Weekly Vulnerabilities Reports > August 14 to 20, 2023

Overview

484 new vulnerabilities were reported during this period, including 92 critical vulnerabilities and 147 high severity vulnerabilities. This weekly summary reports vulnerabilities in 1835 products from 221 vendors including Google, Fedoraproject, Broadcom, Debian, and Cisco. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", "Command Injection", and "Path Traversal".

  • 366 reported vulnerabilities are remotely exploitable.
  • 2 reported vulnerabilities have a public exploit available.
  • 188 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 284 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 62 reported vulnerabilities.
  • Broadcom has the most reported critical vulnerabilities, with 11 reported vulnerabilities.


Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:


92 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-08-20 CVE-2023-4438 Inventory Management System Project SQL Injection vulnerability in Inventory Management System Project Inventory Management System 1.0

A vulnerability has been found in SourceCodester Inventory Management System 1.0 and classified as critical.

9.8
2023-08-20 CVE-2023-4440 Free Hospital Management System FOR Small Practices Project SQL Injection vulnerability in Free Hospital Management System for Small Practices Project Free Hospital Management System for Small Practices 1.0

A vulnerability was found in SourceCodester Free Hospital Management System for Small Practices 1.0.

9.8
2023-08-20 CVE-2023-4436 Inventory Management System Project SQL Injection vulnerability in Inventory Management System Project Inventory Management System 1.0

A vulnerability, which was classified as critical, has been found in SourceCodester Inventory Management System 1.0.

9.8
2023-08-20 CVE-2023-4437 Inventory Management System Project SQL Injection vulnerability in Inventory Management System Project Inventory Management System 1.0

A vulnerability, which was classified as critical, was found in SourceCodester Inventory Management System 1.0.

9.8
2023-08-20 CVE-2022-24989 Terra Master Injection vulnerability in Terra-Master Terramaster Operating System

TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI.

9.8
2023-08-18 CVE-2023-40174 Fobybus Insufficient Session Expiration vulnerability in Fobybus Social-Media-Skeleton

Social media skeleton is an uncompleted/framework social media project implemented using PHP, CSS, JavaScript and HTML.

9.8
2023-08-18 CVE-2023-40175 Puma HTTP Request Smuggling vulnerability in Puma

Puma is a Ruby/Rack web server built for parallelism.

9.8
2023-08-18 CVE-2023-4414 Byzoro Command Injection vulnerability in Byzoro Smart S85F

A vulnerability was found in Byzoro Smart S85F Management Platform up to 20230807.

9.8
2023-08-18 CVE-2023-4412 Totolink OS Command Injection vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023

A vulnerability was found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023 and classified as critical.

9.8
2023-08-18 CVE-2023-4410 Totolink OS Command Injection vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023

A vulnerability, which was classified as critical, was found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023.

9.8
2023-08-18 CVE-2023-4411 Totolink OS Command Injection vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023

A vulnerability has been found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023 and classified as critical.

9.8
2023-08-18 CVE-2023-4407 Credit Lite Project SQL Injection vulnerability in Credit Lite Project Credit Lite 1.5.4

A vulnerability classified as critical was found in Codecanyon Credit Lite 1.5.4.

9.8
2023-08-18 CVE-2023-32626 Elecom Unspecified vulnerability in Elecom Lan-W300N/Pr5 Firmware and Lan-W300N/Rs Firmware

Hidden functionality vulnerability in LAN-W300N/RS all versions, and LAN-W300N/PR5 all versions allows an unauthenticated attacker to log in to the product's certain management console and execute arbitrary OS commands.

9.8
2023-08-18 CVE-2023-35991 Elecom Unspecified vulnerability in Elecom products

Hidden functionality vulnerability in LOGITEC wireless LAN routers allows an unauthenticated attacker to log in to the product's certain management console and execute arbitrary OS commands.

9.8
2023-08-18 CVE-2023-39454 Elecom Classic Buffer Overflow vulnerability in Elecom products

Buffer overflow vulnerability in WRC-X1800GS-B v1.13 and earlier, WRC-X1800GSA-B v1.13 and earlier, and WRC-X1800GSH-B v1.13 and earlier allows an unauthenticated attacker to execute arbitrary code.

9.8
2023-08-18 CVE-2023-40069 Elecom OS Command Injection vulnerability in Elecom products

OS command injection vulnerability in ELECOM wireless LAN routers allows an attacker who can access the product to execute an arbitrary OS command by sending a specially crafted request.

9.8
2023-08-18 CVE-2023-39665 Dlink Classic Buffer Overflow vulnerability in Dlink Dir-868L Firmware 1.12Eumulti20170316

D-Link DIR-868L fw_revA_1-12_eu_multi_20170316 was discovered to contain a buffer overflow via the acStack_50 parameter.

9.8
2023-08-18 CVE-2023-39666 Dlink Classic Buffer Overflow vulnerability in Dlink Dir-842 Firmware 1.05B02

D-Link DIR-842 fw_revA_1-02_eu_multi_20151008 was discovered to contain multiple buffer overflows in the fgets function via the acStack_120 and acStack_220 parameters.

9.8
2023-08-18 CVE-2023-39667 Dlink Classic Buffer Overflow vulnerability in Dlink Dir-868L Firmware 1.12Eumulti20170316

D-Link DIR-868L fw_revA_1-12_eu_multi_20170316 was discovered to contain a buffer overflow via the param_2 parameter in the FUN_0000acb4 function.

9.8
2023-08-18 CVE-2023-39668 Dlink Classic Buffer Overflow vulnerability in Dlink Dir-868L Firmware 1.12Eumulti20170316

D-Link DIR-868L fw_revA_1-12_eu_multi_20170316 was discovered to contain a buffer overflow via the param_2 parameter in the inet_ntoa() function.

9.8
2023-08-18 CVE-2023-39670 Tenda Classic Buffer Overflow vulnerability in Tenda AC6 Firmware 15.03.05.16

Tenda AC6 _US_AC6V1.0BR_V15.03.05.16 was discovered to contain a buffer overflow via the function fgets.

9.8
2023-08-18 CVE-2023-39671 Dlink Classic Buffer Overflow vulnerability in Dlink Dir-880L A1 Firmware 107Wwb08

D-Link DIR-880 A1_FW107WWb08 was discovered to contain a buffer overflow via the function FUN_0001be68.

9.8
2023-08-18 CVE-2023-39672 Tenda Classic Buffer Overflow vulnerability in Tenda Wh450A Firmware 1.0.0.18

Tenda WH450 v1.0.0.18 was discovered to contain a buffer overflow via the function fgets.

9.8
2023-08-18 CVE-2023-39673 Tenda Classic Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18

Tenda AC15 V1.0BR_V15.03.05.18_multi_TD01 was discovered to contain a buffer overflow via the function FUN_00010e34().

9.8
2023-08-18 CVE-2023-39674 Dlink Classic Buffer Overflow vulnerability in Dlink Dir-880L A1 Firmware 107Wwb08

D-Link DIR-880 A1_FW107WWb08 was discovered to contain a buffer overflow via the function fgets.

9.8
2023-08-17 CVE-2023-39970 Acyba Unrestricted Upload of File with Dangerous Type vulnerability in Acyba Acymailing Starter

Unrestricted Upload of File with Dangerous Type vulnerability in AcyMailing component for Joomla.

9.8
2023-08-17 CVE-2023-36845 Juniper Unspecified vulnerability in Juniper Junos

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection and execution of code. This issue affects Juniper Networks Junos OS on EX Series and SRX Series: * All versions prior to 20.4R3-S9; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S7; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; * 22.4 versions prior to 22.4R2-S1, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2.

9.8
2023-08-17 CVE-2023-26469 Jorani Path Traversal vulnerability in Jorani 1.0.0

In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.

9.8
2023-08-17 CVE-2023-2917 Rockwellautomation Path Traversal vulnerability in Rockwellautomation Thinmanager Thinserver 13.1.0

The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to an improper input validation, a path traversal vulnerability exists, via the filename field, when the ThinManager processes a certain function.

9.8
2023-08-17 CVE-2023-34215 Moxa Command Injection vulnerability in Moxa Tn-5900 Firmware 3.1/3.2/3.3

TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability.

9.8
2023-08-17 CVE-2023-40252 Genians Code Injection vulnerability in Genians Genian NAC and Genian Ztna

Improper Control of Generation of Code ('Code Injection') vulnerability in Genians Genian NAC V4.0, Genians Genian NAC V5.0, Genians Genian NAC Suite V5.0, Genians Genian ZTNA allows Replace Trusted Executable. This issue affects Genian NAC V4.0: from V4.0.0 through V4.0.155; Genian NAC V5.0: from V5.0.0 through V5.0.42 (Revision 117460); Genian NAC Suite V5.0: from V5.0.0 through V5.0.54; Genian ZTNA: from V6.0.0 through V6.0.15.

9.8
2023-08-17 CVE-2023-33238 Moxa Command Injection vulnerability in Moxa Tn-4900 Firmware and Tn-5900 Firmware

TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command injection vulnerability.

9.8
2023-08-17 CVE-2023-33239 Moxa Command Injection vulnerability in Moxa Tn-4900 Firmware and Tn-5900 Firmware

TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command injection vulnerability.

9.8
2023-08-17 CVE-2023-34213 Moxa Command Injection vulnerability in Moxa Tn-5900 Firmware 3.1/3.2/3.3

TN-5900 Series firmware versions v3.3 and prior are vulnerable to command-injection vulnerability.

9.8
2023-08-17 CVE-2023-34214 Moxa Command Injection vulnerability in Moxa Tn-4900 Firmware and Tn-5900 Firmware

TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability.

9.8
2023-08-16 CVE-2023-38894 Tree KIT Project Unspecified vulnerability in Tree KIT Project Tree KIT

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function.

9.8
2023-08-16 CVE-2023-39846 Pantsel Improper Authentication vulnerability in Pantsel Konga 0.14.9

An issue in Konga v0.14.9 allows attackers to bypass authentication via a crafted JWT token.

9.8
2023-08-16 CVE-2023-4204 Moxa Use of Hard-coded Credentials vulnerability in Moxa Nport Iaw5000A-I/O Firmware

NPort IAW5000A-I/O Series firmware version v2.2 and prior is affected by a hardcoded credential vulnerability which poses a potential risk to the security and integrity of the affected device.

9.8
2023-08-16 CVE-2023-39115 Campcodes Unrestricted Upload of File with Dangerous Type vulnerability in Campcodes Complete Online Matrimonial Website System Script 3.3

install/aiz-uploader/upload in Campcodes Online Matrimonial Website System Script 3.3 allows XSS via a crafted SVG document.

9.8
2023-08-16 CVE-2023-32493 Dell Unspecified vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS, 9.5.0.x, contains a protection mechanism bypass vulnerability.

9.8
2023-08-16 CVE-2023-33663 AI DEV SQL Injection vulnerability in Ai-Dev Aicustomfee

In the module “Customization fields fee for your store” (aicustomfee) from ai-dev module for PrestaShop, an attacker can perform SQL injection up to 0.2.0.

9.8
2023-08-16 CVE-2020-26037 Evenbalance Path Traversal vulnerability in Evenbalance Punkbuster 1.902

Directory Traversal vulnerability in Server functionality in Even Balance Punkbuster version 1.902 before 1.905 allows remote attackers to execute arbitrary code.

9.8
2023-08-15 CVE-2023-39850 Schoolmate Project SQL Injection vulnerability in Schoolmate Project Schoolmate 1.3

Schoolmate v1.3 was discovered to contain multiple SQL injection vulnerabilities via the $courseid and $teacherid parameters at DeleteFunctions.php.

9.8
2023-08-15 CVE-2023-39851 Webchess Project SQL Injection vulnerability in Webchess Project Webchess 1.0

webchess v1.0 was discovered to contain a SQL injection vulnerability via the $playerID parameter at mainmenu.php.

9.8
2023-08-15 CVE-2023-39852 Doctor Appointment System Project SQL Injection vulnerability in Doctor Appointment System Project Doctor Appointment System 1.0

Doctormms v1.0 was discovered to contain a SQL injection vulnerability via the $userid parameter at myAppoinment.php.

