl.php.

6.5
2023-05-26 CVE-2022-39374 Matrix Resource Exhaustion vulnerability in Matrix Synapse 1.62.0

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation.

6.5
2023-05-25 CVE-2023-2903 Nfine Improper Access Control vulnerability in Nfine Rapid Development Platform 20230511

A vulnerability classified as problematic has been found in NFine Rapid Development Platform 20230511.

6.5
2023-05-25 CVE-2023-2804 Libjpeg Turbo Out-of-bounds Write vulnerability in Libjpeg-Turbo 2.1.90

A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file.

6.5
2023-05-25 CVE-2023-2901 Nfine Rapid Development Platform Project Unspecified vulnerability in Nfine Rapid Development Platform Project Nfine Rapid Development Platform 20230511

A vulnerability was found in NFine Rapid Development Platform 20230511.

6.5
2023-05-25 CVE-2023-2902 Nfine Rapid Development Platform Project Unspecified vulnerability in Nfine Rapid Development Platform Project Nfine Rapid Development Platform 20230511

A vulnerability was found in NFine Rapid Development Platform 20230511.

6.5
2023-05-25 CVE-2023-31147 C Ares Project
Fedoraproject
Use of Insufficiently Random Values vulnerability in multiple products

c-ares is an asynchronous resolver library.

6.5
2023-05-25 CVE-2023-26215 Tibco Path Traversal vulnerability in Tibco EBX Add-Ons

The server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that allows an attacker with low-privileged application access to read system files that are accessible to the web server.

6.5
2023-05-25 CVE-2023-22504 Atlassian Unrestricted Upload of File with Dangerous Type vulnerability in Atlassian Confluence Server

Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

6.5
2023-05-24 CVE-2022-30025 Credenceanalytics SQL Injection vulnerability in Credenceanalytics Ideal - Wealth and Funds 1.0

SQL injection in "/Framewrk/Home.jsp" file (POST method) in Credence Analytics iDEAL Wealth and Funds - 1.0 allows authenticated remote attackers to inject payload via "v" parameter.

6.5
2023-05-24 CVE-2023-33981 Briarproject Improper Validation of Integrity Check Value vulnerability in Briarproject Briar

Briar before 1.4.22 allows attackers to spoof other users' messages in a blog, forum, or private group, but each spoofed message would need to be an exact duplicate of a legitimate message displayed alongside the spoofed one.

6.5
2023-05-24 CVE-2021-25748 Kubernetes Unspecified vulnerability in Kubernetes Ingress-Nginx

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller.

6.5
2023-05-23 CVE-2023-26595 Cybozu Resource Exhaustion vulnerability in Cybozu Garoon

Denial-of-service (DoS) vulnerability in Message of Cybozu Garoon 4.10.0 to 5.9.2 allows a remote authenticated attacker to cause a denial of service condition.

6.5
2023-05-23 CVE-2023-27921 Jins Use of Hard-coded Credentials vulnerability in Jins Meme Firmware

JINS MEME CORE Firmware version 2.2.0 and earlier uses a hard-coded cryptographic key, which may lead to data acquired by a sensor of the affected product being decrypted by a network-adjacent attacker.

6.5
2023-05-22 CVE-2022-4945 Dataprobe Unspecified vulnerability in Dataprobe products

The Dataprobe cloud usernames and passwords are stored in plain text in a specific file.

6.5
2023-05-22 CVE-2023-27066 Sitecore Path Traversal vulnerability in Sitecore Experience Platform

Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle.

6.5
2023-05-22 CVE-2023-31101 Apache Insecure Default Initialization of Resource vulnerability in Apache Inlong 1.5.0/1.6.0

Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.5.0 through 1.6.0.

6.5
2023-05-22 CVE-2023-33281 Nissan Authentication Bypass by Capture-replay vulnerability in Nissan Sylphy Classic 2021 Firmware

The remote keyfob system on Nissan Sylphy Classic 2021 sends the same RF signal for each door-open request, which allows for a replay attack.

6.5
2023-05-25 CVE-2023-31130 C Ares Project
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

c-ares is an asynchronous resolver library.

6.4
2023-05-28 CVE-2023-32800 Rankmath Cross-site Scripting vulnerability in Rankmath SEO PRO

Unauth.

6.1
2023-05-28 CVE-2023-33319 Woocommerce Cross-site Scripting vulnerability in Woocommerce Automatewoo

Unauth.

6.1
2023-05-28 CVE-2023-33332 Woocommerce Product Vendors Project Cross-site Scripting vulnerability in Woocommerce Product Vendors Project Woocommerce Product Vendors

Unauth.

6.1
2023-05-28 CVE-2023-33309 Awesomemotive Cross-site Scripting vulnerability in Awesomemotive Duplicator

Unauth.

6.1
2023-05-28 CVE-2023-33326 Metagauss Cross-site Scripting vulnerability in Metagauss Eventprime

Unauth.

6.1
2023-05-28 CVE-2023-2948 Open EMR Cross-site Scripting vulnerability in Open-Emr Openemr

Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1.

6.1
2023-05-28 CVE-2023-2949 Open EMR Cross-site Scripting vulnerability in Open-Emr Openemr

Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.1.

6.1
2023-05-27 CVE-2023-2922 Comment System Project Cross-site Scripting vulnerability in Comment System Project Comment System 1.0

A vulnerability classified as problematic has been found in SourceCodester Comment System 1.0.

6.1
2023-05-27 CVE-2023-33195 Craftcms Cross-site Scripting vulnerability in Craftcms Craft CMS

Craft is a CMS for creating custom digital experiences on the web.

6.1
2023-05-27 CVE-2023-32325 Posthog Cross-site Scripting vulnerability in Posthog Posthog-Js

PostHog-js is a library to interface with the PostHog analytics tool.

6.1
2023-05-26 CVE-2023-33255 Uthscsa Cross-site Scripting vulnerability in Uthscsa Papaya Viewer 1.0

An issue was discovered in Papaya Viewer 1.0.1449.

6.1
2023-05-26 CVE-2023-20868 Vmware Cross-site Scripting vulnerability in VMWare Nsx-T Data Center

NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation.

6.1
2023-05-26 CVE-2023-32681 Python
Fedoraproject
Information Exposure vulnerability in multiple products

Requests is a HTTP library.

6.1
2023-05-26 CVE-2023-29098 Artistscope Cross-site Scripting vulnerability in Artistscope Copysafe web Protection

Unauth.

6.1
2023-05-25 CVE-2023-25439 Squarepiginteractive Cross-site Scripting vulnerability in Squarepiginteractive Fusioninvoice 20231.0

Stored Cross Site Scripting (XSS) vulnerability in Square Pig FusionInvoice 2023-1.0, allows attackers to execute arbitrary code via the description or content fields to the expenses, tasks, and customer details.

6.1
2023-05-25 CVE-2022-45366 WP Slimstat Cross-site Scripting vulnerability in Wp-Slimstat Slimstat Analytics

Unauth.

6.1
2023-05-25 CVE-2023-28370 Tornadoweb Open Redirect vulnerability in Tornadoweb Tornado

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

6.1
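The Tornado entry above is an open redirect: a crafted URL makes the server send the victim to a site the attacker chooses. The Python below is an added example and is not Tornado's code; it is a generic check for a "next"-style redirect parameter that permits only absolute-path references on the current origin and rejects the forms browsers treat as another host, including protocol-relative `//host`, the backslash variant `/\host`, and percent-encoded versions of both. The parameter name and the fallback path are assumptions.

```python
from urllib.parse import unquote, urlsplit


def is_safe_redirect(target: str) -> bool:
    """True only for a same-origin absolute path such as '/account?tab=1'."""
    t = unquote(target).strip()
    if not t or any(c in t for c in "\r\n\t\x00"):
        return False  # control characters can split headers or hide a scheme
    t_norm = t.replace("\\", "/")  # browsers treat '\' like '/' in URLs
    parts = urlsplit(t_norm)
    if parts.scheme or parts.netloc:
        return False  # absolute URL, javascript: URL, or '//host' protocol-relative
    if not t_norm.startswith("/") or t_norm.startswith("//"):
        return False  # must be an absolute-path reference on this origin
    return True


def redirect_target(requested: str, fallback: str = "/") -> str:
    """Location header value to emit for a user-supplied redirect parameter."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    probes = [
        "/account",
        "/login?next=/dashboard",
        "//evil.example/",
        "/\\evil.example",
        "%2F%2Fevil.example",
        "https://evil.example/",
        "javascript:alert(1)",
        "account",
    ]
    for p in probes:
        print(f"{p!r:28} -> {redirect_target(p)!r}")
```

The decisive detail is normalising backslashes before parsing: `urlsplit` sees no host in `/\evil.example`, but browsers rewrite the backslash to a slash and load `//evil.example`, which is the path-style bypass that tends to survive a check written purely against the parsed netloc.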
2023-05-25 CVE-2022-46907 Apache Cross-site Scripting vulnerability in Apache Jspwiki

A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

6.1
2023-05-24 CVE-2023-25598 Mitel Cross-site Scripting vulnerability in Mitel Mivoice Connect

A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2 and 20.x, 21.x, and 22.x through 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the home.php page.

6.1
2023-05-24 CVE-2023-33944 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.

6.1
2023-05-24 CVE-2023-33941 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter.

6.1
2023-05-24 CVE-2023-33938 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.

6.1
2023-05-24 CVE-2023-2864 Online Jewelry Store Project Cross-site Scripting vulnerability in Online Jewelry Store Project Online Jewelry Store 1.0

A vulnerability was found in SourceCodester Online Jewelry Store 1.0 and classified as problematic.

6.1
2023-05-24 CVE-2023-2862 Sscms Cross-site Scripting vulnerability in Sscms Siteserver CMS

A vulnerability, which was classified as problematic, was found in SiteServer CMS up to 7.2.1.

6.1
2023-05-23 CVE-2023-33599 Easyimages2 0 Project Cross-site Scripting vulnerability in Easyimages2.0 Project Easyimages2.0

EasyImages2.0 = 2.8.1 is vulnerable to Cross Site Scripting (XSS) via viewlog.php.

6.1
2023-05-23 CVE-2023-27922 Thenewsletterplugin Cross-site Scripting vulnerability in Thenewsletterplugin Newsletter

Cross-site scripting vulnerability in Newsletter versions prior to 7.6.9 allows a remote unauthenticated attacker to inject an arbitrary script.

6.1
2023-05-23 CVE-2023-30469 Hitachi Cross-site Scripting vulnerability in Hitachi OPS Center Analyzer 10.9.100

Cross-site Scripting vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component) allows Reflected XSS. This issue affects Hitachi Ops Center Analyzer: from 10.9.1-00 before 10.9.2-00.

6.1
2023-05-23 CVE-2023-31664 Wso2 Cross-site Scripting vulnerability in Wso2 API Manager

A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter.

6.1
2023-05-22 CVE-2023-31816 Content Management System Project Cross-site Scripting vulnerability in Content Management System Project Content Management System 1.0

IT Sourcecode Content Management System Project In PHP and MySQL With Source Code 1.0.0 is vulnerable to Cross Site Scripting (XSS) via /ecodesource/search_list.php.

6.1
2023-05-22 CVE-2023-31245 Snapone Open Redirect vulnerability in Snapone Orvc

Devices using Snap One OvrC cloud are sent to a web address when accessing a web management interface using an HTTP connection.

6.1
2023-05-22 CVE-2023-28467 Mybb Cross-site Scripting vulnerability in Mybb

In MyBB before 1.8.34, there is XSS in the User CP module via the user email field.

6.1
2023-05-22 CVE-2023-31584 Silicon Project Cross-site Scripting vulnerability in Silicon Project Silicon

GitHub repository cu/silicon commit a9ef36 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the User Input field.

6.1
2023-05-26 CVE-2023-28320 Haxx
Apple
Netapp
Resource Exhaustion vulnerability in multiple products

A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time.

5.9
2023-05-26 CVE-2023-28321 Haxx
Debian
Fedoraproject
Netapp
Apple
Improper Certificate Validation vulnerability in multiple products

An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates.

5.9
2023-05-26 CVE-2023-20882 Cloudfoundry Unspecified vulnerability in Cloudfoundry Cf-Deployment and Routing Release

In Cloud Foundry routing release versions from 0.262.0 and prior to 0.266.0, a bug in the gorouter process can lead to a denial of service of applications hosted on Cloud Foundry.

5.9
2023-05-24 CVE-2023-33982 Briarproject Inadequate Encryption Strength vulnerability in Briarproject Briar

Bramble Handshake Protocol (BHP) in Briar before 1.5.3 is not forward secure: eavesdroppers can decrypt network traffic between two accounts if they later compromise both accounts.

5.9
2023-05-22 CVE-2023-32348 Teltonika Server-Side Request Forgery (SSRF) vulnerability in Teltonika Remote Management System

Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN.

5.8
2023-05-27 CVE-2023-33188 Omninotes Externally Controlled Reference to a Resource in Another Sphere vulnerability in Omninotes Omni Notes

Omni-notes is an open source note-taking application for Android.

5.5
2023-05-26 CVE-2023-1981 Avahi
Fedoraproject
Redhat
Resource Exhaustion vulnerability in multiple products

A vulnerability was found in the avahi library.

5.5
2023-05-25 CVE-2023-0459 Linux Release of Invalid Pointer or Reference vulnerability in Linux Kernel

Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user().

5.5
2023-05-24 CVE-2023-2874 Filseclab Unspecified vulnerability in Filseclab Twister Antivirus 8.0/8.17

A vulnerability, which was classified as problematic, has been found in Twister Antivirus 8.

5.5
2023-05-24 CVE-2023-2875 Escanav NULL Pointer Dereference vulnerability in Escanav Escan Anti-Virus 22.0.1400.2443

A vulnerability, which was classified as problematic, was found in eScan Antivirus 22.0.1400.2443.

5.5
2023-05-24 CVE-2023-2870 Entechtaiwan Improper Resource Shutdown or Release vulnerability in Entechtaiwan Monitor Asset Manager 2.9

A vulnerability was found in EnTech Monitor Asset Manager 2.9.

5.5
2023-05-24 CVE-2023-2871 Fabulatech NULL Pointer Dereference vulnerability in Fabulatech USB for Remote Desktop 6.1.0.0

A vulnerability was found in FabulaTech USB for Remote Desktop 6.1.0.0.

5.5
2023-05-24 CVE-2023-2872 Electronic NULL Pointer Dereference vulnerability in Electronic Flexihub 5.5.14691.0

A vulnerability classified as problematic has been found in FlexiHub 5.5.14691.0.

5.5
2023-05-24 CVE-2023-2863 Simpledesign Cleartext Storage of Sensitive Information vulnerability in Simpledesign Diary With Lock: Daily Journal 1.012.Gp.B

A vulnerability has been found in Simple Design Daily Journal 1.012.GP.B on Android and classified as problematic.

5.5
2023-05-23 CVE-2023-31518 Teeworlds Use After Free vulnerability in Teeworlds 0.7.5

A heap use-after-free in the component CDataFileReader::GetItem of teeworlds v0.7.5 allows attackers to cause a Denial of Service (DoS) via a crafted map file.

5.5
2023-05-23 CVE-2023-31669 Webassembly Improper Encoding or Escaping of Output vulnerability in Webassembly Binary Toolkit 1.0.32

WebAssembly wat2wasm v1.0.32 allows attackers to cause a libc++abi.dylib crash by putting '@' before a quote (").

5.5
2023-05-22 CVE-2023-2837 Gpac Stack-based Buffer Overflow vulnerability in Gpac

Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.2.2.

5.5
2023-05-22 CVE-2022-0010 ABB Information Exposure Through Log Files vulnerability in ABB products

Insertion of Sensitive Information into Log File vulnerability in ABB QCS 800xA, ABB QCS AC450, ABB Platform Engineering Tools. An attacker, who already has local access to the QCS nodes, could successfully obtain the password for a system user account.

5.5
2023-05-28 CVE-2023-28785 Yoast Cross-site Scripting vulnerability in Yoast SEO

Auth.

5.4
2023-05-28 CVE-2023-33311 Crmperks Cross-site Scripting vulnerability in Crmperks Contact Form Entries - Contact Form 7 Wpforms and More

Auth.

5.4
2023-05-27 CVE-2023-2944 Open EMR Improper Access Control vulnerability in Open-Emr Openemr

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.

5.4
2023-05-27 CVE-2023-2945 Open EMR Missing Authorization vulnerability in Open-Emr Openemr

Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1.

5.4
2023-05-27 CVE-2023-2925 Webkul Cross-site Scripting vulnerability in Webkul Krayin CRM 1.2.4

A vulnerability, which was classified as problematic, was found in Webkul krayin crm 1.2.4.

5.4
2023-05-27 CVE-2023-32686 Kiwitcms Cross-site Scripting vulnerability in Kiwitcms Kiwi Tcms

Kiwi TCMS is an open source test management system for both manual and automated testing.

5.4
2023-05-26 CVE-2023-33185 Django SES Project Improper Verification of Cryptographic Signature vulnerability in Django-Ses Project Django-Ses

Django-SES is a drop-in mail backend for Django.

5.4
2023-05-26 CVE-2023-33196 Craftcms Cross-site Scripting vulnerability in Craftcms Craft CMS

Craft is a CMS for creating custom digital experiences.

5.4
2023-05-26 CVE-2023-33197 Craftcms Cross-site Scripting vulnerability in Craftcms Craft CMS

Craft is a CMS for creating custom digital experiences on the web.

5.4
2023-05-26 CVE-2023-2817 Craftcms Cross-site Scripting vulnerability in Craftcms Craft CMS

A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11.

5.4
2023-05-26 CVE-2023-33780 Invernyx Cross-site Scripting vulnerability in Invernyx Smartcars 3 0.5.8/0.5.9

A stored cross-site scripting (XSS) vulnerability in TFDi Design smartCARS 3 v0.7.0 and below allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the body of a news article.

5.4
2023-05-26 CVE-2023-33394 Skycaiji Cross-site Scripting vulnerability in Skycaiji 2.5.4

skycaiji v2.5.4 is vulnerable to Cross Site Scripting (XSS).

5.4
2023-05-25 CVE-2023-30615 Dfir Iris Cross-site Scripting vulnerability in Dfir-Iris Iris

Iris is a web collaborative platform aiming to help incident responders share technical details during investigations.

5.4
2023-05-25 CVE-2023-33750 Mipjz Project Cross-site Scripting vulnerability in Mipjz Project Mipjz 5.0.5

A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description parameter at /index.php?s=/article/ApiAdminArticle/itemAdd.

5.4
2023-05-25 CVE-2023-33751 Mipjz Project Cross-site Scripting vulnerability in Mipjz Project Mipjz 5.0.5

A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at /app/tag/controller/ApiAdminTagCategory.php.

5.4
2023-05-25 CVE-2023-32694 Saleor Information Exposure Through Discrepancy vulnerability in Saleor

Saleor Core is a composable, headless commerce API.

5.4
2023-05-25 CVE-2023-33356 Thecosy Cross-site Scripting vulnerability in Thecosy Icecms 1.0.0

IceCMS v1.0.0 is vulnerable to Cross Site Scripting (XSS).

5.4
2023-05-24 CVE-2023-33829 Cloudogu Cross-site Scripting vulnerability in Cloudogu SCM Manager

A stored cross-site scripting (XSS) vulnerability in Cloudogu GmbH SCM Manager v1.2 to v1.60 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description text field.

5.4
2023-05-24 CVE-2022-42225 Fit2Cloud Cross-site Scripting vulnerability in Fit2Cloud Lina

Jumpserver 2.10.0 <= version <= 2.26.0 contains multiple stored XSS vulnerabilities because of improper filtering of user input, which can execute any javascript under admin's permission.

5.4
2023-05-24 CVE-2023-33785 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Rack Roles (/dcim/rack-roles/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33786 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Circuit Types (/circuits/circuit-types/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33787 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Tenant Groups (/tenancy/tenant-groups/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33788 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Providers (/circuits/providers/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33789 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Contact Groups (/tenancy/contact-groups/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33790 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Locations (/dcim/locations/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33791 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Provider Accounts (/circuits/provider-accounts/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33792 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Site Groups (/dcim/site-groups/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33793 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Power Panels (/dcim/power-panels/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33794 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Tenants (/tenancy/tenants/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33795 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Contact Roles (/tenancy/contact-roles/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33797 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Sites (/dcim/sites/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33798 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Rack (/dcim/rack/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33799 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Contacts (/tenancy/contacts/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33800 Netbox Cross-site Scripting vulnerability in Netbox 3.5.1

A stored cross-site scripting (XSS) vulnerability in the Create Regions (/dcim/regions/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.

5.4
2023-05-24 CVE-2023-33942 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's `Title` field.

5.4
2023-05-24 CVE-2023-33943 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field.

5.4
2023-05-24 CVE-2023-33939 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.

5.4
2023-05-24 CVE-2023-33940 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL.

5.4
2023-05-24 CVE-2023-33937 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field.

5.4
2023-05-24 CVE-2023-2498 Granthweb Cross-site Scripting vulnerability in Granthweb GO Pricing

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.19 due to insufficient input sanitization and output escaping.

5.4
2023-05-23 CVE-2023-31860 Wuzhicms Cross-site Scripting vulnerability in Wuzhicms Wuzhi CMS 3.1.2

Wuzhi CMS v3.1.2 has a storage type XSS vulnerability in the backend of the Five Finger CMS b2b system.

5.4
2023-05-23 CVE-2023-1209 Servicenow Cross-site Scripting vulnerability in Servicenow

Cross-Site Scripting (XSS) vulnerabilities exist in ServiceNow records allowing an authenticated attacker to inject arbitrary scripts.

5.4
2023-05-23 CVE-2023-22654 Tandd
Especmic
Cross-site Scripting vulnerability in multiple products

Client-side enforcement of server-side security issue exists in T&D Corporation and ESPEC MIC CORP.

5.4
2023-05-23 CVE-2023-27923 Vektor INC Cross-site Scripting vulnerability in Vektor-Inc VK Blocks

Cross-site scripting vulnerability in Tag edit function of VK Blocks 1.53.0.1 and earlier and VK Blocks Pro 1.53.0.1 and earlier allows a remote authenticated attacker to inject an arbitrary script.

5.4
2023-05-23 CVE-2023-27925 Vektor INC Cross-site Scripting vulnerability in Vektor-Inc VK Blocks

Cross-site scripting vulnerability in Post function of VK Blocks 1.53.0.1 and earlier and VK Blocks Pro 1.53.0.1 and earlier allows a remote authenticated attacker to inject an arbitrary script.

5.4
2023-05-23 CVE-2023-27926 Vektor INC Cross-site Scripting vulnerability in Vektor-Inc VK ALL in ONE Expansion Unit

Cross-site scripting vulnerability in Profile setting function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script.

5.4
2023-05-23 CVE-2023-28367 Vektor INC Cross-site Scripting vulnerability in Vektor-Inc VK ALL in ONE Expansion Unit

Cross-site scripting vulnerability in CTA post function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script.

5.4
2023-05-23 CVE-2023-25440 Civicrm Cross-site Scripting vulnerability in Civicrm 5.59

Stored Cross Site Scripting (XSS) vulnerability in the add contact function of CiviCRM 5.59.alpha1 allows attackers to execute arbitrary code via the first/second name field.

5.4
2023-05-23 CVE-2023-31995 Hanwhavision Cross-site Scripting vulnerability in Hanwhavision products

Hanwha IP Camera ANE-L7012R 1.41.01 is vulnerable to Cross Site Scripting (XSS).

5.4
2023-05-22 CVE-2023-31779 Wekan Project Cross-site Scripting vulnerability in Wekan Project Wekan

Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS).

5.4
2023-05-28 CVE-2023-32762 QT Unspecified vulnerability in QT

An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1.

5.3
2023-05-27 CVE-2023-33184 Nextcloud Server-Side Request Forgery (SSRF) vulnerability in Nextcloud Mail

Nextcloud Mail is a mail app in Nextcloud.

5.3
2023-05-26 CVE-2023-33199 Linuxfoundation Reachable Assertion vulnerability in Linuxfoundation Rekor

Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software project's supply chain.

5.3
2023-05-26 CVE-2023-27311 Netapp Path Traversal vulnerability in Netapp Blue XP Connector

NetApp Blue XP Connector versions prior to 3.9.25 expose information via a directory listing.

5.3
2023-05-26 CVE-2023-0117 Huawei Improper Authentication vulnerability in Huawei Emui 13.0.0

The online authentication provided by the hwKitAssistant lacks strict identity verification of applications.

5.3
2023-05-25 CVE-2023-2255 Libreoffice
Debian

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt.

5.3
2023-05-25 CVE-2023-30851 Cilium Unspecified vulnerability in Cilium

Cilium is a networking, observability, and security solution with an eBPF-based dataplane.

5.3
2023-05-23 CVE-2023-28015 HCL Unspecified vulnerability in HCL Domino Appdev Pack

The HCL Domino AppDev Pack IAM service is susceptible to a User Account Enumeration vulnerability.

5.3
2023-05-23 CVE-2023-23545 Tandd
Especmic
Missing Authentication for Critical Function vulnerability in multiple products

Missing authentication for critical function exists in T&D Corporation and ESPEC MIC CORP.

5.3
2023-05-23 CVE-2023-31994 Hanwhavision Unspecified vulnerability in Hanwhavision products

Certain Hanwha products are vulnerable to Denial of Service (DoS).

5.3
2023-05-22 CVE-2023-28412 Snapone Information Exposure Through Discrepancy vulnerability in Snapone Orvc

When supplied with a random MAC address, Snap One OvrC cloud servers will return information about the device.

5.3
2023-05-22 CVE-2023-33293 Kaiostech Exposure of Resource to Wrong Sphere vulnerability in Kaiostech Kaios 3.0/3.1

An issue was discovered in KaiOS 3.0 and 3.1.

5.3
2023-05-22 CVE-2023-32346 Teltonika Response Discrepancy Information Exposure vulnerability in Teltonika Remote Management System

Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices.

5.3
2023-05-22 CVE-2023-33285 QT Out-of-bounds Read vulnerability in QT

An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1.

5.3
2023-05-26 CVE-2022-39335 Matrix Information Exposure vulnerability in Matrix Synapse

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation.

5.0
2023-05-25 CVE-2023-2881 Pimcore Insufficiently Protected Credentials vulnerability in Pimcore Customer-Data-Framework

Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10.

4.9
2023-05-23 CVE-2023-2844 Fit2Cloud Authorization Bypass Through User-Controlled Key vulnerability in Fit2Cloud Cloudexplorer Lite

Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.

4.9
2023-05-28 CVE-2023-33211 WP Matomo Integration Project Cross-site Scripting vulnerability in Wp-Matomo Integration Project Wp-Matomo Integration

Auth.

4.8
2023-05-28 CVE-2023-32958 Nosegraze Cross-site Scripting vulnerability in Nosegraze Novelist

Auth.

4.8
2023-05-28 CVE-2023-33328 Pluginops Cross-site Scripting vulnerability in Pluginops Mailchimp Subscribe Form

Auth.

4.8
2023-05-28 CVE-2023-33216 Gvectors Cross-site Scripting vulnerability in Gvectors Woodiscuz - Woocommerce Comments

Auth.

4.8
2023-05-27 CVE-2023-2947 Open EMR Cross-site Scripting vulnerability in Open-Emr Openemr

Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.

4.8
2023-05-26 CVE-2023-33194 Craftcms
Craftercms
Cross-site Scripting vulnerability in multiple products

Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload.

4.8
2023-05-26 CVE-2023-25781 Upload File Type Settings Plugin Project Cross-site Scripting vulnerability in Upload File Type Settings Plugin Project Upload File Type Settings Plugin

Auth.

4.8
2023-05-24 CVE-2023-25028 CC Custom Taxonomy Project Cross-site Scripting vulnerability in CC Custom Taxonomy Project CC Custom Taxonomy

Auth.

4.8
2023-05-26 CVE-2023-2898 Linux
Debian
Netapp
NULL Pointer Dereference vulnerability in multiple products

There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel.

4.7
2023-05-22 CVE-2023-33288 Linux Use After Free vulnerability in Linux Kernel

An issue was discovered in the Linux kernel before 6.2.9.

4.7
2023-05-26 CVE-2023-32311 Fit2Cloud Missing Authorization vulnerability in Fit2Cloud Cloudexplorer

CloudExplorer Lite is an open source cloud management platform.

4.3
2023-05-26 CVE-2023-32316 Fit2Cloud Missing Authorization vulnerability in Fit2Cloud Cloudexplorer

CloudExplorer Lite is an open source cloud management tool.

4.3
2023-05-26 CVE-2023-32323 Matrix Improper Input Validation vulnerability in Matrix Synapse

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation.

4.3
2023-05-25 CVE-2023-2886 Cbot Unspecified vulnerability in Cbot Core and Cbot Panel

Missing Origin Validation in WebSockets vulnerability in CBOT Chatbot allows Content Spoofing Via Application API Manipulation. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7.

4.3
2023-05-24 CVE-2023-1158 Hitachi Incorrect Authorization vulnerability in Hitachi products

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list. 

4.3
2023-05-24 CVE-2023-33946 Liferay Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page.

4.3
2023-05-24 CVE-2023-33947 Liferay Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.

4.3
2023-05-23 CVE-2023-33359 Piwigo Cross-Site Request Forgery (CSRF) vulnerability in Piwigo 13.6.0

Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function.

4.3
2023-05-23 CVE-2023-27304 Cybozu Unspecified vulnerability in Cybozu Garoon

Operation restriction bypass vulnerability in Message and Bulletin of Cybozu Garoon 4.6.0 to 5.9.2 allows a remote authenticated attacker to alter the data of Message and/or Bulletin.

4.3
2023-05-23 CVE-2023-27384 Cybozu Unspecified vulnerability in Cybozu Garoon 5.15.0

Operation restriction bypass vulnerability in MultiReport of Cybozu Garoon 5.15.0 allows a remote authenticated attacker to alter the data of MultiReport.

4.3
2023-05-23 CVE-2023-27920 Contec Unspecified vulnerability in Contec Sv-Cpt-Mc310 Firmware and Sv-Cpt-Mc310F Firmware

Improper access control vulnerability in the system date/time setting page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows a remote authenticated attacker to alter system date/time of the affected product.

4.3
2023-05-23 CVE-2023-31708 Eyoucms Cross-Site Request Forgery (CSRF) vulnerability in Eyoucms 1.6.2

A Cross-Site Request Forgery (CSRF) in EyouCMS v1.6.2 allows attackers to execute arbitrary commands via supplying a crafted HTML file to the Upload software format function.

4.3
2023-05-22 CVE-2023-33264 Hazelcast Insufficiently Protected Credentials vulnerability in Hazelcast

In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, configuration routines don't mask passwords in the member configuration properly.

4.3

3 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-05-26 CVE-2023-28322 Haxx
Fedoraproject
Apple
Netapp

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback.

3.7
2023-05-25 CVE-2023-31124 C Ares Project
Fedoraproject
Use of Insufficiently Random Values vulnerability in multiple products

c-ares is an asynchronous resolver library.

3.7
2023-05-26 CVE-2023-31225 Huawei Unspecified vulnerability in Huawei Emui

The Gallery app has the risk of hijacking attacks.

3.3