9.8
2023-08-15 CVE-2023-38864 Comfast Command Injection vulnerability in Comfast Cf-Xr11 Firmware 2.7.2

An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the protal_delete_picname parameter in the sub_41171C function at bin/webmgnt.

9.8
2023-08-15 CVE-2023-38866 Comfast Command Injection vulnerability in Comfast Cf-Xr11 Firmware 2.7.2

COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected at function sub_415588.

9.8
2023-08-15 CVE-2023-38861 Wavlink Command Injection vulnerability in Wavlink Wl-Wn575A3 Firmware R75A3V1410220513

An issue in Wavlink WL_WNJ575A3 v.R75A3_V1410_220513 allows a remote attacker to execute arbitrary code via username parameter of the set_sys_adm function in adm.cgi.

9.8
2023-08-15 CVE-2023-38862 Comfast Command Injection vulnerability in Comfast Cf-Xr11 Firmware 2.7.2

An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the destination parameter of sub_431F64 function in bin/webmgnt.

9.8
2023-08-15 CVE-2023-38863 Comfast Command Injection vulnerability in Comfast Cf-Xr11 Firmware 2.7.2

An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the ifname and mac parameters in the sub_410074 function at bin/webmgnt.

9.8
2023-08-15 CVE-2023-38865 Comfast Command Injection vulnerability in Comfast Cf-Xr11 Firmware 2.7.2

COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected at function sub_4143F0.

9.8
2023-08-15 CVE-2023-4323 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable to improper session management of active sessions on Gateway setup

9.8
2023-08-15 CVE-2023-4324 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable due to insecure defaults of lacking HTTP Content-Security-Policy headers

9.8
2023-08-15 CVE-2023-4325 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable due to usage of Libcurl with LSA has known vulnerabilities

9.8
2023-08-15 CVE-2023-4329 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable due to insecure default of HTTP configuration that does not safeguard SESSIONID cookie with SameSite attribute

9.8
2023-08-15 CVE-2023-4336 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable due to insecure default of HTTP configuration that does not safeguard cookies with Secure attribute

9.8
2023-08-15 CVE-2023-4337 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable to improper session handling of managed servers on Gateway installation

9.8
2023-08-15 CVE-2023-4338 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable due to insecure default of HTTP configuration that does not provide X-Content-Type-Options Headers

9.8
2023-08-15 CVE-2023-4340 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller is vulnerable to Privilege escalation by taking advantage of the Session prints in the log file

9.8
2023-08-15 CVE-2023-4341 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller is vulnerable to Privilege escalation to root due to creation of insecure folders by Web GUI

9.8
2023-08-15 CVE-2023-4342 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable due to insecure defaults of lacking HTTP strict-transport-security policy

9.8
2023-08-15 CVE-2023-4344 Broadcom Use of Insufficiently Random Values vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable to insufficient randomness due to improper use of ssl.rnd to setup CIM connection

9.8
2023-08-15 CVE-2023-38860 Langchain Code Injection vulnerability in Langchain 0.0.231

An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter.

9.8
2023-08-15 CVE-2023-38889 Alluxio Code Injection vulnerability in Alluxio

An issue in Alluxio v.2.9.3 and before allows an attacker to execute arbitrary code via a crafted script to the username parameter of alluxio.util.CommonUtils.getUnixGroups(java.lang.String).

9.8
2023-08-15 CVE-2023-38896 Langchain Injection vulnerability in Langchain

An issue in Harrison Chase langchain v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions.

9.8
2023-08-15 CVE-2023-38915 Wolf18 Unrestricted Upload of File with Dangerous Type vulnerability in Wolf18 Easyadmin8 1.0

File Upload vulnerability in Wolf-leo EasyAdmin8 v.1.0 allows a remote attacker to execute arbitrary code via the upload type function.

9.8
2023-08-15 CVE-2023-39659 Langchain Injection vulnerability in Langchain

An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.

9.8
2023-08-15 CVE-2023-39661 Gabrieleventuri Injection vulnerability in Gabrieleventuri Pandasai

An issue in pandas-ai v.0.9.1 and before allows a remote attacker to execute arbitrary code via the _is_jailbreak function.

9.8
2023-08-15 CVE-2023-39662 Llamaindex Project Injection vulnerability in Llamaindex Project Llamaindex

An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in PandasQueryEngine function.

9.8
2023-08-15 CVE-2023-35082 Ivanti Improper Authentication vulnerability in Ivanti Endpoint Manager Mobile

An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication.

9.8
2023-08-14 CVE-2023-21287 Google Type Confusion vulnerability in Google Android

In multiple locations, there is a possible code execution due to type confusion.

9.8
2023-08-14 CVE-2023-20965 Google Insufficiently Protected Credentials vulnerability in Google Android 13.0

In processMessageImpl of ClientModeImpl.java, there is a possible credential disclosure in the TOFU flow due to a logic error in the code.

9.8
2023-08-14 CVE-2023-21242 Google Unspecified vulnerability in Google Android 13.0

In isServerCertChainValid of InsecureEapNetworkHandler.java, there is a possible way to trust an imposter server due to a logic error in the code.

9.8
2023-08-14 CVE-2023-3435 Solwininfotech Unspecified vulnerability in Solwininfotech User Activity LOG

The User Activity Log WordPress plugin before 1.6.5 does not correctly sanitise and escape several parameters before using them in a SQL statement as part of its exportation feature, allowing unauthenticated attackers to conduct SQL injection attacks.

9.8
2023-08-14 CVE-2023-29468 TI Classic Buffer Overflow vulnerability in TI Wilink8-Wifi-Mcp8 8.5

The Texas Instruments (TI) WiLink WL18xx MCP driver does not limit the number of information elements (IEs) of type XCC_EXT_1_IE_ID or XCC_EXT_2_IE_ID that can be parsed in a management frame.

9.8
2023-08-14 CVE-2023-39292 Mitel SQL Injection vulnerability in Mitel products

A SQL Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to access sensitive information and execute arbitrary database and management operations.

9.8
2023-08-14 CVE-2023-39293 Mitel Command Injection vulnerability in Mitel products

A Command Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to execute arbitrary commands within the context of the system.

9.8
2023-08-14 CVE-2023-32748 Mitel Incorrect Authorization vulnerability in Mitel Mivoice Connect

The Linux DVS server component of Mitel MiVoice Connect through 19.3 SP2 (22.24.1500.0) could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control.

9.8
2023-08-14 CVE-2023-40359 Invisible Island Unspecified vulnerability in Invisible-Island Xterm

xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue.

9.8
2023-08-14 CVE-2023-4322 Radare, Fedoraproject Out-of-bounds Write vulnerability in multiple products

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0.

9.8
2023-08-14 CVE-2023-30186 Onlyoffice Use After Free vulnerability in Onlyoffice Document Server

A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file.

9.8
2023-08-14 CVE-2023-30187 Onlyoffice Out-of-bounds Write vulnerability in Onlyoffice Document Server

An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file.

9.8
2023-08-14 CVE-2023-37847 Novel Plus SQL Injection vulnerability in Novel-Plus 3.6.2

novel-plus v3.6.2 was discovered to contain a SQL injection vulnerability.

9.8
2023-08-14 CVE-2023-3264 Cyberpower, Dataprobe Use of Hard-coded Credentials vulnerability in multiple products

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database. A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records.

9.8
2023-08-14 CVE-2023-3265 Cyberpower Unspecified vulnerability in Cyberpower Powerpanel Server

An authentication bypass exists on CyberPower PowerPanel Enterprise by failing to sanitize meta-characters from the username, allowing an attacker to log in to the application with the default user "cyberpower" by appending a non-printable character. An unauthenticated attacker can leverage this vulnerability to log in to the CyberPower PowerPanel Enterprise as an administrator with hardcoded default credentials.

9.8
2023-08-14 CVE-2023-3266 Cyberpower Unspecified vulnerability in Cyberpower Powerpanel Server

A non-feature complete authentication mechanism exists in the production application allowing an attacker to bypass all authentication checks if LDAP authentication is selected. An unauthenticated attacker can leverage this vulnerability to log in to the CyberPower PowerPanel Enterprise as an administrator by selecting LDAP authentication from a hidden HTML combo box.

9.8
2023-08-14 CVE-2023-3259 Dataprobe Deserialization of Untrusted Data vulnerability in Dataprobe products

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass.

9.8
2023-08-19 CVE-2023-2317 Typora Cross-site Scripting vulnerability in Typora

DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of Typora main window via loading typora://app/typemark/updater/update.html in <embed> tag.

9.6
2023-08-19 CVE-2023-2318 Marktext Cross-site Scripting vulnerability in Marktext

DOM-based XSS in src/muya/lib/contentState/pasteCtrl.js in MarkText 0.17.1 and before on Windows, Linux and macOS allows arbitrary JavaScript code to run in the context of MarkText main window.

9.6
2023-08-17 CVE-2023-2915 Rockwellautomation Path Traversal vulnerability in Rockwellautomation Thinmanager Thinserver 13.1.0

The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to improper input validation, a path traversal vulnerability exists when the ThinManager software processes a certain function.

9.1
2023-08-16 CVE-2023-20013 Cisco Command Injection vulnerability in Cisco Intersight Private Virtual Appliance 1.0.9

Multiple vulnerabilities in Cisco Intersight Private Virtual Appliance could allow an authenticated, remote attacker to execute arbitrary commands using root-level privileges.

9.1
2023-08-16 CVE-2023-20017 Cisco Command Injection vulnerability in Cisco Intersight Private Virtual Appliance 1.0.9

Multiple vulnerabilities in Cisco Intersight Private Virtual Appliance could allow an authenticated, remote attacker to execute arbitrary commands using root-level privileges.

9.1

147 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-08-18 CVE-2023-40172 Fobybus Cross-Site Request Forgery (CSRF) vulnerability in Fobybus Social-Media-Skeleton

Social media skeleton is an uncompleted/framework social media project implemented using PHP, CSS, JavaScript and HTML.

8.8
2023-08-18 CVE-2023-38890 Phpgurukul SQL Injection vulnerability in PHPgurukul Online Shopping Portal 3.1

Online Shopping Portal Project 3.1 allows remote attackers to execute arbitrary SQL commands/queries via the login form, leading to unauthorized access and potential data manipulation.

8.8
2023-08-18 CVE-2023-4415 Ruijienetworks Improper Authentication vulnerability in Ruijienetworks Rg-Ew1200G Firmware 07161417R483

A vulnerability was found in Ruijie RG-EW1200G 07161417 r483.

8.8
2023-08-18 CVE-2023-4409 Happysoft Unrestricted Upload of File with Dangerous Type vulnerability in Happysoft Nbs&Happysoftwechat 1.1.6

A vulnerability, which was classified as critical, has been found in NBS&HappySoftWeChat 1.1.6.

8.8
2023-08-18 CVE-2023-38132 Elecom Unspecified vulnerability in Elecom Lan-W451Ngr Firmware

LAN-W451NGR all versions provided by LOGITEC CORPORATION contains an improper access control vulnerability, which allows an unauthenticated attacker to log in to telnet service.

8.8
2023-08-18 CVE-2023-39445 Elecom Unspecified vulnerability in Elecom products

Hidden functionality vulnerability in LAN-WH300N/RE all versions provided by LOGITEC CORPORATION allows an unauthenticated attacker to execute arbitrary code by sending a specially crafted file to the product's certain management console.

8.8
2023-08-18 CVE-2023-39455 Elecom OS Command Injection vulnerability in Elecom products

OS command injection vulnerability in ELECOM wireless LAN routers allows an authenticated user to execute an arbitrary OS command by sending a specially crafted request.

8.8
2023-08-18 CVE-2023-39944 Elecom OS Command Injection vulnerability in Elecom Wrc-1750Ghbk Firmware and Wrc-F1167Acf Firmware

OS command injection vulnerability in WRC-F1167ACF all versions, and WRC-1750GHBK all versions allows an attacker who can access the product to execute an arbitrary OS command by sending a specially crafted request.

8.8
2023-08-18 CVE-2023-40072 Elecom OS Command Injection vulnerability in Elecom Wab-S300 Firmware and Wab-S600-Ps Firmware

OS command injection vulnerability in ELECOM wireless LAN access point devices allows an authenticated user to execute an arbitrary OS command by sending a specially crafted request.

8.8
2023-08-17 CVE-2023-40313 Opennms Unspecified vulnerability in Opennms Horizon

A BeanShell interpreter in remote server mode runs in OpenNMS Horizon versions earlier than 32.0.2 and in related Meridian versions which could allow arbitrary remote Java code execution.

8.8
2023-08-17 CVE-2023-37914 Xwiki Code Injection vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

8.8
2023-08-17 CVE-2023-38902 Ruijie Command Injection vulnerability in Ruijie products

A command injection vulnerability in RG-EW series home routers and repeaters v.EW_3.0(1)B11P219, RG-NBS and RG-S1930 series switches v.SWITCH_3.0(1)B11P219, RG-EG series business VPN routers v.EG_3.0(1)B11P219, EAP and RAP series wireless access points v.AP_3.0(1)B11P219, and NBC series wireless controllers v.AC_3.0(1)B11P219 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /cgi-bin/luci/api/cmd via the remoteIp field.

8.8
2023-08-17 CVE-2023-2910 Asustor Command Injection vulnerability in Asustor Data Master

Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors.

8.8
2023-08-17 CVE-2023-3697 Asustor Path Traversal vulnerability in Asustor Data Master

Printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and create files.

8.8
2023-08-17 CVE-2023-33237 Moxa Improper Authentication vulnerability in Moxa Tn-5900 Firmware 3.1/3.2/3.3

TN-5900 Series firmware version v3.3 and prior is vulnerable to an improper-authentication vulnerability.

8.8
2023-08-16 CVE-2023-20211 Cisco SQL Injection vulnerability in Cisco Unified Communications Manager

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.

8.8
2023-08-16 CVE-2023-35893 IBM OS Command Injection vulnerability in IBM Security Guardium

IBM Security Guardium 10.6, 11.3, 11.4, and 11.5 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

8.8
2023-08-16 CVE-2023-39975 MIT Double Free vulnerability in MIT Kerberos 5 1.21/1.21.1

kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure.

8.8
2023-08-16 CVE-2023-40336 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Folders

A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.

8.8
2023-08-16 CVE-2023-40341 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Blue Ocean

A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

8.8
2023-08-16 CVE-2023-0579 Yarpp Unspecified vulnerability in Yarpp

The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks.

8.8
2023-08-16 CVE-2023-1977 Oplugins Unspecified vulnerability in Oplugins Booking Manager

The Booking Manager WordPress plugin before 2.0.29 does not validate URLs input in its admin panel or in shortcodes for showing events from a remote .ics file, allowing an attacker with privileges as low as Subscriber to perform SSRF attacks on the site's internal network.

8.8
2023-08-15 CVE-2023-2312 Google Use After Free vulnerability in Google Chrome

Use after free in Offline in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4349 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Device Trust Connectors in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4351 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Network in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who has elicited a browser shutdown to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4352 Google
Debian
Fedoraproject
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4353 Google
Debian
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in ANGLE in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4354 Google
Debian
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in Skia in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4355 Google
Debian
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Out of bounds memory access in V8 in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4356 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Audio in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who has convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4357 Google
Debian
Fedoraproject

Insufficient validation of untrusted input in XML in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to bypass file access restrictions via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4358 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in DNS in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4362 Google
Debian
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in Mojom IDL in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who had compromised the renderer process and gained control of a WebUI process to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4366 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Extensions in Google Chrome prior to 116.0.5845.96 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4368 Google
Debian

Insufficient policy enforcement in Extensions API in Google Chrome prior to 116.0.5845.96 allowed an attacker who convinced a user to install a malicious extension to bypass an enterprise policy via a crafted HTML page.

8.8
2023-08-15 CVE-2023-4369 Google Unspecified vulnerability in Google Chrome

Insufficient data validation in Systems Extensions in Google Chrome on ChromeOS prior to 116.0.5845.120 allowed an attacker who convinced a user to install a malicious extension to bypass file restrictions via a crafted HTML page.

8.8
2023-08-15 CVE-2023-38916 Mohammad Ajazuddin SQL Injection vulnerability in Mohammad-Ajazuddin Evotingsystem-PHP 1.0

SQL Injection vulnerability in eVotingSystem-PHP v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the user input fields.

8.8
2023-08-15 CVE-2023-32004 Nodejs
Fedoraproject
Path Traversal vulnerability in multiple products

A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model.

8.8
2023-08-15 CVE-2023-32006 Nodejs
Fedoraproject

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

8.8
2023-08-15 CVE-2023-28479 Tigergraph Unspecified vulnerability in Tigergraph 3.7.0

An issue was discovered in Tigergraph Enterprise 3.7.0.

8.8
2023-08-14 CVE-2022-42828 Apple Unspecified vulnerability in Apple Macos

The issue was addressed with improved memory handling.

8.8
2023-08-14 CVE-2022-48503 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved bounds checks.

8.8
2023-08-14 CVE-2023-28198 Apple
Wpewebkit
Webkitgtk
Use After Free vulnerability in multiple products

A use-after-free issue was addressed with improved memory management.

8.8
2023-08-14 CVE-2023-32358 Apple Type Confusion vulnerability in Apple Ipados, Iphone OS and Macos

A type confusion issue was addressed with improved checks.

8.8
2023-08-14 CVE-2023-21273 Google Out-of-bounds Write vulnerability in Google Android

In SDP_AddAttribute of sdp_db.cc, there is a possible out of bounds write due to an incorrect bounds check.

8.8
2023-08-14 CVE-2023-21282 Google Out-of-bounds Write vulnerability in Google Android

In TRANSPOSER_SETTINGS of lpp_tran.h, there is a possible out of bounds write due to an incorrect bounds check.

8.8
2023-08-14 CVE-2023-28481 Tigergraph Authorization Bypass Through User-Controlled Key vulnerability in Tigergraph 3.7.0

An issue was discovered in Tigergraph Enterprise 3.7.0.

8.8
2023-08-14 CVE-2023-28483 Tigergraph Unspecified vulnerability in Tigergraph 3.7.0

An issue was discovered in Tigergraph Enterprise 3.7.0.

8.8
2023-08-14 CVE-2023-33013 Zyxel OS Command Injection vulnerability in Zyxel Nbg6604 Firmware 1.01(Abir.1)C0

A post-authentication command injection vulnerability in the NTP feature of Zyxel NBG6604 firmware version V1.01(ABIR.1)C0 could allow an authenticated attacker to execute some OS commands remotely by sending a crafted HTTP request.

8.8
2023-08-14 CVE-2023-3267 Cyberpower OS Command Injection vulnerability in Cyberpower Powerpanel Server

When adding a remote backup location, an authenticated user can pass arbitrary OS commands through the username field.

8.8
2023-08-14 CVE-2023-3260 Cyberpower
Dataprobe
OS Command Injection vulnerability in multiple products

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to command injection via the `user-name` URL parameter.

8.8
2023-08-14 CVE-2023-40295 0Branch Out-of-bounds Write vulnerability in 0Branch Boron 2.0.8

libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_strInitUtf8 at string.c.

8.8
2023-08-14 CVE-2023-40020 Troplo Improper Authentication vulnerability in Troplo Privateuploader

PrivateUploader is an open source image hosting server written in Vue and TypeScript.

8.3
2023-08-17 CVE-2023-3698 Asustor Path Traversal vulnerability in Asustor Data Master

Printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and delete files.

8.1
2023-08-17 CVE-2023-34216 Moxa Path Traversal vulnerability in Moxa Tn-4900 Firmware and Tn-5900 Firmware

TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability.

8.1
2023-08-17 CVE-2023-34217 Moxa Path Traversal vulnerability in Moxa Tn-4900 Firmware and Tn-5900 Firmware

TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability.

8.1
2023-08-16 CVE-2023-40034 Woodpecker CI Unspecified vulnerability in Woodpecker-Ci Woodpecker 1.0.0/1.0.1

Woodpecker is a community fork of the Drone CI system.

8.1
2023-08-15 CVE-2023-39438 SAP Missing Authorization vulnerability in SAP Contributor License Agreement Assistant

A missing authorization check allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant by executing specific additional steps.

8.1
2023-08-18 CVE-2023-38576 Elecom Unspecified vulnerability in Elecom Lan-Wh300N/Re Firmware

Hidden functionality vulnerability in LAN-WH300N/RE all versions provided by LOGITEC CORPORATION allows an authenticated user to execute arbitrary OS commands on a certain management console.

8.0
2023-08-17 CVE-2023-40315 Opennms Unspecified vulnerability in Opennms Horizon and Meridian

In OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 and related Meridian versions, any user that has the ROLE_FILESYSTEM_EDITOR can easily escalate their privileges to ROLE_ADMIN or any other role. The solution is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer.

8.0
2023-08-17 CVE-2023-38843 Atlos Improper Neutralization of Formula Elements in a CSV File vulnerability in Atlos 1.0

An issue in Atlos v.1.0 allows an authenticated attacker to execute arbitrary code via a crafted payload into the description field in the incident function.

8.0
2023-08-14 CVE-2023-0872 Opennms Unspecified vulnerability in Opennms Horizon and Meridian

The Horizon REST API includes a users endpoint that, in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms, is vulnerable to elevation of privilege. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer.

8.0
2023-08-17 CVE-2023-3078 Lenovo Uncontrolled Search Path Element vulnerability in Lenovo Universal Device Client

An uncontrolled search path vulnerability was reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated privileges.

7.8
2023-08-17 CVE-2023-4030 Lenovo Failing Open vulnerability in Lenovo products

A vulnerability was reported in BIOS for ThinkPad P14s Gen 2, P15s Gen 2, T14 Gen 2, and T15 Gen 2 that could cause the system to recover to insecure settings if the BIOS becomes corrupt.

7.8
2023-08-16 CVE-2023-20224 Cisco Argument Injection or Modification vulnerability in Cisco Thousandeyes Enterprise Agent

A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability is due to insufficient input validation of user-supplied CLI arguments.

7.8
2023-08-16 CVE-2023-4383 Escanav Incorrect Permission Assignment for Critical Resource vulnerability in Escanav Escan Anti-Virus 7.0.32

A vulnerability, which was classified as critical, was found in MicroWorld eScan Anti-Virus 7.0.32 on Linux.

7.8
2023-08-16 CVE-2023-32486 Dell Unspecified vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS 9.5.x contains a privilege escalation vulnerability.

7.8
2023-08-16 CVE-2023-32487 Dell Unspecified vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS, 8.2.x - 9.5.0.x, contains an elevation of privilege vulnerability.

7.8
2023-08-16 CVE-2023-32495 Dell Unspecified vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS, 8.2.x-9.5.x, contains an exposure of sensitive information to an unauthorized actor vulnerability.

7.8
2023-08-15 CVE-2023-38401 HP Unspecified vulnerability in HP Aruba Virtual Intranet Access

A vulnerability in the HPE Aruba Networking Virtual Intranet Access (VIA) client could allow local users to elevate privileges.

7.8
2023-08-14 CVE-2020-36615 Apple Out-of-bounds Read vulnerability in Apple Macos

An out-of-bounds read was addressed with improved bounds checking.

7.8
2023-08-14 CVE-2022-46706 Apple Type Confusion vulnerability in Apple mac OS X and Macos

A type confusion issue was addressed with improved state handling.

7.8
2023-08-14 CVE-2023-21229 Google Unspecified vulnerability in Google Android 11.0/13.0

In registerServiceLocked of ManagedServices.java, there is a possible bypass of background activity launch restrictions due to an unsafe PendingIntent.

7.8
2023-08-14 CVE-2023-21231 Google Unspecified vulnerability in Google Android 13.0

In getIntentForButton of ButtonManager.java, there is a possible way for an unprivileged application to start a non-exported or permission-protected activity due to a missing permission check.

7.8
2023-08-14 CVE-2023-21235 Google Unspecified vulnerability in Google Android 11.0/13.0

In onCreate of LockSettingsActivity.java, there is a possible way to set a new lockscreen PIN without entering the existing PIN due to a permissions bypass.

7.8
2023-08-14 CVE-2023-21272 Google Improper Input Validation vulnerability in Google Android 11.0/12.0/12.1

In readFrom of Uri.java, there is a possible bad URI permission grant due to improper input validation.

7.8
2023-08-14 CVE-2023-21275 Google Unspecified vulnerability in Google Android 12.0/12.1/13.0

In decideCancelProvisioningDialog of AdminIntegratedFlowPrepareActivity.java, there is a possible way to bypass factory reset protections due to a logic error in the code.

7.8
2023-08-14 CVE-2023-21281 Google Unspecified vulnerability in Google Android

In multiple functions of KeyguardViewMediator.java, there is a possible failure to lock after screen timeout due to a logic error in the code.

7.8
2023-08-14 CVE-2023-21286 Google Unspecified vulnerability in Google Android

In visitUris of RemoteViews.java, there is a possible way to reveal images across users due to a missing permission check.

7.8
2023-08-14 CVE-2023-35689 Google Insecure Default Initialization of Resource vulnerability in Google Android 11.0/13.0

In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a possible way to access adb before SUW completion due to an insecure default value.

7.8
2023-08-14 CVE-2023-21269 Google Improper Privilege Management vulnerability in Google Android 13.0

In startActivityInner of ActivityStarter.java, there is a possible way to launch an activity into PiP mode from the background due to BAL bypass.

7.8
2023-08-14 CVE-2023-38721 IBM Unspecified vulnerability in IBM I

The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i contains a local privilege escalation vulnerability.

7.8
2023-08-14 CVE-2023-3160 Eset Improper Privilege Management vulnerability in Eset products

The vulnerability potentially allows an attacker to misuse ESET’s file operations during the module update to delete or move files without having proper permissions.

7.8
2023-08-14 CVE-2023-40303 GNU Unchecked Return Value vulnerability in GNU Inetutils

GNU inetutils before 2.5 may allow privilege escalation because of unchecked return values of set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and uucpd.

7.8
2023-08-14 CVE-2023-40283 Linux
Debian
Canonical
Use After Free vulnerability in multiple products

An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10.

7.8
2023-08-20 CVE-2023-37369 QT
Debian

In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.

7.5
2023-08-20 CVE-2023-40711 Veilid Out-of-bounds Write vulnerability in Veilid

Veilid before 0.1.9 does not check the size of uncompressed data during decompression upon an envelope receipt, which allows remote attackers to cause a denial of service (out-of-memory abort) via crafted packet data, as exploited in the wild in August 2023.

7.5
2023-08-18 CVE-2023-38839 Kidus SQL Injection vulnerability in Kidus Minimati 1.0.0

SQL injection vulnerability in Kidus Minimati v.1.0.0 allows a remote attacker to obtain sensitive information via the ID parameter in the fulldelete.php component.

7.5
2023-08-18 CVE-2023-40173 Fobybus Insufficiently Protected Credentials vulnerability in Fobybus Social-Media-Skeleton

Social media skeleton is an uncompleted/framework social media project implemented using PHP, CSS, JavaScript and HTML.

7.5
2023-08-18 CVE-2023-20212 Cisco Unspecified vulnerability in Cisco Secure Endpoint and Secure Endpoint Private Cloud

A vulnerability in the AutoIt module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

7.5
2023-08-18 CVE-2023-39415 Northgrid Improper Authentication vulnerability in Northgrid Proself 1.07/1.62/5.61

Improper authentication vulnerability in Proself Enterprise/Standard Edition Ver5.61 and earlier, Proself Gateway Edition Ver1.62 and earlier, and Proself Mail Sanitize Edition Ver1.07 and earlier allow a remote unauthenticated attacker to log in to the product's Control Panel and perform an unintended operation.

7.5
2023-08-18 CVE-2023-39669 Dlink NULL Pointer Dereference vulnerability in Dlink Dir-880L A1 Firmware 107Wwb08

D-Link DIR-880 A1_FW107WWb08 was discovered to contain a NULL pointer dereference in the function FUN_00010824.

7.5
2023-08-18 CVE-2023-39125 Ntsc CRT Project Integer Overflow or Wraparound vulnerability in Ntsc-Crt Project Ntsc-Crt 2.2.1

NTSC-CRT 2.2.1 has an integer overflow and out-of-bounds write in loadBMP in bmp_rw.c because a file's width, height, and BPP are not validated.

7.5
2023-08-17 CVE-2023-40171 Netflix Information Exposure Through an Error Message vulnerability in Netflix Dispatch

Dispatch is an open source security incident management tool.

7.5
2023-08-17 CVE-2023-36106 Powerjob Unspecified vulnerability in Powerjob

An incorrect access control vulnerability in powerjob 4.3.2 and earlier allows remote attackers to obtain sensitive information via the interface for querying via appId parameter to /container/list.

7.5
2023-08-17 CVE-2023-40165 Rubygems Unspecified vulnerability in Rubygems Rubygems.Org

rubygems.org is the Ruby community's primary gem (library) hosting service.

7.5
2023-08-17 CVE-2023-2914 Rockwellautomation Integer Overflow or Wraparound vulnerability in Rockwellautomation Thinmanager Thinserver 13.1.0

The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability; an integer overflow condition exists in the affected products.

7.5
2023-08-17 CVE-2023-40272 Apache Unspecified vulnerability in Apache Apache-Airflow-Providers-Apache-Spark

Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection, giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected.

7.5
2023-08-17 CVE-2023-38838 Kiduswb SQL Injection vulnerability in Kiduswb Minimati 1.0.0

SQL injection vulnerability in Kidus Minimati v.1.0.0 allows a remote attacker to obtain sensitive information via the edit.php component.

7.5
2023-08-16 CVE-2023-20197 Cisco
Fedoraproject
Infinite Loop vulnerability in multiple products

A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding.

7.5
2023-08-16 CVE-2023-38737 IBM Resource Exhaustion vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server Liberty 22.0.0.13 through 23.0.0.7 is vulnerable to a denial of service, caused by sending a specially-crafted request.

7.5
2023-08-16 CVE-2023-40339 Jenkins Unspecified vulnerability in Jenkins Config File Provider

Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log.

7.5
2023-08-16 CVE-2023-40340 Jenkins Unspecified vulnerability in Jenkins Nodejs

Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.

7.5
2023-08-16 CVE-2023-4241 Cloudflare Unspecified vulnerability in Cloudflare Lol-Html

lol-html can cause panics on certain HTML inputs.

7.5
2023-08-15 CVE-2023-4326 Broadcom Use of a Broken or Risky Cryptographic Algorithm vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface has an insecure default TLS configuration that supports obsolete SHA1-based ciphersuites.

7.5
2023-08-15 CVE-2023-4331 Broadcom Use of a Broken or Risky Cryptographic Algorithm vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface has an insecure default TLS configuration that supports obsolete and vulnerable TLS protocols.

7.5
2023-08-15 CVE-2023-4332 Broadcom Incorrect Permission Assignment for Critical Resource vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable due to improper permissions on the log file.

7.5
2023-08-15 CVE-2023-4334 Broadcom Missing Authentication for Critical Function vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller Web server (nginx) is serving private files without any authentication

7.5
2023-08-15 CVE-2023-4335 Broadcom Missing Authentication for Critical Function vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller Web server (nginx) is serving private server-side files without any authentication on Linux

7.5
2023-08-15 CVE-2023-4339 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable to exposure of private keys used for CIM stored with insecure file permissions

7.5
2023-08-15 CVE-2023-4343 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable due to exposure of sensitive password information in the URL as a URL search parameter

7.5
2023-08-14 CVE-2023-21233 Google Use of Uninitialized Resource vulnerability in Google Android 11.0

In multiple locations of avrc, there is a possible leak of heap data due to uninitialized data.

7.5
2023-08-14 CVE-2023-40518 Litespeedtech Unspecified vulnerability in Litespeedtech Openlitespeed

LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers.

7.5
2023-08-14 CVE-2023-21265 Google Improper Certificate Validation vulnerability in Google Android

In multiple locations, there are root CA certificates which need to be disabled.

7.5
2023-08-14 CVE-2023-39827 Tenda Out-of-bounds Write vulnerability in Tenda A18 Firmware 15.13.07.09

Tenda A18 V15.13.07.09 was discovered to contain a stack overflow via the rule_info parameter in the formAddMacfilterRule function.

7.5
2023-08-14 CVE-2023-39828 Tenda Out-of-bounds Write vulnerability in Tenda A18 Firmware 15.13.07.09

Tenda A18 V15.13.07.09 was discovered to contain a stack overflow via the security parameter in the formWifiBasicSet function.

7.5
2023-08-14 CVE-2023-39829 Tenda Out-of-bounds Write vulnerability in Tenda A18 Firmware 15.13.07.09

Tenda A18 V15.13.07.09 was discovered to contain a stack overflow via the wpapsk_crypto2_4g parameter in the fromSetWirelessRepeat function.

7.5
2023-08-14 CVE-2023-40023 Yaklang Unspecified vulnerability in Yaklang

yaklang is a programming language designed for cybersecurity.

7.5
2023-08-14 CVE-2023-39908 Yubico Out-of-bounds Read vulnerability in Yubico Yubihsm 2 SDK

The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not properly validate the length of specific read operations on object metadata.

7.5
2023-08-14 CVE-2023-38741 IBM Unspecified vulnerability in IBM Txseries for Multiplatform 8.1/8.2/9.1

IBM TXSeries for Multiplatforms 8.1, 8.2, and 9.1 is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations.

7.5
2023-08-14 CVE-2023-31041 Insyde Cleartext Storage of Sensitive Information vulnerability in Insyde Insydeh2O

An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5.

7.5
2023-08-14 CVE-2023-30188 Onlyoffice Infinite Loop vulnerability in Onlyoffice Document Server

Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via a crafted JavaScript file.

7.5
2023-08-14 CVE-2023-3263 Dataprobe Improper Authentication vulnerability in Dataprobe products

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass in the REST API due to the mishandling of special characters when parsing credentials. Successful exploitation allows the malicious agent to obtain a valid authorization token and read information relating to the state of the relays and power distribution.

7.5
2023-08-14 CVE-2023-40296 Eminfedar Out-of-bounds Write vulnerability in Eminfedar Async-Sockets-Cpp

async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in ReceiveFrom and Receive in udpsocket.hpp when processing malformed UDP packets.

7.5
2023-08-14 CVE-2023-40274 Getzola Path Traversal vulnerability in Getzola Zola

An issue was discovered in zola 0.13.0 through 0.17.2.

7.5
2023-08-19 CVE-2023-2316 Typora Path Traversal vulnerability in Typora

Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/<absolute-path>".

7.4
2023-08-16 CVE-2022-4894 HP
Samsung
Uncontrolled Search Path Element vulnerability in multiple products

Certain HP and Samsung Printer software packages may potentially be vulnerable to elevation of privilege due to Uncontrolled Search Path Element.

7.3
2023-08-18 CVE-2023-39416 Northgrid OS Command Injection vulnerability in Northgrid Proself 1.07/1.62/5.61

Proself Enterprise/Standard Edition Ver5.61 and earlier, Proself Gateway Edition Ver1.62 and earlier, and Proself Mail Sanitize Edition Ver1.07 and earlier allow a remote authenticated attacker with an administrative privilege to execute arbitrary OS commands.

7.2
2023-08-17 CVE-2023-31938 Online Travel Agency System Project SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0

SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the emp_id parameter at employee_detail.php.

7.2
2023-08-17 CVE-2023-31939 Online Travel Agency System Project SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0

SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the costomer_id parameter at customer_edit.php.

7.2
2023-08-17 CVE-2023-31940 Online Travel Agency System Project SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0

SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the page_id parameter at article_edit.php.

7.2
2023-08-17 CVE-2023-31941 Online Travel Agency System Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0

File Upload vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via a crafted PHP file to the employee_insert.php.

7.2
2023-08-17 CVE-2023-31943 Online Travel Agency System Project SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0

SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the ticket_id parameter at ticket_detail.php.

7.2
2023-08-17 CVE-2023-31944 Online Travel Agency System Project SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0

SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the emp_id parameter at employee_edit.php.

7.2
2023-08-17 CVE-2023-31945 Online Travel Agency System Project SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0

SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the id parameter at daily_expenditure_edit.php.

7.2
2023-08-17 CVE-2023-31946 Online Travel Agency System Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0

File Upload vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via a crafted PHP file to the artical.php.

7.2
2023-08-16 CVE-2023-20209 Cisco Command Injection vulnerability in Cisco Telepresence Video Communication Server 14.0/14.0.5/14.0.7

A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device. This vulnerability is due to insufficient validation of user-supplied input.

7.2
2023-08-14 CVE-2023-3261 Cyberpower
Dataprobe
OS Command Injection vulnerability in multiple products

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier contains a buffer overflow vulnerability in the librta.so.0.0.0 library. Successful exploitation could cause denial of service or unexpected behavior with respect to all interactions relying on the targeted vulnerable binary, including the ability to log in via the web server.

7.2
2023-08-19 CVE-2023-2110 Obsidian Path Traversal vulnerability in Obsidian

Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>".

7.1
2023-08-16 CVE-2023-20229 Cisco Path Traversal vulnerability in Cisco DUO Device Health Application

A vulnerability in the CryptoService function of Cisco Duo Device Health Application for Windows could allow an authenticated, local attacker with low privileges to conduct directory traversal attacks and overwrite arbitrary files on an affected system. This vulnerability is due to insufficient input validation.

7.1
2023-08-16 CVE-2023-40033 Flarum Server-Side Request Forgery (SSRF) vulnerability in Flarum

Flarum is an open source forum software.

7.1
2023-08-16 CVE-2023-4387 Linux, Redhat Use After Free vulnerability in multiple products

A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel.

7.1
2023-08-16 CVE-2023-4389 Linux Double Free vulnerability in Linux Kernel

A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count.

7.1
2023-08-16 CVE-2023-32492 Dell Incorrect Default Permissions vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS 9.5.0.x contains an incorrect default permissions vulnerability.

7.1
2023-08-15 CVE-2023-38402 HP Unspecified vulnerability in HP Aruba Virtual Intranet Access

A vulnerability in the HPE Aruba Networking Virtual Intranet Access (VIA) client could allow malicious users to overwrite arbitrary files as NT AUTHORITY\SYSTEM.

7.1
2023-08-14 CVE-2023-28179 Apple Unspecified vulnerability in Apple Macos

The issue was addressed with improved memory handling.

7.1
2023-08-20 CVE-2023-37250 Unity Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Unity Parsec

Unity Parsec has a TOCTOU race condition that permits local attackers to escalate privileges to SYSTEM if Parsec was installed in "Per User" mode.

7.0

236 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-08-14 CVE-2023-21132 Google Missing Authorization vulnerability in Google Android 12.0/12.1/13.0

In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check.

6.8
2023-08-14 CVE-2023-21133 Google Missing Authorization vulnerability in Google Android 12.0/12.1/13.0

In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check.

6.8
2023-08-14 CVE-2023-21134 Google Missing Authorization vulnerability in Google Android 12.0/12.1/13.0

In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check.

6.8
2023-08-14 CVE-2023-21140 Google Missing Authorization vulnerability in Google Android 12.0/12.1/13.0

In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check.

6.8
2023-08-14 CVE-2023-40291 Samsung Unspecified vulnerability in Samsung Harman Infotainment 20190525031613

Harman Infotainment 20190525031613 allows root access via SSH over a USB-to-Ethernet dongle with a password that is an internal project name.

6.8
2023-08-14 CVE-2023-40293 Samsung Command Injection vulnerability in Samsung Harman Infotainment 20190525031613

Harman Infotainment 20190525031613 and later allows command injection via unauthenticated RPC with a D-Bus connection object.

6.8
2023-08-18 CVE-2023-27576 Phplist Unspecified vulnerability in PHPlist 3.6.12

An issue was discovered in phpList before 3.6.14.

6.7
2023-08-17 CVE-2023-34419 Lenovo Classic Buffer Overflow vulnerability in Lenovo products

A buffer overflow has been identified in the SetupUtility driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code.

6.7
2023-08-17 CVE-2023-4028 Lenovo Classic Buffer Overflow vulnerability in Lenovo products

A buffer overflow has been identified in the SystemUserMasterHddPwdDxe driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code.

6.7
2023-08-17 CVE-2023-4029 Lenovo Classic Buffer Overflow vulnerability in Lenovo products

A buffer overflow has been identified in the BoardUpdateAcpiDxe driver in some Lenovo ThinkPad products which may allow an attacker with local access and elevated privileges to execute arbitrary code.

6.7
2023-08-17 CVE-2023-29182 Fortinet Out-of-bounds Write vulnerability in Fortinet Fortios

A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiOS before 7.0.3 allows a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections.

6.7
2023-08-16 CVE-2023-32489 Dell Unspecified vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS 8.2x - 9.5x contains a privilege escalation vulnerability.

6.7
2023-08-16 CVE-2023-32490 Dell Unspecified vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS 8.2x - 9.5x contains an improper privilege management vulnerability.

6.7
2023-08-16 CVE-2023-32494 Dell Unspecified vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS, 8.0.x-9.5.x, contains an improper handling of insufficient privileges vulnerability.

6.7
2023-08-15 CVE-2023-20564 AMD Improper Input Validation vulnerability in AMD Ryzen Master and Ryzen Master Monitoring SDK

Insufficient validation in the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may permit a privileged attacker to perform memory reads/writes potentially leading to a loss of confidentiality or arbitrary kernel execution.

6.7
2023-08-14 CVE-2023-21264 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place.

6.7
2023-08-14 CVE-2023-3262 Dataprobe Use of Hard-coded Credentials vulnerability in Dataprobe products

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database. A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records.

6.7
2023-08-19 CVE-2023-2971 Typora Path Traversal vulnerability in Typora

Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/typemark/".

6.5
2023-08-18 CVE-2023-40037 Apache Incorrect Comparison vulnerability in Apache Nifi 1.21.0/1.22.0

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs.

6.5
2023-08-17 CVE-2023-31492 Zohocorp Insufficiently Protected Credentials vulnerability in Zohocorp Manageengine Admanager Plus

Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.

6.5
2023-08-17 CVE-2023-40168 Turbowarp Incorrect Authorization vulnerability in Turbowarp Desktop

TurboWarp is a desktop application that compiles scratch projects to JavaScript.

6.5
2023-08-16 CVE-2023-20111 Cisco Unspecified vulnerability in Cisco Identity Services Engine

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information. This vulnerability is due to the improper storage of sensitive information within the web-based management interface.

6.5
2023-08-16 CVE-2023-20221 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web-based management interface of an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device.

6.5
2023-08-16 CVE-2023-40345 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Delphix

Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to.

6.5
2023-08-16 CVE-2023-40347 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Maven Artifact Choicelistprovider (Nexus)

Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

6.5
2023-08-16 CVE-2023-32491 Dell Information Exposure Through Log Files vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS 9.5.0.x, contains an insertion of sensitive information into log file vulnerability in SNMPv3.

6.5
2023-08-15 CVE-2023-40028 Ghost Link Following vulnerability in Ghost

Ghost is an open source content management system.

6.5
2023-08-15 CVE-2023-4345 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable to a client-side control bypass that leads to unauthorized data access for a low-privileged user.

6.5
2023-08-15 CVE-2023-4350 Google, Debian, Fedoraproject

Inappropriate implementation in Fullscreen in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker to potentially spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

6.5
2023-08-15 CVE-2023-4367 Google, Debian, Fedoraproject

Insufficient policy enforcement in Extensions API in Google Chrome prior to 116.0.5845.96 allowed an attacker who convinced a user to install a malicious extension to bypass an enterprise policy via a crafted HTML page.

6.5
2023-08-15 CVE-2023-38851 Libxls Project Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2

Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the xls_parseWorkBook function in xls.c:1018.

6.5
2023-08-15 CVE-2023-38852 Libxls Project Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2

Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the unicode_decode_wcstombs function in xlstool.c:266.

6.5
2023-08-15 CVE-2023-38853 Libxls Project Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2

Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the xls_parseWorkBook function in xls.c:1015.

6.5
2023-08-15 CVE-2023-38854 Libxls Project Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2

Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the transcode_latin1_to_utf8 function in xlstool.c:296.

6.5
2023-08-15 CVE-2023-38855 Libxls Project Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2

Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the get_string function in xlstool.c:395.

6.5
2023-08-15 CVE-2023-38856 Libxls Project Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2

Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the get_string function in xlstool.c:411.

6.5
2023-08-15 CVE-2023-38858 Faad2 Project Out-of-bounds Write vulnerability in Faad2 Project Faad2 2.10.1

Buffer Overflow vulnerability in faad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the mp4info function in mp4read.c:1039.

6.5
2023-08-14 CVE-2023-28480 Tigergraph Unrestricted Upload of File with Dangerous Type vulnerability in Tigergraph 3.7.0

An issue was discovered in Tigergraph Enterprise 3.7.0.

6.5
2023-08-14 CVE-2023-28482 Tigergraph Unrestricted Upload of File with Dangerous Type vulnerability in Tigergraph 3.7.0

An issue was discovered in Tigergraph Enterprise 3.7.0.

6.5
2023-08-14 CVE-2023-28768 Zyxel Improper Handling of Exceptional Conditions vulnerability in Zyxel products

Improper frame handling in the Zyxel XGS2220-30 firmware version V4.80(ABXN.1), XMG1930-30 firmware version V4.80(ACAR.1), and XS1930-10 firmware version V4.80(ABQE.1) could allow an unauthenticated LAN-based attacker to cause denial-of-service (DoS) conditions by sending crafted frames to an affected switch.

6.5
2023-08-14 CVE-2023-40354 Mariadb Cleartext Storage of Sensitive Information vulnerability in Mariadb Maxscale

An issue was discovered in MariaDB MaxScale before 23.02.3.

6.5
2023-08-14 CVE-2023-40294 0Branch Out-of-bounds Write vulnerability in 0Branch Boron 2.0.8

libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_parseBlockI at i_parse_blk.c.

6.5
2023-08-16 CVE-2023-28075 Dell Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Dell products

Dell BIOS contains a Time-of-check Time-of-use vulnerability in BIOS.

6.3
2023-08-20 CVE-2023-4451 Agentejo Cross-site Scripting vulnerability in Agentejo Cockpit

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

6.1
2023-08-20 CVE-2023-4434 Hamza417 Missing Authorization vulnerability in Hamza417 Inure

Missing Authorization in GitHub repository hamza417/inure prior to build88.

6.1
2023-08-19 CVE-2023-4432 Agentejo Cross-site Scripting vulnerability in Agentejo Cockpit

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

6.1
2023-08-18 CVE-2023-38910 Cszcms Cross-site Scripting vulnerability in Cszcms CSZ CMS 1.3.0

CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Widget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin.

6.1
2023-08-18 CVE-2023-32122 Spiffyplugins Cross-site Scripting vulnerability in Spiffyplugins Spiffy Calendar

Unauth.

6.1
2023-08-18 CVE-2023-30499 Foliovision Cross-site Scripting vulnerability in Foliovision FV Flowplayer Video Player

Unauth.

6.1
2023-08-18 CVE-2023-32108 Eduva Cross-site Scripting vulnerability in Eduva Albo Pretorio Online

Unauth.

6.1
2023-08-18 CVE-2023-32109 Eduva Cross-site Scripting vulnerability in Eduva Albo Pretorio Online

Unauth.

6.1
2023-08-18 CVE-2023-31218 Pluginus Cross-site Scripting vulnerability in Pluginus Wolf - Wordpress Posts Bulk Editor and products Manager Professional

Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.6 versions.

6.1
2023-08-18 CVE-2023-32105 WP Pizza Cross-site Scripting vulnerability in Wp-Pizza Wppizza

Unauth.

6.1
2023-08-18 CVE-2023-32106 Fahad Mahmood Cross-site Scripting vulnerability in Fahad Mahmood WP Docs

Unauth.

6.1
2023-08-18 CVE-2023-32107 AYS PRO Cross-site Scripting vulnerability in Ays-Pro Photo Gallery

Unauth.

6.1
2023-08-18 CVE-2023-31094 Wptrio Cross-site Scripting vulnerability in Wptrio Stock Sync for Woocommerce

Unauth.

6.1
2023-08-17 CVE-2023-39971 Acymailing Cross-site Scripting vulnerability in Acymailing 6.7.0

Improper Neutralization of Input During Web Page Generation vulnerability in AcyMailing Enterprise component for Joomla allows XSS.

6.1
2023-08-17 CVE-2023-28693 Balasahebbhise Cross-site Scripting vulnerability in Balasahebbhise Advanced Youtube Channel Pagination

Unauth.

6.1
2023-08-17 CVE-2023-31072 Praveengoswami Cross-site Scripting vulnerability in Praveengoswami Advanced Category Template 0.1

Unauth.

6.1
2023-08-17 CVE-2023-26530 Updraftplus Cross-site Scripting vulnerability in Updraftplus Updraft

Unauth.

6.1
2023-08-17 CVE-2023-31074 Hupe13 Cross-site Scripting vulnerability in Hupe13 Extensions for Leaflet MAP

Unauth.

6.1
2023-08-17 CVE-2023-30877 Icopydoc Cross-site Scripting vulnerability in Icopydoc XML for Google Merchant Center

Unauth.

6.1
2023-08-17 CVE-2023-31071 Ylefebvre Cross-site Scripting vulnerability in Ylefebvre Modal Dialog

Unauth.

6.1
2023-08-17 CVE-2023-31076 Really Simple Plugins Cross-site Scripting vulnerability in Really-Simple-Plugins Recipe Maker for Your Food Blog From ZIP Recipes

Unauth.

6.1
2023-08-16 CVE-2023-20222 Cisco Cross-site Scripting vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system.

6.1
2023-08-16 CVE-2023-20228 Cisco Cross-site Scripting vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user input.

6.1
2023-08-16 CVE-2023-20242 Cisco Cross-site Scripting vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input.

6.1
2023-08-16 CVE-2023-0058 Tiempo Unspecified vulnerability in Tiempo

The Tiempo.com WordPress plugin through 0.1.2 does not have a CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

6.1
2023-08-16 CVE-2023-1465 Wpeasypay Unspecified vulnerability in Wpeasypay WP Easypay

The WP EasyPay WordPress plugin before 4.1 does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin.

6.1
2023-08-16 CVE-2023-2122 10Web Unspecified vulnerability in 10Web Image Optimizer

The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitise and escape the iowd_tabs_active parameter before rendering it in the plugin admin panel, leading to a reflected Cross-Site Scripting vulnerability, allowing an attacker to trick a logged-in admin into executing arbitrary JavaScript by clicking a link.

6.1
2023-08-16 CVE-2023-2123 Wpinventory Unspecified vulnerability in Wpinventory WP Inventory Manager

The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

6.1
2023-08-16 CVE-2023-2272 Tiempo Unspecified vulnerability in Tiempo

The Tiempo.com WordPress plugin through 0.1.2 does not sanitise and escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

6.1
2023-08-16 CVE-2023-30779 Daggerheart Cross-site Scripting vulnerability in Daggerheart Query Wrangler

Unauth.

6.1
2023-08-16 CVE-2023-30871 Webdados Cross-site Scripting vulnerability in Webdados Stock Exporter for Woocommerce

Unauth.

6.1
2023-08-16 CVE-2023-30473 Icopydoc Cross-site Scripting vulnerability in Icopydoc YML for Yandex Market

Unauth.

6.1
2023-08-16 CVE-2023-30782 Churchadminplugin Cross-site Scripting vulnerability in Churchadminplugin Church Admin

Unauth.

6.1
2023-08-16 CVE-2023-30785 I13Websolution Cross-site Scripting vulnerability in I13Websolution Video Grid

Unauth.

6.1
2023-08-16 CVE-2023-39507 Recruit Missing Authorization vulnerability in Recruit Rikunabi Next

Improper authorization in the custom URL scheme handler in "Rikunabi NEXT" App for Android prior to ver.

6.1
2023-08-16 CVE-2023-26140 Excalidraw Cross-site Scripting vulnerability in Excalidraw

Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization.

6.1
2023-08-15 CVE-2023-4371 Phprecdb Cross-site Scripting vulnerability in PHPrecdb 1.3.1

A vulnerability was found in phpRecDB 1.3.1.

6.1
2023-08-15 CVE-2023-30498 Codeflavors Cross-site Scripting vulnerability in Codeflavors Vimeotheque

Unauth.

6.1
2023-08-15 CVE-2023-30747 Wpgem Cross-site Scripting vulnerability in Wpgem Woocommerce Easy Duplicate Product

Unauth.

6.1
2023-08-14 CVE-2022-4953 Elementor Unspecified vulnerability in Elementor Website Builder

The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM.

6.1
2023-08-14 CVE-2023-2803 Themefic Unspecified vulnerability in Themefic Ultimate Addons for Contact Form 7

The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

6.1
2023-08-14 CVE-2023-40024 Nexb Cross-site Scripting vulnerability in Nexb Scancode.Io

ScanCode.io is a server to script and automate software composition analysis pipelines.

6.1
2023-08-14 CVE-2023-28535 Commoninja Cross-site Scripting vulnerability in Commoninja Paytm Payment Donation

Unauth.

6.1
2023-08-14 CVE-2023-30489 I13Websolution Cross-site Scripting vulnerability in I13Websolution Email Subscription Popup

Unauth.

6.1
2023-08-14 CVE-2023-30754 WP Foxly Cross-site Scripting vulnerability in WP Foxly Adfoxly 1.8.5

Unauth.

6.1
2023-08-14 CVE-2023-30475 Couponaffiliates Cross-site Scripting vulnerability in Couponaffiliates Woocommerce Affiliate

Unauth.

6.1
2023-08-14 CVE-2023-30483 Kibokolabs Cross-site Scripting vulnerability in Kibokolabs Watu Quiz

Unauth.

6.1
2023-08-14 CVE-2023-4321 Agentejo Cross-site Scripting vulnerability in Agentejo Cockpit

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3.

6.1
2023-08-17 CVE-2023-4394 Linux Use After Free vulnerability in Linux Kernel

A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel.

6.0
2023-08-17 CVE-2023-40251 Genians Missing Encryption of Sensitive Data vulnerability in Genians Genian NAC and Genian Ztna

Missing Encryption of Sensitive Data vulnerability in Genians Genian NAC V4.0, Genians Genian NAC V5.0, Genians Genian NAC Suite V5.0, Genians Genian ZTNA allows Man in the Middle Attack. This issue affects Genian NAC V4.0: from V4.0.0 through V4.0.155; Genian NAC V5.0: from V5.0.0 through V5.0.42 (Revision 117460); Genian NAC Suite V5.0: from V5.0.0 through V5.0.54; Genian ZTNA: from V6.0.0 through V6.0.15.

5.9
2023-08-16 CVE-2023-4384 Maximatech Missing Encryption of Sensitive Data vulnerability in Maximatech Portal Executivo 21.9.1.140

A vulnerability has been found in MaximaTech Portal Executivo 21.9.1.140 and classified as problematic.

5.9
2023-08-16 CVE-2023-40343 Jenkins Information Exposure Through Discrepancy vulnerability in Jenkins Tuleap Authentication

Jenkins Tuleap Authentication Plugin 1.1.20 and earlier uses a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

5.9
2023-08-20 CVE-2023-4435 Hamza417 Improper Input Validation vulnerability in Hamza417 Inure

Improper Input Validation in GitHub repository hamza417/inure prior to build88.

5.5
2023-08-18 CVE-2023-27471 Insyde Unspecified vulnerability in Insyde Insydeh2O

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.

5.5
2023-08-17 CVE-2023-38905 Jeecg SQL Injection vulnerability in Jeecg Boot

SQL injection vulnerability in Jeecg-boot v.3.5.0 and before allows a local attacker to cause a denial of service via the Benchmark, PG_Sleep, DBMS_Lock.Sleep, Waitfor, DECODE, and DBMS_PIPE.RECEIVE_MESSAGE functions.

5.5
2023-08-17 CVE-2023-39741 Long Range ZIP Project Out-of-bounds Write vulnerability in Long Range ZIP Project Long Range ZIP 0.651

lrzip v0.651 was discovered to contain a heap overflow via the libzpaq::PostProcessor::write(int) function at /libzpaq/libzpaq.cpp.

5.5
2023-08-16 CVE-2023-20217 Cisco Unspecified vulnerability in Cisco products

A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, local attacker to elevate privileges on an affected device. This vulnerability is due to insufficient input validation by the operating system CLI.

5.5
2023-08-16 CVE-2023-4385 Linux NULL Pointer Dereference vulnerability in Linux Kernel

A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel.

5.5
2023-08-16 CVE-2023-2737 Thalesgroup Incorrect Default Permissions vulnerability in Thalesgroup Safenet Authentication Service 3.4.0

Improper log permissions in SafeNet Authentication Service Version 3.4.0 on Windows allows an authenticated attacker to cause a denial of service via local privilege escalation.

5.5
2023-08-16 CVE-2023-39250 Dell Information Exposure Through Source Code vulnerability in Dell products

Dell Storage Integration Tools for VMware (DSITV) and Dell Storage vSphere Client Plugin (DSVCP) versions prior to 6.1.1 and Replay Manager for VMware (RMSV) versions prior to 3.1.2 contain an information disclosure vulnerability.

5.5
2023-08-15 CVE-2023-4327 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable to exposure of sensitive data and the keys used for encryption are accessible to any local user on Linux.

5.5
2023-08-15 CVE-2023-4328 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface is vulnerable to exposure of sensitive data and the keys used for encryption are accessible to any local user on Windows.

5.5
2023-08-15 CVE-2023-4333 Broadcom Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779

Broadcom RAID Controller web interface doesn’t enforce SSL cipher ordering by server.

5.5
2023-08-15 CVE-2023-38840 Bitwarden Unspecified vulnerability in Bitwarden

Bitwarden Desktop 2023.7.0 and below allows an attacker with local access to obtain sensitive information via the Bitwarden.exe process.

5.5
2023-08-15 CVE-2023-38850 Msweet Classic Buffer Overflow vulnerability in Msweet Codedoc 3.7

Buffer Overflow vulnerability in Michaelrsweet codedoc v.3.7 allows an attacker to cause a denial of service via the codedoc.c:1742 component.

5.5
2023-08-15 CVE-2023-38857 Faad2 Project Out-of-bounds Write vulnerability in Faad2 Project Faad2 2.10.1

Buffer Overflow vulnerability in faad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the stcoin function in mp4read.c.

5.5
2023-08-15 CVE-2023-24478 Intel Use of Insufficiently Random Values vulnerability in Intel Quartus Prime

Use of insufficiently random values for some Intel Agilex(R) software included as part of Intel(R) Quartus(R) Prime Pro Edition for Linux before version 22.4 may allow an authenticated user to potentially enable information disclosure via local access.

5.5
2023-08-14 CVE-2022-22646 Apple Unspecified vulnerability in Apple Macos 12.0.0/12.0.1/12.1

This issue was addressed by removing the vulnerable code.

5.5
2023-08-14 CVE-2022-22655 Apple Unspecified vulnerability in Apple Ipados, Iphone OS and Macos

An access issue was addressed with improvements to the sandbox.

5.5
2023-08-14 CVE-2022-26699 Apple Unspecified vulnerability in Apple Macos

A logic issue was addressed with improved state management.

5.5
2023-08-14 CVE-2022-46722 Apple Unspecified vulnerability in Apple Macos

A logic issue was addressed with improved checks.

5.5
2023-08-14 CVE-2023-27939 Apple Out-of-bounds Read vulnerability in Apple Macos

An out-of-bounds read was addressed with improved input validation.

5.5
2023-08-14 CVE-2023-27947 Apple Out-of-bounds Read vulnerability in Apple Macos

An out-of-bounds read was addressed with improved input validation.

5.5
2023-08-14 CVE-2023-27948 Apple Out-of-bounds Read vulnerability in Apple Macos

An out-of-bounds read was addressed with improved input validation.

5.5
2023-08-14 CVE-2023-28199 Apple Out-of-bounds Read vulnerability in Apple Macos

An out-of-bounds read issue existed that led to the disclosure of kernel memory.

5.5
2023-08-14 CVE-2023-21230 Google Improper Check for Unusual or Exceptional Conditions vulnerability in Google Android 11.0/13.0

In onAccessPointChanged of AccessPointPreference.java, there is a possible way for unprivileged apps to receive a broadcast about WiFi access point change and its BSSID or SSID due to a precondition check failure.

5.5
2023-08-14 CVE-2023-21234 Google Missing Authorization vulnerability in Google Android 11.0/13.0

In launchConfirmationActivity of ChooseLockSettingsHelper.java, there is a possible way to enable developer options without the lockscreen PIN due to a missing permission check.

5.5
2023-08-14 CVE-2023-21271 Google Out-of-bounds Read vulnerability in Google Android 12.0/12.1/13.0

In parseInputs of ShimPreparedModel.cpp, there is a possible out of bounds read due to improper input validation.

5.5
2023-08-14 CVE-2023-21274 Google Out-of-bounds Read vulnerability in Google Android 12.0/12.1/13.0

In convertSubgraphFromHAL of ShimConverter.cpp, there is a possible out of bounds read due to a missing bounds check.

5.5
2023-08-14 CVE-2023-21276 Google Use of Uninitialized Resource vulnerability in Google Android 12.0/12.1/13.0

In writeToParcel of CursorWindow.cpp, there is a possible information disclosure due to uninitialized data.

5.5
2023-08-14 CVE-2023-21277 Google Unspecified vulnerability in Google Android 12.0/12.1/13.0

In visitUris of RemoteViews.java, there is a possible way to reveal images across users due to a missing permission check.

5.5
2023-08-14 CVE-2023-21279 Google Unspecified vulnerability in Google Android 12.0/12.1/13.0

In visitUris of RemoteViews.java, there is a possible cross-user media read due to a confused deputy.

5.5
2023-08-14 CVE-2023-21280 Google Resource Exhaustion vulnerability in Google Android 12.0/12.1/13.0

In setMediaButtonBroadcastReceiver of MediaSessionRecord.java, there is a possible permanent DoS due to resource exhaustion.

5.5
2023-08-14 CVE-2023-21283 Google Unspecified vulnerability in Google Android

In multiple functions of StatusHints.java, there is a possible way to reveal images across users due to a confused deputy.

5.5
2023-08-14 CVE-2023-21284 Google Improper Input Validation vulnerability in Google Android

In multiple functions of DevicePolicyManager.java, there is a possible way to prevent enabling the Find my Device feature due to improper input validation.

5.5
2023-08-14 CVE-2023-21285 Google Unspecified vulnerability in Google Android

In setMetadata of MediaSessionRecord.java, there is a possible way to view another user's images due to a confused deputy.

5.5
2023-08-14 CVE-2023-21288 Google Missing Authorization vulnerability in Google Android

In visitUris of Notification.java, there is a possible way to reveal images across users due to a missing permission check.

5.5
2023-08-14 CVE-2023-21289 Google Unspecified vulnerability in Google Android

In multiple locations, there is a possible bypass of a multi user security boundary due to a confused deputy.

5.5
2023-08-14 CVE-2023-21290 Google Race Condition vulnerability in Google Android

In update of MmsProvider.java, there is a possible way to bypass file permission checks due to a race condition.

5.5
2023-08-14 CVE-2023-21292 Google Unspecified vulnerability in Google Android

In openContentUri of ActivityManagerService.java, there is a possible way for a third party app to obtain restricted files due to a confused deputy.

5.5
2023-08-14 CVE-2023-21267 Google Unspecified vulnerability in Google Android

In multiple functions of KeyguardViewMediator.java, there is a possible way to bypass lockdown mode with screen pinning due to a logic error in the code.

5.5
2023-08-14 CVE-2023-21268 Google Path Traversal vulnerability in Google Android

In update of MmsProvider.java, there is a possible way to change directory permissions due to a path traversal error.

5.5
2023-08-14 CVE-2023-40360 Qemu NULL Pointer Dereference vulnerability in Qemu

QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled.

5.5
2023-08-14 CVE-2023-40305 GNU Out-of-bounds Write vulnerability in GNU Indent 2.2.13

GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in indent.c via a crafted file.

5.5
2023-08-19 CVE-2023-4433 Agentejo Cross-site Scripting vulnerability in Agentejo Cockpit

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

5.4
2023-08-18 CVE-2023-38911 Cszcms Cross-site Scripting vulnerability in Cszcms CSZ CMS 1.3.0

A Cross-Site Scripting (XSS) vulnerability in CSZ CMS 1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Gallery parameter in the YouTube URL fields.

5.4
2023-08-18 CVE-2023-29387 Juliencrego Cross-site Scripting vulnerability in Juliencrego Manager for Icomoon

Auth.

5.4
2023-08-18 CVE-2023-32103 Themepalace Cross-site Scripting vulnerability in Themepalace TP Education

Auth.

5.4
2023-08-17 CVE-2023-28783 Phpradar Cross-site Scripting vulnerability in PHPradar Woocommerce Tip/Donation

Auth.

5.4
2023-08-17 CVE-2023-31079 Thechrisroberts Cross-site Scripting vulnerability in Thechrisroberts Tippy

Auth.

5.4
2023-08-17 CVE-2023-28622 Tridenttechnolabs Cross-site Scripting vulnerability in Tridenttechnolabs Easy Slider Revolution

Auth.

5.4
2023-08-17 CVE-2023-4395 Agentejo Cross-site Scripting vulnerability in Agentejo Cockpit

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

5.4
2023-08-16 CVE-2023-35011 IBM Server-Side Request Forgery (SSRF) vulnerability in IBM Cognos Analytics

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to server-side request forgery (SSRF).

5.4
2023-08-16 CVE-2023-20201 Cisco Cross-site Scripting vulnerability in Cisco Prime Infrastructure

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. These vulnerabilities are due to insufficient validation of user-supplied input.

5.4
2023-08-16 CVE-2023-20203 Cisco Cross-site Scripting vulnerability in Cisco Prime Infrastructure

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. These vulnerabilities are due to insufficient validation of user-supplied input.

5.4
2023-08-16 CVE-2023-20205 Cisco Cross-site Scripting vulnerability in Cisco Prime Infrastructure

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. These vulnerabilities are due to insufficient validation of user-supplied input.

5.4
2023-08-16 CVE-2023-4382 Tdevs Cross-site Scripting vulnerability in Tdevs Hyip RIO 2.1

A vulnerability, which was classified as problematic, has been found in tdevs Hyip Rio 2.1.

5.4
2023-08-16 CVE-2023-40342 Jenkins Cross-site Scripting vulnerability in Jenkins Flaky Test Handler

Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents.

5.4
2023-08-16 CVE-2023-40346 Jenkins Cross-site Scripting vulnerability in Jenkins Shortcut JOB

Jenkins Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs.

5.4
2023-08-16 CVE-2023-40350 Jenkins Cross-site Scripting vulnerability in Jenkins Docker Swarm

Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker.

5.4
2023-08-16 CVE-2023-38904 Decapcms Cross-site Scripting vulnerability in Decapcms Netlify CMS 2.10.192

A Cross Site Scripting (XSS) vulnerability in Netlify CMS v.2.10.192 allows a remote attacker to execute arbitrary code via a crafted payload to the body parameter of the new post function.

5.4
2023-08-16 CVE-2022-4782 Clickfunnels Unspecified vulnerability in Clickfunnels

The ClickFunnels WordPress plugin through 3.1.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

5.4
2023-08-16 CVE-2023-0274 Asandia Unspecified vulnerability in Asandia URL Params

The URL Params WordPress plugin before 2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-08-16 CVE-2023-0551 Minapper Unspecified vulnerability in Minapper Rest API to Miniprogram

The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments.

5.4
2023-08-16 CVE-2023-1110 Yellowyard Unspecified vulnerability in Yellowyard Yellow Yard Searchbar 2.8.2

The Yellow Yard Searchbar WordPress plugin before 2.8.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-08-16 CVE-2023-30784 Kayastudio Cross-site Scripting vulnerability in Kayastudio Kaya QR Code Generator

Auth.

5.4
2023-08-16 CVE-2023-3958 Froger Unspecified vulnerability in Froger WP Remote Users Sync

The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notify_ping_remote' AJAX function in versions up to, and including, 1.2.12.

5.4
2023-08-15 CVE-2023-30778 Blubrry Cross-site Scripting vulnerability in Blubrry Powerpress

Auth.

5.4
2023-08-15 CVE-2023-4308 Plugin Planet Unspecified vulnerability in Plugin-Planet User Submitted Posts

The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user-submitted-content’ parameter in versions up to, and including, 20230809 due to insufficient input sanitization and output escaping.

5.4
2023-08-15 CVE-2023-4347 Librenms Cross-site Scripting vulnerability in Librenms

Cross-site Scripting (XSS) - Reflected in GitHub repository librenms/librenms prior to 23.8.0.

5.4
2023-08-14 CVE-2023-38687 Mskocik Cross-site Scripting vulnerability in Mskocik Svelecte

Svelecte is a flexible autocomplete/select component written in Svelte.

5.4
2023-08-14 CVE-2023-40013 Shubhamjain Cross-site Scripting vulnerability in Shubhamjain SVG Loader

SVG Loader is a javascript library that fetches SVGs using XMLHttpRequests and injects the SVG code in the tag's place.

5.4
2023-08-20 CVE-2023-4439 Card Holder Management System Project Improper Validation of Specified Quantity in Input vulnerability in Card Holder Management System Project Card Holder Management System 1.0

A vulnerability was found in SourceCodester Card Holder Management System 1.0 and classified as problematic.

5.3
2023-08-20 CVE-2023-36674 Mediawiki Unspecified vulnerability in Mediawiki

An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1.

5.3
2023-08-18 CVE-2023-4040 Webtoffee Unspecified vulnerability in Webtoffee Stripe Payment Plugin for Woocommerce

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_callback_handler function in versions up to, and including, 3.7.9.

5.3
2023-08-17 CVE-2023-39974 Acymailing Exposure of Resource to Wrong Sphere vulnerability in Acymailing 6.7.0

Exposure of Sensitive Information vulnerability in AcyMailing Enterprise component for Joomla.

5.3
2023-08-17 CVE-2023-36844 Juniper Unspecified vulnerability in Juniper Junos

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environment variables. Using a crafted request an attacker is able to modify certain PHP environment variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S9; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S7; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R3-S1; * 22.4 versions prior to 22.4R2-S2, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2.

5.3
2023-08-17 CVE-2023-36846 Juniper Missing Authentication for Critical Function vulnerability in Juniper Junos

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to user.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.

5.3
2023-08-17 CVE-2023-36847 Juniper Missing Authentication for Critical Function vulnerability in Juniper Junos

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.

5.3
2023-08-17 CVE-2023-39743 Pete4Abw Unspecified vulnerability in Pete4Abw Lzma Software Development KIT 23.01

lrzip-next LZMA v23.01 was discovered to contain an access violation via the component /bz3_decode_block src/libbz3.c.

5.3
2023-08-17 CVE-2023-4392 Assaabloy Cleartext Storage of Sensitive Information vulnerability in Assaabloy Control ID Gerencia web 1.30

A vulnerability was found in Control iD Gerencia Web 1.30 and classified as problematic.

5.3
2023-08-16 CVE-2023-35009 IBM Information Exposure Through an Error Message vulnerability in IBM Cognos Analytics

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a remote attacker to obtain system information without authentication which could be used in reconnaissance to gather information that could be used for future attacks.

5.3
2023-08-16 CVE-2023-20232 Cisco Improper Input Validation vulnerability in Cisco Unified Contact Center Express

A vulnerability in the Tomcat implementation for Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to cause a web cache poisoning attack on an affected device.

5.3
2023-08-16 CVE-2023-40021 Oppia Information Exposure Through Discrepancy vulnerability in Oppia

Oppia is an online learning platform.

5.3
2023-08-16 CVE-2023-40348 Jenkins Unspecified vulnerability in Jenkins Gogs

The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output.

5.3
2023-08-16 CVE-2023-40349 Jenkins Improper Initialization vulnerability in Jenkins Gogs

Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs.

5.3
2023-08-15 CVE-2023-40027 Keystonejs Missing Authorization vulnerability in Keystonejs Keystone

Keystone is an open source headless CMS for Node.js — built with GraphQL and React.

5.3
2023-08-15 CVE-2023-4359 Google
Debian
Fedoraproject
Inappropriate implementation in App Launcher in Google Chrome on iOS prior to 116.0.5845.96 allowed a remote attacker to potentially spoof elements of the security UI via a crafted HTML page.
5.3
2023-08-15 CVE-2023-4361 Google
Debian
Fedoraproject
Inappropriate implementation in Autofill in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page.
5.3
2023-08-15 CVE-2023-38898 Python Unspecified vulnerability in Python 3.13.0

An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component.

5.3
2023-08-15 CVE-2023-32003 Nodejs
Fedoraproject
Path Traversal vulnerability in multiple products

`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack.

5.3
2023-08-15 CVE-2023-2916 Revmakx Exposure of Resource to Wrong Sphere vulnerability in Revmakx Infinitewp Client

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function.

5.3
2023-08-14 CVE-2023-39950 Siemens Improper Input Validation vulnerability in Siemens Efibootguard

efibootguard is a simple UEFI boot loader with support for safely switching between current and updated partition sets.

5.2
2023-08-14 CVE-2023-40312 Opennms Cross-site Scripting vulnerability in Opennms Horizon and Meridian

Multiple reflected XSS were found on different JSP files with unsanitized parameters in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that an attacker can modify to craft a malicious XSS payload. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer.

5.2
2023-08-18 CVE-2023-4422 Agentejo Cross-site Scripting vulnerability in Agentejo Cockpit

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

4.8
2023-08-18 CVE-2023-32130 Danielpowney Cross-site Scripting vulnerability in Danielpowney Multi Rating

Auth.

4.8
2023-08-18 CVE-2023-31232 Artiss Cross-site Scripting vulnerability in Artiss Plugins List

Auth.

4.8
2023-08-18 CVE-2023-31228 Cminds Cross-site Scripting vulnerability in Cminds CM on Demand Search and Replace

Auth.

4.8
2023-08-18 CVE-2023-30875 Allmywebneeds Cross-site Scripting vulnerability in Allmywebneeds Logo Scheduler 1.2.0

Auth.

4.8
2023-08-17 CVE-2023-28690 Marcosteinbrecher Cross-site Scripting vulnerability in Marcosteinbrecher WP Browserupdate 4.5

Auth.

4.8
2023-08-17 CVE-2023-31942 Online Travel Agency System Project Cross-site Scripting vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0

Cross Site Scripting vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the description parameter in insert.php.

4.8
2023-08-17 CVE-2023-34412 Helmholz
Redlion
Cross-site Scripting vulnerability in multiple products

A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower than 7.3.2 allows an authenticated remote attacker with high privileges to inject malicious HTML or JavaScript code (XSS).

4.8
2023-08-17 CVE-2023-31091 Pradeepsinghweb Cross-site Scripting vulnerability in Pradeepsinghweb Dynamically Register Sidebars

Auth.

4.8
2023-08-17 CVE-2023-28533 Nimbus Cross-site Scripting vulnerability in Nimbus CAB Grid

Auth.

4.8
2023-08-17 CVE-2023-30874 Stpetedesign Cross-site Scripting vulnerability in Stpetedesign GPS Plotter

Auth.

4.8
2023-08-17 CVE-2023-30876 Davidmichaelross Cross-site Scripting vulnerability in Davidmichaelross Dave'S Wordpress Live Search

Auth.

4.8
2023-08-17 CVE-2023-40281 EC Cube Cross-site Scripting vulnerability in Ec-Cube

EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product.

4.8
2023-08-16 CVE-2023-2225 Pottie Unspecified vulnerability in Pottie SEO Alert

The SEO ALert WordPress plugin through 1.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-08-16 CVE-2023-2254 KO FI Cross-site Scripting vulnerability in Ko-Fi Button

The Ko-fi Button WordPress plugin before 1.3.3 does not properly some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup), and we consider it a low risk.

4.8
2023-08-16 CVE-2023-30786 Fuzzguard Cross-site Scripting vulnerability in Fuzzguard Captcha Them ALL

Auth.

4.8
2023-08-14 CVE-2023-2606 Brutalplugins Unspecified vulnerability in Brutalplugins WP Brutal AI

The WP Brutal AI WordPress plugin before 2.06 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-08-14 CVE-2023-2802 Themefic Unspecified vulnerability in Themefic Ultimate Addons for Contact Form 7

The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-08-14 CVE-2023-3328 Custom Field FOR WP JOB Manager Project Unspecified vulnerability in Custom Field for WP JOB Manager Project Custom Field for WP JOB Manager 1.1

The Custom Field For WP Job Manager WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-08-14 CVE-2023-3645 Bitapps Unspecified vulnerability in Bitapps Contact Form Builder

The Contact Form Builder by Bit Form WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-08-14 CVE-2023-3721 Lesterchan Cross-site Scripting vulnerability in Lesterchan Wp-Email

The WP-EMail WordPress plugin before 2.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-08-14 CVE-2023-40311 Opennms Cross-site Scripting vulnerability in Opennms Horizon and Meridian

Multiple stored XSS were found on different JSP files with unsanitized parameters in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that allow an attacker to store on database and then load on JSPs or Angular templates.

4.8
2023-08-14 CVE-2023-30749 Ihomefinder Cross-site Scripting vulnerability in Ihomefinder Optima Express + Marketboost IDX 7.3.0

Auth.

4.8
2023-08-14 CVE-2023-30751 Icontrolwp Cross-site Scripting vulnerability in Icontrolwp Article Directory Redux 1.0.2

Auth.

4.8
2023-08-14 CVE-2023-30752 Gingertech Cross-site Scripting vulnerability in Gingertech External Videos 2.0.1

Auth.

4.8
2023-08-14 CVE-2023-29097 A3Rev Cross-site Scripting vulnerability in A3Rev A3 Portfolio

Auth.

4.8
2023-08-14 CVE-2023-30477 Essitco Cross-site Scripting vulnerability in Essitco Affiliate Solution

Auth.

4.8
2023-08-14 CVE-2023-37070 Code Projects Cross-site Scripting vulnerability in Code-Projects Hospital Information System 1.0

Code Projects Hospital Information System 1.0 is vulnerable to Cross Site Scripting (XSS).

4.8
2023-08-15 CVE-2023-39841 Etekcity Missing Encryption of Sensitive Data vulnerability in Etekcity 3-In-1 Smart Door Lock Firmware 1.0

Missing encryption in the RFID tag of Etekcity 3-in-1 Smart Door Lock v1.0 allows attackers to create a cloned tag via brief physical proximity to the original device.

4.6
2023-08-15 CVE-2023-20560 AMD Improper Input Validation vulnerability in AMD Ryzen Master and Ryzen Master Monitoring SDK

Insufficient validation of the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may allow a privileged attacker to provide a null value potentially resulting in a Windows crash leading to denial of service.

4.4
2023-08-17 CVE-2023-39972 Acymailing Unspecified vulnerability in Acymailing 6.7.0

Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla.

4.3
2023-08-17 CVE-2023-39973 Acymailing Unspecified vulnerability in Acymailing 6.7.0

Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla.

4.3
2023-08-17 CVE-2023-3244 Wphappycoders Unspecified vulnerability in Wphappycoders Comments Like Dislike

The Comments Like Dislike plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the restore_settings function called via an AJAX action in versions up to, and including, 1.1.9.

4.3
2023-08-16 CVE-2023-20237 Cisco Command Injection vulnerability in Cisco Intersight Virtual Appliance

A vulnerability in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access internal HTTP services that are otherwise inaccessible. This vulnerability is due to insufficient restrictions on internally accessible HTTP proxies.

4.3
2023-08-16 CVE-2023-40337 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Folders

A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder.

4.3
2023-08-16 CVE-2023-40338 Jenkins Information Exposure Through Log Files vulnerability in Jenkins Folders

Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system.

4.3
2023-08-16 CVE-2023-40344 Jenkins Missing Authorization vulnerability in Jenkins Delphix

A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

4.3
2023-08-16 CVE-2023-40351 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Favorite View

A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar.

4.3
2023-08-16 CVE-2023-32488 Dell Unspecified vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS, 8.2.x-9.5.0.x, contains an information disclosure vulnerability in NFS.

4.3
2023-08-16 CVE-2023-2271 Tiempo Unspecified vulnerability in Tiempo

The Tiempo.com WordPress plugin through 0.1.2 does not have a CSRF check when deleting its shortcode, which could allow attackers to make logged-in admins delete arbitrary shortcodes via a CSRF attack.

4.3
2023-08-16 CVE-2023-4381 Instantcms Unspecified vulnerability in Instantcms

Unverified Password Change in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

4.3
2023-08-16 CVE-2023-4374 Froger Unspecified vulnerability in Froger WP Remote Users Sync

The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'refresh_logs_async' functions in versions up to, and including, 1.2.11.

4.3
2023-08-15 CVE-2023-4360 Google
Debian
Fedoraproject
Inappropriate implementation in Color in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to obfuscate security UI via a crafted HTML page.
4.3
2023-08-15 CVE-2023-4363 Google
Debian
Fedoraproject
Inappropriate implementation in WebShare in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker to spoof the contents of a dialog URL via a crafted HTML page.
4.3
2023-08-15 CVE-2023-4364 Google
Debian
Fedoraproject
Inappropriate implementation in Permission Prompts in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to obfuscate security UI via a crafted HTML page.
4.3
2023-08-15 CVE-2023-4365 Google
Debian
Fedoraproject
Inappropriate implementation in Fullscreen in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to obfuscate security UI via a crafted HTML page.
4.3
2023-08-14 CVE-2022-46725 Apple Unspecified vulnerability in Apple Iphone OS

A spoofing issue existed in the handling of URLs.

4.3
2023-08-14 CVE-2023-3601 Webfactoryltd Unspecified vulnerability in Webfactoryltd Simple Author BOX

The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor.

4.3
2023-08-14 CVE-2023-40292 Samsung Unspecified vulnerability in Samsung Harman Infotainment 20190525031613

Harman Infotainment 20190525031613 and later discloses the IP address via CarPlay CTRL packets.

4.3

9 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-08-16 CVE-2023-32453 Dell Improper Authentication vulnerability in Dell products

Dell BIOS contains an improper authentication vulnerability.

3.9
2023-08-17 CVE-2023-25647 ZTE Incorrect Authorization vulnerability in ZTE products

There is a permission and access control vulnerability in some ZTE mobile phones.

3.3
2023-08-14 CVE-2022-32876 Apple Unspecified vulnerability in Apple Macos

A logic issue was addressed with improved restrictions.

3.3
2023-08-14 CVE-2023-21232 Google Unspecified vulnerability in Google Android 11.0/13.0

In multiple locations, there is a possible way to retrieve sensor data without permissions due to a permissions bypass.

3.3
2023-08-14 CVE-2023-21278 Google Unspecified vulnerability in Google Android 12.0/12.1/13.0

In multiple locations, there is a possible way to obscure the microphone privacy indicator due to a logic error in the code.

3.3
2023-08-18 CVE-2023-4413 Rootkit Hunter Project Information Exposure Through Log Files vulnerability in Rootkit Hunter Project Rootkit Hunter 1.4.4/1.4.6

** DISPUTED ** A vulnerability was found in rkhunter Rootkit Hunter 1.4.4/1.4.6.

2.5
2023-08-15 CVE-2023-39842 Mydigoo Missing Encryption of Sensitive Data vulnerability in Mydigoo Dg-Hamb Smart Home Security System Firmware 1.0

Missing encryption in the RFID tag of Digoo DG-HAMB Smart Home Security System v1.0 allows attackers to create a cloned tag via brief physical proximity to the original device.

2.4
2023-08-15 CVE-2023-39843 Sulimet Missing Encryption of Sensitive Data vulnerability in Sulimet 5-In-1 Smart Door Lock Firmware 1.0

Missing encryption in the RFID tag of Suleve 5-in-1 Smart Door Lock v1.0 allows attackers to create a cloned tag via brief physical proximity to the original device.

2.4
2023-08-14 CVE-2022-46724 Apple Unspecified vulnerability in Apple Iphone OS

This issue was addressed by restricting options offered on a locked device.

2.4